hxxps://cdn[.]discordapp[.]com/attachments/850854604554895461/1271993054978379877/zion[.]exe?ex=66b95b58&is=66b809d8&hm=695201ca1acec349c5bbd4139504d31d00c24a218ae037c846f14484e7b603c1&

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "0"	zion.exe

UAC bypass 3 TTPs 4 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	zion.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	zion.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	zion.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	zion.exe

Modifies boot configuration data using bcdedit 20 IoCs

pid	Process
2764	bcdedit.exe
4584	bcdedit.exe
984	bcdedit.exe
1480	bcdedit.exe
4256	bcdedit.exe
4520	bcdedit.exe
2104	bcdedit.exe
1288	bcdedit.exe
3628	bcdedit.exe
1724	bcdedit.exe
2740	bcdedit.exe
3740	bcdedit.exe
4300	bcdedit.exe
812	bcdedit.exe
3560	bcdedit.exe
4452	bcdedit.exe
2220	bcdedit.exe
4324	bcdedit.exe
1480	bcdedit.exe
5004	bcdedit.exe

Disables taskbar notifications via registry modification
evasion
Downloads MZ/PE file

Event Triggered Execution: Image File Execution Options Injection 1 TTPs 12 IoCs

persistence

Image File Execution Options Injection

T1546.012

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\svchost.exe\MitigationOptions = 22222222222222222222222222222222	reg.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\csrss.exe\MitigationOptions = 22222222222222222222222222222222	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winlogon.exe	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\dwm.exe	reg.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\dwm.exe\MitigationOptions = 22222222222222222222222222222222	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\lsass.exe	reg.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\lsass.exe\MitigationOptions = 22222222222222222222222222222222	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\svchost.exe	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WmiPrvSE.exe	reg.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WmiPrvSE.exe\MitigationOptions = 22222222222222222222222222222222	reg.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winlogon.exe\MitigationOptions = 22222222222222222222222222222222	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\csrss.exe	reg.exe

Possible privilege escalation attempt 18 IoCs

exploit

pid	Process
2824	icacls.exe
1644	takeown.exe
2620	takeown.exe
4004	takeown.exe
3604	takeown.exe
4404	icacls.exe
1248	icacls.exe
1800	icacls.exe
4420	takeown.exe
964	icacls.exe
4028	icacls.exe
3656	icacls.exe
220	takeown.exe
2376	takeown.exe
2220	icacls.exe
980	takeown.exe
3936	icacls.exe
4348	takeown.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	zion.exe

Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
persistence privilege_escalation

Component Object Model Hijacking
T1546.015

Executes dropped EXE 1 IoCs

pid	Process
2528	zion.exe

Modifies file permissions 1 TTPs 18 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
220	takeown.exe
2824	icacls.exe
1248	icacls.exe
4420	takeown.exe
3936	icacls.exe
4348	takeown.exe
1644	takeown.exe
3656	icacls.exe
2376	takeown.exe
964	icacls.exe
4004	takeown.exe
980	takeown.exe
4028	icacls.exe
2620	takeown.exe
2220	icacls.exe
3604	takeown.exe
1800	icacls.exe
4404	icacls.exe

Modifies system executable filetype association 2 TTPs 1 IoCs

persistence

Modify Registry

Change Default File Association

T1546.001

description	ioc	Process
Key deleted	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\lnkfile\shellex\ContextMenuHandlers\ FileSyncEx	OneDriveSetup.exe

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

defense_evasion persistence privilege_escalation

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	zion.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	zion.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
2036	powershell.exe

Drops desktop.ini file(s) 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\OneDrive\desktop.ini	OneDriveSetup.exe

File and Directory Permissions Modification: Windows File and Directory Permissions Modification 1 TTPs
defense_evasion

Windows File and Directory Permissions Modification
T1222.001

Hijack Execution Flow: Executable Installer File Permissions Weakness 1 TTPs 1 IoCs

Possible Turn off User Account Control's privilege elevation for standard users.

Executable Installer File Permissions Weakness

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0"	zion.exe

Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Power Settings 1 TTPs 18 IoCs

powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.

persistence

Power Settings

T1653

pid	Process
1688	powercfg.exe
3304	reg.exe
4636	powercfg.exe
1692	powercfg.exe
652	powercfg.exe
2592	powercfg.exe
3120	powercfg.exe
2624	powercfg.exe
3548	reg.exe
2812	cmd.exe
4356	powercfg.exe
3612	powercfg.exe
916	powercfg.exe
4544	powercfg.exe
4052	powercfg.exe
2744	powercfg.exe
5032	powercfg.exe
3436	reg.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\Desktop\Wallpaper = "0"	zion.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\WindowsApps\MI92C9~1.0_X\Assets\NOTIFI~1.PNG	cmd.exe
File opened for modification	C:\Program Files\WindowsApps\MI10D6~1.0_X\APPXSI~1.P7X	cmd.exe
File opened for modification	C:\Program Files\WindowsApps\MI11B4~1.0_X\models\en-GB.PhoneNumber.ot	cmd.exe
File opened for modification	C:\Program Files\WindowsApps\MI4DB5~1.0_X\Assets\Images\SUGGES~1\PUSHPI~2.PNG	cmd.exe
File opened for modification	C:\Program Files\WindowsApps\MI32BC~1.0_X\Assets\CONTRA~2\LOGOSC~1.PNG	cmd.exe
File opened for modification	C:\Program Files\WindowsApps\MID5E5~1.0_X\Assets\CONTRA~2\AppList.targetsize-48_altform-unplated_contrast-white.png	cmd.exe
File opened for modification	C:\Program Files\WindowsApps\MI6712~1.SCA\APPXSI~1.P7X	cmd.exe
File opened for modification	C:\Program Files\WindowsApps\MI6F49~1.0_X\Assets\Logos\SQUARE~3\PAINTA~1.PNG	cmd.exe
File opened for modification	C:\Program Files\WindowsApps\MIB44A~1.0_X\Assets\SC7949~1.PNG	cmd.exe
File opened for modification	C:\Program Files\WindowsApps\MI32BC~1.0_X\Assets\AppList.targetsize-48_altform-lightunplated_devicefamily-colorfulunplated.png	cmd.exe
File opened for modification	C:\Program Files\WindowsApps\MID540~1.SCA\Assets\CONTRA~1\MIXEDR~2.PNG	cmd.exe
File opened for modification	C:\Program Files\WindowsApps\MI6F49~1.0_X\MSASIG~1.WIN	cmd.exe
File opened for modification	C:\Program Files\WindowsApps\MI67C7~1.0_X\Assets\SC3856~1.PNG	cmd.exe
File opened for modification	C:\Program Files\WindowsApps\MIB44A~1.0_X\Assets\CalculatorAppList.contrast-white_targetsize-30.png	cmd.exe
File opened for modification	C:\Program Files\WindowsApps\MI0A11~1.0_X\images\CONTRA~2\ONE746~1.PNG	cmd.exe
File opened for modification	C:\Program Files\WindowsApps\MI0A11~1.0_X\images\OneNoteNotebookMedTile.scale-400.png	cmd.exe
File opened for modification	C:\Program Files\WindowsApps\MI6132~1.0_X\Assets\CONTRA~2\BADGEL~4.PNG	cmd.exe
File opened for modification	C:\Program Files\WindowsApps\DELETE~1\MI3AA8~1.SCA\APPXMA~1.XML	cmd.exe
File opened for modification	C:\Program Files\WindowsApps\MI33D2~1.0_X\skypert.dll	cmd.exe
File opened for modification	C:\Program Files\WindowsApps\MI11B4~1.0_X\images\HX182E~1.PNG	cmd.exe
File opened for modification	C:\Program Files\WindowsApps\MI4DB5~1.0_X\Assets\SECOND~1\Car\RTL\CONTRA~1\LARGET~1.PNG	cmd.exe
File opened for modification	C:\Program Files\WindowsApps\MIAA44~1.0_X\Assets\AppTiles\STFCCA~1.PNG	cmd.exe
File opened for modification	C:\Program Files\WindowsApps\MICROS~3.0_X\Assets\AppTiles\WEATHE~1\30x30\184.png	cmd.exe
File opened for modification	C:\Program Files\WindowsApps\MID483~1.0_X\APPXSI~1.P7X	cmd.exe
File opened for modification	C:\Program Files\WindowsApps\MI05FA~1.0_X\Assets\ST4E69~1.PNG	cmd.exe
File opened for modification	C:\Program Files\WindowsApps\MI0A11~1.0_X\images\CONTRA~2\ONDCEB~1.PNG	cmd.exe
File opened for modification	C:\Program Files\WindowsApps\MIE908~1.SCA\Assets\SECOND~1\DIRECT~1\Home\RTL\CONTRA~1\WIDETI~1.PNG	cmd.exe
File opened for modification	C:\Program Files\WindowsApps\MICROS~3.0_X\Assets\AppTiles\WEATHE~1\30x30\16.png	cmd.exe
File opened for modification	C:\Program Files\WindowsApps\MICROS~4.0_X\Assets\CONTRA~1\AP04D0~1.PNG	cmd.exe
File opened for modification	C:\Program Files\WindowsApps\MID5E5~1.0_X\Assets\CONTRA~2\LargeTile.scale-400_contrast-white.png	cmd.exe
File opened for modification	C:\Program Files\WindowsApps\MID5E5~1.0_X\Assets\CONTRA~2\SplashScreen.scale-200_contrast-white.png	cmd.exe
File opened for modification	C:\Program Files\WindowsApps\MI33D2~1.0_X\REACTA~1\assets\RNApp\app\uwp\images\MS-LOG~1.PNG	cmd.exe
File opened for modification	C:\Program Files\WindowsApps\MI0A7F~1.0_X\Assets\AppList.targetsize-48_altform-lightunplated_devicefamily-colorfulunplated.png	cmd.exe
File opened for modification	C:\Program Files\WindowsApps\MI11B4~1.0_X\images\CONTRA~2\HxA-Advanced-Dark.scale-400.png	cmd.exe
File opened for modification	C:\Program Files\WindowsApps\MIBE99~1.0_X\Assets\GAEE59~1.PNG	cmd.exe
File opened for modification	C:\Program Files\WindowsApps\DELETE~1\MI3AA8~1.SCA\Assets\CONTRA~2\WIDELO~1.PNG	cmd.exe
File opened for modification	C:\Program Files\WindowsApps\MID53B~1.0_X\APPXMA~1.XML	cmd.exe
File opened for modification	C:\Program Files\WindowsApps\MI8AAC~1.0_X\SYSTEM~3.DLL	cmd.exe
File opened for modification	C:\Program Files\WindowsApps\MI6132~1.0_X\Assets\CONTRA~1\BA0B9B~1.PNG	cmd.exe
File opened for modification	C:\Program Files\WindowsApps\MID54F~1.0_X\CircularProgressBar.xbf	cmd.exe
File opened for modification	C:\Program Files\WindowsApps\MI4E99~1.0_X\Assets\WINDOW~1\WI8530~1.PNG	cmd.exe
File opened for modification	C:\Program Files\WindowsApps\MI11B4~1.0_X\en-gb\LOCIMA~1\offsymb.ttf	cmd.exe
File opened for modification	C:\Program Files\WindowsApps\MIAA44~1.0_X\RESOUR~1\RETAIL~1\data\en-us\1.jpg	cmd.exe
File opened for modification	C:\Program Files\WindowsApps\MI6F49~1.0_X\Assets\Images\Stickers\THUMBN~1\STF9B2~1.PNG	cmd.exe
File opened for modification	C:\Program Files\WindowsApps\MIB28C~1.0_X\Assets\CONTRA~2\WideTile.scale-200_contrast-white.png	cmd.exe
File opened for modification	C:\Program Files\WindowsApps\MI11B4~1.0_X\images\CONTRA~1\RUNNIN~2.PNG	cmd.exe
File opened for modification	C:\Program Files\WindowsApps\MIEACE~1.0_X\Assets\VOF249~1.PNG	cmd.exe
File opened for modification	C:\Program Files\WindowsApps\MI0A11~1.0_X\MSPTLS~1.DLL	cmd.exe
File opened for modification	C:\Program Files\WindowsApps\MIB44A~1.0_X\Assets\CalculatorAppList.contrast-black_targetsize-36.png	cmd.exe
File opened for modification	C:\Program Files\WindowsApps\MI4DB5~1.0_X\Assets\AppTiles\CONTRA~2\MAPSST~1.PNG	cmd.exe
File opened for modification	C:\Program Files\WindowsApps\MICROS~3.0_X\Assets\AppTiles\CONTRA~1\WEATHE~4.PNG	cmd.exe
File opened for modification	C:\Program Files\WindowsApps\MIEA2E~1.0_X\APPXMA~1.XML	cmd.exe
File opened for modification	C:\Program Files\WindowsApps\MIEACE~1.0_X\Assets\VO5682~1.PNG	cmd.exe
File opened for modification	C:\Program Files\WindowsApps\MIBE99~1.0_X\Assets\GAA992~1.PNG	cmd.exe
File opened for modification	C:\Program Files\WindowsApps\DELETE~1\MIA289~1.SCA\Assets\InsiderHubLargeTile.scale-125.png	cmd.exe
File opened for modification	C:\Program Files\WindowsApps\MI33D2~1.0_X\Assets\Audio\SKAFE7~1.M4A	cmd.exe
File opened for modification	C:\Program Files\WindowsApps\MI33D2~1.0_X\Assets\Images\SK344A~1.PNG	cmd.exe
File opened for modification	C:\Program Files\WindowsApps\MIB44A~1.0_X\Assets\CalculatorAppList.targetsize-60.png	cmd.exe
File opened for modification	C:\Program Files\WindowsApps\MI11B4~1.0_X\images\CONTRA~2\GE5DAD~1.PNG	cmd.exe
File opened for modification	C:\Program Files\WindowsApps\DELETE~1\MI20B0~1.SCA\APPXBL~1.XML	cmd.exe
File opened for modification	C:\Program Files\WindowsApps\MI0A11~1.0_X\images\CONTRA~2\ONA00C~1.PNG	cmd.exe
File opened for modification	C:\Program Files\WindowsApps\MI46F3~1.0_X\Assets\CONTRA~2\PE1BB7~1.PNG	cmd.exe
File opened for modification	C:\Program Files\WindowsApps\MI11B4~1.0_X\images\FETCHI~3.PNG	cmd.exe
File opened for modification	C:\Program Files\WindowsApps\MIEACE~1.0_X\Assets\VoiceRecorderAppList.contrast-white_targetsize-96.png	cmd.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemApps\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\MainPage.xaml	cmd.exe
File opened for modification	C:\Windows\SystemApps\Microsoft.MicrosoftEdgeDevToolsClient_8wekyb3d8bbwe\23\common\Formatter\formatWorker.js	cmd.exe
File opened for modification	C:\Windows\SystemApps\Microsoft.MicrosoftEdgeDevToolsClient_8wekyb3d8bbwe\23\common\SlickGrid\slick.grid.js	cmd.exe
File opened for modification	C:\Windows\SystemApps\MICROS~1.SEC\pris\resources.el-GR.pri	cmd.exe
File opened for modification	C:\Windows\SystemApps\Microsoft.MicrosoftEdgeDevToolsClient_8wekyb3d8bbwe\23\common\images\tree_icons.png	cmd.exe
File opened for modification	C:\Windows\SystemApps\Microsoft.MicrosoftEdgeDevToolsClient_8wekyb3d8bbwe\23\frontend\host\api\data\i_alertinfo.png	cmd.exe
File opened for modification	C:\Windows\SystemApps\Microsoft.Windows.AddSuggestedFoldersToLibraryDialog_cw5n1h2txyewy\Assets\Square44x44Logo.scale-200.png	cmd.exe
File opened for modification	C:\Windows\SystemApps\Microsoft.Windows.AddSuggestedFoldersToLibraryDialog_cw5n1h2txyewy\pris\resources.uk-UA.pri	cmd.exe
File opened for modification	C:\Windows\SystemApps\Microsoft.Windows.CallingShellApp_cw5n1h2txyewy\Assets\square150x150logo.scale-200_contrast-white.png	cmd.exe
File opened for modification	C:\Windows\SystemApps\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\Ratings\RatingStars39.contrast-black_scale-200.png	cmd.exe
File opened for modification	C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\cache\Local\Desktop\17.js	cmd.exe
File opened for modification	C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\InputApp\Assets\Fonts\ECMDL2.ttf	cmd.exe
File opened for modification	C:\Windows\SystemApps\microsoft.creddialoghost_cw5n1h2txyewy\pris\resources.es-ES.pri	cmd.exe
File opened for modification	C:\Windows\SystemApps\Microsoft.MicrosoftEdgeDevToolsClient_8wekyb3d8bbwe\23\dom\images\i_error.png	cmd.exe
File opened for modification	C:\Windows\SystemApps\MICROS~1.MIC\uk-UA\assets\ERRORP~1\DisableAboutFlag.htm	cmd.exe
File opened for modification	C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\Assets\Icons\contrast-white\AppListIcon.targetsize-32.png	cmd.exe
File opened for modification	C:\Windows\SystemApps\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\Toolkit.dll	cmd.exe
File opened for modification	C:\Windows\SystemApps\Microsoft.MicrosoftEdgeDevToolsClient_8wekyb3d8bbwe\23\frontend\host\api\data\helpErrorBox.png	cmd.exe
File opened for modification	C:\Windows\SystemApps\Microsoft.MicrosoftEdgeDevToolsClient_8wekyb3d8bbwe\23\VisualProfiler\images\i_frame_grouping.png	cmd.exe
File opened for modification	C:\Windows\SystemApps\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\js\stringResources.js	cmd.exe
File opened for modification	C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\Assets\StoreLogo.scale-150.png	cmd.exe
File opened for modification	C:\Windows\SystemApps\MICROS~1.MIC\it-IT\assets\ERRORP~1\pdferrorneedcontentlocally.html	cmd.exe
File opened for modification	C:\Windows\SystemApps\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\images\ProvisionedApplicationsWhite.png	cmd.exe
File opened for modification	C:\Windows\SystemApps\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\media\HelloFaceAnimation.gif	cmd.exe
File opened for modification	C:\Windows\SystemApps\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\webapps\unifiedEnrollment\views\unifiedEnrollmentDiscoveryError.html	cmd.exe
File opened for modification	C:\Windows\SystemApps\MICROS~1.SEC\Assets\Square71x71Logo.contrast-white_scale-100.png	cmd.exe
File opened for modification	C:\Windows\SystemApps\Microsoft.ECApp_8wekyb3d8bbwe\ecsystem.dll	cmd.exe
File opened for modification	C:\Windows\SystemApps\Microsoft.MicrosoftEdgeDevToolsClient_8wekyb3d8bbwe\23\common\TabControl\sharedTabControl.css	cmd.exe
File opened for modification	C:\Windows\SystemApps\MICROS~1.MIC\fr-FR\assets\ERRORP~1\pdferrorquitapplicationguard.html	cmd.exe
File opened for modification	C:\Windows\SystemApps\Microsoft.Windows.AppRep.ChxApp_cw5n1h2txyewy\Assets\templateStyle.css	cmd.exe
File opened for modification	C:\Windows\SystemApps\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\webapps\inclusiveOobe\js\oobekeyboard-vm.js	cmd.exe
File opened for modification	C:\Windows\SystemApps\microsoft.windows.narratorquickstart_8wekyb3d8bbwe\assets\NarratorUWPStoreLogo.scale-400_contrast-white.png	cmd.exe
File opened for modification	C:\Windows\SystemApps\MICROS~1.SEC\Assets\SplashScreen.scale-200.png	cmd.exe
File opened for modification	C:\Windows\SystemApps\Microsoft.MicrosoftEdgeDevToolsClient_8wekyb3d8bbwe\23\VisualProfiler\images\i_chartselection_clear_disabled.png	cmd.exe
File opened for modification	C:\Windows\SystemApps\MICROS~1.MIC\ja-JP\assets\ERRORP~1\pdferrorofflineaccessdenied.html	cmd.exe
File opened for modification	C:\Windows\SystemApps\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\webapps\hololensDiagnostics\views\hololensDiagnostics.html	cmd.exe
File opened for modification	C:\Windows\SystemApps\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\webapps\unifiedEnrollment\js\unifiedEnrollmentFinishedPage.js	cmd.exe
File opened for modification	C:\Windows\SystemApps\Microsoft.Windows.XGpuEjectDialog_cw5n1h2txyewy\AppxBlockMap.xml	cmd.exe
File opened for modification	C:\Windows\SystemApps\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\Assets\PeopleLogo.targetsize-32_altform-unplated_contrast-white.png	cmd.exe
File opened for modification	C:\Windows\SystemApps\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\Assets\PasswordExpiry.contrast-white_scale-400.png	cmd.exe
File opened for modification	C:\Windows\SystemApps\MICROS~1.MIC\es-ES\assets\ERRORP~1\ErrorPageStyles.css	cmd.exe
File opened for modification	C:\Windows\SystemApps\MICROS~1.MIC\ja-JP\assets\ERRORP~1\http_400.htm	cmd.exe
File opened for modification	C:\Windows\SystemApps\Microsoft.Windows.CallingShellApp_cw5n1h2txyewy\Assets\LockScreenLogo.scale-200.png	cmd.exe
File opened for modification	C:\Windows\SystemApps\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\core\view\oobe-frame-template.html	cmd.exe
File opened for modification	C:\Windows\SystemApps\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\lib\knockout-winjs-wrapper.js	cmd.exe
File opened for modification	C:\Windows\SystemApps\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\webapps\inclusiveOobe\js\oobeeula-data.js	cmd.exe
File opened for modification	C:\Windows\SystemApps\MICROS~1.SEC\Assets\Square44x44Logo.targetsize-24_altform-unplated_contrast-black.png	cmd.exe
File opened for modification	C:\Windows\SystemApps\NcsiUwpApp_8wekyb3d8bbwe\Assets\1X1.png	cmd.exe
File opened for modification	C:\Windows\SystemApps\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\speech\080a\tokens_esMX.xml	cmd.exe
File opened for modification	C:\Windows\SystemApps\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\webapps\inclusiveOobe\js\oobeprovisioningentry-data.js	cmd.exe
File opened for modification	C:\Windows\SystemApps\microsoft.windows.narratorquickstart_8wekyb3d8bbwe\assets\NarratorUWPSquare44x44Logo.targetsize-24_contrast-black.png	cmd.exe
File opened for modification	C:\Windows\SystemApps\microsoft.windows.narratorquickstart_8wekyb3d8bbwe\assets\NarratorUWPSquare44x44Logo.targetsize-40_contrast-white.png	cmd.exe
File opened for modification	C:\Windows\SystemApps\microsoft.windows.narratorquickstart_8wekyb3d8bbwe\assets\NarratorUWPSquare44x44Logo.targetsize-64_altform-unplated_contrast-white.png	cmd.exe
File opened for modification	C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\Assets\Icons\contrast-white\AppListIcon.targetsize-48.png	cmd.exe
File opened for modification	C:\Windows\SystemApps\Microsoft.AsyncTextService_8wekyb3d8bbwe\Assets\StoreLogo.png	cmd.exe
File opened for modification	C:\Windows\SystemApps\MICROS~1.MIC\fr-FR\assets\ERRORP~1\http_404.htm	cmd.exe
File opened for modification	C:\Windows\SystemApps\Microsoft.Windows.FileExplorer_cw5n1h2txyewy\Assets\PPIRemovableStorageDevicesSquareTile44x44.scale-400.png	cmd.exe
File opened for modification	C:\Windows\SystemApps\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\pris\resources.fr-FR.pri	cmd.exe
File opened for modification	C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SCREEN~1\SCREEN~1\Assets\Square44x44Logo.targetsize-24_altform-unplated.png	cmd.exe
File opened for modification	C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SCREEN~1\SCREEN~1\Assets\StoreLogo.png	cmd.exe
File opened for modification	C:\Windows\SystemApps\Microsoft.MicrosoftEdgeDevToolsClient_8wekyb3d8bbwe\23\memoryAnalyzer\memoryAnalyzer.f12.css	cmd.exe
File opened for modification	C:\Windows\SystemApps\Microsoft.MicrosoftEdgeDevToolsClient_8wekyb3d8bbwe\23\storage\images\clearCookies.png	cmd.exe
File opened for modification	C:\Windows\SystemApps\Microsoft.MicrosoftEdgeDevToolsClient_8wekyb3d8bbwe\23\VisualProfiler\images\i_chartselection_clear.png	cmd.exe
File opened for modification	C:\Windows\SystemApps\MICROS~1.MIC\es-ES\assets\ERRORP~1\invalidcert.htm	cmd.exe

Hide Artifacts: Ignore Process Interrupts 1 TTPs 1 IoCs

Command interpreters often include specific commands/flags that ignore errors and other hangups.

defense_evasion

Ignore Process Interrupts

T1564.011

pid	Process
2036	powershell.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powercfg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	takeown.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	taskmgr.exe

Enumerates system info in registry 2 TTPs 8 IoCs

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	SearchApp.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	SearchApp.exe

Modifies Control Panel 34 IoCs

evasion

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\Accessibility\StickyKeys\Flags = "506"	zion.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\Desktop\WaitToKillServiceTimeout = "1000"	zion.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\Mouse\MouseThreshold1 = "0"	zion.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\Desktop\WindowMetrics\MinAnimate = "0"	zion.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\Cursors\ContactVisualization = "0"	zion.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\Cursors\GestureVisualization = "0"	zion.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\Desktop\HungAppTimeout = "1000"	zion.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\Desktop\WaitToKillAppTimeout = "1000"	zion.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\Sound\Beep = "No"	zion.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\Sound\ExtendedSounds = "No"	zion.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\Desktop\WindowMetrics\MaxAnimate = "0"	zion.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\Desktop\ForegroundLockTimeout = "0"	zion.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\Desktop\MenuShowDelay = "0"	zion.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\Accessibility\SlateLaunch\LaunchAT = "0"	zion.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\Accessibility\DynamicScrollbars = "0"	zion.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\Desktop\FontSmoothing = "0"	zion.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\Desktop\WindowMetrics\MinAnimate = "0"	zion.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\Accessibility\ToggleKeys\Flags = "58"	zion.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\Mouse\MouseSpeed = "0"	zion.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\Mouse\MouseThreshold2 = "0"	zion.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\User Profile\HttpAcceptLanguageOptOut = "1"	zion.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\Accessibility\SlateLaunch\ATapp	zion.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\Accessibility\SoundSentry\FSTextEffect = "0"	zion.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\Accessibility\SoundSentry\WindowsEffect = "0"	zion.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\Accessibility\Keyboard Response\Flags = "122"	zion.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0"	zion.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\Mouse\MouseSensitivity = "10"	zion.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\Desktop\AutoEndTasks = "1"	zion.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\Accessibility\SoundSentry\Flags = "0"	zion.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\Accessibility\SoundSentry\TextEffect = "0"	zion.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\Desktop\LowLevelHooksTimeout = "1000"	zion.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\Desktop\DragFullWindows = "0"	zion.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\Desktop\UserPreferencesMask = 9012038010000000	zion.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\Mouse\MouseHoverTime = "0"	zion.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Software\Microsoft\Internet Explorer\GPU	SearchApp.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133678123241711731"	chrome.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key deleted	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_CLASSES\INTERFACE\{A7126D4C-F492-4EB9-8A2A-F673DBDD3334}\PROXYSTUBCLSID32	OneDriveSetup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\WOW6432Node\Interface\{944903E8-B03F-43A0-8341-872200D2DA9C}	OneDriveSetup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_CLASSES\INTERFACE\{869BDA08-7ACF-42B8-91AE-4D8D597C0B33}\TYPELIB	OneDriveSetup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_CLASSES\CLSID\{A78ED123-AB77-406B-9962-2A5D9D2F7F30}\INPROCSERVER32	OneDriveSetup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Interface\{da82e55e-fa2f-45b3-aec3-e7294106ef52}	OneDriveSetup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_CLASSES\WOW6432NODE\INTERFACE\{F062BA81-ADFE-4A92-886A-23FD851D6406}\TYPELIB	OneDriveSetup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Interface\{3A4E62AE-45D9-41D5-85F5-A45B77AB44E5}	OneDriveSetup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_CLASSES\WOW6432NODE\INTERFACE\{D0ED5C72-6197-4AAD-9B16-53FE461DD85C}\TYPELIB	OneDriveSetup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_CLASSES\WOW6432NODE\INTERFACE\{FAC14B75-7862-4CEB-BE41-F53945A61C17}\TYPELIB	OneDriveSetup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\FileSyncClient.AutoPlayHandler\shell	OneDriveSetup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_CLASSES\WOW6432NODE\CLSID\{2E7C0A19-0438-41E9-81E3-3AD3D64F55BA}\LOCALSERVER32	OneDriveSetup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_CLASSES\TYPELIB\{909A6CCD-6810-46C4-89DF-05BE7EB61E6C}\1.0\FLAGS	OneDriveSetup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_CLASSES\INTERFACE\{8B9F14F4-9559-4A3F-B7D0-312E992B6D98}\TYPELIB	OneDriveSetup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Interface\{8B9F14F4-9559-4A3F-B7D0-312E992B6D98}	OneDriveSetup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\WOW6432Node\CLSID\{BBACC218-34EA-4666-9D7A-C78F2274A524}	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "spell=NativeSupported; cardinal=GlobalSupported; ordinal=NativeSupported; date=GlobalSupported; time=GlobalSupported; telephone=NativeSupported; currency=NativeSupported; net=NativeSupported; url=NativeSupported; address=NativeSupported; alphanumeric=NativeSupported; Name=NativeSupported; media=NativeSupported; message=NativeSupported; companyName=NativeSupported; computer=NativeSupported; math=NativeSupported; duration=NativeSupported"	SearchApp.exe
Key deleted	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Interface\{2692D1F2-2C7C-4AE0-8E73-8F37736C912D}	OneDriveSetup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_CLASSES\WOW6432NODE\INTERFACE\{2692D1F2-2C7C-4AE0-8E73-8F37736C912D}\TYPELIB	OneDriveSetup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Interface\{ACDB5DB0-C9D5-461C-BAAA-5DCE0B980E40}	OneDriveSetup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_CLASSES\WOW6432NODE\INTERFACE\{5D65DD0D-81BF-4FF4-AEEA-6EFFB445CB3F}\TYPELIB	OneDriveSetup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_CLASSES\INTERFACE\{B5C25645-7426-433F-8A5F-42B7FF27A7B2}\PROXYSTUBCLSID32	OneDriveSetup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_CLASSES\INTERFACE\{9E1CD0DF-72E7-4284-9598-342C0A46F96B}\PROXYSTUBCLSID32	OneDriveSetup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_CLASSES\WOW6432NODE\INTERFACE\{9E1CD0DF-72E7-4284-9598-342C0A46F96B}\TYPELIB	OneDriveSetup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\WOW6432Node\Interface\{fac14b75-7862-4ceb-be41-f53945a61c17}	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Local Settings	msedge.exe
Key deleted	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_CLASSES\WOW6432NODE\INTERFACE\{2EB31403-EBE0-41EA-AE91-A1953104EA55}\PROXYSTUBCLSID32	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\Speech_OneCore\\Engines\\SR\\en-US-N\\tn1033.bin"	SearchApp.exe
Key deleted	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_CLASSES\WOW6432NODE\INTERFACE\{B5C25645-7426-433F-8A5F-42B7FF27A7B2}\TYPELIB	OneDriveSetup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_CLASSES\WOW6432NODE\INTERFACE\{D8C80EBB-099C-4208-AFA3-FBC4D11F8A3C}\PROXYSTUBCLSID32	OneDriveSetup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_CLASSES\INTERFACE\{2EB31403-EBE0-41EA-AE91-A1953104EA55}\PROXYSTUBCLSID32	OneDriveSetup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_CLASSES\WOW6432NODE\INTERFACE\{53DE12AA-DF96-413D-A25E-C75B6528ABF2}\PROXYSTUBCLSID32	OneDriveSetup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_CLASSES\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\DEFAULTICON	FileSyncConfig.exe
Key created	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}	FileSyncConfig.exe
Key deleted	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\FileSyncClient.FileSyncClient	OneDriveSetup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Interface\{79A2A54C-3916-41FD-9FAB-F26ED0BBA755}	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "- 0001 ! 0002 & 0003 , 0004 . 0005 ? 0006 _ 0007 1 0008 ~ 0009 aa 000a a 000b oh 000c ax 000d b 000e d 000f eh 0010 ey 0011 f 0012 g 0013 hy 0014 uy 0015 iy 0016 k 0017 l 0018 m 0019 n 001a ng 001b nj 001c oe 001d eu 001e ow 001f p 0020 r 0021 s 0022 sh 0023 t 0024 uw 0025 v 0026 w 0027 y 0028 z 0029 zh 002a"	SearchApp.exe
Key deleted	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Interface\{6A821279-AB49-48F8-9A27-F6C59B4FF024}	OneDriveSetup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\Total\ = "0"	SearchApp.exe
Key deleted	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_CLASSES\SYNCENGINESTORAGEPROVIDERHANDLERPROXY.SYNCENGINESTORAGEPROVIDERHANDLERPROXY\CURVER	OneDriveSetup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_CLASSES\WOW6432NODE\INTERFACE\{31508CC7-9BC7-494B-9D0F-7B1C7F144182}\PROXYSTUBCLSID32	OneDriveSetup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\SyncEngineFileInfoProvider.SyncEngineFileInfoProvider	OneDriveSetup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\WOW6432Node\CLSID\{94269C4E-071A-4116-90E6-52E557067E4E}	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\InitPropertyBag	FileSyncConfig.exe
Key deleted	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\BannerNotificationHandler.BannerNotificationHandler\shell\import	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DomStorageState	SearchApp.exe
Key deleted	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Interface\{D0ED5C72-6197-4AAD-9B16-53FE461DD85C}	OneDriveSetup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Interface\{4410DC33-BC7C-496B-AA84-4AEA3EEE75F7}	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "French Phone Converter"	SearchApp.exe
Key deleted	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_CLASSES\INTERFACE\{1196AE48-D92B-4BC7-85DE-664EC3F761F1}\TYPELIB	OneDriveSetup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Interface\{049FED7E-C3EA-4B66-9D92-10E8085D60FB}	OneDriveSetup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_CLASSES\INTERFACE\{EA23A664-A558-4548-A8FE-A6B94D37C3CF}\TYPELIB	OneDriveSetup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\WOW6432Node\CLSID\{CB3D0F55-BC2C-4C1A-85ED-23ED75B5106B}	OneDriveSetup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_CLASSES\TYPELIB\{638805C3-4BA3-4AC8-8AAC-71A0BA2BC284}\1.0\0\WIN32	OneDriveSetup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\TypeLib\{638805C3-4BA3-4AC8-8AAC-71A0BA2BC284}\1.0	OneDriveSetup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_CLASSES\INTERFACE\{0299ECA9-80B6-43C8-A79A-FB1C5F19E7D8}\TYPELIB	OneDriveSetup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\WOW6432Node\Interface\{ACDB5DB0-C9D5-461C-BAAA-5DCE0B980E40}	OneDriveSetup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\CLSID\{71DCE5D6-4B57-496B-AC21-CD5B54EB93FD}	OneDriveSetup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_CLASSES\CLSID\{389510B7-9E58-40D7-98BF-60B911CB0EA9}\PROGID	OneDriveSetup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\ShellFolder\FolderValueFlags = "40"	FileSyncConfig.exe
Key created	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\DefaultIcon	FileSyncConfig.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = 4f12242f895bd461c879f1e773d97c8ee816e4b5a37737ac6216dd9bb9e3a2bb	SearchApp.exe
Key deleted	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_CLASSES\INTERFACE\{D0ED5C72-6197-4AAD-9B16-53FE461DD85C}\PROXYSTUBCLSID32	OneDriveSetup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_CLASSES\TYPELIB\{BAE13F6C-0E2A-4DEB-AA46-B8F55319347C}\1.0\HELPDIR	OneDriveSetup.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 226754.crdownload:SmartScreen	msedge.exe

Suspicious behavior: EnumeratesProcesses 46 IoCs

pid	Process
1924	msedge.exe
1924	msedge.exe
4100	msedge.exe
4100	msedge.exe
4212	identity_helper.exe
4212	identity_helper.exe
2108	msedge.exe
2108	msedge.exe
2036	powershell.exe
2036	powershell.exe
2036	powershell.exe
2528	zion.exe
2528	zion.exe
2528	zion.exe
3000	OneDriveSetup.exe
3000	OneDriveSetup.exe
1324	OneDriveSetup.exe
1324	OneDriveSetup.exe
1324	OneDriveSetup.exe
1324	OneDriveSetup.exe
1324	OneDriveSetup.exe
1324	OneDriveSetup.exe
1324	OneDriveSetup.exe
1324	OneDriveSetup.exe
1324	OneDriveSetup.exe
1324	OneDriveSetup.exe
2528	zion.exe
3608	chrome.exe
3608	chrome.exe
4388	taskmgr.exe
4388	taskmgr.exe
4388	taskmgr.exe
4388	taskmgr.exe
4388	taskmgr.exe
4388	taskmgr.exe
4388	taskmgr.exe
4388	taskmgr.exe
4388	taskmgr.exe
4388	taskmgr.exe
4388	taskmgr.exe
4388	taskmgr.exe
4388	taskmgr.exe
4388	taskmgr.exe
4388	taskmgr.exe
4388	taskmgr.exe
4388	taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2528	zion.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 11 IoCs

pid	Process
4100	msedge.exe
4100	msedge.exe
4100	msedge.exe
4100	msedge.exe
4100	msedge.exe
4100	msedge.exe
4100	msedge.exe
3608	chrome.exe
3608	chrome.exe
3608	chrome.exe
3608	chrome.exe

Suspicious use of AdjustPrivilegeToken 59 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3612	powercfg.exe
Token: SeCreatePagefilePrivilege	3612	powercfg.exe
Token: SeShutdownPrivilege	916	powercfg.exe
Token: SeCreatePagefilePrivilege	916	powercfg.exe
Token: SeShutdownPrivilege	4544	powercfg.exe
Token: SeCreatePagefilePrivilege	4544	powercfg.exe
Token: SeShutdownPrivilege	4052	powercfg.exe
Token: SeCreatePagefilePrivilege	4052	powercfg.exe
Token: SeShutdownPrivilege	2744	powercfg.exe
Token: SeCreatePagefilePrivilege	2744	powercfg.exe
Token: SeShutdownPrivilege	4636	powercfg.exe
Token: SeCreatePagefilePrivilege	4636	powercfg.exe
Token: SeShutdownPrivilege	4636	powercfg.exe
Token: SeCreatePagefilePrivilege	4636	powercfg.exe
Token: SeShutdownPrivilege	2592	powercfg.exe
Token: SeCreatePagefilePrivilege	2592	powercfg.exe
Token: SeShutdownPrivilege	5032	powercfg.exe
Token: SeCreatePagefilePrivilege	5032	powercfg.exe
Token: SeShutdownPrivilege	1692	powercfg.exe
Token: SeCreatePagefilePrivilege	1692	powercfg.exe
Token: SeShutdownPrivilege	652	powercfg.exe
Token: SeCreatePagefilePrivilege	652	powercfg.exe
Token: SeShutdownPrivilege	3120	powercfg.exe
Token: SeCreatePagefilePrivilege	3120	powercfg.exe
Token: SeShutdownPrivilege	2624	powercfg.exe
Token: SeCreatePagefilePrivilege	2624	powercfg.exe
Token: SeDebugPrivilege	2036	powershell.exe
Token: SeShutdownPrivilege	4356	powercfg.exe
Token: SeCreatePagefilePrivilege	4356	powercfg.exe
Token: SeDebugPrivilege	2528	zion.exe
Token: SeTakeOwnershipPrivilege	220	takeown.exe
Token: SeTakeOwnershipPrivilege	3604	takeown.exe
Token: SeTakeOwnershipPrivilege	4420	takeown.exe
Token: SeIncreaseQuotaPrivilege	3000	OneDriveSetup.exe
Token: SeManageVolumePrivilege	1412	svchost.exe
Token: SeDebugPrivilege	1644	SearchApp.exe
Token: SeDebugPrivilege	1644	SearchApp.exe
Token: SeDebugPrivilege	1644	SearchApp.exe
Token: SeDebugPrivilege	1644	SearchApp.exe
Token: SeDebugPrivilege	1644	SearchApp.exe
Token: SeShutdownPrivilege	3608	chrome.exe
Token: SeCreatePagefilePrivilege	3608	chrome.exe
Token: SeShutdownPrivilege	3608	chrome.exe
Token: SeCreatePagefilePrivilege	3608	chrome.exe
Token: SeShutdownPrivilege	3608	chrome.exe
Token: SeCreatePagefilePrivilege	3608	chrome.exe
Token: SeShutdownPrivilege	3608	chrome.exe
Token: SeCreatePagefilePrivilege	3608	chrome.exe
Token: SeShutdownPrivilege	3608	chrome.exe
Token: SeCreatePagefilePrivilege	3608	chrome.exe
Token: SeShutdownPrivilege	3608	chrome.exe
Token: SeCreatePagefilePrivilege	3608	chrome.exe
Token: SeShutdownPrivilege	3608	chrome.exe
Token: SeCreatePagefilePrivilege	3608	chrome.exe
Token: SeShutdownPrivilege	3608	chrome.exe
Token: SeCreatePagefilePrivilege	3608	chrome.exe
Token: SeDebugPrivilege	4388	taskmgr.exe
Token: SeSystemProfilePrivilege	4388	taskmgr.exe
Token: SeCreateGlobalPrivilege	4388	taskmgr.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
4100	msedge.exe
4100	msedge.exe
4100	msedge.exe
4100	msedge.exe
4100	msedge.exe
4100	msedge.exe
4100	msedge.exe
4100	msedge.exe
4100	msedge.exe
4100	msedge.exe
4100	msedge.exe
4100	msedge.exe
4100	msedge.exe
4100	msedge.exe
4100	msedge.exe
4100	msedge.exe
4100	msedge.exe
4100	msedge.exe
4100	msedge.exe
4100	msedge.exe
4100	msedge.exe
4100	msedge.exe
4100	msedge.exe
4100	msedge.exe
4100	msedge.exe
4100	msedge.exe
4100	msedge.exe
4100	msedge.exe
4100	msedge.exe
4100	msedge.exe
4100	msedge.exe
4100	msedge.exe
4100	msedge.exe
4100	msedge.exe
4100	msedge.exe
4100	msedge.exe
4100	msedge.exe
4100	msedge.exe
4100	msedge.exe
1644	SearchApp.exe
3608	chrome.exe
3608	chrome.exe
3608	chrome.exe
3608	chrome.exe
3608	chrome.exe
3608	chrome.exe
3608	chrome.exe
3608	chrome.exe
3608	chrome.exe
3608	chrome.exe
3608	chrome.exe
3608	chrome.exe
3608	chrome.exe
3608	chrome.exe
3608	chrome.exe
3608	chrome.exe
3608	chrome.exe
3608	chrome.exe
3608	chrome.exe
3608	chrome.exe
3608	chrome.exe
3608	chrome.exe
3608	chrome.exe
3608	chrome.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
4100	msedge.exe
4100	msedge.exe
4100	msedge.exe
4100	msedge.exe
4100	msedge.exe
4100	msedge.exe
4100	msedge.exe
4100	msedge.exe
4100	msedge.exe
4100	msedge.exe
4100	msedge.exe
4100	msedge.exe
4100	msedge.exe
4100	msedge.exe
4100	msedge.exe
4100	msedge.exe
4100	msedge.exe
4100	msedge.exe
4100	msedge.exe
4100	msedge.exe
4100	msedge.exe
4100	msedge.exe
4100	msedge.exe
4100	msedge.exe
3608	chrome.exe
3608	chrome.exe
3608	chrome.exe
3608	chrome.exe
3608	chrome.exe
3608	chrome.exe
3608	chrome.exe
3608	chrome.exe
3608	chrome.exe
3608	chrome.exe
3608	chrome.exe
3608	chrome.exe
3608	chrome.exe
3608	chrome.exe
3608	chrome.exe
3608	chrome.exe
3608	chrome.exe
3608	chrome.exe
3608	chrome.exe
3608	chrome.exe
3608	chrome.exe
3608	chrome.exe
3608	chrome.exe
3608	chrome.exe
4388	taskmgr.exe
4388	taskmgr.exe
4388	taskmgr.exe
4388	taskmgr.exe
4388	taskmgr.exe
4388	taskmgr.exe
4388	taskmgr.exe
4388	taskmgr.exe
4388	taskmgr.exe
4388	taskmgr.exe
4388	taskmgr.exe
4388	taskmgr.exe
4388	taskmgr.exe
4388	taskmgr.exe
4388	taskmgr.exe
4388	taskmgr.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2528	zion.exe
2528	zion.exe
1644	SearchApp.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4100 wrote to memory of 4548	4100	msedge.exe	84
PID 4100 wrote to memory of 4548	4100	msedge.exe	84
PID 4100 wrote to memory of 2832	4100	msedge.exe	85
PID 4100 wrote to memory of 2832	4100	msedge.exe	85
PID 4100 wrote to memory of 2832	4100	msedge.exe	85
PID 4100 wrote to memory of 2832	4100	msedge.exe	85
PID 4100 wrote to memory of 2832	4100	msedge.exe	85
PID 4100 wrote to memory of 2832	4100	msedge.exe	85
PID 4100 wrote to memory of 2832	4100	msedge.exe	85
PID 4100 wrote to memory of 2832	4100	msedge.exe	85
PID 4100 wrote to memory of 2832	4100	msedge.exe	85
PID 4100 wrote to memory of 2832	4100	msedge.exe	85
PID 4100 wrote to memory of 2832	4100	msedge.exe	85
PID 4100 wrote to memory of 2832	4100	msedge.exe	85
PID 4100 wrote to memory of 2832	4100	msedge.exe	85
PID 4100 wrote to memory of 2832	4100	msedge.exe	85
PID 4100 wrote to memory of 2832	4100	msedge.exe	85
PID 4100 wrote to memory of 2832	4100	msedge.exe	85
PID 4100 wrote to memory of 2832	4100	msedge.exe	85
PID 4100 wrote to memory of 2832	4100	msedge.exe	85
PID 4100 wrote to memory of 2832	4100	msedge.exe	85
PID 4100 wrote to memory of 2832	4100	msedge.exe	85
PID 4100 wrote to memory of 2832	4100	msedge.exe	85
PID 4100 wrote to memory of 2832	4100	msedge.exe	85
PID 4100 wrote to memory of 2832	4100	msedge.exe	85
PID 4100 wrote to memory of 2832	4100	msedge.exe	85
PID 4100 wrote to memory of 2832	4100	msedge.exe	85
PID 4100 wrote to memory of 2832	4100	msedge.exe	85
PID 4100 wrote to memory of 2832	4100	msedge.exe	85
PID 4100 wrote to memory of 2832	4100	msedge.exe	85
PID 4100 wrote to memory of 2832	4100	msedge.exe	85
PID 4100 wrote to memory of 2832	4100	msedge.exe	85
PID 4100 wrote to memory of 2832	4100	msedge.exe	85
PID 4100 wrote to memory of 2832	4100	msedge.exe	85
PID 4100 wrote to memory of 2832	4100	msedge.exe	85
PID 4100 wrote to memory of 2832	4100	msedge.exe	85
PID 4100 wrote to memory of 2832	4100	msedge.exe	85
PID 4100 wrote to memory of 2832	4100	msedge.exe	85
PID 4100 wrote to memory of 2832	4100	msedge.exe	85
PID 4100 wrote to memory of 2832	4100	msedge.exe	85
PID 4100 wrote to memory of 2832	4100	msedge.exe	85
PID 4100 wrote to memory of 2832	4100	msedge.exe	85
PID 4100 wrote to memory of 1924	4100	msedge.exe	86
PID 4100 wrote to memory of 1924	4100	msedge.exe	86
PID 4100 wrote to memory of 3740	4100	msedge.exe	87
PID 4100 wrote to memory of 3740	4100	msedge.exe	87
PID 4100 wrote to memory of 3740	4100	msedge.exe	87
PID 4100 wrote to memory of 3740	4100	msedge.exe	87
PID 4100 wrote to memory of 3740	4100	msedge.exe	87
PID 4100 wrote to memory of 3740	4100	msedge.exe	87
PID 4100 wrote to memory of 3740	4100	msedge.exe	87
PID 4100 wrote to memory of 3740	4100	msedge.exe	87
PID 4100 wrote to memory of 3740	4100	msedge.exe	87
PID 4100 wrote to memory of 3740	4100	msedge.exe	87
PID 4100 wrote to memory of 3740	4100	msedge.exe	87
PID 4100 wrote to memory of 3740	4100	msedge.exe	87
PID 4100 wrote to memory of 3740	4100	msedge.exe	87
PID 4100 wrote to memory of 3740	4100	msedge.exe	87
PID 4100 wrote to memory of 3740	4100	msedge.exe	87
PID 4100 wrote to memory of 3740	4100	msedge.exe	87
PID 4100 wrote to memory of 3740	4100	msedge.exe	87
PID 4100 wrote to memory of 3740	4100	msedge.exe	87
PID 4100 wrote to memory of 3740	4100	msedge.exe	87
PID 4100 wrote to memory of 3740	4100	msedge.exe	87

System policy modification 1 TTPs 27 IoCs

evasion

Modify Registry

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	zion.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoPublishingWizard = "1"	zion.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoInternetOpenWith = "1"	zion.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Windows\TurnOffWinCal = "1"	zion.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0"	zion.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0"	zion.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	zion.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0"	zion.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\TextInput	zion.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0"	zion.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Windows\Sidebar	zion.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\TextInput\AllowLanguageFeaturesUninstall = "1"	zion.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "255"	zion.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoWebServices = "1"	zion.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCAMeetNow = "1"	zion.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoOnlinePrintsWizard = "1"	zion.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Windows	zion.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCAHealth = "1"	zion.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	zion.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Windows\Sidebar\TurnOffSidebar = "1"	zion.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\DataCollection\AllowTelemetry = "0"	zion.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\TextInput\AllowLinguisticDataCollection = "0"	zion.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoInstrumentation = "1"	zion.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	zion.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableUIADesktopToggle = "0"	zion.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\DataCollection\MaxTelemetryAllowed = "1"	zion.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\AllowOnlineTips = "0"	zion.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://cdn.discordapp.com/attachments/850854604554895461/1271993054978379877/zion.exe?ex=66b95b58&is=66b809d8&hm=695201ca1acec349c5bbd4139504d31d00c24a218ae037c846f14484e7b603c1&
1⤵
- Enumerates system info in registry
- Modifies registry class
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4100
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffdc8c046f8,0x7ffdc8c04708,0x7ffdc8c04718
  2⤵
  PID:4548
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2116,2827065131243111530,18395986672900470033,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2124 /prefetch:2
  2⤵
  PID:2832
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2116,2827065131243111530,18395986672900470033,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2176 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1924
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2116,2827065131243111530,18395986672900470033,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2924 /prefetch:8
  2⤵
  PID:3740
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,2827065131243111530,18395986672900470033,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3308 /prefetch:1
  2⤵
  PID:2976
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,2827065131243111530,18395986672900470033,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3324 /prefetch:1
  2⤵
  PID:4964
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2116,2827065131243111530,18395986672900470033,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5400 /prefetch:8
  2⤵
  PID:2260
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2116,2827065131243111530,18395986672900470033,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5400 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4212
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,2827065131243111530,18395986672900470033,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5464 /prefetch:1
  2⤵
  PID:5000
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,2827065131243111530,18395986672900470033,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5476 /prefetch:1
  2⤵
  PID:1836
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2116,2827065131243111530,18395986672900470033,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5784 /prefetch:8
  2⤵
  PID:2968
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,2827065131243111530,18395986672900470033,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5132 /prefetch:1
  2⤵
  PID:3632
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2116,2827065131243111530,18395986672900470033,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6200 /prefetch:8
  2⤵
  PID:4296
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,2827065131243111530,18395986672900470033,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4248 /prefetch:1
  2⤵
  PID:4688
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,2827065131243111530,18395986672900470033,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4228 /prefetch:1
  2⤵
  PID:4932
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2116,2827065131243111530,18395986672900470033,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6760 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2108

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4384

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:492

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1228

C:\Users\Admin\Downloads\zion.exe
"C:\Users\Admin\Downloads\zion.exe"
1⤵
- Modifies visibility of file extensions in Explorer
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Hijack Execution Flow: Executable Installer File Permissions Weakness
- Sets desktop wallpaper using registry
- Modifies Control Panel
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:2528
- C:\Windows\SysWOW64\powercfg.exe
  "C:\Windows\System32\powercfg.exe" /restoredefaultschemes
  2⤵
  - Power Settings
  - Suspicious use of AdjustPrivilegeToken
  PID:3612
- C:\Windows\SysWOW64\powercfg.exe
  "C:\Windows\System32\powercfg.exe" -duplicatescheme 8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c 00000000-0000-0000-0000-000000000000
  2⤵
  - Power Settings
  - Suspicious use of AdjustPrivilegeToken
  PID:916
- C:\Windows\SysWOW64\powercfg.exe
  "C:\Windows\System32\powercfg.exe" -setactive 00000000-0000-0000-0000-000000000000
  2⤵
  - Power Settings
  - Suspicious use of AdjustPrivilegeToken
  PID:4544
- C:\Windows\SysWOW64\powercfg.exe
  "C:\Windows\System32\powercfg.exe" -changename 00000000-0000-0000-0000-000000000000 "ZION Tweaking"
  2⤵
  - Power Settings
  - Suspicious use of AdjustPrivilegeToken
  PID:4052
- C:\Windows\SysWOW64\powercfg.exe
  "C:\Windows\System32\powercfg.exe" -hibernate off
  2⤵
  - Power Settings
  - Suspicious use of AdjustPrivilegeToken
  PID:4636
- C:\Windows\SysWOW64\powercfg.exe
  "C:\Windows\System32\powercfg.exe" -setacvalueindex 00000000-0000-0000-0000-000000000000 54533251-82be-4824-96c1-47b60b740d00 921becee-fb48-4e16-8c5c-9b8997d07bce 0
  2⤵
  - Power Settings
  - Suspicious use of AdjustPrivilegeToken
  PID:2744
- C:\Windows\SysWOW64\powercfg.exe
  "C:\Windows\System32\powercfg.exe" -setacvalueindex 00000000-0000-0000-0000-000000000000 0cc5b647-c1df-4637-891a-dec35c318583 12bbebe6-58d6-4636-95bb-3217ef867c1a 0
  2⤵
  - Power Settings
  - Suspicious use of AdjustPrivilegeToken
  PID:2592
- C:\Windows\SysWOW64\powercfg.exe
  "C:\Windows\System32\powercfg.exe" -setacvalueindex 00000000-0000-0000-0000-000000000000 19cbb8fa-5279-450e-9fac-8a3d5fedd0c1 5d76a2ca-e8c0-402f-a133-2158492d58ad 0
  2⤵
  - Power Settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:5032
- C:\Windows\SysWOW64\powercfg.exe
  "C:\Windows\System32\powercfg.exe" -setacvalueindex 00000000-0000-0000-0000-000000000000 75b0ae3f-bce9-490a-80b1-aef3b9f7b8fe 5d76a2ca-e8c0-402f-a133-2158492d58ad 0
  2⤵
  - Power Settings
  PID:1688
- C:\Windows\SysWOW64\powercfg.exe
  "C:\Windows\System32\powercfg.exe" -setacvalueindex 00000000-0000-0000-0000-000000000000 5ca83367-6e45-459f-a27b-476b1d01c936 8ba3d6a4-fe92-4783-84ef-5650e77f1ef6 0
  2⤵
  - Power Settings
  - Suspicious use of AdjustPrivilegeToken
  PID:1692
- C:\Windows\SysWOW64\powercfg.exe
  "C:\Windows\System32\powercfg.exe" -setactive 00000000-0000-0000-0000-000000000000
  2⤵
  - Power Settings
  - Suspicious use of AdjustPrivilegeToken
  PID:652
- C:\Windows\SysWOW64\powercfg.exe
  "C:\Windows\System32\powercfg.exe" -setacvalueindex scheme_current sub_processor 5d76a2ca-e8c0-402f-a133-2158492d58ad 0
  2⤵
  - Power Settings
  - Suspicious use of AdjustPrivilegeToken
  PID:3120
- C:\Windows\SysWOW64\powercfg.exe
  "C:\Windows\System32\powercfg.exe" -setactive scheme_current
  2⤵
  - Power Settings
  - Suspicious use of AdjustPrivilegeToken
  PID:2624
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power" /v "CoalescingTimerInterval" /t REG_DWORD /d "0" /f
  2⤵
  PID:1288
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power" /v "CoalescingTimerInterval" /t REG_DWORD /d "0" /f
    3⤵
    PID:4508
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v "CoalescingTimerInterval" /t REG_DWORD /d "0" /f
  2⤵
  PID:3652
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v "CoalescingTimerInterval" /t REG_DWORD /d "0" /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2832
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\kernel" /v "CoalescingTimerInterval" /t REG_DWORD /d "0" /f
  2⤵
  PID:4904
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\kernel" /v "CoalescingTimerInterval" /t REG_DWORD /d "0" /f
    3⤵
    PID:4312
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Executive" /v "CoalescingTimerInterval" /t REG_DWORD /d "0" /f
  2⤵
  PID:3628
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Executive" /v "CoalescingTimerInterval" /t REG_DWORD /d "0" /f
    3⤵
    PID:4844
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager" /v "CoalescingTimerInterval" /t REG_DWORD /d "0" /f
  2⤵
  PID:1804
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager" /v "CoalescingTimerInterval" /t REG_DWORD /d "0" /f
    3⤵
    PID:3440
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C reg add "HKLM\SYSTEM\CurrentControlSet\Control\Power\ModernSleep" /v "CoalescingTimerInterval" /t REG_DWORD /d "0" /f
  2⤵
  PID:1248
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SYSTEM\CurrentControlSet\Control\Power\ModernSleep" /v "CoalescingTimerInterval" /t REG_DWORD /d "0" /f
    3⤵
    PID:4812
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C reg add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "CoalescingTimerInterval" /t REG_DWORD /d "0" /f
  2⤵
  PID:1676
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "CoalescingTimerInterval" /t REG_DWORD /d "0" /f
    3⤵
    PID:388
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C reg add "HKLM\SYSTEM\CurrentControlSet\Control" /v "CoalescingTimerInterval" /t REG_DWORD /d "0" /f
  2⤵
  PID:4172
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SYSTEM\CurrentControlSet\Control" /v "CoalescingTimerInterval" /t REG_DWORD /d "0" /f
    3⤵
    PID:2904
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C reg add "HKLM\System\CurrentControlSet\Services\vmickvpexchange" /v "Start" /t REG_DWORD /d "4" /f
  2⤵
  PID:5056
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\System\CurrentControlSet\Services\vmickvpexchange" /v "Start" /t REG_DWORD /d "4" /f
    3⤵
    PID:4076
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C reg add "HKLM\System\CurrentControlSet\Services\vmicguestinterface" /v "Start" /t REG_DWORD /d "4" /f
  2⤵
  PID:4544
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\System\CurrentControlSet\Services\vmicguestinterface" /v "Start" /t REG_DWORD /d "4" /f
    3⤵
    PID:2180
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C reg add "HKLM\System\CurrentControlSet\Services\vmicshutdown" /v "Start" /t REG_DWORD /d "4" /f
  2⤵
  PID:4248
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\System\CurrentControlSet\Services\vmicshutdown" /v "Start" /t REG_DWORD /d "4" /f
    3⤵
    PID:4584
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C reg add "HKLM\System\CurrentControlSet\Services\vmicheartbeat" /v "Start" /t REG_DWORD /d "4" /f
  2⤵
  PID:1660
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\System\CurrentControlSet\Services\vmicheartbeat" /v "Start" /t REG_DWORD /d "4" /f
    3⤵
    PID:812
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C reg add "HKLM\System\CurrentControlSet\Services\vmicvmsession" /v "Start" /t REG_DWORD /d "4" /f
  2⤵
  PID:1652
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\System\CurrentControlSet\Services\vmicvmsession" /v "Start" /t REG_DWORD /d "4" /f
    3⤵
    PID:4908
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C reg add "HKLM\System\CurrentControlSet\Services\vmicrdv" /v "Start" /t REG_DWORD /d "4" /f
  2⤵
  PID:3140
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\System\CurrentControlSet\Services\vmicrdv" /v "Start" /t REG_DWORD /d "4" /f
    3⤵
    PID:3852
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C reg add "HKLM\System\CurrentControlSet\Services\vmictimesync" /v "Start" /t REG_DWORD /d "4" /f
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4688
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\System\CurrentControlSet\Services\vmictimesync" /v "Start" /t REG_DWORD /d "4" /f
    3⤵
    PID:732
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C reg add "HKLM\System\CurrentControlSet\Services\vmicvss" /v "Start" /t REG_DWORD /d "4" /f
  2⤵
  PID:4944
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\System\CurrentControlSet\Services\vmicvss" /v "Start" /t REG_DWORD /d "4" /f
    3⤵
    PID:4536
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C reg add "HKLM\System\CurrentControlSet\Services\hyperkbd" /v "Start" /t REG_DWORD /d "4" /f
  2⤵
  PID:4880
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\System\CurrentControlSet\Services\hyperkbd" /v "Start" /t REG_DWORD /d "4" /f
    3⤵
    PID:1560
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C reg add "HKLM\System\CurrentControlSet\Services\hypervideo" /v "Start" /t REG_DWORD /d "4" /f
  2⤵
  - System Location Discovery: System Language Discovery
  PID:800
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\System\CurrentControlSet\Services\hypervideo" /v "Start" /t REG_DWORD /d "4" /f
    3⤵
    PID:4376
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C reg add "HKLM\System\CurrentControlSet\Services\gencounter" /v "Start" /t REG_DWORD /d "4" /f
  2⤵
  PID:3260
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\System\CurrentControlSet\Services\gencounter" /v "Start" /t REG_DWORD /d "4" /f
    3⤵
    PID:4300
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C reg add "HKLM\System\CurrentControlSet\Services\vmgid" /v "Start" /t REG_DWORD /d "4" /f
  2⤵
  PID:1992
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\System\CurrentControlSet\Services\vmgid" /v "Start" /t REG_DWORD /d "4" /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1496
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C reg add "HKLM\System\CurrentControlSet\Services\storflt" /v "Start" /t REG_DWORD /d "4" /f
  2⤵
  PID:4108
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\System\CurrentControlSet\Services\storflt" /v "Start" /t REG_DWORD /d "4" /f
    3⤵
    PID:2444
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C reg add "HKLM\System\CurrentControlSet\Services\bttflt" /v "Start" /t REG_DWORD /d "4" /f
  2⤵
  PID:652
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\System\CurrentControlSet\Services\bttflt" /v "Start" /t REG_DWORD /d "4" /f
    3⤵
    PID:1816
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C reg add "HKLM\System\CurrentControlSet\Services\vpci" /v "Start" /t REG_DWORD /d "4" /f
  2⤵
  PID:2508
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\System\CurrentControlSet\Services\vpci" /v "Start" /t REG_DWORD /d "4" /f
    3⤵
    PID:5096
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C reg add "HKLM\System\CurrentControlSet\Services\hvservice" /v "Start" /t REG_DWORD /d "4" /f
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2824
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\System\CurrentControlSet\Services\hvservice" /v "Start" /t REG_DWORD /d "4" /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2688
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C reg add "HKLM\System\CurrentControlSet\Services\hvcrash" /v "Start" /t REG_DWORD /d "4" /f
  2⤵
  PID:2628
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\System\CurrentControlSet\Services\hvcrash" /v "Start" /t REG_DWORD /d "4" /f
    3⤵
    PID:4580
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C reg add "HKLM\System\CurrentControlSet\Services\HvHost" /v "Start" /t REG_DWORD /d "4" /f
  2⤵
  PID:4844
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\System\CurrentControlSet\Services\HvHost" /v "Start" /t REG_DWORD /d "4" /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1720
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C devmanview /disable "Remote Desktop Device Redirector Bus"
  2⤵
  PID:4960
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C fsutil behavior set disable8dot3 1 >NUL 2>&1
  2⤵
  PID:1192
- - C:\Windows\SysWOW64\fsutil.exe
    fsutil behavior set disable8dot3 1
    3⤵
    PID:1724
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C fsutil behavior set disablelastaccess 1 >NUL 2>&1
  2⤵
  PID:3228
- - C:\Windows\SysWOW64\fsutil.exe
    fsutil behavior set disablelastaccess 1
    3⤵
    PID:1876
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C fsutil behavior query memoryusage >NUL 2>&1
  2⤵
  PID:5048
- - C:\Windows\SysWOW64\fsutil.exe
    fsutil behavior query memoryusage
    3⤵
    PID:3052
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C fsutil behavior set memoryusage 2 >NUL 2>&1
  2⤵
  PID:2568
- - C:\Windows\SysWOW64\fsutil.exe
    fsutil behavior set memoryusage 2
    3⤵
    PID:2056
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C fsutil behavior set mftzone 4 >NUL 2>&1
  2⤵
  PID:3112
- - C:\Windows\SysWOW64\fsutil.exe
    fsutil behavior set mftzone 4
    3⤵
    PID:916
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C fsutil behavior set disablelastaccess 1 >NUL 2>&1
  2⤵
  PID:3120
- - C:\Windows\SysWOW64\fsutil.exe
    fsutil behavior set disablelastaccess 1
    3⤵
    PID:4052
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C fsutil behavior set disabledeletenotify 0 >NUL 2>&1
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4080
- - C:\Windows\SysWOW64\fsutil.exe
    fsutil behavior set disabledeletenotify 0
    3⤵
    PID:2916
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C fsutil behavior set encryptpagingfile 0 >NUL 2>&1
  2⤵
  PID:4988
- - C:\Windows\SysWOW64\fsutil.exe
    fsutil behavior set encryptpagingfile 0
    3⤵
    PID:1924
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C reg delete "HKCU\Software\Microsoft\Windows\CurrentVersion\StorageSense" /f > NUL 2>&1
  2⤵
  PID:3544
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKCU\Software\Microsoft\Windows\CurrentVersion\StorageSense" /f
    3⤵
    PID:2404
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C reg add "HKLM\System\CurrentControlSet\Control\Session Manager" /v "ProtectionMode" /t REG_DWORD /d "0" /f >NUL 2>&1
  2⤵
  PID:2476
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\System\CurrentControlSet\Control\Session Manager" /v "ProtectionMode" /t REG_DWORD /d "0" /f
    3⤵
    PID:4536
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager" /v "ProtectionMode" /t REG_DWORD /d "0" /f >NUL 2>&1
  2⤵
  PID:5040
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager" /v "ProtectionMode" /t REG_DWORD /d "0" /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4048
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v MoveImages /t REG_DWORD /d 0 /f >NUL 2>&1
  2⤵
  PID:488
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v MoveImages /t REG_DWORD /d 0 /f
    3⤵
    PID:2100
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettings /t REG_DWORD /d 1 /f >NUL 2>&1
  2⤵
  PID:5004
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettings /t REG_DWORD /d 1 /f
    3⤵
    PID:3396
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverride /t REG_DWORD /d 3 /f >NUL 2>&1
  2⤵
  PID:232
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverride /t REG_DWORD /d 3 /f
    3⤵
    PID:2904
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverrideMask /t REG_DWORD /d 3 /f >NUL 2>&1
  2⤵
  PID:4016
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverrideMask /t REG_DWORD /d 3 /f
    3⤵
    PID:3128
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C echo y | reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v "LargeSystemCache" /t REG_DWORD /d "1"
  2⤵
  PID:1816
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y "
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2028
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v "LargeSystemCache" /t REG_DWORD /d "1"
    3⤵
    PID:5096
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v "DisablePagingExecutive" /t REG_DWORD /d "1" /f >NUL 2>&1
  2⤵
  PID:2488
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v "DisablePagingExecutive" /t REG_DWORD /d "1" /f
    3⤵
    PID:2832
- C:\Windows\SysWOW64\reg.exe
  "C:\Windows\System32\reg.exe" ADD "HKLM\System\CurrentControlSet\Services\Themes" /v "Start" /t REG_DWORD /d "4" /f >NUL 2>&1
  2⤵
  PID:4452
- C:\Windows\SysWOW64\reg.exe
  "C:\Windows\System32\reg.exe" ADD "HKLM\System\CurrentControlSet\Services\AcpiDev" /v "Start" /t REG_DWORD /d "4" /f >NUL 2>&1
  2⤵
  PID:2400
- C:\Windows\SysWOW64\reg.exe
  "C:\Windows\System32\reg.exe" ADD "HKLM\System\CurrentControlSet\Services\CAD" /v "Start" /t REG_DWORD /d "4" /f >NUL 2>&1
  2⤵
  PID:2804
- C:\Windows\SysWOW64\reg.exe
  "C:\Windows\System32\reg.exe" ADD "HKLM\System\CurrentControlSet\Services\CldFlt" /v "Start" /t REG_DWORD /d "4" /f >NUL 2>&1
  2⤵
  PID:2012
- C:\Windows\SysWOW64\reg.exe
  "C:\Windows\System32\reg.exe" ADD "HKLM\System\CurrentControlSet\Services\FileCrypt" /v "Start" /t REG_DWORD /d "4" /f >NUL 2>&1
  2⤵
  PID:4300
- C:\Windows\SysWOW64\reg.exe
  "C:\Windows\System32\reg.exe" ADD "HKLM\System\CurrentControlSet\Services\GpuEnergyDrv" /v "Start" /t REG_DWORD /d "4" /f >NUL 2>&1
  2⤵
  PID:2996
- C:\Windows\SysWOW64\reg.exe
  "C:\Windows\System32\reg.exe" ADD "HKLM\System\CurrentControlSet\Services\PptpMiniport" /v "Start" /t REG_DWORD /d "4" /f >NUL 2>&1
  2⤵
  PID:2904
- C:\Windows\SysWOW64\reg.exe
  "C:\Windows\System32\reg.exe" ADD "HKLM\System\CurrentControlSet\Services\RapiMgr" /v "Start" /t REG_DWORD /d "4" /f >NUL 2>&1
  2⤵
  PID:2016
- C:\Windows\SysWOW64\reg.exe
  "C:\Windows\System32\reg.exe" ADD "HKLM\System\CurrentControlSet\Services\RasAgileVpn" /v "Start" /t REG_DWORD /d "4" /f >NUL 2>&1
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4404
- C:\Windows\SysWOW64\reg.exe
  "C:\Windows\System32\reg.exe" ADD "HKLM\System\CurrentControlSet\Services\Rasl2tp" /v "Start" /t REG_DWORD /d "4" /f >NUL 2>&1
  2⤵
  PID:8
- C:\Windows\SysWOW64\reg.exe
  "C:\Windows\System32\reg.exe" ADD "HKLM\System\CurrentControlSet\Services\RasSstp" /v "Start" /t REG_DWORD /d "4" /f >NUL 2>&1
  2⤵
  PID:4828
- C:\Windows\SysWOW64\reg.exe
  "C:\Windows\System32\reg.exe" ADD "HKLM\System\CurrentControlSet\Services\Wanarp" /v "Start" /t REG_DWORD /d "4" /f >NUL 2>&1
  2⤵
  PID:2624
- C:\Windows\SysWOW64\reg.exe
  "C:\Windows\System32\reg.exe" ADD "HKLM\System\CurrentControlSet\Services\wanarpv6" /v "Start" /t REG_DWORD /d "4" /f >NUL 2>&1
  2⤵
  PID:3364
- C:\Windows\SysWOW64\reg.exe
  "C:\Windows\System32\reg.exe" ADD "HKLM\System\CurrentControlSet\Services\Wdnsfltr" /v "Start" /t REG_DWORD /d "4" /f >NUL 2>&1
  2⤵
  PID:1412
- C:\Windows\SysWOW64\reg.exe
  "C:\Windows\System32\reg.exe" ADD "HKLM\System\CurrentControlSet\Services\WcesComm" /v "Start" /t REG_DWORD /d "4" /f >NUL 2>&1
  2⤵
  PID:4324
- C:\Windows\SysWOW64\reg.exe
  "C:\Windows\System32\reg.exe" ADD "HKLM\System\CurrentControlSet\Services\Wcifs" /v "Start" /t REG_DWORD /d "4" /f >NUL 2>&1
  2⤵
  PID:840
- C:\Windows\SysWOW64\reg.exe
  "C:\Windows\System32\reg.exe" ADD "HKLM\System\CurrentControlSet\Services\Wcnfs" /v "Start" /t REG_DWORD /d "4" /f >NUL 2>&1
  2⤵
  PID:3960
- C:\Windows\SysWOW64\reg.exe
  "C:\Windows\System32\reg.exe" ADD "HKLM\System\CurrentControlSet\Services\WindowsTrustedRT" /v "Start" /t REG_DWORD /d "4" /f >NUL 2>&1
  2⤵
  PID:2884
- C:\Windows\SysWOW64\reg.exe
  "C:\Windows\System32\reg.exe" ADD "HKLM\System\CurrentControlSet\Services\WindowsTrustedRTProxy" /v "Start" /t REG_DWORD /d "4" /f >NUL 2>&1
  2⤵
  PID:2732
- C:\Windows\SysWOW64\reg.exe
  "C:\Windows\System32\reg.exe" ADD "HKLM\Software\Policies\Microsoft\FVE" /v "DisableExternalDMAUnderLock" /t REG_DWORD /d "0" /f >NUL 2>&1
  2⤵
  PID:3848
- C:\Windows\SysWOW64\reg.exe
  "C:\Windows\System32\reg.exe" ADD "HKLM\Software\Policies\Microsoft\Windows\DeviceGuard" /v "EnableVirtualizationBasedSecurity" /t REG_DWORD /d "0" /f >NUL 2>&1
  2⤵
  PID:3140
- C:\Windows\SysWOW64\reg.exe
  "C:\Windows\System32\reg.exe" ADD "HKLM\Software\Policies\Microsoft\Windows\DeviceGuard" /v "HVCIMATRequired" /t REG_DWORD /d "0" /f >NUL 2>&1
  2⤵
  PID:2824
- C:\Windows\SysWOW64\reg.exe
  "C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Services\DXGKrnl\Parameters" /v "ThreadPriority" /t REG_DWORD /d "15" /f >NUL 2>&1
  2⤵
  PID:1992
- C:\Windows\SysWOW64\reg.exe
  "C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Services\HDAudBus\Parameters" /v "ThreadPriority" /t REG_DWORD /d "15" /f >NUL 2>&1
  2⤵
  PID:3304
- C:\Windows\SysWOW64\reg.exe
  "C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Services\HidUsb\Parameters" /v "ThreadPriority" /t REG_DWORD /d "15" /f >NUL 2>&1
  2⤵
  PID:4040
- C:\Windows\SysWOW64\reg.exe
  "C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Services\kbdhid\Parameters" /v "ThreadPriority" /t REG_DWORD /d "15" /f >NUL 2>&1
  2⤵
  PID:3440
- C:\Windows\SysWOW64\reg.exe
  "C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Services\monitor\Parameters" /v "ThreadPriority" /t REG_DWORD /d "15" /f >NUL 2>&1
  2⤵
  PID:1496
- C:\Windows\SysWOW64\reg.exe
  "C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Services\mouhid\Parameters" /v "ThreadPriority" /t REG_DWORD /d "15" /f >NUL 2>&1
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3052
- C:\Windows\SysWOW64\reg.exe
  "C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Services\usbccgp\Parameters" /v "ThreadPriority" /t REG_DWORD /d "15" /f >NUL 2>&1
  2⤵
  - System Location Discovery: System Language Discovery
  PID:964
- C:\Windows\SysWOW64\reg.exe
  "C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Services\usbehci\Parameters" /v "ThreadPriority" /t REG_DWORD /d "15" /f >NUL 2>&1
  2⤵
  PID:916
- C:\Windows\SysWOW64\reg.exe
  "C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Services\usbhub\Parameters" /v "ThreadPriority" /t REG_DWORD /d "15" /f >NUL 2>&1
  2⤵
  PID:812
- C:\Windows\SysWOW64\reg.exe
  "C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Services\USBHUB3\Parameters" /v "ThreadPriority" /t REG_DWORD /d "15" /f >NUL 2>&1
  2⤵
  PID:4180
- C:\Windows\SysWOW64\reg.exe
  "C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Services\usbohci\Parameters" /v "ThreadPriority" /t REG_DWORD /d "15" /f >NUL 2>&1
  2⤵
  PID:3976
- C:\Windows\SysWOW64\reg.exe
  "C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Services\usbuhci\Parameters" /v "ThreadPriority" /t REG_DWORD /d "15" /f >NUL 2>&1
  2⤵
  PID:5012
- C:\Windows\SysWOW64\reg.exe
  "C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Services\USBXHCI\Parameters" /v "ThreadPriority" /t REG_DWORD /d "15" /f >NUL 2>&1
  2⤵
  PID:1368
- C:\Windows\SysWOW64\reg.exe
  "C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Services\NDIS\Parameters" /v "ThreadPriority" /t REG_DWORD /d "15" /f >NUL 2>&1
  2⤵
  PID:3144
- C:\Windows\SysWOW64\reg.exe
  "C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters" /v "ThreadPriority" /t REG_DWORD /d "15" /f >NUL 2>&1
  2⤵
  PID:1220
- C:\Windows\SysWOW64\reg.exe
  "C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Services\AFD\Parameters" /v "ThreadPriority" /t REG_DWORD /d "0" /f >NUL 2>&1
  2⤵
  PID:3908
- C:\Windows\SysWOW64\reg.exe
  "C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Services\Audiosrv\Parameters" /v "ThreadPriority" /t REG_DWORD /d "0" /f >NUL 2>&1
  2⤵
  PID:4596
- C:\Windows\SysWOW64\reg.exe
  "C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Services\disk\Parameters" /v "ThreadPriority" /t REG_DWORD /d "0" /f >NUL 2>&1
  2⤵
  PID:2140
- C:\Windows\SysWOW64\reg.exe
  "C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Services\iaStorAC\Parameters" /v "ThreadPriority" /t REG_DWORD /d "0" /f >NUL 2>&1
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2328
- C:\Windows\SysWOW64\reg.exe
  "C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Services\iaStorAVC\Parameters" /v "ThreadPriority" /t REG_DWORD /d "0" /f >NUL 2>&1
  2⤵
  PID:488
- C:\Windows\SysWOW64\reg.exe
  "C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Services\Ntfs\Parameters" /v "ThreadPriority" /t REG_DWORD /d "0" /f >NUL 2>&1
  2⤵
  PID:4544
- C:\Windows\SysWOW64\reg.exe
  "C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Services\storahci\Parameters" /v "ThreadPriority" /t REG_DWORD /d "0" /f >NUL 2>&1
  2⤵
  PID:1248
- C:\Windows\SysWOW64\reg.exe
  "C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Services\stornvme\Parameters" /v "ThreadPriority" /t REG_DWORD /d "0" /f >NUL 2>&1
  2⤵
  PID:2892
- C:\Windows\SysWOW64\reg.exe
  "C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Services\TCPIP6\Parameters" /v "ThreadPriority" /t REG_DWORD /d "0" /f >NUL 2>&1
  2⤵
  PID:2592
- C:\Windows\SysWOW64\reg.exe
  "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Input\Settings\ControllerProcessor\CursorMagnetism" /v "MagnetismUpdateIntervalInMilliseconds" /t REG_DWORD /d "1" /f >NUL 2>&1
  2⤵
  PID:1504
- C:\Windows\SysWOW64\reg.exe
  "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Input\Settings\ControllerProcessor\CursorSpeed" /v "CursorUpdateInterval" /t REG_DWORD /d "1" /f >NUL 2>&1
  2⤵
  PID:1884
- C:\Windows\SysWOW64\reg.exe
  "C:\Windows\System32\reg.exe" ADD "HKLM\System\CurrentControlSet\Control\Session Manager" /v "AlpcWakePolicy" /t REG_DWORD /d "1" /f >NUL 2>&1
  2⤵
  PID:5108
- C:\Windows\SysWOW64\reg.exe
  "C:\Windows\System32\reg.exe" ADD "HKLM\System\CurrentControlSet\Control\Session Manager\Memory Management" /v "LargeSystemCache" /t REG_DWORD /d "1" /f >NUL 2>&1
  2⤵
  PID:3336
- C:\Windows\SysWOW64\reg.exe
  "C:\Windows\System32\reg.exe" ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\AppHost" /v ContentEvaluation /t REG_DWORD /d "0" /f > NUL 2>&1
  2⤵
  PID:1528
- C:\Windows\SysWOW64\reg.exe
  "C:\Windows\System32\reg.exe" ADD "HKLM\System\CurrentControlSet\Control\Power\PowerThrottling" /v "PowerThrottlingOff" /t REG_DWORD /d "1" /f >NUL 2>&1
  2⤵
  PID:3560
- C:\Windows\SysWOW64\reg.exe
  "C:\Windows\System32\reg.exe" ADD "HKCU\Software\Microsoft\CTF\LangBar" /v "ShowStatus" /t REG_DWORD /d "3" /f >NUL 2>&1
  2⤵
  PID:5008
- C:\Windows\SysWOW64\reg.exe
  "C:\Windows\System32\reg.exe" ADD "HKCU\Software\Microsoft\CTF\LangBar" /v "ExtraIconsOnMinimized" /t REG_DWORD /d "0" /f >NUL 2>&1
  2⤵
  PID:1904
- C:\Windows\SysWOW64\reg.exe
  "C:\Windows\System32\reg.exe" ADD "HKCU\Software\Microsoft\CTF\LangBar" /v "Transparency" /t REG_DWORD /d "255" /f >NUL 2>&1
  2⤵
  PID:1516
- C:\Windows\SysWOW64\reg.exe
  "C:\Windows\System32\reg.exe" ADD "HKCU\Software\Microsoft\CTF\LangBar" /v "Label" /t REG_DWORD /d "0" /f >NUL 2>&1
  2⤵
  PID:3684
- C:\Windows\SysWOW64\reg.exe
  "C:\Windows\System32\reg.exe" ADD "HKU\.DEFAULT\Control Panel\Accessibility\HighContrast" /v "Flags" /t REG_SZ /d "0" /f >NUL 2>&1
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4976
- C:\Windows\SysWOW64\reg.exe
  "C:\Windows\System32\reg.exe" ADD "HKU\.DEFAULT\Control Panel\Accessibility\Keyboard Response" /v "Flags" /t REG_SZ /d "0" /f >NUL 2>&1
  2⤵
  PID:1344
- C:\Windows\SysWOW64\reg.exe
  "C:\Windows\System32\reg.exe" ADD "HKU\.DEFAULT\Control Panel\Accessibility\MouseKeys" /v "Flags" /t REG_SZ /d "0" /f >NUL 2>&1
  2⤵
  PID:3740
- C:\Windows\SysWOW64\reg.exe
  "C:\Windows\System32\reg.exe" ADD "HKU\.DEFAULT\Control Panel\Accessibility\SoundSentry" /v "Flags" /t REG_SZ /d "0" /f >NUL 2>&1
  2⤵
  PID:2740
- C:\Windows\SysWOW64\reg.exe
  "C:\Windows\System32\reg.exe" ADD "HKU\.DEFAULT\Control Panel\Accessibility\StickyKeys" /v "Flags" /t REG_SZ /d "0" /f >NUL 2>&1
  2⤵
  PID:4564
- C:\Windows\SysWOW64\reg.exe
  "C:\Windows\System32\reg.exe" ADD "HKU\.DEFAULT\Control Panel\Accessibility\TimeOut" /v "Flags" /t REG_SZ /d "0" /f >NUL 2>&1
  2⤵
  PID:4384
- C:\Windows\SysWOW64\reg.exe
  "C:\Windows\System32\reg.exe" ADD "HKU\.DEFAULT\Control Panel\Accessibility\ToggleKeys" /v "Flags" /t REG_SZ /d "0" /f >NUL 2>&1
  2⤵
  PID:4904
- C:\Windows\SysWOW64\reg.exe
  "C:\Windows\System32\reg.exe" ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "NavPaneShowAllFolders" /t REG_DWORD /d "1" /f >NUL 2>&1
  2⤵
  PID:2100
- C:\Windows\SysWOW64\reg.exe
  "C:\Windows\System32\reg.exe" ADD "HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell" /v "FolderType" /t REG_SZ /d "NotSpecified" /f >NUL 2>&1
  2⤵
  PID:4392
- C:\Windows\SysWOW64\reg.exe
  "C:\Windows\System32\reg.exe" DELETE "HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags" /f >NUL 2>&1
  2⤵
  PID:2088
- C:\Windows\SysWOW64\reg.exe
  "C:\Windows\System32\reg.exe" ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer" /v "link" /t REG_BINARY /d "00000000" /f >NUL 2>&1
  2⤵
  PID:3320
- C:\Windows\SysWOW64\reg.exe
  "C:\Windows\System32\reg.exe" ADD "HKCU\Control Panel\Accessibility\MouseKeys" /v "Flags" /t REG_SZ /d "186" /f >NUL 2>&1
  2⤵
  PID:2268
- C:\Windows\SysWOW64\reg.exe
  "C:\Windows\System32\reg.exe" ADD "HKCU\Control Panel\Accessibility\MouseKeys" /v "MaximumSpeed" /t REG_SZ /d "40" /f >NUL 2>&1
  2⤵
  PID:2616
- C:\Windows\SysWOW64\reg.exe
  "C:\Windows\System32\reg.exe" ADD "HKCU\Control Panel\Accessibility\MouseKeys" /v "TimeToMaximumSpeed" /t REG_SZ /d "3000" /f >NUL 2>&1
  2⤵
  PID:2852
- C:\Windows\SysWOW64\reg.exe
  "C:\Windows\System32\reg.exe" ADD "HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate\AU" /v "AUOptions" /t REG_DWORD /d "2" /f >NUL 2>&1
  2⤵
  PID:892
- C:\Windows\SysWOW64\reg.exe
  "C:\Windows\System32\reg.exe" ADD "HKLM\System\CurrentControlSet\Services\LanmanServer\Parameters" /v "AutoShareWks" /t REG_DWORD /d "0" /f >NUL 2>&1
  2⤵
  PID:3088
- C:\Windows\SysWOW64\reg.exe
  "C:\Windows\System32\reg.exe" ADD "HKCU\Keyboard Layout\Toggle" /v "Language Hotkey" /t REG_SZ /d "3" /f >NUL 2>&1
  2⤵
  PID:4440
- C:\Windows\SysWOW64\reg.exe
  "C:\Windows\System32\reg.exe" ADD "HKCU\Keyboard Layout\Toggle" /v "Hotkey" /t REG_SZ /d "3" /f >NUL 2>&1
  2⤵
  PID:1984
- C:\Windows\SysWOW64\reg.exe
  "C:\Windows\System32\reg.exe" ADD "HKCU\Keyboard Layout\Toggle" /v "Layout Hotkey" /t REG_SZ /d "3" /f >NUL 2>&1
  2⤵
  PID:4908
- C:\Windows\SysWOW64\reg.exe
  "C:\Windows\System32\reg.exe" ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "Start_TrackProgs" /t REG_DWORD /d "0" /f >NUL 2>&1
  2⤵
  PID:5004
- C:\Windows\SysWOW64\reg.exe
  "C:\Windows\System32\reg.exe" ADD "HKCU\AppEvents\Schemes" /f >NUL 2>&1
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3920
- C:\Windows\SysWOW64\reg.exe
  "C:\Windows\System32\reg.exe" ADD "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DelayedDesktopSwitchTimeout" /t REG_DWORD /d "0" /f >NUL 2>&1
  2⤵
  PID:3376
- C:\Windows\SysWOW64\reg.exe
  "C:\Windows\System32\reg.exe" ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "HideSCANetwork" /t REG_DWORD /d "1" /f >NUL 2>&1
  2⤵
  PID:4080
- C:\Windows\SysWOW64\reg.exe
  "C:\Windows\System32\reg.exe" DELETE "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "HideSCANetwork" /f >NUL 2>&1
  2⤵
  PID:3260
- C:\Windows\SysWOW64\reg.exe
  "C:\Windows\System32\reg.exe" ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "Start_LargeMFUIcons" /t REG_DWORD /d "0" /f >NUL 2>&1
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4016
- C:\Windows\SysWOW64\reg.exe
  "C:\Windows\System32\reg.exe" ADD "HKLM\Software\Microsoft\Windows\CurrentVersion\Authentication\LogonUI\Background" /v "OEMBackground" /t REG_DWORD /d "1" /f >NUL 2>&1
  2⤵
  PID:232
- C:\Windows\SysWOW64\reg.exe
  "C:\Windows\System32\reg.exe" ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\VisualEffects" /v "VisualFXSetting" /t REG_DWORD /d "2" /f >NUL 2>&1
  2⤵
  - System Location Discovery: System Language Discovery
  PID:868
- C:\Windows\SysWOW64\reg.exe
  "C:\Windows\System32\reg.exe" ADD "HKLM\Software\Policies\Microsoft\Windows\Gwx" /v "DisableGwx" /t REG_DWORD /d "1" /f >NUL 2>&1
  2⤵
  PID:1272
- C:\Windows\SysWOW64\reg.exe
  "C:\Windows\System32\reg.exe" ADD "HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate" /v "DisableOSUpgrade" /t REG_DWORD /d "1" /f >NUL 2>&1
  2⤵
  PID:5096
- C:\Windows\SysWOW64\reg.exe
  "C:\Windows\System32\reg.exe" ADD "HKLM\Software\Microsoft\Windows NT\CurrentVersion\WUDF" /v "LogEnable" /t REG_DWORD /d "0" /f >NUL 2>&1
  2⤵
  PID:4636
- C:\Windows\SysWOW64\reg.exe
  "C:\Windows\System32\reg.exe" ADD "HKLM\Software\Microsoft\Windows NT\CurrentVersion\WUDF" /v "LogLevel" /t REG_DWORD /d "0" /f >NUL 2>&1
  2⤵
  PID:2056
- C:\Windows\SysWOW64\reg.exe
  "C:\Windows\System32\reg.exe" ADD "HKLM\Software\Policies\Microsoft\Peernet" /v "Disabled" /t REG_DWORD /d "0" /f >NUL 2>&1
  2⤵
  PID:3332
- C:\Windows\SysWOW64\reg.exe
  "C:\Windows\System32\reg.exe" ADD "HKLM\Software\Policies\Microsoft\Internet Explorer\Main" /v "DEPOff" /t REG_DWORD /d "1" /f >NUL 2>&1
  2⤵
  PID:2220
- C:\Windows\SysWOW64\reg.exe
  "C:\Windows\System32\reg.exe" ADD "HKLM\System\CurrentControlSet\Control\Remote Assistance" /v "fAllowToGetHelp" /t REG_DWORD /d "0" /f >NUL 2>&1
  2⤵
  PID:3460
- C:\Windows\SysWOW64\reg.exe
  "C:\Windows\System32\reg.exe" ADD "HKLM\Software\Microsoft\Windows\CurrentVersion\ImmersiveShell" /v "UseActionCenterExperience" /t REG_DWORD /d "0" /f > NUL 2>&1
  2⤵
  PID:1612
- C:\Windows\SysWOW64\reg.exe
  "C:\Windows\System32\reg.exe" ADD "HKLM\Software\Policies\Microsoft\Windows\AdvertisingInfo" /v "DisabledByGroupPolicy" /t REG_DWORD /d "1" /f > NUL 2>&1
  2⤵
  PID:4184
- C:\Windows\SysWOW64\reg.exe
  "C:\Windows\System32\reg.exe" ADD "HKLM\Software\Policies\Microsoft\Windows\EnhancedStorageDevices" /v "TCGSecurityActivationDisabled" /t REG_DWORD /d "0" /f > NUL 2>&1
  2⤵
  PID:3712
- C:\Windows\SysWOW64\reg.exe
  "C:\Windows\System32\reg.exe" ADD "HKLM\Software\Policies\Microsoft\Windows\OneDrive" /v "DisableFileSyncNGSC" /t REG_DWORD /d "1" /f > NUL 2>&1
  2⤵
  PID:4484
- C:\Windows\SysWOW64\reg.exe
  "C:\Windows\System32\reg.exe" ADD "HKLM\Software\Policies\Microsoft\Windows\safer\codeidentifiers" /v "authenticodeenabled" /t REG_DWORD /d "0" /f > NUL 2>&1
  2⤵
  PID:1720
- C:\Windows\SysWOW64\reg.exe
  "C:\Windows\System32\reg.exe" ADD "HKLM\Software\Policies\Microsoft\Windows\Windows Search" /v "AllowIndexingEncryptedStoresOrItems" /t REG_DWORD /d "0" /f > NUL 2>&1
  2⤵
  PID:2508
- C:\Windows\SysWOW64\reg.exe
  "C:\Windows\System32\reg.exe" ADD "HKLM\System\CurrentControlSet\Control\WMI\AutoLogger\AutoLogger-Diagtrack-Listener" /v "Start" /t REG_DWORD /d "0" /f > NUL 2>&1
  2⤵
  PID:1192
- C:\Windows\SysWOW64\reg.exe
  "C:\Windows\System32\reg.exe" ADD "HKLM\System\CurrentControlSet\Control\WMI\AutoLogger\SQMLogger" /v "Start" /t REG_DWORD /d "0" /f > NUL 2>&1
  2⤵
  PID:4812
- C:\Windows\system32\cmd.exe
  "C:\Windows\Sysnative\cmd.exe" /c bcdedit.exe /deletevalue useplatformclock
  2⤵
  PID:4376
- - C:\Windows\system32\bcdedit.exe
    bcdedit.exe /deletevalue useplatformclock
    3⤵
    - Modifies boot configuration data using bcdedit
    PID:2764
- C:\Windows\system32\cmd.exe
  "C:\Windows\Sysnative\cmd.exe" /c bcdedit.exe /set useplatformtick yes
  2⤵
  PID:2028
- - C:\Windows\system32\bcdedit.exe
    bcdedit.exe /set useplatformtick yes
    3⤵
    - Modifies boot configuration data using bcdedit
    PID:4584
- C:\Windows\system32\cmd.exe
  "C:\Windows\Sysnative\cmd.exe" /c bcdedit.exe /set disabledynamictick yes
  2⤵
  PID:1460
- - C:\Windows\system32\bcdedit.exe
    bcdedit.exe /set disabledynamictick yes
    3⤵
    - Modifies boot configuration data using bcdedit
    PID:984
- C:\Windows\system32\cmd.exe
  "C:\Windows\Sysnative\cmd.exe" /c bcdedit.exe /set tscsyncpolicy Enhanced
  2⤵
  PID:2296
- - C:\Windows\system32\bcdedit.exe
    bcdedit.exe /set tscsyncpolicy Enhanced
    3⤵
    - Modifies boot configuration data using bcdedit
    PID:1480
- C:\Windows\system32\cmd.exe
  "C:\Windows\Sysnative\cmd.exe" /c bcdedit.exe /set bootdebug No
  2⤵
  PID:4620
- - C:\Windows\system32\bcdedit.exe
    bcdedit.exe /set bootdebug No
    3⤵
    - Modifies boot configuration data using bcdedit
    PID:4256
- C:\Windows\system32\cmd.exe
  "C:\Windows\Sysnative\cmd.exe" /c bcdedit.exe /set bootlog No
  2⤵
  PID:732
- - C:\Windows\system32\bcdedit.exe
    bcdedit.exe /set bootlog No
    3⤵
    - Modifies boot configuration data using bcdedit
    PID:4520
- C:\Windows\system32\cmd.exe
  "C:\Windows\Sysnative\cmd.exe" /c bcdedit.exe /set bootux disabled
  2⤵
  PID:2376
- - C:\Windows\system32\bcdedit.exe
    bcdedit.exe /set bootux disabled
    3⤵
    - Modifies boot configuration data using bcdedit
    PID:2104
- C:\Windows\system32\cmd.exe
  "C:\Windows\Sysnative\cmd.exe" /c bcdedit.exe /set debug No
  2⤵
  PID:4932
- - C:\Windows\system32\bcdedit.exe
    bcdedit.exe /set debug No
    3⤵
    - Modifies boot configuration data using bcdedit
    PID:1288
- C:\Windows\system32\cmd.exe
  "C:\Windows\Sysnative\cmd.exe" /c bcdedit.exe /set disableelamdrivers Yes
  2⤵
  PID:2628
- - C:\Windows\system32\bcdedit.exe
    bcdedit.exe /set disableelamdrivers Yes
    3⤵
    - Modifies boot configuration data using bcdedit
    PID:3628
- C:\Windows\system32\cmd.exe
  "C:\Windows\Sysnative\cmd.exe" /c bcdedit.exe /set hypervisorlaunchtype off
  2⤵
  PID:4880
- - C:\Windows\system32\bcdedit.exe
    bcdedit.exe /set hypervisorlaunchtype off
    3⤵
    - Modifies boot configuration data using bcdedit
    PID:1724
- C:\Windows\system32\cmd.exe
  "C:\Windows\Sysnative\cmd.exe" /c bcdedit.exe /set integrityservices disable
  2⤵
  PID:1660
- - C:\Windows\system32\bcdedit.exe
    bcdedit.exe /set integrityservices disable
    3⤵
    - Modifies boot configuration data using bcdedit
    PID:2740
- C:\Windows\system32\cmd.exe
  "C:\Windows\Sysnative\cmd.exe" /c bcdedit.exe /set quietboot yes
  2⤵
  PID:3940
- - C:\Windows\system32\bcdedit.exe
    bcdedit.exe /set quietboot yes
    3⤵
    - Modifies boot configuration data using bcdedit
    PID:3740
- C:\Windows\system32\cmd.exe
  "C:\Windows\Sysnative\cmd.exe" /c bcdedit.exe /set tpmbootentropy ForceDisable
  2⤵
  PID:1392
- - C:\Windows\system32\bcdedit.exe
    bcdedit.exe /set tpmbootentropy ForceDisable
    3⤵
    - Modifies boot configuration data using bcdedit
    PID:4300
- C:\Windows\system32\cmd.exe
  "C:\Windows\Sysnative\cmd.exe" /c bcdedit.exe /timeout 3
  2⤵
  PID:388
- - C:\Windows\system32\bcdedit.exe
    bcdedit.exe /timeout 3
    3⤵
    - Modifies boot configuration data using bcdedit
    PID:812
- C:\Windows\system32\cmd.exe
  "C:\Windows\Sysnative\cmd.exe" /c bcdedit.exe /set {globalsettings} custom:16000067 true
  2⤵
  PID:2012
- - C:\Windows\system32\bcdedit.exe
    bcdedit.exe /set {globalsettings} custom:16000067 true
    3⤵
    - Modifies boot configuration data using bcdedit
    PID:3560
- C:\Windows\system32\cmd.exe
  "C:\Windows\Sysnative\cmd.exe" /c bcdedit.exe /set {globalsettings} custom:16000069 true
  2⤵
  PID:1720
- - C:\Windows\system32\bcdedit.exe
    bcdedit.exe /set {globalsettings} custom:16000069 true
    3⤵
    - Modifies boot configuration data using bcdedit
    PID:4452
- C:\Windows\system32\cmd.exe
  "C:\Windows\Sysnative\cmd.exe" /c bcdedit.exe /set {globalsettings} custom:16000068 true
  2⤵
  PID:2852
- - C:\Windows\system32\bcdedit.exe
    bcdedit.exe /set {globalsettings} custom:16000068 true
    3⤵
    - Modifies boot configuration data using bcdedit
    PID:2220
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C fsutil behavior set disable8dot3 1 >NUL 2>&1
  2⤵
  PID:3336
- - C:\Windows\SysWOW64\fsutil.exe
    fsutil behavior set disable8dot3 1
    3⤵
    PID:2824
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C fsutil behavior set disablelastaccess 1 >NUL 2>&1
  2⤵
  PID:3140
- - C:\Windows\SysWOW64\fsutil.exe
    fsutil behavior set disablelastaccess 1
    3⤵
    PID:4508
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C fsutil behavior query memoryusage >NUL 2>&1
  2⤵
  PID:5100
- - C:\Windows\SysWOW64\fsutil.exe
    fsutil behavior query memoryusage
    3⤵
    PID:2916
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C fsutil behavior set memoryusage 2 >NUL 2>&1
  2⤵
  - System Location Discovery: System Language Discovery
  PID:984
- - C:\Windows\SysWOW64\fsutil.exe
    fsutil behavior set memoryusage 2
    3⤵
    PID:4568
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C fsutil behavior set mftzone 4 >NUL 2>&1
  2⤵
  PID:2968
- - C:\Windows\SysWOW64\fsutil.exe
    fsutil behavior set mftzone 4
    3⤵
    PID:3136
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C fsutil behavior set disablelastaccess 1 >NUL 2>&1
  2⤵
  PID:3872
- - C:\Windows\SysWOW64\fsutil.exe
    fsutil behavior set disablelastaccess 1
    3⤵
    PID:2024
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C fsutil behavior set disabledeletenotify 0 >NUL 2>&1
  2⤵
  PID:4576
- - C:\Windows\SysWOW64\fsutil.exe
    fsutil behavior set disabledeletenotify 0
    3⤵
    PID:3520
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C fsutil behavior set encryptpagingfile 0 >NUL 2>&1
  2⤵
  PID:2600
- - C:\Windows\SysWOW64\fsutil.exe
    fsutil behavior set encryptpagingfile 0
    3⤵
    PID:2992
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C reg delete "HKCU\Software\Microsoft\Windows\CurrentVersion\StorageSense" /f > NUL 2>&1
  2⤵
  PID:2584
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKCU\Software\Microsoft\Windows\CurrentVersion\StorageSense" /f
    3⤵
    PID:4076
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C reg add "HKLM\System\CurrentControlSet\Control\Session Manager" /v "ProtectionMode" /t REG_DWORD /d "0" /f >NUL 2>&1
  2⤵
  PID:2444
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\System\CurrentControlSet\Control\Session Manager" /v "ProtectionMode" /t REG_DWORD /d "0" /f
    3⤵
    PID:2740
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager" /v "ProtectionMode" /t REG_DWORD /d "0" /f >NUL 2>&1
  2⤵
  PID:4916
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager" /v "ProtectionMode" /t REG_DWORD /d "0" /f
    3⤵
    PID:2616
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v MoveImages /t REG_DWORD /d 0 /f >NUL 2>&1
  2⤵
  PID:4964
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v MoveImages /t REG_DWORD /d 0 /f
    3⤵
    PID:1368
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettings /t REG_DWORD /d 1 /f >NUL 2>&1
  2⤵
  PID:4384
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettings /t REG_DWORD /d 1 /f
    3⤵
    PID:3560
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverride /t REG_DWORD /d 3 /f >NUL 2>&1
  2⤵
  PID:892
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverride /t REG_DWORD /d 3 /f
    3⤵
    PID:1904
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverrideMask /t REG_DWORD /d 3 /f >NUL 2>&1
  2⤵
  PID:840
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverrideMask /t REG_DWORD /d 3 /f
    3⤵
    PID:2628
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C echo y | reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v "LargeSystemCache" /t REG_DWORD /d "1"
  2⤵
  PID:4932
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y "
    3⤵
    PID:4976
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v "LargeSystemCache" /t REG_DWORD /d "1"
    3⤵
    PID:492
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v "DisablePagingExecutive" /t REG_DWORD /d "1" /f >NUL 2>&1
  2⤵
  PID:2332
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v "DisablePagingExecutive" /t REG_DWORD /d "1" /f
    3⤵
    PID:1884
- C:\Windows\system32\cmd.exe
  "C:\Windows\Sysnative\cmd.exe" /c bcdedit.exe /set hypervisorlaunchtype off
  2⤵
  PID:4184
- - C:\Windows\system32\bcdedit.exe
    bcdedit.exe /set hypervisorlaunchtype off
    3⤵
    - Modifies boot configuration data using bcdedit
    PID:4324
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C FOR /F %%a in ('WMIC PATH Win32_USBHub GET DeviceID^| FINDSTR /L "VID_"') DO ( REG ADD "HKLM\SYSTEM\CurrentControlSet\Enum\%%a\Device Parameters" /F /V "EnhancedPowerManagementEnabled" /T REG_DWORD /d 0 >NUL 2>&1 REG ADD "HKLM\SYSTEM\CurrentControlSet\Enum\%%a\Device Parameters" /F /V "AllowIdleIrpInD3" /T REG_DWORD /d 0 >NUL 2>&1 REG ADD "HKLM\SYSTEM\CurrentControlSet\Enum\%%a\Device Parameters" /F /V "fid_D1Latency" /T REG_DWORD /d 0 >NUL 2>&1 REG ADD "HKLM\SYSTEM\CurrentControlSet\Enum\%%a\Device Parameters" /F /V "fid_D2Latency" /T REG_DWORD /d 0 >NUL 2>&1 REG ADD "HKLM\SYSTEM\CurrentControlSet\Enum\%%a\Device Parameters" /F /V "fid_D3Latency" /T REG_DWORD /d 0 >NUL 2>&1 REG ADD "HKLM\SYSTEM\CurrentControlSet\Enum\%%a\Device Parameters" /F /V "DeviceSelectiveSuspended" /T REG_DWORD /d 0 >NUL 2>&1 REG ADD "HKLM\SYSTEM\CurrentControlSet\Enum\%%a\Device Parameters" /F /V "SelectiveSuspendEnabled" /T REG_DWORD /d 0 >NUL 2>&1 ECHO Disabling USB idling for %%a )
  2⤵
  PID:2100
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C FOR /F "tokens=*" %%a in ('REG QUERY "HKLM\SYSTEM\CurrentControlSet\Enum" /S /F "StorPort"^| FINDSTR /E "StorPort"') DO ( REG ADD "%%a" /F /V "EnableIdlePowerManagement" /T REG_DWORD /d 0 >NUL 2>&1 FOR /F "tokens=*" %%z IN ("%%a") DO ( SET STR=%%z SET STR=!STR:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\=! SET STR=!STR:\Device Parameters\StorPort=! ECHO Disabling StorPort Idling for !STR! ) )
  2⤵
  PID:368
- C:\Windows\system32\cmd.exe
  "C:\Windows\Sysnative\cmd.exe" /c bcdedit.exe /set hypervisorlaunchtype off
  2⤵
  PID:3612
- - C:\Windows\system32\bcdedit.exe
    bcdedit.exe /set hypervisorlaunchtype off
    3⤵
    - Modifies boot configuration data using bcdedit
    PID:1480
- C:\Windows\SysWOW64\reg.exe
  "C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\ControlSet001\Control\Processor" /v "CpuIdleScrubDelay" /t REG_DWORD /d "0" /f
  2⤵
  PID:2056
- C:\Windows\SysWOW64\reg.exe
  "C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\ControlSet001\Control\Processor" /v "CpuIdleScrubInterval" /t REG_DWORD /d "0" /f
  2⤵
  PID:4248
- C:\Windows\SysWOW64\reg.exe
  "C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\ControlSet001\Control\Processor" /v "CpuIdleScrubPower" /t REG_DWORD /d "18" /f
  2⤵
  PID:3712
- C:\Windows\SysWOW64\reg.exe
  "C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\ControlSet001\Control\Processor" /v "CpuIdleScrubThreshold" /t REG_DWORD /d "0" /f
  2⤵
  PID:1368
- C:\Windows\SysWOW64\reg.exe
  "C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\ControlSet001\Control\Processor" /v "CpuIdleScrubType" /t REG_DWORD /d "2" /f
  2⤵
  PID:3560
- C:\Windows\SysWOW64\reg.exe
  "C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\ControlSet001\Control\Processor" /v "CpuIdleScrubValue" /t REG_DWORD /d "100" /f
  2⤵
  PID:4960
- C:\Windows\SysWOW64\reg.exe
  "C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\ControlSet001\Control\Processor" /v "CpuIdleScrubValueMaximum" /t REG_DWORD /d "100" /f
  2⤵
  PID:3364
- C:\Windows\SysWOW64\reg.exe
  "C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\ControlSet001\Control\Processor" /v "CpuIdleScrubValueMinimum" /t REG_DWORD /d "100" /f
  2⤵
  PID:2296
- C:\Windows\SysWOW64\reg.exe
  "C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\ControlSet001\Control\Processor" /v "CpuIdleScrubValueStep" /t REG_DWORD /d "0" /f
  2⤵
  PID:388
- C:\Windows\SysWOW64\reg.exe
  "C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\ControlSet001\Control\Processor" /v "CpuIdleScrubValueDefault" /t REG_DWORD /d "0" /f
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2028
- C:\Windows\SysWOW64\reg.exe
  "C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\ControlSet001\Control\Processor" /v "CpuIdleScrubValueCurrent" /t REG_DWORD /d "0" /f
  2⤵
  PID:4424
- C:\Windows\SysWOW64\reg.exe
  "C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\ControlSet001\Control\Processor" /v "CpuIdleScrubValuePrevious" /t REG_DWORD /d "0" /f
  2⤵
  PID:2624
- C:\Windows\SysWOW64\reg.exe
  "C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\ControlSet001\Control\Processor" /v "CpuIdleScrubValueNext" /t REG_DWORD /d "0" /f
  2⤵
  PID:2968
- C:\Windows\SysWOW64\reg.exe
  "C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\ControlSet001\Control\Processor" /v "CpuIdleScrubValueLast" /t REG_DWORD /d "0" /f
  2⤵
  PID:2180
- C:\Windows\SysWOW64\reg.exe
  "C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\ControlSet001\Control\Processor" /v "CpuIdleScrubValueFirst" /t REG_DWORD /d "0" /f
  2⤵
  PID:3516
- C:\Windows\SysWOW64\reg.exe
  "C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\ControlSet001\Control\Processor" /v "CpuIdleScrubValueCount" /t REG_DWORD /d "100" /f
  2⤵
  PID:1820
- C:\Windows\SysWOW64\reg.exe
  "C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\ControlSet001\Control\Processor" /v "CpuIdleScrubValueIndex" /t REG_DWORD /d "42" /f
  2⤵
  PID:1092
- C:\Windows\SysWOW64\reg.exe
  "C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\ControlSet001\Control\Processor" /v "CpuIdleScrubValueName" /t REG_DWORD /d "0" /f
  2⤵
  PID:2716
- C:\Windows\SysWOW64\reg.exe
  "C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\ControlSet001\Control\Processor" /v "CpuIdleScrubValueDescription" /t REG_DWORD /d "0" /f
  2⤵
  PID:1072
- C:\Windows\SysWOW64\reg.exe
  "C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\ControlSet001\Control\Processor" /v "CpuIdleScrubValueEnabled" /t REG_DWORD /d "0" /f
  2⤵
  PID:4688
- C:\Windows\SysWOW64\reg.exe
  "C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\ControlSet001\Control\Processor" /v "CpuIdleScrubValueDisabled" /t REG_DWORD /d "1" /f
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2832
- C:\Windows\SysWOW64\reg.exe
  "C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\ControlSet001\Control\Processor" /v "CpuIdleScrubValueVisible" /t REG_DWORD /d "1" /f
  2⤵
  PID:4420
- C:\Windows\SysWOW64\reg.exe
  "C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\ControlSet001\Control\Processor" /v "CpuIdleScrubValueHidden" /t REG_DWORD /d "0" /f
  2⤵
  PID:4180
- C:\Windows\SysWOW64\reg.exe
  "C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\ControlSet001\Control\Processor" /v "CpuIdleScrubValueReadOnly" /t REG_DWORD /d "0" /f
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4564
- C:\Windows\SysWOW64\reg.exe
  "C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\ControlSet001\Control\Processor" /v "CpuIdleScrubValueReadnv11" /t REG_DWORD /d "0" /f
  2⤵
  PID:1528
- C:\Windows\SysWOW64\reg.exe
  "C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\ControlSet001\Control\Processor" /v "CpuIdleScrubValuenv11Only" /t REG_DWORD /d "0" /f
  2⤵
  PID:1956
- C:\Windows\SysWOW64\reg.exe
  "C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\ControlSet001\Control\Processor" /v "CpuIdleScrubValueExecute" /t REG_DWORD /d "0" /f
  2⤵
  PID:1856
- C:\Windows\SysWOW64\reg.exe
  "C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\ControlSet001\Control\Processor" /v "CpuIdleScrubValueNoExecute" /t REG_DWORD /d "0" /f
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3460
- C:\Windows\SysWOW64\reg.exe
  "C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\ControlSet001\Control\Processor" /v "CpuIdleScrubValueSystem" /t REG_DWORD /d "0" /f
  2⤵
  PID:2884
- C:\Windows\SysWOW64\reg.exe
  "C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\ControlSet001\Control\Processor" /v "CpuIdleScrubValueUser" /t REG_DWORD /d "0" /f
  2⤵
  PID:4508
- C:\Windows\SysWOW64\reg.exe
  "C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\ControlSet001\Control\Processor" /v "CpuIdleScrubPower" /t REG_DWORD /d "100" /f
  2⤵
  PID:3428
- C:\Windows\SysWOW64\reg.exe
  "C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\ControlSet001\Control\Processor" /v "CpuIdleScrubValueDisabled" /t REG_DWORD /d "0" /f
  2⤵
  PID:1876
- C:\Windows\SysWOW64\reg.exe
  "C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\ControlSet001\Control\Processor" /v "CpuIdleScrubPower" /t REG_DWORD /d "0" /f
  2⤵
  PID:2732
- C:\Windows\SysWOW64\reg.exe
  "C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\ControlSet001\Control\Processor" /v "CpuIdleScrubValueCustom" /t REG_DWORD /d "0" /f
  2⤵
  PID:4536
- C:\Windows\SysWOW64\reg.exe
  "C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\ControlSet001\Control\Processor" /v "CpuIdleScrubValueAuto" /t REG_DWORD /d "1" /f
  2⤵
  PID:1536
- C:\Windows\SysWOW64\reg.exe
  "C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\ControlSet001\Control\Processor" /v "CpuIdleScrubValueManual" /t REG_DWORD /d "0" /f
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2016
- C:\Windows\SysWOW64\reg.exe
  "C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\ControlSet001\Control\Processor" /v "CpuIdleScrubValueAutomatic" /t REG_DWORD /d "1" /f
  2⤵
  PID:5096
- C:\Windows\SysWOW64\reg.exe
  "C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\ControlSet001\Control\Processor" /v "CpuIdleScrubValueDisabledByDefault" /t REG_DWORD /d "1" /f
  2⤵
  PID:1804
- C:\Windows\SysWOW64\reg.exe
  "C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\ControlSet001\Control\Processor" /v "CpuIdleScrubValueEnabledByDefault" /t REG_DWORD /d "0" /f
  2⤵
  PID:2012
- C:\Windows\SysWOW64\reg.exe
  "C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\ControlSet001\Control\Processor" /v "CpuIdleScrubValueDefaultEnabled" /t REG_DWORD /d "0" /f
  2⤵
  PID:2508
- C:\Windows\SysWOW64\reg.exe
  "C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\ControlSet001\Control\Processor" /v "CpuIdleScrubValueDefaultDisabled" /t REG_DWORD /d "1" /f
  2⤵
  PID:964
- C:\Windows\SysWOW64\reg.exe
  "C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\ControlSet001\Control\Processor" /v "CpuIdleScrubValueDefaultAuto" /t REG_DWORD /d "1" /f
  2⤵
  PID:2444
- C:\Windows\SysWOW64\reg.exe
  "C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\ControlSet001\Control\Processor" /v "CpuIdleScrubValueDefaultManual" /t REG_DWORD /d "0" /f
  2⤵
  PID:1392
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C reg add "HKLM\SOFTWARE\Wow6432Node\Policies\Microsoft\Windows\LLTD" /v EnableLLTDIO /t REG_DWORD /d 0 /f >NUL 2>&1
  2⤵
  PID:2628
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Wow6432Node\Policies\Microsoft\Windows\LLTD" /v EnableLLTDIO /t REG_DWORD /d 0 /f
    3⤵
    PID:220
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C reg add "HKLM\SOFTWARE\Wow6432Node\Policies\Microsoft\Windows\LLTD" /v AllowLLTDIOOnDomain /t REG_DWORD /d 0 /f >NUL 2>&1
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2852
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Wow6432Node\Policies\Microsoft\Windows\LLTD" /v AllowLLTDIOOnDomain /t REG_DWORD /d 0 /f
    3⤵
    PID:3320
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C reg add "HKLM\SOFTWARE\Wow6432Node\Policies\Microsoft\Windows\LLTD" /v AllowLLTDIOOnPublicNet /t REG_DWORD /d 0 /f >NUL 2>&1
  2⤵
  PID:4452
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Wow6432Node\Policies\Microsoft\Windows\LLTD" /v AllowLLTDIOOnPublicNet /t REG_DWORD /d 0 /f
    3⤵
    PID:3548
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C reg add "HKLM\SOFTWARE\Wow6432Node\Policies\Microsoft\Windows\LLTD" /v ProhibitLLTDIOOnPrivateNet /t REG_DWORD /d 0 /f >NUL 2>&1
  2⤵
  PID:2584
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Wow6432Node\Policies\Microsoft\Windows\LLTD" /v ProhibitLLTDIOOnPrivateNet /t REG_DWORD /d 0 /f
    3⤵
    PID:4492
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\LLTD" /v EnableLLTDIO /t REG_DWORD /d 0 /f >NUL 2>&1
  2⤵
  PID:4520
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\LLTD" /v EnableLLTDIO /t REG_DWORD /d 0 /f
    3⤵
    PID:1324
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\LLTD" /v AllowLLTDIOOnDomain /t REG_DWORD /d 0 /f >NUL 2>&1
  2⤵
  PID:2476
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\LLTD" /v AllowLLTDIOOnDomain /t REG_DWORD /d 0 /f
    3⤵
    PID:3848
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\LLTD" /v AllowLLTDIOOnPublicNet /t REG_DWORD /d 0 /f >NUL 2>&1
  2⤵
  PID:1096
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\LLTD" /v AllowLLTDIOOnPublicNet /t REG_DWORD /d 0 /f
    3⤵
    PID:2320
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\LLTD" /v ProhibitLLTDIOOnPrivateNet /t REG_DWORD /d 0 /f >NUL 2>&1
  2⤵
  PID:2916
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\LLTD" /v ProhibitLLTDIOOnPrivateNet /t REG_DWORD /d 0 /f
    3⤵
    PID:1804
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\LLTD" /v EnableRspndr /t REG_DWORD /d 0 /f >NUL 2>&1
  2⤵
  PID:3516
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\LLTD" /v EnableRspndr /t REG_DWORD /d 0 /f
    3⤵
    PID:4536
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\LLTD" /v AllowRspndrOnDomain /t REG_DWORD /d 0 /f >NUL 2>&1
  2⤵
  PID:5096
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\LLTD" /v AllowRspndrOnDomain /t REG_DWORD /d 0 /f
    3⤵
    PID:1288
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\LLTD" /v AllowRspndrOnPublicNet /t REG_DWORD /d 0 /f >NUL 2>&1
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1480
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\LLTD" /v AllowRspndrOnPublicNet /t REG_DWORD /d 0 /f
    3⤵
    PID:232
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\LLTD" /v ProhibitRspndrOnPrivateNet /t REG_DWORD /d 0 /f >NUL 2>&1
  2⤵
  PID:1984
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\LLTD" /v ProhibitRspndrOnPrivateNet /t REG_DWORD /d 0 /f
    3⤵
    PID:3260
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C reg add "HKLM\SOFTWARE\Wow6432Node\Policies\Microsoft\Windows\LLTD" /v EnableRspndr /t REG_DWORD /d 0 /f >NUL 2>&1
  2⤵
  PID:2844
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Wow6432Node\Policies\Microsoft\Windows\LLTD" /v EnableRspndr /t REG_DWORD /d 0 /f
    3⤵
    PID:812
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C reg add "HKLM\SOFTWARE\Wow6432Node\Policies\Microsoft\Windows\LLTD" /v AllowRspndrOnDomain /t REG_DWORD /d 0 /f >NUL 2>&1
  2⤵
  PID:3940
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Wow6432Node\Policies\Microsoft\Windows\LLTD" /v AllowRspndrOnDomain /t REG_DWORD /d 0 /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:732
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C reg add "HKLM\SOFTWARE\Wow6432Node\Policies\Microsoft\Windows\LLTD" /v AllowRspndrOnPublicNet /t REG_DWORD /d 0 /f >NUL 2>&1
  2⤵
  PID:4356
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Wow6432Node\Policies\Microsoft\Windows\LLTD" /v AllowRspndrOnPublicNet /t REG_DWORD /d 0 /f
    3⤵
    PID:3680
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C reg add "HKLM\SOFTWARE\Wow6432Node\Policies\Microsoft\Windows\LLTD" /v ProhibitRspndrOnPrivateNet /t REG_DWORD /d 0 /f >NUL 2>&1
  2⤵
  PID:2036
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Wow6432Node\Policies\Microsoft\Windows\LLTD" /v ProhibitRspndrOnPrivateNet /t REG_DWORD /d 0 /f
    3⤵
    PID:1660
- C:\Windows\SysWOW64\reg.exe
  "C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Control\Power\PowerSettings\54533251-82be-4824-96c1-47b60b740d00\943c8cb6-6f93-4227-ad87-e9a3feec08d1" /v "Attributes" /t REG_DWORD /d "2" /f
  2⤵
  PID:4052
- C:\Windows\SysWOW64\reg.exe
  "C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Control\Power\PowerSettings\2a737441-1930-4402-8d77-b2bebba308a3\d4e98f31-5ffe-4ce1-be31-1b38b384c009\DefaultPowerSchemeValues\381b4222-f694-41f0-9685-ff5bb260df2e" /v "ACSettingIndex" /t REG_DWORD /d "0" /f
  2⤵
  PID:2824
- C:\Windows\SysWOW64\reg.exe
  "C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Control\Power\PowerSettings\2a737441-1930-4402-8d77-b2bebba308a3\d4e98f31-5ffe-4ce1-be31-1b38b384c009\DefaultPowerSchemeValues\381b4222-f694-41f0-9685-ff5bb260df2e" /v "DCSettingIndex" /t REG_DWORD /d "0" /f
  2⤵
  PID:1324
- C:\Windows\SysWOW64\reg.exe
  "C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Control\Power\PowerSettings\2a737441-1930-4402-8d77-b2bebba308a3\d4e98f31-5ffe-4ce1-be31-1b38b384c009\DefaultPowerSchemeValues\8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c" /v "ACSettingIndex" /t REG_DWORD /d "0" /f
  2⤵
  PID:4184
- C:\Windows\SysWOW64\reg.exe
  "C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Control\Power\PowerSettings\54533251-82be-4824-96c1-47b60b740d00\3b04d4fd-1cc7-4f23-ab1c-d1337819c4bb\DefaultPowerSchemeValues\381b4222-f694-41f0-9685-ff5bb260df2e" /v "ACSettingIndex" /t REG_DWORD /d "0" /f
  2⤵
  PID:1040
- C:\Windows\SysWOW64\reg.exe
  "C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Control\Power\PowerSettings\54533251-82be-4824-96c1-47b60b740d00\3b04d4fd-1cc7-4f23-ab1c-d1337819c4bb\DefaultPowerSchemeValues\381b4222-f694-41f0-9685-ff5bb260df2e" /v "DCSettingIndex" /t REG_DWORD /d "0" /f
  2⤵
  PID:2560
- C:\Windows\SysWOW64\reg.exe
  "C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Control\Power\PowerSettings\54533251-82be-4824-96c1-47b60b740d00\3b04d4fd-1cc7-4f23-ab1c-d1337819c4bb\DefaultPowerSchemeValues\8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c" /v "ACSettingIndex" /t REG_DWORD /d "0" /f
  2⤵
  PID:3296
- C:\Windows\SysWOW64\reg.exe
  "C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Control\Processor" /v "AllowPepPerfStates" /t REG_DWORD /d "0" /f
  2⤵
  PID:1956
- C:\Windows\SysWOW64\reg.exe
  "C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Control\Processor" /v "Cstates" /t REG_DWORD /d "0" /f
  2⤵
  PID:4420
- C:\Windows\SysWOW64\reg.exe
  "C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Control\Processor" /v "Capabilities" /t REG_DWORD /d "516198" /f
  2⤵
  PID:1392
- C:\Windows\SysWOW64\reg.exe
  "C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "HighPerformance" /t REG_DWORD /d "1" /f
  2⤵
  PID:3364
- C:\Windows\SysWOW64\reg.exe
  "C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "HighestPerformance" /t REG_DWORD /d "1" /f
  2⤵
  PID:936
- C:\Windows\SysWOW64\reg.exe
  "C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "MinimumThrottlePercent" /t REG_DWORD /d "0" /f
  2⤵
  PID:368
- C:\Windows\SysWOW64\reg.exe
  "C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "MaximumThrottlePercent" /t REG_DWORD /d "0" /f
  2⤵
  PID:2232
- C:\Windows\SysWOW64\reg.exe
  "C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "MaximumPerformancePercent" /t REG_DWORD /d "100" /f
  2⤵
  PID:4300
- C:\Windows\SysWOW64\reg.exe
  "C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "Class1InitialUnparkCount" /t REG_DWORD /d "100" /f
  2⤵
  PID:2352
- C:\Windows\SysWOW64\reg.exe
  "C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "InitialUnparkCount" /t REG_DWORD /d "100" /f
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4404
- C:\Windows\SysWOW64\reg.exe
  "C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "MaximumPerformancePercent" /t REG_DWORD /d "100" /f
  2⤵
  PID:3680
- C:\Windows\SysWOW64\reg.exe
  "C:\Windows\System32\reg.exe" add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WcmSvc\GroupPolicy" /v "fDisablePowerManagement" /t REG_DWORD /d "1" /f
  2⤵
  PID:1660
- C:\Windows\SysWOW64\reg.exe
  "C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Control\Power\PDC\Activators\Default\VetoPolicy" /v "EA:EnergySaverEngaged" /t REG_DWORD /d "0" /f
  2⤵
  PID:2584
- C:\Windows\SysWOW64\reg.exe
  "C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Control\Power\PDC\Activators\28\VetoPolicy" /v "EA:PowerStateDischarging" /t REG_DWORD /d "0" /f
  2⤵
  PID:1596
- C:\Windows\SysWOW64\reg.exe
  "C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Control\Power\Policy\Settings\Misc" /v "DeviceIdlePolicy" /t REG_DWORD /d "0" /f
  2⤵
  PID:984
- C:\Windows\SysWOW64\reg.exe
  "C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Control\Power\Policy\Settings\Processor" /v "PerfEnergyPreference" /t REG_DWORD /d "0" /f
  2⤵
  PID:3908
- C:\Windows\SysWOW64\reg.exe
  "C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Control\Power\Policy\Settings\Processor" /v "PerfEnergyPreference" /t REG_DWORD /d "0" /f
  2⤵
  PID:4384
- C:\Windows\SysWOW64\reg.exe
  "C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Control\Power\Policy\Settings\Processor" /v "CPMinCores" /t REG_DWORD /d "0" /f
  2⤵
  PID:4584
- C:\Windows\SysWOW64\reg.exe
  "C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Control\Power\Policy\Settings\Processor" /v "CPMaxCores" /t REG_DWORD /d "0" /f
  2⤵
  PID:2716
- C:\Windows\SysWOW64\reg.exe
  "C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Control\Power\Policy\Settings\Processor" /v "CPMinCores1" /t REG_DWORD /d "0" /f
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2968
- C:\Windows\SysWOW64\reg.exe
  "C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Control\Power\Policy\Settings\Processor" /v "CPMaxCores1" /t REG_DWORD /d "0" /f
  2⤵
  PID:4688
- C:\Windows\SysWOW64\reg.exe
  "C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Control\Power\Policy\Settings\Processor" /v "CpLatencyHintUnpark1" /t REG_DWORD /d "100" /f
  2⤵
  PID:3260
- C:\Windows\SysWOW64\reg.exe
  "C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Control\Power\Policy\Settings\Processor" /v "CPDistribution" /t REG_DWORD /d "0" /f
  2⤵
  PID:4596
- C:\Windows\SysWOW64\reg.exe
  "C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Control\Power\Policy\Settings\Processor" /v "CpLatencyHintUnpark" /t REG_DWORD /d "100" /f
  2⤵
  PID:3120
- C:\Windows\SysWOW64\reg.exe
  "C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Control\Power\Policy\Settings\Processor" /v "MaxPerformance1" /t REG_DWORD /d "100" /f
  2⤵
  PID:2376
- C:\Windows\SysWOW64\reg.exe
  "C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Control\Power\Policy\Settings\Processor" /v "MaxPerformance" /t REG_DWORD /d "100" /f
  2⤵
  PID:3140
- C:\Windows\SysWOW64\reg.exe
  "C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Control\Power\Policy\Settings\Processor" /v "CPDistribution1" /t REG_DWORD /d "0" /f
  2⤵
  PID:4080
- C:\Windows\SysWOW64\reg.exe
  "C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Control\Power\Policy\Settings\Processor" /v "CPHEADROOM" /t REG_DWORD /d "0" /f
  2⤵
  PID:3684
- C:\Windows\SysWOW64\reg.exe
  "C:\Windows\System32\reg.exe" add "HKCU\Control Panel\PowerCfg\GlobalPowerPolicy" /v "Policies" /t REG_BINARY /d "01000000020000000100000000000000020000000000000000000000000000002c0100003232030304000000040000000000000000000000840300002c01000000000000840300000001646464640000" /f
  2⤵
  - Power Settings
  PID:3548
- C:\Windows\SysWOW64\reg.exe
  "C:\Windows\System32\reg.exe" add "HKCU\Control Panel\PowerCfg\GlobalPowerPolicy" /v "Policies" /t REG_BINARY /d "01000000020000000100000000000000020000000000000000000000000000002c0100003232030304000000040000000000000000000000840300002c01000000000000840300000001646464640000" /f
  2⤵
  - Power Settings
  PID:3304
- C:\Windows\SysWOW64\reg.exe
  "C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Control\Processor" /v "Cstates" /t REG_DWORD /d "0" /f
  2⤵
  PID:1984
- C:\Windows\SysWOW64\reg.exe
  "C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Control\Processor" /v "Capabilities" /t REG_DWORD /d "516198" /f
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3568
- C:\Windows\SysWOW64\reg.exe
  "C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "HighPerformance" /t REG_DWORD /d "1" /f
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2400
- C:\Windows\SysWOW64\reg.exe
  "C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "HighestPerformance" /t REG_DWORD /d "1" /f
  2⤵
  PID:3644
- C:\Windows\SysWOW64\reg.exe
  "C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "MinimumThrottlePercent" /t REG_DWORD /d "0" /f
  2⤵
  PID:4016
- C:\Windows\SysWOW64\reg.exe
  "C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "MaximumThrottlePercent" /t REG_DWORD /d "0" /f
  2⤵
  PID:964
- C:\Windows\SysWOW64\reg.exe
  "C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "MaximumPerformancePercent" /t REG_DWORD /d "100" /f
  2⤵
  PID:3512
- C:\Windows\SysWOW64\reg.exe
  "C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "Class1InitialUnparkCount" /t REG_DWORD /d "100" /f
  2⤵
  PID:232
- C:\Windows\SysWOW64\reg.exe
  "C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "InitialUnparkCount" /t REG_DWORD /d "100" /f
  2⤵
  PID:1164
- C:\Windows\SysWOW64\reg.exe
  "C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "MaximumPerformancePercent" /t REG_DWORD /d "100" /f
  2⤵
  PID:8
- C:\Windows\SysWOW64\reg.exe
  "C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Control\Power\PowerThrottling" /v "PowerThrottlingOff" /t REG_DWORD /d "1" /f
  2⤵
  PID:732
- C:\Windows\SysWOW64\reg.exe
  "C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Control\Power\Policy\Settings\Processor" /v "CPHEADROOM" /t REG_DWORD /d "0" /f
  2⤵
  PID:1272
- C:\Windows\SysWOW64\reg.exe
  "C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Control\Power\Policy\Settings\Processor" /v "CPCONCURRENCY" /t REG_DWORD /d "0" /f
  2⤵
  PID:2792
- C:\Windows\SysWOW64\reg.exe
  "C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\ControlSet001\Control\Processor" /v "ProccesorThrottlingEnabled" /t REG_DWORD /d "0" /f
  2⤵
  PID:1460
- C:\Windows\SysWOW64\reg.exe
  "C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\ControlSet001\Control\Processor" /v "CpuIdleThreshold" /t REG_DWORD /d "1" /f
  2⤵
  PID:2600
- C:\Windows\SysWOW64\reg.exe
  "C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\ControlSet001\Control\Processor" /v "CpuIdle" /t REG_DWORD /d "0" /f
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4356
- C:\Windows\SysWOW64\reg.exe
  "C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\ControlSet001\Control\Processor" /v "CpuLatencyTimer" /t REG_DWORD /d "0" /f
  2⤵
  PID:2024
- C:\Windows\SysWOW64\reg.exe
  "C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\ControlSet001\Control\Processor" /v "CpuSlowdown" /t REG_DWORD /d "0" /f
  2⤵
  PID:5096
- C:\Windows\SysWOW64\reg.exe
  "C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\ControlSet001\Control\Processor" /v "DedicatedSegmentSize" /t REG_DWORD /d "1298" /f
  2⤵
  PID:1520
- C:\Windows\SysWOW64\reg.exe
  "C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\ControlSet001\Control\Processor" /v "Threshold" /t REG_DWORD /d "1" /f
  2⤵
  PID:3428
- C:\Windows\SysWOW64\reg.exe
  "C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\ControlSet001\Control\Processor" /v "CpuDebuggingEnabled" /t REG_DWORD /d "0" /f
  2⤵
  PID:1528
- C:\Windows\SysWOW64\reg.exe
  "C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\ControlSet001\Control\Processor" /v "ProccesorLatencyThrottlingEnabled" /t REG_DWORD /d "0" /f
  2⤵
  PID:2592
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print" /v "PortThreadPriority" /t REG_DWORD /d "00000001" /f >nul 2>&1
  2⤵
  PID:4424
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print" /v "PortThreadPriority" /t REG_DWORD /d "00000001" /f
    3⤵
    PID:2012
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print" /v "PriorityClass" /t REG_DWORD /d "00000001" /f >nul 2>&1
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1904
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print" /v "PriorityClass" /t REG_DWORD /d "00000001" /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4564
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C bcdedit -set disabledynamictick yes
  2⤵
  PID:3088
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C bcdedit -set useplatformtick yes
  2⤵
  PID:3872
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C chcp 437 > nul
  2⤵
  PID:3976
- - C:\Windows\SysWOW64\chcp.com
    chcp 437
    3⤵
    PID:4520
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C PowerShell "ForEach($v in (Get-Command -Name 'Set-ProcessMitigation').Parameters['Disable'].Attributes.ValidValues){Set-ProcessMitigation -System -Disable $v.ToString() -ErrorAction SilentlyContinue}"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4376
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    PowerShell "ForEach($v in (Get-Command -Name 'Set-ProcessMitigation').Parameters['Disable'].Attributes.ValidValues){Set-ProcessMitigation -System -Disable $v.ToString() -ErrorAction SilentlyContinue}"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Hide Artifacts: Ignore Process Interrupts
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2036
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power\PowerSettings\54533251-82be-4824-96c1-47b60b740d00\943c8cb6-6f93-4227-ad87-e9a3feec08d1" /v "Attributes" /t REG_DWORD /d "2" /f
  2⤵
  PID:1164
- - C:\Windows\SysWOW64\reg.exe
    Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power\PowerSettings\54533251-82be-4824-96c1-47b60b740d00\943c8cb6-6f93-4227-ad87-e9a3feec08d1" /v "Attributes" /t REG_DWORD /d "2" /f
    3⤵
    PID:4052
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power\PowerSettings\2a737441-1930-4402-8d77-b2bebba308a3\d4e98f31-5ffe-4ce1-be31-1b38b384c009\DefaultPowerSchemeValues\381b4222-f694-41f0-9685-ff5bb260df2e" /v "ACSettingIndex" /t REG_DWORD /d "0" /f
  2⤵
  PID:3120
- - C:\Windows\SysWOW64\reg.exe
    Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power\PowerSettings\2a737441-1930-4402-8d77-b2bebba308a3\d4e98f31-5ffe-4ce1-be31-1b38b384c009\DefaultPowerSchemeValues\381b4222-f694-41f0-9685-ff5bb260df2e" /v "ACSettingIndex" /t REG_DWORD /d "0" /f
    3⤵
    PID:964
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power\PowerSettings\2a737441-1930-4402-8d77-b2bebba308a3\d4e98f31-5ffe-4ce1-be31-1b38b384c009\DefaultPowerSchemeValues\381b4222-f694-41f0-9685-ff5bb260df2e" /v "DCSettingIndex" /t REG_DWORD /d "0" /f
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4688
- - C:\Windows\SysWOW64\reg.exe
    Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power\PowerSettings\2a737441-1930-4402-8d77-b2bebba308a3\d4e98f31-5ffe-4ce1-be31-1b38b384c009\DefaultPowerSchemeValues\381b4222-f694-41f0-9685-ff5bb260df2e" /v "DCSettingIndex" /t REG_DWORD /d "0" /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4420
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power\PowerSettings\2a737441-1930-4402-8d77-b2bebba308a3\d4e98f31-5ffe-4ce1-be31-1b38b384c009\DefaultPowerSchemeValues\8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c" /v "ACSettingIndex" /t REG_DWORD /d "0" /f
  2⤵
  - System Location Discovery: System Language Discovery
  PID:8
- - C:\Windows\SysWOW64\reg.exe
    Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power\PowerSettings\2a737441-1930-4402-8d77-b2bebba308a3\d4e98f31-5ffe-4ce1-be31-1b38b384c009\DefaultPowerSchemeValues\8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c" /v "ACSettingIndex" /t REG_DWORD /d "0" /f
    3⤵
    PID:2012
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power\PowerSettings\54533251-82be-4824-96c1-47b60b740d00\3b04d4fd-1cc7-4f23-ab1c-d1337819c4bb\DefaultPowerSchemeValues\381b4222-f694-41f0-9685-ff5bb260df2e" /v "ACSettingIndex" /t REG_DWORD /d "0" /f
  2⤵
  PID:2904
- - C:\Windows\SysWOW64\reg.exe
    Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power\PowerSettings\54533251-82be-4824-96c1-47b60b740d00\3b04d4fd-1cc7-4f23-ab1c-d1337819c4bb\DefaultPowerSchemeValues\381b4222-f694-41f0-9685-ff5bb260df2e" /v "ACSettingIndex" /t REG_DWORD /d "0" /f
    3⤵
    PID:4568
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power\PowerSettings\54533251-82be-4824-96c1-47b60b740d00\3b04d4fd-1cc7-4f23-ab1c-d1337819c4bb\DefaultPowerSchemeValues\381b4222-f694-41f0-9685-ff5bb260df2e" /v "DCSettingIndex" /t REG_DWORD /d "0" /f
  2⤵
  PID:2056
- - C:\Windows\SysWOW64\reg.exe
    Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power\PowerSettings\54533251-82be-4824-96c1-47b60b740d00\3b04d4fd-1cc7-4f23-ab1c-d1337819c4bb\DefaultPowerSchemeValues\381b4222-f694-41f0-9685-ff5bb260df2e" /v "DCSettingIndex" /t REG_DWORD /d "0" /f
    3⤵
    PID:4440
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power\PowerSettings\54533251-82be-4824-96c1-47b60b740d00\3b04d4fd-1cc7-4f23-ab1c-d1337819c4bb\DefaultPowerSchemeValues\8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c" /v "ACSettingIndex" /t REG_DWORD /d "0" /f
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2328
- - C:\Windows\SysWOW64\reg.exe
    Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power\PowerSettings\54533251-82be-4824-96c1-47b60b740d00\3b04d4fd-1cc7-4f23-ab1c-d1337819c4bb\DefaultPowerSchemeValues\8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c" /v "ACSettingIndex" /t REG_DWORD /d "0" /f
    3⤵
    PID:1620
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Processor" /v "AllowPepPerfStates" /t REG_DWORD /d "0" /f
  2⤵
  PID:4544
- - C:\Windows\SysWOW64\reg.exe
    Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Processor" /v "AllowPepPerfStates" /t REG_DWORD /d "0" /f
    3⤵
    PID:1804
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Processor" /v "Cstates" /t REG_DWORD /d "0" /f
  2⤵
  PID:3800
- - C:\Windows\SysWOW64\reg.exe
    Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Processor" /v "Cstates" /t REG_DWORD /d "0" /f
    3⤵
    PID:2092
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Processor" /v "Capabilities" /t REG_DWORD /d "516198" /f
  2⤵
  PID:744
- - C:\Windows\SysWOW64\reg.exe
    Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Processor" /v "Capabilities" /t REG_DWORD /d "516198" /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3712
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "HighPerformance" /t REG_DWORD /d "1" /f
  2⤵
  PID:1220
- - C:\Windows\SysWOW64\reg.exe
    Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "HighPerformance" /t REG_DWORD /d "1" /f
    3⤵
    PID:1072
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "HighestPerformance" /t REG_DWORD /d "1" /f
  2⤵
  PID:1788
- - C:\Windows\SysWOW64\reg.exe
    Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "HighestPerformance" /t REG_DWORD /d "1" /f
    3⤵
    PID:4340
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "MinimumThrottlePercent" /t REG_DWORD /d "0" /f
  2⤵
  PID:668
- - C:\Windows\SysWOW64\reg.exe
    Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "MinimumThrottlePercent" /t REG_DWORD /d "0" /f
    3⤵
    PID:2592
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "MaximumThrottlePercent" /t REG_DWORD /d "0" /f
  2⤵
  PID:4052
- - C:\Windows\SysWOW64\reg.exe
    Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "MaximumThrottlePercent" /t REG_DWORD /d "0" /f
    3⤵
    PID:3140
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "MaximumPerformancePercent" /t REG_DWORD /d "100" /f
  2⤵
  PID:4300
- - C:\Windows\SysWOW64\reg.exe
    Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "MaximumPerformancePercent" /t REG_DWORD /d "100" /f
    3⤵
    PID:1956
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "Class1InitialUnparkCount" /t REG_DWORD /d "100" /f
  2⤵
  PID:1520
- - C:\Windows\SysWOW64\reg.exe
    Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "Class1InitialUnparkCount" /t REG_DWORD /d "100" /f
    3⤵
    PID:4972
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "InitialUnparkCount" /t REG_DWORD /d "100" /f
  2⤵
  PID:3292
- - C:\Windows\SysWOW64\reg.exe
    Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "InitialUnparkCount" /t REG_DWORD /d "100" /f
    3⤵
    PID:1672
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "MaximumPerformancePercent" /t REG_DWORD /d "100" /f
  2⤵
  PID:3284
- - C:\Windows\SysWOW64\reg.exe
    Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "MaximumPerformancePercent" /t REG_DWORD /d "100" /f
    3⤵
    PID:3740
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C Reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WcmSvc\GroupPolicy" /v "fDisablePowerManagement" /t REG_DWORD /d "1" /f
  2⤵
  PID:4040
- - C:\Windows\SysWOW64\reg.exe
    Reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WcmSvc\GroupPolicy" /v "fDisablePowerManagement" /t REG_DWORD /d "1" /f
    3⤵
    PID:488
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power\PDC\Activators\Default\VetoPolicy" /v "EA:EnergySaverEngaged" /t REG_DWORD /d "0" /f
  2⤵
  PID:1620
- - C:\Windows\SysWOW64\reg.exe
    Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power\PDC\Activators\Default\VetoPolicy" /v "EA:EnergySaverEngaged" /t REG_DWORD /d "0" /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4636
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power\PDC\Activators\28\VetoPolicy" /v "EA:PowerStateDischarging" /t REG_DWORD /d "0" /f
  2⤵
  PID:4520
- - C:\Windows\SysWOW64\reg.exe
    Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power\PDC\Activators\28\VetoPolicy" /v "EA:PowerStateDischarging" /t REG_DWORD /d "0" /f
    3⤵
    PID:2752
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power\Policy\Settings\Misc" /v "DeviceIdlePolicy" /t REG_DWORD /d "0" /f
  2⤵
  PID:3848
- - C:\Windows\SysWOW64\reg.exe
    Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power\Policy\Settings\Misc" /v "DeviceIdlePolicy" /t REG_DWORD /d "0" /f
    3⤵
    PID:392
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power\Policy\Settings\Processor" /v "PerfEnergyPreference" /t REG_DWORD /d "0" /f
  2⤵
  PID:3456
- - C:\Windows\SysWOW64\reg.exe
    Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power\Policy\Settings\Processor" /v "PerfEnergyPreference" /t REG_DWORD /d "0" /f
    3⤵
    PID:2272
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power\Policy\Settings\Processor" /v "CPMinCores" /t REG_DWORD /d "0" /f
  2⤵
  PID:2260
- - C:\Windows\SysWOW64\reg.exe
    Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power\Policy\Settings\Processor" /v "CPMinCores" /t REG_DWORD /d "0" /f
    3⤵
    PID:2872
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power\Policy\Settings\Processor" /v "CPMaxCores" /t REG_DWORD /d "0" /f
  2⤵
  PID:1944
- - C:\Windows\SysWOW64\reg.exe
    Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power\Policy\Settings\Processor" /v "CPMaxCores" /t REG_DWORD /d "0" /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4272
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power\Policy\Settings\Processor" /v "CPMinCores1" /t REG_DWORD /d "0" /f
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4968
- - C:\Windows\SysWOW64\reg.exe
    Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power\Policy\Settings\Processor" /v "CPMinCores1" /t REG_DWORD /d "0" /f
    3⤵
    PID:4800
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power\Policy\Settings\Processor" /v "CPMaxCores1" /t REG_DWORD /d "0" /f
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1040
- - C:\Windows\SysWOW64\reg.exe
    Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power\Policy\Settings\Processor" /v "CPMaxCores1" /t REG_DWORD /d "0" /f
    3⤵
    PID:4356
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power\Policy\Settings\Processor" /v "CpLatencyHintUnpark1" /t REG_DWORD /d "100" /f
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4584
- - C:\Windows\SysWOW64\reg.exe
    Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power\Policy\Settings\Processor" /v "CpLatencyHintUnpark1" /t REG_DWORD /d "100" /f
    3⤵
    PID:2716
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power\Policy\Settings\Processor" /v "CPDistribution" /t REG_DWORD /d "0" /f
  2⤵
  PID:1272
- - C:\Windows\SysWOW64\reg.exe
    Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power\Policy\Settings\Processor" /v "CPDistribution" /t REG_DWORD /d "0" /f
    3⤵
    PID:2600
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power\Policy\Settings\Processor" /v "CpLatencyHintUnpark" /t REG_DWORD /d "100" /f
  2⤵
  PID:3160
- - C:\Windows\SysWOW64\reg.exe
    Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power\Policy\Settings\Processor" /v "CpLatencyHintUnpark" /t REG_DWORD /d "100" /f
    3⤵
    PID:1572
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power\Policy\Settings\Processor" /v "MaxPerformance1" /t REG_DWORD /d "100" /f
  2⤵
  PID:4564
- - C:\Windows\SysWOW64\reg.exe
    Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power\Policy\Settings\Processor" /v "MaxPerformance1" /t REG_DWORD /d "100" /f
    3⤵
    PID:4568
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power\Policy\Settings\Processor" /v "MaxPerformance" /t REG_DWORD /d "100" /f
  2⤵
  PID:2744
- - C:\Windows\SysWOW64\reg.exe
    Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power\Policy\Settings\Processor" /v "MaxPerformance" /t REG_DWORD /d "100" /f
    3⤵
    PID:5004
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power\Policy\Settings\Processor" /v "CPDistribution1" /t REG_DWORD /d "0" /f
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1416
- - C:\Windows\SysWOW64\reg.exe
    Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power\Policy\Settings\Processor" /v "CPDistribution1" /t REG_DWORD /d "0" /f
    3⤵
    PID:2996
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power\Policy\Settings\Processor" /v "CPHEADROOM" /t REG_DWORD /d "0" /f
  2⤵
  PID:2752
- - C:\Windows\SysWOW64\reg.exe
    Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power\Policy\Settings\Processor" /v "CPHEADROOM" /t REG_DWORD /d "0" /f
    3⤵
    PID:3516
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C Reg.exe add "HKCU\Control Panel\PowerCfg\GlobalPowerPolicy" /v "Policies" /t REG_BINARY /d "01000000020000000100000000000000020000000000000000000000000000002c0100003232030304000000040000000000000000000000840300002c01000000000000840300000001646464640000" /f
  2⤵
  - Power Settings
  PID:2812
- - C:\Windows\SysWOW64\reg.exe
    Reg.exe add "HKCU\Control Panel\PowerCfg\GlobalPowerPolicy" /v "Policies" /t REG_BINARY /d "01000000020000000100000000000000020000000000000000000000000000002c0100003232030304000000040000000000000000000000840300002c01000000000000840300000001646464640000" /f
    3⤵
    - Power Settings
    PID:3436
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Processor" /v "Cstates" /t REG_DWORD /d "0" /f
  2⤵
  PID:4804
- - C:\Windows\SysWOW64\reg.exe
    Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Processor" /v "Cstates" /t REG_DWORD /d "0" /f
    3⤵
    PID:2596
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Processor" /v "Capabilities" /t REG_DWORD /d "516198" /f
  2⤵
  PID:3460
- - C:\Windows\SysWOW64\reg.exe
    Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Processor" /v "Capabilities" /t REG_DWORD /d "516198" /f
    3⤵
    PID:4868
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "HighPerformance" /t REG_DWORD /d "1" /f
  2⤵
  PID:3324
- - C:\Windows\SysWOW64\reg.exe
    Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "HighPerformance" /t REG_DWORD /d "1" /f
    3⤵
    PID:2628
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "HighestPerformance" /t REG_DWORD /d "1" /f
  2⤵
  PID:5096
- - C:\Windows\SysWOW64\reg.exe
    Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "HighestPerformance" /t REG_DWORD /d "1" /f
    3⤵
    PID:3304
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "MinimumThrottlePercent" /t REG_DWORD /d "0" /f
  2⤵
  PID:3568
- - C:\Windows\SysWOW64\reg.exe
    Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "MinimumThrottlePercent" /t REG_DWORD /d "0" /f
    3⤵
    PID:2352
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "MaximumThrottlePercent" /t REG_DWORD /d "0" /f
  2⤵
  PID:4384
- - C:\Windows\SysWOW64\reg.exe
    Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "MaximumThrottlePercent" /t REG_DWORD /d "0" /f
    3⤵
    PID:1612
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "MaximumPerformancePercent" /t REG_DWORD /d "100" /f
  2⤵
  PID:3260
- - C:\Windows\SysWOW64\reg.exe
    Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "MaximumPerformancePercent" /t REG_DWORD /d "100" /f
    3⤵
    PID:3980
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power\PowerThrottling" /v "PowerThrottlingOff" /t REG_DWORD /d "1" /f
  2⤵
  PID:1572
- - C:\Windows\SysWOW64\reg.exe
    Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power\PowerThrottling" /v "PowerThrottlingOff" /t REG_DWORD /d "1" /f
    3⤵
    PID:1412
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power\Policy\Settings\Processor" /v "CPHEADROOM" /t REG_DWORD /d "0" /f
  2⤵
  PID:2016
- - C:\Windows\SysWOW64\reg.exe
    Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power\Policy\Settings\Processor" /v "CPHEADROOM" /t REG_DWORD /d "0" /f
    3⤵
    PID:1884
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power\Policy\Settings\Processor" /v "CPCONCURRENCY" /t REG_DWORD /d "0" /f
  2⤵
  PID:2332
- - C:\Windows\SysWOW64\reg.exe
    Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power\Policy\Settings\Processor" /v "CPCONCURRENCY" /t REG_DWORD /d "0" /f
    3⤵
    PID:2724
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile" /v "SystemResponsiveness" /t REG_DWORD /d "10" /f > nul 2>&1
  2⤵
  PID:4880
- - C:\Windows\SysWOW64\reg.exe
    Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile" /v "SystemResponsiveness" /t REG_DWORD /d "10" /f
    3⤵
    PID:3516
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Audio" /v "Affinity" /t REG_DWORD /d "0" /f > nul 2>&1
  2⤵
  PID:3108
- - C:\Windows\SysWOW64\reg.exe
    Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Audio" /v "Affinity" /t REG_DWORD /d "0" /f
    3⤵
    PID:4876
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Audio" /v "Background Only" /t REG_SZ /d "True" /f > nul 2>&1
  2⤵
  PID:3844
- - C:\Windows\SysWOW64\reg.exe
    Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Audio" /v "Background Only" /t REG_SZ /d "True" /f
    3⤵
    PID:2620
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Audio" /v "Clock Rate" /t REG_DWORD /d "10000" /f > nul 2>&1
  2⤵
  PID:1720
- - C:\Windows\SysWOW64\reg.exe
    Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Audio" /v "Clock Rate" /t REG_DWORD /d "10000" /f
    3⤵
    PID:2320
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Audio" /v "GPU Priority" /t REG_DWORD /d "8" /f > nul 2>&1
  2⤵
  PID:2624
- - C:\Windows\SysWOW64\reg.exe
    Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Audio" /v "GPU Priority" /t REG_DWORD /d "8" /f
    3⤵
    PID:4272
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Audio" /v "Priority" /t REG_DWORD /d "6" /f > nul 2>&1
  2⤵
  PID:2488
- - C:\Windows\SysWOW64\reg.exe
    Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Audio" /v "Priority" /t REG_DWORD /d "6" /f
    3⤵
    PID:2844
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Audio" /v "Scheduling Category" /t REG_SZ /d "Medium" /f > nul 2>&1
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1516
- - C:\Windows\SysWOW64\reg.exe
    Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Audio" /v "Scheduling Category" /t REG_SZ /d "Medium" /f
    3⤵
    PID:1324
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Audio" /v "SFIO Priority" /t REG_SZ /d "Normal" /f > nul 2>&1
  2⤵
  PID:2792
- - C:\Windows\SysWOW64\reg.exe
    Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Audio" /v "SFIO Priority" /t REG_SZ /d "Normal" /f
    3⤵
    PID:4404
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Capture" /v "Affinity" /t REG_DWORD /d "0" /f > nul 2>&1
  2⤵
  PID:2716
- - C:\Windows\SysWOW64\reg.exe
    Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Capture" /v "Affinity" /t REG_DWORD /d "0" /f
    3⤵
    PID:4972
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Capture" /v "Background Only" /t REG_SZ /d "True" /f > nul 2>&1
  2⤵
  PID:4080
- - C:\Windows\SysWOW64\reg.exe
    Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Capture" /v "Background Only" /t REG_SZ /d "True" /f
    3⤵
    PID:1816
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Capture" /v "Clock Rate" /t REG_DWORD /d "10000" /f > nul 2>&1
  2⤵
  PID:3296
- - C:\Windows\SysWOW64\reg.exe
    Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Capture" /v "Clock Rate" /t REG_DWORD /d "10000" /f
    3⤵
    PID:812
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Capture" /v "GPU Priority" /t REG_DWORD /d "8" /f > nul 2>&1
  2⤵
  PID:3144
- - C:\Windows\SysWOW64\reg.exe
    Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Capture" /v "GPU Priority" /t REG_DWORD /d "8" /f
    3⤵
    PID:3320
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Capture" /v "Priority" /t REG_DWORD /d "5" /f > nul 2>&1
  2⤵
  PID:2804
- - C:\Windows\SysWOW64\reg.exe
    Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Capture" /v "Priority" /t REG_DWORD /d "5" /f
    3⤵
    PID:3652
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Capture" /v "Scheduling Category" /t REG_SZ /d "Medium" /f > nul 2>&1
  2⤵
  PID:2080
- - C:\Windows\SysWOW64\reg.exe
    Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Capture" /v "Scheduling Category" /t REG_SZ /d "Medium" /f
    3⤵
    PID:3336
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Capture" /v "SFIO Priority" /t REG_SZ /d "Normal" /f > nul 2>&1
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3784
- - C:\Windows\SysWOW64\reg.exe
    Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Capture" /v "SFIO Priority" /t REG_SZ /d "Normal" /f
    3⤵
    PID:3656
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\DisplayPostProcessing" /v "Affinity" /t REG_DWORD /d "0" /f > nul 2>&1
  2⤵
  PID:3772
- - C:\Windows\SysWOW64\reg.exe
    Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\DisplayPostProcessing" /v "Affinity" /t REG_DWORD /d "0" /f
    3⤵
    PID:2036
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\DisplayPostProcessing" /v "Background Only" /t REG_SZ /d "True" /f > nul 2>&1
  2⤵
  PID:4068
- - C:\Windows\SysWOW64\reg.exe
    Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\DisplayPostProcessing" /v "Background Only" /t REG_SZ /d "True" /f
    3⤵
    PID:2824
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\DisplayPostProcessing" /v "BackgroundPriority" /t REG_DWORD /d "8" /f > nul 2>&1
  2⤵
  PID:2584
- - C:\Windows\SysWOW64\reg.exe
    Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\DisplayPostProcessing" /v "BackgroundPriority" /t REG_DWORD /d "8" /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4596
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\DisplayPostProcessing" /v "Clock Rate" /t REG_DWORD /d "10000" /f > nul 2>&1
  2⤵
  PID:5088
- - C:\Windows\SysWOW64\reg.exe
    Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\DisplayPostProcessing" /v "Clock Rate" /t REG_DWORD /d "10000" /f
    3⤵
    PID:568
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\DisplayPostProcessing" /v "GPU Priority" /t REG_DWORD /d "8" /f > nul 2>&1
  2⤵
  PID:1036
- - C:\Windows\SysWOW64\reg.exe
    Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\DisplayPostProcessing" /v "GPU Priority" /t REG_DWORD /d "8" /f
    3⤵
    PID:3492
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\DisplayPostProcessing" /v "Priority" /t REG_DWORD /d "8" /f > nul 2>&1
  2⤵
  PID:3236
- - C:\Windows\SysWOW64\reg.exe
    Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\DisplayPostProcessing" /v "Priority" /t REG_DWORD /d "8" /f
    3⤵
    PID:3548
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\DisplayPostProcessing" /v "Scheduling Category" /t REG_SZ /d "High" /f > nul 2>&1
  2⤵
  PID:3644
- - C:\Windows\SysWOW64\reg.exe
    Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\DisplayPostProcessing" /v "Scheduling Category" /t REG_SZ /d "High" /f
    3⤵
    PID:3980
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\DisplayPostProcessing" /v "SFIO Priority" /t REG_SZ /d "Normal" /f > nul 2>&1
  2⤵
  PID:368
- - C:\Windows\SysWOW64\reg.exe
    Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\DisplayPostProcessing" /v "SFIO Priority" /t REG_SZ /d "Normal" /f
    3⤵
    PID:2732
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Distribution" /v "Affinity" /t REG_DWORD /d "0" /f > nul 2>&1
  2⤵
  PID:1676
- - C:\Windows\SysWOW64\reg.exe
    Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Distribution" /v "Affinity" /t REG_DWORD /d "0" /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3052
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Distribution" /v "Background Only" /t REG_SZ /d "True" /f > nul 2>&1
  2⤵
  PID:4248
- - C:\Windows\SysWOW64\reg.exe
    Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Distribution" /v "Background Only" /t REG_SZ /d "True" /f
    3⤵
    PID:1248
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Distribution" /v "Clock Rate" /t REG_DWORD /d "10000" /f > nul 2>&1
  2⤵
  PID:2092
- - C:\Windows\SysWOW64\reg.exe
    Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Distribution" /v "Clock Rate" /t REG_DWORD /d "10000" /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2476
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Distribution" /v "GPU Priority" /t REG_DWORD /d "8" /f > nul 2>&1
  2⤵
  PID:392
- - C:\Windows\SysWOW64\reg.exe
    Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Distribution" /v "GPU Priority" /t REG_DWORD /d "8" /f
    3⤵
    PID:1700
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Distribution" /v "Priority" /t REG_DWORD /d "4" /f > nul 2>&1
  2⤵
  PID:3436
- - C:\Windows\SysWOW64\reg.exe
    Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Distribution" /v "Priority" /t REG_DWORD /d "4" /f
    3⤵
    PID:2596
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Distribution" /v "Scheduling Category" /t REG_SZ /d "Medium" /f > nul 2>&1
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4920
- - C:\Windows\SysWOW64\reg.exe
    Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Distribution" /v "Scheduling Category" /t REG_SZ /d "Medium" /f
    3⤵
    PID:3428
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Distribution" /v "SFIO Priority" /t REG_SZ /d "Normal" /f > nul 2>&1
  2⤵
  PID:1932
- - C:\Windows\SysWOW64\reg.exe
    Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Distribution" /v "SFIO Priority" /t REG_SZ /d "Normal" /f
    3⤵
    PID:3868
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Playback" /v "Affinity" /t REG_DWORD /d "0" /f > nul 2>&1
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2916
- - C:\Windows\SysWOW64\reg.exe
    Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Playback" /v "Affinity" /t REG_DWORD /d "0" /f
    3⤵
    PID:964
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Playback" /v "Background Only" /t REG_SZ /d "False" /f > nul 2>&1
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5012
- - C:\Windows\SysWOW64\reg.exe
    Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Playback" /v "Background Only" /t REG_SZ /d "False" /f
    3⤵
    PID:4356
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Playback" /v "BackgroundPriority" /t REG_DWORD /d "4" /f > nul 2>&1
  2⤵
  PID:1064
- - C:\Windows\SysWOW64\reg.exe
    Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Playback" /v "BackgroundPriority" /t REG_DWORD /d "4" /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2024
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Playback" /v "Clock Rate" /t REG_DWORD /d "10000" /f > nul 2>&1
  2⤵
  PID:3364
- - C:\Windows\SysWOW64\reg.exe
    Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Playback" /v "Clock Rate" /t REG_DWORD /d "10000" /f
    3⤵
    PID:3560
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Playback" /v "GPU Priority" /t REG_DWORD /d "8" /f > nul 2>&1
  2⤵
  - System Location Discovery: System Language Discovery
  PID:732
- - C:\Windows\SysWOW64\reg.exe
    Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Playback" /v "GPU Priority" /t REG_DWORD /d "8" /f
    3⤵
    PID:564
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Playback" /v "Priority" /t REG_DWORD /d "3" /f > nul 2>&1
  2⤵
  PID:2732
- - C:\Windows\SysWOW64\reg.exe
    Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Playback" /v "Priority" /t REG_DWORD /d "3" /f
    3⤵
    PID:1804
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Playback" /v "Scheduling Category" /t REG_SZ /d "Medium" /f > nul 2>&1
  2⤵
  PID:1496
- - C:\Windows\SysWOW64\reg.exe
    Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Playback" /v "Scheduling Category" /t REG_SZ /d "Medium" /f
    3⤵
    PID:4440
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Playback" /v "SFIO Priority" /t REG_SZ /d "Normal" /f > nul 2>&1
  2⤵
  PID:4620
- - C:\Windows\SysWOW64\reg.exe
    Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Playback" /v "SFIO Priority" /t REG_SZ /d "Normal" /f
    3⤵
    PID:1644
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Pro Audio" /v "Affinity" /t REG_DWORD /d "0" /f > nul 2>&1
  2⤵
  PID:4636
- - C:\Windows\SysWOW64\reg.exe
    Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Pro Audio" /v "Affinity" /t REG_DWORD /d "0" /f
    3⤵
    PID:1700
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Pro Audio" /v "Background Only" /t REG_SZ /d "False" /f > nul 2>&1
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4508
- - C:\Windows\SysWOW64\reg.exe
    Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Pro Audio" /v "Background Only" /t REG_SZ /d "False" /f
    3⤵
    PID:2596
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Pro Audio" /v "Clock Rate" /t REG_DWORD /d "10000" /f > nul 2>&1
  2⤵
  PID:2900
- - C:\Windows\SysWOW64\reg.exe
    Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Pro Audio" /v "Clock Rate" /t REG_DWORD /d "10000" /f
    3⤵
    PID:4576
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Pro Audio" /v "GPU Priority" /t REG_DWORD /d "8" /f > nul 2>&1
  2⤵
  PID:1536
- - C:\Windows\SysWOW64\reg.exe
    Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Pro Audio" /v "GPU Priority" /t REG_DWORD /d "8" /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:220
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Pro Audio" /v "Priority" /t REG_DWORD /d "1" /f > nul 2>&1
  2⤵
  PID:3996
- - C:\Windows\SysWOW64\reg.exe
    Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Pro Audio" /v "Priority" /t REG_DWORD /d "1" /f
    3⤵
    PID:1508
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Pro Audio" /v "Scheduling Category" /t REG_SZ /d "High" /f > nul 2>&1
  2⤵
  PID:3512
- - C:\Windows\SysWOW64\reg.exe
    Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Pro Audio" /v "Scheduling Category" /t REG_SZ /d "High" /f
    3⤵
    PID:2512
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Pro Audio" /v "SFIO Priority" /t REG_SZ /d "Normal" /f > nul 2>&1
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1324
- - C:\Windows\SysWOW64\reg.exe
    Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Pro Audio" /v "SFIO Priority" /t REG_SZ /d "Normal" /f
    3⤵
    PID:2084
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Window Manager" /v "Affinity" /t REG_DWORD /d "0" /f > nul 2>&1
  2⤵
  PID:2880
- - C:\Windows\SysWOW64\reg.exe
    Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Window Manager" /v "Affinity" /t REG_DWORD /d "0" /f
    3⤵
    PID:4404
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Window Manager" /v "Background Only" /t REG_SZ /d "True" /f > nul 2>&1
  2⤵
  PID:2560
- - C:\Windows\SysWOW64\reg.exe
    Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Window Manager" /v "Background Only" /t REG_SZ /d "True" /f
    3⤵
    PID:2100
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Window Manager" /v "Clock Rate" /t REG_DWORD /d "10000" /f > nul 2>&1
  2⤵
  PID:2028
- - C:\Windows\SysWOW64\reg.exe
    Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Window Manager" /v "Clock Rate" /t REG_DWORD /d "10000" /f
    3⤵
    PID:1816
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Window Manager" /v "GPU Priority" /t REG_DWORD /d "8" /f > nul 2>&1
  2⤵
  PID:3508
- - C:\Windows\SysWOW64\reg.exe
    Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Window Manager" /v "GPU Priority" /t REG_DWORD /d "8" /f
    3⤵
    PID:812
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Window Manager" /v "Priority" /t REG_DWORD /d "5" /f > nul 2>&1
  2⤵
  PID:2476
- - C:\Windows\SysWOW64\reg.exe
    Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Window Manager" /v "Priority" /t REG_DWORD /d "5" /f
    3⤵
    PID:3652
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Window Manager" /v "Scheduling Category" /t REG_SZ /d "Medium" /f > nul 2>&1
  2⤵
  PID:4472
- - C:\Windows\SysWOW64\reg.exe
    Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Window Manager" /v "Scheduling Category" /t REG_SZ /d "Medium" /f
    3⤵
    PID:2976
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Window Manager" /v "SFIO Priority" /t REG_SZ /d "Normal" /f > nul 2>&1
  2⤵
  PID:4540
- - C:\Windows\SysWOW64\reg.exe
    Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Window Manager" /v "SFIO Priority" /t REG_SZ /d "Normal" /f
    3⤵
    PID:3712
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Games" /v "Affinity" /t REG_DWORD /d "0" /f > nul 2>&1
  2⤵
  PID:4576
- - C:\Windows\SysWOW64\reg.exe
    Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Games" /v "Affinity" /t REG_DWORD /d "0" /f
    3⤵
    PID:4340
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Games" /v "Background Only" /t REG_SZ /d "False" /f > nul 2>&1
  2⤵
  PID:3332
- - C:\Windows\SysWOW64\reg.exe
    Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Games" /v "Background Only" /t REG_SZ /d "False" /f
    3⤵
    PID:2844
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Games" /v "Clock Rate" /t REG_DWORD /d "10000" /f > nul 2>&1
  2⤵
  PID:2232
- - C:\Windows\SysWOW64\reg.exe
    Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Games" /v "Clock Rate" /t REG_DWORD /d "10000" /f
    3⤵
    PID:4284
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Games" /v "GPU Priority" /t REG_DWORD /d "8" /f > nul 2>&1
  2⤵
  PID:1084
- - C:\Windows\SysWOW64\reg.exe
    Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Games" /v "GPU Priority" /t REG_DWORD /d "8" /f
    3⤵
    PID:2084
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Games" /v "Priority" /t REG_DWORD /d "6" /f > nul 2>&1
  2⤵
  PID:1596
- - C:\Windows\SysWOW64\reg.exe
    Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Games" /v "Priority" /t REG_DWORD /d "6" /f
    3⤵
    PID:4404
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Games" /v "Scheduling Category" /t REG_SZ /d "High" /f > nul 2>&1
  2⤵
  PID:2968
- - C:\Windows\SysWOW64\reg.exe
    Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Games" /v "Scheduling Category" /t REG_SZ /d "High" /f
    3⤵
    PID:4972
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Games" /v "SFIO Priority" /t REG_SZ /d "High" /f > nul 2>&1
  2⤵
  PID:180
- - C:\Windows\SysWOW64\reg.exe
    Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Games" /v "SFIO Priority" /t REG_SZ /d "High" /f
    3⤵
    PID:3440
- C:\Windows\system32\cmd.exe
  "C:\Windows\Sysnative\cmd.exe" /c bcdedit.exe /set bootux disabled
  2⤵
  PID:3740
- - C:\Windows\system32\bcdedit.exe
    bcdedit.exe /set bootux disabled
    3⤵
    - Modifies boot configuration data using bcdedit
    PID:5004
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\dwm.exe" /v "MitigationOptions" /t REG_BINARY /d "22222222222222222222222222222222" /f
  2⤵
  PID:1112
- - C:\Windows\SysWOW64\reg.exe
    reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\dwm.exe" /v "MitigationOptions" /t REG_BINARY /d "22222222222222222222222222222222" /f
    3⤵
    - Event Triggered Execution: Image File Execution Options Injection
    PID:1884
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\lsass.exe" /v "MitigationOptions" /t REG_BINARY /d "22222222222222222222222222222222" /f
  2⤵
  PID:3516
- - C:\Windows\SysWOW64\reg.exe
    reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\lsass.exe" /v "MitigationOptions" /t REG_BINARY /d "22222222222222222222222222222222" /f
    3⤵
    - Event Triggered Execution: Image File Execution Options Injection
    PID:4484
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\svchost.exe" /v "MitigationOptions" /t REG_BINARY /d "22222222222222222222222222222222" /f
  2⤵
  PID:4604
- - C:\Windows\SysWOW64\reg.exe
    reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\svchost.exe" /v "MitigationOptions" /t REG_BINARY /d "22222222222222222222222222222222" /f
    3⤵
    - Event Triggered Execution: Image File Execution Options Injection
    PID:4908
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WmiPrvSE.exe" /v "MitigationOptions" /t REG_BINARY /d "22222222222222222222222222222222" /f
  2⤵
  PID:1784
- - C:\Windows\SysWOW64\reg.exe
    reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WmiPrvSE.exe" /v "MitigationOptions" /t REG_BINARY /d "22222222222222222222222222222222" /f
    3⤵
    - Event Triggered Execution: Image File Execution Options Injection
    PID:4932
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winlogon.exe" /v "MitigationOptions" /t REG_BINARY /d "22222222222222222222222222222222" /f
  2⤵
  PID:4536
- - C:\Windows\SysWOW64\reg.exe
    reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winlogon.exe" /v "MitigationOptions" /t REG_BINARY /d "22222222222222222222222222222222" /f
    3⤵
    - Event Triggered Execution: Image File Execution Options Injection
    - System Location Discovery: System Language Discovery
    PID:3868
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\csrss.exe" /v "MitigationOptions" /t REG_BINARY /d "22222222222222222222222222222222" /f
  2⤵
  PID:2220
- - C:\Windows\SysWOW64\reg.exe
    reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\csrss.exe" /v "MitigationOptions" /t REG_BINARY /d "22222222222222222222222222222222" /f
    3⤵
    - Event Triggered Execution: Image File Execution Options Injection
    PID:5036
- C:\Windows\SysWOW64\powercfg.exe
  "C:\Windows\System32\powercfg.exe" -setacvalueindex scheme_current sub_processor THROTTLING 0
  2⤵
  - Power Settings
  - Suspicious use of AdjustPrivilegeToken
  PID:4356
- C:\Windows\SysWOW64\reg.exe
  "C:\Windows\System32\reg.exe" delete "HKLM\Software\Microsoft\Active Setup\Installed Components\{AFE6A462-C574-4B8A-AF43-4CC60DF4563B}" /f
  2⤵
  PID:1520
- C:\Windows\SysWOW64\reg.exe
  "C:\Windows\System32\reg.exe" delete "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{56CA197F-543C-40DC-953C-B9C6196C92A5}" /f
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1572
- C:\Windows\SysWOW64\reg.exe
  "C:\Windows\System32\reg.exe" delete "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{0948A341-8E1E-479F-A667-6169E4D5CB2A}" /f
  2⤵
  PID:3508
- C:\Windows\SysWOW64\reg.exe
  "C:\Windows\System32\reg.exe" delete "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{0948A341-8E1E-479F-A667-6169E4D5CB2A}" /f
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4544
- C:\Windows\SysWOW64\reg.exe
  "C:\Windows\System32\reg.exe" delete "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{56CA197F-543C-40DC-953C-B9C6196C92A5}" /f
  2⤵
  PID:1596
- C:\Windows\SysWOW64\reg.exe
  "C:\Windows\System32\reg.exe" delete "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\BraveSoftwareUpdateTaskMachineCore" /f
  2⤵
  PID:180
- C:\Windows\SysWOW64\reg.exe
  "C:\Windows\System32\reg.exe" delete "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\BraveSoftwareUpdateTaskMachineUA" /f
  2⤵
  PID:392
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C TAKEOWN /F "C:\Windows\SystemApps" /A & ICACLS "C:\Windows\SystemApps" /GRANT Administrators:(F)
  2⤵
  PID:4400
- - C:\Windows\SysWOW64\takeown.exe
    TAKEOWN /F "C:\Windows\SystemApps" /A
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:4348
- - C:\Windows\SysWOW64\icacls.exe
    ICACLS "C:\Windows\SystemApps" /GRANT Administrators:(F)
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:1248
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C TAKEOWN /F "C:\ProgramData\Packages" /A & ICACLS "C:\ProgramData\Packages" /GRANT Administrators:(F)
  2⤵
  PID:840
- - C:\Windows\SysWOW64\takeown.exe
    TAKEOWN /F "C:\ProgramData\Packages" /A
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:1644
- - C:\Windows\SysWOW64\icacls.exe
    ICACLS "C:\ProgramData\Packages" /GRANT Administrators:(F)
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:4028
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C TAKEOWN /F "C:\Users\Admin\AppData\Local\Packages" /A & ICACLS "C:\Users\Admin\AppData\Local\Packages" /GRANT Administrators:(F)
  2⤵
  PID:4484
- - C:\Windows\SysWOW64\takeown.exe
    TAKEOWN /F "C:\Users\Admin\AppData\Local\Packages" /A
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:2620
- - C:\Windows\SysWOW64\icacls.exe
    ICACLS "C:\Users\Admin\AppData\Local\Packages" /GRANT Administrators:(F)
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:3656
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C TAKEOWN /F "C:\Program Files\WindowsApps" /A & ICACLS "C:\Program Files\WindowsApps" /GRANT Administrators:(F)
  2⤵
  PID:4556
- - C:\Windows\SysWOW64\takeown.exe
    TAKEOWN /F "C:\Program Files\WindowsApps" /A
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:220
- - C:\Windows\SysWOW64\icacls.exe
    ICACLS "C:\Program Files\WindowsApps" /GRANT Administrators:(F)
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:2824
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C TAKEOWN /F "C:\Program Files (x86)\Microsoft" /A & ICACLS "C:\Program Files (x86)\Microsoft" /GRANT Administrators:(F)
  2⤵
  PID:3304
- - C:\Windows\SysWOW64\takeown.exe
    TAKEOWN /F "C:\Program Files (x86)\Microsoft" /A
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:2376
- - C:\Windows\SysWOW64\icacls.exe
    ICACLS "C:\Program Files (x86)\Microsoft" /GRANT Administrators:(F)
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:964
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C TAKEOWN /F "C:\Users\Admin\AppData\Local\Microsoft\WindowsApps" /A & ICACLS "C:\Users\Admin\AppData\Local\Microsoft\WindowsApps" /GRANT Administrators:(F)
  2⤵
  PID:5036
- - C:\Windows\SysWOW64\takeown.exe
    TAKEOWN /F "C:\Users\Admin\AppData\Local\Microsoft\WindowsApps" /A
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:4004
- - C:\Windows\SysWOW64\icacls.exe
    ICACLS "C:\Users\Admin\AppData\Local\Microsoft\WindowsApps" /GRANT Administrators:(F)
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:2220
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C TAKEOWN /F "C:\Windows" /A & ICACLS "C:\Windows" /GRANT Administrators:(F)
  2⤵
  PID:4988
- - C:\Windows\SysWOW64\takeown.exe
    TAKEOWN /F "C:\Windows" /A
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:3604
- - C:\Windows\SysWOW64\icacls.exe
    ICACLS "C:\Windows" /GRANT Administrators:(F)
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:1800
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C TAKEOWN /F "C:\Windows\System32" /A & ICACLS "C:\Windows\System32" /GRANT Administrators:(F)
  2⤵
  PID:4972
- - C:\Windows\SysWOW64\takeown.exe
    TAKEOWN /F "C:\Windows\System32" /A
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:4420
- - C:\Windows\SysWOW64\icacls.exe
    ICACLS "C:\Windows\System32" /GRANT Administrators:(F)
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:4404
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C TAKEOWN /F "C:\Windows\SysWOW64" /A & ICACLS "C:\Windows\SysWOW64" /GRANT Administrators:(F)
  2⤵
  PID:1048
- - C:\Windows\SysWOW64\takeown.exe
    TAKEOWN /F "C:\Windows\SysWOW64" /A
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:980
- - C:\Windows\SysWOW64\icacls.exe
    ICACLS "C:\Windows\SysWOW64" /GRANT Administrators:(F)
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:3936
- C:\Windows\SysWOW64\OneDriveSetup.exe
  "C:\Windows\SysWOW64\OneDriveSetup.exe" /uninstall
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3000
- - C:\Windows\SysWOW64\OneDriveSetup.exe
    "C:\Windows\SysWOW64\OneDriveSetup.exe" C:\Windows\SysWOW64\OneDriveSetup.exe /uninstall /permachine /childprocess /silent /enableOMCTelemetry /enableExtractCabV2 /cusid:S-1-5-21-355097885-2402257403-2971294179-1000
    3⤵
    PID:4620
- - C:\Windows\SysWOW64\OneDriveSetup.exe
    C:\Windows\SysWOW64\OneDriveSetup.exe /uninstall /peruser /childprocess /enableOMCTelemetry /enableExtractCabV2
    3⤵
    - Modifies system executable filetype association
    - Drops desktop.ini file(s)
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    PID:1324
  - - C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileSyncConfig.exe
      "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileSyncConfig.exe" /uninstall
      4⤵
      Modifies registry class
      PID:1644
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C DEL /Q "C:\Windows\helpPane.exe"
  2⤵
  PID:4356
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C DEL /Q "C:\Windows\System32\backgroundtaskhost.exe"
  2⤵
  PID:3492
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C DEL /Q "C:\Windows\System32\EaseOfAccessDialog.exe"
  2⤵
  PID:2984
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C DEL /Q "C:\Windows\System32\RuntimeBroker.exe"
  2⤵
  PID:1936
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C DEL /Q "C:\Windows\System32\WSClient.dll"
  2⤵
  PID:1200
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C DEL /Q "C:\Windows\System32\WSCollect.exe"
  2⤵
  PID:2396
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C DEL /Q "C:\Windows\System32\gamebarpresencewriter.exe"
  2⤵
  PID:4632
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C DEL /Q "C:\Windows\System32\gamepanel.exe"
  2⤵
  PID:4560
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C DEL /Q "C:\Windows\System32\magnify.exe"
  2⤵
  PID:4548
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C DEL /Q "C:\Windows\System32\mblctr.exe"
  2⤵
  PID:488
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C DEL /Q "C:\Windows\System32\sdiagnhost.exe"
  2⤵
  PID:1064
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C DEL /Q "C:\Windows\System32\mobsync.exe"
  2⤵
  PID:3460
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C DEL /Q "C:\Windows\System32\msdt.exe"
  2⤵
  PID:1416
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C DEL /Q "C:\Windows\System32\narrator.exe"
  2⤵
  PID:1828
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C DEL /Q "C:\Windows\System32\osk.exe"
  2⤵
  PID:1664
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C DEL /Q "C:\Windows\System32\smartscreen.exe"
  2⤵
  PID:4348
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C DEL /Q "C:\Windows\SysWOW64\backgroundtaskhost.exe"
  2⤵
  PID:3688
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C DEL /Q "C:\Windows\SysWOW64\EaseOfAccessDialog.exe"
  2⤵
  PID:3712
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C DEL /Q "C:\Windows\SysWOW64\WSClient.dll"
  2⤵
  PID:824
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C DEL /Q "C:\Windows\SysWOW64\gamebarpresencewriter.exe"
  2⤵
  PID:2972
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C DEL /Q "C:\Windows\SysWOW64\gamepanel.exe"
  2⤵
  PID:2592
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C DEL /Q "C:\Windows\SysWOW64\magnify.exe"
  2⤵
  PID:116
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C DEL /Q "C:\Windows\SysWOW64\mobsync.exe"
  2⤵
  PID:1688
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C DEL /Q "C:\Windows\SysWOW64\flashPlayerCPLApp.cpl"
  2⤵
  PID:3088
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C DEL /Q "C:\Windows\SysWOW64\flashPlayerApp.exe"
  2⤵
  PID:4456
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C RD /S /Q "C:\Windows\SystemApps"
  2⤵
  - Drops file in Windows directory
  PID:3128
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C RD /S /Q "C:\ProgramData\Packages"
  2⤵
  PID:388
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C RD /S /Q "C:\Users\Admin\AppData\Local\Packages"
  2⤵
  PID:1324
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C RD /S /Q "C:\Program Files\WindowsApps"
  2⤵
  - Drops file in Program Files directory
  PID:3000
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C RD /S /Q "C:\Program Files (x86)\Microsoft"
  2⤵
  PID:2092
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C RD /S /Q "C:\Users\Admin\AppData\Local\Microsoft\WindowsApps"
  2⤵
  PID:4248

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{E2B3C97F-6AE1-41AC-817A-F6F92166D7DD}
1⤵
PID:5004

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.Windows.Search_cw5n1h2txyewy
1⤵
PID:980

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k UnistackSvcGroup
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1412

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:1644

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy
1⤵
PID:3792

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3608
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ffdb8f3cc40,0x7ffdb8f3cc4c,0x7ffdb8f3cc58
  2⤵
  PID:2748
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1932,i,12623140457598793250,4610558494301089711,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=1920 /prefetch:2
  2⤵
  PID:3296
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2084,i,12623140457598793250,4610558494301089711,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2104 /prefetch:3
  2⤵
  PID:4804
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2312,i,12623140457598793250,4610558494301089711,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2476 /prefetch:8
  2⤵
  PID:3120
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3180,i,12623140457598793250,4610558494301089711,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3200 /prefetch:1
  2⤵
  PID:4624
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3288,i,12623140457598793250,4610558494301089711,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3452 /prefetch:1
  2⤵
  PID:2792
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=3184,i,12623140457598793250,4610558494301089711,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4568 /prefetch:1
  2⤵
  PID:3440
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4892,i,12623140457598793250,4610558494301089711,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4812 /prefetch:1
  2⤵
  PID:2376
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=3444,i,12623140457598793250,4610558494301089711,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4820 /prefetch:8
  2⤵
  PID:568
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4564,i,12623140457598793250,4610558494301089711,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4764 /prefetch:8
  2⤵
  PID:776

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:4172

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.VCLibs.140.00_8wekyb3d8bbwe
1⤵
PID:2776

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 MicrosoftWindows.Client.CBS_cw5n1h2txyewy
1⤵
PID:4384

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.VCLibs.140.00_8wekyb3d8bbwe
1⤵
PID:3616

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 MicrosoftWindows.Client.CBS_cw5n1h2txyewy
1⤵
PID:1168

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:4416

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc
1⤵
PID:1288

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SendNotifyMessage
PID:4388

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Component Object Model Hijacking

T1546.015

Image File Execution Options Injection

T1546.012

Hijack Execution Flow

T1574

Executable Installer File Permissions Weakness

Power Settings

T1653

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Component Object Model Hijacking

T1546.015

Image File Execution Options Injection

T1546.012

Hijack Execution Flow

T1574

Executable Installer File Permissions Weakness

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

File and Directory Permissions Modification

T1222

Windows File and Directory Permissions Modification

T1222.001

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Ignore Process Interrupts

T1564.011

Hijack Execution Flow

T1574

Executable Installer File Permissions Weakness

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

Credential Access

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

System Information Discovery