a570a7c27ab10595ae8d850ff72e02aa473a7f2b858603c963df513ebdf67227

Analysis

max time kernel
415s
max time network
427s
platform
windows11-21h2_x64
resource
win11-20240426-en
resource tags

arch:x64arch:x86image:win11-20240426-enlocale:en-usos:windows11-21h2-x64system
submitted
25-05-2024 14:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Azurite Setup 1.1.12.exe
Size

111.3MB
MD5

4848ad03ab3dd1c09aaf5ace18a55f36
SHA1

f8f65216cdff313730ce23cb98d3302aad8b403b
SHA256

a570a7c27ab10595ae8d850ff72e02aa473a7f2b858603c963df513ebdf67227
SHA512

6d926a9674e0ea3130323e725289ea54c31c9e2be4745a8f407d32fe91cac8ca7ffa97d0c107de3d293c8aa990e44f901e322e342eb01d3e7968b880b2d026c3
SSDEEP

3145728:5gFkGgcymcNLCSBsFkGNnSjejR0XL4pPV:KCLCSmZn+V09

Score

9^/10

discovery evasion execution ransomware

Malware Config

Signatures

Modifies boot configuration data using bcdedit 1 TTPs 5 IoCs
ransomware evasion

Inhibit System Recovery
T1490

Processes:

bcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exe

pid process

1328 bcdedit.exe
864 bcdedit.exe
2844 bcdedit.exe
3812 bcdedit.exe
4340 bcdedit.exe
Drops desktop.ini file(s) 1 IoCs

Processes:

Azurite.exe

description ioc process

File opened for modification C:\$RECYCLE.BIN\S-1-5-21-3062789476-783164490-2318012559-1000\desktop.ini Azurite.exe

pid	process
1328	bcdedit.exe
864	bcdedit.exe
2844	bcdedit.exe
3812	bcdedit.exe
4340	bcdedit.exe

description	ioc	process
File opened for modification	C:\$RECYCLE.BIN\S-1-5-21-3062789476-783164490-2318012559-1000\desktop.ini	Azurite.exe

Maps connected drives based on registry 3 TTPs 6 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

reg.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum	reg.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum	reg.exe
Key value enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum	reg.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	reg.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\Count	reg.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\NextInstance	reg.exe

Deletes itself 1 IoCs

Processes:

Azurite.exe

pid process

2392 Azurite.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

pid	process
2392	Azurite.exe

Drops file in Windows directory 3 IoCs

Processes:

Azurite.exe

description	ioc	process
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\DeliveryOptimization\Logs\domgmt.20240426_215943_103.etl	Azurite.exe
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\DeliveryOptimization\Logs\dosvc.20240426_150030_777.etl	Azurite.exe
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\DeliveryOptimization\Logs\dosvc.20240426_150327_686.etl	Azurite.exe

Executes dropped EXE 5 IoCs

Processes:

Azurite.exeAzurite.exeAzurite.exeAzurite.exeAzurite.exe

pid process

2392 Azurite.exe
1800 Azurite.exe
4004 Azurite.exe
4280 Azurite.exe
200 Azurite.exe

pid	process
2392	Azurite.exe
1800	Azurite.exe
4004	Azurite.exe
4280	Azurite.exe
200	Azurite.exe

Loads dropped DLL 22 IoCs

Processes:

Azurite Setup 1.1.12.exeAzurite.exeAzurite.exeAzurite.exeAzurite.exeAzurite.exe

pid	process
2504	Azurite Setup 1.1.12.exe
2504	Azurite Setup 1.1.12.exe
2504	Azurite Setup 1.1.12.exe
2504	Azurite Setup 1.1.12.exe
2504	Azurite Setup 1.1.12.exe
2504	Azurite Setup 1.1.12.exe
2504	Azurite Setup 1.1.12.exe
2504	Azurite Setup 1.1.12.exe
2504	Azurite Setup 1.1.12.exe
2504	Azurite Setup 1.1.12.exe
2504	Azurite Setup 1.1.12.exe
2392	Azurite.exe
1800	Azurite.exe
1800	Azurite.exe
1800	Azurite.exe
4004	Azurite.exe
1800	Azurite.exe
4280	Azurite.exe
200	Azurite.exe
200	Azurite.exe
200	Azurite.exe
200	Azurite.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Using powershell.exe command.
execution

PowerShell
T1059.001

Processes:

powershell.exe

pid process

1448 powershell.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
1448	powershell.exe

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

reg.exevssvc.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Device Parameters\Storport\MinimumIdleTimeoutInMS	reg.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Mfg	reg.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	reg.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\ContainerID	reg.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	reg.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	reg.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\LocationInformation	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Device Parameters\Storport	reg.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\Attributes	reg.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Device Parameters\Storport\PowerCycleCount	reg.exe
Key value enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	reg.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Storport\InitialTimestamp	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties	reg.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Driver	reg.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Device Parameters\Storport	reg.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ContainerID	reg.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Driver	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr	reg.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\DiskId	reg.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Device Parameters	reg.exe
Key value enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	reg.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Device Parameters\Storport\InitialTimestamp	reg.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Address	reg.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Device Parameters	reg.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\CompatibleIDs	reg.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ClassGUID	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	reg.exe
Key value enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Storport	reg.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Device Parameters\Storport\InitialTimestamp	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties	reg.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\DeviceDesc	reg.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Storport	reg.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID	reg.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key value enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Device Parameters	reg.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ContainerID	reg.exe
Key value enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Device Parameters\Storport	reg.exe
Key value enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Device Parameters	reg.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Device Parameters	reg.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Address	reg.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\LocationInformation	reg.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Address	reg.exe
Key value enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Device Parameters\Storport	reg.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK	reg.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Address	reg.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	reg.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Capabilities	reg.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\ClassGUID	reg.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Device Parameters	reg.exe
Key value enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	reg.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Service	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties	reg.exe
Key value enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Device Parameters\Storport	reg.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\AttributesTableCache	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 00000000040000001b4a55745f2b98f90000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff0000000027010100000800001b4a55740000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff0000000007000100006809001b4a5574000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1d1b4a5574000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000000000001b4a557400000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Driver	reg.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Device Parameters\DefaultRequestFlags	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM	reg.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Mfg	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	reg.exe

Modifies registry key 1 TTPs 64 IoCs

Modify Registry

T1112

Processes:

reg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exe

pid	process
240	reg.exe
4760	reg.exe
2332	reg.exe
3796	reg.exe
1820	reg.exe
1396	reg.exe
4936	reg.exe
1736	reg.exe
2084	reg.exe
4612	reg.exe
2312	reg.exe
3816	reg.exe
4596	reg.exe
2120	reg.exe
2864	reg.exe
1208	reg.exe
4972	reg.exe
2440	reg.exe
4024	reg.exe
480	reg.exe
968	reg.exe
3348	reg.exe
3928	reg.exe
788	reg.exe
1900	reg.exe
3892	reg.exe
4764	reg.exe
2604	reg.exe
3008	reg.exe
3376	reg.exe
2076	reg.exe
944	reg.exe
4244	reg.exe
3248	reg.exe
4760	reg.exe
1404	reg.exe
2144	reg.exe
3696	reg.exe
5068	reg.exe
4676	reg.exe
2144	reg.exe
1448	reg.exe
4036	reg.exe
4844	reg.exe
2884	reg.exe
2096	reg.exe
3380	reg.exe
4044	reg.exe
3504	reg.exe
3244	reg.exe
3560	reg.exe
1960	reg.exe
1736	reg.exe
2440	reg.exe
3480	reg.exe
420	reg.exe
4820	reg.exe
200	reg.exe
4836	reg.exe
1880	reg.exe
3756	reg.exe
416	reg.exe
1624	reg.exe
2184	reg.exe

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

Azurite.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 5c000000010000000400000000080000190000000100000010000000a823b4a20180beb460cab955c24d7e21030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c7e00000001000000080000000000042beb77d5017a000000010000000c000000300a06082b060105050703097f000000010000000c000000300a06082b060105050703091d00000001000000100000006ee7f3b060d10e90a31ba3471b999236140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b620000000100000020000000ebd41040e4bb3ec742c9e381d31ef2a41a48b6685c96e7cef3c1df6cd4331c990b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520031000000530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000068000000306606082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050508020206082b0601050507030606082b0601050507030706082b0601050507030906082b0601050507030106082b060105050703080f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d0400000001000000100000003e455215095192e1b75d379fb187298a200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0	Azurite.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C	Azurite.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 0400000001000000100000003e455215095192e1b75d379fb187298a0f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d090000000100000068000000306606082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050508020206082b0601050507030606082b0601050507030706082b0601050507030906082b0601050507030106082b06010505070308530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520031000000620000000100000020000000ebd41040e4bb3ec742c9e381d31ef2a41a48b6685c96e7cef3c1df6cd4331c99140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b1d00000001000000100000006ee7f3b060d10e90a31ba3471b9992367f000000010000000c000000300a06082b060105050703097a000000010000000c000000300a06082b060105050703097e00000001000000080000000000042beb77d501030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c190000000100000010000000a823b4a20180beb460cab955c24d7e21200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0	Azurite.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

Processes:

Azurite Setup 1.1.12.exeAzurite.exeAzurite.exeAzurite.exepowershell.exeAzurite.exe

pid	process
2504	Azurite Setup 1.1.12.exe
2504	Azurite Setup 1.1.12.exe
2504	Azurite Setup 1.1.12.exe
2504	Azurite Setup 1.1.12.exe
2504	Azurite Setup 1.1.12.exe
2504	Azurite Setup 1.1.12.exe
2392	Azurite.exe
2392	Azurite.exe
2392	Azurite.exe
2392	Azurite.exe
4004	Azurite.exe
4004	Azurite.exe
4280	Azurite.exe
4280	Azurite.exe
1448	powershell.exe
1448	powershell.exe
200	Azurite.exe
200	Azurite.exe
200	Azurite.exe
200	Azurite.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

Azurite Setup 1.1.12.exepowershell.exevssvc.exesrtasks.exeWMIC.exeWMIC.exe

description	pid	process
Token: SeSecurityPrivilege	2504	Azurite Setup 1.1.12.exe
Token: SeDebugPrivilege	1448	powershell.exe
Token: SeBackupPrivilege	2404	vssvc.exe
Token: SeRestorePrivilege	2404	vssvc.exe
Token: SeAuditPrivilege	2404	vssvc.exe
Token: SeBackupPrivilege	1668	srtasks.exe
Token: SeRestorePrivilege	1668	srtasks.exe
Token: SeSecurityPrivilege	1668	srtasks.exe
Token: SeTakeOwnershipPrivilege	1668	srtasks.exe
Token: SeBackupPrivilege	1668	srtasks.exe
Token: SeRestorePrivilege	1668	srtasks.exe
Token: SeSecurityPrivilege	1668	srtasks.exe
Token: SeTakeOwnershipPrivilege	1668	srtasks.exe
Token: SeIncreaseQuotaPrivilege	3508	WMIC.exe
Token: SeSecurityPrivilege	3508	WMIC.exe
Token: SeTakeOwnershipPrivilege	3508	WMIC.exe
Token: SeLoadDriverPrivilege	3508	WMIC.exe
Token: SeSystemProfilePrivilege	3508	WMIC.exe
Token: SeSystemtimePrivilege	3508	WMIC.exe
Token: SeProfSingleProcessPrivilege	3508	WMIC.exe
Token: SeIncBasePriorityPrivilege	3508	WMIC.exe
Token: SeCreatePagefilePrivilege	3508	WMIC.exe
Token: SeBackupPrivilege	3508	WMIC.exe
Token: SeRestorePrivilege	3508	WMIC.exe
Token: SeShutdownPrivilege	3508	WMIC.exe
Token: SeDebugPrivilege	3508	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3508	WMIC.exe
Token: SeRemoteShutdownPrivilege	3508	WMIC.exe
Token: SeUndockPrivilege	3508	WMIC.exe
Token: SeManageVolumePrivilege	3508	WMIC.exe
Token: 33	3508	WMIC.exe
Token: 34	3508	WMIC.exe
Token: 35	3508	WMIC.exe
Token: 36	3508	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3508	WMIC.exe
Token: SeSecurityPrivilege	3508	WMIC.exe
Token: SeTakeOwnershipPrivilege	3508	WMIC.exe
Token: SeLoadDriverPrivilege	3508	WMIC.exe
Token: SeSystemProfilePrivilege	3508	WMIC.exe
Token: SeSystemtimePrivilege	3508	WMIC.exe
Token: SeProfSingleProcessPrivilege	3508	WMIC.exe
Token: SeIncBasePriorityPrivilege	3508	WMIC.exe
Token: SeCreatePagefilePrivilege	3508	WMIC.exe
Token: SeBackupPrivilege	3508	WMIC.exe
Token: SeRestorePrivilege	3508	WMIC.exe
Token: SeShutdownPrivilege	3508	WMIC.exe
Token: SeDebugPrivilege	3508	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3508	WMIC.exe
Token: SeRemoteShutdownPrivilege	3508	WMIC.exe
Token: SeUndockPrivilege	3508	WMIC.exe
Token: SeManageVolumePrivilege	3508	WMIC.exe
Token: 33	3508	WMIC.exe
Token: 34	3508	WMIC.exe
Token: 35	3508	WMIC.exe
Token: 36	3508	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4468	WMIC.exe
Token: SeSecurityPrivilege	4468	WMIC.exe
Token: SeTakeOwnershipPrivilege	4468	WMIC.exe
Token: SeLoadDriverPrivilege	4468	WMIC.exe
Token: SeSystemProfilePrivilege	4468	WMIC.exe
Token: SeSystemtimePrivilege	4468	WMIC.exe
Token: SeProfSingleProcessPrivilege	4468	WMIC.exe
Token: SeIncBasePriorityPrivilege	4468	WMIC.exe
Token: SeCreatePagefilePrivilege	4468	WMIC.exe

Suspicious use of SetWindowsHookEx 5 IoCs

Processes:

Azurite.exeAzurite.exeAzurite.exeAzurite.exeAzurite.exe

pid process

2392 Azurite.exe
1800 Azurite.exe
4004 Azurite.exe
4280 Azurite.exe
200 Azurite.exe

pid	process
2392	Azurite.exe
1800	Azurite.exe
4004	Azurite.exe
4280	Azurite.exe
200	Azurite.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Azurite.exe

description	pid	process	target process
PID 2392 wrote to memory of 1800	2392	Azurite.exe	Azurite.exe
PID 2392 wrote to memory of 1800	2392	Azurite.exe	Azurite.exe
PID 2392 wrote to memory of 1800	2392	Azurite.exe	Azurite.exe
PID 2392 wrote to memory of 1800	2392	Azurite.exe	Azurite.exe
PID 2392 wrote to memory of 1800	2392	Azurite.exe	Azurite.exe
PID 2392 wrote to memory of 1800	2392	Azurite.exe	Azurite.exe
PID 2392 wrote to memory of 1800	2392	Azurite.exe	Azurite.exe
PID 2392 wrote to memory of 1800	2392	Azurite.exe	Azurite.exe
PID 2392 wrote to memory of 1800	2392	Azurite.exe	Azurite.exe
PID 2392 wrote to memory of 1800	2392	Azurite.exe	Azurite.exe
PID 2392 wrote to memory of 1800	2392	Azurite.exe	Azurite.exe
PID 2392 wrote to memory of 1800	2392	Azurite.exe	Azurite.exe
PID 2392 wrote to memory of 1800	2392	Azurite.exe	Azurite.exe
PID 2392 wrote to memory of 1800	2392	Azurite.exe	Azurite.exe
PID 2392 wrote to memory of 1800	2392	Azurite.exe	Azurite.exe
PID 2392 wrote to memory of 1800	2392	Azurite.exe	Azurite.exe
PID 2392 wrote to memory of 1800	2392	Azurite.exe	Azurite.exe
PID 2392 wrote to memory of 1800	2392	Azurite.exe	Azurite.exe
PID 2392 wrote to memory of 1800	2392	Azurite.exe	Azurite.exe
PID 2392 wrote to memory of 1800	2392	Azurite.exe	Azurite.exe
PID 2392 wrote to memory of 1800	2392	Azurite.exe	Azurite.exe
PID 2392 wrote to memory of 1800	2392	Azurite.exe	Azurite.exe
PID 2392 wrote to memory of 1800	2392	Azurite.exe	Azurite.exe
PID 2392 wrote to memory of 1800	2392	Azurite.exe	Azurite.exe
PID 2392 wrote to memory of 1800	2392	Azurite.exe	Azurite.exe
PID 2392 wrote to memory of 1800	2392	Azurite.exe	Azurite.exe
PID 2392 wrote to memory of 1800	2392	Azurite.exe	Azurite.exe
PID 2392 wrote to memory of 1800	2392	Azurite.exe	Azurite.exe
PID 2392 wrote to memory of 1800	2392	Azurite.exe	Azurite.exe
PID 2392 wrote to memory of 1800	2392	Azurite.exe	Azurite.exe
PID 2392 wrote to memory of 1800	2392	Azurite.exe	Azurite.exe
PID 2392 wrote to memory of 1800	2392	Azurite.exe	Azurite.exe
PID 2392 wrote to memory of 1800	2392	Azurite.exe	Azurite.exe
PID 2392 wrote to memory of 1800	2392	Azurite.exe	Azurite.exe
PID 2392 wrote to memory of 1800	2392	Azurite.exe	Azurite.exe
PID 2392 wrote to memory of 1800	2392	Azurite.exe	Azurite.exe
PID 2392 wrote to memory of 1800	2392	Azurite.exe	Azurite.exe
PID 2392 wrote to memory of 1800	2392	Azurite.exe	Azurite.exe
PID 2392 wrote to memory of 1800	2392	Azurite.exe	Azurite.exe
PID 2392 wrote to memory of 1800	2392	Azurite.exe	Azurite.exe
PID 2392 wrote to memory of 4004	2392	Azurite.exe	Azurite.exe
PID 2392 wrote to memory of 4004	2392	Azurite.exe	Azurite.exe
PID 2392 wrote to memory of 4280	2392	Azurite.exe	Azurite.exe
PID 2392 wrote to memory of 4280	2392	Azurite.exe	Azurite.exe
PID 2392 wrote to memory of 2460	2392	Azurite.exe	reg.exe
PID 2392 wrote to memory of 2460	2392	Azurite.exe	reg.exe
PID 2392 wrote to memory of 4208	2392	Azurite.exe	reg.exe
PID 2392 wrote to memory of 4208	2392	Azurite.exe	reg.exe
PID 2392 wrote to memory of 240	2392	Azurite.exe	reg.exe
PID 2392 wrote to memory of 240	2392	Azurite.exe	reg.exe
PID 2392 wrote to memory of 784	2392	Azurite.exe	reg.exe
PID 2392 wrote to memory of 784	2392	Azurite.exe	reg.exe
PID 2392 wrote to memory of 3232	2392	Azurite.exe	reg.exe
PID 2392 wrote to memory of 3232	2392	Azurite.exe	reg.exe
PID 2392 wrote to memory of 2108	2392	Azurite.exe	reg.exe
PID 2392 wrote to memory of 2108	2392	Azurite.exe	reg.exe
PID 2392 wrote to memory of 1132	2392	Azurite.exe	reg.exe
PID 2392 wrote to memory of 1132	2392	Azurite.exe	reg.exe
PID 2392 wrote to memory of 3308	2392	Azurite.exe	reg.exe
PID 2392 wrote to memory of 3308	2392	Azurite.exe	reg.exe
PID 2392 wrote to memory of 2548	2392	Azurite.exe	reg.exe
PID 2392 wrote to memory of 2548	2392	Azurite.exe	reg.exe
PID 2392 wrote to memory of 3000	2392	Azurite.exe	reg.exe
PID 2392 wrote to memory of 3000	2392	Azurite.exe	reg.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\Azurite Setup 1.1.12.exe
"C:\Users\Admin\AppData\Local\Temp\Azurite Setup 1.1.12.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2504

C:\Users\Admin\AppData\Local\Programs\Azurite\Azurite.exe
"C:\Users\Admin\AppData\Local\Programs\Azurite\Azurite.exe"
1⤵
- Drops desktop.ini file(s)
- Deletes itself
- Drops file in Windows directory
- Executes dropped EXE
- Loads dropped DLL
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2392

C:\Users\Admin\AppData\Local\Programs\Azurite\Azurite.exe
"C:\Users\Admin\AppData\Local\Programs\Azurite\Azurite.exe" --type=gpu-process --field-trial-handle=1572,13610510244591050683,10941352388437937473,131072 --disable-features=CookiesWithoutSameSiteMustBeSecure,SameSiteByDefaultCookies,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --use-gl=swiftshader-webgl --mojo-platform-channel-handle=1580 /prefetch:2
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:1800

C:\Users\Admin\AppData\Local\Programs\Azurite\Azurite.exe
"C:\Users\Admin\AppData\Local\Programs\Azurite\Azurite.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1572,13610510244591050683,10941352388437937473,131072 --disable-features=CookiesWithoutSameSiteMustBeSecure,SameSiteByDefaultCookies,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand --lang=en-US --service-sandbox-type=none --standard-schemes=app --secure-schemes=app --bypasscsp-schemes --cors-schemes --fetch-schemes --service-worker-schemes --streaming-schemes --mojo-platform-channel-handle=2036 /prefetch:8
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:4004

C:\Users\Admin\AppData\Local\Programs\Azurite\Azurite.exe
"C:\Users\Admin\AppData\Local\Programs\Azurite\Azurite.exe" --type=renderer --field-trial-handle=1572,13610510244591050683,10941352388437937473,131072 --disable-features=CookiesWithoutSameSiteMustBeSecure,SameSiteByDefaultCookies,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand --disable-gpu-compositing --lang=en-US --standard-schemes=app --secure-schemes=app --bypasscsp-schemes --cors-schemes --fetch-schemes --service-worker-schemes --streaming-schemes --app-path="C:\Users\Admin\AppData\Local\Programs\Azurite\resources\app.asar" --no-sandbox --no-zygote --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=4 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2180 /prefetch:1
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:4280

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\System\CurrentControlSet\Services\RmSvc
2⤵
PID:2460

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\System\CurrentControlSet\Services\RmSvc /v Start
2⤵
PID:4208

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\System\CurrentControlSet\Services\RmSvc /v Start
2⤵
- Modifies registry key
PID:240

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\System\ControlSet001\Services\xinputhid\Parameters
2⤵
PID:784

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\System\ControlSet001\Services\WUDFRd\Parameters
2⤵
PID:3232

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\System\ControlSet001\Services\WpdUpFltr\Parameters
2⤵
PID:2108

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\System\ControlSet001\Services\vwififlt\Parameters
2⤵
PID:1132

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\System\ControlSet001\Services\vwififlt\Parameters /v DmaRemappingCompatible
2⤵
PID:3308

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\System\ControlSet001\Services\vdrvroot\Parameters
2⤵
PID:2548

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\System\ControlSet001\Services\vdrvroot\Parameters /v DmaRemappingCompatible
2⤵
PID:3000

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\System\ControlSet001\Services\USBXHCI\Parameters
2⤵
PID:4488

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\System\ControlSet001\Services\USBXHCI\Parameters /v DmaRemappingCompatible
2⤵
- Modifies registry key
PID:4596

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\System\ControlSet001\Services\USBXHCI\Parameters /v DmaRemappingCompatible
2⤵
PID:2592

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\System\ControlSet001\Services\USBHUB3\Parameters
2⤵
PID:3424

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\System\ControlSet001\Services\USBHUB3\Parameters /v DmaRemappingCompatible
2⤵
- Modifies registry key
PID:4820

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\System\ControlSet001\Services\umbus\Parameters
2⤵
PID:2828

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\System\ControlSet001\Services\umbus\Parameters /v DmaRemappingCompatible
2⤵
PID:4536

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\System\ControlSet001\Services\storahci\Parameters
2⤵
PID:4468

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\System\ControlSet001\Services\storahci\Parameters /v DmaRemappingCompatible
2⤵
PID:3816

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\System\ControlSet001\Services\storahci\Parameters /v DmaRemappingCompatible
2⤵
PID:1464

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\System\ControlSet001\Services\stornvme\Parameters
2⤵
PID:2952

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\System\ControlSet001\Services\stornvme\Parameters /v DmaRemappingCompatible
2⤵
PID:4184

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\System\ControlSet001\Services\stornvme\Parameters /v DmaRemappingCompatible
2⤵
PID:1392

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\System\ControlSet001\Services\NdisVirtualBus\Parameters
2⤵
PID:2024

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\System\ControlSet001\Services\NdisVirtualBus\Parameters /v DmaRemappingCompatible
2⤵
PID:4612

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\System\ControlSet001\Services\msisadrv\Parameters
2⤵
PID:2504

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\System\ControlSet001\Services\msisadrv\Parameters /v DmaRemappingCompatible
2⤵
PID:2976

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\System\ControlSet001\Services\mouhid\Parameters
2⤵
PID:1544

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\System\ControlSet001\Services\mouhid\Parameters /v DmaRemappingCompatible
2⤵
- Modifies registry key
PID:200

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\System\ControlSet001\Services\monitor\Parameters
2⤵
PID:1288

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\System\ControlSet001\Services\monitor\Parameters /v DmaRemappingCompatible
2⤵
- Modifies registry key
PID:3928

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\System\ControlSet001\Services\intelpep\Parameters
2⤵
PID:3504

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\System\ControlSet001\Services\intelpep\Parameters /v DmaRemappingCompatible
2⤵
- Modifies registry key
PID:3244

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\System\ControlSet001\Services\CompositeBus\Parameters
2⤵
PID:2088

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\System\ControlSet001\Services\CompositeBus\Parameters /v DmaRemappingCompatible
2⤵
PID:4604

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\System\ControlSet001\Services\BasicRender\Parameters
2⤵
PID:4792

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\System\ControlSet001\Services\BasicRender\Parameters /v DmaRemappingCompatible
2⤵
PID:2428

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\System\ControlSet001\Services\BasicDisplay\Parameters
2⤵
PID:780

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\System\ControlSet001\Services\BasicDisplay\Parameters /v DmaRemappingCompatible
2⤵
PID:552

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\System\ControlSet001\Services\acpipagr\Parameters
2⤵
PID:2248

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\System\ControlSet001\Services\acpi\Parameters
2⤵
PID:3116

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\System\ControlSet001\Services\acpi\Parameters /v DmaRemappingCompatible
2⤵
PID:788

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\System\ControlSet001\Services\partmgr\Parameters
2⤵
- Modifies registry key
PID:1404

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\System\ControlSet001\Services\partmgr\Parameters /v DmaRemappingCompatible
2⤵
- Modifies registry key
PID:4936

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\System\ControlSet001\Services\xinputhid\Parameters
2⤵
PID:1668

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\System\ControlSet001\Services\pci\Parameters
2⤵
PID:3720

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\System\ControlSet001\Services\pci\Parameters /v DmaRemappingCompatible
2⤵
PID:3584

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\System\ControlSet001\Services\pci\Parameters /v DmaRemappingCompatible
2⤵
- Modifies registry key
PID:1736

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\System\ControlSet001\Services\HDAudBus\Parameters
2⤵
PID:608

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\System\ControlSet001\Services\HDAudBus\Parameters /v DmaRemappingCompatible
2⤵
PID:752

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\System\ControlSet001\Services\NdisWan\Parameters
2⤵
PID:4704

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\System\ControlSet001\Services\NdisWan\Parameters /v DmaRemappingCompatible
2⤵
PID:4536

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\System\ControlSet001\Services\kbhid\Parameters
2⤵
PID:3024

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\System\ControlSet001\Services\kbdclass\Parameters
2⤵
PID:1416

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\System\ControlSet001\Services\kbdclass\Parameters /v DmaRemappingCompatible
2⤵
- Modifies registry key
PID:2120

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\System\ControlSet001\Services\intellppm\Parameters
2⤵
- Modifies registry key
PID:3560

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKCU\Software\Microsoft\Windows\CurrentVersion\Themes\Personalize
2⤵
- Modifies registry key
PID:1960

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKCU\Software\Microsoft\Windows\CurrentVersion\Themes\Personalize /v EnableTransparency
2⤵
PID:920

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKCU\Software\Microsoft\Windows\CurrentVersion\Themes\Personalize /v EnableTransparency
2⤵
PID:1540

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKLM\Software\Microsoft\Windows\Windows Error Reporting"
2⤵
PID:3576

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKLM\Software\Microsoft\Windows\Windows Error Reporting" /v DontSendAdditionalData
2⤵
PID:2504

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKLM\Software\Microsoft\Windows\Windows Error Reporting"
2⤵
PID:700

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKLM\Software\Microsoft\Windows\Windows Error Reporting" /v LoggingDisabled
2⤵
PID:2888

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKLM\Software\Microsoft\Windows\Windows Error Reporting\Consent"
2⤵
PID:1972

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKLM\Software\Microsoft\Windows\Windows Error Reporting\Consent" /v DefaultOverrideBehavior
2⤵
PID:2948

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKLM\Software\Microsoft\Windows\Windows Error Reporting\Consent"
2⤵
PID:1028

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKLM\Software\Microsoft\Windows\Windows Error Reporting\Consent" /v DefaultConsent
2⤵
PID:1348

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKLM\Software\Microsoft\Windows\Windows Error Reporting\Consent" /v DefaultConsent
2⤵
PID:968

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\Software\Policies\Microsoft\MicrosoftEdge\Main
2⤵
PID:4852

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\Software\Policies\Microsoft\FindMyDevice
2⤵
PID:4972

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\Software\Policies\Microsoft\FindMyDevice
2⤵
PID:3612

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKCU\Software\Microsoft\Windows\CurrentVersion\AdvertisingInfo
2⤵
PID:908

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKCU\Software\Microsoft\Windows\CurrentVersion\AdvertisingInfo /v Enabled
2⤵
PID:240

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKCU\Software\Microsoft\Windows\CurrentVersion\AdvertisingInfo /v Enabled
2⤵
PID:2404

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\Maintenance"
2⤵
PID:552

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\Maintenance" /v MaintenanceDisabled
2⤵
PID:3356

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\Maintenance" /v MaintenanceDisabled
2⤵
PID:1532

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\System\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity
2⤵
PID:1980

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\System\CurrentControlSet\Control\GraphicsDrivers
2⤵
PID:5068

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\System\CurrentControlSet\Control\GraphicsDrivers /v HwSchedMode
2⤵
PID:2076

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKCU\Software\Microsoft\Windows\CurrentVersion\BackgroundAccessApplications
2⤵
PID:896

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKCU\Software\Microsoft\Windows\CurrentVersion\BackgroundAccessApplications /v GlobalUserDisabled
2⤵
PID:3720

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKCU\Software\Microsoft\Windows\CurrentVersion\Search
2⤵
PID:3296

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKCU\Software\Microsoft\Windows\CurrentVersion\Search /v BackgroundAppGlobalToggle
2⤵
- Modifies registry key
PID:1736

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKCU\Software\Microsoft\Windows\CurrentVersion\Diagnostics\DiagTrack
2⤵
- Modifies registry key
PID:2864

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKCU\Software\Microsoft\Windows\CurrentVersion\Diagnostics\DiagTrack /v ShowedToastAtLevel
2⤵
PID:1652

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKCU\Software\Microsoft\Windows\CurrentVersion\Diagnostics\DiagTrack /v ShowedToastAtLevel
2⤵
PID:436

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\DataCollection
2⤵
PID:2884

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\DataCollection /v AllowTelemetry
2⤵
PID:4760

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\DataCollection
2⤵
PID:1520

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\DataCollection /v MaxTelemetryAllowed
2⤵
PID:4988

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
2⤵
- Modifies registry key
PID:2084

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoLowDiskSpaceChecks
2⤵
PID:2692

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoLowDiskSpaceChecks
2⤵
- Modifies registry key
PID:2144

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
2⤵
PID:4828

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v LinkResolveIgnoreLinkInfo
2⤵
PID:3576

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v LinkResolveIgnoreLinkInfo
2⤵
PID:2760

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
2⤵
PID:1460

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoResolveSearch
2⤵
PID:200

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoResolveSearch
2⤵
PID:3236

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
2⤵
PID:4224

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoResolveTrack
2⤵
PID:2808

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoResolveTrack
2⤵
- Modifies registry key
PID:3696

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
2⤵
PID:1896

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoInternetOpenWith
2⤵
PID:2460

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoInternetOpenWith
2⤵
PID:1204

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
2⤵
- Modifies registry key
PID:3380

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoInstrumentation
2⤵
PID:780

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\PushNotifications
2⤵
PID:1756

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\PushNotifications /v NoTileApplicationNotification
2⤵
PID:2080

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\PushNotifications /v NoTileApplicationNotification
2⤵
PID:2108

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\System\CurrentControlSet\Control\Power\PowerThrottling
2⤵
- Modifies registry key
PID:788

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKCU\Software\Microsoft\Windows\CurrentVersion\explorer\advanced
2⤵
PID:1980

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKCU\Software\Microsoft\Windows\CurrentVersion\explorer\advanced /v Start_TrackProgs
2⤵
PID:3624

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKCU\Software\Microsoft\Windows\CurrentVersion\explorer\advanced /v Start_TrackProgs
2⤵
PID:2076

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKCU\Control Panel\International\User Profile"
2⤵
PID:3540

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKCU\Control Panel\International\User Profile" /v HttpAcceptLanguageOptOut
2⤵
PID:3584

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\Software\Policies\Microsoft\Windows\Personalization
2⤵
- Modifies registry key
PID:1900

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\Software\Policies\Microsoft\Windows\AppCompat
2⤵
PID:2396

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\Software\Policies\Microsoft\Windows\AppCompat
2⤵
PID:2828

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\Software\Policies\Microsoft\Speech
2⤵
PID:1652

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKCU\Software\Policies\Microsoft\Windows\Explorer
2⤵
PID:2324

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKCU\Software\Policies\Microsoft\Windows\Explorer /v NoRemoteDestinations
2⤵
PID:3816

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKCU\Software\Microsoft\Windows\CurrentVersion\Privacy
2⤵
PID:2872

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKCU\Software\Microsoft\Windows\CurrentVersion\Privacy /v TailoredExperiencesWithDiagnosticDataEnabled
2⤵
PID:1520

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKCU\Software\Microsoft\Windows\CurrentVersion\Privacy /v TailoredExperiencesWithDiagnosticDataEnabled
2⤵
- Modifies registry key
PID:3892

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\Software\Microsoft\Windows\CurrentVersion\Search
2⤵
PID:5056

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\Software\Policies\Microsoft\InputPersonalization
2⤵
PID:1052

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\Software\Policies\Microsoft\InputPersonalization
2⤵
- Modifies registry key
PID:1208

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKLM\Software\Policies\Microsoft\Windows NT\CurrentVersion\Software Protection Platform"
2⤵
PID:248

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKLM\Software\Policies\Microsoft\Windows NT\CurrentVersion\Software Protection Platform" /v NoGenTicket
2⤵
PID:3108

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKLM\Software\Policies\Microsoft\Windows NT\CurrentVersion\Software Protection Platform" /v NoGenTicket
2⤵
PID:3048

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\Software\Policies\Microsoft\Windows\AdvertisingInfo
2⤵
PID:4472

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\Software\Policies\Microsoft\Windows\DataCollection
2⤵
PID:1812

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\Software\Policies\Microsoft\Windows\DataCollection /v LimitEnhancedDiagnosticDataWindowsAnalytics
2⤵
PID:3080

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\Software\Policies\Microsoft\Windows\Maps
2⤵
PID:3504

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\Software\Policies\Microsoft\Windows\Maps
2⤵
PID:2088

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\Software\Policies\Microsoft\Windows\TabletPC
2⤵
PID:2412

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\Software\Policies\Microsoft\Windows\TabletPC /v PreventHandwritingDataSharing
2⤵
- Modifies registry key
PID:4972

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\Software\Policies\Microsoft\Windows\TabletPC /v PreventHandwritingDataSharing
2⤵
PID:3760

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\Software\Policies\Microsoft\Windows\AppCompat
2⤵
PID:4012

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKLM\Software\Policies\Microsoft\Windows\Windows Search"
2⤵
PID:2072

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKLM\Software\Policies\Microsoft\Windows\Windows Search" /v ConnectedSearchUseWeb
2⤵
PID:2768

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKLM\Software\Policies\Microsoft\Windows\Windows Search"
2⤵
PID:2280

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKLM\Software\Policies\Microsoft\Windows\Windows Search" /v DisableWebSearch
2⤵
PID:1628

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\DataCollection
2⤵
PID:1764

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\DataCollection /v DoNotShowFeedbackNotifications
2⤵
PID:3116

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\System\CurrentControlSet\Control\PriorityControl
2⤵
- Modifies registry key
PID:1624

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\System\CurrentControlSet\Control\PriorityControl /v Win32PrioritySeparation
2⤵
PID:4588

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\System\CurrentControlSet\Control\PriorityControl /v Win32PrioritySeparation
2⤵
PID:872

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\Software\Policies\Microsoft\Windows\AppPrivacy
2⤵
PID:2876

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKLM\System\CurrentControlSet\Control\Session Manager\kernel"
2⤵
PID:3584

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKLM\System\CurrentControlSet\Control\Session Manager\kernel" /v DisableExceptionChainValidation
2⤵
PID:1900

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKLM\System\CurrentControlSet\Control\Session Manager\kernel"
2⤵
PID:796

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
3⤵
PID:2396

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKLM\System\CurrentControlSet\Control\Session Manager\kernel" /v KernelSEHOPEnabled
2⤵
PID:4008

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile"
2⤵
PID:1092

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
3⤵
PID:1652

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile" /v NetworkThrottlingIndex
2⤵
PID:2608

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile" /v NetworkThrottlingIndex
2⤵
PID:1816

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile"
2⤵
PID:2872

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile" /v SystemResponsiveness
2⤵
PID:1520

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile" /v SystemResponsiveness
2⤵
PID:4480

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile"
2⤵
PID:4892

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile" /v NoLazyMode
2⤵
PID:1968

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Games"
2⤵
PID:4688

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Games" /v NoLazyMode
2⤵
PID:2504

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKLM\Software\Policies\Microsoft\Internet Explorer\SQM"
2⤵
PID:3304

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKLM\System\CurrentControlSet\Control\Session Manager\Memory Management"
2⤵
PID:3732

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKLM\System\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverride
2⤵
PID:1972

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKLM\System\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverride
2⤵
PID:3236

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKLM\System\CurrentControlSet\Control\Session Manager\Memory Management"
2⤵
PID:2112

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKLM\System\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverrideMask
2⤵
PID:3244

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKLM\System\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverrideMask
2⤵
PID:4920

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKLM\System\CurrentControlSet\Control\Session Manager\Memory Management"
2⤵
PID:1868

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKLM\System\CurrentControlSet\Control\Session Manager\Memory Management" /v EnableCfg
2⤵
PID:4100

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKLM\System\CurrentControlSet\Control\Session Manager\Memory Management"
2⤵
PID:2428

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
3⤵
PID:3760

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKLM\System\CurrentControlSet\Control\Session Manager\Memory Management" /v DisablePageCombining
2⤵
PID:1904

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKLM\System\CurrentControlSet\Control\Session Manager\Memory Management"
2⤵
PID:780

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKLM\System\CurrentControlSet\Control\Session Manager\Memory Management" /v EnablePrefetcher
2⤵
PID:4796

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKLM\System\CurrentControlSet\Control\Session Manager\Memory Management"
2⤵
PID:4500

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
3⤵
PID:2280

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKLM\System\CurrentControlSet\Control\Session Manager\Memory Management" /v EnableSuperfetch
2⤵
PID:3684

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\Software\Microsoft\FTH
2⤵
PID:2532

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\Software\Microsoft\FTH /v Enabled
2⤵
- Modifies registry key
PID:5068

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
3⤵
PID:3116

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\Software\Microsoft\FTH /v Enabled
2⤵
PID:1088

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
3⤵
PID:1624

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\System\CurrentControlSet\Services\AJRouter
2⤵
- Modifies registry key
PID:2076

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\System\CurrentControlSet\Services\AJRouter /v Start
2⤵
PID:5008

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\System\CurrentControlSet\Services\AJRouter /v Start
2⤵
- Modifies registry key
PID:2184

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\System\CurrentControlSet\Services\ALG
2⤵
PID:5060

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\System\CurrentControlSet\Services\ALG /v Start
2⤵
PID:1900

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\System\CurrentControlSet\Services\ALG /v Start
2⤵
PID:5076

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
3⤵
PID:796

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\System\CurrentControlSet\Services\AppIDSvc
2⤵
PID:2540

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
3⤵
PID:4008

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\System\CurrentControlSet\Services\AppIDSvc /v Start
2⤵
- Modifies registry key
PID:4764

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\System\CurrentControlSet\Services\AppIDSvc /v Start
2⤵
- Modifies registry key
PID:4760

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\System\CurrentControlSet\Services\AppMgmt
2⤵
PID:4484

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\System\CurrentControlSet\Services\AppMgmt /v Start
2⤵
PID:3476

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\System\CurrentControlSet\Services\AppMgmt /v Start
2⤵
PID:1424

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\System\CurrentControlSet\Services\AppReadiness
2⤵
PID:2688

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
3⤵
PID:4480

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\System\CurrentControlSet\Services\AppReadiness /v Start
2⤵
PID:1620

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\System\CurrentControlSet\Services\AppReadiness /v Start
2⤵
PID:1792

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\System\CurrentControlSet\Services\AppVClient
2⤵
PID:3904

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\System\CurrentControlSet\Services\AppVClient /v Start
2⤵
PID:4616

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\System\CurrentControlSet\Services\AppVClient /v Start
2⤵
PID:2332

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\System\CurrentControlSet\Services\CertPropSvc
2⤵
- Modifies registry key
PID:4836

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\System\CurrentControlSet\Services\CertPropSvc /v Start
2⤵
PID:4472

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\System\CurrentControlSet\Services\CertPropSvc /v Start
2⤵
PID:556

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\System\CurrentControlSet\Services\defragsvc
2⤵
PID:4700

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\System\CurrentControlSet\Services\defragsvc /v Start
2⤵
PID:3396

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\System\CurrentControlSet\Services\defragsvc /v Start
2⤵
PID:2088

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\System\CurrentControlSet\Services\diagnosticshub.standardcollector.service
2⤵
- Modifies registry key
PID:1880

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\System\CurrentControlSet\Services\diagnosticshub.standardcollector.service /v Start
2⤵
PID:4376

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\System\CurrentControlSet\Services\diagnosticshub.standardcollector.service /v Start
2⤵
PID:4740

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\System\CurrentControlSet\Services\diagsvc
2⤵
PID:4040

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\System\CurrentControlSet\Services\diagsvc /v Start
2⤵
PID:392

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\System\CurrentControlSet\Services\diagsvc /v Start
2⤵
PID:3332

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\System\CurrentControlSet\Services\embeddedmode
2⤵
PID:2136

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\System\CurrentControlSet\Services\embeddedmode /v Start
2⤵
PID:788

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\System\CurrentControlSet\Services\embeddedmode /v Start
2⤵
PID:5040

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\System\CurrentControlSet\Services\EntAppSvc
2⤵
PID:388

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\System\CurrentControlSet\Services\EntAppSvc /v Start
2⤵
PID:2264

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\System\CurrentControlSet\Services\EntAppSvc /v Start
2⤵
PID:3540

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\System\CurrentControlSet\Services\FontCache
2⤵
PID:3152

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\System\CurrentControlSet\Services\FontCache /v Start
2⤵
PID:1364

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
3⤵
PID:2184

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\System\CurrentControlSet\Services\FontCache /v Start
2⤵
- Modifies registry key
PID:2604

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\System\CurrentControlSet\Services\FontCache3.0.0.0
2⤵
PID:4692

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\System\CurrentControlSet\Services\FontCache3.0.0.0 /v Start
2⤵
- Modifies registry key
PID:4676

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\System\CurrentControlSet\Services\FontCache3.0.0.0 /v Start
2⤵
PID:3796

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\System\CurrentControlSet\Services\GraphicsPerfSvc
2⤵
PID:4764

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\System\CurrentControlSet\Services\GraphicsPerfSvc /v Start
2⤵
PID:3912

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\System\CurrentControlSet\Services\GraphicsPerfSvc /v Start
2⤵
PID:660

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\System\CurrentControlSet\Services\LanmanServer
2⤵
PID:664

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
3⤵
PID:2872

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\System\CurrentControlSet\Services\LanmanServer /v Start
2⤵
PID:1508

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\System\CurrentControlSet\Services\LanmanServer /v Start
2⤵
- Modifies registry key
PID:2144

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\System\CurrentControlSet\Services\NaturalAuthentication
2⤵
PID:1052

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
3⤵
PID:1968

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\System\CurrentControlSet\Services\NaturalAuthentication /v Start
2⤵
PID:3868

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\System\CurrentControlSet\Services\NaturalAuthentication /v Start
2⤵
PID:712

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\System\CurrentControlSet\Services\p2pimsvc
2⤵
PID:4616

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\System\CurrentControlSet\Services\p2pimsvc /v Start
2⤵
- Modifies registry key
PID:2332

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\System\CurrentControlSet\Services\p2pimsvc /v Start
2⤵
PID:1712

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\System\CurrentControlSet\Services\p2psvc
2⤵
- Modifies registry key
PID:4044

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\System\CurrentControlSet\Services\p2psvc /v Start
2⤵
PID:4264

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\System\CurrentControlSet\Services\p2psvc /v Start
2⤵
- Modifies registry key
PID:1448

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\System\CurrentControlSet\Services\PcaSvc
2⤵
PID:3244

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
3⤵
PID:4920

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\System\CurrentControlSet\Services\PcaSvc /v Start
2⤵
PID:864

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\System\CurrentControlSet\Services\PcaSvc /v Start
2⤵
PID:4972

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
3⤵
PID:1880

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\System\CurrentControlSet\Services\QWAVE
2⤵
PID:4116

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\System\CurrentControlSet\Services\QWAVE /v Start
2⤵
PID:908

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\System\CurrentControlSet\Services\QWAVE /v Start
2⤵
PID:4256

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
3⤵
PID:1904

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\System\CurrentControlSet\Services\RemoteAccess
2⤵
PID:2036

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
3⤵
PID:392

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\System\CurrentControlSet\Services\RemoteAccess /v Start
2⤵
- Modifies registry key
PID:944

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\System\CurrentControlSet\Services\RemoteAccess /v Start
2⤵
PID:3356

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\System\CurrentControlSet\Services\RemoteRegistry
2⤵
PID:3464

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
3⤵
PID:788

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\System\CurrentControlSet\Services\RemoteRegistry /v Start
2⤵
PID:2548

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
3⤵
PID:5068

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\System\CurrentControlSet\Services\RemoteRegistry /v Start
2⤵
PID:388

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\System\CurrentControlSet\Services\RpcLocator
2⤵
PID:4180

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\System\CurrentControlSet\Services\RpcLocator /v Start
2⤵
PID:2360

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\System\CurrentControlSet\Services\RpcLocator /v Start
2⤵
PID:232

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
3⤵
PID:5008

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\System\CurrentControlSet\Services\SCardSvr
2⤵
PID:1364

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\System\CurrentControlSet\Services\SCardSvr /v Start
2⤵
PID:2604

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\System\CurrentControlSet\Services\SCardSvr /v Start
2⤵
PID:4632

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\System\CurrentControlSet\Services\ScDeviceEnum
2⤵
PID:4468

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\System\CurrentControlSet\Services\ScDeviceEnum /v Start
2⤵
PID:1652

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\System\CurrentControlSet\Services\ScDeviceEnum /v Start
2⤵
- Modifies registry key
PID:3008

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\System\CurrentControlSet\Services\SEMgrSvc
2⤵
- Modifies registry key
PID:4760

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\System\CurrentControlSet\Services\SEMgrSvc /v Start
2⤵
PID:1048

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
3⤵
PID:4484

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\System\CurrentControlSet\Services\SEMgrSvc /v Start
2⤵
PID:1520

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\System\CurrentControlSet\Services\SensorDataService
2⤵
PID:1032

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\System\CurrentControlSet\Services\SensorDataService /v Start
2⤵
- Modifies registry key
PID:2440

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\System\CurrentControlSet\Services\SensorDataService /v Start
2⤵
PID:1208

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
3⤵
PID:1052

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\System\CurrentControlSet\Services\SensorService
2⤵
PID:3792

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\System\CurrentControlSet\Services\SensorService /v Start
2⤵
PID:2760

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\System\CurrentControlSet\Services\SensorService /v Start
2⤵
PID:2188

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\System\CurrentControlSet\Services\SensrSvc
2⤵
PID:4576

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\System\CurrentControlSet\Services\SensrSvc /v Start
2⤵
PID:1972

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\System\CurrentControlSet\Services\SensrSvc /v Start
2⤵
PID:4752

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\System\CurrentControlSet\Services\SessionEnv
2⤵
- Modifies registry key
PID:3504

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\System\CurrentControlSet\Services\SessionEnv /v Start
2⤵
- Modifies registry key
PID:4036

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
3⤵
PID:3396

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\System\CurrentControlSet\Services\SessionEnv /v Start
2⤵
PID:1336

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\System\CurrentControlSet\Services\SgrmBroker
2⤵
PID:2088

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\System\CurrentControlSet\Services\SgrmBroker /v Start
2⤵
PID:2752

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\System\CurrentControlSet\Services\SgrmBroker /v Start
2⤵
- Modifies registry key
PID:4844

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\System\CurrentControlSet\Services\SharedAccess
2⤵
- Modifies registry key
PID:3756

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\System\CurrentControlSet\Services\SharedAccess /v Start
2⤵
PID:4060

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
3⤵
PID:908

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\System\CurrentControlSet\Services\SharedAccess /v Start
2⤵
PID:784

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
3⤵
PID:4256

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\System\CurrentControlSet\Services\ShellHWDetection
2⤵
PID:2100

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\System\CurrentControlSet\Services\ShellHWDetection /v Start
2⤵
PID:1628

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\System\CurrentControlSet\Services\ShellHWDetection /v Start
2⤵
PID:868

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
3⤵
PID:3356

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\System\CurrentControlSet\Services\tzautoupdate
2⤵
PID:5020

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\System\CurrentControlSet\Services\tzautoupdate /v Start
2⤵
PID:3308

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
3⤵
PID:5040

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\System\CurrentControlSet\Services\tzautoupdate /v Start
2⤵
PID:4488

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\System\CurrentControlSet\Control
2⤵
PID:4596

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\System\CurrentControlSet\Control /v WaitToKillServiceTimeout
2⤵
PID:3372

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\System\CurrentControlSet\Control /v WaitToKillServiceTimeout
2⤵
PID:2592

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKCU\Control Panel\Desktop"
2⤵
PID:3584

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKCU\Control Panel\Desktop" /v AutoEndTasks
2⤵
PID:4704

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKCU\Control Panel\Desktop" /v AutoEndTasks
2⤵
PID:2536

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKCU\Software\Microsoft\Windows\DWM
2⤵
- Modifies registry key
PID:3796

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKCU\Software\Microsoft\Windows\DWM /v Composition
2⤵
PID:3012

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKCU\Software\Microsoft\Windows\DWM /v Composition
2⤵
PID:2348

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Games"
2⤵
PID:4536

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Games" /v "Latency Sensitive"
2⤵
PID:756

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Games"
2⤵
PID:2688

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Games" /v "Background Only"
2⤵
PID:1508

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
3⤵
PID:2144

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Games" /v "Background Only"
2⤵
PID:4136

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
3⤵
PID:1620

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\System\CurrentControlSet\Services\mouclass\Parameters
2⤵
- Modifies registry key
PID:2440

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\System\CurrentControlSet\Services\kbdclass\Parameters
2⤵
PID:1792

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\System\CurrentControlSet\Services\kbdclass\Parameters /v KeyboardDataQueueSize
2⤵
PID:1156

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\System\CurrentControlSet\Services\kbdclass\Parameters /v KeyboardDataQueueSize
2⤵
- Modifies registry key
PID:3480

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
3⤵
PID:2760

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\Software\Policies\Microsoft\Windows\Psched
2⤵
PID:2188

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\System\CurrentControlSet\Services\Tcpip\QoS
2⤵
PID:3732

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
3⤵
PID:1712

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKLM\Software\Policies\Microsoft\Windows NT\DNSClient"
2⤵
PID:1812

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell.exe -ExecutionPolicy Bypass -Command "Checkpoint-Computer -Description 'Before Azurite Optimization' -RestorePointType 'MODIFY_SETTINGS'""
2⤵
PID:560

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy Bypass -Command "Checkpoint-Computer -Description 'Before Azurite Optimization' -RestorePointType 'MODIFY_SETTINGS'"
3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1448

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD HKLM\System\CurrentControlSet\Services\RmSvc /v Start /t REG_DWORD /d 3 /f
2⤵
- Modifies registry key
PID:4024

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD HKLM\System\ControlSet001\Services\xinputhid\Parameters /v DmaRemappingCompatible /t REG_DWORD /d 0 /f
2⤵
- Modifies registry key
PID:416

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD HKLM\System\ControlSet001\Services\WUDFRd\Parameters /v DmaRemappingCompatible /t REG_DWORD /d 0 /f
2⤵
PID:752

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD HKLM\System\ControlSet001\Services\WpdUpFltr\Parameters /v DmaRemappingCompatible /t REG_DWORD /d 0 /f
2⤵
PID:2884

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD HKLM\System\ControlSet001\Services\vwififlt\Parameters /v DmaRemappingCompatible /t REG_DWORD /d 0 /f
2⤵
- Modifies registry key
PID:3816

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD HKLM\System\ControlSet001\Services\vdrvroot\Parameters /v DmaRemappingCompatible /t REG_DWORD /d 0 /f
2⤵
PID:1652

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD HKLM\System\ControlSet001\Services\USBXHCI\Parameters /v DmaRemappingCompatible /t REG_DWORD /d 0 /f
2⤵
PID:4644

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD HKLM\System\ControlSet001\Services\USBHUB3\Parameters /v DmaRemappingCompatible /t REG_DWORD /d 0 /f
2⤵
PID:3476

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD HKLM\System\ControlSet001\Services\umbus\Parameters /v DmaRemappingCompatible /t REG_DWORD /d 0 /f
2⤵
PID:2692

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD HKLM\System\ControlSet001\Services\storahci\Parameters /v DmaRemappingCompatible /t REG_DWORD /d 0 /f
2⤵
PID:4184

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD HKLM\System\ControlSet001\Services\stornvme\Parameters /v DmaRemappingCompatible /t REG_DWORD /d 0 /f
2⤵
PID:1032

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD HKLM\System\ControlSet001\Services\NdisVirtualBus\Parameters /v DmaRemappingCompatible /t REG_DWORD /d 0 /f
2⤵
PID:3408

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD HKLM\System\ControlSet001\Services\msisadrv\Parameters /v DmaRemappingCompatible /t REG_DWORD /d 0 /f
2⤵
PID:1052

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD HKLM\System\ControlSet001\Services\mouhid\Parameters /v DmaRemappingCompatible /t REG_DWORD /d 0 /f
2⤵
PID:3792

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD HKLM\System\ControlSet001\Services\monitor\Parameters /v DmaRemappingCompatible /t REG_DWORD /d 0 /f
2⤵
PID:2052

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD HKLM\System\ControlSet001\Services\intelpep\Parameters /v DmaRemappingCompatible /t REG_DWORD /d 0 /f
2⤵
PID:3716

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD HKLM\System\ControlSet001\Services\CompositeBus\Parameters /v DmaRemappingCompatible /t REG_DWORD /d 0 /f
2⤵
PID:2856

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD HKLM\System\ControlSet001\Services\BasicRender\Parameters /v DmaRemappingCompatible /t REG_DWORD /d 0 /f
2⤵
PID:1712

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD HKLM\System\ControlSet001\Services\BasicDisplay\Parameters /v DmaRemappingCompatible /t REG_DWORD /d 0 /f
2⤵
PID:4460

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD HKLM\System\ControlSet001\Services\acpipagr\Parameters /v DmaRemappingCompatible /t REG_DWORD /d 0 /f
2⤵
PID:968

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD HKLM\System\ControlSet001\Services\acpi\Parameters /v DmaRemappingCompatible /t REG_DWORD /d 0 /f
2⤵
PID:2700

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD HKLM\System\ControlSet001\Services\partmgr\Parameters /v DmaRemappingCompatible /t REG_DWORD /d 0 /f
2⤵
- Modifies registry key
PID:1820

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD HKLM\System\ControlSet001\Services\xinputhid\Parameters /v DmaRemappingCompatible /t REG_DWORD /d 0 /f
2⤵
PID:2532

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD HKLM\System\ControlSet001\Services\pci\Parameters /v DmaRemappingCompatible /t REG_DWORD /d 0 /f
2⤵
PID:1852

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD HKLM\System\ControlSet001\Services\HDAudBus\Parameters /v DmaRemappingCompatible /t REG_DWORD /d 0 /f
2⤵
PID:2664

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD HKLM\System\ControlSet001\Services\NdisWan\Parameters /v DmaRemappingCompatible /t REG_DWORD /d 0 /f
2⤵
PID:3264

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD HKLM\System\ControlSet001\Services\kbhid\Parameters /v DmaRemappingCompatible /t REG_DWORD /d 0 /f
2⤵
PID:3396

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD HKLM\System\ControlSet001\Services\kbdclass\Parameters /v DmaRemappingCompatible /t REG_DWORD /d 0 /f
2⤵
PID:4196

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD HKLM\System\ControlSet001\Services\intellppm\Parameters /v DmaRemappingCompatible /t REG_DWORD /d 0 /f
2⤵
PID:1428

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Themes\Personalize /v EnableTransparency /t REG_DWORD /d 0 /f
2⤵
PID:2828

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD "HKLM\Software\Microsoft\Windows\Windows Error Reporting" /v DontSendAdditionalData /t REG_DWORD /d 1 /f
2⤵
PID:3512

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD "HKLM\Software\Microsoft\Windows\Windows Error Reporting" /v LoggingDisabled /t REG_DWORD /d 1 /f
2⤵
PID:2128

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD "HKLM\Software\Microsoft\Windows\Windows Error Reporting\Consent" /v DefaultOverrideBehavior /t REG_DWORD /d 1 /f
2⤵
PID:2552

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD "HKLM\Software\Microsoft\Windows\Windows Error Reporting\Consent" /v DefaultConsent /t REG_DWORD /d 0 /f
2⤵
PID:4900

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD HKLM\Software\Policies\Microsoft\MicrosoftEdge\Main /v AllowPrelaunch /t REG_DWORD /d 0 /f
2⤵
PID:660

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD HKLM\Software\Policies\Microsoft\FindMyDevice /v AllowFindMyDevice /t REG_DWORD /d 0 /f
2⤵
PID:2084

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD HKLM\Software\Policies\Microsoft\FindMyDevice /v LocationSyncEnabled /t REG_DWORD /d 0 /f
2⤵
PID:756

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD HKCU\Software\Microsoft\Windows\CurrentVersion\AdvertisingInfo /v Enabled /t REG_DWORD /d 0 /f
2⤵
PID:5012

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\Maintenance" /v MaintenanceDisabled /t REG_DWORD /d 1 /f
2⤵
PID:1508

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD HKLM\System\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity /v Enabled /t REG_DWORD /d 0 /f
2⤵
PID:4052

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD HKLM\System\CurrentControlSet\Control\GraphicsDrivers /v HwSchedMode /t REG_DWORD /d 2 /f
2⤵
PID:4512

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD HKCU\Software\Microsoft\Windows\CurrentVersion\BackgroundAccessApplications /v GlobalUserDisabled /t REG_DWORD /d 1 /f
2⤵
PID:4580

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Search /v BackgroundAppGlobalToggle /t REG_DWORD /d 0 /f
2⤵
PID:2976

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Diagnostics\DiagTrack /v ShowedToastAtLevel /t REG_DWORD /d 1 /f
2⤵
PID:716

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\DataCollection /v AllowTelemetry /t REG_DWORD /d 0 /f
2⤵
PID:4472

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\DataCollection /v MaxTelemetryAllowed /t REG_DWORD /d 0 /f
2⤵
- Modifies registry key
PID:480

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoLowDiskSpaceChecks /t REG_DWORD /d 1 /f
2⤵
PID:4224

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v LinkResolveIgnoreLinkInfo /t REG_DWORD /d 1 /f
2⤵
PID:4604

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoResolveSearch /t REG_DWORD /d 1 /f
2⤵
PID:1984

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoResolveTrack /t REG_DWORD /d 1 /f
2⤵
PID:3332

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoInternetOpenWith /t REG_DWORD /d 1 /f
2⤵
PID:980

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoInstrumentation /t REG_DWORD /d 1 /f
2⤵
PID:1272

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\PushNotifications /v NoTileApplicationNotification /t REG_DWORD /d 1 /f
2⤵
PID:2116

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD HKLM\System\CurrentControlSet\Control\Power\PowerThrottling /v PowerThrottlingOff /t REG_DWORD /d 1 /f
2⤵
PID:4056

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD HKCU\Software\Microsoft\Windows\CurrentVersion\explorer\advanced /v Start_TrackProgs /t REG_DWORD /d 0 /f
2⤵
PID:3264

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD "HKCU\Control Panel\International\User Profile" /v HttpAcceptLanguageOptOut /t REG_DWORD /d 1 /f
2⤵
PID:1396

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD HKLM\Software\Policies\Microsoft\Windows\Personalization /v NoLockScreenCamera /t REG_DWORD /d 1 /f
2⤵
PID:3696

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD HKLM\Software\Policies\Microsoft\Windows\AppCompat /v DisableInventory /t REG_DWORD /d 1 /f
2⤵
- Modifies registry key
PID:3348

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD HKLM\Software\Policies\Microsoft\Windows\AppCompat /v DisableUAR /t REG_DWORD /d 1 /f
2⤵
PID:2512

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD HKLM\Software\Policies\Microsoft\Speech /v AllowSpeechModelUpdate /t REG_DWORD /d 0 /f
2⤵
PID:1756

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD HKCU\Software\Policies\Microsoft\Windows\Explorer /v NoRemoteDestinations /t REG_DWORD /d 1 /f
2⤵
PID:3760

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Privacy /v TailoredExperiencesWithDiagnosticDataEnabled /t REG_DWORD /d 0 /f
2⤵
- Modifies registry key
PID:420

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD HKLM\Software\Microsoft\Windows\CurrentVersion\Search /v BingSearchEnabled /t REG_DWORD /d 0 /f
2⤵
- Modifies registry key
PID:2884

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD HKLM\Software\Policies\Microsoft\InputPersonalization /v RestrictImplicitInkCollection /t REG_DWORD /d 1 /f
2⤵
PID:2552

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD HKLM\Software\Policies\Microsoft\InputPersonalization /v RestrictImplicitTextCollection /t REG_DWORD /d 1 /f
2⤵
PID:1816

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD "HKLM\Software\Policies\Microsoft\Windows NT\CurrentVersion\Software Protection Platform" /v NoGenTicket /t REG_DWORD /d 1 /f
2⤵
PID:2120

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD HKLM\Software\Policies\Microsoft\Windows\AdvertisingInfo /v DisabledByGroupPolicy /t REG_DWORD /d 1 /f
2⤵
PID:740

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD HKLM\Software\Policies\Microsoft\Windows\DataCollection /v LimitEnhancedDiagnosticDataWindowsAnalytics /t REG_DWORD /d 0 /f
2⤵
PID:4184

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD HKLM\Software\Policies\Microsoft\Windows\Maps /v AutoDownloadAndUpdateMapData /t REG_DWORD /d 0 /f
2⤵
- Modifies registry key
PID:4612

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD HKLM\Software\Policies\Microsoft\Windows\Maps /v AllowUntriggeredNetworkTrafficOnSettingsPage /t REG_DWORD /d 0 /f
2⤵
PID:1392

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD HKLM\Software\Policies\Microsoft\Windows\TabletPC /v PreventHandwritingDataSharing /t REG_DWORD /d 1 /f
2⤵
PID:1040

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD HKLM\Software\Policies\Microsoft\Windows\AppCompat /v AITEnable /t REG_DWORD /d 0 /f
2⤵
PID:1792

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD "HKLM\Software\Policies\Microsoft\Windows\Windows Search" /v ConnectedSearchUseWeb /t REG_DWORD /d 0 /f
2⤵
PID:1460

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD "HKLM\Software\Policies\Microsoft\Windows\Windows Search" /v DisableWebSearch /t REG_DWORD /d 1 /f
2⤵
PID:2976

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\DataCollection /v DoNotShowFeedbackNotifications /t REG_DWORD /d 1 /f
2⤵
- Modifies registry key
PID:4244

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD HKLM\System\CurrentControlSet\Control\PriorityControl /v Win32PrioritySeparation /t REG_DWORD /d 38 /f
2⤵
PID:4928

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD HKLM\Software\Policies\Microsoft\Windows\AppPrivacy /v LetAppsRunInBackground /t REG_DWORD /d 2 /f
2⤵
PID:1028

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD "HKLM\System\CurrentControlSet\Control\Session Manager\kernel" /v DisableExceptionChainValidation /t REG_DWORD /d 1 /f
2⤵
PID:4792

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD "HKLM\System\CurrentControlSet\Control\Session Manager\kernel" /v KernelSEHOPEnabled /t REG_DWORD /d 0 /f
2⤵
PID:1120

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile" /v NetworkThrottlingIndex /t REG_DWORD /d 10 /f
2⤵
PID:844

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile" /v SystemResponsiveness /t REG_DWORD /d 10 /f
2⤵
PID:2572

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile" /v NoLazyMode /t REG_DWORD /d 1 /f
2⤵
PID:2532

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Games" /v NoLazyMode /t REG_DWORD /d 1 /f
2⤵
PID:3988

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD "HKLM\Software\Policies\Microsoft\Internet Explorer\SQM" /v DisableCustomerImprovementProgram /t REG_DWORD /d 1 /f
2⤵
PID:1088

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD "HKLM\System\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverride /t REG_DWORD /d 3 /f
2⤵
PID:2088

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD "HKLM\System\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverrideMask /t REG_DWORD /d 3 /f
2⤵
PID:1396

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD "HKLM\System\CurrentControlSet\Control\Session Manager\Memory Management" /v EnableCfg /t REG_DWORD /d 0 /f
2⤵
PID:3696

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD "HKLM\System\CurrentControlSet\Control\Session Manager\Memory Management" /v DisablePageCombining /t REG_DWORD /d 1 /f
2⤵
PID:1352

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD "HKLM\System\CurrentControlSet\Control\Session Manager\Memory Management" /v EnablePrefetcher /t REG_DWORD /d 0 /f
2⤵
PID:4796

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD "HKLM\System\CurrentControlSet\Control\Session Manager\Memory Management" /v EnableSuperfetch /t REG_DWORD /d 0 /f
2⤵
PID:4704

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD HKLM\Software\Microsoft\FTH /v Enabled /t REG_DWORD /d 0 /f
2⤵
PID:1632

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD HKLM\System\CurrentControlSet\Services\AJRouter /v Start /t REG_DWORD /d 4 /f
2⤵
PID:4764

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD HKLM\System\CurrentControlSet\Services\ALG /v Start /t REG_DWORD /d 4 /f
2⤵
PID:1464

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD HKLM\System\CurrentControlSet\Services\AppIDSvc /v Start /t REG_DWORD /d 4 /f
2⤵
PID:4900

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
3⤵
PID:2552

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD HKLM\System\CurrentControlSet\Services\AppMgmt /v Start /t REG_DWORD /d 4 /f
2⤵
PID:2944

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD HKLM\System\CurrentControlSet\Services\AppReadiness /v Start /t REG_DWORD /d 3 /f
2⤵
- Modifies registry key
PID:2312

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD HKLM\System\CurrentControlSet\Services\AppVClient /v Start /t REG_DWORD /d 4 /f
2⤵
PID:2692

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD HKLM\System\CurrentControlSet\Services\CertPropSvc /v Start /t REG_DWORD /d 4 /f
2⤵
PID:2092

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD HKLM\System\CurrentControlSet\Services\defragsvc /v Start /t REG_DWORD /d 4 /f
2⤵
- Modifies registry key
PID:3376

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD HKLM\System\CurrentControlSet\Services\diagnosticshub.standardcollector.service /v Start /t REG_DWORD /d 4 /f
2⤵
PID:3888

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD HKLM\System\CurrentControlSet\Services\diagsvc /v Start /t REG_DWORD /d 4 /f
2⤵
PID:1040

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD HKLM\System\CurrentControlSet\Services\embeddedmode /v Start /t REG_DWORD /d 4 /f
2⤵
PID:4648

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD HKLM\System\CurrentControlSet\Services\EntAppSvc /v Start /t REG_DWORD /d 4 /f
2⤵
PID:2888

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD HKLM\System\CurrentControlSet\Services\FontCache /v Start /t REG_DWORD /d 4 /f
2⤵
PID:2292

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD HKLM\System\CurrentControlSet\Services\FontCache3.0.0.0 /v Start /t REG_DWORD /d 4 /f
2⤵
PID:2188

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD HKLM\System\CurrentControlSet\Services\GraphicsPerfSvc /v Start /t REG_DWORD /d 4 /f
2⤵
PID:4916

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD HKLM\System\CurrentControlSet\Services\LanmanServer /v Start /t REG_DWORD /d 4 /f
2⤵
- Modifies registry key
PID:968

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD HKLM\System\CurrentControlSet\Services\NaturalAuthentication /v Start /t REG_DWORD /d 4 /f
2⤵
- Modifies registry key
PID:3248

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD HKLM\System\CurrentControlSet\Services\p2pimsvc /v Start /t REG_DWORD /d 4 /f
2⤵
- Modifies registry key
PID:2096

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD HKLM\System\CurrentControlSet\Services\p2psvc /v Start /t REG_DWORD /d 4 /f
2⤵
PID:4148

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD HKLM\System\CurrentControlSet\Services\PcaSvc /v Start /t REG_DWORD /d 4 /f
2⤵
PID:4588

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD HKLM\System\CurrentControlSet\Services\QWAVE /v Start /t REG_DWORD /d 4 /f
2⤵
PID:1788

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD HKLM\System\CurrentControlSet\Services\RemoteAccess /v Start /t REG_DWORD /d 4 /f
2⤵
PID:4036

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD HKLM\System\CurrentControlSet\Services\RemoteRegistry /v Start /t REG_DWORD /d 4 /f
2⤵
PID:4332

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD HKLM\System\CurrentControlSet\Services\RpcLocator /v Start /t REG_DWORD /d 4 /f
2⤵
PID:1476

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD HKLM\System\CurrentControlSet\Services\SCardSvr /v Start /t REG_DWORD /d 4 /f
2⤵
- Modifies registry key
PID:1396

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD HKLM\System\CurrentControlSet\Services\ScDeviceEnum /v Start /t REG_DWORD /d 4 /f
2⤵
PID:232

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD HKLM\System\CurrentControlSet\Services\SEMgrSvc /v Start /t REG_DWORD /d 4 /f
2⤵
PID:4708

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
3⤵
PID:1352

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD HKLM\System\CurrentControlSet\Services\SensorDataService /v Start /t REG_DWORD /d 4 /f
2⤵
PID:2036

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD HKLM\System\CurrentControlSet\Services\SensorService /v Start /t REG_DWORD /d 4 /f
2⤵
PID:4844

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD HKLM\System\CurrentControlSet\Services\SensrSvc /v Start /t REG_DWORD /d 4 /f
2⤵
PID:1720

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
3⤵
PID:1632

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD HKLM\System\CurrentControlSet\Services\SessionEnv /v Start /t REG_DWORD /d 4 /f
2⤵
PID:4764

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD HKLM\System\CurrentControlSet\Services\SgrmBroker /v Start /t REG_DWORD /d 4 /f
2⤵
PID:3012

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
3⤵
PID:1464

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD HKLM\System\CurrentControlSet\Services\SharedAccess /v Start /t REG_DWORD /d 4 /f
2⤵
PID:3560

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD HKLM\System\CurrentControlSet\Services\ShellHWDetection /v Start /t REG_DWORD /d 4 /f
2⤵
PID:2352

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD HKLM\System\CurrentControlSet\Services\tzautoupdate /v Start /t REG_DWORD /d 4 /f
2⤵
PID:3744

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD HKLM\System\CurrentControlSet\Control /v WaitToKillServiceTimeout /t REG_SZ /d 2000 /f
2⤵
PID:5072

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
3⤵
PID:2692

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD "HKCU\Control Panel\Desktop" /v AutoEndTasks /t REG_SZ /d 1 /f
2⤵
PID:4828

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD HKCU\Software\Microsoft\Windows\DWM /v Composition /t REG_DWORD /d 0 /f
2⤵
PID:920

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Games" /v "Latency Sensitive" /t REG_SZ /d True /f
2⤵
PID:3808

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Games" /v "Background Only" /t REG_SZ /d False /f
2⤵
PID:4788

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD HKLM\System\CurrentControlSet\Services\mouclass\Parameters /v MouseDataQueueSize /t REG_DWORD /d 50 /f
2⤵
PID:3904

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD HKLM\System\CurrentControlSet\Services\kbdclass\Parameters /v KeyboardDataQueueSize /t REG_DWORD /d 50 /f
2⤵
PID:1544

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD HKLM\Software\Policies\Microsoft\Windows\Psched /v TimerResolution /t REG_DWORD /d 1 /f
2⤵
PID:2856

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD HKLM\System\CurrentControlSet\Services\Tcpip\QoS /v "Do not use NLA" /t REG_DWORD /d 1 /f
2⤵
PID:3484

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD "HKLM\Software\Policies\Microsoft\Windows NT\DNSClient" /v EnableMulticast /t REG_DWORD /d 0 /f
2⤵
PID:1712

C:\Windows\system32\bcdedit.exe
bcdedit /set useplatformtick yes
2⤵
- Modifies boot configuration data using bcdedit
PID:1328

C:\Windows\system32\bcdedit.exe
bcdedit /deletevalue useplatformclock >nul 2>nul
2⤵
- Modifies boot configuration data using bcdedit
PID:864

C:\Windows\system32\bcdedit.exe
bcdedit /set disabledynamictick Yes
2⤵
- Modifies boot configuration data using bcdedit
PID:2844

C:\Windows\system32\bcdedit.exe
bcdedit /set hypervisorlaunchtype off
2⤵
- Modifies boot configuration data using bcdedit
PID:3812

C:\Windows\system32\bcdedit.exe
bcdedit /set bootmenupolicy Legacy
2⤵
- Modifies boot configuration data using bcdedit
PID:4340

C:\Windows\system32\cmd.exe
cmd /C C:\Users\Admin\AppData\Local\Temp\59301783.bat
2⤵
PID:4812

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic os get TotalVisibleMemorySize /format:value
3⤵
PID:1448

C:\Windows\System32\Wbem\WMIC.exe
wmic os get TotalVisibleMemorySize /format:value
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:3508

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control" /v "SvcHostSplitThresholdInKB" /t REG_DWORD /d "5217772" /f
3⤵
PID:4700

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum" /s /f "StorPort"| findstr "StorPort"
3⤵
PID:3696

C:\Windows\system32\reg.exe
reg query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum" /s /f "StorPort"
4⤵
- Checks SCSI registry key(s)
PID:3680

C:\Windows\system32\findstr.exe
findstr "StorPort"
4⤵
PID:2828

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\PCI\VEN_8086&DEV_2922&SUBSYS_11001AF4&REV_02\3&11583659&0&10\Device Parameters\StorPort" /v "EnableIdlePowerManagement" /t REG_DWORD /d "0" /f
3⤵
PID:4692

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\PCI\VEN_8086&DEV_2922&SUBSYS_11001AF4&REV_02\3&11583659&0&FA\Device Parameters\StorPort" /v "EnableIdlePowerManagement" /t REG_DWORD /d "0" /f
3⤵
PID:2108

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\{8e7bd593-6e6c-4c52-86a6-77175494dd8e}\MsVhdHba\1&3030e83&0&01\Device Parameters\StorPort" /v "EnableIdlePowerManagement" /t REG_DWORD /d "0" /f
3⤵
PID:1532

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic PATH Win32_PnPEntity GET DeviceID | findstr "USB\VID_"
3⤵
PID:1756

C:\Windows\System32\Wbem\WMIC.exe
wmic PATH Win32_PnPEntity GET DeviceID
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:4468

C:\Windows\system32\findstr.exe
findstr "USB\VID_"
4⤵
PID:4200

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Enum\USB\VID_0627&PID_0001\28754-0000:00:04.0-1 \Device Parameters" /v "EnhancedPowerManagementEnabled" /t REG_DWORD /d "0" /f
3⤵
PID:4676

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Enum\USB\VID_0627&PID_0001\28754-0000:00:04.0-1 \Device Parameters" /v "AllowIdleIrpInD3" /t REG_DWORD /d "0" /f
3⤵
PID:2316

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Enum\USB\VID_0627&PID_0001\28754-0000:00:04.0-1 \Device Parameters" /v "EnableSelectiveSuspend" /t REG_DWORD /d "0" /f
3⤵
PID:3796

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Enum\USB\VID_0627&PID_0001\28754-0000:00:04.0-1 \Device Parameters" /v "DeviceSelectiveSuspended" /t REG_DWORD /d "0" /f
3⤵
PID:420

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Enum\USB\VID_0627&PID_0001\28754-0000:00:04.0-1 \Device Parameters" /v "SelectiveSuspendEnabled" /t REG_DWORD /d "0" /f
3⤵
PID:3816

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Enum\USB\VID_0627&PID_0001\28754-0000:00:04.0-1 \Device Parameters" /v "SelectiveSuspendOn" /t REG_DWORD /d "0" /f
3⤵
PID:2608

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Enum\USB\VID_0627&PID_0001\28754-0000:00:04.0-1 \Device Parameters" /v "D3ColdSupported" /t REG_DWORD /d "0" /f
3⤵
PID:1104

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic path win32_networkadapter get GUID | findstr "{"
3⤵
PID:4476

C:\Windows\System32\Wbem\WMIC.exe
wmic path win32_networkadapter get GUID
4⤵
PID:4900

C:\Windows\system32\findstr.exe
findstr "{"
4⤵
PID:1416

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\System\CurrentControlSet\services\Tcpip\Parameters\Interfaces\{0389DF46-D495-4DB7-AF8D-FBD3D0A863AB}" /v "TcpAckFrequency" /t REG_DWORD /d "1" /f
3⤵
PID:4988

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\System\CurrentControlSet\services\Tcpip\Parameters\Interfaces\{0389DF46-D495-4DB7-AF8D-FBD3D0A863AB}" /v "TcpDelAckTicks" /t REG_DWORD /d "0" /f
3⤵
PID:2552

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\System\CurrentControlSet\services\Tcpip\Parameters\Interfaces\{0389DF46-D495-4DB7-AF8D-FBD3D0A863AB}" /v "TCPNoDelay" /t REG_DWORD /d "1" /f
3⤵
PID:4644

C:\Windows\system32\netsh.exe
netsh int tcp set heuristics disabled
3⤵
PID:1100

C:\Windows\system32\netsh.exe
netsh int tcp set supplemental Internet congestionprovider=ctcp
3⤵
PID:4480

C:\Windows\system32\netsh.exe
netsh int tcp set global timestamps=disabled
3⤵
PID:2248

C:\Windows\system32\netsh.exe
netsh int tcp set global rsc=disabled
3⤵
PID:1508

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services" /s /f DmaRemappingCompatible | find /i "Services\"
3⤵
PID:4136

C:\Windows\system32\reg.exe
reg query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services" /s /f DmaRemappingCompatible
4⤵
- Maps connected drives based on registry
PID:1536

C:\Windows\system32\find.exe
find /i "Services\"
4⤵
PID:3376

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ACPI\Parameters" /v "DmaRemappingCompatible" /t REG_DWORD /d "0" /f
3⤵
PID:1896

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\acpipagr\Parameters" /v "DmaRemappingCompatible" /t REG_DWORD /d "0" /f
3⤵
PID:968

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BasicDisplay\Parameters" /v "DmaRemappingCompatible" /t REG_DWORD /d "0" /f
3⤵
PID:1336

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BasicRender\Parameters" /v "DmaRemappingCompatible" /t REG_DWORD /d "0" /f
3⤵
PID:3380

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CompositeBus\Parameters" /v "DmaRemappingCompatible" /t REG_DWORD /d "0" /f
3⤵
PID:864

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\HDAudBus\Parameters" /v "DmaRemappingCompatible" /t REG_DWORD /d "0" /f
3⤵
PID:2080

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\intellppm\Parameters" /v "DmaRemappingCompatible" /t REG_DWORD /d "0" /f
3⤵
PID:844

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\intelpep\Parameters" /v "DmaRemappingCompatible" /t REG_DWORD /d "0" /f
3⤵
PID:3384

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\kbdclass\Parameters" /v "DmaRemappingCompatible" /t REG_DWORD /d "0" /f
3⤵
PID:4232

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\kbhid\Parameters" /v "DmaRemappingCompatible" /t REG_DWORD /d "0" /f
3⤵
PID:2096

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\monitor\Parameters" /v "DmaRemappingCompatible" /t REG_DWORD /d "0" /f
3⤵
PID:3772

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mouhid\Parameters" /v "DmaRemappingCompatible" /t REG_DWORD /d "0" /f
3⤵
PID:4932

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\msisadrv\Parameters" /v "DmaRemappingCompatible" /t REG_DWORD /d "0" /f
3⤵
PID:5068

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NdisVirtualBus\Parameters" /v "DmaRemappingCompatible" /t REG_DWORD /d "0" /f
3⤵
PID:1716

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NdisWan\Parameters" /v "DmaRemappingCompatible" /t REG_DWORD /d "0" /f
3⤵
PID:3820

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\partmgr\Parameters" /v "DmaRemappingCompatible" /t REG_DWORD /d "0" /f
3⤵
PID:4340

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\pci\Parameters" /v "DmaRemappingCompatible" /t REG_DWORD /d "0" /f
3⤵
PID:4588

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\storahci\Parameters" /v "DmaRemappingCompatible" /t REG_DWORD /d "0" /f
3⤵
PID:1624

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\stornvme\Parameters" /v "DmaRemappingCompatible" /t REG_DWORD /d "0" /f
3⤵
PID:4056

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\umbus\Parameters" /v "DmaRemappingCompatible" /t REG_DWORD /d "0" /f
3⤵
PID:2780

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Usb4HostRouter\Parameters" /v "DmaRemappingCompatible" /t REG_DWORD /d "0" /f
3⤵
PID:4920

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\USBHUB3\Parameters" /v "DmaRemappingCompatible" /t REG_DWORD /d "0" /f
3⤵
PID:1088

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\USBXHCI\Parameters" /v "DmaRemappingCompatible" /t REG_DWORD /d "0" /f
3⤵
PID:2756

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\vdrvroot\Parameters" /v "DmaRemappingCompatible" /t REG_DWORD /d "0" /f
3⤵
PID:2088

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\vwififlt\Parameters" /v "DmaRemappingCompatible" /t REG_DWORD /d "0" /f
3⤵
PID:3976

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WpdUpFltr\Parameters" /v "DmaRemappingCompatible" /t REG_DWORD /d "0" /f
3⤵
PID:1476

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WUDFRd\Parameters" /v "DmaRemappingCompatible" /t REG_DWORD /d "0" /f
3⤵
PID:2412

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\xinputhid\Parameters" /v "DmaRemappingCompatible" /t REG_DWORD /d "0" /f
3⤵
PID:3424

C:\Users\Admin\AppData\Local\Programs\Azurite\Azurite.exe
"C:\Users\Admin\AppData\Local\Programs\Azurite\Azurite.exe" --type=gpu-process --field-trial-handle=1572,13610510244591050683,10941352388437937473,131072 --disable-features=CookiesWithoutSameSiteMustBeSecure,SameSiteByDefaultCookies,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --use-gl=swiftshader-webgl --mojo-platform-channel-handle=3240 /prefetch:2
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:200

C:\Windows\system32\powercfg.exe
powercfg /import C:\Users\Admin\AppData\Local\Temp\80034925.pow 33333333-3333-3333-3333-333333333333
2⤵
PID:1204

C:\Windows\system32\powercfg.exe
powercfg /setactive 33333333-3333-3333-3333-333333333333
2⤵
PID:1900

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3236

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F32D97DF-E3E5-4CB9-9E3E-0EB5B4E49801}
1⤵
PID:4844

C:\Windows\system32\srtasks.exe
C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1668

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:2404

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Inhibit System Recovery

T1490

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Programs\Azurite\D3DCompiler_47.dll
Filesize
4.3MB

MD5
7641e39b7da4077084d2afe7c31032e0

SHA1
2256644f69435ff2fee76deb04d918083960d1eb

SHA256
44422e6936dc72b7ac5ed16bb8bcae164b7554513e52efb66a3e942cec328a47

SHA512
8010e1cb17fa18bbf72d8344e1d63ded7cef7be6e7c13434fa6d8e22ce1d58a4d426959bdcb031502d4b145e29cb111af929fcbc66001111fbc6d7a19e8800a5

Download Submit
C:\Users\Admin\AppData\Local\Programs\Azurite\chrome_100_percent.pak
Filesize
138KB

MD5
03aaa4f8525ba4b3e30d2a02cb40ab7a

SHA1
dd9ae5f8b56d317c71d0a0a738f5d4a320a02085

SHA256
c3f131faeefab4f506bf61c4b7752a6481f320429731d758ef5413a2f71441f7

SHA512
c89a1b89b669602ba7c8bf2c004755cac7320189603fecb4f4c5cf7a36db72da651c7b613607146f0c6da9eec5df412c7fba75475352192351c02aebdaa7d9a9

Download Submit
C:\Users\Admin\AppData\Local\Programs\Azurite\chrome_200_percent.pak
Filesize
202KB

MD5
7d4f330a5443eadf32e041c63e7e70ad

SHA1
26ce6fb98c0f28f508d7b88cf94a442b81e80c88

SHA256
b8704be578e7396ee3f2188d0c87d0ede5c5702e9bb8c841b5f8d458abf1356d

SHA512
f1b9b0dd7396863aa0feca06175b7f9ea0be4122351ecf0a0549ee4c34f85ac8c63cc927d7409a40b6e19fa91d2cb00a145616ba19f47045b2345bfbc2d4802d

Download Submit
C:\Users\Admin\AppData\Local\Programs\Azurite\ffmpeg.dll
Filesize
2.6MB

MD5
af6d3e25c626882b0c6be5a1e662a88d

SHA1
a00b6b71d94ed200ffa44d730efe48cd63148153

SHA256
3615f62c7495308038c2659c266fb144c813fbd44a535111ce10ae47b0996ada

SHA512
54da008ccaf5646479f16a302e0e8d0346ef750ea39565b5b453f205e49ec10f91eb43fc1e826d278519ac48ead943925906e5015b817d235307a6c5a716274e

Download Submit
C:\Users\Admin\AppData\Local\Programs\Azurite\icudtl.dat
Filesize
9.9MB

MD5
80a7528515595d8b0bf99a477a7eff0d

SHA1
fde9a195fc5a6a23ec82b8594f958cfcf3159437

SHA256
6e0b6b0d9e14c905f2278dbf25b7bb58cc0622b7680e3b6ff617a1d42348736b

SHA512
c8df47a00f7b2472d272a26b3600b7e82be7ca22526d6453901ff06370b3abb66328655868db9d4e0a11dcba02e3788cc4883261fd9a7d3e521577dde1b88459

Download Submit
C:\Users\Admin\AppData\Local\Programs\Azurite\locales\en-US.pak
Filesize
88KB

MD5
af5c77e1d94dc4f772cb641bd310bc87

SHA1
0ceeb456e2601e22d873250bcc713bab573f2247

SHA256
781ef5aa8dce072a3e7732f39a7e991c497c70bfaec2264369d0d790ab7660a4

SHA512
8c3217b7d9b529d00785c7a1b2417a3297c234dec8383709c89c7ff9296f8ed4e9e6184e4304838edc5b4da9c9c3fe329b792c462e48b7175250ea3ea3acc70c

Download Submit
C:\Users\Admin\AppData\Local\Programs\Azurite\resources.pak
Filesize
4.9MB

MD5
d22a5445f36b9ffaafc235e56ae90456

SHA1
c6acefdf31e440c71ff830eb9150efe69775ec63

SHA256
7b94d96c56df3635cd72eac4f970fe3b2df97749427a4e7986612d86aae4b6a8

SHA512
dec6c599ed1045c962a4bd52904eace69c0d323ee68e4ed67b56185ea36712fa4ccf138e7f9552f6483c9c62d5d63e98cbd61b1a0c84a4e6f5f625bc58463673

Download Submit
C:\Users\Admin\AppData\Local\Programs\Azurite\resources\app-update.yml
Filesize
131B

MD5
a454c573d0c72b4122d074a4048f8a22

SHA1
ce06018b60adf940f42401c8e311fc5d27619d90

SHA256
d82261f6161e06ac8b48bfd619acc1a0eaefc63270d4e4a1155a255d2b0e6eff

SHA512
56a06b34547a19be4d569c780770eb43d19f5a2ef55c62f98a00d372e7c02865265ccb35a1c5f5a82b48c279516c55c07b0b4b6ea2d858be7f131391dd76d495

Download Submit
C:\Users\Admin\AppData\Local\Programs\Azurite\resources\app.asar
Filesize
4.9MB

MD5
f0283a70e4e77c72999016a2cc033172

SHA1
48f2207f9363faf63d3a6f2ac16ed2cf8022f8ab

SHA256
e0f0acdba0caa085dac0c2432a97670f88c4deaeded715e2e9452b03400d592f

SHA512
5f73110a134f02e71c84d6d8da4c9aa5c572adec5bbe40255b30b9a37d2818064261c8a57b76c8da7efbfbced061066d53437a66197c9caaa0dcd90c1b60bddc

Download Submit
C:\Users\Admin\AppData\Local\Programs\Azurite\swiftshader\libEGL.dll
Filesize
448KB

MD5
08d67d57bdb9efa1c6652bab4f68a7fb

SHA1
9b8f156a069f4f40e0fdded92aa1c6f3606101b3

SHA256
33adfdf885f4a64e5792d591bb35ddf5f8b15feeacbcf1539c50a614d168abf5

SHA512
b9972e81eb5a7b4dba758686d6d2962639ad0e7b0c3c6df328f0eb5d1e4b06f4fcf0135c01908bf2d583be4606cdd028485977853c62285e216f07e695e601e9

Download Submit
C:\Users\Admin\AppData\Local\Programs\Azurite\swiftshader\libGLESv2.dll
Filesize
3.1MB

MD5
9089a52d103849175b1ed9b5a469a782

SHA1
90eb9c2536f801920551c4b2c70fd318223308d1

SHA256
47092d9bfd855fcfb613741580ac742ce521567509929daab5574a71f83a2801

SHA512
553d85f8ffbccd10c324d58d1b3f5479f039cb50cfda49a891f35c13462a59160c29c96a43aa48725c6e5fa6773f84fa684f9e4add4d250fd14c09d451ff19fa

Download Submit
C:\Users\Admin\AppData\Local\Programs\Azurite\v8_context_snapshot.bin
Filesize
161KB

MD5
e082a9ffd52e98b00e501e934a7e9d8d

SHA1
21746f70466633f881581d9bee651619d8b4b109

SHA256
08058ff9086099965041d0e85e8847704c624baf689ec3bb6a041e7776332520

SHA512
5b6a6f58a9037c260b1b76bb7605746c251641e20153b5e75d99f4b4afb1367a7a44ba255034c9090e7c48748402a6e0bad13da2c4c3e8b7b88bd1d80898fd3b

Download Submit
C:\Users\Admin\AppData\Local\Temp\0ccc040d-e8d3-405a-9b80-ec8621d1df03.tmp.pow
Filesize
24KB

MD5
f81191582f273b07e50ea9ac1818dfdd

SHA1
e9d762bed0cfe1219854c2b1d5948f050458d426

SHA256
15828be7fca345b210fe3cde9eded3a2e12238580335e927952f85bae480db28

SHA512
954eb770bb4425cea2e24b56ced7acd70d5df7b219d5597ee101630f071fbc9a976b30e9ef8bcc375f2306dea7ad441dd5f4e15f450ddd313e6561963ac68271

Download Submit
C:\Users\Admin\AppData\Local\Temp\59301783.bat
Filesize
2KB

MD5
b96aac30465cba9e3cc089c3ef5c7df6

SHA1
6858ce127c45a1eddb6ccbffcb290b6c650016a8

SHA256
1afa7f9a0ea79a193e10a096f5eafffb687e07ecbe5cabdc716b700ff6c97b63

SHA512
56d7d549394cbcfe4edefa914e99c457346737b96e63659271e95ac73b75a00fb9bb6352f335c79ea0c220583dc65c49249e236b646458397108fd2c36eb1202

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_xrksmrca.wlj.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsg6FA3.tmp\StdUtils.dll
Filesize
100KB

MD5
c6a6e03f77c313b267498515488c5740

SHA1
3d49fc2784b9450962ed6b82b46e9c3c957d7c15

SHA256
b72e9013a6204e9f01076dc38dabbf30870d44dfc66962adbf73619d4331601e

SHA512
9870c5879f7b72836805088079ad5bbafcb59fc3d9127f2160d4ec3d6e88d3cc8ebe5a9f5d20a4720fe6407c1336ef10f33b2b9621bc587e930d4cbacf337803

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsg6FA3.tmp\System.dll
Filesize
12KB

MD5
0d7ad4f45dc6f5aa87f606d0331c6901

SHA1
48df0911f0484cbe2a8cdd5362140b63c41ee457

SHA256
3eb38ae99653a7dbc724132ee240f6e5c4af4bfe7c01d31d23faf373f9f2eaca

SHA512
c07de7308cb54205e8bd703001a7fe4fd7796c9ac1b4bb330c77c872bf712b093645f40b80ce7127531fe6746a5b66e18ea073ab6a644934abed9bb64126fea9

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsg6FA3.tmp\UAC.dll
Filesize
14KB

MD5
adb29e6b186daa765dc750128649b63d

SHA1
160cbdc4cb0ac2c142d361df138c537aa7e708c9

SHA256
2f7f8fc05dc4fd0d5cda501b47e4433357e887bbfed7292c028d99c73b52dc08

SHA512
b28adcccf0c33660fecd6f95f28f11f793dc9988582187617b4c113fb4e6fdad4cf7694cd8c0300a477e63536456894d119741a940dda09b7df3ff0087a7eada

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsg6FA3.tmp\WinShell.dll
Filesize
3KB

MD5
1cc7c37b7e0c8cd8bf04b6cc283e1e56

SHA1
0b9519763be6625bd5abce175dcc59c96d100d4c

SHA256
9be85b986ea66a6997dde658abe82b3147ed2a1a3dcb784bb5176f41d22815a6

SHA512
7acf7f8e68aa6066b59ca9f2ae2e67997e6b347bc08eb788d2a119b3295c844b5b9606757168e8d2fbd61c2cda367bf80e9e48c9a52c28d5a7a00464bfd2048f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsg6FA3.tmp\nsDialogs.dll
Filesize
9KB

MD5
466179e1c8ee8a1ff5e4427dbb6c4a01

SHA1
eb607467009074278e4bd50c7eab400e95ae48f7

SHA256
1e40211af65923c2f4fd02ce021458a7745d28e2f383835e3015e96575632172

SHA512
7508a29c722d45297bfb090c8eb49bd1560ef7d4b35413f16a8aed62d3b1030a93d001a09de98c2b9fea9acf062dc99a7278786f4ece222e7436b261d14ca817

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsg6FA3.tmp\nsProcess.dll
Filesize
4KB

MD5
f0438a894f3a7e01a4aae8d1b5dd0289

SHA1
b058e3fcfb7b550041da16bf10d8837024c38bf6

SHA256
30c6c3dd3cc7fcea6e6081ce821adc7b2888542dae30bf00e881c0a105eb4d11

SHA512
f91fcea19cbddf8086affcb63fe599dc2b36351fc81ac144f58a80a524043ddeaa3943f36c86ebae45dd82e8faf622ea7b7c9b776e74c54b93df2963cfe66cc7

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsg6FA3.tmp\nsis7z.dll
Filesize
424KB

MD5
80e44ce4895304c6a3a831310fbf8cd0

SHA1
36bd49ae21c460be5753a904b4501f1abca53508

SHA256
b393f05e8ff919ef071181050e1873c9a776e1a0ae8329aefff7007d0cadf592

SHA512
c8ba7b1f9113ead23e993e74a48c4427ae3562c1f6d9910b2bbe6806c9107cf7d94bc7d204613e4743d0cd869e00dafd4fb54aad1e8adb69c553f3b9e5bc64df

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Spelling\en-US\default.dic
Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\AppData\Roaming\azurite\Network Persistent State
Filesize
183B

MD5
529f66a7edc36ae980c6f714dcbf5942

SHA1
88dee8c1e4ef93cd45372461b091d0f89687bb11

SHA256
18bd7a16f541035715e427465e0be82e3622ef0f51360e6ef084da2535a4f7cc

SHA512
c9ea591230f4b48e98539eb473f80c171420bf578df806114752e333ea08b82c02c1b7059e83a35ff4b01400912d39704e32895716616db1a440d6e8a64652e5

Download Submit
C:\Users\Admin\AppData\Roaming\azurite\Network Persistent State~RFe5bf029.TMP
Filesize
59B

MD5
2800881c775077e1c4b6e06bf4676de4

SHA1
2873631068c8b3b9495638c865915be822442c8b

SHA256
226eec4486509917aa336afebd6ff65777b75b65f1fb06891d2a857a9421a974

SHA512
e342407ab65cc68f1b3fd706cd0a37680a0864ffd30a6539730180ede2cdcd732cc97ae0b9ef7db12da5c0f83e429df0840dbf7596aca859a0301665e517377b

Download Submit
C:\Users\Admin\AppData\Roaming\azurite\Preferences
Filesize
57B

MD5
58127c59cb9e1da127904c341d15372b

SHA1
62445484661d8036ce9788baeaba31d204e9a5fc

SHA256
be4b8924ab38e8acf350e6e3b9f1f63a1a94952d8002759acd6946c4d5d0b5de

SHA512
8d1815b277a93ad590ff79b6f52c576cf920c38c4353c24193f707d66884c942f39ff3989530055d2fade540ade243b41b6eb03cd0cc361c3b5d514cca28b50a

Download Submit
C:\Users\Admin\AppData\Roaming\azurite\Preferences~RFe5b076f.TMP
Filesize
86B

MD5
d11dedf80b85d8d9be3fec6bb292f64b

SHA1
aab8783454819cd66ddf7871e887abdba138aef3

SHA256
8029940de92ae596278912bbbd6387d65f4e849d3c136287a1233f525d189c67

SHA512
6b7ec1ca5189124e0d136f561ca7f12a4653633e2d9452d290e658dfe545acf6600cc9496794757a43f95c91705e9549ef681d4cc9e035738b03a18bdc2e25f0

Download Submit
C:\Users\Admin\AppData\Roaming\azurite\logs\main.log
Filesize
4KB

MD5
475c945ecc824dd8987f7d0245b94a54

SHA1
b287f3f6ac32001dd0182cf5f589b65770843a7a

SHA256
aaac88c3844f39796d2669e29cd446a22041c5e239a58bf681842af45c3c6ef6

SHA512
7a14b469a112ed83d7bb8802cd0c43340fb2e7e13a2411dc2b46aebca9e9203cae3bc0ce85db3cd6e9c4f02a90d325e1b14066c25f6df21821848160df9770bb

Download Submit
memory/1448-677-0x000002B027300000-0x000002B027322000-memory.dmp

Filesize
136KB

Download
memory/1800-239-0x00007FFDF99C0000-0x00007FFDF99C1000-memory.dmp

Filesize
4KB

Download