3f0d103c7b65731e949d7d6852d055d5493e0f90fc7a2c9b8b6fc03848428e5f

Analysis

max time kernel
58s
platform
windows11-21h2_x64
resource
win11-20240419-en
resource tags

arch:x64arch:x86image:win11-20240419-enlocale:en-usos:windows11-21h2-x64system
submitted
03/05/2024, 16:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Younx Tweaker.bat
Size

360KB
MD5

cef38ae22f6abf2e7f762bdcfc53299e
SHA1

b18d33e0f71072116087d16feb11de85b117356f
SHA256

3f0d103c7b65731e949d7d6852d055d5493e0f90fc7a2c9b8b6fc03848428e5f
SHA512

b603167763b87b2a73c421b3ca27ee6c1d3b0a2184077d0e0740de2e4468e1a1a0047e13b3963d544e2b534e7bf6d085d03c001a694c50045e38539267c45664
SSDEEP

3072:0tlOmFv3O4tht1MF+VRtn+quJazVPCZ7dAIr:0tlvAqzzVWz

Score

10^/10

discovery evasion execution exploit persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 3 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\System32\\userinit.exe,"	reg.exe

Modifies visibility of file extensions in Explorer 2 TTPs 3 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "0"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "0"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "0"	reg.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "1"	reg.exe

Possible privilege escalation attempt 9 IoCs

exploit

pid	Process
3752	icacls.exe
5064	icacls.exe
1676	icacls.exe
3996	icacls.exe
3860	takeown.exe
2520	takeown.exe
4792	takeown.exe
3952	icacls.exe
940	icacls.exe

Sets file execution options in registry 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wuauclt.exe\PerfOptions\CpuPriorityClass = "1"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ntoskrnl.exe\PerfOptions\CpuPriorityClass = "4"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\TrustedInstaller.exe\PerfOptions	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SearchIndexer.exe	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SearchIndexer.exe\PerfOptions	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\dwm.exe\PerfOptions	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\lsass.exe\PerfOptions\CpuPriorityClass = "1"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\audiodg.exe	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\TrustedInstaller.exe\PerfOptions\CpuPriorityClass = "1"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\lsass.exe\PerfOptions	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SearchIndexer.exe\PerfOptions	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\audiodg.exe\PerfOptions	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\dwm.exe\PerfOptions\IoPriority = "3"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\lsass.exe\PerfOptions	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\dwm.exe\PerfOptions\IoPriority = "3"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\lsass.exe\PerfOptions\PagePriority = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SearchIndexer.exe\PerfOptions	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SearchIndexer.exe\PerfOptions\IoPriority = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\TrustedInstaller.exe	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\lsass.exe\PerfOptions	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\lsass.exe\PerfOptions\IoPriority = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\lsass.exe\PerfOptions\PagePriority = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\TrustedInstaller.exe\PerfOptions\IoPriority = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\dwm.exe\PerfOptions\CpuPriorityClass = "4"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\lsass.exe\PerfOptions	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\TrustedInstaller.exe\PerfOptions	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wuauclt.exe\PerfOptions	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wuauclt.exe\PerfOptions\IoPriority = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\TrustedInstaller.exe\PerfOptions	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wuauclt.exe\PerfOptions\IoPriority = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\lsass.exe\PerfOptions	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ntoskrnl.exe\PerfOptions\IoPriority = "3"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\svchost.exe\PerfOptions\CpuPriorityClass = "1"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\TrustedInstaller.exe\PerfOptions\CpuPriorityClass = "1"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\dwm.exe\PerfOptions	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\lsass.exe	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ntoskrnl.exe\PerfOptions	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wuauclt.exe\PerfOptions	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\dwm.exe\PerfOptions	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ntoskrnl.exe\PerfOptions	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ntoskrnl.exe\PerfOptions\IoPriority = "3"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\lsass.exe\PerfOptions\IoPriority = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SearchIndexer.exe\PerfOptions	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\TrustedInstaller.exe\PerfOptions\IoPriority = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\dwm.exe\PerfOptions	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ntoskrnl.exe\PerfOptions	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\svchost.exe\PerfOptions\CpuPriorityClass = "1"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\dwm.exe	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ntoskrnl.exe	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ntoskrnl.exe\PerfOptions\CpuPriorityClass = "4"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SearchIndexer.exe\PerfOptions\CpuPriorityClass = "1"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wuauclt.exe	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wuauclt.exe\PerfOptions	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\TrustedInstaller.exe\PerfOptions	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\dwm.exe\PerfOptions\CpuPriorityClass = "4"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\lsass.exe\PerfOptions\CpuPriorityClass = "1"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SearchIndexer.exe\PerfOptions\CpuPriorityClass = "1"	reg.exe

Uses Session Manager for persistence 2 TTPs 2 IoCs

Creates Session Manager registry key to run executable early in system boot.

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Session Manager\BootExecute = 6100750074006f0063006800650063006b0020006100750074006f00630068006b0020002a0000000000	reg.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Session Manager\SETUPEXECUTE = 0000	reg.exe

Modifies file permissions 1 TTPs 9 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
940	icacls.exe
2520	takeown.exe
5064	icacls.exe
1676	icacls.exe
3952	icacls.exe
3996	icacls.exe
3860	takeown.exe
3752	icacls.exe
4792	takeown.exe

Enumerates connected drives 3 TTPs 1 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\Z:	takeown.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\SRU\SRU.log	svchost.exe
File opened for modification	C:\Windows\system32\SRU\SRUDB.dat	svchost.exe
File opened for modification	C:\Windows\system32\SRU\SRUDB.jfm	svchost.exe
File opened for modification	C:\Windows\system32\SRU\SRU.chk	svchost.exe

Launches sc.exe 16 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
4268	sc.exe
5000	sc.exe
4116	sc.exe
3104	sc.exe
1920	sc.exe
576	sc.exe
1036	sc.exe
4704	sc.exe
1596	sc.exe
4792	sc.exe
2196	sc.exe
1064	sc.exe
488	sc.exe
1068	sc.exe
2400	sc.exe
1572	sc.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
2324	powershell.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	svchost.exe

Delays execution with timeout.exe 5 IoCs

evasion

pid	Process
1428	timeout.exe
4892	timeout.exe
688	timeout.exe
1980	timeout.exe
4828	timeout.exe

Modifies data under HKEY_USERS 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	svchost.exe

Modifies registry class 25 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\System.IsPinnedToNameSpaceTree = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Paint.Picture	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000_Classes\Local Settings\Software\Microsoft	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F02C1A0D-BE21-4350-88B0-7367FC96EF3C}\ShellFolder	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Paint.Picture\DefaultIcon	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000_Classes\Local Settings\Software	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F02C1A0D-BE21-4350-88B0-7367FC96EF3C}	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Paint.Picture\DefaultIcon\	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\FolderType = "NotSpecified"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000_Classes\CLSID\{e88865ea-0e1c-4e20-9aa6-edcd0212c87c}	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F02C1A0D-BE21-4350-88B0-7367FC96EF3C}\ShellFolder	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F02C1A0D-BE21-4350-88B0-7367FC96EF3C}	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000_Classes\Local Settings	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\FolderType = "NotSpecified"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000_Classes\Local Settings\Software\Microsoft\Windows	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000_Classes\CLSID\{e88865ea-0e1c-4e20-9aa6-edcd0212c87c}\System.IsPinnedToNameSpaceTree = "0"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}	reg.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
2324	powershell.exe
2324	powershell.exe
3912	svchost.exe
3912	svchost.exe
3912	svchost.exe
3912	svchost.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2324	powershell.exe
Token: SeShutdownPrivilege	3912	svchost.exe
Token: SeCreatePagefilePrivilege	3912	svchost.exe
Token: SeIncreaseQuotaPrivilege	4644	WMIC.exe
Token: SeSecurityPrivilege	4644	WMIC.exe
Token: SeTakeOwnershipPrivilege	4644	WMIC.exe
Token: SeLoadDriverPrivilege	4644	WMIC.exe
Token: SeSystemProfilePrivilege	4644	WMIC.exe
Token: SeSystemtimePrivilege	4644	WMIC.exe
Token: SeProfSingleProcessPrivilege	4644	WMIC.exe
Token: SeIncBasePriorityPrivilege	4644	WMIC.exe
Token: SeCreatePagefilePrivilege	4644	WMIC.exe
Token: SeBackupPrivilege	4644	WMIC.exe
Token: SeRestorePrivilege	4644	WMIC.exe
Token: SeShutdownPrivilege	4644	WMIC.exe
Token: SeDebugPrivilege	4644	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4644	WMIC.exe
Token: SeRemoteShutdownPrivilege	4644	WMIC.exe
Token: SeUndockPrivilege	4644	WMIC.exe
Token: SeManageVolumePrivilege	4644	WMIC.exe
Token: 33	4644	WMIC.exe
Token: 34	4644	WMIC.exe
Token: 35	4644	WMIC.exe
Token: 36	4644	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4644	WMIC.exe
Token: SeSecurityPrivilege	4644	WMIC.exe
Token: SeTakeOwnershipPrivilege	4644	WMIC.exe
Token: SeLoadDriverPrivilege	4644	WMIC.exe
Token: SeSystemProfilePrivilege	4644	WMIC.exe
Token: SeSystemtimePrivilege	4644	WMIC.exe
Token: SeProfSingleProcessPrivilege	4644	WMIC.exe
Token: SeIncBasePriorityPrivilege	4644	WMIC.exe
Token: SeCreatePagefilePrivilege	4644	WMIC.exe
Token: SeBackupPrivilege	4644	WMIC.exe
Token: SeRestorePrivilege	4644	WMIC.exe
Token: SeShutdownPrivilege	4644	WMIC.exe
Token: SeDebugPrivilege	4644	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4644	WMIC.exe
Token: SeRemoteShutdownPrivilege	4644	WMIC.exe
Token: SeUndockPrivilege	4644	WMIC.exe
Token: SeManageVolumePrivilege	4644	WMIC.exe
Token: 33	4644	WMIC.exe
Token: 34	4644	WMIC.exe
Token: 35	4644	WMIC.exe
Token: 36	4644	WMIC.exe
Token: SeIncreaseQuotaPrivilege	972	WMIC.exe
Token: SeSecurityPrivilege	972	WMIC.exe
Token: SeTakeOwnershipPrivilege	972	WMIC.exe
Token: SeLoadDriverPrivilege	972	WMIC.exe
Token: SeSystemProfilePrivilege	972	WMIC.exe
Token: SeSystemtimePrivilege	972	WMIC.exe
Token: SeProfSingleProcessPrivilege	972	WMIC.exe
Token: SeIncBasePriorityPrivilege	972	WMIC.exe
Token: SeCreatePagefilePrivilege	972	WMIC.exe
Token: SeBackupPrivilege	972	WMIC.exe
Token: SeRestorePrivilege	972	WMIC.exe
Token: SeShutdownPrivilege	972	WMIC.exe
Token: SeDebugPrivilege	972	WMIC.exe
Token: SeSystemEnvironmentPrivilege	972	WMIC.exe
Token: SeRemoteShutdownPrivilege	972	WMIC.exe
Token: SeUndockPrivilege	972	WMIC.exe
Token: SeManageVolumePrivilege	972	WMIC.exe
Token: 33	972	WMIC.exe
Token: 34	972	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4664 wrote to memory of 4436	4664	cmd.exe	80
PID 4664 wrote to memory of 4436	4664	cmd.exe	80
PID 4664 wrote to memory of 4948	4664	cmd.exe	81
PID 4664 wrote to memory of 4948	4664	cmd.exe	81
PID 4664 wrote to memory of 2612	4664	cmd.exe	82
PID 4664 wrote to memory of 2612	4664	cmd.exe	82
PID 4664 wrote to memory of 3036	4664	cmd.exe	83
PID 4664 wrote to memory of 3036	4664	cmd.exe	83
PID 4664 wrote to memory of 2324	4664	cmd.exe	84
PID 4664 wrote to memory of 2324	4664	cmd.exe	84
PID 4664 wrote to memory of 1428	4664	cmd.exe	88
PID 4664 wrote to memory of 1428	4664	cmd.exe	88
PID 4664 wrote to memory of 1736	4664	cmd.exe	89
PID 4664 wrote to memory of 1736	4664	cmd.exe	89
PID 4664 wrote to memory of 1068	4664	cmd.exe	90
PID 4664 wrote to memory of 1068	4664	cmd.exe	90
PID 4664 wrote to memory of 3324	4664	cmd.exe	91
PID 4664 wrote to memory of 3324	4664	cmd.exe	91
PID 4664 wrote to memory of 1064	4664	cmd.exe	92
PID 4664 wrote to memory of 1064	4664	cmd.exe	92
PID 4664 wrote to memory of 2956	4664	cmd.exe	93
PID 4664 wrote to memory of 2956	4664	cmd.exe	93
PID 4664 wrote to memory of 692	4664	cmd.exe	94
PID 4664 wrote to memory of 692	4664	cmd.exe	94
PID 4664 wrote to memory of 2080	4664	cmd.exe	95
PID 4664 wrote to memory of 2080	4664	cmd.exe	95
PID 4664 wrote to memory of 1684	4664	cmd.exe	96
PID 4664 wrote to memory of 1684	4664	cmd.exe	96
PID 4664 wrote to memory of 2480	4664	cmd.exe	97
PID 4664 wrote to memory of 2480	4664	cmd.exe	97
PID 4664 wrote to memory of 2136	4664	cmd.exe	98
PID 4664 wrote to memory of 2136	4664	cmd.exe	98
PID 4664 wrote to memory of 3684	4664	cmd.exe	99
PID 4664 wrote to memory of 3684	4664	cmd.exe	99
PID 4664 wrote to memory of 2908	4664	cmd.exe	100
PID 4664 wrote to memory of 2908	4664	cmd.exe	100
PID 4664 wrote to memory of 1528	4664	cmd.exe	101
PID 4664 wrote to memory of 1528	4664	cmd.exe	101
PID 4664 wrote to memory of 4900	4664	cmd.exe	102
PID 4664 wrote to memory of 4900	4664	cmd.exe	102
PID 4664 wrote to memory of 8	4664	cmd.exe	103
PID 4664 wrote to memory of 8	4664	cmd.exe	103
PID 4664 wrote to memory of 4724	4664	cmd.exe	104
PID 4664 wrote to memory of 4724	4664	cmd.exe	104
PID 4664 wrote to memory of 3912	4664	cmd.exe	105
PID 4664 wrote to memory of 3912	4664	cmd.exe	105
PID 4664 wrote to memory of 3332	4664	cmd.exe	106
PID 4664 wrote to memory of 3332	4664	cmd.exe	106
PID 4664 wrote to memory of 328	4664	cmd.exe	107
PID 4664 wrote to memory of 328	4664	cmd.exe	107
PID 4664 wrote to memory of 4100	4664	cmd.exe	108
PID 4664 wrote to memory of 4100	4664	cmd.exe	108
PID 4664 wrote to memory of 2836	4664	cmd.exe	109
PID 4664 wrote to memory of 2836	4664	cmd.exe	109
PID 4664 wrote to memory of 3308	4664	cmd.exe	110
PID 4664 wrote to memory of 3308	4664	cmd.exe	110
PID 4664 wrote to memory of 2848	4664	cmd.exe	111
PID 4664 wrote to memory of 2848	4664	cmd.exe	111
PID 4664 wrote to memory of 2068	4664	cmd.exe	112
PID 4664 wrote to memory of 2068	4664	cmd.exe	112
PID 4664 wrote to memory of 400	4664	cmd.exe	113
PID 4664 wrote to memory of 400	4664	cmd.exe	113
PID 4664 wrote to memory of 3032	4664	cmd.exe	114
PID 4664 wrote to memory of 3032	4664	cmd.exe	114

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Younx Tweaker.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:4664
- C:\Windows\system32\chcp.com
  chcp 65001
  2⤵
  PID:4436
- C:\Windows\system32\reg.exe
  Reg.exe delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsNT\CurrentVersion\SystemRestore" /v "RPSessionInterval" /f
  2⤵
  PID:4948
- C:\Windows\system32\reg.exe
  Reg.exe delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsNT\CurrentVersion\SystemRestore" /v "DisableConfig" /f
  2⤵
  PID:2612
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\Software\Microsoft\Windows NT\CurrentVersion\SystemRestore" /v "SystemRestorePointCreationFrequency" /t REG_DWORD /d 0 /f
  2⤵
  PID:3036
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -ExecutionPolicy Unrestricted -NoProfile Enable-ComputerRestore -Drive 'C:\'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2324
- C:\Windows\system32\timeout.exe
  timeout /T 2 /NOBREAK
  2⤵
  - Delays execution with timeout.exe
  PID:1428
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SOFTWARE\Microsoft\DirectDraw" /v "DisableAGPSupport" /t REG_DWORD /d "0" /f
  2⤵
  PID:1736
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SOFTWARE\Microsoft\DirectDraw" /v "UseNonLocalVidMem" /t REG_DWORD /d "1" /f
  2⤵
  PID:1068
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SOFTWARE\Microsoft\DirectDraw" /v "DisableDDSCAPSInDDSD" /t REG_DWORD /d "0" /f
  2⤵
  PID:3324
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SOFTWARE\Microsoft\DirectDraw" /v "EmulatePointSprites" /t REG_DWORD /d "0" /f
  2⤵
  PID:1064
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SOFTWARE\Microsoft\DirectDraw" /v "EmulateStateBlocks" /t REG_DWORD /d "0" /f
  2⤵
  PID:2956
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SOFTWARE\Wow6432Node\Microsoft\DirectDraw" /v "DisableAGPSupport" /t REG_DWORD /d "0" /f
  2⤵
  PID:692
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SOFTWARE\Wow6432Node\Microsoft\DirectDraw" /v "UseNonLocalVidMem" /t REG_DWORD /d "1" /f
  2⤵
  PID:2080
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SOFTWARE\Wow6432Node\Microsoft\DirectDraw" /v "DisableDDSCAPSInDDSD" /t REG_DWORD /d "0" /f
  2⤵
  PID:1684
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SOFTWARE\Wow6432Node\Microsoft\DirectDraw" /v "EmulatePointSprites" /t REG_DWORD /d "0" /f
  2⤵
  PID:2480
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SOFTWARE\Wow6432Node\Microsoft\DirectDraw" /v "EmulateStateBlocks" /t REG_DWORD /d "0" /f
  2⤵
  PID:2136
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SOFTWARE\Microsoft\DirectX" /v "DXGI_PREEMPTION_MODE" /t REG_DWORD /d "3" /f
  2⤵
  PID:3684
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SOFTWARE\Microsoft\DirectX" /v "DXGI_FRAME_LATENCY_WAITABLE_OBJECT" /t REG_DWORD /d "1" /f
  2⤵
  PID:2908
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SOFTWARE\Microsoft\DirectX" /v "DXGI_SWAP_CHAIN_WAITABLE_OBJECT" /t REG_DWORD /d "1" /f
  2⤵
  PID:1528
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SOFTWARE\Microsoft\DirectX" /v "DXGI_FORCE_FLIP_DISCARD" /t REG_DWORD /d "1" /f
  2⤵
  PID:4900
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SOFTWARE\Microsoft\DirectX" /v "DXGI_SWAP_CHAIN_SCALE" /t REG_DWORD /d "1" /f
  2⤵
  PID:8
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SOFTWARE\Microsoft\DirectX" /v "DXGI_SWAP_CHAIN_ALLOW_MODE_SWITCH" /t REG_DWORD /d "1" /f
  2⤵
  PID:4724
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SOFTWARE\Microsoft\DirectX" /v "DXGI_SWAP_CHAIN_FULLSCREEN_FLIP_MODE" /t REG_DWORD /d "1" /f
  2⤵
  PID:3912
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SOFTWARE\Microsoft\DirectX" /v "DXGI_DISABLE_DWM_THROTTLING" /t REG_DWORD /d "1" /f
  2⤵
  PID:3332
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SOFTWARE\Microsoft\DirectX" /v "DXGI_FORCE_FLIP_SEQUENTIAL" /t REG_DWORD /d "1" /f
  2⤵
  PID:328
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SOFTWARE\Microsoft\DirectX" /v "DXGI_FORCE_FULLSCREEN_FLIP_MODE" /t REG_DWORD /d "3" /f
  2⤵
  PID:4100
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SOFTWARE\Microsoft\DirectX" /v "DXGI_MAX_FRAME_LATENCY" /t REG_DWORD /d "2" /f
  2⤵
  PID:2836
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SOFTWARE\Microsoft\DirectX" /v "DXGI_USE_OPTIMIZED_SWAP_CHAIN" /t REG_DWORD /d "1" /f
  2⤵
  PID:3308
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\DXGKrnl" /v "CreateGdiPrimaryOnSlaveGPU" /t REG_DWORD /d "1" /f
  2⤵
  PID:2848
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\DXGKrnl" /v "DriverSupportsCddDwmInterop" /t REG_DWORD /d "1" /f
  2⤵
  PID:2068
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\DXGKrnl" /v "DxgkCddSyncDxAccess" /t REG_DWORD /d "1" /f
  2⤵
  PID:400
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\DXGKrnl" /v "DxgkCddSyncGPUAccess" /t REG_DWORD /d "1" /f
  2⤵
  PID:3032
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\DXGKrnl" /v "DxgkCddWaitForVerticalBlankEvent" /t REG_DWORD /d "1" /f
  2⤵
  PID:72
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\DXGKrnl" /v "DxgkCreateSwapChain" /t REG_DWORD /d "1" /f
  2⤵
  PID:3352
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\DXGKrnl" /v "DxgkFreeGpuVirtualAddress" /t REG_DWORD /d "1" /f
  2⤵
  PID:3680
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\DXGKrnl" /v "DxgkOpenSwapChain" /t REG_DWORD /d "1" /f
  2⤵
  PID:2552
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\DXGKrnl" /v "DxgkShareSwapChainObject" /t REG_DWORD /d "1" /f
  2⤵
  PID:1092
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\DXGKrnl" /v "DxgkWaitForVerticalBlankEvent" /t REG_DWORD /d "1" /f
  2⤵
  PID:3296
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\DXGKrnl" /v "DxgkWaitForVerticalBlankEvent2" /t REG_DWORD /d "1" /f
  2⤵
  PID:2220
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\DXGKrnl" /v "SwapChainBackBuffer" /t REG_DWORD /d "1" /f
  2⤵
  PID:4844
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\DXGKrnl" /v "TdrResetFromTimeoutAsync" /t REG_DWORD /d "1" /f
  2⤵
  PID:2336
- C:\Windows\system32\reg.exe
  Reg.exe add "HKCU\Software\Microsoft\DirectX\GraphicsSettings" /v "CpuCoresAlways" /t REG_DWORD /d "18" /f
  2⤵
  PID:3908
- C:\Windows\system32\reg.exe
  Reg.exe add "HKCU\Software\Microsoft\DirectX\GraphicsSettings" /v "CpuUtilization" /t REG_DWORD /d "256" /f
  2⤵
  PID:448
- C:\Windows\system32\reg.exe
  Reg.exe add "HKCU\Software\Microsoft\DirectX\GraphicsSettings" /v "LatencyPerformance" /t REG_DWORD /d "256" /f
  2⤵
  PID:1908
- C:\Windows\system32\reg.exe
  Reg.exe add "HKCU\Software\Microsoft\DirectX\GraphicsSettings" /v "GpuPerformance" /t REG_DWORD /d "256" /f
  2⤵
  PID:3112
- C:\Windows\system32\reg.exe
  Reg.exe add "HKCU\Software\Microsoft\DirectX\GraphicsSettings" /v "RenderingSpread" /t REG_DWORD /d "0" /f
  2⤵
  PID:3456
- C:\Windows\system32\reg.exe
  Reg.exe add "HKCU\Software\Microsoft\DirectX\GraphicsSettings" /v "RenderingPerformance" /t REG_DWORD /d "256" /f
  2⤵
  PID:2436
- C:\Windows\system32\reg.exe
  Reg.exe add "HKCU\Software\Microsoft\DirectX\GraphicsSettings" /v "GpuMax" /t REG_DWORD /d "256" /f
  2⤵
  PID:688
- C:\Windows\system32\reg.exe
  Reg.exe add "HKCU\Software\Microsoft\DirectX\GraphicsSettings" /v "MaxPerformance" /t REG_DWORD /d "256" /f
  2⤵
  PID:1720
- C:\Windows\system32\reg.exe
  Reg.exe add "HKCU\Software\Microsoft\DirectX\GraphicsSettings" /v "MinPerformance" /t REG_DWORD /d "256" /f
  2⤵
  PID:3348
- C:\Windows\system32\reg.exe
  Reg.exe add "HKCU\Software\Microsoft\DirectX\GraphicsSettings" /v "PerformancePriority" /t REG_DWORD /d "3" /f
  2⤵
  PID:2344
- C:\Windows\system32\reg.exe
  Reg.exe add "HKCU\Software\Microsoft\DirectX\GraphicsSettings" /v "PerformanceSpread" /t REG_DWORD /d "0" /f
  2⤵
  PID:1952
- C:\Windows\system32\reg.exe
  Reg.exe add "HKCU\Software\Microsoft\DirectX\GraphicsSettings" /v "GpuMaxPerformance" /t REG_DWORD /d "256" /f
  2⤵
  PID:1656
- C:\Windows\system32\reg.exe
  Reg.exe add "HKCU\Software\Microsoft\DirectX\GraphicsSettings" /v "CpuMaxPerformance" /t REG_DWORD /d "256" /f
  2⤵
  PID:5060
- C:\Windows\system32\reg.exe
  Reg.exe add "HKCU\Software\Microsoft\DirectX\GraphicsSettings" /v "GpuAccelerating" /t REG_DWORD /d "256" /f
  2⤵
  PID:468
- C:\Windows\system32\reg.exe
  Reg.exe add "HKCU\Software\Microsoft\DirectX\GraphicsSettings" /v "GpuSpeed" /t REG_DWORD /d "256" /f
  2⤵
  PID:3056
- C:\Windows\system32\reg.exe
  Reg.exe add "HKCU\Software\Microsoft\DirectX\GraphicsSettings" /ve /t REG_SZ /d "True" /f
  2⤵
  PID:1692
- C:\Windows\system32\reg.exe
  Reg.exe add "HKCU\Software\Microsoft\DirectX\GraphicsSettings" /v "LatencySpread" /t REG_DWORD /d "0" /f
  2⤵
  PID:5028
- C:\Windows\system32\reg.exe
  Reg.exe add "HKCU\Software\Microsoft\DirectX\GraphicsSettings" /v "RenderingPriority" /t REG_DWORD /d "3" /f
  2⤵
  PID:3668
- C:\Windows\system32\reg.exe
  Reg.exe add "HKCU\Software\Microsoft\DirectX\GraphicsSettings" /v "LatencyPriority" /t REG_DWORD /d "3" /f
  2⤵
  PID:3040
- C:\Windows\system32\reg.exe
  Reg.exe add "HKCU\Software\Microsoft\DirectX\GraphicsSettings" /v "CpuSpread" /t REG_DWORD /d "0" /f
  2⤵
  PID:908
- C:\Windows\system32\reg.exe
  Reg.exe add "HKCU\Software\Microsoft\DirectX\GraphicsSettings" /v "GpuRenderingPriority" /t REG_DWORD /d "3" /f
  2⤵
  PID:4172
- C:\Windows\system32\reg.exe
  Reg.exe add "HKCU\Software\Microsoft\DirectX\GraphicsSettings" /v "RenderingSpread" /t REG_DWORD /d "0" /f
  2⤵
  PID:2880
- C:\Windows\system32\reg.exe
  Reg.exe add "HKCU\Software\Microsoft\DirectX\GraphicsSettings" /v "SpreadPriority" /t REG_DWORD /d "1" /f
  2⤵
  PID:4480
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SOFTWARE\Microsoft\DirectX\{39A262FC-984B-11ED-9501-806E6F6E6963}" /v "GPMinCores" /t REG_DWORD /d "0" /f
  2⤵
  PID:4276
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SOFTWARE\Microsoft\DirectX\{39A262FE-984B-11ED-9501-806E6F6E6963}" /v "GPUMaxCores" /t REG_DWORD /d "0" /f
  2⤵
  PID:3548
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SOFTWARE\Microsoft\DirectX\{39A262FE-984B-11ED-9501-806E6F6E6963}" /v "GPUMinCores1" /t REG_DWORD /d "0" /f
  2⤵
  PID:3428
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SOFTWARE\Microsoft\DirectDraw" /v "DisableAGPSupport" /t Reg_DWORD /d "0" /f
  2⤵
  PID:1716
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SOFTWARE\Wow6432Node\Microsoft\DirectDraw" /v "DisableAGPSupport" /t Reg_DWORD /d "0" /f
  2⤵
  PID:1776
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SOFTWARE\Microsoft\DirectDraw" /v "UseNonLocalVidMem" /t Reg_DWORD /d "1" /f
  2⤵
  PID:1228
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SOFTWARE\Wow6432Node\Microsoft\DirectDraw" /v "UseNonLocalVidMem" /t Reg_DWORD /d "1" /f
  2⤵
  PID:1296
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SOFTWARE\Microsoft\Direct3D" /v "UseNonLocalVidMem" /t Reg_DWORD /d "1" /f
  2⤵
  PID:4732
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SOFTWARE\Wow6432Node\Microsoft\Direct3D" /v "UseNonLocalVidMem" /t Reg_DWORD /d "1" /f
  2⤵
  PID:4780
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SOFTWARE\Microsoft\DirectDraw" /v "DisableDDSCAPSInDDSD" /t Reg_DWORD /d "0" /f
  2⤵
  PID:4168
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SOFTWARE\Wow6432Node\Microsoft\DirectDraw" /v "DisableDDSCAPSInDDSD" /t Reg_DWORD /d "0" /f
  2⤵
  PID:5116
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SOFTWARE\Microsoft\DirectDraw" /v "EmulationOnly" /t Reg_DWORD /d "0" /f
  2⤵
  PID:2892
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SOFTWARE\Wow6432Node\Microsoft\DirectDraw" /v "EmulationOnly" /t Reg_DWORD /d "0" /f
  2⤵
  PID:3968
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SOFTWARE\Microsoft\DirectDraw" /v "EmulatePointSprites" /t Reg_DWORD /d "0" /f
  2⤵
  PID:3904
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SOFTWARE\Wow6432Node\Microsoft\DirectDraw" /v "EmulatePointSprites" /t Reg_DWORD /d "0" /f
  2⤵
  PID:2088
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SOFTWARE\Microsoft\Direct3D\Drivers" /v "ForceRgbRasterizer" /t Reg_DWORD /d "0" /f
  2⤵
  PID:4076
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SOFTWARE\Wow6432Node\Microsoft\Direct3D\Drivers" /v "ForceRgbRasterizer" /t Reg_DWORD /d "0" /f
  2⤵
  PID:4904
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SOFTWARE\Microsoft\DirectDraw" /v "EmulateStateBlocks" /t Reg_DWORD /d "0" /f
  2⤵
  PID:3128
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SOFTWARE\Wow6432Node\Microsoft\DirectDraw" /v "EmulateStateBlocks" /t Reg_DWORD /d "0" /f
  2⤵
  PID:2660
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SOFTWARE\Microsoft\Direct3D" /v "EnableDebugging" /t Reg_DWORD /d "0" /f
  2⤵
  PID:3012
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SOFTWARE\Microsoft\Direct3D" /v "FullDebug" /t Reg_DWORD /d "0" /f
  2⤵
  PID:4048
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SOFTWARE\Microsoft\Direct3D" /v "DisableDM" /t Reg_DWORD /d "1" /f
  2⤵
  PID:4156
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SOFTWARE\Microsoft\Direct3D" /v "EnableMultimonDebugging" /t Reg_DWORD /d "0" /f
  2⤵
  PID:3636
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SOFTWARE\Microsoft\Direct3D" /v "LoadDebugRuntime" /t Reg_DWORD /d "0" /f
  2⤵
  PID:3756
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SOFTWARE\Microsoft\Direct3D\Drivers" /v "EnumReference" /t Reg_DWORD /d "1" /f
  2⤵
  PID:1892
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SOFTWARE\Wow6432Node\Microsoft\Direct3D\Drivers" /v "EnumReference" /t Reg_DWORD /d "1" /f
  2⤵
  PID:3452
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SOFTWARE\Microsoft\Direct3D\Drivers" /v "EnumSeparateMMX" /t Reg_DWORD /d "1" /f
  2⤵
  PID:3600
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SOFTWARE\Wow6432Node\Microsoft\Direct3D\Drivers" /v "EnumSeparateMMX" /t Reg_DWORD /d "1" /f
  2⤵
  PID:3276
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SOFTWARE\Microsoft\Direct3D\Drivers" /v "EnumRamp" /t Reg_DWORD /d "1" /f
  2⤵
  PID:4996
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SOFTWARE\Wow6432Node\Microsoft\Direct3D\Drivers" /v "EnumRamp" /t Reg_DWORD /d "1" /f
  2⤵
  PID:3408
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SOFTWARE\Microsoft\Direct3D\Drivers" /v "EnumNullDevice" /t Reg_DWORD /d "1" /f
  2⤵
  PID:3524
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SOFTWARE\Wow6432Node\Microsoft\Direct3D\Drivers" /v "EnumNullDevice" /t Reg_DWORD /d "1" /f
  2⤵
  PID:940
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SOFTWARE\Microsoft\Direct3D" /v "FewVertices" /t Reg_DWORD /d "1" /f
  2⤵
  PID:4112
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SOFTWARE\Wow6432Node\Microsoft\Direct3D" /v "FewVertices" /t Reg_DWORD /d "1" /f
  2⤵
  PID:5064
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SOFTWARE\Microsoft\DirectDraw" /v "DisableMMX" /t Reg_DWORD /d "0" /f
  2⤵
  PID:4968
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SOFTWARE\Wow6432Node\Microsoft\DirectDraw" /v "DisableMMX" /t Reg_DWORD /d "0" /f
  2⤵
  PID:2452
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SOFTWARE\Microsoft\Direct3D" /v "DisableMMX" /t Reg_DWORD /d "0" /f
  2⤵
  PID:4808
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SOFTWARE\Wow6432Node\Microsoft\Direct3D" /v "DisableMMX" /t Reg_DWORD /d "0" /f
  2⤵
  PID:4268
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SOFTWARE\Microsoft\Direct3D" /v "MMX Fast Path" /t Reg_DWORD /d "1" /f
  2⤵
  PID:840
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SOFTWARE\Wow6432Node\Microsoft\Direct3D" /v "MMX Fast Path" /t Reg_DWORD /d "1" /f
  2⤵
  PID:2388
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SOFTWARE\Microsoft\Direct3D" /v "MMXFastPath" /t Reg_DWORD /d "1" /f
  2⤵
  PID:1920
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SOFTWARE\Wow6432Node\Microsoft\Direct3D" /v "MMXFastPath" /t Reg_DWORD /d "1" /f
  2⤵
  PID:992
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SOFTWARE\Microsoft\Direct3D" /v "UseMMXForRGB" /t Reg_DWORD /d "1" /f
  2⤵
  PID:1572
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SOFTWARE\Wow6432Node\Microsoft\Direct3D" /v "UseMMXForRGB" /t Reg_DWORD /d "1" /f
  2⤵
  PID:1640
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SOFTWARE\Microsoft\Direct3D\Drivers" /v "UseMMXForRGB" /t Reg_DWORD /d "1" /f
  2⤵
  PID:3916
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SOFTWARE\Wow6432Node\Microsoft\Direct3D\Drivers" /v "UseMMXForRGB" /t Reg_DWORD /d "1" /f
  2⤵
  PID:4876
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SOFTWARE\Microsoft\Direct3D\Drivers" /v "EnumSeparateMMX" /t Reg_DWORD /d "1" /f
  2⤵
  PID:3760
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SOFTWARE\Wow6432Node\Microsoft\Direct3D\Drivers" /v "EnumSeparateMMX" /t Reg_DWORD /d "1" /f
  2⤵
  PID:900
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SOFTWARE\Microsoft\DirectDraw" /v "ForceNoSysLock" /t Reg_DWORD /d "0" /f
  2⤵
  PID:3420
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SOFTWARE\Wow6432Node\Microsoft\DirectDraw" /v "ForceNoSysLock" /t Reg_DWORD /d "0" /f
  2⤵
  PID:4516
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SOFTWARE\Microsoft\Direct3D" /v "DisableVidMemVBs" /t REG_DWORD /d "0" /f
  2⤵
  PID:1628
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SOFTWARE\Microsoft\Direct3D" /v "MMX Fast Path" /t REG_DWORD /d "1" /f
  2⤵
  PID:1012
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SOFTWARE\Microsoft\Direct3D" /v "FlipNoVsync" /t REG_DWORD /d "1" /f
  2⤵
  PID:3124
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SOFTWARE\Microsoft\Direct3D\Drivers" /v "SoftwareOnly" /t REG_DWORD /d "0" /f
  2⤵
  PID:1096
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\GraphicsDrivers" /v "DpiMapIommuContiguous" /t REG_DWORD /d "1" /f
  2⤵
  PID:2232
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\GraphicsDrivers" /v "HwSchedMode" /t REG_DWORD /d "2" /f
  2⤵
  PID:2404
- C:\Windows\system32\timeout.exe
  timeout /T 2 /NOBREAK
  2⤵
  - Delays execution with timeout.exe
  PID:4892
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\I/O System" /v "PassiveIntRealTimeWorkerPriority" /t REG_DWORD /d "18" /f
  2⤵
  PID:2524
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\KernelVelocity" /v "DisableFGBoostDecay" /t REG_DWORD /d "1" /f
  2⤵
  PID:2060
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\dwm.exe\PerfOptions" /v "CpuPriorityClass" /t REG_DWORD /d "4" /f
  2⤵
  - Sets file execution options in registry
  PID:3192
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\dwm.exe\PerfOptions" /v "IoPriority" /t REG_DWORD /d "3" /f
  2⤵
  - Sets file execution options in registry
  PID:32
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\lsass.exe\PerfOptions" /v "CpuPriorityClass" /t REG_DWORD /d "1" /f
  2⤵
  - Sets file execution options in registry
  PID:1172
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\lsass.exe\PerfOptions" /v "IoPriority" /t REG_DWORD /d "0" /f
  2⤵
  - Sets file execution options in registry
  PID:1312
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\lsass.exe\PerfOptions" /v "PagePriority" /t REG_DWORD /d "0" /f
  2⤵
  - Sets file execution options in registry
  PID:4152
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ntoskrnl.exe\PerfOptions" /v "CpuPriorityClass" /t REG_DWORD /d "4" /f
  2⤵
  - Sets file execution options in registry
  PID:1404
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ntoskrnl.exe\PerfOptions" /v "IoPriority" /t REG_DWORD /d "3" /f
  2⤵
  - Sets file execution options in registry
  PID:788
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SearchIndexer.exe\PerfOptions" /v "CpuPriorityClass" /t REG_DWORD /d "1" /f
  2⤵
  - Sets file execution options in registry
  PID:2416
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SearchIndexer.exe\PerfOptions" /v "IoPriority" /t REG_DWORD /d "0" /f
  2⤵
  - Sets file execution options in registry
  PID:224
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\svchost.exe\PerfOptions" /v "CpuPriorityClass" /t REG_DWORD /d "1" /f
  2⤵
  - Sets file execution options in registry
  PID:4336
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\TrustedInstaller.exe\PerfOptions" /v "CpuPriorityClass" /t REG_DWORD /d "1" /f
  2⤵
  - Sets file execution options in registry
  PID:4164
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\TrustedInstaller.exe\PerfOptions" /v "IoPriority" /t REG_DWORD /d "0" /f
  2⤵
  - Sets file execution options in registry
  PID:4908
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wuauclt.exe\PerfOptions" /v "CpuPriorityClass" /t REG_DWORD /d "1" /f
  2⤵
  - Sets file execution options in registry
  PID:984
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wuauclt.exe\PerfOptions" /v "IoPriority" /t REG_DWORD /d "0" /f
  2⤵
  - Sets file execution options in registry
  PID:440
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\audiodg.exe\PerfOptions" /v "CpuPriorityClass" /t REG_DWORD /d "2" /f
  2⤵
  - Sets file execution options in registry
  PID:3292
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\audiodg.exe\PerfOptions" /v "CpuPriorityClass" /t REG_DWORD /d "2" /f
  2⤵
  PID:2380
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\dwm.exe\PerfOptions" /v "CpuPriorityClass" /t REG_DWORD /d "4" /f
  2⤵
  - Sets file execution options in registry
  PID:2292
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\dwm.exe\PerfOptions" /v "IoPriority" /t REG_DWORD /d "3" /f
  2⤵
  - Sets file execution options in registry
  PID:3596
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\lsass.exe\PerfOptions" /v "CpuPriorityClass" /t REG_DWORD /d "1" /f
  2⤵
  - Sets file execution options in registry
  PID:3412
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\lsass.exe\PerfOptions" /v "IoPriority" /t REG_DWORD /d "0" /f
  2⤵
  - Sets file execution options in registry
  PID:1600
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\lsass.exe\PerfOptions" /v "PagePriority" /t REG_DWORD /d "0" /f
  2⤵
  - Sets file execution options in registry
  PID:928
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ntoskrnl.exe\PerfOptions" /v "CpuPriorityClass" /t REG_DWORD /d "4" /f
  2⤵
  - Sets file execution options in registry
  PID:2436
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ntoskrnl.exe\PerfOptions" /v "IoPriority" /t REG_DWORD /d "3" /f
  2⤵
  - Sets file execution options in registry
  PID:4984
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SearchIndexer.exe\PerfOptions" /v "CpuPriorityClass" /t REG_DWORD /d "1" /f
  2⤵
  - Sets file execution options in registry
  PID:2396
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SearchIndexer.exe\PerfOptions" /v "IoPriority" /t REG_DWORD /d "0" /f
  2⤵
  - Sets file execution options in registry
  PID:1720
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\svchost.exe\PerfOptions" /v "CpuPriorityClass" /t REG_DWORD /d "1" /f
  2⤵
  - Sets file execution options in registry
  PID:1952
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\TrustedInstaller.exe\PerfOptions" /v "CpuPriorityClass" /t REG_DWORD /d "1" /f
  2⤵
  - Sets file execution options in registry
  PID:1584
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\TrustedInstaller.exe\PerfOptions" /v "IoPriority" /t REG_DWORD /d "0" /f
  2⤵
  - Sets file execution options in registry
  PID:5060
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wuauclt.exe\PerfOptions" /v "CpuPriorityClass" /t REG_DWORD /d "1" /f
  2⤵
  PID:468
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wuauclt.exe\PerfOptions" /v "IoPriority" /t REG_DWORD /d "0" /f
  2⤵
  - Sets file execution options in registry
  PID:1912
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\I/O System" /v "AllowRemoteDASD" /t REG_DWORD /d "0" /f
  2⤵
  PID:3056
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\I/O System" /v "PassiveIntRealTimeWorkerPriority" /t REG_DWORD /d "24" /f
  2⤵
  PID:2992
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\I/O System" /v "countoperations" /t REG_DWORD /d "0" /f
  2⤵
  PID:5028
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\I/O System" /v "RmGpsPsEnablePerCpuCoreDpc" /t REG_DWORD /d "1" /f
  2⤵
  PID:4284
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\I/O System" /v "PowerSavingTweaks" /t REG_DWORD /d "0" /f
  2⤵
  PID:1476
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\I/O System" /v "DisableWriteCombining" /t REG_DWORD /d "1" /f
  2⤵
  PID:3432
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\I/O System" /v "EnableRuntimePowerManagement" /t REG_DWORD /d "1" /f
  2⤵
  PID:5092
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\I/O System" /v "PrimaryPushBufferSize" /t REG_DWORD /d "1" /f
  2⤵
  PID:4392
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\I/O System" /v "FlTransitionLatency" /t REG_DWORD /d "0" /f
  2⤵
  PID:4296
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\I/O System" /v "D3PCLatency" /t REG_DWORD /d "0" /f
  2⤵
  PID:1444
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\I/O System" /v "RMDeepLlEntryLatencyUsec" /t REG_DWORD /d "0" /f
  2⤵
  PID:3428
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\I/O System" /v "PciLatencyTimerControl" /t REG_DWORD /d "32" /f
  2⤵
  PID:1904
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\I/O System" /v "Node3DLowLatency" /t REG_DWORD /d "1" /f
  2⤵
  PID:1776
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\I/O System" /v "LOWLATENCY" /t REG_DWORD /d "1" /f
  2⤵
  PID:1128
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\I/O System" /v "RmDisableRegistryCaching" /t REG_DWORD /d "1" /f
  2⤵
  PID:1000
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\I/O System" /v "RMDisablePostL2Compression" /t REG_DWORD /d "1" /f
  2⤵
  PID:1296
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\I/O System" /v "DefaultMemoryRefreshLatencyToleranceNoContext" /t REG_DWORD /d "1" /f
  2⤵
  PID:2424
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\I/O System" /v "DefaultMemoryRefreshLatencyToleranceMonitorOff" /t REG_DWORD /d "1" /f
  2⤵
  PID:4168
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\I/O System" /v "DefaultMemoryRefreshLatencyToleranceActivelyUsed" /t REG_DWORD /d "1" /f
  2⤵
  PID:5116
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\I/O System" /v "DefaultLatencyToleranceTimerPeriod" /t REG_DWORD /d "1" /f
  2⤵
  PID:2892
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\I/O System" /v "DefaultLatencyToleranceOther" /t REG_DWORD /d "1" /f
  2⤵
  PID:3968
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\I/O System" /v "DefaultLatencyToleranceNoContextMonitorOff" /t REG_DWORD /d "1" /f
  2⤵
  PID:3904
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\I/O System" /v "DefaultLatencyToleranceNoContext" /t REG_DWORD /d "1" /f
  2⤵
  PID:2088
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\I/O System" /v "DefaultLatencyToleranceMemory" /t REG_DWORD /d "1" /f
  2⤵
  PID:4076
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\I/O System" /v "DefaultLatencyToleranceIdle1MonitorOff" /t REG_DWORD /d "1" /f
  2⤵
  PID:4904
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\I/O System" /v "DefaultLatencyToleranceIdle1" /t REG_DWORD /d "1" /f
  2⤵
  PID:2056
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\I/O System" /v "DefaultLatencyToleranceIdle0MonitorOff" /t REG_DWORD /d "1" /f
  2⤵
  PID:3052
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\I/O System" /v "DefaultLatencyToleranceIdle0" /t REG_DWORD /d "1" /f
  2⤵
  PID:3272
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\I/O System" /v "DefaultD3TransitionLatencyIdleVeryLongTime" /t REG_DWORD /d "1" /f
  2⤵
  PID:844
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\I/O System" /v "DefaultD3TransitionLatencyIdleShortTime" /t REG_DWORD /d "1" /f
  2⤵
  PID:4156
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\I/O System" /v "DefaultD3TransitionLatencyIdleNoContext" /t REG_DWORD /d "1" /f
  2⤵
  PID:2324
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\I/O System" /v "DefaultD3TransitionLatencyIdleMonitorOff" /t REG_DWORD /d "1" /f
  2⤵
  PID:2288
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\I/O System" /v "DefaultD3TransitionLatencyIdleLongTime" /t REG_DWORD /d "1" /f
  2⤵
  PID:5108
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\I/O System" /v "DefaultD3TransitionLatencyActivelyUsed" /t REG_DWORD /d "0" /f
  2⤵
  PID:1580
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\I/O System" /v "Latency" /t REG_DWORD /d "0" /f
  2⤵
  PID:4648
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\I/O System" /v "TransitionLatency" /t REG_DWORD /d "1" /f
  2⤵
  PID:4124
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\I/O System" /v "MonitorRefreshLatencyTolerance" /t REG_DWORD /d "0" /f
  2⤵
  PID:3132
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\I/O System" /v "MonitorLatencyTolerance" /t REG_DWORD /d "0" /f
  2⤵
  PID:2256
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\I/O System" /v "MiracastPerfTrackGraphicsLatency" /t REG_DWORD /d "1" /f
  2⤵
  PID:4680
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\I/O System" /v "MaxIAverageGraphicsLatencyInOneBucket" /t REG_DWORD /d "1" /f
  2⤵
  PID:2884
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\I/O System" /v "EnablePreemption" /t REG_DWORD /d "0" /f
  2⤵
  PID:2248
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\I/O System" /v "TdrLevel" /t REG_DWORD /d "0" /f
  2⤵
  PID:3528
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\I/O System" /v "UseGpuTimer" /t REG_DWORD /d "1" /f
  2⤵
  PID:3996
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\I/O System" /v "PlatformSupportMiracast" /t REG_DWORD /d "1" /f
  2⤵
  PID:1596
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\I/O System" /v "DpiMapIommuContiguous" /t REG_DWORD /d "1" /f
  2⤵
  PID:664
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\I/O System" /v "HwSchMode" /t REG_DWORD /d "1" /f
  2⤵
  PID:4520
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\I/O System" /v "ValueMax" /t REG_DWORD /d "0" /f
  2⤵
  PID:2408
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\I/O System" /v "ValueMin" /t REG_DWORD /d "0" /f
  2⤵
  PID:2388
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\I/O System" /v "CpuPriorityContol" /t REG_DWORD /d "1" /f
  2⤵
  PID:488
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\I/O System" /v "CpuThreadCount" /t REG_DWORD /d "12" /f
  2⤵
  PID:656
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\I/O System" /v "CpuThreadSeperation" /t REG_DWORD /d "0" /f
  2⤵
  PID:1036
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\I/O System" /v "CpuPriority" /t REG_DWORD /d "3" /f
  2⤵
  PID:2772
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\I/O System" /v "PowerThrottlingOff" /t REG_DWORD /d "1" /f
  2⤵
  PID:1056
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\I/O System" /v "IOPriority" /t REG_DWORD /d "3" /f
  2⤵
  PID:2028
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\I/O System" /v "CpuPrioritySeperation" /t REG_DWORD /d "0" /f
  2⤵
  PID:464
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\I/O System" /v "RMHdcpKeyGlobZero" /t REG_DWORD /d "1" /f
  2⤵
  PID:1520
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\I/O System" /v "PowerLimitEnabled" /t REG_DWORD /d "0" /f
  2⤵
  PID:3684
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\I/O System" /v "Throttle Rate" /t REG_DWORD /d "1" /f
  2⤵
  PID:4660
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\I/O System" /v "Clock Rate" /t REG_DWORD /d "5000" /f
  2⤵
  PID:2944
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\I/O System" /v "Priority" /t REG_DWORD /d "6" /f
  2⤵
  PID:4900
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\I/O System" /v "SystemResponsiveness" /t REG_DWORD /d "0" /f
  2⤵
  PID:4628
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\I/O System" /v "Affinity" /t REG_DWORD /d "0" /f
  2⤵
  PID:1652
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\I/O System" /v "Background Only" /t REG_SZ /d "False" /f
  2⤵
  PID:4724
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\I/O System" /v "GPU Priority" /t REG_DWORD /d "3" /f
  2⤵
  PID:3620
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\I/O System" /v "Scheduling Category" /t REG_SZ /d "High" /f
  2⤵
  PID:1996
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\I/O System" /v "GpuPriorityClass" /t REG_DWORD /d "3" /f
  2⤵
  PID:3332
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\I/O System" /v "CpuPriorityClass" /t REG_DWORD /d "3" /f
  2⤵
  PID:2264
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\I/O System" /v "IOPriorityClass" /t REG_DWORD /d "0" /f
  2⤵
  PID:4100
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\I/O System" /v "GpuSpeed" /t REG_DWORD /d "100" /f
  2⤵
  PID:3308
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\I/O System" /ve /t REG_SZ /d "True" /f
  2⤵
  PID:2848
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\I/O System" /v "CpuCoresAlways" /t REG_DWORD /d "18" /f
  2⤵
  PID:2068
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\I/O System" /v "CpuUtilization" /t REG_DWORD /d "100" /f
  2⤵
  PID:1556
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\I/O System" /v "LatencyPerformance" /t REG_DWORD /d "100" /f
  2⤵
  PID:3032
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\I/O System" /v "GpuPerformance" /t REG_DWORD /d "100" /f
  2⤵
  PID:1404
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\I/O System" /v "RenderingSpread" /t REG_DWORD /d "0" /f
  2⤵
  PID:2128
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\I/O System" /v "RenderingPerformance" /t REG_DWORD /d "100" /f
  2⤵
  PID:2416
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\I/O System" /v "LatencySpread" /t REG_DWORD /d "0" /f
  2⤵
  PID:4692
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\I/O System" /v "RenderingPriority" /t REG_DWORD /d "3" /f
  2⤵
  PID:4336
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\I/O System" /v "LatencyPriority" /t REG_DWORD /d "3" /f
  2⤵
  PID:5096
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\I/O System" /v "CpuSpread" /t REG_DWORD /d "0" /f
  2⤵
  PID:1048
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\I/O System" /v "GpuRenderingPriority" /t REG_DWORD /d "3" /f
  2⤵
  PID:3784
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\I/O System" /v "SpreadPriority" /t REG_DWORD /d "1" /f
  2⤵
  PID:5084
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\I/O System" /v "GpuMax" /t REG_DWORD /d "100" /f
  2⤵
  PID:3908
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\I/O System" /v "MaxPerformance" /t REG_DWORD /d "100" /f
  2⤵
  PID:1876
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\I/O System" /v "MinPerformance" /t REG_DWORD /d "100" /f
  2⤵
  PID:2292
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\I/O System" /v "PerformancePriority" /t REG_DWORD /d "3" /f
  2⤵
  PID:3112
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\I/O System" /v "PerformanceSpread" /t REG_DWORD /d "0" /f
  2⤵
  PID:4644
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\I/O System" /v "GpuMaxPerformance" /t REG_DWORD /d "100" /f
  2⤵
  PID:3416
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\I/O System" /v "CpuMaxPerformance" /t REG_DWORD /d "100" /f
  2⤵
  PID:1512
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\I/O System" /v "GpuAccelerating" /t REG_DWORD /d "100" /f
  2⤵
  PID:3888
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\I/O System" /v "CpuThreadPriority" /t REG_DWORD /d "3" /f
  2⤵
  PID:2312
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\I/O System" /v "RmDistRenderMax" /t REG_DWORD /d "1" /f
  2⤵
  PID:3008
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\I/O System" /v "RMEnableHdmi2" /t REG_DWORD /d "1" /f
  2⤵
  PID:4084
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\I/O System" /v "RMEnableOveclockingAllPstates" /t REG_DWORD /d "1" /f
  2⤵
  PID:1720
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\I/O System" /v "DisableOverclockedPstates" /t REG_DWORD /d "0" /f
  2⤵
  PID:4280
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\I/O System" /v "RMForceLockedClocksMode" /t REG_DWORD /d "0" /f
  2⤵
  PID:1084
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\I/O System" /v "RMEnableClk" /t REG_DWORD /d "1" /f
  2⤵
  PID:468
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\I/O System" /v "EnablePerformanceMode" /t REG_DWORD /d "1" /f
  2⤵
  PID:1912
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\I/O System" /v "RMMaximizePteTableSize" /t REG_DWORD /d "1" /f
  2⤵
  PID:3400
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\I/O System" /v "UseUncachedPCIMappings" /t REG_DWORD /d "1" /f
  2⤵
  PID:3056
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\I/O System" /v "RMEnableVmm" /t REG_DWORD /d "1" /f
  2⤵
  PID:5028
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\I/O System" /v "RMGpuCacheEnable" /t REG_DWORD /d "1" /f
  2⤵
  PID:4284
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\I/O System" /v "DisableAsyncPstates" /t REG_DWORD /d "1" /f
  2⤵
  PID:1476
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\I/O System" /v "EnableForceIgpuDgpuFromUI" /t REG_DWORD /d "1" /f
  2⤵
  PID:2880
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\I/O System" /v "EnableCoreVoltage" /t REG_DWORD /d "1" /f
  2⤵
  PID:3432
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\I/O System" /v "RMNoECCFuseCheck" /t REG_DWORD /d "1" /f
  2⤵
  PID:4392
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\I/O System" /v "EnableComputeReset" /t REG_DWORD /d "1" /f
  2⤵
  PID:1488
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\I/O System" /v "RMOverrideP0Gpc2ClkMaxFreqKHz" /t REG_DWORD /d "1" /f
  2⤵
  PID:1444
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\I/O System" /v "EnableDx12OnMsHybrid" /t REG_DWORD /d "1" /f
  2⤵
  PID:3428
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\I/O System" /v "EnableDx12OnOptimus" /t REG_DWORD /d "1" /f
  2⤵
  PID:1904
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\I/O System" /v "EnableHybridPerfSLI" /t REG_DWORD /d "1" /f
  2⤵
  PID:1776
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\I/O System" /v "RMGsyncTswapRdyHi" /t REG_DWORD /d "1" /f
  2⤵
  PID:4744
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\I/O System" /v "LimitSegmentsTo4GB" /t REG_DWORD /d "0" /f
  2⤵
  PID:1128
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\I/O System" /v "Disable4GBTAGLimit" /t REG_DWORD /d "1" /f
  2⤵
  PID:1296
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\I/O System" /v "EnableComputeAsync" /t REG_DWORD /d "1" /f
  2⤵
  PID:4436
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\I/O System" /v "EnableMClkSlowdown" /t REG_DWORD /d "0" /f
  2⤵
  PID:4168
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\I/O System" /v "RMClkSlowDown" /t REG_DWORD /d "0" /f
  2⤵
  PID:5116
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\I/O System" /v "DisableKmRenderBoost" /t REG_DWORD /d "0" /f
  2⤵
  PID:3036
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\I/O System" /v "DisableKmRenderStage" /t REG_DWORD /d "0" /f
  2⤵
  PID:3968
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\I/O System" /v "DisableKmRender" /t REG_DWORD /d "0" /f
  2⤵
  PID:3904
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\I/O System" /v "WDDMv2ReserveVASpaceSizeForNvFBC" /t REG_DWORD /d "1" /f
  2⤵
  PID:2088
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\I/O System" /v "WDDMv2InvalidatePDEsForReserveVA" /t REG_DWORD /d "1" /f
  2⤵
  PID:4076
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\I/O System" /v "WDDMv2EnableSLI" /t REG_DWORD /d "1" /f
  2⤵
  PID:4904
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\I/O System" /v "WDDMv2DisableRenderGDI" /t REG_DWORD /d "0" /f
  2⤵
  PID:2056
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\I/O System" /v "WDDMv2ForceInvalidateAllCpuCache" /t REG_DWORD /d "0" /f
  2⤵
  PID:3052
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\I/O System" /v "WDDMv2Use64KBPages" /t REG_DWORD /d "1" /f
  2⤵
  PID:3272
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\I/O System" /v "WDDMv2EnableGdiBroadcast" /t REG_DWORD /d "1" /f
  2⤵
  PID:844
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\I/O System" /v "WDDMv2EnableSLILinkMirroredWAR" /t REG_DWORD /d "1" /f
  2⤵
  PID:4156
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\I/O System" /v "WDDMv2OSDualPteSupported" /t REG_DWORD /d "1" /f
  2⤵
  PID:2324
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\I/O System" /v "WDDMv2DisableSlowCePagingWar" /t REG_DWORD /d "1" /f
  2⤵
  PID:2288
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\I/O System" /v "WDDMv2ReplaceKindAtTransferVirtual" /t REG_DWORD /d "1" /f
  2⤵
  PID:4012
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\I/O System" /v "WDDMv2DisableBasicPrimeForGPUVA" /t REG_DWORD /d "1" /f
  2⤵
  PID:1580
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\I/O System" /v "WDDMv2DisableSLIVirtualChannels" /t REG_DWORD /d "0" /f
  2⤵
  PID:4648
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\I/O System" /v "WDDMv2EnableFermiWDDMv2" /t REG_DWORD /d "1" /f
  2⤵
  PID:4124
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\I/O System" /v "WDDMv2ForceEngineResetForPageFault" /t REG_DWORD /d "1" /f
  2⤵
  PID:3132
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\I/O System" /v "WDDMv2KmdHighAddrReserve" /t REG_DWORD /d "1" /f
  2⤵
  PID:800
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\I/O System" /v "CsEnabled" /t REG_DWORD /d "0" /f
  2⤵
  PID:2256
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\I/O System" /v "CustomizeDuringSetup" /t REG_DWORD /d "1" /f
  2⤵
  PID:2884
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\I/O System" /v "HiberFileSizePercent" /t REG_DWORD /d "0" /f
  2⤵
  PID:4828
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\I/O System" /v "HibernateEnabled" /t REG_DWORD /d "0" /f
  2⤵
  PID:2248
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\I/O System" /v "MfBufferingThreshold" /t REG_DWORD /d "0" /f
  2⤵
  PID:2196
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\I/O System" /v "PerfCalculateActualUtilization" /t REG_DWORD /d "0" /f
  2⤵
  PID:3092
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\I/O System" /v "TimerRebaseThresholdOnDripsExit" /t REG_DWORD /d "60" /f
  2⤵
  PID:4268
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\I/O System" /v "EnergyEstimationDisabled" /t REG_DWORD /d "1" /f
  2⤵
  PID:840
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\I/O System" /v "HibernateEnabledDefault" /t REG_DWORD /d "0" /f
  2⤵
  PID:2400
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\I/O System" /v "CoalescingTimerInterval" /t REG_DWORD /d "0" /f
  2⤵
  PID:1920
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\I/O System" /v "ExitLatency" /t REG_DWORD /d "0" /f
  2⤵
  PID:992
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\I/O System" /v "ExitLatencyCheckEnabled" /t REG_DWORD /d "1" /f
  2⤵
  PID:1572
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\I/O System" /v "LatencyToleranceDefault" /t REG_DWORD /d "0" /f
  2⤵
  PID:340
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\I/O System" /v "LatencyToleranceFSVP" /t REG_DWORD /d "0" /f
  2⤵
  PID:2476
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\I/O System" /v "LatencyTolerancePerfOverride" /t REG_DWORD /d "0" /f
  2⤵
  PID:2080
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\I/O System" /v "LatencyToleranceScreenOffIR" /t REG_DWORD /d "0" /f
  2⤵
  PID:1056
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\I/O System" /v "LatencyToleranceVSyncEnabled" /t REG_DWORD /d "0" /f
  2⤵
  PID:1508
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\I/O System" /v "RtlCapabilityCheckLatency" /t REG_DWORD /d "1" /f
  2⤵
  PID:2028
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\I/O System" /v "QosManagesIdleProcessors" /t REG_DWORD /d "0" /f
  2⤵
  PID:1968
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\I/O System" /v "DisableVsyncLatencyUpdate" /t REG_DWORD /d "0" /f
  2⤵
  PID:1520
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\I/O System" /v "DisableSensorWatchdog" /t REG_DWORD /d "1" /f
  2⤵
  PID:4660
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\I/O System" /v "InterruptSteeringDisabled" /t REG_DWORD /d "1" /f
  2⤵
  PID:2944
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\I/O System" /v "LowLatencyScalingPercentage" /t REG_DWORD /d "100" /f
  2⤵
  PID:2044
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\I/O System" /v "HighPerformance" /t REG_DWORD /d "1" /f
  2⤵
  PID:652
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\I/O System" /v "HighestPerformance" /t REG_DWORD /d "1" /f
  2⤵
  PID:1652
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\I/O System" /v "MinimumThrottlePercent" /t REG_DWORD /d "0" /f
  2⤵
  PID:4724
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\I/O System" /v "MaximumThrottlePercent" /t REG_DWORD /d "0" /f
  2⤵
  PID:3620
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\I/O System" /v "MaximumPerformancePercent" /t REG_DWORD /d "100" /f
  2⤵
  PID:1996
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\I/O System" /v "InitialUnparkCount" /t REG_DWORD /d "100" /f
  2⤵
  PID:3332
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\I/O System" /v "EnergyEstimationEnabled" /t REG_DWORD /d "0" /f
  2⤵
  PID:2264
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\I/O System" /v "SleepReliabilityDetailedDiagnostics" /t REG_DWORD /d "0" /f
  2⤵
  PID:4100
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\I/O System" /v "EventProcessorEnabled" /t REG_DWORD /d "0" /f
  2⤵
  PID:3308
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\I/O System" /v "Class1InitialUnparkCount" /t REG_DWORD /d "100" /f
  2⤵
  PID:2848
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\I/O System" /v "SleepStudyDisabled" /t REG_DWORD /d "1" /f
  2⤵
  PID:2068
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\I/O System" /v "LatencyToleranceIdleResiliency" /t REG_DWORD /d "0" /f
  2⤵
  PID:1556
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\I/O System" /v "PowerActionResumingWatchdogTimeout" /t REG_DWORD /d "0" /f
  2⤵
  PID:3032
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\I/O System" /v "PowerActionTransitioningWatchdogTimeout" /t REG_DWORD /d "0" /f
  2⤵
  PID:1404
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\I/O System" /v "SourceSettingsVersion" /t REG_DWORD /d "2" /f
  2⤵
  PID:2128
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\I/O System" /v "DirectedDripsOverride" /t REG_DWORD /d "1" /f
  2⤵
  PID:2416
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\I/O System" /v "BootHeteroPolicyOverride" /t REG_DWORD /d "1" /f
  2⤵
  PID:224
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\I/O System" /v "MfOverridesDisabled" /t REG_DWORD /d "0" /f
  2⤵
  PID:4336
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\I/O System\Global\NVTweak" /v "RmGpsPsEnablePerCpuCoreDpc" /t REG_DWORD /d "1" /f
  2⤵
  PID:5096
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\I/O System\NVAPI" /v "RmGpsPsEnablePerCpuCoreDpc" /t REG_DWORD /d "1" /f
  2⤵
  PID:1048
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\I/O System" /v "AllowRemoteDASD" /t REG_DWORD /d "0" /f
  2⤵
  PID:3784
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\I/O System" /v "countoperations" /t REG_DWORD /d "0" /f
  2⤵
  PID:5084
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\I/O System" /v "DisableBufferedIoInit" /t REG_DWORD /d "0" /f
  2⤵
  PID:3908
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\I/O System" /v "LargeIrpStackLocations" /t REG_DWORD /d "20" /f
  2⤵
  PID:1876
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\I/O System" /v "MediumIrpStackLocations" /t REG_DWORD /d "8" /f
  2⤵
  PID:2292
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\I/O System" /v "IoEnableSessionZeroAccessCheck" /t REG_DWORD /d "1" /f
  2⤵
  PID:3456
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\I/O System" /v "PassiveIntRealTimeWorkerPriority" /t REG_DWORD /d "18" /f
  2⤵
  PID:876
- C:\Windows\system32\timeout.exe
  timeout /T 2 /NOBREAK
  2⤵
  - Delays execution with timeout.exe
  PID:688
- C:\Windows\system32\reg.exe
  reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\FileHistory" /v "Disabled" /t REG_DWORD /d "1" /f
  2⤵
  PID:4016
- C:\Windows\system32\reg.exe
  reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\RemovalTools\MpGears" /v "HeartbeatTrackingIndex" /t REG_DWORD /d "0" /f
  2⤵
  PID:2436
- C:\Windows\system32\reg.exe
  reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\RemovalTools\MpGears" /v "SpyNetReportingLocation" /t REG_MULTI_SZ /d "" /f
  2⤵
  PID:2344
- C:\Windows\system32\reg.exe
  reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\MRT" /v "DontOfferThroughWUAU" /t REG_DWORD /d "1" /f
  2⤵
  PID:244
- C:\Windows\system32\reg.exe
  reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\MRT" /v "DontReportInfectionInformation" /t REG_DWORD /d "1" /f
  2⤵
  PID:2960
- C:\Windows\system32\reg.exe
  reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config" /v "DODownloadMode" /t REG_DWORD /d "0" /f
  2⤵
  PID:4084
- C:\Windows\system32\reg.exe
  reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\DeliveryOptimization" /v "DODownloadMode" /t REG_DWORD /d "0" /f
  2⤵
  PID:4700
- C:\Windows\system32\reg.exe
  reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\WindowsStore\WindowsUpdate" /v "AutoDownload" /t REG_DWORD /d "2" /f
  2⤵
  PID:436
- C:\Windows\system32\reg.exe
  reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\StorageSense\Parameters\StoragePolicy" /v "01" /t REG_DWORD /d "0" /f
  2⤵
  PID:3448
- C:\Windows\system32\reg.exe
  reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\StorageSense" /v "AllowStorageSenseGlobal" /t REG_DWORD /d "0" /f
  2⤵
  PID:1984
- C:\Windows\system32\reg.exe
  reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\StorageSense" /v "AllowStorageSenseTemporaryFilesCleanup" /t REG_DWORD /d "0" /f
  2⤵
  PID:2888
- C:\Windows\system32\reg.exe
  reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\MiscPolicyInfo" /v "ShippedWithReserves" /t REG_DWORD /d "2" /f
  2⤵
  PID:3060
- C:\Windows\system32\reg.exe
  reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\PassedPolicy" /v "ShippedWithReserves" /t REG_DWORD /d "0" /f
  2⤵
  PID:3040
- C:\Windows\system32\reg.exe
  reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ReserveManager" /v "ShippedWithReserves" /t REG_DWORD /d "0" /f
  2⤵
  PID:3632
- C:\Windows\system32\reg.exe
  reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "DITest" /t REG_DWORD /d "0" /f
  2⤵
  PID:4284
- C:\Windows\system32\reg.exe
  reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "EnableSnapAssistFlyout" /t REG_DWORD /d "0" /f
  2⤵
  PID:4272
- C:\Windows\system32\reg.exe
  reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "EnableSnapBar" /t REG_DWORD /d "0" /f
  2⤵
  PID:3640
- C:\Windows\system32\reg.exe
  reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "EnableTaskGroups" /t REG_DWORD /d "0" /f
  2⤵
  PID:1212
- C:\Windows\system32\reg.exe
  reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "ShowCopilotButton" /t REG_DWORD /d "0" /f
  2⤵
  PID:4392
- C:\Windows\system32\reg.exe
  reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "TaskbarDa" /t REG_DWORD /d "0" /f
  2⤵
  PID:1688
- C:\Windows\system32\reg.exe
  reg add "HKCU\Software\Microsoft\PolicyManager\default\NewsAndInterests\AllowNewsAndInterests" /v "value" /t REG_DWORD /d "0" /f
  2⤵
  PID:3428
- C:\Windows\system32\reg.exe
  reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Dsh" /v "AllowNewsAndInterests" /t REG_DWORD /d "0" /f
  2⤵
  PID:4980
- C:\Windows\system32\reg.exe
  reg add "HKCU\Software\Policies\Microsoft\Windows\WindowsCopilot" /v "TurnOffWindowsCopilot" /t REG_DWORD /d "1" /f
  2⤵
  PID:4204
- C:\Windows\system32\reg.exe
  reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsCopilot" /v "TurnOffWindowsCopilot" /t REG_DWORD /d "1" /f
  2⤵
  PID:4736
- C:\Windows\system32\reg.exe
  reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "TaskbarFlashing" /t REG_DWORD /d "0" /f
  2⤵
  PID:4708
- C:\Windows\system32\reg.exe
  reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "TaskbarMn" /t REG_DWORD /d "0" /f
  2⤵
  PID:4780
- C:\Windows\system32\reg.exe
  reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "TaskbarSn" /t REG_DWORD /d "0" /f
  2⤵
  PID:2424
- C:\Windows\system32\reg.exe
  reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Search" /v "SearchboxTaskbarMode" /t REG_DWORD /d "0" /f
  2⤵
  PID:4508
- C:\Windows\system32\reg.exe
  reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer" /v "EnableAutoTray" /t REG_DWORD /d "0" /f
  2⤵
  PID:2948
- C:\Windows\system32\reg.exe
  reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Search" /v "BingSearchEnabled" /t REG_DWORD /d "0" /f
  2⤵
  PID:2892
- C:\Windows\system32\reg.exe
  reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Windows Search" /v "CortanaConsent" /t REG_DWORD /d "0" /f
  2⤵
  PID:2164
- C:\Windows\system32\reg.exe
  reg add "HKCU\Software\Policies\Microsoft\Windows\Explorer" /v "DisableSearchBoxSuggestions" /t REG_DWORD /d "1" /f
  2⤵
  PID:2092
- C:\Windows\system32\reg.exe
  reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Windows Search" /v "DisableSearch" /t REG_DWORD /d "1" /f
  2⤵
  PID:4092
- C:\Windows\system32\reg.exe
  reg add "HKCU\Control Panel\Desktop" /v "LockScreenAutoLockActive" /t REG_SZ /d "0" /f
  2⤵
  PID:3096
- C:\Windows\system32\reg.exe
  reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Lock Screen" /v "SlideshowEnabled" /t REG_DWORD /d "0" /f
  2⤵
  PID:2660
- C:\Windows\system32\reg.exe
  reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer" /v "AicEnabled" /t REG_SZ /d "Anywhere" /f
  2⤵
  PID:2804
- C:\Windows\system32\reg.exe
  reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\AppInstaller" /v "EnableAppInstaller" /t REG_DWORD /d "1" /f
  2⤵
  PID:5088
- C:\Windows\system32\reg.exe
  reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\AppInstaller" /v "EnableDefaultSource" /t REG_DWORD /d "1" /f
  2⤵
  PID:3608
- C:\Windows\system32\reg.exe
  reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\AppInstaller" /v "EnableExperimentalFeatures" /t REG_DWORD /d "1" /f
  2⤵
  PID:3636
- C:\Windows\system32\reg.exe
  reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\AppInstaller" /v "EnableMicrosoftStoreSource" /t REG_DWORD /d "1" /f
  2⤵
  PID:1480
- C:\Windows\system32\reg.exe
  reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\AppInstaller" /v "EnableMSAppInstallerProtocol" /t REG_DWORD /d "1" /f
  2⤵
  PID:3756
- C:\Windows\system32\reg.exe
  reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\AppInstaller" /v "EnableSettings" /t REG_DWORD /d "1" /f
  2⤵
  PID:3140
- C:\Windows\system32\reg.exe
  reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Mobility" /v "OptedIn" /t REG_DWORD /d "0" /f
  2⤵
  PID:5108
- C:\Windows\system32\reg.exe
  reg add "HKEY_LOCAL_MACHINE\Microsoft\Windows\CurrentVersion\DeviceSetup" /v "CostedNetworkPolicy" /t REG_DWORD /d "0" /f
  2⤵
  PID:4492
- C:\Windows\system32\reg.exe
  reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoAutorun" /t REG_DWORD /d "1" /f
  2⤵
  PID:3780
- C:\Windows\system32\takeown.exe
  takeown /s UBLNJRHF /u Admin /f "C:\Users\Public\Desktop" /r /d y
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  PID:3860
- C:\Windows\system32\icacls.exe
  icacls "C:\Users\Public\Desktop" /inheritance:r
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  PID:3752
- C:\Windows\system32\icacls.exe
  icacls "C:\Users\Public\Desktop" /inheritance:e /grant:r Admin:(OI)(CI)F /t /l /q /c
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  PID:940
- C:\Windows\system32\takeown.exe
  takeown /s UBLNJRHF /u Admin /f "C:\Users\Admin\Desktop" /r /d y
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  PID:2520
- C:\Windows\system32\icacls.exe
  icacls "C:\Users\Admin\Desktop" /inheritance:r
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  PID:5064
- C:\Windows\system32\icacls.exe
  icacls "C:\Users\Admin\Desktop" /inheritance:e /grant:r Admin:(OI)(CI)F /t /l /q /c
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  PID:1676
- C:\Windows\system32\takeown.exe
  takeown /s UBLNJRHF /u Admin /f "Z:\Desktop" /r /d y
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  - Enumerates connected drives
  PID:4792
- C:\Windows\system32\icacls.exe
  icacls "Z:\Desktop" /inheritance:r
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  PID:3952
- C:\Windows\system32\icacls.exe
  icacls "Z:\Desktop" /inheritance:e /grant:r Admin:(OI)(CI)F /t /l /q /c
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  PID:3996
- C:\Windows\system32\reg.exe
  reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /v "Shell" /t REG_SZ /d "explorer.exe" /f
  2⤵
  - Modifies WinLogon for persistence
  PID:1980
- C:\Windows\system32\reg.exe
  reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /v "Userinit" /t REG_SZ /d "C:\Windows\System32\userinit.exe," /f
  2⤵
  - Modifies WinLogon for persistence
  PID:1384
- C:\Windows\system32\reg.exe
  reg add "HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon" /v "Shell" /t REG_SZ /d "explorer.exe" /f
  2⤵
  - Modifies WinLogon for persistence
  PID:784
- C:\Windows\system32\reg.exe
  reg add "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager" /v "BootExecute" /t REG_MULTI_SZ /d "autocheck autochk *" /f
  2⤵
  - Uses Session Manager for persistence
  PID:2420
- C:\Windows\system32\reg.exe
  reg add "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager" /v "SETUPEXECUTE" /t REG_MULTI_SZ /d "" /f
  2⤵
  - Uses Session Manager for persistence
  PID:1888
- C:\Windows\system32\reg.exe
  reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "LaunchTo" /t REG_DWORD /d "1" /f
  2⤵
  PID:4536
- C:\Windows\system32\reg.exe
  reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer" /v "IconUnderline" /t REG_DWORD /d "2" /f
  2⤵
  PID:1036
- C:\Windows\system32\reg.exe
  reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer" /v "ShowRecent" /t REG_DWORD /d "0" /f
  2⤵
  PID:692
- C:\Windows\system32\reg.exe
  reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer" /v "ShowFrequent" /t REG_DWORD /d "0" /f
  2⤵
  PID:4876
- C:\Windows\system32\reg.exe
  reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer" /v "ShowCloudFilesInQuickAccess" /t REG_DWORD /d "0" /f
  2⤵
  PID:1684
- C:\Windows\system32\reg.exe
  reg add "HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell" /v "FolderType" /t REG_SZ /d "NotSpecified" /f
  2⤵
  - Modifies registry class
  PID:464
- C:\Windows\system32\reg.exe
  reg add "HKCU\Software\Classes\CLSID\{e88865ea-0e1c-4e20-9aa6-edcd0212c87c}" /v "System.IsPinnedToNameSpaceTree" /t REG_DWORD /d "0" /f
  2⤵
  - Modifies registry class
  PID:3420
- C:\Windows\system32\reg.exe
  reg delete "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\MyComputer\NameSpace\{0DB7E03F-FC29-4DC6-9020-FF41B59E513A}" /f
  2⤵
  PID:3684
- C:\Windows\system32\reg.exe
  reg add "HKEY_LOCAL_MACHINE\Software\Windows\CurrentVersion\Explorer" /v "HubMode" /t REG_DWORD /d "1" /f
  2⤵
  PID:3500
- C:\Windows\system32\reg.exe
  reg delete "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace_36354489\{f874310e-b6b7-47dc-bc84-b9e6b38f5903}" /f
  2⤵
  PID:4988
- C:\Windows\system32\reg.exe
  reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "Hidden" /t REG_DWORD /d "1" /f
  2⤵
  PID:2908
- C:\Windows\system32\reg.exe
  reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "HideFileExt" /t REG_DWORD /d "0" /f
  2⤵
  - Modifies visibility of file extensions in Explorer
  PID:2044
- C:\Windows\system32\reg.exe
  reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "ShowSuperHidden" /t REG_DWORD /d "1" /f
  2⤵
  - Modifies visiblity of hidden/system files in Explorer
  PID:652
- C:\Windows\system32\reg.exe
  reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "SeparateProcess" /t REG_DWORD /d "1" /f
  2⤵
  PID:3540
- C:\Windows\system32\reg.exe
  reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "ShowSyncProviderNotifications" /t REG_DWORD /d "0" /f
  2⤵
  PID:4724
- C:\Windows\system32\reg.exe
  reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "SharingWizardOn" /t REG_DWORD /d "0" /f
  2⤵
  PID:3156
- C:\Windows\system32\reg.exe
  reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "NavPaneExpandToCurrentFolder" /t REG_DWORD /d "0" /f
  2⤵
  PID:1996
- C:\Windows\system32\reg.exe
  reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer" /v "DesktopProcess" /t REG_DWORD /d "1" /f
  2⤵
  PID:2836
- C:\Windows\system32\reg.exe
  reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\AutoComplete" /v "Append Completion" /t REG_SZ /d "No" /f
  2⤵
  PID:2264
- C:\Windows\system32\reg.exe
  reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\OperationStatusManager" /v "ConfirmationCheckBoxDoForAll" /t REG_DWORD /d "0" /f
  2⤵
  PID:1916
- C:\Windows\system32\reg.exe
  reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\OperationStatusManager" /v "EnthusiastMode" /t REG_DWORD /d "0" /f
  2⤵
  PID:3308
- C:\Windows\system32\reg.exe
  reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer" /v "NoPreviousVersionsPage" /t REG_DWORD /d "1" /f
  2⤵
  PID:2848
- C:\Windows\system32\reg.exe
  reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "ConfirmFileDelete" /t REG_DWORD /d "1" /f
  2⤵
  PID:2068
- C:\Windows\system32\reg.exe
  reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Explorer" /v "NoUseStoreOpenWith" /t REG_DWORD /d "1" /f
  2⤵
  PID:1556
- C:\Windows\system32\reg.exe
  Reg.exe add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\VisualEffects" /v "VisualFXSetting" /t REG_DWORD /d "3" /f
  2⤵
  PID:3032
- C:\Windows\system32\reg.exe
  Reg.exe add "HKEY_CLASSES_ROOT\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}" /v "System.IsPinnedToNameSpaceTree" /t REG_DWORD /d "0" /f
  2⤵
  - Modifies registry class
  PID:3496
- C:\Windows\system32\reg.exe
  Reg.exe add "HKEY_CLASSES_ROOT\CLSID\{F02C1A0D-BE21-4350-88B0-7367FC96EF3C}\ShellFolder" /v "Attributes" /t REG_DWORD /d "2962489444" /f
  2⤵
  - Modifies registry class
  PID:3796
- C:\Windows\system32\reg.exe
  Reg.exe add "HKEY_CLASSES_ROOT\Paint.Picture\DefaultIcon" /ve /d "" /f
  2⤵
  - Modifies registry class
  PID:1092
- C:\Windows\system32\reg.exe
  Reg.exe add "HKEY_CLASSES_ROOT\WOW6432Node\CLSID\{F02C1A0D-BE21-4350-88B0-7367FC96EF3C}\ShellFolder" /v "Attributes" /t REG_DWORD /d "2962489444" /f
  2⤵
  - Modifies registry class
  PID:232
- C:\Windows\system32\reg.exe
  Reg.exe add "HKEY_CURRENT_USER\Control Panel\Accessibility" /v "Sound on Activation" /t REG_DWORD /d "0" /f
  2⤵
  PID:3312
- C:\Windows\system32\reg.exe
  Reg.exe add "HKEY_CURRENT_USER\Control Panel\Accessibility" /v "Warning Sounds" /t REG_DWORD /d "0" /f
  2⤵
  PID:4908
- C:\Windows\system32\reg.exe
  Reg.exe add "HKEY_CURRENT_USER\Control Panel\Desktop" /v "AutoEndTasks" /t REG_SZ /d "1" /f
  2⤵
  PID:708
- C:\Windows\system32\reg.exe
  Reg.exe add "HKEY_CURRENT_USER\Control Panel\Desktop" /v "HungAppTimeout" /t REG_SZ /d "1000" /f
  2⤵
  PID:2336
- C:\Windows\system32\reg.exe
  Reg.exe add "HKEY_CURRENT_USER\Control Panel\Desktop" /v "LowLevelHooksTimeout" /t REG_SZ /d "1000" /f
  2⤵
  PID:448
- C:\Windows\system32\reg.exe
  Reg.exe add "HKEY_CURRENT_USER\Control Panel\Desktop" /v "MenuShowDelay" /t REG_SZ /d "0" /f
  2⤵
  PID:2076
- C:\Windows\system32\reg.exe
  Reg.exe add "HKEY_CURRENT_USER\Control Panel\Desktop" /v "MouseWheelRouting" /t REG_DWORD /d 0 /f
  2⤵
  PID:4288
- C:\Windows\system32\reg.exe
  Reg.exe add "HKEY_CURRENT_USER\Control Panel\Desktop" /v "WaitToKillAppTimeout" /t REG_SZ /d "2000" /f
  2⤵
  PID:3596
- C:\Windows\system32\reg.exe
  Reg.exe add "HKEY_CURRENT_USER\Control Panel\Desktop\WindowMetrics" /v "MinAnimate" /t REG_SZ /d "0" /f
  2⤵
  PID:4856
- C:\Windows\system32\reg.exe
  Reg.exe add "HKCU\Control Panel\Desktop" /v "DragFullWindows" /t REG_SZ /d "0" /f
  2⤵
  PID:4644
- C:\Windows\system32\reg.exe
  Reg.exe add "HKCU\Control Panel\Desktop" /v "Win8DpiScaling" /t REG_DWORD /d "0" /f
  2⤵
  PID:876
- C:\Windows\system32\reg.exe
  Reg.exe add "HKCU\Control Panel\Desktop" /v "DpiScalingVer" /t REG_DWORD /d "4096" /f
  2⤵
  PID:3516
- C:\Windows\system32\reg.exe
  Reg.exe add "HKCU\Control Panel\Desktop" /v "LastUpdated" /t REG_DWORD /d "4294967295" /f
  2⤵
  PID:3416
- C:\Windows\system32\reg.exe
  Reg.exe add "HKCU\Control Panel\Desktop" /v "ForegroundLockTimeout" /t REG_SZ /d "150000" /f
  2⤵
  PID:1512
- C:\Windows\system32\reg.exe
  Reg.exe add "HKCU\Control Panel\Desktop" /v "AutoEndTasks" /t REG_SZ /d "1" /f
  2⤵
  PID:4984
- C:\Windows\system32\reg.exe
  Reg.exe add "HKCU\Control Panel\Desktop" /v "HungAppTimeout" /t REG_SZ /d "4000" /f
  2⤵
  PID:2396
- C:\Windows\system32\reg.exe
  Reg.exe add "HKCU\Control Panel\Desktop" /v "WaitToKillAppTimeout" /t REG_SZ /d "5000" /f
  2⤵
  PID:244
- C:\Windows\system32\reg.exe
  Reg.exe add "HKCU\Control Panel\Desktop" /v "LowLevelHooksTimeout" /t REG_SZ /d "1000" /f
  2⤵
  PID:1656
- C:\Windows\system32\reg.exe
  Reg.exe add "HKCU\Control Panel\Desktop" /v "MenuShowDelay" /t REG_SZ /d "0" /f
  2⤵
  PID:4084
- C:\Windows\system32\reg.exe
  Reg.exe add "HKCU\Control Panel\Desktop" /v "Pattern Upgrade" /t REG_SZ /d "TRUE" /f
  2⤵
  PID:4700
- C:\Windows\system32\reg.exe
  Reg.exe add "HKCU\Control Panel\Desktop" /v "WaitToKillServiceTimeout" /t REG_SZ /d "1000" /f
  2⤵
  PID:1084
- C:\Windows\system32\reg.exe
  Reg.exe add "HKEY_CURRENT_USER\Control Panel\PowerCfg" /v "CurrentPowerPolicy" /t REG_SZ /d "4" /f
  2⤵
  PID:436
- C:\Windows\system32\reg.exe
  Reg.exe add "HKEY_CURRENT_USER\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell" /v "FolderType" /t REG_SZ /d "NotSpecified" /f
  2⤵
  - Modifies registry class
  PID:3856
- C:\Windows\system32\reg.exe
  Reg.exe add "HKEY_CURRENT_USER\Software\Microsoft\CTF\LangBar" /v "ExtraIconsOnMinimized" /t REG_DWORD /d "0" /f
  2⤵
  PID:3668
- C:\Windows\system32\reg.exe
  Reg.exe add "HKEY_CURRENT_USER\Software\Microsoft\CTF\LangBar" /v "Label" /t REG_DWORD /d "0" /f
  2⤵
  PID:3972
- C:\Windows\system32\reg.exe
  Reg.exe add "HKEY_CURRENT_USER\Software\Microsoft\CTF\LangBar" /v "ShowStatus" /t REG_DWORD /d "3" /f
  2⤵
  PID:908
- C:\Windows\system32\reg.exe
  Reg.exe add "HKEY_CURRENT_USER\Software\Microsoft\CTF\LangBar" /v "Transparency" /t REG_DWORD /d "255" /f
  2⤵
  PID:4172
- C:\Windows\system32\reg.exe
  Reg.exe add "HKEY_CURRENT_USER\Software\Microsoft\Input\Settings" /v "EnableExpressiveInputShellHotkey" /t REG_DWORD /d 1 /f
  2⤵
  PID:2880
- C:\Windows\system32\reg.exe
  Reg.exe add "HKEY_CURRENT_USER\Software\Microsoft\Input\Settings" /v "EnableExpressiveInputEmojiMultipleSelection" /t REG_DWORD /d 1 /f
  2⤵
  PID:4480
- C:\Windows\system32\reg.exe
  Reg.exe add "HKEY_CURRENT_USER\Software\Microsoft\Input\Settings" /v "EnableExpressiveInputEmojiMultipleSelection" /t REG_DWORD /d "0" /f
  2⤵
  PID:4276
- C:\Windows\system32\reg.exe
  Reg.exe add "HKEY_CURRENT_USER\Software\Microsoft\Input\TIPC" /v "Enabled" /t REG_DWORD /d 0 /f
  2⤵
  PID:1212
- C:\Windows\system32\reg.exe
  Reg.exe add "HKEY_CURRENT_USER\Software\Microsoft\Input\TIPC" /v "Enabled" /t REG_DWORD /d 0 /f
  2⤵
  PID:1488
- C:\Windows\system32\reg.exe
  Reg.exe add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\InputPersonalization" /v "RestrictImplicitInkCollection" /t REG_DWORD /d 1 /f
  2⤵
  PID:4104
- C:\Windows\system32\reg.exe
  Reg.exe add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\InputPersonalization" /v "RestrictImplicitTextCollection" /t REG_DWORD /d 1 /f
  2⤵
  PID:1716
- C:\Windows\system32\reg.exe
  Reg.exe add "HKEY_CURRENT_USER\Software\Microsoft\InputPersonalization\TrainedDataStore" /v "HarvestContacts" /t REG_DWORD /d 0 /f
  2⤵
  PID:1228
- C:\Windows\system32\reg.exe
  Reg.exe add "HKEY_CURRENT_USER\Software\Microsoft\InputPersonalization\TrainedDataStore" /v "InsightsEnabled" /t REG_DWORD /d 0 /f
  2⤵
  PID:4740
- C:\Windows\system32\reg.exe
  Reg.exe add "HKEY_CURRENT_USER\Software\Microsoft\InputPersonalization\TrainedDataStore" /v "LMDataLoggerEnabled" /t REG_DWORD /d 0 /f
  2⤵
  PID:4572
- C:\Windows\system32\reg.exe
  Reg.exe add "HKEY_CURRENT_USER\Software\Microsoft\Multimedia\Audio" /v "UserDuckingPreference" /t REG_DWORD /d "3" /f
  2⤵
  PID:4736
- C:\Windows\system32\reg.exe
  Reg.exe add "HKEY_CURRENT_USER\Software\Microsoft\Narrator" /v "EchoChars" /t REG_DWORD /d "0" /f
  2⤵
  PID:1128
- C:\Windows\system32\reg.exe
  Reg.exe add "HKEY_CURRENT_USER\Software\Microsoft\Narrator" /v "EchoWords" /t REG_DWORD /d "0" /f
  2⤵
  PID:4948
- C:\Windows\system32\reg.exe
  Reg.exe add "HKEY_CURRENT_USER\Software\Microsoft\Narrator" /v "ErrorNotificationType" /t REG_DWORD /d "0" /f
  2⤵
  PID:4508
- C:\Windows\system32\reg.exe
  Reg.exe add "HKEY_CURRENT_USER\Software\Microsoft\Narrator" /v "PlayAudioCues" /t REG_DWORD /d "0" /f
  2⤵
  PID:3880
- C:\Windows\system32\reg.exe
  Reg.exe add "HKEY_CURRENT_USER\Software\Microsoft\Narrator" /v "ReadHints" /t REG_DWORD /d "0" /f
  2⤵
  PID:5052
- C:\Windows\system32\reg.exe
  Reg.exe add "HKEY_CURRENT_USER\Software\Microsoft\Narrator\NarratorHome" /v "AutoStart" /t REG_DWORD /d "0" /f
  2⤵
  PID:2164
- C:\Windows\system32\reg.exe
  Reg.exe add "HKEY_CURRENT_USER\Software\Microsoft\Narrator\NarratorHome" /v "MinimizeType" /t REG_DWORD /d "0" /f
  2⤵
  PID:3904
- C:\Windows\system32\reg.exe
  Reg.exe add "HKEY_CURRENT_USER\Software\Microsoft\Narrator\NoRoam" /v "EchoModifierKeys" /t REG_DWORD /d "0" /f
  2⤵
  PID:2952
- C:\Windows\system32\reg.exe
  Reg.exe add "HKEY_CURRENT_USER\Software\Microsoft\Narrator\NoRoam" /v "EchoToggleKeys" /t REG_DWORD /d "0" /f
  2⤵
  PID:3120
- C:\Windows\system32\reg.exe
  Reg.exe add "HKEY_CURRENT_USER\Software\Microsoft\Narrator\NoRoam" /v "WinEnterLaunchEnabled" /t REG_DWORD /d "0" /f
  2⤵
  PID:2660
- C:\Windows\system32\reg.exe
  Reg.exe add "HKEY_CURRENT_USER\Software\Microsoft\OneDrive\Accounts\Personal" /v "ShareNotificationDisabled" /t REG_DWORD /d "1" /f
  2⤵
  PID:2056
- C:\Windows\system32\reg.exe
  Reg.exe add "HKEY_CURRENT_USER\Software\Microsoft\OneDrive\Accounts\Personal" /v "MassDeleteNotificationDisabled" /t REG_DWORD /d "1" /f
  2⤵
  PID:3052
- C:\Windows\system32\reg.exe
  Reg.exe add "HKEY_CURRENT_USER\Software\Microsoft\ScreenMagnifier" /v "FollowCaret" /t REG_DWORD /d "0" /f
  2⤵
  PID:5088
- C:\Windows\system32\reg.exe
  Reg.exe add "HKEY_CURRENT_USER\Software\Microsoft\ScreenMagnifier" /v "FollowFocus" /t REG_DWORD /d "0" /f
  2⤵
  PID:844
- C:\Windows\system32\reg.exe
  Reg.exe add "HKEY_CURRENT_USER\Software\Microsoft\ScreenMagnifier" /v "FollowMouse" /t REG_DWORD /d "0" /f
  2⤵
  PID:236
- C:\Windows\system32\reg.exe
  Reg.exe add "HKEY_CURRENT_USER\Software\Microsoft\ScreenMagnifier" /v "FollowNarrator" /t REG_DWORD /d "0" /f
  2⤵
  PID:3756
- C:\Windows\system32\reg.exe
  Reg.exe add "HKEY_CURRENT_USER\Software\Microsoft\ScreenMagnifier" /v "RunningState" /t REG_DWORD /d "0" /f
  2⤵
  PID:2288
- C:\Windows\system32\reg.exe
  Reg.exe add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Shell\USB" /v "NotifyOnUsbErrors" /t REG_DWORD /d "0" /f
  2⤵
  PID:4012
- C:\Windows\system32\reg.exe
  Reg.exe add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Siuf\Rules" /v "NumberOfSIUFInPeriod" /t REG_DWORD /d "0" /f
  2⤵
  PID:1580
- C:\Windows\system32\reg.exe
  Reg.exe add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Speech_OneCore\Settings\VoiceActivation\UserPreferenceForAllApps" /v "AgentActivationEnabled" /t REG_DWORD /d "0" /f
  2⤵
  PID:4492
- C:\Windows\system32\reg.exe
  Reg.exe add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Speech_OneCore\Settings\VoiceActivation\UserPreferenceForAllApps" /v "AgentActivationLastUsed" /t REG_DWORD /d "0" /f
  2⤵
  PID:3860
- C:\Windows\system32\reg.exe
  Reg.exe add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\TabletTip\1.7" /v "DisableACIntegration" /t REG_DWORD /d 1 /f
  2⤵
  PID:3752
- C:\Windows\system32\reg.exe
  Reg.exe add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\TabletTip\1.7" /v "DisableEdgeTarget" /t REG_DWORD /d 1 /f
  2⤵
  PID:940
- C:\Windows\system32\reg.exe
  Reg.exe add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\TabletTip\1.7" /v "EnableAutocorrection" /t REG_DWORD /d 0 /f
  2⤵
  PID:1608
- C:\Windows\system32\reg.exe
  Reg.exe add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\TabletTip\1.7" /v "EnableAutoShiftEngage" /t REG_DWORD /d 0 /f
  2⤵
  PID:2256
- C:\Windows\system32\reg.exe
  Reg.exe add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\TabletTip\1.7" /v "EnableDesktopModeAutoInvoke" /t REG_DWORD /d 0 /f
  2⤵
  PID:4704
- C:\Windows\system32\reg.exe
  Reg.exe add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\TabletTip\1.7" /v "EnableDoubleTapSpace" /t REG_DWORD /d 0 /f
  2⤵
  PID:4852
- C:\Windows\system32\reg.exe
  Reg.exe add "HKEY_CURRENT_USER\Software\Microsoft\TabletTip\1.7" /v "EnableDoubleTapSpace" /t REG_DWORD /d "0" /f
  2⤵
  PID:2196
- C:\Windows\system32\reg.exe
  Reg.exe add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\TabletTip\1.7" /v "EnableInkingWithTouch" /t REG_DWORD /d 0 /f
  2⤵
  PID:3092
- C:\Windows\system32\reg.exe
  Reg.exe add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\TabletTip\1.7" /v "EnableKeyAudioFeedback" /t REG_DWORD /d 0 /f
  2⤵
  PID:1428
- C:\Windows\system32\reg.exe
  Reg.exe add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\TabletTip\1.7" /v "EnablePredictionSpaceInsertion" /t REG_DWORD /d 0 /f
  2⤵
  PID:1980
- C:\Windows\system32\reg.exe
  Reg.exe add "HKEY_CURRENT_USER\Software\Microsoft\TabletTip\1.7" /v "EnablePredictionSpaceInsertion" /t REG_DWORD /d "0" /f
  2⤵
  PID:2400
- C:\Windows\system32\reg.exe
  Reg.exe add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\TabletTip\1.7" /v "EnableShiftLock" /t REG_DWORD /d 1 /f
  2⤵
  PID:784
- C:\Windows\system32\reg.exe
  Reg.exe add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\TabletTip\1.7" /v "EnableSpellchecking" /t REG_DWORD /d 0 /f
  2⤵
  PID:488
- C:\Windows\system32\reg.exe
  Reg.exe add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\TabletTip\1.7" /v "EnableTextPrediction" /t REG_DWORD /d 0 /f
  2⤵
  PID:1640
- C:\Windows\system32\reg.exe
  Reg.exe add "HKEY_CURRENT_USER\Software\Microsoft\TabletTip\1.7" /v "EnableTextPrediction" /t REG_DWORD /d "0" /f
  2⤵
  PID:340
- C:\Windows\system32\reg.exe
  Reg.exe add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\TabletTip\1.7" /v "HideIPTIPTarget" /t REG_DWORD /d 1 /f
  2⤵
  PID:2476
- C:\Windows\system32\reg.exe
  Reg.exe add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\TabletTip\1.7" /v "HideIPTIPTouchTarget" /t REG_DWORD /d 1 /f
  2⤵
  PID:2080
- C:\Windows\system32\reg.exe
  Reg.exe add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\TabletTip\1.7" /v "IncludeRareChar" /t REG_DWORD /d 0 /f
  2⤵
  PID:1684
- C:\Windows\system32\reg.exe
  Reg.exe add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\TabletTip\EmbeddedInkControl" /v "EnableInkingWithTouch" /t REG_DWORD /d 0 /f
  2⤵
  PID:1508
- C:\Windows\system32\reg.exe
  Reg.exe add "HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v "LegacyDefaultPrinterMode" /t REG_DWORD /d "1" /f
  2⤵
  PID:2028
- C:\Windows\system32\reg.exe
  Reg.exe add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\BackgroundAccessApplications" /v "GlobalUserDisabled" /t REG_DWORD /d 0 /f
  2⤵
  PID:1968
- C:\Windows\system32\reg.exe
  Reg.exe add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Bluetooth" /v "QuickPair" /t REG_DWORD /d "0" /f
  2⤵
  PID:1520
- C:\Windows\system32\reg.exe
  Reg.exe add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\CDP" /v "RomeSdkChannelUserAuthzPolicy" /t REG_DWORD /d 0 /f
  2⤵
  PID:1628
- C:\Windows\system32\reg.exe
  Reg.exe add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\CDP" /v "CdpSessionUserAuthzPolicy" /t REG_DWORD /d 0 /f
  2⤵
  PID:8
- C:\Windows\system32\reg.exe
  Reg.exe add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "SilentInstalledAppsEnabled" /t REG_DWORD /d "0" /f
  2⤵
  PID:4660
- C:\Windows\system32\reg.exe
  Reg.exe add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "SystemPaneSuggestionsEnabled" /t REG_DWORD /d "0" /f
  2⤵
  PID:2188
- C:\Windows\system32\reg.exe
  Reg.exe add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "SoftLandingEnabled" /t REG_DWORD /d "0" /f
  2⤵
  PID:4956
- C:\Windows\system32\reg.exe
  Reg.exe add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "RotatingLockScreenEnabled" /t REG_DWORD /d "0" /f
  2⤵
  PID:2404
- C:\Windows\system32\reg.exe
  Reg.exe add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "RotatingLockScreenOverlayEnabled" /t REG_DWORD /d "0" /f
  2⤵
  PID:4636
- C:\Windows\system32\reg.exe
  Reg.exe add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "SubscribedContent-310093Enabled" /t REG_DWORD /d "0" /f
  2⤵
  PID:796
- C:\Windows\system32\reg.exe
  Reg.exe add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "SubscribedContent-314563Enabled" /t REG_DWORD /d "0" /f
  2⤵
  PID:3620
- C:\Windows\system32\reg.exe
  Reg.exe add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "SubscribedContent-338387Enabled" /t REG_DWORD /d "0" /f
  2⤵
  PID:2524
- C:\Windows\system32\reg.exe
  Reg.exe add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "SubscribedContent-338388Enabled" /t REG_DWORD /d "0" /f
  2⤵
  PID:2060
- C:\Windows\system32\reg.exe
  Reg.exe add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "SubscribedContent-338389Enabled" /t REG_DWORD /d "0" /f
  2⤵
  PID:792
- C:\Windows\system32\reg.exe
  Reg.exe add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "SubscribedContent-338393Enabled" /t REG_DWORD /d "0" /f
  2⤵
  PID:32
- C:\Windows\system32\reg.exe
  Reg.exe add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "SubscribedContent-353698Enabled" /t REG_DWORD /d "0" /f
  2⤵
  PID:5056
- C:\Windows\system32\reg.exe
  Reg.exe add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer" /v "EnableAutoTray" /t REG_DWORD /d 0 /f
  2⤵
  PID:1312
- C:\Windows\system32\reg.exe
  Reg.exe add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer" /v "AltTabSettings" /t REG_DWORD /d 1 /f
  2⤵
  PID:400
- C:\Windows\system32\reg.exe
  Reg.exe add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer" /v "HoverSelectDesktops" /t REG_DWORD /d "0" /f
  2⤵
  PID:4152
- C:\Windows\system32\reg.exe
  Reg.exe add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer" /v "link" /t REG_BINARY /d "00000000" /f
  2⤵
  PID:1040
- C:\Windows\system32\reg.exe
  Reg.exe add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer" /v ShowRecent /t REG_DWORD /d 0 /f
  2⤵
  PID:1404
- C:\Windows\system32\reg.exe
  Reg.exe add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer" /v ShowFrequent /t REG_DWORD /d 0 /f
  2⤵
  PID:4184
- C:\Windows\system32\reg.exe
  Reg.exe add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "DontPrettyPath" /t REG_DWORD /d 1 /f
  2⤵
  PID:3296
- C:\Windows\system32\reg.exe
  Reg.exe add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "ListviewShadow" /t REG_DWORD /d 0 /f
  2⤵
  PID:4164
- C:\Windows\system32\reg.exe
  Reg.exe add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "ExtendedUIHoverTime" /t REG_DWORD /d 196608 /f
  2⤵
  PID:2220
- C:\Windows\system32\reg.exe
  Reg.exe add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "DontPrettyPath" /t REG_DWORD /d 1 /f
  2⤵
  PID:984
- C:\Windows\system32\reg.exe
  Reg.exe add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "ListviewShadow" /t REG_DWORD /d 0 /f
  2⤵
  PID:1048
- C:\Windows\system32\reg.exe
  Reg.exe add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "DisallowShaking" /t REG_DWORD /d 1 /f
  2⤵
  PID:2084
- C:\Windows\system32\reg.exe
  Reg.exe add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "EnableBalloonTips" /t REG_DWORD /d 0 /f
  2⤵
  PID:3836
- C:\Windows\system32\reg.exe
  Reg.exe add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Serialize" /v "StartupDelayInMSec" /t REG_DWORD /d 0 /f
  2⤵
  PID:2380
- C:\Windows\system32\reg.exe
  Reg.exe add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "Start_TrackProgs" /t REG_DWORD /d 0 /f
  2⤵
  PID:4732
- C:\Windows\system32\reg.exe
  Reg.exe add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "HideFileExt" /t REG_DWORD /d 0 /f
  2⤵
  - Modifies visibility of file extensions in Explorer
  PID:3112
- C:\Windows\system32\reg.exe
  Reg.exe add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MultitaskingView\AllUpView" /v "AllUpView" /t REG_DWORD /d 0 /f
  2⤵
  PID:3456
- C:\Windows\system32\reg.exe
  Reg.exe add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MultitaskingView" /v "Remove TaskView" /t REG_DWORD /d 1 /f
  2⤵
  PID:5008
- C:\Windows\system32\reg.exe
  Reg.exe add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "ShowSyncProviderNotifications" /t REG_DWORD /d "0" /f
  2⤵
  PID:3316
- C:\Windows\system32\reg.exe
  Reg.exe add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "DisallowShaking" /t REG_DWORD /d "1" /f
  2⤵
  PID:928
- C:\Windows\system32\reg.exe
  Reg.exe add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "DisallowShaking" /t REG_DWORD /d "1" /f
  2⤵
  PID:688
- C:\Windows\system32\reg.exe
  Reg.exe add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "Start_TrackDocs" /t REG_DWORD /d "0" /f
  2⤵
  PID:4016
- C:\Windows\system32\reg.exe
  Reg.exe add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent" /v "AccentColorMenu" /t REG_DWORD /d "4278270938" /f
  2⤵
  PID:132
- C:\Windows\system32\reg.exe
  Reg.exe add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent" /v "StartColorMenu" /t REG_DWORD /d "4278332316" /f
  2⤵
  PID:4280
- C:\Windows\system32\reg.exe
  Reg.exe add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent" /v "AccentPalette" /t REG_BINARY /d "9b9a9900848381006d6b6a004c4a4800363533002625240019191900107c1000" /f
  2⤵
  PID:2960
- C:\Windows\system32\reg.exe
  Reg.exe add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "TaskbarBadges" /t REG_DWORD /d "0" /f
  2⤵
  PID:468
- C:\Windows\system32\reg.exe
  Reg.exe add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "VirtualDesktopTaskbarFilter" /t REG_DWORD /d "0" /f
  2⤵
  PID:1912
- C:\Windows\system32\reg.exe
  Reg.exe add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "VirtualDesktopAltTabFilter" /t REG_DWORD /d "0" /f
  2⤵
  PID:436
- C:\Windows\system32\reg.exe
  Reg.exe add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "Start_SearchFiles" /t REG_DWORD /d "2" /f
  2⤵
  PID:3056
- C:\Windows\system32\reg.exe
  Reg.exe add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "ServerAdminUI" /t REG_DWORD /d "0" /f
  2⤵
  PID:5028
- C:\Windows\system32\reg.exe
  Reg.exe add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "Hidden" /t REG_DWORD /d "2" /f
  2⤵
  PID:4264
- C:\Windows\system32\reg.exe
  Reg.exe add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "ShowCompColor" /t REG_DWORD /d "1" /f
  2⤵
  PID:908
- C:\Windows\system32\reg.exe
  Reg.exe add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "HideFileExt" /t REG_DWORD /d "0" /f
  2⤵
  - Modifies visibility of file extensions in Explorer
  PID:3632
- C:\Windows\system32\reg.exe
  Reg.exe add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "DontPrettyPath" /t REG_DWORD /d "1" /f
  2⤵
  PID:2880
- C:\Windows\system32\reg.exe
  Reg.exe add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "ShowInfoTip" /t REG_DWORD /d "1" /f
  2⤵
  PID:1672
- C:\Windows\system32\reg.exe
  Reg.exe add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "HideIcons" /t REG_DWORD /d "0" /f
  2⤵
  PID:4276
- C:\Windows\system32\reg.exe
  Reg.exe add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "MapNetDrvBtn" /t REG_DWORD /d "0" /f
  2⤵
  PID:1196
- C:\Windows\system32\reg.exe
  Reg.exe add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "WebView" /t REG_DWORD /d "0" /f
  2⤵
  PID:1688
- C:\Windows\system32\reg.exe
  Reg.exe add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "Filter" /t REG_DWORD /d "0" /f
  2⤵
  PID:1904
- C:\Windows\system32\reg.exe
  Reg.exe add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "ShowSuperHidden" /t REG_DWORD /d "1" /f
  2⤵
  - Modifies visiblity of hidden/system files in Explorer
  PID:1776
- C:\Windows\system32\reg.exe
  Reg.exe add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "SeparateProcess" /t REG_DWORD /d "0" /f
  2⤵
  PID:4740
- C:\Windows\system32\reg.exe
  Reg.exe add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "AutoCheckSelect" /t REG_DWORD /d "0" /f
  2⤵
  PID:2564
- C:\Windows\system32\reg.exe
  Reg.exe add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "IconsOnly" /t REG_DWORD /d "0" /f
  2⤵
  PID:2844
- C:\Windows\system32\reg.exe
  Reg.exe add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "ShowTypeOverlay" /t REG_DWORD /d "1" /f
  2⤵
  PID:2100
- C:\Windows\system32\reg.exe
  Reg.exe add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "ShowStatusBar" /t REG_DWORD /d "1" /f
  2⤵
  PID:4168
- C:\Windows\system32\reg.exe
  Reg.exe add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "StoreAppsOnTaskbar" /t REG_DWORD /d "1" /f
  2⤵
  PID:3108
- C:\Windows\system32\reg.exe
  Reg.exe add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "ListviewAlphaSelect" /t REG_DWORD /d "0" /f
  2⤵
  PID:2252
- C:\Windows\system32\reg.exe
  Reg.exe add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "ListviewShadow" /t REG_DWORD /d "0" /f
  2⤵
  PID:3036
- C:\Windows\system32\reg.exe
  Reg.exe add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "TaskbarAnimations" /t REG_DWORD /d "0" /f
  2⤵
  PID:2892
- C:\Windows\system32\reg.exe
  Reg.exe add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "OnboardUnpinCortana" /t REG_DWORD /d "1" /f
  2⤵
  PID:2092
- C:\Windows\system32\reg.exe
  Reg.exe add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "ShowCortanaButton" /t REG_DWORD /d "0" /f
  2⤵
  PID:4324
- C:\Windows\system32\reg.exe
  Reg.exe add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "ReindexedProfile" /t REG_DWORD /d "1" /f
  2⤵
  PID:3120
- C:\Windows\system32\reg.exe
  Reg.exe add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "StartMenuInit" /t REG_DWORD /d "13" /f
  2⤵
  PID:3096
- C:\Windows\system32\reg.exe
  Reg.exe add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "TaskbarStateLastRun" /t REG_BINARY /d "bc479c6400000000" /f
  2⤵
  PID:2804
- C:\Windows\system32\reg.exe
  Reg.exe add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "ShowSecondsInSystemClock" /t REG_DWORD /d "1" /f
  2⤵
  PID:4304
- C:\Windows\system32\reg.exe
  Reg.exe add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "TaskbarSi" /t REG_DWORD /d "1" /f
  2⤵
  PID:5088
- C:\Windows\system32\reg.exe
  Reg.exe add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "TaskbarAcrylicOpacity" /t REG_DWORD /d "0" /f
  2⤵
  PID:3636
- C:\Windows\system32\reg.exe
  Reg.exe add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "ShowSyncProviderNotifications" /t REG_DWORD /d "0" /f
  2⤵
  PID:4156
- C:\Windows\system32\reg.exe
  Reg.exe add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "ExtendedUIHoverTime" /t REG_DWORD /d "1" /f
  2⤵
  PID:1480
- C:\Windows\system32\reg.exe
  Reg.exe add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "ListviewWatermark" /t REG_DWORD /d "0" /f
  2⤵
  PID:2832
- C:\Windows\system32\reg.exe
  Reg.exe add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "StartShownOnUpgrade" /t REG_DWORD /d "1" /f
  2⤵
  PID:5108
- C:\Windows\system32\reg.exe
  Reg.exe add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "TaskbarDa" /t REG_DWORD /d "0" /f
  2⤵
  PID:4528
- C:\Windows\system32\reg.exe
  Reg.exe add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "LaunchTo" /t REG_DWORD /d "1" /f
  2⤵
  PID:3408
- C:\Windows\system32\reg.exe
  Reg.exe add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "TaskbarMn" /t REG_DWORD /d "0" /f
  2⤵
  PID:1464
- C:\Windows\system32\reg.exe
  Reg.exe add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "Start_NotifyNewApps" /t REG_DWORD /d "0" /f
  2⤵
  PID:3132
- C:\Windows\system32\reg.exe
  Reg.exe add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "Start_ShowRun" /t REG_DWORD /d "1" /f
  2⤵
  PID:2632
- C:\Windows\system32\reg.exe
  Reg.exe add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "NavPaneShowAllFolders" /t REG_DWORD /d "0" /f
  2⤵
  PID:940
- C:\Windows\system32\reg.exe
  Reg.exe add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "NoNetCrawling" /t REG_DWORD /d "1" /f
  2⤵
  PID:2520
- C:\Windows\system32\reg.exe
  Reg.exe add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "DITest" /t REG_DWORD /d "0" /f
  2⤵
  PID:4704
- C:\Windows\system32\reg.exe
  Reg.exe add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "MMTaskbarGlomLevel" /t REG_DWORD /d "0" /f
  2⤵
  PID:4792
- C:\Windows\system32\reg.exe
  Reg.exe add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "DisallowShaking" /t REG_DWORD /d "1" /f
  2⤵
  PID:4808
- C:\Windows\system32\reg.exe
  Reg.exe add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "ShowTaskViewButton" /t REG_DWORD /d "0" /f
  2⤵
  PID:664
- C:\Windows\system32\reg.exe
  Reg.exe add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "MMTaskbarMode" /t REG_DWORD /d "2" /f
  2⤵
  PID:3092
- C:\Windows\system32\timeout.exe
  timeout /T 2 /NOBREAK
  2⤵
  - Delays execution with timeout.exe
  PID:1980
- C:\Windows\system32\reg.exe
  Reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DXGKrnl" /v "CreateGdiPrimaryOnSlaveGPU" /t REG_DWORD /d "1" /f
  2⤵
  PID:2400
- C:\Windows\system32\reg.exe
  Reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DXGKrnl" /v "DriverSupportsCddDwmInterop" /t REG_DWORD /d "1" /f
  2⤵
  PID:1572
- C:\Windows\system32\reg.exe
  Reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DXGKrnl" /v "DxgkCddSyncDxAccess" /t REG_DWORD /d "1" /f
  2⤵
  PID:488
- C:\Windows\system32\reg.exe
  Reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DXGKrnl" /v "DxgkCddSyncGPUAccess" /t REG_DWORD /d "1" /f
  2⤵
  PID:4536
- C:\Windows\system32\reg.exe
  Reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DXGKrnl" /v "DxgkCddWaitForVerticalBlankEvent" /t REG_DWORD /d "1" /f
  2⤵
  PID:340
- C:\Windows\system32\reg.exe
  Reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DXGKrnl" /v "DxgkCreateSwapChain" /t REG_DWORD /d "1" /f
  2⤵
  PID:2476
- C:\Windows\system32\reg.exe
  Reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DXGKrnl" /v "DxgkFreeGpuVirtualAddress" /t REG_DWORD /d "1" /f
  2⤵
  PID:2080
- C:\Windows\system32\reg.exe
  Reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DXGKrnl" /v "DxgkOpenSwapChain" /t REG_DWORD /d "1" /f
  2⤵
  PID:1684
- C:\Windows\system32\reg.exe
  Reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DXGKrnl" /v "DxgkShareSwapChainObject" /t REG_DWORD /d "1" /f
  2⤵
  PID:1508
- C:\Windows\system32\reg.exe
  Reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DXGKrnl" /v "DxgkWaitForVerticalBlankEvent" /t REG_DWORD /d "1" /f
  2⤵
  PID:2028
- C:\Windows\system32\reg.exe
  Reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DXGKrnl" /v "DxgkWaitForVerticalBlankEvent2" /t REG_DWORD /d "1" /f
  2⤵
  PID:1968
- C:\Windows\system32\reg.exe
  Reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DXGKrnl" /v "DXVA_RESERVED9" /t REG_DWORD /d "1" /f
  2⤵
  PID:1520
- C:\Windows\system32\reg.exe
  Reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DXGKrnl" /v "DXVA_RESERVED10" /t REG_DWORD /d "1" /f
  2⤵
  PID:1628
- C:\Windows\system32\reg.exe
  Reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DXGKrnl" /v "DXVA_RESERVED11" /t REG_DWORD /d "1" /f
  2⤵
  PID:4408
- C:\Windows\system32\reg.exe
  Reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DXGKrnl" /v "DXVA_RESERVED12" /t REG_DWORD /d "1" /f
  2⤵
  PID:8
- C:\Windows\system32\reg.exe
  Reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DXGKrnl" /v "DXVA_RESERVED13" /t REG_DWORD /d "1" /f
  2⤵
  PID:2188
- C:\Windows\system32\reg.exe
  Reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DXGKrnl" /v "DXVA_RESERVED14" /t REG_DWORD /d "1" /f
  2⤵
  PID:4956
- C:\Windows\system32\reg.exe
  Reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DXGKrnl" /v "DXVA_RESERVED15" /t REG_DWORD /d "1" /f
  2⤵
  PID:2404
- C:\Windows\system32\reg.exe
  Reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DXGKrnl" /v "DXVA_RESERVED16" /t REG_DWORD /d "1" /f
  2⤵
  PID:4368
- C:\Windows\system32\reg.exe
  Reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DXGKrnl" /v "DXVA_RESERVED17" /t REG_DWORD /d "1" /f
  2⤵
  PID:4892
- C:\Windows\system32\reg.exe
  Reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DXGKrnl" /v "DXVA_RESERVED18" /t REG_DWORD /d "1" /f
  2⤵
  PID:3156
- C:\Windows\system32\reg.exe
  Reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DXGKrnl" /v "DXVA_RESERVED19" /t REG_DWORD /d "1" /f
  2⤵
  PID:1448
- C:\Windows\system32\reg.exe
  Reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DXGKrnl" /v "DXVA_RESERVED20" /t REG_DWORD /d "1" /f
  2⤵
  PID:2836
- C:\Windows\system32\reg.exe
  Reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DXGKrnl" /v "DXVA_RESERVED21" /t REG_DWORD /d "1" /f
  2⤵
  PID:4100
- C:\Windows\system32\reg.exe
  Reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DXGKrnl" /v "DXVA_RESERVED22" /t REG_DWORD /d "1" /f
  2⤵
  PID:3992
- C:\Windows\system32\reg.exe
  Reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DXGKrnl" /v "DXVA_RESERVED23" /t REG_DWORD /d "1" /f
  2⤵
  PID:1916
- C:\Windows\system32\reg.exe
  Reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DXGKrnl" /v "DXVA_RESERVED24" /t REG_DWORD /d "1" /f
  2⤵
  PID:1964
- C:\Windows\system32\reg.exe
  Reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DXGKrnl" /v "DXVA_RESERVED25" /t REG_DWORD /d "1" /f
  2⤵
  PID:2068
- C:\Windows\system32\reg.exe
  Reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DXGKrnl" /v "DXVA_RESERVED26" /t REG_DWORD /d "1" /f
  2⤵
  PID:1556
- C:\Windows\system32\reg.exe
  Reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DXGKrnl" /v "DXVA_RESERVED27" /t REG_DWORD /d "1" /f
  2⤵
  PID:3032
- C:\Windows\system32\reg.exe
  Reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DXGKrnl" /v "DXVA_RESERVED28" /t REG_DWORD /d "1" /f
  2⤵
  PID:4668
- C:\Windows\system32\reg.exe
  Reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DXGKrnl" /v "DXVA_RESERVED29" /t REG_DWORD /d "1" /f
  2⤵
  PID:3496
- C:\Windows\system32\reg.exe
  Reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DXGKrnl" /v "DXVA_RESERVED30" /t REG_DWORD /d "1" /f
  2⤵
  PID:2552
- C:\Windows\system32\reg.exe
  Reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DXGKrnl" /v "DXVA_RESERVED31" /t REG_DWORD /d "1" /f
  2⤵
  PID:2416
- C:\Windows\system32\reg.exe
  Reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DXGKrnl" /v "DXVA_FILMGRAINBUFFER" /t REG_DWORD /d "1" /f
  2⤵
  PID:4336
- C:\Windows\system32\reg.exe
  Reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DXGKrnl" /v "DXVACOMPBUFFER_MAX" /t REG_DWORD /d "8" /f
  2⤵
  PID:4908
- C:\Windows\system32\reg.exe
  Reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DXGKrnl" /v "MOTIONVECTORBUFFER" /t REG_DWORD /d "4" /f
  2⤵
  PID:5096
- C:\Windows\system32\reg.exe
  Reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DXGKrnl" /v "SwapChainBackBuffer" /t REG_DWORD /d "2" /f
  2⤵
  PID:3292
- C:\Windows\system32\reg.exe
  Reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DXGKrnl" /v "TdrResetFromTimeoutAsync" /t REG_DWORD /d "1" /f
  2⤵
  PID:2336
- C:\Windows\system32\reg.exe
  Reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\kernel" /v "ObUnsecureGlobalNames" /t REG_MULTI_SZ /d "netfxcustomperfcounters.1.0\0SharedPerfIPCBlock\0Cor_Private_IPCBlock\0Cor_Public_IPCBlock_" /f
  2⤵
  PID:3908
- C:\Windows\system32\reg.exe
  Reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\kernel" /v "SeTokenSingletonAttributesConfig" /t REG_DWORD /d "3" /f
  2⤵
  PID:4288
- C:\Windows\system32\reg.exe
  Reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\kernel" /v "obcaseinsensitive" /t REG_DWORD /d "1" /f
  2⤵
  PID:2292
- C:\Windows\system32\reg.exe
  Reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\kernel" /v "DpcTimeout" /t REG_DWORD /d "0" /f
  2⤵
  PID:4856
- C:\Windows\system32\reg.exe
  Reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\kernel" /v "IdealDpcRate" /t REG_DWORD /d "1" /f
  2⤵
  PID:1600
- C:\Windows\system32\reg.exe
  Reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\kernel" /v "DpcWatchdogPeriod" /t REG_DWORD /d "0" /f
  2⤵
  PID:1788
- C:\Windows\system32\reg.exe
  Reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\kernel" /v "UnlimitDpcQueue" /t REG_DWORD /d "1" /f
  2⤵
  PID:1336
- C:\Windows\system32\reg.exe
  Reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\kernel" /v "MitigationOptions" /t REG_BINARY /d "002222202220202220000000002000200000000000000000" /f
  2⤵
  PID:3416
- C:\Windows\system32\reg.exe
  Reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\kernel" /v "MitigationAuditOptions" /t REG_BINARY /d "000000000000202200000000000000200000000000000000" /f
  2⤵
  PID:4544
- C:\Windows\system32\reg.exe
  Reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\kernel" /v "EAFModules" /t REG_SZ /d "" /f
  2⤵
  PID:4016
- C:\Windows\system32\reg.exe
  Reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\kernel" /v "PriorityControl" /t REG_DWORD /d "100" /f
  2⤵
  PID:3460
- C:\Windows\system32\reg.exe
  Reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\kernel" /v "DisableOverlappedExecution" /t REG_DWORD /d "0" /f
  2⤵
  PID:4280
- C:\Windows\system32\reg.exe
  Reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\kernel" /v "TimeIncrement" /t REG_DWORD /d "2" /f
  2⤵
  PID:2960
- C:\Windows\system32\reg.exe
  Reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\kernel" /v "QuantumLength" /t REG_DWORD /d "15" /f
  2⤵
  PID:468
- C:\Windows\system32\reg.exe
  Reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\kernel" /v "DistributeTimers" /t REG_DWORD /d "1" /f
  2⤵
  PID:3856
- C:\Windows\system32\reg.exe
  Reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\kernel" /v "GlobalTimerResolutionRequests" /t REG_DWORD /d "1" /f
  2⤵
  PID:3668
- C:\Windows\system32\reg.exe
  Reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\kernel" /v "MinimumDpcRate" /t REG_DWORD /d "1" /f
  2⤵
  PID:3056
- C:\Windows\system32\reg.exe
  Reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\kernel" /v "AdjustDpcThreshold" /t REG_DWORD /d "0" /f
  2⤵
  PID:5092
- C:\Windows\system32\reg.exe
  Reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\kernel" /v "DisableExceptionChainValidation" /t REG_DWORD /d "1" /f
  2⤵
  PID:4264
- C:\Windows\system32\reg.exe
  Reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\kernel" /v "KernelSEHOPEnabled" /t REG_DWORD /d "0" /f
  2⤵
  PID:4272
- C:\Windows\system32\reg.exe
  Reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\kernel" /v "UseNormalStack" /t REG_DWORD /d "1" /f
  2⤵
  PID:908
- C:\Windows\system32\reg.exe
  Reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\kernel" /v "UseNewEaBuffering" /t REG_DWORD /d "1" /f
  2⤵
  PID:2880
- C:\Windows\system32\reg.exe
  Reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\kernel" /v "StackSubSystemStackSize" /t REG_DWORD /d "65536" /f
  2⤵
  PID:1672
- C:\Windows\system32\reg.exe
  Reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\kernel" /v "SystemResponsivenessReserved" /t REG_DWORD /d "0" /f
  2⤵
  PID:4276
- C:\Windows\system32\reg.exe
  Reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\kernel" /v "EnableUserModeCache" /t REG_DWORD /d "1" /f
  2⤵
  PID:1196
- C:\Windows\system32\reg.exe
  Reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\kernel" /v "EnableLowLatencyIo" /t REG_DWORD /d "1" /f
  2⤵
  PID:1688
- C:\Windows\system32\reg.exe
  Reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\kernel" /v "EnableFsCacheHost" /t REG_DWORD /d "1" /f
  2⤵
  PID:1904
- C:\Windows\system32\reg.exe
  Reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\kernel" /v "DisableSystemPTEWriteBack" /t REG_DWORD /d "1" /f
  2⤵
  PID:1776
- C:\Windows\system32\reg.exe
  Reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\kernel" /v "KernelStackSize" /t REG_DWORD /d "8192" /f
  2⤵
  PID:4740
- C:\Windows\system32\reg.exe
  Reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\kernel" /v "PfnMaxLookahead" /t REG_DWORD /d "16" /f
  2⤵
  PID:2564
- C:\Windows\system32\reg.exe
  Reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\kernel" /v "LatencyMode" /t REG_DWORD /d "1" /f
  2⤵
  PID:1128
- C:\Windows\system32\reg.exe
  Reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\kernel" /v "EnableLowMemoryKiller" /t REG_DWORD /d "1" /f
  2⤵
  PID:2844
- C:\Windows\system32\reg.exe
  Reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\kernel" /v "CpuRelaxedSpeculation" /t REG_DWORD /d "1" /f
  2⤵
  PID:4168
- C:\Windows\system32\reg.exe
  Reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\kernel" /v "DisableDynamicTick" /t REG_DWORD /d "1" /f
  2⤵
  PID:3108
- C:\Windows\system32\reg.exe
  Reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\kernel" /v "DynamicTick" /t REG_DWORD /d "0" /f
  2⤵
  PID:2252
- C:\Windows\system32\reg.exe
  Reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\kernel" /v "EnergyDriverPolicy" /t REG_DWORD /d "1" /f
  2⤵
  PID:3036
- C:\Windows\system32\reg.exe
  Reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\kernel" /v "EnergyDriverPolicyVideo" /t REG_DWORD /d "1" /f
  2⤵
  PID:4300
- C:\Windows\system32\reg.exe
  Reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\kernel" /v "TimerBResolution" /t REG_DWORD /d "1" /f
  2⤵
  PID:2892
- C:\Windows\system32\reg.exe
  Reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\kernel" /v "TimerMinResolution" /t REG_DWORD /d "1" /f
  2⤵
  PID:4324
- C:\Windows\system32\reg.exe
  Reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\kernel" /v "TimerReliability" /t REG_DWORD /d "1" /f
  2⤵
  PID:2660
- C:\Windows\system32\reg.exe
  Reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\kernel" /v "KernelIoPriority" /t REG_DWORD /d "3" /f
  2⤵
  PID:3096
- C:\Windows\system32\reg.exe
  Reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\kernel" /v "DisableLowQosTimerResolution" /t REG_DWORD /d "1" /f
  2⤵
  PID:2804
- C:\Windows\system32\reg.exe
  Reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\kernel" /v "SerializeTimerExpiration" /t REG_DWORD /d "2" /f
  2⤵
  PID:3052
- C:\Windows\system32\reg.exe
  Reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\kernel" /v "TimerCheckFlags" /t REG_DWORD /d "8" /f
  2⤵
  PID:5088
- C:\Windows\system32\reg.exe
  Reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\kernel" /v "SplitLargeCaches" /t REG_DWORD /d "1" /f
  2⤵
  PID:3636
- C:\Windows\system32\reg.exe
  Reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\kernel" /v "SchedulerAssistThreadFlagOverride" /t REG_DWORD /d "1" /f
  2⤵
  PID:4156
- C:\Windows\system32\reg.exe
  Reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\kernel" /v "EnablePerCpuClockTickScheduling" /t REG_DWORD /d "1" /f
  2⤵
  PID:2288
- C:\Windows\system32\reg.exe
  Reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\kernel" /v "CacheErrataOverride" /t REG_DWORD /d "1" /f
  2⤵
  PID:2832
- C:\Windows\system32\reg.exe
  Reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\kernel" /v "CacheAwareScheduling" /t REG_DWORD /d "5" /f
  2⤵
  PID:5108
- C:\Windows\system32\reg.exe
  Reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\kernel" /v "ForceApicPhysicalDestinationMode" /t REG_DWORD /d "1" /f
  2⤵
  PID:4528
- C:\Windows\system32\reg.exe
  Reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\kernel" /v "TscInvariant" /t REG_DWORD /d "1" /f
  2⤵
  PID:3860
- C:\Windows\system32\reg.exe
  Reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\kernel" /v "ForceClockSync" /t REG_DWORD /d "1" /f
  2⤵
  PID:3408
- C:\Windows\system32\reg.exe
  Reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\kernel" /v "TscSyncPolicy" /t REG_DWORD /d "2" /f
  2⤵
  PID:4968
- C:\Windows\system32\reg.exe
  Reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\kernel" /v "TscAdjustDisable" /t REG_DWORD /d "1" /f
  2⤵
  PID:1608
- C:\Windows\system32\reg.exe
  Reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\kernel" /v "ContextNoPatchMode" /t REG_DWORD /d "1" /f
  2⤵
  PID:3132
- C:\Windows\system32\reg.exe
  Reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\kernel" /v "DisableTsx" /t REG_DWORD /d "0" /f
  2⤵
  PID:2584
- C:\Windows\system32\reg.exe
  Reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\kernel" /v "CoalescingTimerInterval" /t REG_DWORD /d "0" /f
  2⤵
  PID:2520
- C:\Windows\system32\reg.exe
  Reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\kernel" /v "DebugPollInterval" /t REG_DWORD /d "1000" /f
  2⤵
  PID:4792
- C:\Windows\system32\reg.exe
  Reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\kernel" /v "RebalanceMinPriority" /t REG_DWORD /d "1" /f
  2⤵
  PID:4808
- C:\Windows\system32\reg.exe
  Reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\kernel" /v "MaxDynamicTickDuration" /t REG_DWORD /d "10" /f
  2⤵
  PID:1384
- C:\Windows\system32\reg.exe
  Reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\kernel" /v "MaximumDpcQueueDepth" /t REG_DWORD /d "1" /f
  2⤵
  PID:664
- C:\Windows\system32\reg.exe
  Reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\kernel" /v "MaximumDpcRate" /t REG_DWORD /d "1" /f
  2⤵
  PID:1044
- C:\Windows\system32\reg.exe
  Reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\kernel" /v "MaximumSharedReadyQueueSize" /t REG_DWORD /d "128" /f
  2⤵
  PID:2852
- C:\Windows\system32\reg.exe
  Reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\kernel" /v "BufferSize" /t REG_DWORD /d "32" /f
  2⤵
  PID:4916
- C:\Windows\system32\reg.exe
  Reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\kernel" /v "IoQueueWorkItem" /t REG_DWORD /d "32" /f
  2⤵
  PID:2388
- C:\Windows\system32\reg.exe
  Reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\kernel" /v "IoQueueWorkItemToNode" /t REG_DWORD /d "32" /f
  2⤵
  PID:2420
- C:\Windows\system32\reg.exe
  Reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\kernel" /v "IoQueueWorkItemEx" /t REG_DWORD /d "32" /f
  2⤵
  PID:1888
- C:\Windows\system32\reg.exe
  Reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\kernel" /v "IoQueueThreadIrp" /t REG_DWORD /d "32" /f
  2⤵
  PID:1572
- C:\Windows\system32\reg.exe
  Reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\kernel" /v "ExTryQueueWorkItem" /t REG_DWORD /d "32" /f
  2⤵
  PID:1036
- C:\Windows\system32\reg.exe
  Reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\kernel" /v "ExQueueWorkItem" /t REG_DWORD /d "32" /f
  2⤵
  PID:2040
- C:\Windows\system32\reg.exe
  Reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\kernel" /v "IoEnqueueIrp" /t REG_DWORD /d "32" /f
  2⤵
  PID:4056
- C:\Windows\system32\reg.exe
  Reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\kernel" /v "DisableVsyncLatencyUpdate" /t REG_DWORD /d "1" /f
  2⤵
  PID:2480
- C:\Windows\system32\reg.exe
  Reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\kernel" /v "ExitLatencyCheckEnabled" /t REG_DWORD /d "1" /f
  2⤵
  PID:1524
- C:\Windows\system32\reg.exe
  Reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\kernel" /v "LatencyToleranceVSyncEnabled" /t REG_DWORD /d "1" /f
  2⤵
  PID:3420
- C:\Windows\system32\reg.exe
  Reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\kernel" /v "XMMIZeroingEnable" /t REG_DWORD /d "0" /f
  2⤵
  PID:1508
- C:\Windows\system32\reg.exe
  Reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\kernel\KGroups\00" /f
  2⤵
  PID:752
- C:\Windows\system32\reg.exe
  Reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager\kernel" /v "ObUnsecureGlobalNames" /t REG_MULTI_SZ /d "netfxcustomperfcounters.1.0\0SharedPerfIPCBlock\0Cor_Private_IPCBlock\0Cor_Public_IPCBlock_" /f
  2⤵
  PID:4988
- C:\Windows\system32\reg.exe
  Reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager\kernel" /v "SeTokenSingletonAttributesConfig" /t REG_DWORD /d "3" /f
  2⤵
  PID:1520
- C:\Windows\system32\reg.exe
  Reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager\kernel" /v "obcaseinsensitive" /t REG_DWORD /d "1" /f
  2⤵
  PID:2240
- C:\Windows\system32\reg.exe
  Reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager\kernel" /v "DpcTimeout" /t REG_DWORD /d "0" /f
  2⤵
  PID:2112
- C:\Windows\system32\reg.exe
  Reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager\kernel" /v "IdealDpcRate" /t REG_DWORD /d "1" /f
  2⤵
  PID:2044
- C:\Windows\system32\reg.exe
  Reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager\kernel" /v "DpcWatchdogPeriod" /t REG_DWORD /d "0" /f
  2⤵
  PID:1652
- C:\Windows\system32\reg.exe
  Reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager\kernel" /v "UnlimitDpcQueue" /t REG_DWORD /d "1" /f
  2⤵
  PID:2404
- C:\Windows\system32\reg.exe
  Reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager\kernel" /v "MitigationOptions" /t REG_BINARY /d "002222202220202220000000002000200000000000000000" /f
  2⤵
  PID:4368
- C:\Windows\system32\reg.exe
  Reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager\kernel" /v "MitigationAuditOptions" /t REG_BINARY /d "000000000000202200000000000000200000000000000000" /f
  2⤵
  PID:3620
- C:\Windows\system32\reg.exe
  Reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager\kernel" /v "EAFModules" /t REG_SZ /d "" /f
  2⤵
  PID:3156
- C:\Windows\system32\reg.exe
  Reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager\kernel" /v "PriorityControl" /t REG_DWORD /d "100" /f
  2⤵
  PID:1448
- C:\Windows\system32\reg.exe
  Reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager\kernel" /v "DisableOverlappedExecution" /t REG_DWORD /d "0" /f
  2⤵
  PID:2836
- C:\Windows\system32\reg.exe
  Reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager\kernel" /v "TimeIncrement" /t REG_DWORD /d "2" /f
  2⤵
  PID:32
- C:\Windows\system32\reg.exe
  Reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager\kernel" /v "QuantumLength" /t REG_DWORD /d "15" /f
  2⤵
  PID:4100
- C:\Windows\system32\reg.exe
  Reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager\kernel" /v "DistributeTimers" /t REG_DWORD /d "1" /f
  2⤵
  PID:1916
- C:\Windows\system32\reg.exe
  Reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager\kernel" /v "GlobalTimerResolutionRequests" /t REG_DWORD /d "1" /f
  2⤵
  PID:1964
- C:\Windows\system32\reg.exe
  Reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager\kernel" /v "MinimumDpcRate" /t REG_DWORD /d "1" /f
  2⤵
  PID:3352
- C:\Windows\system32\reg.exe
  Reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager\kernel" /v "AdjustDpcThreshold" /t REG_DWORD /d "0" /f
  2⤵
  PID:1040
- C:\Windows\system32\reg.exe
  Reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager\kernel" /v "DisableExceptionChainValidation" /t REG_DWORD /d "1" /f
  2⤵
  PID:1556
- C:\Windows\system32\reg.exe
  Reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager\kernel" /v "KernelSEHOPEnabled" /t REG_DWORD /d "0" /f
  2⤵
  PID:2128
- C:\Windows\system32\reg.exe
  Reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager\kernel" /v "UseNormalStack" /t REG_DWORD /d "1" /f
  2⤵
  PID:3496
- C:\Windows\system32\reg.exe
  Reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager\kernel" /v "UseNewEaBuffering" /t REG_DWORD /d "1" /f
  2⤵
  PID:2552
- C:\Windows\system32\reg.exe
  Reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager\kernel" /v "StackSubSystemStackSize" /t REG_DWORD /d "65536" /f
  2⤵
  PID:4616
- C:\Windows\system32\reg.exe
  Reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager\kernel" /v "SystemResponsivenessReserved" /t REG_DWORD /d "0" /f
  2⤵
  PID:2416
- C:\Windows\system32\reg.exe
  Reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager\kernel" /v "EnableUserModeCache" /t REG_DWORD /d "1" /f
  2⤵
  PID:4908
- C:\Windows\system32\reg.exe
  Reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager\kernel" /v "EnableLowLatencyIo" /t REG_DWORD /d "1" /f
  2⤵
  PID:5096
- C:\Windows\system32\reg.exe
  Reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager\kernel" /v "EnableFsCacheHost" /t REG_DWORD /d "1" /f
  2⤵
  PID:3292
- C:\Windows\system32\reg.exe
  Reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager\kernel" /v "DisableSystemPTEWriteBack" /t REG_DWORD /d "1" /f
  2⤵
  PID:2336
- C:\Windows\system32\reg.exe
  Reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager\kernel" /v "KernelStackSize" /t REG_DWORD /d "8192" /f
  2⤵
  PID:3908
- C:\Windows\system32\reg.exe
  Reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager\kernel" /v "PfnMaxLookahead" /t REG_DWORD /d "16" /f
  2⤵
  PID:4288
- C:\Windows\system32\reg.exe
  Reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager\kernel" /v "LatencyMode" /t REG_DWORD /d "1" /f
  2⤵
  PID:2292
- C:\Windows\system32\reg.exe
  Reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager\kernel" /v "EnableLowMemoryKiller" /t REG_DWORD /d "1" /f
  2⤵
  PID:4856
- C:\Windows\system32\reg.exe
  Reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager\kernel" /v "CpuRelaxedSpeculation" /t REG_DWORD /d "1" /f
  2⤵
  PID:1204
- C:\Windows\system32\reg.exe
  Reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager\kernel" /v "DisableDynamicTick" /t REG_DWORD /d "1" /f
  2⤵
  PID:1788
- C:\Windows\system32\reg.exe
  Reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager\kernel" /v "DynamicTick" /t REG_DWORD /d "0" /f
  2⤵
  PID:1336
- C:\Windows\system32\reg.exe
  Reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager\kernel" /v "EnergyDriverPolicy" /t REG_DWORD /d "1" /f
  2⤵
  PID:3416
- C:\Windows\system32\reg.exe
  Reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager\kernel" /v "EnergyDriverPolicyVideo" /t REG_DWORD /d "1" /f
  2⤵
  PID:4544
- C:\Windows\system32\reg.exe
  Reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager\kernel" /v "TimerBResolution" /t REG_DWORD /d "1" /f
  2⤵
  PID:4016
- C:\Windows\system32\reg.exe
  Reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager\kernel" /v "TimerMinResolution" /t REG_DWORD /d "1" /f
  2⤵
  PID:3460
- C:\Windows\system32\reg.exe
  Reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager\kernel" /v "TimerReliability" /t REG_DWORD /d "1" /f
  2⤵
  PID:1084
- C:\Windows\system32\reg.exe
  Reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager\kernel" /v "KernelIoPriority" /t REG_DWORD /d "3" /f
  2⤵
  PID:4280
- C:\Windows\system32\reg.exe
  Reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager\kernel" /v "DisableLowQosTimerResolution" /t REG_DWORD /d "1" /f
  2⤵
  PID:468
- C:\Windows\system32\reg.exe
  Reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager\kernel" /v "SerializeTimerExpiration" /t REG_DWORD /d "2" /f
  2⤵
  PID:3856
- C:\Windows\system32\reg.exe
  Reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager\kernel" /v "TimerCheckFlags" /t REG_DWORD /d "8" /f
  2⤵
  PID:3668
- C:\Windows\system32\reg.exe
  Reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager\kernel" /v "SplitLargeCaches" /t REG_DWORD /d "1" /f
  2⤵
  PID:3056
- C:\Windows\system32\reg.exe
  Reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager\kernel" /v "SchedulerAssistThreadFlagOverride" /t REG_DWORD /d "1" /f
  2⤵
  PID:5092
- C:\Windows\system32\reg.exe
  Reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager\kernel" /v "EnablePerCpuClockTickScheduling" /t REG_DWORD /d "1" /f
  2⤵
  PID:4264
- C:\Windows\system32\reg.exe
  Reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager\kernel" /v "CacheErrataOverride" /t REG_DWORD /d "1" /f
  2⤵
  PID:4296
- C:\Windows\system32\reg.exe
  Reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager\kernel" /v "CacheAwareScheduling" /t REG_DWORD /d "5" /f
  2⤵
  PID:4272
- C:\Windows\system32\reg.exe
  Reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager\kernel" /v "ForceApicPhysicalDestinationMode" /t REG_DWORD /d "1" /f
  2⤵
  PID:2880
- C:\Windows\system32\reg.exe
  Reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager\kernel" /v "TscInvariant" /t REG_DWORD /d "1" /f
  2⤵
  PID:1672
- C:\Windows\system32\reg.exe
  Reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager\kernel" /v "ForceClockSync" /t REG_DWORD /d "1" /f
  2⤵
  PID:4276
- C:\Windows\system32\reg.exe
  Reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager\kernel" /v "TscSyncPolicy" /t REG_DWORD /d "2" /f
  2⤵
  PID:1196
- C:\Windows\system32\reg.exe
  Reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager\kernel" /v "TscAdjustDisable" /t REG_DWORD /d "1" /f
  2⤵
  PID:1688
- C:\Windows\system32\reg.exe
  Reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager\kernel" /v "ContextNoPatchMode" /t REG_DWORD /d "1" /f
  2⤵
  PID:1904
- C:\Windows\system32\reg.exe
  Reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager\kernel" /v "DisableTsx" /t REG_DWORD /d "0" /f
  2⤵
  PID:1776
- C:\Windows\system32\reg.exe
  Reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager\kernel" /v "CoalescingTimerInterval" /t REG_DWORD /d "0" /f
  2⤵
  PID:4740
- C:\Windows\system32\reg.exe
  Reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager\kernel" /v "DebugPollInterval" /t REG_DWORD /d "1000" /f
  2⤵
  PID:2564
- C:\Windows\system32\reg.exe
  Reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager\kernel" /v "RebalanceMinPriority" /t REG_DWORD /d "1" /f
  2⤵
  PID:1128
- C:\Windows\system32\reg.exe
  Reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager\kernel" /v "MaxDynamicTickDuration" /t REG_DWORD /d "10" /f
  2⤵
  PID:2844
- C:\Windows\system32\reg.exe
  Reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager\kernel" /v "MaximumDpcQueueDepth" /t REG_DWORD /d "1" /f
  2⤵
  PID:3968
- C:\Windows\system32\reg.exe
  Reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager\kernel" /v "MaximumDpcRate" /t REG_DWORD /d "1" /f
  2⤵
  PID:4168
- C:\Windows\system32\reg.exe
  Reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager\kernel" /v "MaximumSharedReadyQueueSize" /t REG_DWORD /d "128" /f
  2⤵
  PID:1088
- C:\Windows\system32\reg.exe
  Reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager\kernel" /v "BufferSize" /t REG_DWORD /d "32" /f
  2⤵
  PID:2088
- C:\Windows\system32\reg.exe
  Reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager\kernel" /v "IoQueueWorkItem" /t REG_DWORD /d "32" /f
  2⤵
  PID:2092
- C:\Windows\system32\reg.exe
  Reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager\kernel" /v "IoQueueWorkItemToNode" /t REG_DWORD /d "32" /f
  2⤵
  PID:4076
- C:\Windows\system32\reg.exe
  Reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager\kernel" /v "IoQueueWorkItemEx" /t REG_DWORD /d "32" /f
  2⤵
  PID:2952
- C:\Windows\system32\reg.exe
  Reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager\kernel" /v "IoQueueThreadIrp" /t REG_DWORD /d "32" /f
  2⤵
  PID:3120
- C:\Windows\system32\reg.exe
  Reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager\kernel" /v "ExTryQueueWorkItem" /t REG_DWORD /d "32" /f
  2⤵
  PID:2056
- C:\Windows\system32\reg.exe
  Reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager\kernel" /v "ExQueueWorkItem" /t REG_DWORD /d "32" /f
  2⤵
  PID:3984
- C:\Windows\system32\reg.exe
  Reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager\kernel" /v "IoEnqueueIrp" /t REG_DWORD /d "32" /f
  2⤵
  PID:1892
- C:\Windows\system32\reg.exe
  Reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager\kernel" /v "DisableVsyncLatencyUpdate" /t REG_DWORD /d "1" /f
  2⤵
  PID:872
- C:\Windows\system32\reg.exe
  Reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager\kernel" /v "ExitLatencyCheckEnabled" /t REG_DWORD /d "1" /f
  2⤵
  PID:236
- C:\Windows\system32\reg.exe
  Reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager\kernel" /v "LatencyToleranceVSyncEnabled" /t REG_DWORD /d "1" /f
  2⤵
  PID:1552
- C:\Windows\system32\reg.exe
  Reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager\kernel" /v "XMMIZeroingEnable" /t REG_DWORD /d "0" /f
  2⤵
  PID:4996
- C:\Windows\system32\reg.exe
  reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\kernel" /v DpcWatchdogProfileOffset /t REG_DWORD /d 0 /f
  2⤵
  PID:3276
- C:\Windows\system32\reg.exe
  reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\kernel" /v DpcTimeout /t REG_DWORD /d 0 /f
  2⤵
  PID:2492
- C:\Windows\system32\reg.exe
  reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\kernel" /v IdealDpcRate /t REG_DWORD /d 1 /f
  2⤵
  PID:3524
- C:\Windows\system32\reg.exe
  reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\kernel" /v MaximumDpcQueueDepth /t REG_DWORD /d 1 /f
  2⤵
  PID:1464
- C:\Windows\system32\reg.exe
  reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\kernel" /v MinimumDpcRate /t REG_DWORD /d 1 /f
  2⤵
  PID:4112
- C:\Windows\system32\reg.exe
  reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\kernel" /v DpcWatchdogPeriod /t REG_DWORD /d 0 /f
  2⤵
  PID:2884
- C:\Windows\system32\reg.exe
  reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\kernel" /v UnlimitDpcQueue /t REG_DWORD /d 1 /f
  2⤵
  PID:940
- C:\Windows\system32\timeout.exe
  timeout /T 2 /NOBREAK
  2⤵
  - Delays execution with timeout.exe
  PID:4828
- C:\Windows\system32\sc.exe
  sc config LanmanWorkstation start= demand
  2⤵
  - Launches sc.exe
  PID:4704
- C:\Windows\system32\sc.exe
  sc config WdiServiceHost start= demand
  2⤵
  - Launches sc.exe
  PID:1596
- C:\Windows\system32\sc.exe
  sc config NcbService start= demand
  2⤵
  - Launches sc.exe
  PID:2196
- C:\Windows\system32\sc.exe
  sc config ndu start= demand
  2⤵
  - Launches sc.exe
  PID:4792
- C:\Windows\system32\sc.exe
  sc config Netman start= demand
  2⤵
  - Launches sc.exe
  PID:4268
- C:\Windows\system32\sc.exe
  sc config netprofm start= demand
  2⤵
  - Launches sc.exe
  PID:1068
- C:\Windows\system32\sc.exe
  sc config WwanSvc start= demand
  2⤵
  - Launches sc.exe
  PID:5000
- C:\Windows\system32\sc.exe
  sc config Dhcp start= auto
  2⤵
  - Launches sc.exe
  PID:3104
- C:\Windows\system32\sc.exe
  sc config DPS start= auto
  2⤵
  - Launches sc.exe
  PID:4116
- C:\Windows\system32\sc.exe
  sc config lmhosts start= auto
  2⤵
  - Launches sc.exe
  PID:1920
- C:\Windows\system32\sc.exe
  sc config NlaSvc start= auto
  2⤵
  - Launches sc.exe
  PID:1064
- C:\Windows\system32\sc.exe
  sc config nsi start= auto
  2⤵
  - Launches sc.exe
  PID:2400
- C:\Windows\system32\sc.exe
  sc config RmSvc start= auto
  2⤵
  - Launches sc.exe
  PID:576
- C:\Windows\system32\sc.exe
  sc config Wcmsvc start= auto
  2⤵
  - Launches sc.exe
  PID:488
- C:\Windows\system32\sc.exe
  sc config Winmgmt start= auto
  2⤵
  - Launches sc.exe
  PID:1572
- C:\Windows\system32\sc.exe
  sc config WlanSvc start= auto
  2⤵
  - Launches sc.exe
  PID:1036
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\WlanSvc\CDSSync" /Enable
  2⤵
  PID:3760
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\WCM\WiFiTask" /Enable
  2⤵
  PID:692
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\NlaSvc\WiFiTask" /Enable
  2⤵
  PID:464
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\DUSM\dusmtask" /Enable
  2⤵
  PID:2428
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\Software\Policies\Microsoft\Windows\NetworkConnectivityStatusIndicator" /v "NoActiveProbe" /t REG_DWORD /d "0" /f
  2⤵
  PID:2136
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\System\CurrentControlSet\Services\NlaSvc\Parameters\Internet" /v "EnableActiveProbing" /t REG_DWORD /d "1" /f
  2⤵
  PID:1528
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\System\CurrentControlSet\Services\BFE" /v "Start" /t REG_DWORD /d "2" /f
  2⤵
  PID:3500
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\System\CurrentControlSet\Services\Dnscache" /v "Start" /t REG_DWORD /d "2" /f
  2⤵
  PID:4988
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\System\CurrentControlSet\Services\WinHttpAutoProxySvc" /v "Start" /t REG_DWORD /d "3" /f
  2⤵
  PID:2680
- C:\Windows\system32\net.exe
  net start DPS
  2⤵
  PID:2232
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 start DPS
    3⤵
    PID:1420
- C:\Windows\system32\net.exe
  net start nsi
  2⤵
  PID:2128
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 start nsi
    3⤵
    PID:232
- C:\Windows\system32\net.exe
  net start NlaSvc
  2⤵
  PID:1156
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 start NlaSvc
    3⤵
    PID:4844
- C:\Windows\system32\net.exe
  net start Dhcp
  2⤵
  PID:3784
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 start Dhcp
    3⤵
    PID:448
- C:\Windows\system32\net.exe
  net start Wcmsvc
  2⤵
  PID:1876
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 start Wcmsvc
    3⤵
    PID:2380
- C:\Windows\system32\net.exe
  net start RmSvc
  2⤵
  PID:3596
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 start RmSvc
    3⤵
    PID:3456
- C:\Windows\System32\Wbem\WMIC.exe
  wmic path win32_networkadapter where index=0 call disable
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4644
- C:\Windows\System32\Wbem\WMIC.exe
  wmic path win32_networkadapter where index=1 call disable
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:972

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNoNetwork -p -s DPS
1⤵
- Drops file in System32 directory
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3912

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s WdiSystemHost
1⤵
PID:1728

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netprofm -p -s NlaSvc
1⤵
- Modifies data under HKEY_USERS
PID:708

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

File and Directory Permissions Modification

T1222

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_bpzljnzn.gpk.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/2324-0-0x00007FFB360B3000-0x00007FFB360B5000-memory.dmp

Filesize
8KB

Download
memory/2324-1-0x0000026C66B30000-0x0000026C66B52000-memory.dmp

Filesize
136KB

Download
memory/2324-10-0x00007FFB360B0000-0x00007FFB36B72000-memory.dmp

Filesize
10.8MB

Download
memory/2324-11-0x00007FFB360B0000-0x00007FFB36B72000-memory.dmp

Filesize
10.8MB

Download
memory/2324-12-0x00007FFB360B0000-0x00007FFB36B72000-memory.dmp

Filesize
10.8MB

Download
memory/2324-15-0x00007FFB360B0000-0x00007FFB36B72000-memory.dmp

Filesize
10.8MB

Download
memory/3912-16-0x0000025320500000-0x0000025320510000-memory.dmp

Filesize
64KB

Download
memory/3912-20-0x0000025320540000-0x0000025320550000-memory.dmp

Filesize
64KB

Download
memory/3912-24-0x0000025320A00000-0x0000025320A01000-memory.dmp

Filesize
4KB

Download