2d2731bd9d060d0bf2fd52ac5462162001373af531230170ec8fab91d6c8ccc5

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe

Enumerates connected drives 3 TTPs 4 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs

Web Service

T1102

flow	ioc
22	discord.com
24	discord.com
25	discord.com
28	discord.com

Launches sc.exe 9 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
4572	sc.exe
4940	sc.exe
4244	sc.exe
3524	sc.exe
448	sc.exe
1788	sc.exe
1556	sc.exe
3932	sc.exe
2176	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Capabilities	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Capabilities	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\HardwareID	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0011	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
4624	timeout.exe

Detects videocard installed 1 TTPs 3 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

pid	Process
2172	WMIC.exe
3640	WMIC.exe
832	WMIC.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
2544	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\GPU	SearchApp.exe

Modifies registry class 27 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3808065738-1666277613-1125846146-1000\{CC5F2BD6-4DD0-4D63-8503-4F24EA73C19A}	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\MuiCache	SearchApp.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3808065738-1666277613-1125846146-1000\{5AB4AA60-1D0F-4B20-B07C-95FBA9B25E37}	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\ApplicationFrame\Microsoft.Windows.PeopleExperienceHo = 6801000088020000	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\ApplicationFrame\Microsoft.Windows.PeopleExperienceHo = 6801000088020000	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Speech_OneCore\\Recognizers\\Tokens\\MS-1033-110-WINMO-DNN"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\MuiCache	StartMenuExperienceHost.exe
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\MuiCache	StartMenuExperienceHost.exe
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei	SearchApp.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3808065738-1666277613-1125846146-1000\{9CAA5519-DED4-4E4F-AA84-EE6F2D5F4308}	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3808065738-1666277613-1125846146-1000\{D3302EE2-85F4-4637-BC52-E083E2159C82}	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe

Modifies registry key 1 TTPs 64 IoCs

Modify Registry

pid	Process
4272	reg.exe
3524	reg.exe
2312	reg.exe
4188	reg.exe
2416	reg.exe
4460	reg.exe
5032	reg.exe
2744	reg.exe
228	reg.exe
4064	reg.exe
1632	reg.exe
2544	reg.exe
4716	reg.exe
1028	reg.exe
4064	reg.exe
2780	reg.exe
2284	reg.exe
3788	reg.exe
1396	reg.exe
1964	reg.exe
2176	reg.exe
4572	reg.exe
1344	reg.exe
4708	reg.exe
4528	reg.exe
2844	reg.exe
1076	reg.exe
836	reg.exe
4216	reg.exe
4820	reg.exe
1188	reg.exe
2620	reg.exe
2416	reg.exe
4404	reg.exe
1188	reg.exe
4068	reg.exe
4380	reg.exe
3892	reg.exe
808	reg.exe
4916	reg.exe
3712	reg.exe
4264	reg.exe
3908	reg.exe
4820	reg.exe
4824	reg.exe
4008	reg.exe
384	reg.exe
2844	reg.exe
3860	reg.exe
2284	reg.exe
2160	reg.exe
2136	reg.exe
2568	reg.exe
2864	reg.exe
3200	reg.exe
3860	reg.exe
4800	reg.exe
1188	reg.exe
3780	reg.exe
3672	reg.exe
2904	reg.exe
3672	reg.exe
3372	reg.exe
1512	reg.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	3744	WMIC.exe
Token: SeSecurityPrivilege	3744	WMIC.exe
Token: SeTakeOwnershipPrivilege	3744	WMIC.exe
Token: SeLoadDriverPrivilege	3744	WMIC.exe
Token: SeSystemProfilePrivilege	3744	WMIC.exe
Token: SeSystemtimePrivilege	3744	WMIC.exe
Token: SeProfSingleProcessPrivilege	3744	WMIC.exe
Token: SeIncBasePriorityPrivilege	3744	WMIC.exe
Token: SeCreatePagefilePrivilege	3744	WMIC.exe
Token: SeBackupPrivilege	3744	WMIC.exe
Token: SeRestorePrivilege	3744	WMIC.exe
Token: SeShutdownPrivilege	3744	WMIC.exe
Token: SeDebugPrivilege	3744	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3744	WMIC.exe
Token: SeRemoteShutdownPrivilege	3744	WMIC.exe
Token: SeUndockPrivilege	3744	WMIC.exe
Token: SeManageVolumePrivilege	3744	WMIC.exe
Token: 33	3744	WMIC.exe
Token: 34	3744	WMIC.exe
Token: 35	3744	WMIC.exe
Token: 36	3744	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3744	WMIC.exe
Token: SeSecurityPrivilege	3744	WMIC.exe
Token: SeTakeOwnershipPrivilege	3744	WMIC.exe
Token: SeLoadDriverPrivilege	3744	WMIC.exe
Token: SeSystemProfilePrivilege	3744	WMIC.exe
Token: SeSystemtimePrivilege	3744	WMIC.exe
Token: SeProfSingleProcessPrivilege	3744	WMIC.exe
Token: SeIncBasePriorityPrivilege	3744	WMIC.exe
Token: SeCreatePagefilePrivilege	3744	WMIC.exe
Token: SeBackupPrivilege	3744	WMIC.exe
Token: SeRestorePrivilege	3744	WMIC.exe
Token: SeShutdownPrivilege	3744	WMIC.exe
Token: SeDebugPrivilege	3744	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3744	WMIC.exe
Token: SeRemoteShutdownPrivilege	3744	WMIC.exe
Token: SeUndockPrivilege	3744	WMIC.exe
Token: SeManageVolumePrivilege	3744	WMIC.exe
Token: 33	3744	WMIC.exe
Token: 34	3744	WMIC.exe
Token: 35	3744	WMIC.exe
Token: 36	3744	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4884	WMIC.exe
Token: SeSecurityPrivilege	4884	WMIC.exe
Token: SeTakeOwnershipPrivilege	4884	WMIC.exe
Token: SeLoadDriverPrivilege	4884	WMIC.exe
Token: SeSystemProfilePrivilege	4884	WMIC.exe
Token: SeSystemtimePrivilege	4884	WMIC.exe
Token: SeProfSingleProcessPrivilege	4884	WMIC.exe
Token: SeIncBasePriorityPrivilege	4884	WMIC.exe
Token: SeCreatePagefilePrivilege	4884	WMIC.exe
Token: SeBackupPrivilege	4884	WMIC.exe
Token: SeRestorePrivilege	4884	WMIC.exe
Token: SeShutdownPrivilege	4884	WMIC.exe
Token: SeDebugPrivilege	4884	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4884	WMIC.exe
Token: SeRemoteShutdownPrivilege	4884	WMIC.exe
Token: SeUndockPrivilege	4884	WMIC.exe
Token: SeManageVolumePrivilege	4884	WMIC.exe
Token: 33	4884	WMIC.exe
Token: 34	4884	WMIC.exe
Token: 35	4884	WMIC.exe
Token: 36	4884	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4884	WMIC.exe

Suspicious use of FindShellTrayWindow 60 IoCs

pid	Process
4160	explorer.exe
4160	explorer.exe
4160	explorer.exe
4160	explorer.exe
4160	explorer.exe
4160	explorer.exe
4160	explorer.exe
4160	explorer.exe
4160	explorer.exe
4160	explorer.exe
4160	explorer.exe
4160	explorer.exe
4160	explorer.exe
4160	explorer.exe
4160	explorer.exe
4160	explorer.exe
4160	explorer.exe
4292	explorer.exe
4292	explorer.exe
4292	explorer.exe
4292	explorer.exe
4292	explorer.exe
4292	explorer.exe
4292	explorer.exe
4292	explorer.exe
4292	explorer.exe
4292	explorer.exe
4292	explorer.exe
4292	explorer.exe
4292	explorer.exe
4292	explorer.exe
4292	explorer.exe
4292	explorer.exe
4292	explorer.exe
4292	explorer.exe
4292	explorer.exe
4292	explorer.exe
4292	explorer.exe
4292	explorer.exe
4292	explorer.exe
4292	explorer.exe
4292	explorer.exe
4292	explorer.exe
4292	explorer.exe
4292	explorer.exe
4292	explorer.exe
4292	explorer.exe
4292	explorer.exe
4292	explorer.exe
4292	explorer.exe
4292	explorer.exe
4292	explorer.exe
4292	explorer.exe
4292	explorer.exe
4292	explorer.exe
4292	explorer.exe
4292	explorer.exe
4292	explorer.exe
4292	explorer.exe
4292	explorer.exe

Suspicious use of SendNotifyMessage 29 IoCs

pid	Process
4160	explorer.exe
4160	explorer.exe
4160	explorer.exe
4160	explorer.exe
4160	explorer.exe
4160	explorer.exe
4160	explorer.exe
4160	explorer.exe
4160	explorer.exe
4160	explorer.exe
4160	explorer.exe
4292	explorer.exe
4292	explorer.exe
4292	explorer.exe
4292	explorer.exe
4292	explorer.exe
4292	explorer.exe
4292	explorer.exe
4292	explorer.exe
4292	explorer.exe
4292	explorer.exe
4292	explorer.exe
4292	explorer.exe
4292	explorer.exe
4292	explorer.exe
4292	explorer.exe
4292	explorer.exe
4292	explorer.exe
4292	explorer.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
4024	StartMenuExperienceHost.exe
4924	StartMenuExperienceHost.exe
4208	SearchApp.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4844 wrote to memory of 1812	4844	cmd.exe	92
PID 4844 wrote to memory of 1812	4844	cmd.exe	92
PID 4844 wrote to memory of 2128	4844	cmd.exe	94
PID 4844 wrote to memory of 2128	4844	cmd.exe	94
PID 4844 wrote to memory of 228	4844	cmd.exe	98
PID 4844 wrote to memory of 228	4844	cmd.exe	98
PID 4844 wrote to memory of 508	4844	cmd.exe	101
PID 4844 wrote to memory of 508	4844	cmd.exe	101
PID 508 wrote to memory of 3744	508	cmd.exe	102
PID 508 wrote to memory of 3744	508	cmd.exe	102
PID 4844 wrote to memory of 1368	4844	cmd.exe	104
PID 4844 wrote to memory of 1368	4844	cmd.exe	104
PID 1368 wrote to memory of 4884	1368	cmd.exe	105
PID 1368 wrote to memory of 4884	1368	cmd.exe	105
PID 1368 wrote to memory of 1516	1368	cmd.exe	106
PID 1368 wrote to memory of 1516	1368	cmd.exe	106
PID 4844 wrote to memory of 2984	4844	cmd.exe	107
PID 4844 wrote to memory of 2984	4844	cmd.exe	107
PID 4844 wrote to memory of 2032	4844	cmd.exe	108
PID 4844 wrote to memory of 2032	4844	cmd.exe	108
PID 4844 wrote to memory of 3952	4844	cmd.exe	109
PID 4844 wrote to memory of 3952	4844	cmd.exe	109
PID 4844 wrote to memory of 3916	4844	cmd.exe	110
PID 4844 wrote to memory of 3916	4844	cmd.exe	110
PID 4844 wrote to memory of 1396	4844	cmd.exe	111
PID 4844 wrote to memory of 1396	4844	cmd.exe	111
PID 4844 wrote to memory of 832	4844	cmd.exe	112
PID 4844 wrote to memory of 832	4844	cmd.exe	112
PID 4844 wrote to memory of 2976	4844	cmd.exe	113
PID 4844 wrote to memory of 2976	4844	cmd.exe	113
PID 4844 wrote to memory of 2172	4844	cmd.exe	143
PID 4844 wrote to memory of 2172	4844	cmd.exe	143
PID 4844 wrote to memory of 3152	4844	cmd.exe	115
PID 4844 wrote to memory of 3152	4844	cmd.exe	115
PID 756 wrote to memory of 2228	756	msedge.exe	117
PID 756 wrote to memory of 2228	756	msedge.exe	117
PID 4844 wrote to memory of 3640	4844	cmd.exe	118
PID 4844 wrote to memory of 3640	4844	cmd.exe	118
PID 4844 wrote to memory of 548	4844	cmd.exe	119
PID 4844 wrote to memory of 548	4844	cmd.exe	119
PID 4844 wrote to memory of 1184	4844	cmd.exe	120
PID 4844 wrote to memory of 1184	4844	cmd.exe	120
PID 1184 wrote to memory of 2160	1184	cmd.exe	121
PID 1184 wrote to memory of 2160	1184	cmd.exe	121
PID 1184 wrote to memory of 3552	1184	cmd.exe	123
PID 1184 wrote to memory of 3552	1184	cmd.exe	123
PID 756 wrote to memory of 1812	756	msedge.exe	122
PID 756 wrote to memory of 1812	756	msedge.exe	122
PID 756 wrote to memory of 1812	756	msedge.exe	122
PID 756 wrote to memory of 1812	756	msedge.exe	122
PID 756 wrote to memory of 1812	756	msedge.exe	122
PID 756 wrote to memory of 1812	756	msedge.exe	122
PID 756 wrote to memory of 1812	756	msedge.exe	122
PID 756 wrote to memory of 1812	756	msedge.exe	122
PID 756 wrote to memory of 1812	756	msedge.exe	122
PID 756 wrote to memory of 1812	756	msedge.exe	122
PID 756 wrote to memory of 1812	756	msedge.exe	122
PID 756 wrote to memory of 1812	756	msedge.exe	122
PID 756 wrote to memory of 1812	756	msedge.exe	122
PID 756 wrote to memory of 1812	756	msedge.exe	122
PID 756 wrote to memory of 1812	756	msedge.exe	122
PID 756 wrote to memory of 1812	756	msedge.exe	122
PID 756 wrote to memory of 1812	756	msedge.exe	122
PID 756 wrote to memory of 1812	756	msedge.exe	122

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\uzuitweaker.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:4844
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://discord.gg/B9kAE7bP9F
  2⤵
  PID:1812
- C:\Windows\system32\mode.com
  mode con lines=20 cols=125
  2⤵
  PID:2128
- C:\Windows\system32\chcp.com
  chcp 65001
  2⤵
  PID:228
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic os get localdatetime /format:list
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:508
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic os get localdatetime /format:list
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3744
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic path Win32_systemenclosure get ChassisTypes| findstr [0-9]
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1368
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic path Win32_systemenclosure get ChassisTypes
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4884
- - C:\Windows\system32\findstr.exe
    findstr [0-9]
    3⤵
    PID:1516
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" call "resources\smartctl.exe" C: -i "
  2⤵
  PID:2984
- C:\Windows\system32\findstr.exe
  findstr /c:"Rotation Rate:"
  2⤵
  PID:2032
- C:\Windows\system32\findstr.exe
  findstr /c:"Solid State Device"
  2⤵
  PID:3952
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" call "resources\smartctl.exe" C: -i "
  2⤵
  PID:3916
- C:\Windows\system32\findstr.exe
  findstr /c:"NVMe Version:"
  2⤵
  PID:1396
- C:\Windows\System32\Wbem\WMIC.exe
  wmic path Win32_VideoController get Name
  2⤵
  - Detects videocard installed
  PID:832
- C:\Windows\system32\findstr.exe
  findstr "NVIDIA"
  2⤵
  PID:2976
- C:\Windows\System32\Wbem\WMIC.exe
  wmic path Win32_VideoController get Name
  2⤵
  - Detects videocard installed
  PID:2172
- C:\Windows\system32\findstr.exe
  findstr "AMD ATI"
  2⤵
  PID:3152
- C:\Windows\System32\Wbem\WMIC.exe
  wmic path Win32_VideoController get Name
  2⤵
  - Detects videocard installed
  PID:3640
- C:\Windows\system32\findstr.exe
  findstr "Intel"
  2⤵
  PID:548
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic CPU get NumberOfCores| findstr [0-9]
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1184
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic CPU get NumberOfCores
    3⤵
    PID:2160
- - C:\Windows\system32\findstr.exe
    findstr [0-9]
    3⤵
    PID:3552
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic CPU get NumberOfLogicalProcessors| findstr [0-9]
  2⤵
  PID:4676
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic CPU get NumberOfLogicalProcessors
    3⤵
    PID:5036
- - C:\Windows\system32\findstr.exe
    findstr [0-9]
    3⤵
    PID:752
- C:\Windows\System32\Wbem\WMIC.exe
  wmic path WIN32_NetworkAdapter where NetConnectionID="Wi-Fi" get NetConnectionStatus
  2⤵
  PID:2544
- C:\Windows\system32\findstr.exe
  findstr "2"
  2⤵
  PID:3044
- C:\Windows\system32\reg.exe
  reg query "HKLM\SOFTWARE\Microsoft\VisualStudio\14.0\VC\Runtimes" /ve
  2⤵
  PID:4956
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic os get TotalVisibleMemorySize
  2⤵
  PID:2468
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic os get TotalVisibleMemorySize
    3⤵
    PID:1852
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic path Win32_UserAccount where name="Admin" get sid | findstr "S-"
  2⤵
  PID:3520
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic path Win32_UserAccount where name="Admin" get sid
    3⤵
    PID:2356
- - C:\Windows\system32\findstr.exe
    findstr "S-"
    3⤵
    PID:1516
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" ver "
  2⤵
  PID:4068
- C:\Windows\system32\find.exe
  find "10."
  2⤵
  PID:3672
- C:\Windows\system32\mode.com
  mode 128,33
  2⤵
  PID:2172
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "prompt #$H#$E# & echo on & for %b in (1) do rem"
  2⤵
  PID:1492
- C:\Windows\System32\mode.com
  mode con lines=35 cols=140
  2⤵
  PID:1256
- C:\Windows\System32\timeout.exe
  timeout /t 3 /nobreak
  2⤵
  - Delays execution with timeout.exe
  PID:4624
- C:\Windows\System32\mode.com
  mode con lines=35 cols=140
  2⤵
  PID:4916
- C:\Windows\System32\mode.com
  mode con lines=35 cols=140
  2⤵
  PID:4396
- C:\Windows\System32\wscript.exe
  WSCRIPT "C:\Users\Admin\AppData\Local\Temp\~tmpmsgbox.vbs"
  2⤵
  PID:3088
- C:\Windows\System32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\GraphicsDrivers" /v "RmGpsPsEnablePerCpuCoreDpc" /t REG_DWORD /d "1" /f
  2⤵
  PID:1928
- C:\Windows\System32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\Power" /v "RmGpsPsEnablePerCpuCoreDpc" /t REG_DWORD /d "1" /f
  2⤵
  PID:4336
- C:\Windows\System32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\nvlddmkm" /v "RmGpsPsEnablePerCpuCoreDpc" /t REG_DWORD /d "1" /f
  2⤵
  PID:4992
- C:\Windows\System32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\nvlddmkm\NVAPI" /v "RmGpsPsEnablePerCpuCoreDpc" /t REG_DWORD /d "1" /f
  2⤵
  PID:3952
- C:\Windows\System32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\nvlddmkm\Global\NVTweak" /v "RmGpsPsEnablePerCpuCoreDpc" /t REG_DWORD /d "1" /f
  2⤵
  PID:540
- C:\Windows\System32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\GpuEnergyDrv" /v "Start" /t REG_DWORD /d "4" /f
  2⤵
  PID:4188
- C:\Windows\System32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\kernel" /v "DistributeTimers" /t REG_DWORD /d "1" /f
  2⤵
  PID:4332
- C:\Windows\System32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\nvlddmkm" /v "RMPcieLinkSpeed" /t REG_DWORD /d "4" /f
  2⤵
  PID:3156
- C:\Windows\System32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "ExitLatency" /t REG_DWORD /d "1" /f
  2⤵
  PID:832
- C:\Windows\System32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "ExitLatencyCheckEnabled" /t REG_DWORD /d "1" /f
  2⤵
  PID:5048
- C:\Windows\System32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "Latency" /t REG_DWORD /d "1" /f
  2⤵
  PID:2992
- C:\Windows\System32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "LatencyToleranceDefault" /t REG_DWORD /d "1" /f
  2⤵
  PID:1172
- C:\Windows\System32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "LatencyToleranceFSVP" /t REG_DWORD /d "1" /f
  2⤵
  PID:3852
- C:\Windows\System32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "LatencyTolerancePerfOverride" /t REG_DWORD /d "1" /f
  2⤵
  PID:3152
- C:\Windows\System32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "LatencyToleranceScreenOffIR" /t REG_DWORD /d "1" /f
  2⤵
  PID:1796
- C:\Windows\System32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "LatencyToleranceVSyncEnabled" /t REG_DWORD /d "1" /f
  2⤵
  PID:3500
- C:\Windows\System32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "RtlCapabilityCheckLatency" /t REG_DWORD /d "1" /f
  2⤵
  PID:932
- C:\Windows\System32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "QosManagesIdleProcessors" /t REG_DWORD /d "0" /f
  2⤵
  PID:2196
- C:\Windows\System32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "DisableVsyncLatencyUpdate" /t REG_DWORD /d "0" /f
  2⤵
  PID:4404
- C:\Windows\System32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "DisableSensorWatchdog" /t REG_DWORD /d "1" /f
  2⤵
  PID:640
- C:\Windows\System32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "CoalescingTimerInterval" /t REG_DWORD /d "0" /f
  2⤵
  PID:4624
- C:\Windows\System32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "InterruptSteeringDisabled" /t REG_DWORD /d "1" /f
  2⤵
  PID:4916
- C:\Windows\System32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "LowLatencyScalingPercentage" /t REG_DWORD /d "100" /f
  2⤵
  PID:1512
- C:\Windows\System32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "HighPerformance" /t REG_DWORD /d "1" /f
  2⤵
  PID:1564
- C:\Windows\System32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "HighestPerformance" /t REG_DWORD /d "1" /f
  2⤵
  PID:5076
- C:\Windows\System32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "MinimumThrottlePercent" /t REG_DWORD /d "0" /f
  2⤵
  PID:2544
- C:\Windows\System32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "MaximumThrottlePercent" /t REG_DWORD /d "0" /f
  2⤵
  PID:4796
- C:\Windows\System32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "MaximumPerformancePercent" /t REG_DWORD /d "100" /f
  2⤵
  PID:4192
- C:\Windows\System32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "InitialUnparkCount" /t REG_DWORD /d "100" /f
  2⤵
  PID:4160
- C:\Windows\System32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "DefaultD3TransitionLatencyActivelyUsed" /t REG_DWORD /d "0" /f
  2⤵
  PID:5012
- C:\Windows\System32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "DefaultD3TransitionLatencyIdleLongTime" /t REG_DWORD /d "1" /f
  2⤵
  PID:4904
- C:\Windows\System32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "DefaultD3TransitionLatencyIdleMonitorOff" /t REG_DWORD /d "1" /f
  2⤵
  PID:1744
- C:\Windows\System32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "DefaultD3TransitionLatencyIdleNoContext" /t REG_DWORD /d "1" /f
  2⤵
  PID:1940
- C:\Windows\System32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "DefaultD3TransitionLatencyIdleShortTime" /t REG_DWORD /d "1" /f
  2⤵
  PID:3204
- C:\Windows\System32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "DefaultD3TransitionLatencyIdleVeryLongTime" /t REG_DWORD /d "1" /f
  2⤵
  PID:4492
- C:\Windows\System32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "DefaultLatencyToleranceIdle0" /t REG_DWORD /d "1" /f
  2⤵
  PID:5096
- C:\Windows\System32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "DefaultLatencyToleranceIdle0MonitorOff" /t REG_DWORD /d "1" /f
  2⤵
  PID:2248
- C:\Windows\System32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "DefaultLatencyToleranceIdle1" /t REG_DWORD /d "1" /f
  2⤵
  PID:5016
- C:\Windows\System32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "DefaultLatencyToleranceIdle1MonitorOff" /t REG_DWORD /d "1" /f
  2⤵
  PID:2996
- C:\Windows\System32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "DefaultLatencyToleranceMemory" /t REG_DWORD /d "1" /f
  2⤵
  PID:2588
- C:\Windows\System32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "DefaultLatencyToleranceNoContext" /t REG_DWORD /d "1" /f
  2⤵
  PID:2456
- C:\Windows\System32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "DefaultLatencyToleranceNoContextMonitorOff" /t REG_DWORD /d "1" /f
  2⤵
  PID:3536
- C:\Windows\System32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "DefaultLatencyToleranceOther" /t REG_DWORD /d "1" /f
  2⤵
  PID:3088
- C:\Windows\System32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "DefaultLatencyToleranceTimerPeriod" /t REG_DWORD /d "1" /f
  2⤵
  PID:1928
- C:\Windows\System32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "DefaultMemoryRefreshLatencyToleranceActivelyUsed" /t REG_DWORD /d "1" /f
  2⤵
  PID:4336
- C:\Windows\System32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "DefaultMemoryRefreshLatencyToleranceMonitorOff" /t REG_DWORD /d "1" /f
  2⤵
  PID:2204
- C:\Windows\System32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "DefaultMemoryRefreshLatencyToleranceNoContext" /t REG_DWORD /d "1" /f
  2⤵
  PID:2868
- C:\Windows\System32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "Latency" /t REG_DWORD /d "1" /f
  2⤵
  PID:4992
- C:\Windows\System32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "MaxIAverageGraphicsLatencyInOneBucket" /t REG_DWORD /d "1" /f
  2⤵
  PID:3952
- C:\Windows\System32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "MiracastPerfTrackGraphicsLatency" /t REG_DWORD /d "1" /f
  2⤵
  PID:1396
- C:\Windows\System32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "MonitorLatencyTolerance" /t REG_DWORD /d "1" /f
  2⤵
  PID:4612
- C:\Windows\System32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "MonitorRefreshLatencyTolerance" /t REG_DWORD /d "1" /f
  2⤵
  PID:2356
- C:\Windows\System32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "TransitionLatency" /t REG_DWORD /d "1" /f
  2⤵
  PID:3520
- C:\Windows\System32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000" /v "Acceleration.Level" /t REG_DWORD /d "0" /f
  2⤵
  PID:4068
- C:\Windows\System32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000" /v "DesktopStereoShortcuts" /t REG_DWORD /d "0" /f
  2⤵
  PID:5048
- C:\Windows\System32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000" /v "FeatureControl" /t REG_DWORD /d "4" /f
  2⤵
  PID:2992
- C:\Windows\System32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000" /v "NVDeviceSupportKFilter" /t REG_DWORD /d "0" /f
  2⤵
  PID:1172
- C:\Windows\System32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000" /v "RmCacheLoc" /t REG_DWORD /d "0" /f
  2⤵
  PID:3496
- C:\Windows\System32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000" /v "RmDisableInst2Sys" /t REG_DWORD /d "0" /f
  2⤵
  PID:2844
- C:\Windows\System32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000" /v "RmFbsrPagedDMA" /t REG_DWORD /d "1" /f
  2⤵
  PID:4472
- C:\Windows\System32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000" /v "RMGpuId" /t REG_DWORD /d "256" /f
  2⤵
  PID:4276
- C:\Windows\System32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000" /v "RmProfilingAdminOnly" /t REG_DWORD /d "0" /f
  2⤵
  PID:4636
- C:\Windows\System32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000" /v "TCCSupported" /t REG_DWORD /d "0" /f
  2⤵
  PID:2196
- C:\Windows\System32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000" /v "TrackResetEngine" /t REG_DWORD /d "0" /f
  2⤵
  PID:4404
- C:\Windows\System32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000" /v "UseBestResolution" /t REG_DWORD /d "1" /f
  2⤵
  PID:640
- C:\Windows\System32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000" /v "ValidateBlitSubRects" /t REG_DWORD /d "0" /f
  2⤵
  PID:4624
- C:\Windows\System32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\Scheduler" /v "EnablePreemption" /t REG_DWORD /d "0" /f
  2⤵
  PID:4916
- C:\Windows\System32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\Scheduler" /v "PlatformSupportMiracast" /t REG_DWORD /d "0" /f
  2⤵
  PID:1512
- C:\Windows\System32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\nvlddmkm" /v "DisablePreemption" /t REG_DWORD /d "1" /f
  2⤵
  PID:1564
- C:\Windows\System32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\nvlddmkm" /v "DisableCudaContextPreemption" /t REG_DWORD /d "1" /f
  2⤵
  PID:5076
- C:\Windows\System32\taskkill.exe
  taskkill /f /im explorer.exe
  2⤵
  - Kills process with taskkill
  PID:2544
- C:\Windows\explorer.exe
  explorer.exe
  2⤵
  - Modifies Installed Components in the registry
  - Enumerates connected drives
  - Checks SCSI registry key(s)
  - Modifies registry class
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:4160
- C:\Windows\System32\gpupdate.exe
  gpupdate /force
  2⤵
  PID:3116
- C:\Windows\System32\mode.com
  mode con lines=35 cols=140
  2⤵
  PID:2760
- C:\Windows\System32\mode.com
  mode con lines=35 cols=140
  2⤵
  PID:4144
- C:\Windows\System32\wscript.exe
  WSCRIPT "C:\Users\Admin\AppData\Local\Temp\~tmpmsgbox.vbs"
  2⤵
  PID:5096
- C:\Windows\System32\reg.exe
  REG ADD "HKEY_CURRENT_USER\System\GameConfigStore" /F /V "GameDVR_Enabled" /T REG_DWORD /d 0
  2⤵
  PID:1440
- C:\Windows\System32\reg.exe
  REG ADD "HKEY_CURRENT_USER\System\GameConfigStore" /F /V "GameDVR_FSEBehaviorMode" /T REG_DWORD /d 2
  2⤵
  PID:3280
- C:\Windows\System32\reg.exe
  REG ADD "HKEY_CURRENT_USER\System\GameConfigStore" /F /V "GameDVR_HonorUserFSEBehaviorMode" /T REG_DWORD /d 0
  2⤵
  PID:1916
- C:\Windows\System32\reg.exe
  REG ADD "HKEY_CURRENT_USER\System\GameConfigStore" /F /V "GameDVR_DXGIHonorFSEWindowsCompatible" /T REG_DWORD /d 0
  2⤵
  PID:3140
- C:\Windows\System32\reg.exe
  REG ADD "HKEY_CURRENT_USER\System\GameConfigStore" /F /V "GameDVR_EFSEFeatureFlags" /T REG_DWORD /d 0
  2⤵
  PID:1852
- C:\Windows\System32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DataCollection" /F /V "AllowCommercialDataPipeline" /T REG_DWORD /d 0
  2⤵
  PID:4204
- C:\Windows\System32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DataCollection" /F /V "AllowDesktopAnalyticsProcessing" /T REG_DWORD /d 0
  2⤵
  PID:4368
- C:\Windows\System32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DataCollection" /F /V "AllowDeviceNameInTelemetry" /T REG_DWORD /d 0
  2⤵
  PID:3748
- C:\Windows\System32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DataCollection" /F /V "AllowTelemetry" /T REG_DWORD /d 0
  2⤵
  PID:4680
- C:\Windows\System32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DataCollection" /F /V "AllowUpdateComplianceProcessing" /T REG_DWORD /d 0
  2⤵
  PID:3564
- C:\Windows\System32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DataCollection" /F /V "AllowWUfBCloudProcessing" /T REG_DWORD /d 0
  2⤵
  PID:1984
- C:\Windows\System32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DataCollection" /F /V "DisableEnterpriseAuthProxy" /T REG_DWORD /d 1
  2⤵
  PID:2044
- C:\Windows\System32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DataCollection" /F /V "MicrosoftEdgeDataOptIn" /T REG_DWORD /d 0
  2⤵
  PID:3588
- C:\Windows\System32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DataCollection" /F /V "DisableTelemetryOptInChangeNotification" /T REG_DWORD /d 1
  2⤵
  PID:2160
- C:\Windows\System32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DataCollection" /F /V "DisableTelemetryOptInSettingsUx" /T REG_DWORD /d 1
  2⤵
  PID:2396
- C:\Windows\System32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DataCollection" /F /V "DisableDiagnosticDataViewer" /T REG_DWORD /d 1
  2⤵
  PID:4912
- C:\Windows\System32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DataCollection" /F /V "EnableConfigFlighting" /T REG_DWORD /d 0
  2⤵
  PID:2204
- C:\Windows\System32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DataCollection" /F /V "DoNotShowFeedbackNotifications" /T REG_DWORD /d 1
  2⤵
  PID:1564
- C:\Windows\System32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DataCollection" /F /V "LimitEnhancedDiagnosticDataWindowsAnalytics" /T REG_DWORD /d 0
  2⤵
  PID:4128
- C:\Windows\System32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System" /F /V "EnableSmartScreen" /T REG_DWORD /d 0
  2⤵
  PID:1852
- C:\Windows\System32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\FileHistory" /F /V "Disabled" /T REG_DWORD /d 1
  2⤵
  PID:4076
- C:\Windows\System32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FindMyDevice" /F /V "AllowFindMyDevice" /T REG_DWORD /d 0
  2⤵
  PID:2196
- C:\Windows\System32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Settings\FindMyDevice" /F /V "LocationSyncEnabled" /T REG_DWORD /d 0
  2⤵
  PID:2556
- C:\Windows\System32\reg.exe
  Reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\location" /F /V "Value" /T REG_SZ /d "Deny"
  2⤵
  PID:5032
- C:\Windows\System32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LocationAndSensors" /F /V "DisableLocation" /T REG_DWORD /d 1
  2⤵
  PID:4492
- C:\Windows\System32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LocationAndSensors" /F /V "DisableLocationScripting" /T REG_DWORD /d 1
  2⤵
  PID:4388
- C:\Windows\System32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LocationAndSensors" /F /V "DisableSensors" /T REG_DWORD /d 1
  2⤵
  PID:3200
- C:\Windows\System32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LocationAndSensors" /F /V "DisableWindowsLocationProvider" /T REG_DWORD /d 1
  2⤵
  PID:2396
- C:\Windows\System32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Maps" /F /V "AutoDownloadAndUpdateMapData" /T REG_DWORD /d 0
  2⤵
  PID:1744
- C:\Windows\System32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Maps" /F /V "AllowUntriggeredNetworkTrafficOnSettingsPage" /T REG_DWORD /d 0
  2⤵
  PID:1932
- C:\Windows\System32\reg.exe
  Reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\appDiagnostics" /F /V "Value" /T REG_SZ /d "Deny"
  2⤵
  PID:3912
- C:\Windows\System32\reg.exe
  Reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\appointments" /F /V "Value" /T REG_SZ /d "Deny"
  2⤵
  PID:1440
- C:\Windows\System32\reg.exe
  Reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\email" /F /V "Value" /T REG_SZ /d "Deny"
  2⤵
  PID:3808
- C:\Windows\System32\reg.exe
  Reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\phoneCall" /F /V "Value" /T REG_SZ /d "Deny"
  2⤵
  PID:2196
- C:\Windows\System32\reg.exe
  Reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\userDataTasks" /F /V "Value" /T REG_SZ /d "Deny"
  2⤵
  PID:4144
- C:\Windows\System32\reg.exe
  Reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\chat" /F /V "Value" /T REG_SZ /d "Deny"
  2⤵
  PID:3852
- C:\Windows\System32\reg.exe
  Reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\contacts" /F /V "Value" /T REG_SZ /d "Deny"
  2⤵
  PID:1556
- C:\Windows\System32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Messaging" /F /V "AllowMessageSync" /T REG_DWORD /d 0
  2⤵
  PID:3980
- C:\Windows\System32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Assistance\Client\1.0" /F /V "NoActiveHelp" /T REG_DWORD /d 1
  2⤵
  PID:1960
- C:\Windows\System32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search" /F /V "DisableWebSearch" /T REG_DWORD /d 1
  2⤵
  PID:1640
- C:\Windows\System32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search" /F /V "DisableRemovableDriveIndexing" /T REG_DWORD /d 1
  2⤵
  PID:4540
- C:\Windows\System32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search" /F /V "AllowCortanaAboveLock" /T REG_DWORD /d 0
  2⤵
  PID:3436
- C:\Windows\System32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search" /F /V "AllowCloudSearch" /T REG_DWORD /d 0
  2⤵
  PID:1508
- C:\Windows\System32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search" /F /V "AllowSearchToUseLocation" /T REG_DWORD /d 0
  2⤵
  PID:2548
- C:\Windows\System32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search" /F /V "ConnectedSearchUseWeb" /T REG_DWORD /d 0
  2⤵
  PID:1216
- C:\Windows\System32\reg.exe
  REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\SearchSettings" /F /V "SafeSearchMode" /T REG_DWORD /d 0
  2⤵
  PID:1032
- C:\Windows\System32\reg.exe
  REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\SearchSettings" /F /V "IsDeviceSearchHistoryEnabled" /T REG_DWORD /d 0
  2⤵
  PID:1804
- C:\Windows\System32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Speech" /F /V "AllowSpeechModelUpdate" /T REG_DWORD /d 0
  2⤵
  PID:4164
- C:\Windows\System32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\SettingSync" /F /V "DisableApplicationSettingSync" /T REG_DWORD /d 2
  2⤵
  PID:1984
- C:\Windows\System32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\SettingSync" /F /V "DisableAppSyncSettingSync" /T REG_DWORD /d 2
  2⤵
  PID:1972
- C:\Windows\System32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\SettingSync" /F /V "DisableWebBrowserSettingSync" /T REG_DWORD /d 2
  2⤵
  PID:3980
- C:\Windows\System32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\SettingSync" /F /V "DisableDesktopThemeSettingSync" /T REG_DWORD /d 2
  2⤵
  PID:1852
- C:\Windows\System32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\SettingSync" /F /V "DisableSettingSync" /T REG_DWORD /d 2
  2⤵
  PID:2212
- C:\Windows\System32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\SettingSync" /F /V "DisableSyncOnPaidNetwork" /T REG_DWORD /d 1
  2⤵
  PID:5104
- C:\Windows\System32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\SettingSync" /F /V "DisableWindowsSettingSync" /T REG_DWORD /d 2
  2⤵
  PID:1640
- C:\Windows\System32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\SettingSync" /F /V "DisableCredentialsSettingSync" /T REG_DWORD /d 2
  2⤵
  PID:2536
- C:\Windows\System32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\SettingSync" /F /V "DisablePersonalizationSettingSync" /T REG_DWORD /d 2
  2⤵
  PID:3936
- C:\Windows\System32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\SettingSync" /F /V "DisableStartLayoutSettingSync" /T REG_DWORD /d 2
  2⤵
  PID:1972
- C:\Windows\System32\reg.exe
  REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "SubscribedContent-338389Enabled" /t REG_DWORD /f /d 0
  2⤵
  PID:4124
- C:\Windows\System32\reg.exe
  REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "SubscribedContent-314563Enabled" /t REG_DWORD /f /d 0
  2⤵
  PID:2600
- C:\Windows\System32\reg.exe
  REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "SubscribedContent-310093Enabled" /t REG_DWORD /f /d 0
  2⤵
  PID:636
- C:\Windows\System32\reg.exe
  REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "SubscribedContent-353698Enabled" /t REG_DWORD /f /d 0
  2⤵
  PID:1188
- C:\Windows\System32\reg.exe
  REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "SubscribedContent-338393Enabled" /t REG_DWORD /f /d 0
  2⤵
  PID:4024
- C:\Windows\System32\reg.exe
  REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "SubscribedContent-353696Enabled" /t REG_DWORD /f /d 0
  2⤵
  PID:3932
- C:\Windows\System32\reg.exe
  REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "SubscribedContent-353694Enabled" /t REG_DWORD /f /d 0
  2⤵
  PID:664
- C:\Windows\System32\reg.exe
  REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "SubscribedContent-338388Enabled" /t REG_DWORD /f /d 0
  2⤵
  PID:840
- C:\Windows\System32\reg.exe
  REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "SubscribedContent-338387Enabled" /t REG_DWORD /f /d 0
  2⤵
  PID:4100
- C:\Windows\System32\reg.exe
  REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "SilentInstalledAppsEnabled" /t REG_DWORD /f /d 0
  2⤵
  PID:2176
- C:\Windows\System32\reg.exe
  REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "SystemPaneSuggestionsEnabled" /t REG_DWORD /f /d 0
  2⤵
  PID:4348
- C:\Windows\System32\reg.exe
  REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "SoftLandingEnabled" /t REG_DWORD /f /d 0
  2⤵
  PID:3776
- C:\Windows\System32\reg.exe
  REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "RotatingLockScreenEnabled" /t REG_DWORD /f /d 0
  2⤵
  PID:3564
- C:\Windows\System32\reg.exe
  REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "RotatingLockScreenOverlayEnabled" /t REG_DWORD /f /d 0
  2⤵
  PID:3356
- C:\Windows\System32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\TabletPC" /F /V "TurnOffTouchInput" /T REG_DWORD /d 1
  2⤵
  PID:4076
- C:\Windows\System32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\TabletPC" /F /V "TurnOffPanning" /T REG_DWORD /d 1
  2⤵
  PID:3200
- C:\Windows\System32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\TextInput" /F /V "AllowLinguisticDataCollection" /T REG_DWORD /d 0
  2⤵
  PID:4800
- C:\Windows\System32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsInkWorkspace" /F /V "AllowWindowsInkWorkspace" /T REG_DWORD /d 0
  2⤵
  PID:4856
- C:\Windows\System32\sc.exe
  SC CONFIG Winmgmt start= auto
  2⤵
  - Launches sc.exe
  PID:4572
- C:\Windows\System32\sc.exe
  SC CONFIG TrustedInstaller start= demand
  2⤵
  - Launches sc.exe
  PID:3524
- C:\Windows\System32\sc.exe
  SC CONFIG AppInfo start= demand
  2⤵
  - Launches sc.exe
  PID:4940
- C:\Windows\System32\sc.exe
  SC CONFIG DeviceInstall start= demand
  2⤵
  - Launches sc.exe
  PID:448
- C:\Windows\System32\sc.exe
  SC START Winmgmt
  2⤵
  - Launches sc.exe
  PID:1788
- C:\Windows\System32\sc.exe
  SC START TrustedInstaller
  2⤵
  - Launches sc.exe
  PID:1556
- C:\Windows\System32\sc.exe
  SC START AppInfo
  2⤵
  - Launches sc.exe
  PID:4244
- C:\Windows\System32\sc.exe
  SC START DeviceInstall
  2⤵
  - Launches sc.exe
  PID:3932
- C:\Windows\System32\sc.exe
  SC START Dhcp
  2⤵
  - Launches sc.exe
  PID:2176
- C:\Windows\System32\Wbem\WMIC.exe
  wmic process where name="javaw.exe" CALL setpriority "realtime"
  2⤵
  PID:3920
- C:\Windows\System32\Wbem\WMIC.exe
  wmic process where name="svchost.exe" CALL setpriority "realtime"
  2⤵
  PID:1180
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  PowerShell "get-process svchost | % { $_.ProcessorAffinity=2 }"
  2⤵
  PID:4820
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  PowerShell "get-process svchost | foreach { $_.ProcessorAffinity=2 }"
  2⤵
  PID:3140
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  PowerShell "get-process winlogon | % { $_.ProcessorAffinity=2 }"
  2⤵
  PID:2612
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  PowerShell "get-process winlogon | foreach { $_.ProcessorAffinity=2 }"
  2⤵
  PID:3748
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  PowerShell "get-process dwm | % { $_.ProcessorAffinity=2 }"
  2⤵
  PID:2208
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  PowerShell "get-process dwm | foreach { $_.ProcessorAffinity=2 }"
  2⤵
  PID:416
- C:\Windows\System32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters" /v "MaxConnectionsPer1_0Server" /t REG_DWORD /d "16" /f
  2⤵
  PID:2212
- C:\Windows\System32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters" /v "MaxConnectionsPerServer" /t REG_DWORD /d "16" /f
  2⤵
  PID:4160
- C:\Windows\System32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters" /v "DisableTaskOffload" /t REG_DWORD /d "00000000" /f
  2⤵
  PID:4492
- C:\Windows\System32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters" /v "EnableConnectionRateLimiting" /t REG_DWORD /d "00000000" /f
  2⤵
  PID:4092
- C:\Windows\System32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters" /v "EnableDCA" /t REG_DWORD /d "" /f
  2⤵
  PID:3664
- C:\Windows\System32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters" /v "EnablePMTUBHDetect" /t REG_DWORD /d "00000000" /f
  2⤵
  PID:4232
- C:\Windows\System32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters" /v "EnablePMTUDiscovery" /t REG_DWORD /d "00000001" /f
  2⤵
  PID:1524
- C:\Windows\System32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters" /v "EnableRSS" /t REG_DWORD /d "00000001" /f
  2⤵
  PID:2804
- C:\Windows\System32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters" /v "EnableTCPA" /t REG_DWORD /d "00000001" /f
  2⤵
  PID:448
- C:\Windows\System32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters" /v "EnableWsd" /t REG_DWORD /d "00000000" /f
  2⤵
  PID:4124
- C:\Windows\System32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters" /v "IRPStackSize" /t REG_DWORD /d "0000001e" /f
  2⤵
  PID:4456
- C:\Windows\System32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters" /v "MaxFreeTcbs" /t REG_DWORD /d "65535" /f
  2⤵
  PID:392
- C:\Windows\System32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters" /v "MaxHashTableSize" /t REG_DWORD /d "00010000" /f
  2⤵
  PID:2336
- C:\Windows\System32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters" /v "MaxUserPort" /t REG_DWORD /d "65534" /f
  2⤵
  PID:1496
- C:\Windows\System32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters" /v "SackOpts" /t REG_DWORD /d "00000001" /f
  2⤵
  PID:4936
- C:\Windows\System32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters" /v "SizReqBuf" /t REG_DWORD /d "51319" /f
  2⤵
  PID:3484
- C:\Windows\System32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters" /v "SynAttackProtect" /t REG_DWORD /d "00000001" /f
  2⤵
  PID:3816
- C:\Windows\System32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters" /v "TCPNoDelay" /t REG_DWORD /d "00000001" /f
  2⤵
  PID:508
- C:\Windows\System32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters" /v "Tcp1323Opts" /t REG_DWORD /d "00000001" /f
  2⤵
  PID:1076
- C:\Windows\System32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters" /v "TcpMaxDataRetransmissions" /t REG_DWORD /d "4" /f
  2⤵
  PID:4840
- C:\Windows\System32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters" /v "TcpAckFrequency" /t REG_DWORD /d "00000005" /f
  2⤵
  PID:4176
- C:\Windows\System32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters" /v "StrictTimeWaitSeqCheck" /t REG_DWORD /d "00000001" /f
  2⤵
  PID:628
- C:\Windows\System32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters" /v "DisableIPSourceRouting" /t REG_DWORD /d "00000008" /f
  2⤵
  PID:1632
- C:\Windows\System32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters" /v "KeepAliveInterval" /t REG_DWORD /d "000003e8" /f
  2⤵
  PID:4708
- C:\Windows\System32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters" /v "TcpCreateAndConnectTcbRateLimitDepth" /t REG_DWORD /d "00000000" /f
  2⤵
  PID:1856
- C:\Windows\System32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters" /v "TCPInitalRtt" /t REG_DWORD /d "00046325" /f
  2⤵
  PID:1556
- C:\Windows\System32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters" /v "TcpMaxDupAcks" /t REG_DWORD /d "00000002" /f
  2⤵
  PID:3748
- C:\Windows\System32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters" /v "TcpNumConnections" /t REG_DWORD /d "de7a" /f
  2⤵
  PID:2400
- C:\Windows\System32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters" /v "TcpTimedWaitDelay" /t REG_DWORD /d "00000042d" /f
  2⤵
  PID:2312
- C:\Windows\System32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters" /v "TcpFinWait2Delay" /t REG_DWORD /d "00000042d" /f
  2⤵
  PID:3664
- C:\Windows\System32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters" /v "TCPDelAckTicks" /t REG_DWORD /d "00000001" /f
  2⤵
  PID:2588
- C:\Windows\System32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters" /v "IPAutoconfigurationEnabled" /t REG_DWORD /d "00000000" /f
  2⤵
  PID:3536
- C:\Windows\System32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters" /v "DefaultTTL" /t REG_DWORD /d "38" /f
  2⤵
  PID:2616
- C:\Windows\System32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\ServiceProvider" /v "LocalPriority" /t REG_DWORD /d "239" /f
  2⤵
  PID:4280
- C:\Windows\System32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\ServiceProvider" /v "HostsPriority" /t REG_DWORD /d "240" /f
  2⤵
  PID:3808
- C:\Windows\System32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\ServiceProvider" /v "DnsPriority" /t REG_DWORD /d "1740" /f
  2⤵
  PID:4372
- C:\Windows\System32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\ServiceProvider" /v "NetbtPriority" /t REG_DWORD /d "1741" /f
  2⤵
  PID:2336
- C:\Windows\System32\reg.exe
  Reg.exe add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v "MaxConnectionsPerServer" /t REG_DWORD /d "10" /f
  2⤵
  PID:2996
- C:\Windows\System32\reg.exe
  Reg.exe add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v "MaxConnectionsPer1_0Server" /t REG_DWORD /d "10" /f
  2⤵
  PID:4968
- C:\Windows\System32\reg.exe
  Reg.exe add "HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v "MaxConnectionsPerServer" /t REG_DWORD /d "10" /f
  2⤵
  PID:2780
- C:\Windows\System32\reg.exe
  Reg.exe add "HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v "MaxConnectionsPer1_0Server" /t REG_DWORD /d "10" /f
  2⤵
  PID:3484
- C:\Windows\System32\reg.exe
  Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings" /v "MaxConnectionsPerServer" /t REG_DWORD /d "10" /f
  2⤵
  PID:3924
- C:\Windows\System32\reg.exe
  Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings" /v "MaxConnectionsPer1_0Server" /t REG_DWORD /d "10" /f
  2⤵
  PID:508
- C:\Windows\System32\reg.exe
  Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile" /v "NetworkThrottlingIndex" /t REG_DWORD /d "ffffffff" /f
  2⤵
  PID:932
- C:\Windows\System32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v "LargeSystemCache" /t REG_DWORD /d "1" /f
  2⤵
  PID:2784
- C:\Windows\System32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v "IoPageLockLimit" /t REG_DWORD /d "000f0000" /f
  2⤵
  PID:3860
- C:\Windows\System32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters" /v "CacheHashTableBucketSize" /t REG_DWORD /d "00000001" /f
  2⤵
  PID:1344
- C:\Windows\System32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters" /v "CacheHashTableSize" /t REG_DWORD /d "00000180" /f
  2⤵
  PID:4952
- C:\Windows\System32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters" /v "MaxCacheEntryTtlLimit" /t REG_DWORD /d "0000FA00" /f
  2⤵
  PID:3116
- C:\Windows\System32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters" /v "MaxSOACacheEntryTtlLimit" /t REG_DWORD /d "0000012D" /f
  2⤵
  PID:1668
- C:\Windows\System32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters" /v "NegativeCacheTime" /t REG_DWORD /d "00000000" /f
  2⤵
  PID:2720
- C:\Windows\System32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters" /v "NetFailureCacheTime" /t REG_DWORD /d "00000000" /f
  2⤵
  PID:4448
- C:\Windows\System32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters" /v "NegativeSOACacheTime" /t REG_DWORD /d "00000000" /f
  2⤵
  PID:4380
- C:\Windows\System32\reg.exe
  Reg.exe add "HKLM\SOFTWARE\Microsoft\MSMQ\Parameters" /v "TCPNoDelay" /t REG_DWORD /d "1" /f
  2⤵
  PID:1564
- C:\Windows\System32\reg.exe
  Reg.exe add "HKLM\SOFTWARE\Microsoft\MSMQ\Parameters\OCMsetup" /f
  2⤵
  PID:808
- C:\Windows\System32\reg.exe
  Reg.exe add "HKLM\SOFTWARE\Microsoft\MSMQ\Parameters\Security" /v "SecureDSCommunication" /t REG_DWORD /d "0" /f
  2⤵
  PID:4188
- C:\Windows\System32\reg.exe
  Reg.exe add "HKLM\SOFTWARE\Microsoft\MSMQ\Parameters\setup" /f
  2⤵
  PID:228
- C:\Windows\System32\reg.exe
  Reg.exe add "HKLM\SOFTWARE\Microsoft\MSMQ\Setup" /f
  2⤵
  PID:3156
- C:\Windows\System32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" /v "IRPStackSize" /t REG_DWORD /d "80" /f
  2⤵
  PID:4176
- C:\Windows\System32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" /v "SizReqBuf" /t REG_DWORD /d "170372" /f
  2⤵
  PID:3972
- C:\Windows\System32\reg.exe
  Reg.exe add "HKLM\Software\Policies\Microsoft\Windows\System" /v "HiberbootEnabled" /t REG_DWORD /d "1" /f
  2⤵
  PID:4916
- C:\Windows\System32\reg.exe
  Reg.exe add "HKLM\Software\Policies\Microsoft\Windows\Psched" /v "MaxOutstandingSends" /t REG_DWORD /d "1073741824" /f
  2⤵
  PID:3776
- C:\Windows\System32\reg.exe
  Reg.exe add "HKLM\Software\Policies\Microsoft\Windows\Psched" /v "NonBestEffortLimit" /t REG_DWORD /d "0" /f
  2⤵
  PID:1856
- C:\Windows\System32\reg.exe
  Reg.exe add "HKLM\Software\Policies\Microsoft\Windows\Psched" /v "TimerResolution" /t REG_DWORD /d "4294967295" /f
  2⤵
  PID:1556
- C:\Windows\System32\reg.exe
  Reg.exe add "HKLM\Software\Policies\Microsoft\Windows\Psched\UserPriorityMapping" /v "ServiceTypeNonConforming" /t REG_DWORD /d "7" /f
  2⤵
  PID:4216
- C:\Windows\System32\reg.exe
  Reg.exe add "HKLM\Software\Policies\Microsoft\Windows\Psched\UserPriorityMapping" /v "ServiceTypeBestEffort" /t REG_DWORD /d "7" /f
  2⤵
  PID:4616
- C:\Windows\System32\reg.exe
  Reg.exe add "HKLM\Software\Policies\Microsoft\Windows\Psched\UserPriorityMapping" /v "ServiceTypeControlledLoad" /t REG_DWORD /d "7" /f
  2⤵
  PID:2312
- C:\Windows\System32\reg.exe
  Reg.exe add "HKLM\Software\Policies\Microsoft\Windows\Psched\UserPriorityMapping" /v "ServiceTypeGuaranteed" /t REG_DWORD /d "7" /f
  2⤵
  PID:5096
- C:\Windows\System32\reg.exe
  Reg.exe add "HKLM\Software\Policies\Microsoft\Windows\Psched\UserPriorityMapping" /v "ServiceTypeNetworkControl" /t REG_DWORD /d "7" /f
  2⤵
  PID:3536
- C:\Windows\System32\reg.exe
  Reg.exe add "HKLM\Software\Policies\Microsoft\Windows\Psched\UserPriorityMapping" /v "ServiceTypeQualitative" /t REG_DWORD /d "7" /f
  2⤵
  PID:2616
- C:\Windows\System32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\services\LanmanServer\Parameters" /v "IRPStackSize" /t REG_DWORD /d "50" /f
  2⤵
  PID:3808
- C:\Windows\System32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\services\LanmanServer\Parameters" /v "SizReqBuf" /t REG_DWORD /d "170372" /f
  2⤵
  PID:1428
- C:\Windows\System32\reg.exe
  Reg.exe add "HKLM\Software\Policies\Microsoft\Windows\BITS" /v "EnableBITSMaxBandwidth" /t REG_DWORD /d "0" /f
  2⤵
  PID:4832
- C:\Windows\System32\reg.exe
  Reg.exe add "HKLM\Software\Policies\Microsoft\Windows\NetCache" /v "PeerCachingLatencyThreshold" /t REG_DWORD /d "268435456" /f
  2⤵
  PID:3200
- C:\Windows\System32\reg.exe
  Reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\PeerDist\Service" /v "Enable" /t REG_DWORD /d "1" /f
  2⤵
  PID:4736
- C:\Windows\System32\reg.exe
  Reg.exe add "HKLM\Software\Policies\Microsoft\Windows NT\DNSClient" /v "UpdateSecurityLevel" /t REG_DWORD /d "598" /f
  2⤵
  PID:3484
- C:\Windows\System32\reg.exe
  Reg.exe add "HKLM\Software\Policies\Microsoft\Windows NT\DNSClient" /v "RegistrationTtl" /t REG_DWORD /d "1117034098" /f
  2⤵
  PID:3924
- C:\Windows\System32\reg.exe
  Reg.exe add "HKLM\Software\Policies\Microsoft\Windows\Network Connections" /v "NC_AllowNetBridge_NLA" /t REG_DWORD /d "0" /f
  2⤵
  PID:3932
- C:\Windows\System32\reg.exe
  Reg.exe add "HKLM\Software\Policies\Microsoft\Windows\Network Connections" /v "NC_AllowAdvancedTCPIPConfig" /t REG_DWORD /d "1" /f
  2⤵
  PID:2784
- C:\Windows\System32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters" /v "SizReqBuf" /t REG_DWORD /d "53819" /f
  2⤵
  PID:1344
- C:\Windows\System32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters" /v "SynAttackProtect" /t REG_DWORD /d "00000001" /f
  2⤵
  PID:2416
- C:\Windows\System32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters" /v "TCPNoDelay" /t REG_DWORD /d "00000001" /f
  2⤵
  PID:1668
- C:\Windows\System32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters" /v "Tcp1323Opts" /t REG_DWORD /d "00000001" /f
  2⤵
  PID:1184
- C:\Windows\System32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters" /v "TcpMaxDataRetransmissions" /t REG_DWORD /d "23" /f
  2⤵
  PID:3948
- C:\Windows\System32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters" /v "TcpAckFrequency" /t REG_DWORD /d "00000008" /f
  2⤵
  PID:2340
- C:\Windows\System32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters" /v "StrictTimeWaitSeqCheck" /t REG_DWORD /d "00000001" /f
  2⤵
  PID:736
- C:\Windows\System32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters" /v "DisableIPSourceRouting" /t REG_DWORD /d "00000008" /f
  2⤵
  PID:3000
- C:\Windows\System32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters" /v "KeepAliveInterval" /t REG_DWORD /d "000003e8" /f
  2⤵
  PID:3140
- C:\Windows\System32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters" /v "TcpCreateAndConnectTcbRateLimitDepth" /t REG_DWORD /d "00000000" /f
  2⤵
  PID:3788
- C:\Windows\System32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters" /v "TCPInitalRtt" /t REG_DWORD /d "00049697" /f
  2⤵
  PID:4372
- C:\Windows\System32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters" /v "TcpMaxDupAcks" /t REG_DWORD /d "00000002" /f
  2⤵
  PID:3416
- C:\Windows\System32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters" /v "TcpNumConnections" /t REG_DWORD /d "de7a" /f
  2⤵
  PID:3200
- C:\Windows\System32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters" /v "TcpTimedWaitDelay" /t REG_DWORD /d "00000076d" /f
  2⤵
  PID:3520
- C:\Windows\System32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters" /v "TcpFinWait2Delay" /t REG_DWORD /d "00000076d" /f
  2⤵
  PID:3980
- C:\Windows\System32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters" /v "TCPDelAckTicks" /t REG_DWORD /d "00000001" /f
  2⤵
  PID:3932
- C:\Windows\System32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters" /v "IPAutoconfigurationEnabled" /t REG_DWORD /d "00000000" /f
  2⤵
  PID:4368
- C:\Windows\System32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters" /v "DefaultTTL" /t REG_DWORD /d "33" /f
  2⤵
  PID:3008
- C:\Windows\System32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters" /v "MTU" /t REG_DWORD /d "420" /f
  2⤵
  PID:4172
- C:\Windows\System32\reg.exe
  reg.exe add HKLM\SYSTEM\CurrentControlSet\services\NvTelemetryContainer /v Start /t REG_DWORD /d 4 /f
  2⤵
  - Modifies registry key
  PID:4068
- C:\Windows\System32\reg.exe
  reg.exe add HKLM\SOFTWARE\NVIDIA Corporation\NvControlPanel2\Client /v OptInOrOutPreference /t REG_DWORD /d 0 /f
  2⤵
  PID:2748
- C:\Windows\System32\reg.exe
  reg.exe add HKLM\SOFTWARE\Microsoft\Direct3D /v DisableVidMemVBs /t REG_DWORD /d 0 /f
  2⤵
  - Modifies registry key
  PID:3860
- C:\Windows\System32\reg.exe
  reg.exe add HKLM\SOFTWARE\Microsoft\Direct3D /v FlipNoVsync /t REG_DWORD /d 1 /f
  2⤵
  PID:3952
- C:\Windows\System32\reg.exe
  reg.exe add HKLM\SOFTWARE\Microsoft\Direct3DDrivers /v SoftwareOnly /t REG_DWORD /d 0 /f
  2⤵
  - Modifies registry key
  PID:2176
- C:\Windows\System32\reg.exe
  reg.exe add HKLM\SOFTWARE\Microsoft\Direct3D /v MMX Fast Path /t REG_DWORD /d 1 /f
  2⤵
  PID:2544
- C:\Windows\System32\reg.exe
  reg.exe add HKLM\SYSTEM\CurrentControlSet\Control\GraphicsDrivers /v TdrLevel /t REG_DWORD /d 0 /f
  2⤵
  PID:4188
- C:\Windows\System32\reg.exe
  reg.exe add HKLM\SYSTEM\CurrentControlSet\Control\GraphicsDrivers /v TdrDebugMode /t REG_DWORD /d 0 /f
  2⤵
  PID:4952
- C:\Windows\System32\reg.exe
  reg.exe add HKLM\SYSTEM\CurrentControlSet\Control\Power /v EnergyEstimationEnabled /t REG_DWORD /d 0 /f
  2⤵
  PID:3156
- C:\Windows\System32\reg.exe
  reg.exe add HKLM\SYSTEM\CurrentControlSet\Control\Power /v CsEnabled /t REG_DWORD /d 0 /f
  2⤵
  - Modifies registry key
  PID:1632
- C:\Windows\System32\reg.exe
  reg.exe add HKLM\SYSTEM\CurrentControlSet\Control\Power /v PerfCalculateActualUtilization /t REG_DWORD /d 0 /f
  2⤵
  PID:2808
- C:\Windows\System32\reg.exe
  reg.exe add HKLM\SYSTEM\CurrentControlSet\Control\Power /v SleepReliabilityDetailedDiagnostics /t REG_DWORD /d 0 /f
  2⤵
  PID:1356
- C:\Windows\System32\reg.exe
  reg.exe add HKLM\SYSTEM\CurrentControlSet\Control\Power /v EventProcessorEnabled /t REG_DWORD /d 0 /f
  2⤵
  PID:1556
- C:\Windows\System32\reg.exe
  reg.exe add HKLM\SYSTEM\CurrentControlSet\Control\Power /v QosManagesIdleProcessors /t REG_DWORD /d 0 /f
  2⤵
  PID:2312
- C:\Windows\System32\reg.exe
  reg.exe add HKLM\SYSTEM\CurrentControlSet\Control\Power /v DisableVsyncLatencyUpdate /t REG_DWORD /d 1 /f
  2⤵
  PID:3536
- C:\Windows\System32\reg.exe
  reg.exe add HKLM\SYSTEM\CurrentControlSet\Control\Power /v DisableSensorWatchdog /t REG_DWORD /d 1 /f
  2⤵
  PID:392
- C:\Windows\System32\reg.exe
  reg.exe add HKLM\SYSTEM\CurrentControlSet\Control\Power /v ExitLatencyCheckEnabled /t REG_DWORD /d 0 /f
  2⤵
  - Modifies registry key
  PID:3908
- C:\Windows\System32\reg.exe
  reg.exe add HKLM\SYSTEM\CurrentControlSet\Control\Power\PowerThrottling /v PowerThrottlingOff /t REG_DWORD /d 1 /f
  2⤵
  - Modifies registry key
  PID:4572
- C:\Windows\System32\reg.exe
  reg.exe add HKLM\SOFTWARE\Microsoft\Input\Settings\ControllerProcessor\CursorMagnetism /v MagnetismUpdateIntervalInMilliseconds /t REG_DWORD /d 1 /f
  2⤵
  - Modifies registry key
  PID:2620
- C:\Windows\System32\reg.exe
  reg.exe add HKLM\SOFTWARE\Microsoft\Input\Settings\ControllerProcessor\CursorSpeed /v CursorUpdateInterval /t REG_DWORD /d 1 /f
  2⤵
  PID:3980
- C:\Windows\System32\reg.exe
  reg.exe add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Reliability /v TimeStampInterval /t REG_DWORD /d 0 /f
  2⤵
  PID:3780
- C:\Windows\System32\reg.exe
  reg.exe add HKCU\Software\Microsoft\Windows\DWM /v CompositionPolicy /t REG_DWORD /d 0 /f
  2⤵
  - Modifies registry key
  PID:2284
- C:\Windows\System32\reg.exe
  reg.exe add HKLM\SYSTEM\CurrentControlSet\Services\amdlog /v Start /t REG_DWORD /d 4 /f
  2⤵
  PID:3836
- C:\Windows\System32\reg.exe
  reg.exe add HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 /v DisableDMACopy /t REG_DWORD /d 1 /f
  2⤵
  PID:508
- C:\Windows\System32\reg.exe
  reg.exe add HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 /v StutterMode /t REG_DWORD /d 0 /f
  2⤵
  - Modifies registry key
  PID:2416
- C:\Windows\System32\reg.exe
  reg.exe add HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 /v EnableUlps /t REG_DWORD /d 0 /f
  2⤵
  - Modifies registry key
  PID:2544
- C:\Windows\System32\reg.exe
  reg.exe add HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 /v PP_SclkDeepSleepDisable /t REG_DWORD /d 1 /f
  2⤵
  - Modifies registry key
  PID:4460
- C:\Windows\System32\reg.exe
  reg.exe add HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 /v PP_ThermalAutoThrottlingEnable /t REG_DWORD /d 0 /f
  2⤵
  PID:1168
- C:\Windows\System32\reg.exe
  reg.exe add HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 /v DisableDrmdmaPowerGating /t REG_DWORD /d 1 /f
  2⤵
  PID:1632
- C:\Windows\System32\reg.exe
  reg.exe add HKLM\Software\Microsoft\Windows Nt\CurrentVersion\Multimedia\SystemProfilE\Tasks\Games /v GPU Priority /t REG_DWORD /d 8 /f
  2⤵
  PID:2340
- C:\Windows\System32\reg.exe
  reg.exe add HKLM\Software\Microsoft\Windows Nt\CurrentVersion\Multimedia\SystemProfilE\Tasks\Games /v Priority /t REG_DWORD /d 6 /f
  2⤵
  PID:1556
- C:\Windows\System32\reg.exe
  reg.exe add HKLM\Software\Microsoft\Windows Nt\CurrentVersion\Multimedia\SystemProfilE\Tasks\Games /v Scheduling Category /t REG_SZ /d High /f
  2⤵
  PID:2312
- C:\Windows\System32\reg.exe
  reg.exe add HKCU\SOFTWARE\Microsoft\InputPersonalization /v RestrictImplicitInkCollection /t REG_DWORD /d 1 /f
  2⤵
  PID:396
- C:\Windows\System32\reg.exe
  reg.exe add HKCU\SOFTWARE\Microsoft\InputPersonalization /v RestrictImplicitTextCollection /t REG_DWORD /d 1 /f
  2⤵
  - Modifies registry key
  PID:3788
- C:\Windows\System32\reg.exe
  reg.exe add HKCU\SOFTWARE\Microsoft\InputPersonalization\TrainedDataStore /v HarvestContacts /t REG_DWORD /d 0 /f
  2⤵
  PID:2780
- C:\Windows\System32\reg.exe
  reg.exe add HKLM\SOFTWARE\Policies\Google\Chrome /v MetricsReportingEnabled /t REG_DWORD /d 0 /f
  2⤵
  PID:4372
- C:\Windows\System32\reg.exe
  reg.exe add HKLM\SOFTWARE\Policies\Microsoft\Windows\HandwritingErrorReports /v PreventHandwritingErrorReports /t REG_DWORD /d 1 /f
  2⤵
  PID:2612
- C:\Windows\System32\reg.exe
  reg.exe add HKCU\Control Panel\International\User Profile /v HttpAcceptLanguageOptOut /t REG_DWORD /d 1 /f
  2⤵
  PID:3372
- C:\Windows\System32\reg.exe
  reg.exe add HKLM\SOFTWARE\Policies\Microsoft\Windows\LocationAndSensors /v DisableLocation /t REG_DWORD /d 1 /f
  2⤵
  PID:4972
- C:\Windows\System32\reg.exe
  reg.exe add HKLM\SOFTWARE\Policies\Microsoft\Windows\LocationAndSensors /v DisableLocationScripting /t REG_DWORD /d 1 /f
  2⤵
  PID:3564
- C:\Windows\System32\reg.exe
  reg.exe add HKLM\SOFTWARE\Policies\Microsoft\Windows\LocationAndSensors /v DisableSensors /t REG_DWORD /d 1 /f
  2⤵
  PID:1264
- C:\Windows\System32\reg.exe
  reg.exe add HKLM\SOFTWARE\Policies\Microsoft\Windows\LocationAndSensors /v DisableWindowsLocationProvider /t REG_DWORD /d 1 /f
  2⤵
  PID:1188
- C:\Windows\System32\reg.exe
  reg.exe add HKLM\SYSTEM\CurrentControlSet\Services\lfsvc /v Start /t REG_DWORD /d 4 /f
  2⤵
  - Modifies registry key
  PID:2136
- C:\Windows\System32\reg.exe
  reg.exe add HKLM\SYSTEM\CurrentControlSet\Services\lfsvc\Service\Configuration /v Status /t REG_DWORD /d 0 /f
  2⤵
  PID:1196
- C:\Windows\System32\reg.exe
  reg.exe add HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Sensor\Permissions /v SensorPermissionState /t REG_DWORD /d 0 /f
  2⤵
  PID:3848
- C:\Windows\System32\reg.exe
  reg.exe add HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Sensor\Overrides /v SensorPermissionState /t REG_DWORD /d 0 /f
  2⤵
  PID:4720
- C:\Windows\System32\reg.exe
  reg.exe add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\DataCollection /v AllowTelemetry /t REG_DWORD /d 00000000 /f
  2⤵
  PID:4940
- C:\Windows\System32\reg.exe
  reg.exe add HKLM\Software\Policies\Microsoft\Windows\DataCollection /v AllowTelemetry /t REG_DWORD /d 00000000 /f
  2⤵
  PID:2204
- C:\Windows\System32\reg.exe
  reg.exe add HKLM\SOFTWARE\Policies\Microsoft\Windows\AppCompat /v AITEnable /t REG_DWORD /d 0 /f
  2⤵
  PID:4312
- C:\Windows\System32\reg.exe
  reg.exe add HKLM\SYSTEM\CurrentControlSet\Services\dmwappushservice /v Start /t REG_DWORD /d 4 /f
  2⤵
  PID:4616
- C:\Windows\System32\reg.exe
  reg.exe add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AdvertisingInfo /v Enabled /t REG_DWORD /d 0 /f
  2⤵
  PID:3904
- C:\Windows\System32\reg.exe
  reg.exe add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\AdvertisingInfo /v Enabled /t REG_DWORD /d 0 /f
  2⤵
  PID:3008
- C:\Windows\System32\reg.exe
  reg.exe add HKLM\SOFTWARE\Policies\Microsoft\Windows\AdvertisingInfo /v DisabledByGroupPolicy /t REG_DWORD /d 1 /f
  2⤵
  PID:3476
- C:\Windows\System32\reg.exe
  reg.exe add HKLM\SOFTWARE\Policies\Microsoft\Windows\AppCompat /v DisableInventory /t REG_DWORD /d 1 /f
  2⤵
  - Modifies registry key
  PID:5032
- C:\Windows\System32\reg.exe
  reg.exe add HKLM\SOFTWARE\Policies\Microsoft\SQMClient\Windows /v CEIPEnable /t REG_DWORD /d 0 /f
  2⤵
  - Modifies registry key
  PID:3860
- C:\Windows\System32\reg.exe
  reg.exe add HKLM\SOFTWARE\Policies\Microsoft\SQMClient /v CorporateSQMURL /t REG_SZ /d 0.0.0.0 /f
  2⤵
  PID:2760
- C:\Windows\System32\reg.exe
  reg.exe add HKLM\SOFTWARE\Policies\Microsoft\Windows\CloudContent /v DisableSoftLanding /t REG_DWORD /d 1 /f
  2⤵
  - Modifies registry key
  PID:4188
- C:\Windows\System32\reg.exe
  reg.exe add HKLM\SOFTWARE\Policies\Microsoft\Assistance\Client\1.0 /v NoActiveHelp /t REG_DWORD /d 1 /f
  2⤵
  - Modifies registry key
  PID:4380
- C:\Windows\System32\reg.exe
  reg.exe add HKLM\SYSTEM\ControlSet001\Control\WMI\AutoLogger\AutoLogger-Diagtrack-Listener /v Start /t REG_DWORD /d 0 /f
  2⤵
  PID:4708
- C:\Windows\System32\reg.exe
  reg.exe add HKLM\SYSTEM\CurrentControlSet\Control\WMI\AutoLogger\AutoLogger-Diagtrack-Listener /v Start /t REG_DWORD /d 0 /f
  2⤵
  PID:1916
- C:\Windows\System32\reg.exe
  reg.exe add HKLM\SYSTEM\CurrentControlSet\Control\WMI\AutoLogger\SQMLogger /v Start /t REG_DWORD /d 0 /f
  2⤵
  PID:4472
- C:\Windows\System32\reg.exe
  reg.exe add HKCU\SOFTWARE\Microsoft\Siuf\Rules /v NumberOfSIUFInPeriod /t REG_DWORD /d 0 /f
  2⤵
  - Modifies registry key
  PID:3672
- C:\Windows\System32\reg.exe
  reg.exe add HKCU\SOFTWARE\Microsoft\Siuf\Rules /v PeriodInNanoSeconds /t REG_DWORD /d 0 /f
  2⤵
  PID:4424
- C:\Windows\System32\reg.exe
  reg.exe add HKLM\SOFTWARE\Policies\Microsoft\Windows\DataCollection /v DoNotShowFeedbackNotifications /t REG_DWORD /d 1 /f
  2⤵
  - Modifies registry key
  PID:1076
- C:\Windows\System32\reg.exe
  reg.exe add HKCU\SOFTWARE\Policies\Microsoft\Assistance\Client\1.0 /v NoExplicitFeedback /t REG_DWORD /d 1 /f
  2⤵
  PID:4164
- C:\Windows\System32\reg.exe
  reg.exe add HKCU\SOFTWARE\Microsoft\MediaPlayer\Preferences /v UsageTracking /t REG_DWORD /d 0 /f
  2⤵
  PID:2808
- C:\Windows\System32\reg.exe
  reg.exe add HKLM\SOFTWARE\Policies\Microsoft\Windows\Explorer /v NoUseStoreOpenWith /t REG_DWORD /d 1 /f
  2⤵
  - Modifies registry key
  PID:4820
- C:\Windows\System32\reg.exe
  reg.exe add HKLM\SYSTEM\ControlSet001\Services\FrameServer /v Start /t REG_DWORD /d 4 /f
  2⤵
  - Modifies registry key
  PID:3372
- C:\Windows\System32\reg.exe
  reg.exe add HKCU\System\GameConfigStore /v GameDVR_FSEBehaviorMode /t REG_DWORD /d 2 /f
  2⤵
  PID:3496
- C:\Windows\System32\reg.exe
  reg.exe add HKCU\System\GameConfigStore /v GameDVR_HonorUserFSEBehaviorMode /t REG_DWORD /d 0 /f
  2⤵
  PID:4060
- C:\Windows\System32\reg.exe
  reg.exe add HKCU\System\GameConfigStore /v GameDVR_DXGIHonorFSEWindowsCompatible /t REG_DWORD /d 1 /f
  2⤵
  PID:2316
- C:\Windows\System32\reg.exe
  reg.exe add HKCU\System\GameConfigStore /v GameDVR_EFSEFeatureFlags /t REG_DWORD /d 0 /f
  2⤵
  - Modifies registry key
  PID:4064
- C:\Windows\System32\reg.exe
  reg.exe add HKLM\SYSTEM\ControlSet001\Control\PriorityControl /v Win32PrioritySeparation /t REG_DWORD /d fff55555 /f
  2⤵
  PID:4840
- C:\Windows\System32\reg.exe
  reg.exe add HKLM\SYSTEM\ControlSet001\Control\Power /v HibernateEnabled /t REG_DWORD /d 0 /f
  2⤵
  PID:4100
- C:\Windows\System32\reg.exe
  reg.exe add HKLM\SYSTEM\CurrentControlSet\Control\Power /v HibernateEnabled /t REG_DWORD /d 0 /f
  2⤵
  - Modifies registry key
  PID:2744
- C:\Windows\System32\reg.exe
  reg.exe add HKLM\Software\Microsoft\Windows\CurrentVersion\WINEVt\Channels\Microsoft-Windows-Superfetch/Main /v Enabled /t REG_DWORD /d 0 /f
  2⤵
  - Modifies registry key
  PID:4216
- C:\Windows\System32\reg.exe
  reg.exe add HKLM\Software\Microsoft\Windows\CurrentVersion\WINEVt\Channels\Microsoft-Windows-Superfetch/PfApLog /v Enabled /t REG_DWORD /d 0 /f
  2⤵
  PID:4264
- C:\Windows\System32\reg.exe
  reg.exe add HKLM\Software\Microsoft\Windows\CurrentVersion\WINEVt\Channels\Microsoft-Windows-Superfetch/StoreLog /v Enabled /t REG_DWORD /d 0 /f
  2⤵
  - Modifies registry key
  PID:4800
- C:\Windows\System32\reg.exe
  reg.exe add HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management /v ClearPageFileAtShutdown /t REG_DWORD /d 0 /f
  2⤵
  PID:2572
- C:\Windows\System32\reg.exe
  reg.exe add HKCU\Software\Microsoft\Windows\CurrentVersion\DeviceAccess\Global\LooselyCoupled /v Value /t REG_SZ /d Deny /f
  2⤵
  - Modifies registry key
  PID:1188
- C:\Windows\System32\reg.exe
  reg.exe add HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\csrss.exe\PerfOptions /v CpuPriorityClass /t REG_DWORD /d 4 /f
  2⤵
  - Modifies registry key
  PID:1396
- C:\Windows\System32\reg.exe
  reg.exe add HKLM\SYSTEM\CurrentControlSet\Control\GraphicsDrivers /v HwSchedMode /t REG_DWORD /d 2 /f
  2⤵
  - Modifies registry key
  PID:836
- C:\Windows\System32\reg.exe
  reg.exe add HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management /v LargeSystemCache /t REG_DWORD /d 1 /f
  2⤵
  PID:1180
- C:\Windows\System32\reg.exe
  reg.exe add HKCU\Control Panel\Mouse /v MouseHoverTime /t REG_SZ /d 0 /f
  2⤵
  PID:2192
- C:\Windows\System32\reg.exe
  reg.exe add HKCU\Control Panel\Mouse /v MouseSensitivity /t REG_SZ /d 10 /f
  2⤵
  PID:2032
- C:\Windows\System32\reg.exe
  reg.exe add HKU\.DEFAULT\Control Panel\Mouse /v MouseThreshold1 /t REG_SZ /d 0 /f
  2⤵
  PID:1568
- C:\Windows\System32\reg.exe
  reg.exe add HKU\.DEFAULT\Control Panel\Mouse /v MouseThreshold2 /t REG_SZ /d 0 /f
  2⤵
  PID:2100
- C:\Windows\System32\reg.exe
  reg.exe add HKLM\SYSTEM\CurrentControlSet\Services\mouhid\Parameters /v TreatAbsolutePointerAsAbsolute /t REG_DWORD /d 1 /f
  2⤵
  - Modifies registry key
  PID:4404
- C:\Windows\System32\reg.exe
  reg.exe add HKLM\SYSTEM\CurrentControlSet\Services\mouhid\Parameters /v TreatAbsoluteAsRelative /t REG_DWORD /d 0 /f
  2⤵
  PID:3980
- C:\Windows\System32\reg.exe
  reg.exe add HKCU\Control Panel\Mouse /v SmoothMouseXCurve /t REG_BINARY /d 000000000000000000a0000000000000004001000000000000800200000000000000050000000000 /f
  2⤵
  PID:4572
- C:\Windows\System32\reg.exe
  reg.exe add HKCU\Control Panel\Mouse /v SmoothMouseYCurve /t REG_BINARY /d 000000000000000066a6020000000000cd4c050000000000a0990a00000000003833150000000000 /f
  2⤵
  PID:3432
- C:\Windows\System32\reg.exe
  reg.exe add HKLM\SYSTEM\CurrentControlSet\Servicesmouclass\Parameters /v MouseDataQueueSize /t REG_DWORD /d 16 /f
  2⤵
  - Modifies registry key
  PID:3780
- C:\Windows\System32\reg.exe
  reg.exe add HKLM\SYSTEM\CurrentControlSet\Services\kbdclass\Parameters /v KeyboardDataQueueSize /t REG_DWORD /d 16 /f
  2⤵
  - Modifies registry key
  PID:2284
- C:\Windows\System32\reg.exe
  reg.exe add HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management /v EnableCfg /t REG_DWORD /d 0 /f
  2⤵
  PID:3476
- C:\Windows\System32\reg.exe
  reg.exe add HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management /v FeatureSettings /t REG_DWORD /d 1 /f
  2⤵
  - Modifies registry key
  PID:1344
- C:\Windows\System32\reg.exe
  reg.exe add HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile /v NoLazyMode /t REG_DWORD /d 0 /f
  2⤵
  - Modifies registry key
  PID:2416
- C:\Windows\System32\reg.exe
  reg.exe add HKLM\SYSTEM\CurrentControlSet\Services\amdlog /v Start /t REG_DWORD /d 3 /f
  2⤵
  PID:2544
- C:\Windows\System32\reg.exe
  reg.exe add HKLM\SYSTEM\ControlSet001\Services\TapiSrv /v Start /t REG_DWORD /d 3 /f
  2⤵
  - Modifies registry key
  PID:3892
- C:\Windows\System32\reg.exe
  reg.exe add HKLM\SYSTEM\ControlSet001\Services\FontCache3.0.0.0 /v Start /t REG_DWORD /d 3 /f
  2⤵
  PID:4460
- C:\Windows\System32\reg.exe
  reg.exe add HKLM\SYSTEM\ControlSet001\Services\WpcMonSvc /v Start /t REG_DWORD /d 3 /f
  2⤵
  PID:2568
- C:\Windows\System32\reg.exe
  reg.exe add HKLM\SYSTEM\ControlSet001\Services\SEMgrSvc /v Start /t REG_DWORD /d 2 /f
  2⤵
  PID:4448
- C:\Windows\System32\reg.exe
  reg.exe add HKLM\SYSTEM\ControlSet001\Services\PNRPsvc /v Start /t REG_DWORD /d 3 /f
  2⤵
  PID:4336
- C:\Windows\System32\reg.exe
  reg.exe add HKLM\SYSTEM\ControlSet001\Services\WEPHOSTSVC /v Start /t REG_DWORD /d 3 /f
  2⤵
  - Modifies registry key
  PID:2864
- C:\Windows\System32\reg.exe
  reg.exe add HKLM\SYSTEM\ControlSet001\Services\p2psvc /v Start /t REG_DWORD /d 3 /f
  2⤵
  - Modifies registry key
  PID:808
- C:\Windows\System32\reg.exe
  reg.exe add HKLM\SYSTEM\ControlSet001\Services\p2pimsvc /v Start /t REG_DWORD /d 3 /f
  2⤵
  - Modifies registry key
  PID:4272
- C:\Windows\System32\reg.exe
  reg.exe add HKLM\SYSTEM\ControlSet001\Services\PhoneSvc /v Start /t REG_DWORD /d 3 /f
  2⤵
  - Modifies registry key
  PID:228
- C:\Windows\System32\reg.exe
  reg.exe add HKLM\SYSTEM\ControlSet001\Services\Wecsvc /v Start /t REG_DWORD /d 3 /f
  2⤵
  - Modifies registry key
  PID:4708
- C:\Windows\System32\reg.exe
  reg.exe add HKLM\SYSTEM\ControlSet001\Services\RmSvc /v Start /t REG_DWORD /d 3 /f
  2⤵
  PID:540
- C:\Windows\System32\reg.exe
  reg.exe add HKLM\SYSTEM\ControlSet001\Services\SensorDataService /v Start /t REG_DWORD /d 3 /f
  2⤵
  PID:2600
- C:\Windows\System32\reg.exe
  reg.exe add HKLM\SYSTEM\ControlSet001\Services\SensrSvc /v Start /t REG_DWORD /d 3 /f
  2⤵
  PID:3752
- C:\Windows\System32\reg.exe
  reg.exe add HKLM\SYSTEM\ControlSet001\Services\perceptionsimulation /v Start /t REG_DWORD /d 3 /f
  2⤵
  - Modifies registry key
  PID:4824
- C:\Windows\System32\reg.exe
  reg.exe add HKLM\SYSTEM\ControlSet001\Services\StiSvc /v Start /t REG_DWORD /d 3 /f
  2⤵
  - Modifies registry key
  PID:3672
- C:\Windows\System32\reg.exe
  reg.exe add HKLM\SYSTEM\ControlSet001\Services\OneSyncSvc /v Start /t REG_DWORD /d 2 /f
  2⤵
  PID:4424
- C:\Windows\System32\reg.exe
  reg.exe add HKLM\SYSTEM\CurrentControlSet\Services\ConsentUxUserSvc /v Start /t REG_DWORD /d 3 /f
  2⤵
  PID:4492
- C:\Windows\System32\reg.exe
  reg.exe add HKLM\SYSTEM\CurrentControlSet\Services\DevicePickerUserSvc /v Start /t REG_DWORD /d 3 /f
  2⤵
  PID:1972
- C:\Windows\System32\reg.exe
  reg.exe add HKLM\SYSTEM\CurrentControlSet\Services\UnistoreSvc /v Start /t REG_DWORD /d 3 /f
  2⤵
  - Modifies registry key
  PID:4008
- C:\Windows\System32\reg.exe
  reg.exe add HKLM\SYSTEM\CurrentControlSet\Services\DevicesFlowUserSvc /v Start /t REG_DWORD /d 3 /f
  2⤵
  PID:2808
- C:\Windows\System32\reg.exe
  reg.exe add HKLM\SYSTEM\ControlSet001\Services\WMPNetworkSvc /v Start /t REG_DWORD /d 3
  2⤵
  PID:4820
- C:\Windows\System32\reg.exe
  reg.exe add HKLM\SYSTEM\CurrentControlSet\Services\CaptureService /v Start /t REG_DWORD /d 3 /f
  2⤵
  PID:3908
- C:\Windows\System32\reg.exe
  reg.exe add HKLM\SYSTEM\ControlSet001\Services\autotimesvc /v Start /t REG_DWORD /d 3 /f
  2⤵
  PID:4968
- C:\Windows\System32\reg.exe
  reg.exe add HKLM\SYSTEM\CurrentControlSet\Services\MessagingService /v Start /t REG_DWORD /d 3 /f
  2⤵
  - Modifies registry key
  PID:3524
- C:\Windows\System32\reg.exe
  reg.exe add HKLM\SYSTEM\CurrentControlSet\Services\CDPUserSvc /v Start /t REG_DWORD /d 2 /f
  2⤵
  PID:1196
- C:\Windows\System32\reg.exe
  reg.exe add HKLM\SYSTEM\CurrentControlSet\Services\PimIndexMaintenanceSvc /v Start /t REG_DWORD /d 3 /f
  2⤵
  PID:2972
- C:\Windows\System32\reg.exe
  reg.exe add HKLM\SYSTEM\CurrentControlSet\Services\BcastDVRUserService /v Start /t REG_DWORD /d 3 /f
  2⤵
  - Modifies registry key
  PID:3200
- C:\Windows\System32\reg.exe
  reg.exe add HKLM\SYSTEM\CurrentControlSet\Services\UserDataSvc /v Start /t REG_DWORD /d 3 /f
  2⤵
  - Modifies registry key
  PID:2312
- C:\Windows\System32\reg.exe
  reg.exe add HKLM\SYSTEM\CurrentControlSet\Services\DeviceAssociationBrokerSvc /v Start /t REG_DWORD /d 3 /f
  2⤵
  - Modifies registry key
  PID:2780
- C:\Windows\System32\reg.exe
  reg.exe add HKLM\SYSTEM\ControlSet001\Services\edgeupdatem /v Start /t REG_DWORD /d 3 /f
  2⤵
  PID:4972
- C:\Windows\System32\reg.exe
  reg.exe add HKLM\SYSTEM\ControlSet001\Services\MicrosoftEdgeElevationService /v Start /t REG_DWORD /d 3 /f
  2⤵
  PID:4936
- C:\Windows\System32\reg.exe
  reg.exe add HKLM\SYSTEM\ControlSet001\Services\ALG /v Start /t REG_DWORD /d 3 /f
  2⤵
  PID:3496
- C:\Windows\System32\reg.exe
  reg.exe add HKLM\SYSTEM\ControlSet001\Services\IpxlatCfgSvc /v Start /t REG_DWORD /d 3 /f
  2⤵
  - Modifies registry key
  PID:4064
- C:\Windows\System32\reg.exe
  reg.exe add HKLM\SYSTEM\ControlSet001\Services\icssvc /v Start /t REG_DWORD /d 3 /f
  2⤵
  PID:4840
- C:\Windows\System32\reg.exe
  reg.exe add HKLM\SYSTEM\ControlSet001\Services\DusmSvc /v Start /t REG_DWORD /d 2 /f
  2⤵
  PID:4264
- C:\Windows\System32\reg.exe
  reg.exe add HKLM\SYSTEM\ControlSet001\Services\MapsBroker /v Start /t REG_DWORD /d 2 /f
  2⤵
  - Modifies registry key
  PID:4916
- C:\Windows\System32\reg.exe
  reg.exe add HKLM\SYSTEM\ControlSet001\Services\SensorService /v Start /t REG_DWORD /d 3 /f
  2⤵
  - Modifies registry key
  PID:1188
- C:\Windows\System32\reg.exe
  reg.exe add HKLM\SYSTEM\ControlSet001\Services\svsvc /v Start /t REG_DWORD /d 3 /f
  2⤵
  PID:3000
- C:\Windows\System32\reg.exe
  reg.exe add HKLM\SYSTEM\ControlSet001\Services\MSiSCSI /v Start /t REG_DWORD /d 3 /f
  2⤵
  PID:3972
- C:\Windows\System32\reg.exe
  reg.exe add HKLM\SYSTEM\ControlSet001\Services\Netlogon /v Start /t REG_DWORD /d 3 /f
  2⤵
  - Modifies registry key
  PID:2568
- C:\Windows\System32\reg.exe
  reg.exe add HKLM\SYSTEM\ControlSet001\Services\CscService /v Start /t REG_DWORD /d 3 /f
  2⤵
  PID:1956
- C:\Windows\System32\reg.exe
  reg.exe add HKLM\SYSTEM\ControlSet001\Services\AppReadiness /v Start /t REG_DWORD /d 3 /f
  2⤵
  - Modifies registry key
  PID:1964
- C:\Windows\System32\reg.exe
  reg.exe add HKLM\SYSTEM\ControlSet001\Services\wisvc /v Start /t REG_DWORD /d 3 /f
  2⤵
  - Modifies registry key
  PID:4716
- C:\Windows\System32\reg.exe
  reg.exe add HKLM\SYSTEM\ControlSet001\Services\lltdsvc /v Start /t REG_DWORD /d 3 /f
  2⤵
  PID:2904
- C:\Windows\System32\reg.exe
  reg.exe add HKLM\SYSTEM\ControlSet001\Services\TrkWks /v Start /t REG_DWORD /d 2 /f
  2⤵
  PID:1556
- C:\Windows\System32\reg.exe
  reg.exe add HKLM\SYSTEM\ControlSet001\Services\AppIDSvc /v Start /t REG_DWORD /d 3 /f
  2⤵
  PID:2972
- C:\Windows\System32\reg.exe
  reg.exe add HKLM\SYSTEM\ControlSet001\Services\CryptSvc /v Start /t REG_DWORD /d 2 /f
  2⤵
  PID:2400
- C:\Windows\System32\reg.exe
  reg.exe add HKLM\SOFTWARE\Policies\Microsoft\Windows\LocationAndSensors /v DisableLocation /t REG_DWORD /d 0 /f
  2⤵
  PID:2928
- C:\Windows\System32\reg.exe
  reg.exe add HKLM\SOFTWARE\Policies\Microsoft\Windows\LocationAndSensors /v DisableLocationScripting /t REG_DWORD /d 0 /f
  2⤵
  PID:2136
- C:\Windows\System32\reg.exe
  reg.exe add HKLM\SOFTWARE\Policies\Microsoft\Windows\LocationAndSensors /v DisableSensors /t REG_DWORD /d 0 /f
  2⤵
  - Modifies registry key
  PID:4528
- C:\Windows\System32\reg.exe
  reg.exe add HKLM\SOFTWARE\Policies\Microsoft\Windows\LocationAndSensors /v DisableWindowsLocationProvider /t REG_DWORD /d 0 /f
  2⤵
  PID:1512
- C:\Windows\System32\reg.exe
  reg.exe add HKLM\SYSTEM\CurrentControlSet\Services\lfsvc /v Start /t REG_DWORD /d 3 /f
  2⤵
  - Modifies registry key
  PID:2160
- C:\Windows\System32\reg.exe
  reg.exe add HKLM\SYSTEM\CurrentControlSet\Services\lfsvc\Service\Configuration /v Status /t REG_DWORD /d 1 /f
  2⤵
  PID:628
- C:\Windows\System32\reg.exe
  reg.exe add HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Sensor\Permissions /v SensorPermissionState /t REG_DWORD /d 1 /f
  2⤵
  PID:4244
- C:\Windows\System32\reg.exe
  reg.exe add HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Sensor\Overrides /v SensorPermissionState /t REG_DWORD /d 1 /f
  2⤵
  PID:4220
- C:\Windows\System32\reg.exe
  reg.exe add HKLM\SYSTEM\ControlSet001\Services\DiagTrack /v Start /t REG_DWORD /d 3 /f
  2⤵
  - Modifies registry key
  PID:3712
- C:\Windows\System32\reg.exe
  reg.exe add HKLM\SYSTEM\ControlSet001\Services\diagsvc /v Start /t REG_DWORD /d 3 /f
  2⤵
  - Modifies registry key
  PID:384
- C:\Windows\System32\reg.exe
  reg.exe add HKLM\SYSTEM\ControlSet001\Services\dmwappushsvc /v Start /t REG_DWORD /d 3 /f
  2⤵
  PID:2720
- C:\Windows\System32\reg.exe
  reg.exe add HKLM\SYSTEM\ControlSet001\Services\diagnosticshub.standardcollector.service /v Start /t REG_DWORD /d 3 /f
  2⤵
  - Modifies registry key
  PID:2844
- C:\Windows\System32\reg.exe
  reg.exe add HKLM\SYSTEM\ControlSet001\Services\TroubleshootingSvc /v Start /t REG_DWORD /d 3 /f
  2⤵
  PID:5088
- C:\Windows\System32\reg.exe
  reg.exe add HKLM\SYSTEM\ControlSet001\Services\DsSvc /v Start /t REG_DWORD /d 3 /f
  2⤵
  - Modifies registry key
  PID:4820
- C:\Windows\System32\reg.exe
  reg.exe add HKLM\SYSTEM\CurrentControlSet\Services\dmwappushservice /v Start /t REG_DWORD /d 3 /f
  2⤵
  PID:1180
- C:\Windows\System32\reg.exe
  reg.exe add HKLM\SOFTWARE\Policies\Microsoft\Windows\Explorer /v NoUseStoreOpenWith /t REG_DWORD /d 0 /f
  2⤵
  PID:4936
- C:\Windows\System32\reg.exe
  reg.exe add HKLM\SYSTEM\ControlSet001\Services\FrameServer /v Start /t REG_DWORD /d 3 /f
  2⤵
  - Modifies registry key
  PID:1512
- C:\Windows\System32\reg.exe
  reg.exe add HKCU\System\GameConfigStore /v GameDVR_Enabled /t REG_DWORD /d 1 /f
  2⤵
  PID:2160
- C:\Windows\System32\reg.exe
  reg.exe add HKLM\Software\Policies\Microsoft\Windows /v AllowGameDVR /t REG_DWORD /d 1 /f
  2⤵
  PID:4064
- C:\Windows\System32\reg.exe
  reg.exe add HKLM\SYSTEM\ControlSet001\Control\PriorityControl /v Win32PrioritySeparation /t REG_DWORD /d 28 /f
  2⤵
  - Modifies registry key
  PID:4264
- C:\Windows\System32\reg.exe
  reg.exe add HKLM\SYSTEM\ControlSet001\Control\Session Manager\Memory Management\PrefetchParameters /v EnablePrefetcher /t REG_DWORD /d 1 /f
  2⤵
  PID:3104
- C:\Windows\System32\reg.exe
  reg.exe add HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters /v EnablePrefetcher /t REG_DWORD /d 1 /f
  2⤵
  PID:1396
- C:\Windows\System32\reg.exe
  reg.exe add HKLM\Software\Microsoft\Windows\CurrentVersion\WINEVt\Channels\Microsoft-Windows-Superfetch/Main /v Enabled /t REG_DWORD /d 1 /f
  2⤵
  - Modifies registry key
  PID:1188
- C:\Windows\System32\reg.exe
  reg.exe add HKLM\Software\Microsoft\Windows\CurrentVersion\WINEVt\Channels\Microsoft-Windows-Superfetch/PfApLog /v Enabled /t REG_DWORD /d 1 /f
  2⤵
  - Modifies registry key
  PID:1028
- C:\Windows\System32\reg.exe
  reg.exe add HKLM\Software\Microsoft\Windows\CurrentVersion\WINEVt\Channels\Microsoft-Windows-Superfetch/StoreLog /v Enabled /t REG_DWORD /d 1 /f
  2⤵
  PID:2248
- C:\Windows\System32\reg.exe
  reg.exe add HKLM\SYSTEM\CurrentControlSet\Servicesmouclass\Parameters /v MouseDataQueueSize /t REG_DWORD /d 100 /f
  2⤵
  PID:5112
- C:\Windows\System32\reg.exe
  reg.exe add HKLM\SYSTEM\CurrentControlSet\Services\kbdclass\Parameters /v KeyboardDataQueueSize /t REG_DWORD /d 100 /f
  2⤵
  - Modifies registry key
  PID:2844
- C:\Windows\System32\reg.exe
  reg.exe add HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management /v FeatureSettingsOverride /t REG_DWORD /d 2 /f
  2⤵
  - Modifies registry key
  PID:2904
- C:\Windows\System32\reg.exe
  reg.exe add HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management /v FeatureSettingsOverrideMask /t REG_DWORD /d 2 /f
  2⤵
  PID:4528
- C:\Windows\System32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SOftWARE\Policies\Microsoft\Windows\QoS\fortnite" /v "Application Name" /t REG_SZ /d "fortniteclient-win64-shipping.exe" /f
  2⤵
  PID:4936
- C:\Windows\System32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SOftWARE\Policies\Microsoft\Windows\QoS\fortnite" /v "DSCP value" /t REG_SZ /d "46" /f
  2⤵
  PID:2196
- C:\Windows\System32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SOftWARE\Policies\Microsoft\Windows\QoS\fortnite" /v "Local IP" /t REG_SZ /d "*" /f
  2⤵
  PID:2500
- C:\Windows\System32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SOftWARE\Policies\Microsoft\Windows\QoS\fortnite" /v "Local IP Prefix Length" /t REG_SZ /d "*" /f
  2⤵
  PID:628
- C:\Windows\System32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SOftWARE\Policies\Microsoft\Windows\QoS\fortnite" /v "Local Port" /t REG_SZ /d "*" /f
  2⤵
  PID:3280
- C:\Windows\System32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SOftWARE\Policies\Microsoft\Windows\QoS\fortnite" /v "Protocol" /t REG_SZ /d "UDP" /f
  2⤵
  PID:4612
- C:\Windows\System32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SOftWARE\Policies\Microsoft\Windows\QoS\fortnite" /v "Remote IP" /t REG_SZ /d "*" /f
  2⤵
  PID:4944
- C:\Windows\System32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SOftWARE\Policies\Microsoft\Windows\QoS\fortnite" /v "Remote IP Prefix Length" /t REG_SZ /d "*" /f
  2⤵
  PID:3892
- C:\Windows\System32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SOftWARE\Policies\Microsoft\Windows\QoS\fortnite" /v "Remote Port" /t REG_SZ /d "*" /f
  2⤵
  PID:1564
- C:\Windows\System32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SOftWARE\Policies\Microsoft\Windows\QoS\fortnite" /v "throttle Rate" /t REG_SZ /d "-1" /f
  2⤵
  PID:4188
- C:\Windows\System32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SOftWARE\Policies\Microsoft\Windows\QoS\fortnite" /v "version" /t REG_SZ /d "1.0" /f
  2⤵
  PID:4896
- C:\Windows\System32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power\PowerSettings\54533251-82be-4824-96c1-47b60b740d00\0cc5b647-c1df-4637-891a-dec35c318583" /v "ValueMin" /t REG_DWORD /d "0" /f
  2⤵
  PID:2332
- C:\Windows\System32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\FileSystem" /v "NTFSDisableLastAccessUpdate" /t REG_DWORD /d "1" /f
  2⤵
  PID:3780
- C:\Windows\System32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\FileSystem" /v "ContigFileAllocSize" /t REG_DWORD /d "64" /f
  2⤵
  PID:1028
- C:\Windows\System32\reg.exe
  Reg.exe add "HKCU\Control Panel\Desktop" /v "AutoEndTasks" /t REG_SZ /d "1" /f
  2⤵
  PID:2568
- C:\Windows\System32\reg.exe
  Reg.exe add "HKCU\Control Panel\Desktop" /v "MenuShowDelay" /t REG_SZ /d "0" /f
  2⤵
  PID:396
- C:\Windows\System32\reg.exe
  Reg.exe add "HKCU\Control Panel\Desktop" /v "WaitToKillAppTimeout" /t REG_SZ /d "5000" /f
  2⤵
  PID:1032
- C:\Windows\System32\reg.exe
  Reg.exe add "HKCU\Control Panel\Desktop" /v "WaitToKillServiceTimeout" /t REG_SZ /d "1000" /f
  2⤵
  PID:2312
- C:\Windows\System32\reg.exe
  Reg.exe add "HKCU\Control Panel\Desktop" /v "HungAppTimeout" /t REG_SZ /d "4000" /f
  2⤵
  PID:1640
- C:\Windows\System32\reg.exe
  Reg.exe add "HKCU\Control Panel\Desktop" /v "LowLevelHooksTimeout" /t REG_SZ /d "1000" /f
  2⤵
  PID:4708
- C:\Windows\System32\reg.exe
  Reg.exe add "HKCU\Control Panel\Desktop" /v "ForegroundLockTimeout" /t REG_SZ /d "150000" /f
  2⤵
  PID:2340
- C:\Windows\System32\reg.exe
  Reg.exe add "HKCU\SOFTWARE\Microsoft\Games" /v "FpsAll" /t REG_DWORD /d "1" /f
  2⤵
  PID:3904
- C:\Windows\System32\reg.exe
  Reg.exe add "HKCU\SOFTWARE\Microsoft\Games" /v "GameFluidity" /t REG_DWORD /d "1" /f
  2⤵
  PID:4424
- C:\Windows\System32\reg.exe
  Reg.exe add "HKCU\SOFTWARE\Microsoft\Games" /v "FpsStatusGames" /t REG_DWORD /d "16" /f
  2⤵
  PID:4080
- C:\Windows\System32\reg.exe
  Reg.exe add "HKCU\SOFTWARE\Microsoft\Games" /v "FpsStatusGamesAll" /t REG_DWORD /d "4" /f
  2⤵
  PID:4064
- C:\Windows\System32\reg.exe
  Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Games" /v "Affinity" /t REG_DWORD /d "0" /f
  2⤵
  PID:3848
- C:\Windows\System32\reg.exe
  Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Games" /v "Background Only" /t REG_SZ /d "False" /f
  2⤵
  PID:1508
- C:\Windows\System32\reg.exe
  Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Games" /v "Clock Rate" /t REG_DWORD /d "10000" /f
  2⤵
  PID:4160
- C:\Windows\System32\reg.exe
  Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Games" /v "GPU Priority" /t REG_DWORD /d "8" /f
  2⤵
  PID:2760
- C:\Windows\System32\reg.exe
  Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Games" /v "Priority" /t REG_DWORD /d "2" /f
  2⤵
  PID:1524
- C:\Windows\System32\reg.exe
  Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Games" /v "Scheduling Category" /t REG_SZ /d "High" /f
  2⤵
  PID:4124
- C:\Windows\System32\reg.exe
  Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Games" /v "SFIO Priority" /t REG_SZ /d "High" /f
  2⤵
  PID:540
- C:\Windows\System32\reg.exe
  Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Games" /v "Latency Sensitive" /t REG_SZ /d "True" /f
  2⤵
  PID:2808
- C:\Windows\System32\reg.exe
  Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Low Latency" /v "Affinity" /t REG_DWORD /d "0" /f
  2⤵
  PID:2576
- C:\Windows\System32\reg.exe
  Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Low Latency" /v "Background Only" /t REG_SZ /d "False" /f
  2⤵
  PID:4588
- C:\Windows\System32\reg.exe
  Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Low Latency" /v "Clock Rate" /t REG_DWORD /d "10000" /f
  2⤵
  PID:2588
- C:\Windows\System32\reg.exe
  Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Low Latency" /v "GPU Priority" /t REG_DWORD /d "8" /f
  2⤵
  PID:4084
- C:\Windows\System32\reg.exe
  Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Low Latency" /v "Priority" /t REG_DWORD /d "2" /f
  2⤵
  PID:3400
- C:\Windows\System32\reg.exe
  Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Low Latency" /v "Scheduling Category" /t REG_SZ /d "High" /f
  2⤵
  PID:4892
- C:\Windows\System32\reg.exe
  Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Low Latency" /v "SFIO Priority" /t REG_SZ /d "High" /f
  2⤵
  PID:4636
- C:\Windows\System32\reg.exe
  Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Low Latency" /v "Latency Sensitive" /t REG_SZ /d "True" /f
  2⤵
  PID:4244
- C:\Windows\System32\reg.exe
  Reg.exe add "HKLM\System\CurrentControlSet\Services\VxD\BIOS" /v "CPUPriority" /t REG_DWORD /d "1" /f
  2⤵
  PID:3640
- C:\Windows\System32\reg.exe
  Reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows\QoS" /v "Tcp Autotuning Level" /t REG_SZ /d "Off" /f
  2⤵
  PID:3608
- C:\Windows\System32\reg.exe
  Reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows\QoS" /v "Tcp Autotuning Level" /t REG_SZ /d "Highly Restricted" /f
  2⤵
  PID:836
- C:\Windows\System32\reg.exe
  Reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows\QoS" /v "Tcp Autotuning Level" /t REG_SZ /d "Restricted" /f
  2⤵
  PID:384
- C:\Windows\System32\reg.exe
  Reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows\QoS" /v "Tcp Autotuning Level" /t REG_SZ /d "Normal" /f
  2⤵
  PID:3476
- C:\Windows\System32\reg.exe
  Reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows\QoS" /v "Application DSCP Marking Request" /t REG_SZ /d "Ignored" /f
  2⤵
  PID:4336
- C:\Windows\System32\reg.exe
  Reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows\QoS" /v "Application DSCP Marking Request" /t REG_SZ /d "Allowed" /f
  2⤵
  PID:3972
- C:\Windows\System32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\services\Tcpip\QoS" /v "Do not use NLA" /t REG_SZ /d "1" /f
  2⤵
  PID:4972
- C:\Windows\System32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters" /v "DisableUserTOSSetting" /t REG_DWORD /d "0" /f
  2⤵
  PID:4388
- C:\Windows\System32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\services\NlaSvc\Parameters\Internet" /v "CorpLocationProbeTimeout" /t REG_DWORD /d "30" /f
  2⤵
  PID:2844
- C:\Windows\System32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\services\NlaSvc\Parameters\Internet" /v "LdapTimeoutMs" /t REG_DWORD /d "5000" /f
  2⤵
  PID:2904
- C:\Windows\System32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\services\NlaSvc\Parameters\Internet" /v "ShowDomainEndpointInterfaces" /t REG_DWORD /d "1" /f
  2⤵
  PID:1744
- C:\Windows\System32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\services\NlaSvc\Parameters\Internet" /v "EnableNoGatewayLocationDetection" /t REG_DWORD /d "1" /f
  2⤵
  PID:2340
- C:\Windows\System32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\services\NlaSvc\Parameters\Internet" /v "MinimumInternetHopCount" /t REG_DWORD /d "2" /f
  2⤵
  PID:3904
- C:\Windows\System32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\GraphicsDrivers" /v "RmGpsPsEnablePerCpuCoreDpc" /t REG_DWORD /d "1" /f
  2⤵
  PID:2876
- C:\Windows\System32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\Power" /v "RmGpsPsEnablePerCpuCoreDpc" /t REG_DWORD /d "1" /f
  2⤵
  PID:4292
- C:\Windows\System32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\nvlddmkm" /v "RmGpsPsEnablePerCpuCoreDpc" /t REG_DWORD /d "1" /f
  2⤵
  PID:1796
- C:\Windows\System32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\nvlddmkm\NVAPI" /v "RmGpsPsEnablePerCpuCoreDpc" /t REG_DWORD /d "1" /f
  2⤵
  PID:1508
- C:\Windows\System32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\nvlddmkm\Global\NVTweak" /v "RmGpsPsEnablePerCpuCoreDpc" /t REG_DWORD /d "1" /f
  2⤵
  PID:1384
- C:\Windows\System32\reg.exe
  Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Reliability" /v "TimeStampInterval" /t REG_DWORD /d "0" /f
  2⤵
  PID:2416
- C:\Windows\System32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Diagnostics\Performance" /F /V "DisableDiagnosticTracing" /T REG_DWORD /d 1
  2⤵
  PID:2600
- C:\Windows\System32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Power" /F /V "EventProcessorEnabled" /T REG_DWORD /d 0
  2⤵
  PID:4472
- C:\Windows\System32\reg.exe
  REG ADD "HKLM\SYSTEM\CurrentControlSet\Services\DXGKrnl" /F /V "MonitorLatencyTolerance" /T REG_DWORD /d 0
  2⤵
  PID:5096
- C:\Windows\System32\reg.exe
  REG ADD "HKLM\SYSTEM\CurrentControlSet\Services\DXGKrnl" /F /V "MonitorRefreshLatencyTolerance" /T REG_DWORD /d 0
  2⤵
  PID:736
- C:\Windows\System32\reg.exe
  REG ADD "HKEY_CURRENT_USER\Control Panel\Desktop" /F /V "MenuShowDelay" /T REG_SZ /d 0
  2⤵
  PID:3584
- C:\Windows\System32\reg.exe
  REG ADD "HKEY_CURRENT_USER\Control Panel\Mouse" /F /V "MouseSensitivity" /T REG_SZ /d 0
  2⤵
  PID:4680
- C:\Windows\System32\reg.exe
  REG ADD "HKEY_CURRENT_USER\Control Panel\Mouse" /F /V "SmoothMouseXCurve" /T REG_BINARY /d 0000000000000000C0CC0C0000000000809919000000000040662600000000000033330000000000
  2⤵
  PID:2808
- C:\Windows\System32\reg.exe
  REG ADD "HKEY_CURRENT_USER\Control Panel\Mouse" /F /V "SmoothMouseYCurve" /T REG_BINARY /d 0000000000000000000038000000000000007000000000000000A800000000000000E00000000000
  2⤵
  PID:2068
- C:\Windows\System32\reg.exe
  REG ADD "HKEY_CURRENT_USER\Control Panel\Mouse" /F /V "MouseSpeed" /T REG_SZ /d 0
  2⤵
  PID:4808
- C:\Windows\System32\reg.exe
  REG ADD "HKEY_CURRENT_USER\Control Panel\Mouse" /F /V "MouseThreshold1" /T REG_SZ /d 0
  2⤵
  PID:1264
- C:\Windows\System32\reg.exe
  REG ADD "HKEY_CURRENT_USER\Control Panel\Mouse" /F /V "MouseThreshold2" /T REG_SZ /d 0
  2⤵
  PID:3008
- C:\Windows\System32\reg.exe
  REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\PriorityControl" /v "ConvertibleSlateMode" /t REG_DWORD /d "0" /f
  2⤵
  PID:4644
- C:\Windows\System32\reg.exe
  REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\PriorityControl" /v "Win32PrioritySeparation" /t REG_DWORD /d "40" /f
  2⤵
  PID:184
- C:\Windows\System32\reg.exe
  REG ADD "HKLM\SOFTWARE\Microsoft\PolicyManager\current\device\Update" /v "ExcludeWUDriversInQualityUpdate" /t REG_DWORD /d "1" /f
  2⤵
  PID:4380
- C:\Windows\System32\reg.exe
  REG ADD "HKLM\SOFTWARE\Microsoft\PolicyManager\default\Update" /v "ExcludeWUDriversInQualityUpdate" /t REG_DWORD /d "1" /f
  2⤵
  PID:2544
- C:\Windows\System32\reg.exe
  REG ADD "HKLM\SOFTWARE\Microsoft\PolicyManager\default\Update\ExcludeWUDriversInQualityUpdate" /v "value" /t REG_DWORD /d "1" /f
  2⤵
  PID:456
- C:\Windows\System32\reg.exe
  reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\VisualEffects" /v "VisualFXSetting" /t REG_DWORD /d "3" /f
  2⤵
  PID:3640
- C:\Windows\System32\reg.exe
  reg add "HKCU\Control Panel\Desktop" /v "DragFullWindows" /t REG_SZ /d "0" /f reg add "HKCU\Control Panel\Desktop" /v "FontSmoothing" /t REG_SZ /d "2" /f
  2⤵
  PID:836
- C:\Windows\System32\reg.exe
  reg add "HKCU\Control Panel\Desktop" /v "UserPreferencesMask" /t REG_BINARY /d "9012038010020000" /f
  2⤵
  PID:3780
- C:\Windows\System32\reg.exe
  reg add "HKCU\Control Panel\Desktop\WindowMetrics" /v "MinAnimate" /t REG_SZ /d "0" /f
  2⤵
  PID:3476
- C:\Windows\System32\reg.exe
  reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer" /v "ShellState" /t REG_BINARY /d "240000003E28000000000000000000000000000001000000130000000000000072000000" /f
  2⤵
  PID:3888
- C:\Windows\System32\reg.exe
  reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "IconsOnly" /t REG_DWORD /d "1" /f
  2⤵
  PID:4336
- C:\Windows\System32\reg.exe
  reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "ListviewAlphaSelect" /t REG_DWORD /d "0" /f
  2⤵
  PID:3848
- C:\Windows\System32\reg.exe
  reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "ListviewShadow" /t REG_DWORD /d "0" /f
  2⤵
  PID:4472
- C:\Windows\System32\reg.exe
  reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "TaskbarAnimations" /t REG_DWORD /d "0" /f
  2⤵
  PID:5096
- C:\Windows\System32\reg.exe
  reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\CloudContent" /v "DisableWindowsConsumerFeatures" /t REG_DWORD /d "1" /f
  2⤵
  PID:736
- C:\Windows\System32\reg.exe
  reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WUDF" /v "LogEnable" /t REG_DWORD /d "0" /f reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WUDF" /v "LogLevel" /t REG_DWORD /d "0" /f
  2⤵
  PID:3584
- C:\Windows\System32\reg.exe
  reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "SubscribedContent-338389Enabled" /t REG_DWORD /d "0" /f
  2⤵
  PID:4588
- C:\Windows\System32\reg.exe
  reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Privacy" /v "TailoredExperiencesWithDiagnosticDataEnabled" /t REG_DWORD /d "0" /f
  2⤵
  PID:4404
- C:\Windows\System32\reg.exe
  reg add "HKLM\System\CurrentControlSet\Control\WMI\AutoLogger\AutoLogger-Diagtrack-Listener" /v "Start" /t REG_DWORD /d "0" /f
  2⤵
  PID:548
- C:\Windows\System32\reg.exe
  reg add "HKLM\System\CurrentControlSet\Control\WMI\AutoLogger\SQMLogger" /v "Start" /t REG_DWORD /d "0" /f
  2⤵
  PID:4128
- C:\Windows\System32\reg.exe
  reg add "HKLM\SOFTWARE\Policies\Microsoft\SQMClient\Windows" /v "CEIPEnable" /t REG_DWORD /d "0" /f
  2⤵
  PID:4388
- C:\Windows\System32\reg.exe
  reg add "HKLM\SOFTWARE\Policies\Microsoft\SQMClient" /v "CorporateSQMURL" /t REG_SZ /d "0.0.0.0" /f
  2⤵
  PID:2132
- C:\Windows\System32\reg.exe
  reg add "HKLM\SYSTEM\CurrentControlSet\Services\kbdclass\Parameters" /v "KeyboardDataQueueSize" /t REG_DWORD /d "16" /f reg add "HKLM\SYSTEM\CurrentControlSet\Services\mouclass\Parameters" /v "MouseDataQueueSize" /t REG_DWORD /d "16" /f
  2⤵
  PID:4528
- C:\Windows\System32\reg.exe
  Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Settings" /v "DownloadMode" /t REG_DWORD /d "0" /f
  2⤵
  PID:4100
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic PATH Win32_PnPEntity GET DeviceID | findstr /l "USB\VID_"
  2⤵
  PID:4064
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic PATH Win32_PnPEntity GET DeviceID
    3⤵
    PID:1856
- - C:\Windows\System32\findstr.exe
    findstr /l "USB\VID_"
    3⤵
    PID:4160
- C:\Windows\System32\reg.exe
  reg.exe add "HKLM\SYSTEM\ControlSet001\Enum\USB\VID_0627&PID_0001\28754-0000:00:04.0-1\Device Parameters" /v SelectiveSuspendOn /t REG_DWORD /d 00000000 /f
  2⤵
  PID:2468
- C:\Windows\System32\reg.exe
  reg.exe add "HKLM\SYSTEM\ControlSet001\Enum\USB\VID_0627&PID_0001\28754-0000:00:04.0-1\Device Parameters" /v SelectiveSuspendEnabled /t REG_BINARY /d 00 /f
  2⤵
  PID:3848
- C:\Windows\System32\reg.exe
  reg.exe add "HKLM\SYSTEM\ControlSet001\Enum\USB\VID_0627&PID_0001\28754-0000:00:04.0-1\Device Parameters" /v EnhancedPowerManagementEnabled /t REG_DWORD /d 00000000 /f
  2⤵
  PID:1604
- C:\Windows\System32\reg.exe
  reg.exe add "HKLM\SYSTEM\ControlSet001\Enum\USB\VID_0627&PID_0001\28754-0000:00:04.0-1\Device Parameters" /v AllowIdleIrpInD3 /t REG_DWORD /d 00000000 /f
  2⤵
  PID:1112
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic PATH Win32_USBHub GET DeviceID | findstr /l "USB\ROOT_HUB"
  2⤵
  PID:736
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic PATH Win32_USBHub GET DeviceID
    3⤵
    PID:2808
- - C:\Windows\System32\findstr.exe
    findstr /l "USB\ROOT_HUB"
    3⤵
    PID:3300
- C:\Windows\System32\reg.exe
  reg.exe add "HKLM\SYSTEM\ControlSet001\Enum\USB\ROOT_HUB20\4&3104EFD0&0\Device Parameters\WDF" /v IdleInWorkingState /t REG_DWORD /d 00000000 /f
  2⤵
  PID:932
- C:\Windows\System32\reg.exe
  reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverride /t REG_DWORD /d 3 /f reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverrideMask /t REG_DWORD /d 3 /f
  2⤵
  PID:4380
- C:\Windows\System32\netsh.exe
  netsh interface teredo set state disabled
  2⤵
  PID:5032
- C:\Windows\System32\netsh.exe
  netsh interface 6to4 set state disabled
  2⤵
  PID:4824
- C:\Windows\System32\netsh.exe
  netsh winsock reset
  2⤵
  PID:4440
- C:\Windows\System32\netsh.exe
  netsh int isatap set state disable
  2⤵
  PID:4608
- C:\Windows\System32\netsh.exe
  netsh int ip set global taskoffload=disabled
  2⤵
  PID:4892
- C:\Windows\System32\netsh.exe
  netsh int ip set global neighborcachelimit=4096
  2⤵
  PID:3512
- C:\Windows\System32\netsh.exe
  netsh int tcp set global timestamps=disabled
  2⤵
  PID:3884
- C:\Windows\System32\netsh.exe
  netsh int tcp set heuristics disabled
  2⤵
  PID:1344
- C:\Windows\System32\netsh.exe
  netsh int tcp set global autotuninglevel=disable
  2⤵
  PID:4456
- C:\Windows\System32\netsh.exe
  netsh int tcp set global chimney=disabled
  2⤵
  PID:4720
- C:\Windows\System32\netsh.exe
  netsh int tcp set global ecncapability=disabled
  2⤵
  PID:4316

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=17 --mojo-platform-channel-handle=3952 --field-trial-handle=2180,i,12780723798465539942,12010519452607841069,262144 --variations-seed-version /prefetch:1
1⤵
PID:4584

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=18 --mojo-platform-channel-handle=3548 --field-trial-handle=2180,i,12780723798465539942,12010519452607841069,262144 --variations-seed-version /prefetch:1
1⤵
PID:4180

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4948 --field-trial-handle=2180,i,12780723798465539942,12010519452607841069,262144 --variations-seed-version /prefetch:8
1⤵
PID:4756

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=20 --mojo-platform-channel-handle=5692 --field-trial-handle=2180,i,12780723798465539942,12010519452607841069,262144 --variations-seed-version /prefetch:1
1⤵
PID:3204

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=21 --mojo-platform-channel-handle=4704 --field-trial-handle=2180,i,12780723798465539942,12010519452607841069,262144 --variations-seed-version /prefetch:1
1⤵
PID:2188

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:756
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=122.0.6261.70 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=122.0.2365.52 --initial-client-data=0x238,0x23c,0x240,0x234,0x25c,0x7ffadb592e98,0x7ffadb592ea4,0x7ffadb592eb0
  2⤵
  PID:2228
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=2972 --field-trial-handle=2984,i,11838623443945918590,3760376823956242379,262144 --variations-seed-version /prefetch:2
  2⤵
  PID:1812
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=3280 --field-trial-handle=2984,i,11838623443945918590,3760376823956242379,262144 --variations-seed-version /prefetch:3
  2⤵
  PID:1588
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=3480 --field-trial-handle=2984,i,11838623443945918590,3760376823956242379,262144 --variations-seed-version /prefetch:8
  2⤵
  PID:2908
- C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=4448 --field-trial-handle=2984,i,11838623443945918590,3760376823956242379,262144 --variations-seed-version /prefetch:8
  2⤵
  PID:3648
- C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=4448 --field-trial-handle=2984,i,11838623443945918590,3760376823956242379,262144 --variations-seed-version /prefetch:8
  2⤵
  PID:1876
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=4460 --field-trial-handle=2984,i,11838623443945918590,3760376823956242379,262144 --variations-seed-version /prefetch:8
  2⤵
  PID:4064
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=4152 --field-trial-handle=2984,i,11838623443945918590,3760376823956242379,262144 --variations-seed-version /prefetch:8
  2⤵
  PID:2576
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=4656 --field-trial-handle=2984,i,11838623443945918590,3760376823956242379,262144 --variations-seed-version /prefetch:8
  2⤵
  PID:2316
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAABEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=2300 --field-trial-handle=2984,i,11838623443945918590,3760376823956242379,262144 --variations-seed-version /prefetch:8
  2⤵
  PID:2312

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4024

C:\Windows\explorer.exe
explorer.exe
1⤵
- Modifies Installed Components in the registry
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4292

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4924

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4208

C:\Windows\explorer.exe
explorer.exe
1⤵
- Modifies Installed Components in the registry
- Modifies registry class
PID:640

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:4440

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:2588

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:752

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:2748

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:2144

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:4472

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:2044

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:2208

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:2568

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s DeviceInstall
1⤵
PID:3692

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3904

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4404

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:228

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:4024

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:2160

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:1440

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:836

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:3416

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:4916

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:2572

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3956

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:4636

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:3000

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3764

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3920

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:384

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3620

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3640

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

System Information Discovery