997c25a854bcf345ee3514a2a062a0d49daaf031d9315b840570d13e0fdc8c2a

Analysis

max time kernel
128s
max time network
131s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
15/07/2024, 14:22

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

HoneCtrl (1).bat
Size

177KB
MD5

b1ee77ea41f9ee41793d18b06763aa25
SHA1

d372110f0c5880dfb545d7ed301ffaf331330831
SHA256

997c25a854bcf345ee3514a2a062a0d49daaf031d9315b840570d13e0fdc8c2a
SHA512

0da2149af99a1060cc3b75b8a952537f482df9f09e7ff8f0e54bf0c3018de8c24824e729f736729f6229e42790ad1505ff000d08181baa9db0a5d46b484592eb
SSDEEP

3072:9EcaeSeExbWLfVXxM4aNe1cKZCNP8R7RD19v6Y/MV9l9LO9uXPGW6EWu2dwOfimU:9EteSeExbWNZCNP8R7RD19vz6zjg+zhz

Score

9^/10

evasion persistence ransomware

Malware Config

Signatures

Modifies boot configuration data using bcdedit 1 TTPs 3 IoCs

ransomware evasion

Inhibit System Recovery

T1490

pid	Process
4684	bcdedit.exe
3028	bcdedit.exe
1072	bcdedit.exe

Downloads MZ/PE file

Event Triggered Execution: Image File Execution Options Injection 1 TTPs 7 IoCs

persistence

Image File Execution Options Injection

T1546.012

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\csrss.exe\PerfOptions	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\csrss.exe\PerfOptions\CpuPriorityClass = "4"	reg.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\csrss.exe\PerfOptions	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\csrss.exe\PerfOptions\IoPriority = "3"	reg.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\csrss.exe\PerfOptions	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\csrss.exe	reg.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation	rundll32.exe

Executes dropped EXE 1 IoCs

pid	Process
3644	SetTimerResolutionService.exe

Loads dropped DLL 2 IoCs

pid	Process
2512	InstallUtil.exe
2512	InstallUtil.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
29	raw.githubusercontent.com
30	raw.githubusercontent.com
47	raw.githubusercontent.com

Launches sc.exe 16 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
3932	sc.exe
636	sc.exe
4332	sc.exe
4452	sc.exe
4100	sc.exe
4636	sc.exe
1940	sc.exe
2068	sc.exe
4504	sc.exe
3048	sc.exe
4532	sc.exe
1124	sc.exe
3932	sc.exe
2356	sc.exe
4100	sc.exe
2600	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry key 1 TTPs 2 IoCs

Modify Registry

T1112

pid	Process
1364	reg.exe
3176	reg.exe

Runs net.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	4140	WMIC.exe
Token: SeSecurityPrivilege	4140	WMIC.exe
Token: SeTakeOwnershipPrivilege	4140	WMIC.exe
Token: SeLoadDriverPrivilege	4140	WMIC.exe
Token: SeSystemProfilePrivilege	4140	WMIC.exe
Token: SeSystemtimePrivilege	4140	WMIC.exe
Token: SeProfSingleProcessPrivilege	4140	WMIC.exe
Token: SeIncBasePriorityPrivilege	4140	WMIC.exe
Token: SeCreatePagefilePrivilege	4140	WMIC.exe
Token: SeBackupPrivilege	4140	WMIC.exe
Token: SeRestorePrivilege	4140	WMIC.exe
Token: SeShutdownPrivilege	4140	WMIC.exe
Token: SeDebugPrivilege	4140	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4140	WMIC.exe
Token: SeRemoteShutdownPrivilege	4140	WMIC.exe
Token: SeUndockPrivilege	4140	WMIC.exe
Token: SeManageVolumePrivilege	4140	WMIC.exe
Token: 33	4140	WMIC.exe
Token: 34	4140	WMIC.exe
Token: 35	4140	WMIC.exe
Token: 36	4140	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4140	WMIC.exe
Token: SeSecurityPrivilege	4140	WMIC.exe
Token: SeTakeOwnershipPrivilege	4140	WMIC.exe
Token: SeLoadDriverPrivilege	4140	WMIC.exe
Token: SeSystemProfilePrivilege	4140	WMIC.exe
Token: SeSystemtimePrivilege	4140	WMIC.exe
Token: SeProfSingleProcessPrivilege	4140	WMIC.exe
Token: SeIncBasePriorityPrivilege	4140	WMIC.exe
Token: SeCreatePagefilePrivilege	4140	WMIC.exe
Token: SeBackupPrivilege	4140	WMIC.exe
Token: SeRestorePrivilege	4140	WMIC.exe
Token: SeShutdownPrivilege	4140	WMIC.exe
Token: SeDebugPrivilege	4140	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4140	WMIC.exe
Token: SeRemoteShutdownPrivilege	4140	WMIC.exe
Token: SeUndockPrivilege	4140	WMIC.exe
Token: SeManageVolumePrivilege	4140	WMIC.exe
Token: 33	4140	WMIC.exe
Token: 34	4140	WMIC.exe
Token: 35	4140	WMIC.exe
Token: 36	4140	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2696	WMIC.exe
Token: SeSecurityPrivilege	2696	WMIC.exe
Token: SeTakeOwnershipPrivilege	2696	WMIC.exe
Token: SeLoadDriverPrivilege	2696	WMIC.exe
Token: SeSystemProfilePrivilege	2696	WMIC.exe
Token: SeSystemtimePrivilege	2696	WMIC.exe
Token: SeProfSingleProcessPrivilege	2696	WMIC.exe
Token: SeIncBasePriorityPrivilege	2696	WMIC.exe
Token: SeCreatePagefilePrivilege	2696	WMIC.exe
Token: SeBackupPrivilege	2696	WMIC.exe
Token: SeRestorePrivilege	2696	WMIC.exe
Token: SeShutdownPrivilege	2696	WMIC.exe
Token: SeDebugPrivilege	2696	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2696	WMIC.exe
Token: SeRemoteShutdownPrivilege	2696	WMIC.exe
Token: SeUndockPrivilege	2696	WMIC.exe
Token: SeManageVolumePrivilege	2696	WMIC.exe
Token: 33	2696	WMIC.exe
Token: 34	2696	WMIC.exe
Token: 35	2696	WMIC.exe
Token: 36	2696	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2696	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2340 wrote to memory of 5080	2340	cmd.exe	84
PID 2340 wrote to memory of 5080	2340	cmd.exe	84
PID 2340 wrote to memory of 1364	2340	cmd.exe	86
PID 2340 wrote to memory of 1364	2340	cmd.exe	86
PID 2340 wrote to memory of 3048	2340	cmd.exe	87
PID 2340 wrote to memory of 3048	2340	cmd.exe	87
PID 2340 wrote to memory of 1064	2340	cmd.exe	88
PID 2340 wrote to memory of 1064	2340	cmd.exe	88
PID 2340 wrote to memory of 3176	2340	cmd.exe	89
PID 2340 wrote to memory of 3176	2340	cmd.exe	89
PID 2340 wrote to memory of 1576	2340	cmd.exe	90
PID 2340 wrote to memory of 1576	2340	cmd.exe	90
PID 2340 wrote to memory of 3164	2340	cmd.exe	97
PID 2340 wrote to memory of 3164	2340	cmd.exe	97
PID 2340 wrote to memory of 3524	2340	cmd.exe	98
PID 2340 wrote to memory of 3524	2340	cmd.exe	98
PID 2340 wrote to memory of 4848	2340	cmd.exe	99
PID 2340 wrote to memory of 4848	2340	cmd.exe	99
PID 2340 wrote to memory of 1060	2340	cmd.exe	100
PID 2340 wrote to memory of 1060	2340	cmd.exe	100
PID 2340 wrote to memory of 1764	2340	cmd.exe	101
PID 2340 wrote to memory of 1764	2340	cmd.exe	101
PID 2340 wrote to memory of 3876	2340	cmd.exe	102
PID 2340 wrote to memory of 3876	2340	cmd.exe	102
PID 2340 wrote to memory of 4824	2340	cmd.exe	103
PID 2340 wrote to memory of 4824	2340	cmd.exe	103
PID 2340 wrote to memory of 4872	2340	cmd.exe	104
PID 2340 wrote to memory of 4872	2340	cmd.exe	104
PID 2340 wrote to memory of 2128	2340	cmd.exe	105
PID 2340 wrote to memory of 2128	2340	cmd.exe	105
PID 2340 wrote to memory of 1428	2340	cmd.exe	106
PID 2340 wrote to memory of 1428	2340	cmd.exe	106
PID 2340 wrote to memory of 3496	2340	cmd.exe	107
PID 2340 wrote to memory of 3496	2340	cmd.exe	107
PID 2340 wrote to memory of 2304	2340	cmd.exe	108
PID 2340 wrote to memory of 2304	2340	cmd.exe	108
PID 2340 wrote to memory of 1676	2340	cmd.exe	109
PID 2340 wrote to memory of 1676	2340	cmd.exe	109
PID 1676 wrote to memory of 4140	1676	cmd.exe	110
PID 1676 wrote to memory of 4140	1676	cmd.exe	110
PID 1676 wrote to memory of 4808	1676	cmd.exe	111
PID 1676 wrote to memory of 4808	1676	cmd.exe	111
PID 2340 wrote to memory of 1652	2340	cmd.exe	112
PID 2340 wrote to memory of 1652	2340	cmd.exe	112
PID 2340 wrote to memory of 1252	2340	cmd.exe	113
PID 2340 wrote to memory of 1252	2340	cmd.exe	113
PID 2340 wrote to memory of 1972	2340	cmd.exe	114
PID 2340 wrote to memory of 1972	2340	cmd.exe	114
PID 2340 wrote to memory of 220	2340	cmd.exe	115
PID 2340 wrote to memory of 220	2340	cmd.exe	115
PID 220 wrote to memory of 2696	220	cmd.exe	116
PID 220 wrote to memory of 2696	220	cmd.exe	116
PID 220 wrote to memory of 760	220	cmd.exe	117
PID 220 wrote to memory of 760	220	cmd.exe	117
PID 2340 wrote to memory of 1888	2340	cmd.exe	118
PID 2340 wrote to memory of 1888	2340	cmd.exe	118
PID 2340 wrote to memory of 4320	2340	cmd.exe	119
PID 2340 wrote to memory of 4320	2340	cmd.exe	119
PID 2340 wrote to memory of 3740	2340	cmd.exe	120
PID 2340 wrote to memory of 3740	2340	cmd.exe	120
PID 2340 wrote to memory of 1056	2340	cmd.exe	121
PID 2340 wrote to memory of 1056	2340	cmd.exe	121
PID 1056 wrote to memory of 2640	1056	cmd.exe	122
PID 1056 wrote to memory of 2640	1056	cmd.exe	122

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\HoneCtrl (1).bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:2340
- C:\Windows\system32\mode.com
  Mode 130,45
  2⤵
  PID:5080
- C:\Windows\system32\reg.exe
  reg add HKLM /F
  2⤵
  - Modifies registry key
  PID:1364
- C:\Windows\system32\reg.exe
  reg add "HKLM\System\CurrentControlSet\Control\CrashControl" /v "DisplayParameters" /t REG_DWORD /d "1" /f
  2⤵
  PID:3048
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "prompt #$H#$E# & echo on & for %b in (1) do rem"
  2⤵
  PID:1064
- C:\Windows\system32\reg.exe
  reg add HKCU\CONSOLE /v VirtualTerminalLevel /t REG_DWORD /d 1 /f
  2⤵
  - Modifies registry key
  PID:3176
- C:\Windows\system32\reg.exe
  reg query "HKCU\Software\HoneCTRL" /v "Disclaimer"
  2⤵
  PID:1576
- C:\Windows\system32\reg.exe
  reg add "HKCU\Software\HoneCTRL" /v "Disclaimer" /f
  2⤵
  PID:3164
- C:\Windows\system32\curl.exe
  curl -g -L -# -o "C:\Users\Admin\AppData\Local\Temp\Updater.bat" "https://raw.githubusercontent.com/luke-beep/HoneCTRL/main/Files/HoneCTRLVersion"
  2⤵
  PID:3524
- C:\Windows\system32\reg.exe
  reg add "HKLM\Software\Microsoft\Windows NT\CurrentVersion\SystemRestore" /v "SystemRestorePointCreationFrequency" /t REG_DWORD /d 0 /f
  2⤵
  PID:4848
- C:\Windows\system32\mode.com
  Mode 65,16
  2⤵
  PID:1060
- C:\Windows\System32\choice.exe
  C:\Windows\System32\choice.exe /c:YN /n /m " >:"
  2⤵
  PID:1764
- C:\Windows\system32\mode.com
  Mode 130,45
  2⤵
  PID:3876
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c date /t
  2⤵
  PID:4824
- C:\Windows\system32\reg.exe
  reg export HKCU C:\HoneCTRL\HoneCTRLRevert\07.15.2024\HKLM.reg /y
  2⤵
  PID:4872
- C:\Windows\system32\reg.exe
  reg export HKCU C:\HoneCTRL\HoneCTRLRevert\07.15.2024\HKCU.reg /y
  2⤵
  PID:2128
- C:\Windows\system32\mode.com
  Mode 130,45
  2⤵
  PID:1428
- C:\Windows\System32\choice.exe
  C:\Windows\System32\choice.exe /c:1234567XD /n /m " Select a corresponding number to the options above > "
  2⤵
  PID:3496
- C:\Windows\system32\mode.com
  Mode 130,45
  2⤵
  PID:2304
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic path win32_VideoController get PNPDeviceID | findstr /L "VEN_"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1676
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic path win32_VideoController get PNPDeviceID
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4140
- - C:\Windows\system32\findstr.exe
    findstr /L "VEN_"
    3⤵
    PID:4808
- C:\Windows\system32\reg.exe
  reg query "HKLM\SYSTEM\CurrentControlSet\Enum\PCI\VEN_1234&DEV_1111&SUBSYS_11001AF4&REV_02\3&11583659&0&08\Device Parameters\Interrupt Management\MessageSignaledInterruptProperties" /v "MSISupported"
  2⤵
  PID:1652
- C:\Windows\system32\find.exe
  find "0x1"
  2⤵
  PID:1252
- C:\Windows\system32\reg.exe
  reg query "HKLM\System\CurrentControlSet\Enum\PCI\VEN_1234&DEV_1111&SUBSYS_11001AF4&REV_02\3&11583659&0&08\Device Parameters\Interrupt Management\Affinity Policy" /v "DevicePriority"
  2⤵
  PID:1972
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic path Win32_NetworkAdapter get PNPDeviceID | findstr /L "VEN_"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:220
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic path Win32_NetworkAdapter get PNPDeviceID
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2696
- - C:\Windows\system32\findstr.exe
    findstr /L "VEN_"
    3⤵
    PID:760
- C:\Windows\system32\reg.exe
  reg query "HKLM\SYSTEM\CurrentControlSet\Enum\PCI\VEN_10EC&DEV_8139&SUBSYS_11001AF4&REV_20\3&11583659&0&18\Device Parameters\Interrupt Management\MessageSignaledInterruptProperties" /v "MSISupported"
  2⤵
  PID:1888
- C:\Windows\system32\find.exe
  find "0x1"
  2⤵
  PID:4320
- C:\Windows\system32\reg.exe
  reg query "HKLM\System\CurrentControlSet\Enum\PCI\VEN_10EC&DEV_8139&SUBSYS_11001AF4&REV_20\3&11583659&0&18\Device Parameters\Interrupt Management\Affinity Policy" /v "DevicePriority"
  2⤵
  PID:3740
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic os get TotalVisibleMemorySize /value
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1056
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic os get TotalVisibleMemorySize /value
    3⤵
    PID:2640
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg query "HKLM\SYSTEM\CurrentControlSet\Control" /v "SvcHostSplitThresholdInKB"
  2⤵
  PID:1500
- - C:\Windows\system32\reg.exe
    reg query "HKLM\SYSTEM\CurrentControlSet\Control" /v "SvcHostSplitThresholdInKB"
    3⤵
    PID:2888
- C:\Windows\system32\reg.exe
  reg query "HKCU\Software\HoneCTRL" /v "NVTTweaks"
  2⤵
  PID:3476
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg query "HKLM\System\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}" /t REG_SZ /s /e /f "NVIDIA" | findstr "HKEY"
  2⤵
  PID:3760
- - C:\Windows\system32\reg.exe
    reg query "HKLM\System\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}" /t REG_SZ /s /e /f "NVIDIA"
    3⤵
    PID:3628
- - C:\Windows\system32\findstr.exe
    findstr "HKEY"
    3⤵
    PID:2236
- C:\Windows\system32\reg.exe
  reg query "HKLM\SYSTEM\CurrentControlSet\Services\nvlddmkm" /v "DisablePreemption"
  2⤵
  PID:4172
- C:\Windows\system32\find.exe
  find "0x1"
  2⤵
  PID:1752
- C:\Windows\system32\reg.exe
  reg query "HKLM\SYSTEM\CurrentControlSet\Services\nvlddmkm" /v "DisableCudaContextPreemption"
  2⤵
  PID:1852
- C:\Windows\system32\find.exe
  find "0x1"
  2⤵
  PID:3260
- C:\Windows\system32\reg.exe
  reg query "HKLM\SYSTEM\CurrentControlSet\Services\nvlddmkm" /v "EnableCEPreemption"
  2⤵
  PID:212
- C:\Windows\system32\find.exe
  find "0x0"
  2⤵
  PID:696
- C:\Windows\system32\reg.exe
  reg query "HKLM\SYSTEM\CurrentControlSet\Services\nvlddmkm" /v "DisablePreemptionOnS3S4"
  2⤵
  PID:4256
- C:\Windows\system32\find.exe
  find "0x1"
  2⤵
  PID:5048
- C:\Windows\system32\reg.exe
  reg query "HKLM\SYSTEM\CurrentControlSet\Services\nvlddmkm" /v "ComputePreemption"
  2⤵
  PID:3784
- C:\Windows\system32\find.exe
  find "0x0"
  2⤵
  PID:1336
- C:\Windows\system32\reg.exe
  reg query "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\csrss.exe\PerfOptions" /v CpuPriorityClass
  2⤵
  PID:4408
- C:\Windows\system32\find.exe
  find "0x4"
  2⤵
  PID:4532
- C:\Windows\system32\reg.exe
  reg query "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\csrss.exe\PerfOptions" /v IoPriority
  2⤵
  PID:5092
- C:\Windows\system32\find.exe
  find "0x3"
  2⤵
  PID:4832
- C:\Windows\system32\reg.exe
  reg query "HKCU\Software\HoneCTRL" /v "AllGPUTweaks"
  2⤵
  PID:4048
- C:\Windows\system32\reg.exe
  reg query "HKCU\Software\HoneCTRL" /v "NpiTweaks"
  2⤵
  PID:1900
- C:\Windows\system32\reg.exe
  reg query "HKCU\Software\HoneCTRL" /v "TCPIP"
  2⤵
  PID:5080
- C:\Windows\system32\reg.exe
  reg query "HKCU\Software\HoneCTRL" /v "NvidiaTweaks"
  2⤵
  PID:3908
- C:\Windows\system32\reg.exe
  reg query "HKCU\Software\HoneCTRL" /v "MemoryTweaks"
  2⤵
  PID:2600
- C:\Windows\system32\reg.exe
  reg query "HKCU\Software\HoneCTRL" /v "InternetTweaks"
  2⤵
  PID:2456
- C:\Windows\system32\reg.exe
  reg query "HKCU\Software\HoneCTRL" /v "ServicesTweaks"
  2⤵
  PID:3392
- C:\Windows\system32\reg.exe
  reg query "HKCU\Software\HoneCTRL" /v "DebloatTweaks"
  2⤵
  PID:1576
- C:\Windows\system32\reg.exe
  reg query "HKCU\Software\HoneCTRL" /v "MitigationsTweaks"
  2⤵
  PID:1684
- C:\Windows\system32\reg.exe
  reg query "HKCU\Software\HoneCTRL" /v "AffinityTweaks"
  2⤵
  PID:1460
- C:\Windows\system32\reg.exe
  reg query "HKLM\SYSTEM\CurrentControlSet\Services\nvlddmkm" /v "DisableWriteCombining"
  2⤵
  PID:948
- C:\Windows\system32\reg.exe
  reg query "HKCU\Control Panel\Mouse" /v "SmoothMouseYCurve"
  2⤵
  PID:4744
- C:\Windows\system32\find.exe
  find "0000000000000000000038000000000000007000000000000000A800000000000000E00000000000"
  2⤵
  PID:1404
- C:\Windows\system32\reg.exe
  reg query "HKLM\SOFTWARE\Intel\GMM" /v "DedicatedSegmentSize"
  2⤵
  PID:4928
- C:\Windows\system32\find.exe
  find "0x400"
  2⤵
  PID:216
- C:\Windows\system32\sc.exe
  sc query STR
  2⤵
  - Launches sc.exe
  PID:1940
- C:\Windows\system32\find.exe
  find "RUNNING"
  2⤵
  PID:636
- C:\Windows\system32\sc.exe
  sc query HoneCTRLAudio
  2⤵
  - Launches sc.exe
  PID:4452
- C:\Windows\system32\find.exe
  find "RUNNING"
  2⤵
  PID:1204
- C:\Windows\System32\Wbem\WMIC.exe
  wmic path Win32_Battery Get BatteryStatus
  2⤵
  PID:3356
- C:\Windows\system32\find.exe
  find "1"
  2⤵
  PID:3800
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic path Win32_VideoController get VideoProcessor /value
  2⤵
  PID:4280
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic path Win32_VideoController get VideoProcessor /value
    3⤵
    PID:2068
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo SeaBIOS VBE(C) 2011 "
  2⤵
  PID:1556
- C:\Windows\system32\find.exe
  find "GeForce"
  2⤵
  PID:5068
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo SeaBIOS VBE(C) 2011 "
  2⤵
  PID:5020
- C:\Windows\system32\find.exe
  find "NVIDIA"
  2⤵
  PID:3280
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo SeaBIOS VBE(C) 2011 "
  2⤵
  PID:4032
- C:\Windows\system32\find.exe
  find "RTX"
  2⤵
  PID:4404
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo SeaBIOS VBE(C) 2011 "
  2⤵
  PID:3924
- C:\Windows\system32\find.exe
  find "GTX"
  2⤵
  PID:1896
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo SeaBIOS VBE(C) 2011 "
  2⤵
  PID:1432
- C:\Windows\system32\find.exe
  find "AMD"
  2⤵
  PID:4488
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo SeaBIOS VBE(C) 2011 "
  2⤵
  PID:3188
- C:\Windows\system32\find.exe
  find "Ryzen"
  2⤵
  PID:2060
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo SeaBIOS VBE(C) 2011 "
  2⤵
  PID:4132
- C:\Windows\system32\find.exe
  find "Intel"
  2⤵
  PID:1628
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo SeaBIOS VBE(C) 2011 "
  2⤵
  PID:1020
- C:\Windows\system32\find.exe
  find "UHD"
  2⤵
  PID:4956
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic os get TotalVisibleMemorySize /value
  2⤵
  PID:3644
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic os get TotalVisibleMemorySize /value
    3⤵
    PID:540
- C:\Windows\system32\reg.exe
  reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control" /v "SvcHostSplitThresholdInKB" /t REG_DWORD /d 5217772 /f
  2⤵
  PID:4848
- C:\Windows\system32\mode.com
  Mode 130,45
  2⤵
  PID:1944
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic path win32_VideoController get PNPDeviceID | findstr /L "VEN_"
  2⤵
  PID:3612
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic path win32_VideoController get PNPDeviceID
    3⤵
    PID:4988
- - C:\Windows\system32\findstr.exe
    findstr /L "VEN_"
    3⤵
    PID:4616
- C:\Windows\system32\reg.exe
  reg query "HKLM\SYSTEM\CurrentControlSet\Enum\PCI\VEN_1234&DEV_1111&SUBSYS_11001AF4&REV_02\3&11583659&0&08\Device Parameters\Interrupt Management\MessageSignaledInterruptProperties" /v "MSISupported"
  2⤵
  PID:4884
- C:\Windows\system32\find.exe
  find "0x1"
  2⤵
  PID:2948
- C:\Windows\system32\reg.exe
  reg query "HKLM\System\CurrentControlSet\Enum\PCI\VEN_1234&DEV_1111&SUBSYS_11001AF4&REV_02\3&11583659&0&08\Device Parameters\Interrupt Management\Affinity Policy" /v "DevicePriority"
  2⤵
  PID:1272
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic path Win32_NetworkAdapter get PNPDeviceID | findstr /L "VEN_"
  2⤵
  PID:1256
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic path Win32_NetworkAdapter get PNPDeviceID
    3⤵
    PID:5088
- - C:\Windows\system32\findstr.exe
    findstr /L "VEN_"
    3⤵
    PID:880
- C:\Windows\system32\reg.exe
  reg query "HKLM\SYSTEM\CurrentControlSet\Enum\PCI\VEN_10EC&DEV_8139&SUBSYS_11001AF4&REV_20\3&11583659&0&18\Device Parameters\Interrupt Management\MessageSignaledInterruptProperties" /v "MSISupported"
  2⤵
  PID:2500
- C:\Windows\system32\find.exe
  find "0x1"
  2⤵
  PID:1528
- C:\Windows\system32\reg.exe
  reg query "HKLM\System\CurrentControlSet\Enum\PCI\VEN_10EC&DEV_8139&SUBSYS_11001AF4&REV_20\3&11583659&0&18\Device Parameters\Interrupt Management\Affinity Policy" /v "DevicePriority"
  2⤵
  PID:1548
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic os get TotalVisibleMemorySize /value
  2⤵
  PID:3604
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic os get TotalVisibleMemorySize /value
    3⤵
    PID:920
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg query "HKLM\SYSTEM\CurrentControlSet\Control" /v "SvcHostSplitThresholdInKB"
  2⤵
  PID:4900
- - C:\Windows\system32\reg.exe
    reg query "HKLM\SYSTEM\CurrentControlSet\Control" /v "SvcHostSplitThresholdInKB"
    3⤵
    PID:4348
- C:\Windows\system32\reg.exe
  reg query "HKCU\Software\HoneCTRL" /v "NVTTweaks"
  2⤵
  PID:1784
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg query "HKLM\System\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}" /t REG_SZ /s /e /f "NVIDIA" | findstr "HKEY"
  2⤵
  PID:2696
- - C:\Windows\system32\reg.exe
    reg query "HKLM\System\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}" /t REG_SZ /s /e /f "NVIDIA"
    3⤵
    PID:760
- - C:\Windows\system32\findstr.exe
    findstr "HKEY"
    3⤵
    PID:220
- C:\Windows\system32\reg.exe
  reg query "HKLM\SYSTEM\CurrentControlSet\Services\nvlddmkm" /v "DisablePreemption"
  2⤵
  PID:2044
- C:\Windows\system32\find.exe
  find "0x1"
  2⤵
  PID:4320
- C:\Windows\system32\reg.exe
  reg query "HKLM\SYSTEM\CurrentControlSet\Services\nvlddmkm" /v "DisableCudaContextPreemption"
  2⤵
  PID:4944
- C:\Windows\system32\find.exe
  find "0x1"
  2⤵
  PID:2760
- C:\Windows\system32\reg.exe
  reg query "HKLM\SYSTEM\CurrentControlSet\Services\nvlddmkm" /v "EnableCEPreemption"
  2⤵
  PID:1656
- C:\Windows\system32\find.exe
  find "0x0"
  2⤵
  PID:4152
- C:\Windows\system32\reg.exe
  reg query "HKLM\SYSTEM\CurrentControlSet\Services\nvlddmkm" /v "DisablePreemptionOnS3S4"
  2⤵
  PID:3148
- C:\Windows\system32\find.exe
  find "0x1"
  2⤵
  PID:3868
- C:\Windows\system32\reg.exe
  reg query "HKLM\SYSTEM\CurrentControlSet\Services\nvlddmkm" /v "ComputePreemption"
  2⤵
  PID:3628
- C:\Windows\system32\find.exe
  find "0x0"
  2⤵
  PID:3692
- C:\Windows\system32\reg.exe
  reg query "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\csrss.exe\PerfOptions" /v CpuPriorityClass
  2⤵
  PID:3760
- C:\Windows\system32\find.exe
  find "0x4"
  2⤵
  PID:3620
- C:\Windows\system32\reg.exe
  reg query "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\csrss.exe\PerfOptions" /v IoPriority
  2⤵
  PID:1752
- C:\Windows\system32\find.exe
  find "0x3"
  2⤵
  PID:4572
- C:\Windows\system32\reg.exe
  reg query "HKCU\Software\HoneCTRL" /v "AllGPUTweaks"
  2⤵
  PID:3260
- C:\Windows\system32\reg.exe
  reg query "HKCU\Software\HoneCTRL" /v "NpiTweaks"
  2⤵
  PID:2672
- C:\Windows\system32\reg.exe
  reg query "HKCU\Software\HoneCTRL" /v "TCPIP"
  2⤵
  PID:696
- C:\Windows\system32\reg.exe
  reg query "HKCU\Software\HoneCTRL" /v "NvidiaTweaks"
  2⤵
  PID:4248
- C:\Windows\system32\reg.exe
  reg query "HKCU\Software\HoneCTRL" /v "MemoryTweaks"
  2⤵
  PID:5048
- C:\Windows\system32\reg.exe
  reg query "HKCU\Software\HoneCTRL" /v "InternetTweaks"
  2⤵
  PID:3784
- C:\Windows\system32\reg.exe
  reg query "HKCU\Software\HoneCTRL" /v "ServicesTweaks"
  2⤵
  PID:1336
- C:\Windows\system32\reg.exe
  reg query "HKCU\Software\HoneCTRL" /v "DebloatTweaks"
  2⤵
  PID:4400
- C:\Windows\system32\reg.exe
  reg query "HKCU\Software\HoneCTRL" /v "MitigationsTweaks"
  2⤵
  PID:4532
- C:\Windows\system32\reg.exe
  reg query "HKCU\Software\HoneCTRL" /v "AffinityTweaks"
  2⤵
  PID:1844
- C:\Windows\system32\reg.exe
  reg query "HKLM\SYSTEM\CurrentControlSet\Services\nvlddmkm" /v "DisableWriteCombining"
  2⤵
  PID:4832
- C:\Windows\system32\reg.exe
  reg query "HKCU\Control Panel\Mouse" /v "SmoothMouseYCurve"
  2⤵
  PID:4048
- C:\Windows\system32\find.exe
  find "0000000000000000000038000000000000007000000000000000A800000000000000E00000000000"
  2⤵
  PID:4288
- C:\Windows\system32\reg.exe
  reg query "HKLM\SOFTWARE\Intel\GMM" /v "DedicatedSegmentSize"
  2⤵
  PID:1364
- C:\Windows\system32\find.exe
  find "0x400"
  2⤵
  PID:4312
- C:\Windows\system32\sc.exe
  sc query STR
  2⤵
  - Launches sc.exe
  PID:2600
- C:\Windows\system32\find.exe
  find "RUNNING"
  2⤵
  PID:3292
- C:\Windows\system32\sc.exe
  sc query HoneCTRLAudio
  2⤵
  - Launches sc.exe
  PID:4100
- C:\Windows\system32\find.exe
  find "RUNNING"
  2⤵
  PID:2200
- C:\Windows\System32\Wbem\WMIC.exe
  wmic path Win32_Battery Get BatteryStatus
  2⤵
  PID:2684
- C:\Windows\system32\find.exe
  find "1"
  2⤵
  PID:4560
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic path Win32_VideoController get VideoProcessor /value
  2⤵
  PID:3936
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic path Win32_VideoController get VideoProcessor /value
    3⤵
    PID:3932
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo SeaBIOS VBE(C) 2011 "
  2⤵
  PID:464
- C:\Windows\system32\find.exe
  find "GeForce"
  2⤵
  PID:216
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo SeaBIOS VBE(C) 2011 "
  2⤵
  PID:3240
- C:\Windows\system32\find.exe
  find "NVIDIA"
  2⤵
  PID:636
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo SeaBIOS VBE(C) 2011 "
  2⤵
  PID:2904
- C:\Windows\system32\find.exe
  find "RTX"
  2⤵
  PID:1204
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo SeaBIOS VBE(C) 2011 "
  2⤵
  PID:2392
- C:\Windows\system32\find.exe
  find "GTX"
  2⤵
  PID:624
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo SeaBIOS VBE(C) 2011 "
  2⤵
  PID:3016
- C:\Windows\system32\find.exe
  find "AMD"
  2⤵
  PID:676
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo SeaBIOS VBE(C) 2011 "
  2⤵
  PID:2488
- C:\Windows\system32\find.exe
  find "Ryzen"
  2⤵
  PID:1884
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo SeaBIOS VBE(C) 2011 "
  2⤵
  PID:232
- C:\Windows\system32\find.exe
  find "Intel"
  2⤵
  PID:2160
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo SeaBIOS VBE(C) 2011 "
  2⤵
  PID:4584
- C:\Windows\system32\find.exe
  find "UHD"
  2⤵
  PID:4084
- C:\Windows\system32\reg.exe
  reg add "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\csrss.exe\PerfOptions" /v CpuPriorityClass /t Reg_DWORD /d "4" /f
  2⤵
  - Event Triggered Execution: Image File Execution Options Injection
  PID:4404
- C:\Windows\system32\reg.exe
  reg add "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\csrss.exe\PerfOptions" /v IoPriority /t Reg_DWORD /d "3" /f
  2⤵
  - Event Triggered Execution: Image File Execution Options Injection
  PID:348
- C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile" /v "NoLazyMode" /t REG_DWORD /d "1" /f
  2⤵
  PID:2676
- C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile" /v "AlwaysOn" /t REG_DWORD /d "1" /f
  2⤵
  PID:4608
- C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile" /v "NetworkThrottlingIndex" /t REG_DWORD /d "10" /f
  2⤵
  PID:1772
- C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile" /v "SystemResponsiveness" /t REG_DWORD /d "0" /f
  2⤵
  PID:2356
- C:\Windows\system32\mode.com
  Mode 130,45
  2⤵
  PID:4964
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic path win32_VideoController get PNPDeviceID | findstr /L "VEN_"
  2⤵
  PID:4052
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic path win32_VideoController get PNPDeviceID
    3⤵
    PID:4684
- - C:\Windows\system32\findstr.exe
    findstr /L "VEN_"
    3⤵
    PID:1020
- C:\Windows\system32\reg.exe
  reg query "HKLM\SYSTEM\CurrentControlSet\Enum\PCI\VEN_1234&DEV_1111&SUBSYS_11001AF4&REV_02\3&11583659&0&08\Device Parameters\Interrupt Management\MessageSignaledInterruptProperties" /v "MSISupported"
  2⤵
  PID:888
- C:\Windows\system32\find.exe
  find "0x1"
  2⤵
  PID:1872
- C:\Windows\system32\reg.exe
  reg query "HKLM\System\CurrentControlSet\Enum\PCI\VEN_1234&DEV_1111&SUBSYS_11001AF4&REV_02\3&11583659&0&08\Device Parameters\Interrupt Management\Affinity Policy" /v "DevicePriority"
  2⤵
  PID:3524
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic path Win32_NetworkAdapter get PNPDeviceID | findstr /L "VEN_"
  2⤵
  PID:3672
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic path Win32_NetworkAdapter get PNPDeviceID
    3⤵
    PID:1580
- - C:\Windows\system32\findstr.exe
    findstr /L "VEN_"
    3⤵
    PID:4464
- C:\Windows\system32\reg.exe
  reg query "HKLM\SYSTEM\CurrentControlSet\Enum\PCI\VEN_10EC&DEV_8139&SUBSYS_11001AF4&REV_20\3&11583659&0&18\Device Parameters\Interrupt Management\MessageSignaledInterruptProperties" /v "MSISupported"
  2⤵
  PID:3312
- C:\Windows\system32\find.exe
  find "0x1"
  2⤵
  PID:4824
- C:\Windows\system32\reg.exe
  reg query "HKLM\System\CurrentControlSet\Enum\PCI\VEN_10EC&DEV_8139&SUBSYS_11001AF4&REV_20\3&11583659&0&18\Device Parameters\Interrupt Management\Affinity Policy" /v "DevicePriority"
  2⤵
  PID:2360
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic os get TotalVisibleMemorySize /value
  2⤵
  PID:2128
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic os get TotalVisibleMemorySize /value
    3⤵
    PID:3496
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg query "HKLM\SYSTEM\CurrentControlSet\Control" /v "SvcHostSplitThresholdInKB"
  2⤵
  PID:4388
- - C:\Windows\system32\reg.exe
    reg query "HKLM\SYSTEM\CurrentControlSet\Control" /v "SvcHostSplitThresholdInKB"
    3⤵
    PID:1444
- C:\Windows\system32\reg.exe
  reg query "HKCU\Software\HoneCTRL" /v "NVTTweaks"
  2⤵
  PID:428
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg query "HKLM\System\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}" /t REG_SZ /s /e /f "NVIDIA" | findstr "HKEY"
  2⤵
  PID:1528
- - C:\Windows\system32\reg.exe
    reg query "HKLM\System\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}" /t REG_SZ /s /e /f "NVIDIA"
    3⤵
    PID:1548
- - C:\Windows\system32\findstr.exe
    findstr "HKEY"
    3⤵
    PID:4344
- C:\Windows\system32\reg.exe
  reg query "HKLM\SYSTEM\CurrentControlSet\Services\nvlddmkm" /v "DisablePreemption"
  2⤵
  PID:4008
- C:\Windows\system32\find.exe
  find "0x1"
  2⤵
  PID:920
- C:\Windows\system32\reg.exe
  reg query "HKLM\SYSTEM\CurrentControlSet\Services\nvlddmkm" /v "DisableCudaContextPreemption"
  2⤵
  PID:2228
- C:\Windows\system32\find.exe
  find "0x1"
  2⤵
  PID:4348
- C:\Windows\system32\reg.exe
  reg query "HKLM\SYSTEM\CurrentControlSet\Services\nvlddmkm" /v "EnableCEPreemption"
  2⤵
  PID:1784
- C:\Windows\system32\find.exe
  find "0x0"
  2⤵
  PID:1344
- C:\Windows\system32\reg.exe
  reg query "HKLM\SYSTEM\CurrentControlSet\Services\nvlddmkm" /v "DisablePreemptionOnS3S4"
  2⤵
  PID:220
- C:\Windows\system32\find.exe
  find "0x1"
  2⤵
  PID:3124
- C:\Windows\system32\reg.exe
  reg query "HKLM\SYSTEM\CurrentControlSet\Services\nvlddmkm" /v "ComputePreemption"
  2⤵
  PID:2044
- C:\Windows\system32\find.exe
  find "0x0"
  2⤵
  PID:2632
- C:\Windows\system32\reg.exe
  reg query "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\csrss.exe\PerfOptions" /v CpuPriorityClass
  2⤵
  PID:1488
- C:\Windows\system32\find.exe
  find "0x4"
  2⤵
  PID:4776
- C:\Windows\system32\reg.exe
  reg query "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\csrss.exe\PerfOptions" /v IoPriority
  2⤵
  PID:3788
- C:\Windows\system32\find.exe
  find "0x3"
  2⤵
  PID:2888
- C:\Windows\system32\reg.exe
  reg query "HKCU\Software\HoneCTRL" /v "AllGPUTweaks"
  2⤵
  PID:3148
- C:\Windows\system32\reg.exe
  reg query "HKCU\Software\HoneCTRL" /v "NpiTweaks"
  2⤵
  PID:3868
- C:\Windows\system32\reg.exe
  reg query "HKCU\Software\HoneCTRL" /v "TCPIP"
  2⤵
  PID:3628
- C:\Windows\system32\reg.exe
  reg query "HKCU\Software\HoneCTRL" /v "NvidiaTweaks"
  2⤵
  PID:3692
- C:\Windows\system32\reg.exe
  reg query "HKCU\Software\HoneCTRL" /v "MemoryTweaks"
  2⤵
  PID:812
- C:\Windows\system32\reg.exe
  reg query "HKCU\Software\HoneCTRL" /v "InternetTweaks"
  2⤵
  PID:3620
- C:\Windows\system32\reg.exe
  reg query "HKCU\Software\HoneCTRL" /v "ServicesTweaks"
  2⤵
  PID:5076
- C:\Windows\system32\reg.exe
  reg query "HKCU\Software\HoneCTRL" /v "DebloatTweaks"
  2⤵
  PID:4572
- C:\Windows\system32\reg.exe
  reg query "HKCU\Software\HoneCTRL" /v "MitigationsTweaks"
  2⤵
  PID:3260
- C:\Windows\system32\reg.exe
  reg query "HKCU\Software\HoneCTRL" /v "AffinityTweaks"
  2⤵
  PID:2672
- C:\Windows\system32\reg.exe
  reg query "HKLM\SYSTEM\CurrentControlSet\Services\nvlddmkm" /v "DisableWriteCombining"
  2⤵
  PID:696
- C:\Windows\system32\reg.exe
  reg query "HKCU\Control Panel\Mouse" /v "SmoothMouseYCurve"
  2⤵
  PID:4248
- C:\Windows\system32\find.exe
  find "0000000000000000000038000000000000007000000000000000A800000000000000E00000000000"
  2⤵
  PID:5096
- C:\Windows\system32\reg.exe
  reg query "HKLM\SOFTWARE\Intel\GMM" /v "DedicatedSegmentSize"
  2⤵
  PID:4384
- C:\Windows\system32\find.exe
  find "0x400"
  2⤵
  PID:1832
- C:\Windows\system32\sc.exe
  sc query STR
  2⤵
  - Launches sc.exe
  PID:4636
- C:\Windows\system32\find.exe
  find "RUNNING"
  2⤵
  PID:2572
- C:\Windows\system32\sc.exe
  sc query HoneCTRLAudio
  2⤵
  - Launches sc.exe
  PID:4532
- C:\Windows\system32\find.exe
  find "RUNNING"
  2⤵
  PID:376
- C:\Windows\System32\Wbem\WMIC.exe
  wmic path Win32_Battery Get BatteryStatus
  2⤵
  PID:4880
- C:\Windows\system32\find.exe
  find "1"
  2⤵
  PID:4048
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic path Win32_VideoController get VideoProcessor /value
  2⤵
  PID:5080
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic path Win32_VideoController get VideoProcessor /value
    3⤵
    PID:3776
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo SeaBIOS VBE(C) 2011 "
  2⤵
  PID:2596
- C:\Windows\system32\find.exe
  find "GeForce"
  2⤵
  PID:5024
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo SeaBIOS VBE(C) 2011 "
  2⤵
  PID:1460
- C:\Windows\system32\find.exe
  find "NVIDIA"
  2⤵
  PID:3840
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo SeaBIOS VBE(C) 2011 "
  2⤵
  PID:4560
- C:\Windows\system32\find.exe
  find "RTX"
  2⤵
  PID:1124
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo SeaBIOS VBE(C) 2011 "
  2⤵
  PID:4744
- C:\Windows\system32\find.exe
  find "GTX"
  2⤵
  PID:3932
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo SeaBIOS VBE(C) 2011 "
  2⤵
  PID:1016
- C:\Windows\system32\find.exe
  find "AMD"
  2⤵
  PID:1940
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo SeaBIOS VBE(C) 2011 "
  2⤵
  PID:4596
- C:\Windows\system32\find.exe
  find "Ryzen"
  2⤵
  PID:4452
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo SeaBIOS VBE(C) 2011 "
  2⤵
  PID:4264
- C:\Windows\system32\find.exe
  find "Intel"
  2⤵
  PID:780
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo SeaBIOS VBE(C) 2011 "
  2⤵
  PID:3964
- C:\Windows\system32\find.exe
  find "UHD"
  2⤵
  PID:652
- C:\Windows\system32\sc.exe
  sc config "STR" start= auto
  2⤵
  - Launches sc.exe
  PID:2068
- C:\Windows\system32\net.exe
  net start STR
  2⤵
  PID:676
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 start STR
    3⤵
    PID:1476
- C:\Windows\system32\curl.exe
  curl -g -L -# -o "C:\HoneCTRL\Resources\SetTimerResolutionService.exe" "https://github.com/luke-beep/HoneCTRL/raw/main/Files/SetTimerResolutionService.exe"
  2⤵
  PID:4280
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe /i SetTimerResolutionService.exe
  2⤵
  - Loads dropped DLL
  PID:2512
- C:\Windows\system32\reg.exe
  reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\kernel" /v "GlobalTimerResolutionRequests" /t REG_DWORD /d 1 /f REM Windows 11
  2⤵
  PID:5036
- C:\Windows\system32\sc.exe
  sc config "STR" start=auto
  2⤵
  - Launches sc.exe
  PID:4504
- C:\Windows\system32\net.exe
  net start STR
  2⤵
  PID:2276
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 start STR
    3⤵
    PID:1628
- C:\Windows\system32\bcdedit.exe
  bcdedit /set disabledynamictick yes
  2⤵
  - Modifies boot configuration data using bcdedit
  PID:4684
- C:\Windows\system32\bcdedit.exe
  bcdedit /deletevalue useplatformclock
  2⤵
  - Modifies boot configuration data using bcdedit
  PID:3028
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic OS get buildnumber /value
  2⤵
  PID:4464
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic OS get buildnumber /value
    3⤵
    PID:4872
- C:\Windows\system32\bcdedit.exe
  bcdedit /set useplatformtick yes
  2⤵
  - Modifies boot configuration data using bcdedit
  PID:1072
- C:\Windows\system32\mode.com
  Mode 130,45
  2⤵
  PID:2700
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic path win32_VideoController get PNPDeviceID | findstr /L "VEN_"
  2⤵
  PID:1864
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic path win32_VideoController get PNPDeviceID
    3⤵
    PID:3496
- - C:\Windows\system32\findstr.exe
    findstr /L "VEN_"
    3⤵
    PID:2128
- C:\Windows\system32\reg.exe
  reg query "HKLM\SYSTEM\CurrentControlSet\Enum\PCI\VEN_1234&DEV_1111&SUBSYS_11001AF4&REV_02\3&11583659&0&08\Device Parameters\Interrupt Management\MessageSignaledInterruptProperties" /v "MSISupported"
  2⤵
  PID:1824
- C:\Windows\system32\find.exe
  find "0x1"
  2⤵
  PID:428
- C:\Windows\system32\reg.exe
  reg query "HKLM\System\CurrentControlSet\Enum\PCI\VEN_1234&DEV_1111&SUBSYS_11001AF4&REV_02\3&11583659&0&08\Device Parameters\Interrupt Management\Affinity Policy" /v "DevicePriority"
  2⤵
  PID:4600
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic path Win32_NetworkAdapter get PNPDeviceID | findstr /L "VEN_"
  2⤵
  PID:4808
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic path Win32_NetworkAdapter get PNPDeviceID
    3⤵
    PID:1360
- - C:\Windows\system32\findstr.exe
    findstr /L "VEN_"
    3⤵
    PID:4008
- C:\Windows\system32\reg.exe
  reg query "HKLM\SYSTEM\CurrentControlSet\Enum\PCI\VEN_10EC&DEV_8139&SUBSYS_11001AF4&REV_20\3&11583659&0&18\Device Parameters\Interrupt Management\MessageSignaledInterruptProperties" /v "MSISupported"
  2⤵
  PID:4624
- C:\Windows\system32\find.exe
  find "0x1"
  2⤵
  PID:1984
- C:\Windows\system32\reg.exe
  reg query "HKLM\System\CurrentControlSet\Enum\PCI\VEN_10EC&DEV_8139&SUBSYS_11001AF4&REV_20\3&11583659&0&18\Device Parameters\Interrupt Management\Affinity Policy" /v "DevicePriority"
  2⤵
  PID:1888
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic os get TotalVisibleMemorySize /value
  2⤵
  PID:2004
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic os get TotalVisibleMemorySize /value
    3⤵
    PID:2028
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg query "HKLM\SYSTEM\CurrentControlSet\Control" /v "SvcHostSplitThresholdInKB"
  2⤵
  PID:4088
- - C:\Windows\system32\reg.exe
    reg query "HKLM\SYSTEM\CurrentControlSet\Control" /v "SvcHostSplitThresholdInKB"
    3⤵
    PID:2760
- C:\Windows\system32\reg.exe
  reg query "HKCU\Software\HoneCTRL" /v "NVTTweaks"
  2⤵
  PID:1924
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg query "HKLM\System\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}" /t REG_SZ /s /e /f "NVIDIA" | findstr "HKEY"
  2⤵
  PID:4152
- - C:\Windows\system32\reg.exe
    reg query "HKLM\System\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}" /t REG_SZ /s /e /f "NVIDIA"
    3⤵
    PID:2888
- - C:\Windows\system32\findstr.exe
    findstr "HKEY"
    3⤵
    PID:4308
- C:\Windows\system32\reg.exe
  reg query "HKLM\SYSTEM\CurrentControlSet\Services\nvlddmkm" /v "DisablePreemption"
  2⤵
  PID:1868
- C:\Windows\system32\find.exe
  find "0x1"
  2⤵
  PID:4292
- C:\Windows\system32\reg.exe
  reg query "HKLM\SYSTEM\CurrentControlSet\Services\nvlddmkm" /v "DisableCudaContextPreemption"
  2⤵
  PID:3760
- C:\Windows\system32\find.exe
  find "0x1"
  2⤵
  PID:456
- C:\Windows\system32\reg.exe
  reg query "HKLM\SYSTEM\CurrentControlSet\Services\nvlddmkm" /v "EnableCEPreemption"
  2⤵
  PID:3620
- C:\Windows\system32\find.exe
  find "0x0"
  2⤵
  PID:1308
- C:\Windows\system32\reg.exe
  reg query "HKLM\SYSTEM\CurrentControlSet\Services\nvlddmkm" /v "DisablePreemptionOnS3S4"
  2⤵
  PID:4572
- C:\Windows\system32\find.exe
  find "0x1"
  2⤵
  PID:832
- C:\Windows\system32\reg.exe
  reg query "HKLM\SYSTEM\CurrentControlSet\Services\nvlddmkm" /v "ComputePreemption"
  2⤵
  PID:2672
- C:\Windows\system32\find.exe
  find "0x0"
  2⤵
  PID:1012
- C:\Windows\system32\reg.exe
  reg query "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\csrss.exe\PerfOptions" /v CpuPriorityClass
  2⤵
  PID:5048
- C:\Windows\system32\find.exe
  find "0x4"
  2⤵
  PID:3828
- C:\Windows\system32\reg.exe
  reg query "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\csrss.exe\PerfOptions" /v IoPriority
  2⤵
  PID:4396
- C:\Windows\system32\find.exe
  find "0x3"
  2⤵
  PID:4868
- C:\Windows\system32\reg.exe
  reg query "HKCU\Software\HoneCTRL" /v "AllGPUTweaks"
  2⤵
  PID:4952
- C:\Windows\system32\reg.exe
  reg query "HKCU\Software\HoneCTRL" /v "NpiTweaks"
  2⤵
  PID:2572
- C:\Windows\system32\reg.exe
  reg query "HKCU\Software\HoneCTRL" /v "TCPIP"
  2⤵
  PID:4532
- C:\Windows\system32\reg.exe
  reg query "HKCU\Software\HoneCTRL" /v "NvidiaTweaks"
  2⤵
  PID:376
- C:\Windows\system32\reg.exe
  reg query "HKCU\Software\HoneCTRL" /v "MemoryTweaks"
  2⤵
  PID:3908
- C:\Windows\system32\reg.exe
  reg query "HKCU\Software\HoneCTRL" /v "InternetTweaks"
  2⤵
  PID:4016
- C:\Windows\system32\reg.exe
  reg query "HKCU\Software\HoneCTRL" /v "ServicesTweaks"
  2⤵
  PID:4048
- C:\Windows\system32\reg.exe
  reg query "HKCU\Software\HoneCTRL" /v "DebloatTweaks"
  2⤵
  PID:2612
- C:\Windows\system32\reg.exe
  reg query "HKCU\Software\HoneCTRL" /v "MitigationsTweaks"
  2⤵
  PID:3776
- C:\Windows\system32\reg.exe
  reg query "HKCU\Software\HoneCTRL" /v "AffinityTweaks"
  2⤵
  PID:5080
- C:\Windows\system32\reg.exe
  reg query "HKLM\SYSTEM\CurrentControlSet\Services\nvlddmkm" /v "DisableWriteCombining"
  2⤵
  PID:2200
- C:\Windows\system32\reg.exe
  reg query "HKCU\Control Panel\Mouse" /v "SmoothMouseYCurve"
  2⤵
  PID:5024
- C:\Windows\system32\find.exe
  find "0000000000000000000038000000000000007000000000000000A800000000000000E00000000000"
  2⤵
  PID:2436
- C:\Windows\system32\reg.exe
  reg query "HKLM\SOFTWARE\Intel\GMM" /v "DedicatedSegmentSize"
  2⤵
  PID:3840
- C:\Windows\system32\find.exe
  find "0x400"
  2⤵
  PID:5100
- C:\Windows\system32\sc.exe
  sc query STR
  2⤵
  - Launches sc.exe
  PID:1124
- C:\Windows\system32\find.exe
  find "RUNNING"
  2⤵
  PID:2756
- C:\Windows\system32\sc.exe
  sc query HoneCTRLAudio
  2⤵
  - Launches sc.exe
  PID:3932
- C:\Windows\system32\find.exe
  find "RUNNING"
  2⤵
  PID:464
- C:\Windows\System32\Wbem\WMIC.exe
  wmic path Win32_Battery Get BatteryStatus
  2⤵
  PID:1940
- C:\Windows\system32\find.exe
  find "1"
  2⤵
  PID:3240
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic path Win32_VideoController get VideoProcessor /value
  2⤵
  PID:2904
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic path Win32_VideoController get VideoProcessor /value
    3⤵
    PID:780
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo SeaBIOS VBE(C) 2011 "
  2⤵
  PID:652
- C:\Windows\system32\find.exe
  find "GeForce"
  2⤵
  PID:3296
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo SeaBIOS VBE(C) 2011 "
  2⤵
  PID:928
- C:\Windows\system32\find.exe
  find "NVIDIA"
  2⤵
  PID:4380
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo SeaBIOS VBE(C) 2011 "
  2⤵
  PID:2364
- C:\Windows\system32\find.exe
  find "RTX"
  2⤵
  PID:512
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo SeaBIOS VBE(C) 2011 "
  2⤵
  PID:1188
- C:\Windows\system32\find.exe
  find "GTX"
  2⤵
  PID:2160
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo SeaBIOS VBE(C) 2011 "
  2⤵
  PID:4584
- C:\Windows\system32\find.exe
  find "AMD"
  2⤵
  PID:3004
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo SeaBIOS VBE(C) 2011 "
  2⤵
  PID:4032
- C:\Windows\system32\find.exe
  find "Ryzen"
  2⤵
  PID:4568
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo SeaBIOS VBE(C) 2011 "
  2⤵
  PID:3064
- C:\Windows\system32\find.exe
  find "Intel"
  2⤵
  PID:452
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo SeaBIOS VBE(C) 2011 "
  2⤵
  PID:716
- C:\Windows\system32\find.exe
  find "UHD"
  2⤵
  PID:2676
- C:\Windows\system32\reg.exe
  reg add "HKCU\Software\HoneCTRL" /v "MSIModeTweaks" /f
  2⤵
  PID:3188
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic path win32_VideoController get PNPDeviceID | findstr /L "VEN_"
  2⤵
  PID:2060
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic path win32_VideoController get PNPDeviceID
    3⤵
    PID:4132
- - C:\Windows\system32\findstr.exe
    findstr /L "VEN_"
    3⤵
    PID:4964
- C:\Windows\system32\reg.exe
  reg add "HKLM\SYSTEM\CurrentControlSet\Enum\PCI\VEN_1234&DEV_1111&SUBSYS_11001AF4&REV_02\3&11583659&0&08\Device Parameters\Interrupt Management\MessageSignaledInterruptProperties" /v "MSISupported" /t REG_DWORD /d "1" /f
  2⤵
  PID:2512
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic path win32_VideoController get PNPDeviceID | findstr /L "VEN_"
  2⤵
  PID:5036
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic path win32_VideoController get PNPDeviceID
    3⤵
    PID:4504
- - C:\Windows\system32\findstr.exe
    findstr /L "VEN_"
    3⤵
    PID:1376
- C:\Windows\system32\reg.exe
  reg delete "HKLM\System\CurrentControlSet\Enum\PCI\VEN_1234&DEV_1111&SUBSYS_11001AF4&REV_02\3&11583659&0&08\Device Parameters\Interrupt Management\Affinity Policy" /v "DevicePriority" /f
  2⤵
  PID:3876
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic path Win32_NetworkAdapter get PNPDeviceID | findstr /L "VEN_"
  2⤵
  PID:3552
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic path Win32_NetworkAdapter get PNPDeviceID
    3⤵
    PID:2884
- - C:\Windows\system32\findstr.exe
    findstr /L "VEN_"
    3⤵
    PID:3612
- C:\Windows\system32\reg.exe
  reg add "HKLM\SYSTEM\CurrentControlSet\Enum\PCI\VEN_10EC&DEV_8139&SUBSYS_11001AF4&REV_20\3&11583659&0&18\Device Parameters\Interrupt Management\MessageSignaledInterruptProperties" /v "MSISupported" /t REG_DWORD /d "1" /f
  2⤵
  PID:2360
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic path Win32_NetworkAdapter get PNPDeviceID | findstr /L "VEN_"
  2⤵
  PID:1920
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic path Win32_NetworkAdapter get PNPDeviceID
    3⤵
    PID:4388
- - C:\Windows\system32\findstr.exe
    findstr /L "VEN_"
    3⤵
    PID:1272
- C:\Windows\system32\reg.exe
  reg delete "HKLM\System\CurrentControlSet\Enum\PCI\VEN_10EC&DEV_8139&SUBSYS_11001AF4&REV_20\3&11583659&0&18\Device Parameters\Interrupt Management\Affinity Policy" /v "DevicePriority" /f
  2⤵
  PID:2304
- C:\Windows\system32\mode.com
  Mode 130,45
  2⤵
  PID:1332
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic path win32_VideoController get PNPDeviceID | findstr /L "VEN_"
  2⤵
  PID:3128
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic path win32_VideoController get PNPDeviceID
    3⤵
    PID:4344
- - C:\Windows\system32\findstr.exe
    findstr /L "VEN_"
    3⤵
    PID:1812
- C:\Windows\system32\reg.exe
  reg query "HKLM\SYSTEM\CurrentControlSet\Enum\PCI\VEN_1234&DEV_1111&SUBSYS_11001AF4&REV_02\3&11583659&0&08\Device Parameters\Interrupt Management\MessageSignaledInterruptProperties" /v "MSISupported"
  2⤵
  PID:920
- C:\Windows\system32\find.exe
  find "0x1"
  2⤵
  PID:1528
- C:\Windows\system32\reg.exe
  reg query "HKLM\System\CurrentControlSet\Enum\PCI\VEN_1234&DEV_1111&SUBSYS_11001AF4&REV_02\3&11583659&0&08\Device Parameters\Interrupt Management\Affinity Policy" /v "DevicePriority"
  2⤵
  PID:760
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic path Win32_NetworkAdapter get PNPDeviceID | findstr /L "VEN_"
  2⤵
  PID:372
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic path Win32_NetworkAdapter get PNPDeviceID
    3⤵
    PID:1804
- - C:\Windows\system32\findstr.exe
    findstr /L "VEN_"
    3⤵
    PID:3504
- C:\Windows\system32\reg.exe
  reg query "HKLM\SYSTEM\CurrentControlSet\Enum\PCI\VEN_10EC&DEV_8139&SUBSYS_11001AF4&REV_20\3&11583659&0&18\Device Parameters\Interrupt Management\MessageSignaledInterruptProperties" /v "MSISupported"
  2⤵
  PID:220
- C:\Windows\system32\find.exe
  find "0x1"
  2⤵
  PID:2696
- C:\Windows\system32\reg.exe
  reg query "HKLM\System\CurrentControlSet\Enum\PCI\VEN_10EC&DEV_8139&SUBSYS_11001AF4&REV_20\3&11583659&0&18\Device Parameters\Interrupt Management\Affinity Policy" /v "DevicePriority"
  2⤵
  PID:4944
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic os get TotalVisibleMemorySize /value
  2⤵
  PID:1656
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic os get TotalVisibleMemorySize /value
    3⤵
    PID:4092
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg query "HKLM\SYSTEM\CurrentControlSet\Control" /v "SvcHostSplitThresholdInKB"
  2⤵
  PID:4308
- - C:\Windows\system32\reg.exe
    reg query "HKLM\SYSTEM\CurrentControlSet\Control" /v "SvcHostSplitThresholdInKB"
    3⤵
    PID:4152
- C:\Windows\system32\reg.exe
  reg query "HKCU\Software\HoneCTRL" /v "NVTTweaks"
  2⤵
  PID:3792
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg query "HKLM\System\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}" /t REG_SZ /s /e /f "NVIDIA" | findstr "HKEY"
  2⤵
  PID:4292
- - C:\Windows\system32\reg.exe
    reg query "HKLM\System\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}" /t REG_SZ /s /e /f "NVIDIA"
    3⤵
    PID:812
- - C:\Windows\system32\findstr.exe
    findstr "HKEY"
    3⤵
    PID:1296
- C:\Windows\system32\reg.exe
  reg query "HKLM\SYSTEM\CurrentControlSet\Services\nvlddmkm" /v "DisablePreemption"
  2⤵
  PID:3768
- C:\Windows\system32\find.exe
  find "0x1"
  2⤵
  PID:2376
- C:\Windows\system32\reg.exe
  reg query "HKLM\SYSTEM\CurrentControlSet\Services\nvlddmkm" /v "DisableCudaContextPreemption"
  2⤵
  PID:212
- C:\Windows\system32\find.exe
  find "0x1"
  2⤵
  PID:4760
- C:\Windows\system32\reg.exe
  reg query "HKLM\SYSTEM\CurrentControlSet\Services\nvlddmkm" /v "EnableCEPreemption"
  2⤵
  PID:4648
- C:\Windows\system32\find.exe
  find "0x0"
  2⤵
  PID:2308
- C:\Windows\system32\reg.exe
  reg query "HKLM\SYSTEM\CurrentControlSet\Services\nvlddmkm" /v "DisablePreemptionOnS3S4"
  2⤵
  PID:5048
- C:\Windows\system32\find.exe
  find "0x1"
  2⤵
  PID:1336
- C:\Windows\system32\reg.exe
  reg query "HKLM\SYSTEM\CurrentControlSet\Services\nvlddmkm" /v "ComputePreemption"
  2⤵
  PID:4396
- C:\Windows\system32\find.exe
  find "0x0"
  2⤵
  PID:5092
- C:\Windows\system32\reg.exe
  reg query "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\csrss.exe\PerfOptions" /v CpuPriorityClass
  2⤵
  PID:4832
- C:\Windows\system32\find.exe
  find "0x4"
  2⤵
  PID:1844
- C:\Windows\system32\reg.exe
  reg query "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\csrss.exe\PerfOptions" /v IoPriority
  2⤵
  PID:1520
- C:\Windows\system32\find.exe
  find "0x3"
  2⤵
  PID:3048
- C:\Windows\system32\reg.exe
  reg query "HKCU\Software\HoneCTRL" /v "AllGPUTweaks"
  2⤵
  PID:4880
- C:\Windows\system32\reg.exe
  reg query "HKCU\Software\HoneCTRL" /v "NpiTweaks"
  2⤵
  PID:2660
- C:\Windows\system32\reg.exe
  reg query "HKCU\Software\HoneCTRL" /v "TCPIP"
  2⤵
  PID:3392
- C:\Windows\system32\reg.exe
  reg query "HKCU\Software\HoneCTRL" /v "NvidiaTweaks"
  2⤵
  PID:540
- C:\Windows\system32\reg.exe
  reg query "HKCU\Software\HoneCTRL" /v "MemoryTweaks"
  2⤵
  PID:1504
- C:\Windows\system32\reg.exe
  reg query "HKCU\Software\HoneCTRL" /v "InternetTweaks"
  2⤵
  PID:2456
- C:\Windows\system32\reg.exe
  reg query "HKCU\Software\HoneCTRL" /v "ServicesTweaks"
  2⤵
  PID:3688
- C:\Windows\system32\reg.exe
  reg query "HKCU\Software\HoneCTRL" /v "DebloatTweaks"
  2⤵
  PID:1096
- C:\Windows\system32\reg.exe
  reg query "HKCU\Software\HoneCTRL" /v "MitigationsTweaks"
  2⤵
  PID:2684
- C:\Windows\system32\reg.exe
  reg query "HKCU\Software\HoneCTRL" /v "AffinityTweaks"
  2⤵
  PID:5024
- C:\Windows\system32\reg.exe
  reg query "HKLM\SYSTEM\CurrentControlSet\Services\nvlddmkm" /v "DisableWriteCombining"
  2⤵
  PID:2216
- C:\Windows\system32\reg.exe
  reg query "HKCU\Control Panel\Mouse" /v "SmoothMouseYCurve"
  2⤵
  PID:4928
- C:\Windows\system32\find.exe
  find "0000000000000000000038000000000000007000000000000000A800000000000000E00000000000"
  2⤵
  PID:1404
- C:\Windows\system32\reg.exe
  reg query "HKLM\SOFTWARE\Intel\GMM" /v "DedicatedSegmentSize"
  2⤵
  PID:1124
- C:\Windows\system32\find.exe
  find "0x400"
  2⤵
  PID:3812
- C:\Windows\system32\sc.exe
  sc query STR
  2⤵
  - Launches sc.exe
  PID:3932
- C:\Windows\system32\find.exe
  find "RUNNING"
  2⤵
  PID:3284
- C:\Windows\system32\sc.exe
  sc query HoneCTRLAudio
  2⤵
  - Launches sc.exe
  PID:636
- C:\Windows\system32\find.exe
  find "RUNNING"
  2⤵
  PID:1204
- C:\Windows\System32\Wbem\WMIC.exe
  wmic path Win32_Battery Get BatteryStatus
  2⤵
  PID:1692
- C:\Windows\system32\find.exe
  find "1"
  2⤵
  PID:4508
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic path Win32_VideoController get VideoProcessor /value
  2⤵
  PID:3356
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic path Win32_VideoController get VideoProcessor /value
    3⤵
    PID:2904
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo SeaBIOS VBE(C) 2011 "
  2⤵
  PID:3296
- C:\Windows\system32\find.exe
  find "GeForce"
  2⤵
  PID:5004
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo SeaBIOS VBE(C) 2011 "
  2⤵
  PID:4380
- C:\Windows\system32\find.exe
  find "NVIDIA"
  2⤵
  PID:1496
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo SeaBIOS VBE(C) 2011 "
  2⤵
  PID:512
- C:\Windows\system32\find.exe
  find "RTX"
  2⤵
  PID:3764
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo SeaBIOS VBE(C) 2011 "
  2⤵
  PID:2160
- C:\Windows\system32\find.exe
  find "GTX"
  2⤵
  PID:1884
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo SeaBIOS VBE(C) 2011 "
  2⤵
  PID:2532
- C:\Windows\system32\find.exe
  find "AMD"
  2⤵
  PID:4916
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo SeaBIOS VBE(C) 2011 "
  2⤵
  PID:4584
- C:\Windows\system32\find.exe
  find "Ryzen"
  2⤵
  PID:1468
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo SeaBIOS VBE(C) 2011 "
  2⤵
  PID:3064
- C:\Windows\system32\find.exe
  find "Intel"
  2⤵
  PID:3924
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo SeaBIOS VBE(C) 2011 "
  2⤵
  PID:716
- C:\Windows\system32\find.exe
  find "UHD"
  2⤵
  PID:3020
- C:\Windows\system32\reg.exe
  reg add "HKCU\Control Panel\Mouse" /v "MouseSpeed" /t REG_SZ /d "0" /f
  2⤵
  PID:3780
- C:\Windows\system32\reg.exe
  reg add "HKCU\Control Panel\Mouse" /v "MouseThreshold1" /t REG_SZ /d "0" /f
  2⤵
  PID:1964
- C:\Windows\system32\reg.exe
  reg add "HKCU\Control Panel\Mouse" /v "MouseThreshold2" /t REG_SZ /d "0" /f
  2⤵
  PID:4132
- C:\Windows\system32\reg.exe
  reg add "HKCU\Control Panel\Mouse" /v "MouseSensitivity" /t REG_SZ /d "10" /f
  2⤵
  PID:4964
- C:\Windows\system32\reg.exe
  reg add "HKCU\Control Panel\Mouse" /v "SmoothMouseYCurve" /t REG_BINARY /d "0000000000000000000038000000000000007000000000000000A800000000000000E00000000000" /f
  2⤵
  PID:3368
- C:\Windows\system32\control.exe
  control.exe desk.cpl,Settings,@Settings
  2⤵
  PID:888
- - C:\Windows\system32\rundll32.exe
    "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL desk.cpl,Settings,@Settings
    3⤵
    - Checks computer location settings
    PID:4504
  - - C:\Windows\explorer.exe
      "C:\Windows\explorer.exe" ms-settings:display
      4⤵
      PID:4616
- C:\Windows\system32\reg.exe
  reg add "HKCU\Control Panel\Mouse" /v "SmoothMouseXCurve" /t REG_BINARY /d "0000000000000000C0CC0C0000000000809919000000000040662600000000000033330000000000" /f
  2⤵
  PID:1832
- C:\Windows\system32\cmd.exe
  cmd /V:ON /C @echo off
  2⤵
  PID:516
- C:\Windows\system32\mode.com
  Mode 65,16
  2⤵
  PID:4636
- C:\Windows\system32\mode.com
  Mode 130,45
  2⤵
  PID:376
- C:\Windows\system32\mode.com
  Mode 130,45
  2⤵
  PID:1900
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic path win32_VideoController get PNPDeviceID | findstr /L "VEN_"
  2⤵
  PID:4288
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic path win32_VideoController get PNPDeviceID
    3⤵
    PID:4048
- - C:\Windows\system32\findstr.exe
    findstr /L "VEN_"
    3⤵
    PID:3176
- C:\Windows\system32\reg.exe
  reg query "HKLM\SYSTEM\CurrentControlSet\Enum\PCI\VEN_1234&DEV_1111&SUBSYS_11001AF4&REV_02\3&11583659&0&08\Device Parameters\Interrupt Management\MessageSignaledInterruptProperties" /v "MSISupported"
  2⤵
  PID:4312
- C:\Windows\system32\find.exe
  find "0x1"
  2⤵
  PID:1064
- C:\Windows\system32\reg.exe
  reg query "HKLM\System\CurrentControlSet\Enum\PCI\VEN_1234&DEV_1111&SUBSYS_11001AF4&REV_02\3&11583659&0&08\Device Parameters\Interrupt Management\Affinity Policy" /v "DevicePriority"
  2⤵
  PID:2200
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic path Win32_NetworkAdapter get PNPDeviceID | findstr /L "VEN_"
  2⤵
  PID:3688
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic path Win32_NetworkAdapter get PNPDeviceID
    3⤵
    PID:4676
- - C:\Windows\system32\findstr.exe
    findstr /L "VEN_"
    3⤵
    PID:1460
- C:\Windows\system32\reg.exe
  reg query "HKLM\SYSTEM\CurrentControlSet\Enum\PCI\VEN_10EC&DEV_8139&SUBSYS_11001AF4&REV_20\3&11583659&0&18\Device Parameters\Interrupt Management\MessageSignaledInterruptProperties" /v "MSISupported"
  2⤵
  PID:4928
- C:\Windows\system32\find.exe
  find "0x1"
  2⤵
  PID:4744
- C:\Windows\system32\reg.exe
  reg query "HKLM\System\CurrentControlSet\Enum\PCI\VEN_10EC&DEV_8139&SUBSYS_11001AF4&REV_20\3&11583659&0&18\Device Parameters\Interrupt Management\Affinity Policy" /v "DevicePriority"
  2⤵
  PID:1124
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic os get TotalVisibleMemorySize /value
  2⤵
  PID:4452
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic os get TotalVisibleMemorySize /value
    3⤵
    PID:3932
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg query "HKLM\SYSTEM\CurrentControlSet\Control" /v "SvcHostSplitThresholdInKB"
  2⤵
  PID:1068
- - C:\Windows\system32\reg.exe
    reg query "HKLM\SYSTEM\CurrentControlSet\Control" /v "SvcHostSplitThresholdInKB"
    3⤵
    PID:4304
- C:\Windows\system32\reg.exe
  reg query "HKCU\Software\HoneCTRL" /v "NVTTweaks"
  2⤵
  PID:3964
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg query "HKLM\System\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}" /t REG_SZ /s /e /f "NVIDIA" | findstr "HKEY"
  2⤵
  PID:4924
- - C:\Windows\system32\reg.exe
    reg query "HKLM\System\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}" /t REG_SZ /s /e /f "NVIDIA"
    3⤵
    PID:4080
- - C:\Windows\system32\findstr.exe
    findstr "HKEY"
    3⤵
    PID:2316
- C:\Windows\system32\reg.exe
  reg query "HKLM\SYSTEM\CurrentControlSet\Services\nvlddmkm" /v "DisablePreemption"
  2⤵
  PID:780
- C:\Windows\system32\find.exe
  find "0x1"
  2⤵
  PID:928
- C:\Windows\system32\reg.exe
  reg query "HKLM\SYSTEM\CurrentControlSet\Services\nvlddmkm" /v "DisableCudaContextPreemption"
  2⤵
  PID:1556
- C:\Windows\system32\find.exe
  find "0x1"
  2⤵
  PID:2364
- C:\Windows\system32\reg.exe
  reg query "HKLM\SYSTEM\CurrentControlSet\Services\nvlddmkm" /v "EnableCEPreemption"
  2⤵
  PID:1476
- C:\Windows\system32\find.exe
  find "0x0"
  2⤵
  PID:1188
- C:\Windows\system32\reg.exe
  reg query "HKLM\SYSTEM\CurrentControlSet\Services\nvlddmkm" /v "DisablePreemptionOnS3S4"
  2⤵
  PID:3280
- C:\Windows\system32\find.exe
  find "0x1"
  2⤵
  PID:4776
- C:\Windows\system32\reg.exe
  reg query "HKLM\SYSTEM\CurrentControlSet\Services\nvlddmkm" /v "ComputePreemption"
  2⤵
  PID:3004
- C:\Windows\system32\find.exe
  find "0x0"
  2⤵
  PID:1884
- C:\Windows\system32\reg.exe
  reg query "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\csrss.exe\PerfOptions" /v CpuPriorityClass
  2⤵
  PID:4568
- C:\Windows\system32\find.exe
  find "0x4"
  2⤵
  PID:4916
- C:\Windows\system32\reg.exe
  reg query "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\csrss.exe\PerfOptions" /v IoPriority
  2⤵
  PID:784
- C:\Windows\system32\find.exe
  find "0x3"
  2⤵
  PID:1468
- C:\Windows\system32\reg.exe
  reg query "HKCU\Software\HoneCTRL" /v "AllGPUTweaks"
  2⤵
  PID:4608
- C:\Windows\system32\reg.exe
  reg query "HKCU\Software\HoneCTRL" /v "NpiTweaks"
  2⤵
  PID:2416
- C:\Windows\system32\reg.exe
  reg query "HKCU\Software\HoneCTRL" /v "TCPIP"
  2⤵
  PID:4852
- C:\Windows\system32\reg.exe
  reg query "HKCU\Software\HoneCTRL" /v "NvidiaTweaks"
  2⤵
  PID:1340
- C:\Windows\system32\reg.exe
  reg query "HKCU\Software\HoneCTRL" /v "MemoryTweaks"
  2⤵
  PID:2692
- C:\Windows\system32\reg.exe
  reg query "HKCU\Software\HoneCTRL" /v "InternetTweaks"
  2⤵
  PID:3220
- C:\Windows\system32\reg.exe
  reg query "HKCU\Software\HoneCTRL" /v "ServicesTweaks"
  2⤵
  PID:2424
- C:\Windows\system32\reg.exe
  reg query "HKCU\Software\HoneCTRL" /v "DebloatTweaks"
  2⤵
  PID:2008
- C:\Windows\system32\reg.exe
  reg query "HKCU\Software\HoneCTRL" /v "MitigationsTweaks"
  2⤵
  PID:4856
- C:\Windows\system32\reg.exe
  reg query "HKCU\Software\HoneCTRL" /v "AffinityTweaks"
  2⤵
  PID:4124
- C:\Windows\system32\reg.exe
  reg query "HKLM\SYSTEM\CurrentControlSet\Services\nvlddmkm" /v "DisableWriteCombining"
  2⤵
  PID:3444
- C:\Windows\system32\reg.exe
  reg query "HKCU\Control Panel\Mouse" /v "SmoothMouseYCurve"
  2⤵
  PID:3432
- C:\Windows\system32\find.exe
  find "0000000000000000000038000000000000007000000000000000A800000000000000E00000000000"
  2⤵
  PID:692
- C:\Windows\system32\reg.exe
  reg query "HKLM\SOFTWARE\Intel\GMM" /v "DedicatedSegmentSize"
  2⤵
  PID:1156
- C:\Windows\system32\find.exe
  find "0x400"
  2⤵
  PID:1756
- C:\Windows\system32\sc.exe
  sc query STR
  2⤵
  - Launches sc.exe
  PID:2356
- C:\Windows\system32\find.exe
  find "RUNNING"
  2⤵
  PID:4132
- C:\Windows\system32\sc.exe
  sc query HoneCTRLAudio
  2⤵
  - Launches sc.exe
  PID:4332
- C:\Windows\system32\find.exe
  find "RUNNING"
  2⤵
  PID:4672
- C:\Windows\System32\Wbem\WMIC.exe
  wmic path Win32_Battery Get BatteryStatus
  2⤵
  PID:1400
- C:\Windows\system32\find.exe
  find "1"
  2⤵
  PID:4536
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic path Win32_VideoController get VideoProcessor /value
  2⤵
  PID:4764
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic path Win32_VideoController get VideoProcessor /value
    3⤵
    PID:1428
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo SeaBIOS VBE(C) 2011 "
  2⤵
  PID:3312
- C:\Windows\system32\find.exe
  find "GeForce"
  2⤵
  PID:3876
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo SeaBIOS VBE(C) 2011 "
  2⤵
  PID:2236
- C:\Windows\system32\find.exe
  find "NVIDIA"
  2⤵
  PID:1012
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo SeaBIOS VBE(C) 2011 "
  2⤵
  PID:1804
- C:\Windows\system32\find.exe
  find "RTX"
  2⤵
  PID:3740
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo SeaBIOS VBE(C) 2011 "
  2⤵
  PID:4624
- C:\Windows\system32\find.exe
  find "GTX"
  2⤵
  PID:1060
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo SeaBIOS VBE(C) 2011 "
  2⤵
  PID:4400
- C:\Windows\system32\find.exe
  find "AMD"
  2⤵
  PID:1832
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo SeaBIOS VBE(C) 2011 "
  2⤵
  PID:4396
- C:\Windows\system32\find.exe
  find "Ryzen"
  2⤵
  PID:1364
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo SeaBIOS VBE(C) 2011 "
  2⤵
  PID:4060
- C:\Windows\system32\find.exe
  find "Intel"
  2⤵
  PID:516
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo SeaBIOS VBE(C) 2011 "
  2⤵
  PID:3048
- C:\Windows\system32\find.exe
  find "UHD"
  2⤵
  PID:1900
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo [93mN/A "
  2⤵
  PID:2660
- C:\Windows\system32\find.exe
  find "N/A"
  2⤵
  PID:4880
- C:\Windows\system32\reg.exe
  reg add "HKCU\Software\HoneCTRL" /v "AllGPUTweaks" /f
  2⤵
  PID:4024
- C:\Windows\system32\reg.exe
  reg query "HKLM\System\CurrentControlSet\Control\GraphicsDrivers" /v "HwSchMode"
  2⤵
  PID:1096
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg query "HKLM\SYSTEM\CurrentControlSet\Control\Class" /v "VgaCompatible" /s | findstr "HKEY"
  2⤵
  PID:2208
- - C:\Windows\system32\reg.exe
    reg query "HKLM\SYSTEM\CurrentControlSet\Control\Class" /v "VgaCompatible" /s
    3⤵
    PID:5024
- - C:\Windows\system32\findstr.exe
    findstr "HKEY"
    3⤵
    PID:4676
- C:\Windows\system32\reg.exe
  reg add "HKCU\Software\Microsoft\GameBar" /v "AllowAutoGameMode" /t Reg_DWORD /d "1" /f
  2⤵
  PID:1684
- C:\Windows\system32\reg.exe
  reg add "HKCU\Software\Microsoft\GameBar" /v "AutoGameModeEnabled" /t Reg_DWORD /d "1" /f
  2⤵
  PID:1404
- C:\Windows\system32\reg.exe
  reg add "HKCU\System\GameConfigStore" /v "GameDVR_Enabled" /t REG_DWORD /d "0" /f
  2⤵
  PID:1016
- C:\Windows\system32\reg.exe
  reg add "HKCU\System\GameConfigStore" /v "GameDVR_FSEBehaviorMode" /t REG_DWORD /d "2" /f
  2⤵
  PID:3984
- C:\Windows\system32\reg.exe
  reg add "HKCU\System\GameConfigStore" /v "GameDVR_FSEBehavior" /t REG_DWORD /d "2" /f
  2⤵
  PID:3848
- C:\Windows\system32\reg.exe
  reg add "HKCU\System\GameConfigStore" /v "GameDVR_HonorUserFSEBehaviorMode" /t REG_DWORD /d "1" /f
  2⤵
  PID:4136
- C:\Windows\system32\reg.exe
  reg add "HKCU\System\GameConfigStore" /v "GameDVR_DXGIHonorFSEWindowsCompatible" /t REG_DWORD /d "1" /f
  2⤵
  PID:3796
- C:\Windows\system32\reg.exe
  reg add "HKCU\System\GameConfigStore" /v "GameDVR_EFSEFeatureFlags" /t REG_DWORD /d "0" /f
  2⤵
  PID:1140
- C:\Windows\system32\reg.exe
  reg add "HKCU\System\GameConfigStore" /v "GameDVR_DSEBehavior" /t REG_DWORD /d "2" /f
  2⤵
  PID:1088
- C:\Windows\system32\reg.exe
  reg add "HKLM\SYSTEM\CurrentControlSet\Services\GpuEnergyDrv" /v "Start" /t Reg_DWORD /d "4" /f
  2⤵
  PID:3800
- C:\Windows\system32\reg.exe
  reg add "HKLM\SYSTEM\CurrentControlSet\Services\GpuEnergyDr" /v "Start" /t Reg_DWORD /d "4" /f
  2⤵
  PID:4264
- C:\Windows\system32\reg.exe
  reg add "HKLM\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\Scheduler" /v "EnablePreemption" /t Reg_DWORD /d "0" /f
  2⤵
  PID:4080
- C:\Windows\system32\mode.com
  Mode 130,45
  2⤵
  PID:3668
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic path win32_VideoController get PNPDeviceID | findstr /L "VEN_"
  2⤵
  PID:1492
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic path win32_VideoController get PNPDeviceID
    3⤵
    PID:780
- - C:\Windows\system32\findstr.exe
    findstr /L "VEN_"
    3⤵
    PID:2220
- C:\Windows\system32\reg.exe
  reg query "HKLM\SYSTEM\CurrentControlSet\Enum\PCI\VEN_1234&DEV_1111&SUBSYS_11001AF4&REV_02\3&11583659&0&08\Device Parameters\Interrupt Management\MessageSignaledInterruptProperties" /v "MSISupported"
  2⤵
  PID:232
- C:\Windows\system32\find.exe
  find "0x1"
  2⤵
  PID:2160
- C:\Windows\system32\reg.exe
  reg query "HKLM\System\CurrentControlSet\Enum\PCI\VEN_1234&DEV_1111&SUBSYS_11001AF4&REV_02\3&11583659&0&08\Device Parameters\Interrupt Management\Affinity Policy" /v "DevicePriority"
  2⤵
  PID:3004
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic path Win32_NetworkAdapter get PNPDeviceID | findstr /L "VEN_"
  2⤵
  PID:1884
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic path Win32_NetworkAdapter get PNPDeviceID
    3⤵
    PID:3208
- - C:\Windows\system32\findstr.exe
    findstr /L "VEN_"
    3⤵
    PID:4584
- C:\Windows\system32\reg.exe
  reg query "HKLM\SYSTEM\CurrentControlSet\Enum\PCI\VEN_10EC&DEV_8139&SUBSYS_11001AF4&REV_20\3&11583659&0&18\Device Parameters\Interrupt Management\MessageSignaledInterruptProperties" /v "MSISupported"
  2⤵
  PID:1468
- C:\Windows\system32\find.exe
  find "0x1"
  2⤵
  PID:3924
- C:\Windows\system32\reg.exe
  reg query "HKLM\System\CurrentControlSet\Enum\PCI\VEN_10EC&DEV_8139&SUBSYS_11001AF4&REV_20\3&11583659&0&18\Device Parameters\Interrupt Management\Affinity Policy" /v "DevicePriority"
  2⤵
  PID:2416
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic os get TotalVisibleMemorySize /value
  2⤵
  PID:4852
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic os get TotalVisibleMemorySize /value
    3⤵
    PID:1340
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg query "HKLM\SYSTEM\CurrentControlSet\Control" /v "SvcHostSplitThresholdInKB"
  2⤵
  PID:3220
- - C:\Windows\system32\reg.exe
    reg query "HKLM\SYSTEM\CurrentControlSet\Control" /v "SvcHostSplitThresholdInKB"
    3⤵
    PID:2424
- C:\Windows\system32\reg.exe
  reg query "HKCU\Software\HoneCTRL" /v "NVTTweaks"
  2⤵
  PID:2008
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg query "HKLM\System\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}" /t REG_SZ /s /e /f "NVIDIA" | findstr "HKEY"
  2⤵
  PID:4856
- - C:\Windows\system32\reg.exe
    reg query "HKLM\System\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}" /t REG_SZ /s /e /f "NVIDIA"
    3⤵
    PID:4124
- - C:\Windows\system32\findstr.exe
    findstr "HKEY"
    3⤵
    PID:4828
- C:\Windows\system32\reg.exe
  reg query "HKLM\SYSTEM\CurrentControlSet\Services\nvlddmkm" /v "DisablePreemption"
  2⤵
  PID:3608
- C:\Windows\system32\find.exe
  find "0x1"
  2⤵
  PID:4812
- C:\Windows\system32\reg.exe
  reg query "HKLM\SYSTEM\CurrentControlSet\Services\nvlddmkm" /v "DisableCudaContextPreemption"
  2⤵
  PID:1156
- C:\Windows\system32\find.exe
  find "0x1"
  2⤵
  PID:4484
- C:\Windows\system32\reg.exe
  reg query "HKLM\SYSTEM\CurrentControlSet\Services\nvlddmkm" /v "EnableCEPreemption"
  2⤵
  PID:4456
- C:\Windows\system32\find.exe
  find "0x0"
  2⤵
  PID:4964
- C:\Windows\system32\reg.exe
  reg query "HKLM\SYSTEM\CurrentControlSet\Services\nvlddmkm" /v "DisablePreemptionOnS3S4"
  2⤵
  PID:3368
- C:\Windows\system32\find.exe
  find "0x1"
  2⤵
  PID:5112
- C:\Windows\system32\reg.exe
  reg query "HKLM\SYSTEM\CurrentControlSet\Services\nvlddmkm" /v "ComputePreemption"
  2⤵
  PID:1376
- C:\Windows\system32\find.exe
  find "0x0"
  2⤵
  PID:2036
- C:\Windows\system32\reg.exe
  reg query "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\csrss.exe\PerfOptions" /v CpuPriorityClass
  2⤵
  PID:3600
- C:\Windows\system32\find.exe
  find "0x4"
  2⤵
  PID:5020
- C:\Windows\system32\reg.exe
  reg query "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\csrss.exe\PerfOptions" /v IoPriority
  2⤵
  PID:3628
- C:\Windows\system32\find.exe
  find "0x3"
  2⤵
  PID:1528
- C:\Windows\system32\reg.exe
  reg query "HKCU\Software\HoneCTRL" /v "AllGPUTweaks"
  2⤵
  PID:1296
- C:\Windows\system32\reg.exe
  reg query "HKCU\Software\HoneCTRL" /v "NpiTweaks"
  2⤵
  PID:1852
- C:\Windows\system32\reg.exe
  reg query "HKCU\Software\HoneCTRL" /v "TCPIP"
  2⤵
  PID:3736
- C:\Windows\system32\reg.exe
  reg query "HKCU\Software\HoneCTRL" /v "NvidiaTweaks"
  2⤵
  PID:3576
- C:\Windows\system32\reg.exe
  reg query "HKCU\Software\HoneCTRL" /v "MemoryTweaks"
  2⤵
  PID:2892
- C:\Windows\system32\reg.exe
  reg query "HKCU\Software\HoneCTRL" /v "InternetTweaks"
  2⤵
  PID:2736
- C:\Windows\system32\reg.exe
  reg query "HKCU\Software\HoneCTRL" /v "ServicesTweaks"
  2⤵
  PID:3748
- C:\Windows\system32\reg.exe
  reg query "HKCU\Software\HoneCTRL" /v "DebloatTweaks"
  2⤵
  PID:4408
- C:\Windows\system32\reg.exe
  reg query "HKCU\Software\HoneCTRL" /v "MitigationsTweaks"
  2⤵
  PID:4636
- C:\Windows\system32\reg.exe
  reg query "HKCU\Software\HoneCTRL" /v "AffinityTweaks"
  2⤵
  PID:5092
- C:\Windows\system32\reg.exe
  reg query "HKLM\SYSTEM\CurrentControlSet\Services\nvlddmkm" /v "DisableWriteCombining"
  2⤵
  PID:1452
- C:\Windows\system32\reg.exe
  reg query "HKCU\Control Panel\Mouse" /v "SmoothMouseYCurve"
  2⤵
  PID:4240
- C:\Windows\system32\find.exe
  find "0000000000000000000038000000000000007000000000000000A800000000000000E00000000000"
  2⤵
  PID:1364
- C:\Windows\system32\reg.exe
  reg query "HKLM\SOFTWARE\Intel\GMM" /v "DedicatedSegmentSize"
  2⤵
  PID:376
- C:\Windows\system32\find.exe
  find "0x400"
  2⤵
  PID:516
- C:\Windows\system32\sc.exe
  sc query STR
  2⤵
  - Launches sc.exe
  PID:3048
- C:\Windows\system32\find.exe
  find "RUNNING"
  2⤵
  PID:1628
- C:\Windows\system32\sc.exe
  sc query HoneCTRLAudio
  2⤵
  - Launches sc.exe
  PID:4100
- C:\Windows\system32\find.exe
  find "RUNNING"
  2⤵
  PID:3176
- C:\Windows\System32\Wbem\WMIC.exe
  wmic path Win32_Battery Get BatteryStatus
  2⤵
  PID:4628
- C:\Windows\system32\find.exe
  find "1"
  2⤵
  PID:1504
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic path Win32_VideoController get VideoProcessor /value
  2⤵
  PID:4140
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic path Win32_VideoController get VideoProcessor /value
    3⤵
    PID:3836
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo SeaBIOS VBE(C) 2011 "
  2⤵
  PID:5100
- C:\Windows\system32\find.exe
  find "GeForce"
  2⤵
  PID:1460
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo SeaBIOS VBE(C) 2011 "
  2⤵
  PID:2208
- C:\Windows\system32\find.exe
  find "NVIDIA"
  2⤵
  PID:2756
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo SeaBIOS VBE(C) 2011 "
  2⤵
  PID:3812
- C:\Windows\system32\find.exe
  find "RTX"
  2⤵
  PID:4144
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo SeaBIOS VBE(C) 2011 "
  2⤵
  PID:4596
- C:\Windows\system32\find.exe
  find "GTX"
  2⤵
  PID:236
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo SeaBIOS VBE(C) 2011 "
  2⤵
  PID:4796
- C:\Windows\system32\find.exe
  find "AMD"
  2⤵
  PID:4056
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo SeaBIOS VBE(C) 2011 "
  2⤵
  PID:4508
- C:\Windows\system32\find.exe
  find "Ryzen"
  2⤵
  PID:2392
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo SeaBIOS VBE(C) 2011 "
  2⤵
  PID:2316
- C:\Windows\system32\find.exe
  find "Intel"
  2⤵
  PID:2904
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo SeaBIOS VBE(C) 2011 "
  2⤵
  PID:3272
- C:\Windows\system32\find.exe
  find "UHD"
  2⤵
  PID:1556

C:\HoneCTRL\Resources\SetTimerResolutionService.exe
"C:\HoneCTRL\Resources\SetTimerResolutionService.exe"
1⤵
- Executes dropped EXE
PID:3644

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:4464

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DisplayEnhancementService
1⤵
PID:1924

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Image File Execution Options Injection

T1546.012

Privilege Escalation

Event Triggered Execution

T1546

Image File Execution Options Injection

T1546.012

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\HoneCTRL\Resources\SetTimerResolutionService.exe

Filesize
5KB

MD5
1f0556808bdb4bee6617212841616946

SHA1
f9981d0d4c6d9598411df3410ba32622f7ccc0d8

SHA256
004cb6e0fb1a27cd676582de32ea26fd901bc35adcab06511a3475eddbdfb0fe

SHA512
d5faaf420e90b91c0d9bc7d4374fa8547211b5bf28201681b2fe76153fc965ca38b0e18a32afc562b2ff55f8c6a5d3b1544cb6cb4962d2f8d14c9cd2cc3097a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Updater.bat

Filesize
14B

MD5
3ec4d92cfdc86f8ede0d362125733c69

SHA1
c68d3a824599ddb60f17cbf8134fdcfa26fec821

SHA256
1ade7fa03670cc4fa84a29ad99b131fb7a17267d38f7b7108b31aa8463096401

SHA512
6383ae89e3e825f0fd98a20ace5865a39866a0eb25d68dffd6824d4db0dec956d54b60f58c61cfe1de304f0985caaa5334461c83ed490e4ebb2a65e96d39acb0

Download Submit
memory/2512-4-0x00000000005F0000-0x00000000005FC000-memory.dmp

Filesize
48KB

Download
memory/2512-5-0x0000000004EC0000-0x0000000004EDA000-memory.dmp

Filesize
104KB

Download
memory/2512-9-0x0000000004EF0000-0x0000000004EF8000-memory.dmp

Filesize
32KB

Download
memory/2512-20-0x0000000004F80000-0x0000000004FA2000-memory.dmp

Filesize
136KB

Download
memory/2512-21-0x00000000055E0000-0x0000000005B84000-memory.dmp

Filesize
5.6MB

Download
memory/2512-22-0x00000000050D0000-0x0000000005162000-memory.dmp

Filesize
584KB

Download
memory/2512-26-0x0000000005030000-0x0000000005042000-memory.dmp

Filesize
72KB

Download
memory/2512-27-0x0000000005090000-0x00000000050CC000-memory.dmp

Filesize
240KB

Download
memory/3644-43-0x0000000000F80000-0x0000000000F88000-memory.dmp

Filesize
32KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads