Analysis
max time kernel: 299s
max time network: 296s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 13-08-2024 11:51
Static task: static1
URLScan task: urlscan1
Behavioral task: behavioral1
Sample: https://cdn.discordapp.com/attachments/850854604554895461/1271993054978379877/zion.exe?ex=66bbfe58&is=66baacd8&hm=23be3bc044a0addcacc2d93ae68130068dedb84c1c0c0d75f896135efb9d4b96&
Resource: win10v2004-20240802-en
General
Target: https://cdn.discordapp.com/attachments/850854604554895461/1271993054978379877/zion.exe?ex=66bbfe58&is=66baacd8&hm=23be3bc044a0addcacc2d93ae68130068dedb84c1c0c0d75f896135efb9d4b96&
Malware Config
Signatures
Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
Processes:
description | ioc | process
Set value (int) | \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "0" | zion.exe
Processes:
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | zion.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | zion.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | zion.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | zion.exe
Modifies boot configuration data using bcdedit 20 IoCs
Disables taskbar notifications via registry modification
Downloads MZ/PE file
Event Triggered Execution: Image File Execution Options Injection 1 TTPs 12 IoCs
Processes:
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\dwm.exe | reg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\svchost.exe | reg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WmiPrvSE.exe | reg.exe
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WmiPrvSE.exe\MitigationOptions = 22222222222222222222222222222222 | reg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winlogon.exe | reg.exe
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winlogon.exe\MitigationOptions = 22222222222222222222222222222222 | reg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\csrss.exe | reg.exe
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\dwm.exe\MitigationOptions = 22222222222222222222222222222222 | reg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\lsass.exe | reg.exe
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\lsass.exe\MitigationOptions = 22222222222222222222222222222222 | reg.exe
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\svchost.exe\MitigationOptions = 22222222222222222222222222222222 | reg.exe
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\csrss.exe\MitigationOptions = 22222222222222222222222222222222 | reg.exe
Possible privilege escalation attempt 18 IoCs
Checks computer location settings 2 TTPs 1 IoCs
Looks up the country code configured in the registry, likely for geofencing.
Processes:
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation | zion.exe
Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
Executes dropped EXE 2 IoCs
Processes:
pid | process
2584 | zion.exe
2876 | nvidiaProfileInspector.exe
Modifies file permissions 1 TTPs 18 IoCs
Modifies system executable filetype association 2 TTPs 1 IoCs
Processes:
description | ioc | process
Key deleted | \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\lnkfile\shellex\ContextMenuHandlers\ FileSyncEx | OneDriveSetup.exe
Processes:
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | zion.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | zion.exe
Drops desktop.ini file(s) 1 IoCs
Processes:
description | ioc | process
File opened for modification | C:\Users\Admin\OneDrive\desktop.ini | OneDriveSetup.exe
File and Directory Permissions Modification: Windows File and Directory Permissions Modification 1 TTPs
Hijack Execution Flow: Executable Installer File Permissions Weakness 1 TTPs 1 IoCs
Possibly turns off User Account Control's privilege elevation for standard users.
Processes:
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" | zion.exe
Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
Power Settings 1 TTPs 18 IoCs
powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
Processes:
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\Desktop\Wallpaper = "0" | zion.exe
Drops file in Program Files directory 64 IoCs
Drops file in Windows directory 64 IoCs
Hide Artifacts: Ignore Process Interrupts 1 TTPs 1 IoCs
Command interpreters often include specific commands/flags that ignore errors and other hangups.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes:
description | ioc | process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 | taskmgr.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | taskmgr.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName | taskmgr.exe
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
description | ioc | process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | taskmgr.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | taskmgr.exe
Enumerates system info in registry 2 TTPs 11 IoCs
Processes:
description | ioc | process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | SearchApp.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | SearchApp.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | chrome.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | chrome.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | chrome.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | msedge.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | chrome.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | chrome.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | chrome.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | msedge.exe
Modifies Control Panel 34 IoCs
Processes: zion.exe
description | ioc | process
Set value (data) | \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\Desktop\UserPreferencesMask = 9012038010000000 | zion.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\Accessibility\StickyKeys\Flags = "506" | zion.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\Desktop\AutoEndTasks = "1" | zion.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\Accessibility\SlateLaunch\LaunchAT = "0" | zion.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\Accessibility\SoundSentry\Flags = "0" | zion.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\Accessibility\SoundSentry\FSTextEffect = "0" | zion.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\Accessibility\Keyboard Response\Flags = "122" | zion.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\Cursors\ContactVisualization = "0" | zion.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\Desktop\LowLevelHooksTimeout = "1000" | zion.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\Desktop\WaitToKillServiceTimeout = "1000" | zion.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\Accessibility\SlateLaunch\ATapp | zion.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\Sound\Beep = "No" | zion.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\Desktop\MenuShowDelay = "0" | zion.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\User Profile\HttpAcceptLanguageOptOut = "1" | zion.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\Accessibility\SoundSentry\WindowsEffect = "0" | zion.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\Mouse\MouseThreshold1 = "0" | zion.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\Desktop\DragFullWindows = "0" | zion.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\Desktop\WindowMetrics\MinAnimate = "0" | zion.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\Desktop\ForegroundLockTimeout = "0" | zion.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\Accessibility\ToggleKeys\Flags = "58" | zion.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\Mouse\MouseSpeed = "0" | zion.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\Accessibility\DynamicScrollbars = "0" | zion.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\Desktop\FontSmoothing = "0" | zion.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\Accessibility\SoundSentry\TextEffect = "0" | zion.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\Desktop\WindowMetrics\MinAnimate = "0" | zion.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" | zion.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\Desktop\HungAppTimeout = "1000" | zion.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\Mouse\MouseSensitivity = "10" | zion.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\Sound\ExtendedSounds = "No" | zion.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\Cursors\GestureVisualization = "0" | zion.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\Mouse\MouseHoverTime = "0" | zion.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\Mouse\MouseThreshold2 = "0" | zion.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\Desktop\WindowMetrics\MaxAnimate = "0" | zion.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\Desktop\WaitToKillAppTimeout = "1000" | zion.exe
Most of these are cosmetic or performance tweaks (animations, mouse acceleration, accessibility shortcuts, shorter hung-app and shutdown timeouts). The one with a security consequence is ScreenSaverIsSecure = "0", which removes the password requirement when the session resumes from the screen saver.
Processes: SearchApp.exe
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Software\Microsoft\Internet Explorer\GPU | SearchApp.exe
Key created | \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Internet Explorer\GPU | SearchApp.exe
Modifies data under HKEY_USERS 3 IoCs
Processes: chrome.exe, chrome.exe
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry | chrome.exe
Set value (int) | \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133680236690572859" | chrome.exe
Key created | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry | chrome.exe
Modifies registry class 64 IoCs
Processes: OneDriveSetup.exe, SearchApp.exe, FileSyncConfig.exe
description | ioc | process
Key deleted | \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_CLASSES\WOW6432NODE\CLSID\{A3CA1CF4-5F3E-4AC0-91B9-0D3716E1EAC3}\VERSIONINDEPENDENTPROGID | OneDriveSetup.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "French Phone Converter" | SearchApp.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\windows.search\NumberOfSubdomains = "0" | SearchApp.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "Discrete;Continuous" | SearchApp.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "SR en-US Lts Lexicon" | SearchApp.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Content\CacheLimit = "51200" | SearchApp.exe
Key deleted | \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_CLASSES\TYPELIB\{638805C3-4BA3-4AC8-8AAC-71A0BA2BC284}\1.0\FLAGS | OneDriveSetup.exe
Key deleted | \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_CLASSES\FILESYNCCLIENT.AUTOPLAYHANDLER\CURVER | OneDriveSetup.exe
Key deleted | \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_CLASSES\INTERFACE\{AF60000F-661D-472A-9588-F062F6DB7A0E}\PROXYSTUBCLSID32 | OneDriveSetup.exe
Key deleted | \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_CLASSES\TYPELIB\{C9F3F6BB-3172-4CD8-9EB7-37C9BE601C87}\1.0\0\WIN32 | OneDriveSetup.exe
Key deleted | \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_CLASSES\CLSID\{94269C4E-071A-4116-90E6-52E557067E4E}\LOCALSERVER32 | OneDriveSetup.exe
Key deleted | \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_CLASSES\WOW6432NODE\INTERFACE\{1B71F23B-E61F-45C9-83BA-235D55F50CF9}\PROXYSTUBCLSID32 | OneDriveSetup.exe
Key deleted | \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_CLASSES\INTERFACE\{AEEBAD4E-3E0A-415B-9B94-19C499CD7B6A}\PROXYSTUBCLSID32 | OneDriveSetup.exe
Key deleted | \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_CLASSES\SYNCENGINECOMSERVER.SYNCENGINECOMSERVER\CURVER | OneDriveSetup.exe
Key deleted | \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_CLASSES\INTERFACE\{5D5DD08F-A10E-4FEF-BCA7-E73E666FC66C}\TYPELIB | OneDriveSetup.exe
Key deleted | \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_CLASSES\INTERFACE\{8D3F8F15-1DE1-4662-BF93-762EABE988B2}\PROXYSTUBCLSID32 | OneDriveSetup.exe
Key deleted | \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_CLASSES\TYPELIB\{909A6CCD-6810-46C4-89DF-05BE7EB61E6C}\1.0\0\WIN32 | OneDriveSetup.exe
Key deleted | \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Interface\{c1439245-96b4-47fc-b391-679386c5d40f} | OneDriveSetup.exe
Key deleted | \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\TypeLib\{C9F3F6BB-3172-4CD8-9EB7-37C9BE601C87}\1.0\0 | OneDriveSetup.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "Microsoft Speech Recognition Engine - en-US Embedded DNN v11.1" | SearchApp.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "{2984A9DB-5689-43AD-877D-14999A15DD46}" | SearchApp.exe
Key deleted | \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\BannerNotificationHandler.BannerNotificationHandler\shell\import | OneDriveSetup.exe
Key deleted | \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_CLASSES\WOW6432NODE\INTERFACE\{5D65DD0D-81BF-4FF4-AEEA-6EFFB445CB3F}\PROXYSTUBCLSID32 | OneDriveSetup.exe
Key deleted | \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_CLASSES\WOW6432NODE\INTERFACE\{22A68885-0FD9-42F6-9DED-4FB174DC7344}\TYPELIB | OneDriveSetup.exe
Key deleted | \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\WOW6432Node\Interface\{2EB31403-EBE0-41EA-AE91-A1953104EA55} | OneDriveSetup.exe
Key deleted | \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_CLASSES\CLSID\{CB3D0F55-BC2C-4C1A-85ED-23ED75B5106B}\INPROCSERVER32 | OneDriveSetup.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "56" | SearchApp.exe
Key deleted | \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\WOW6432Node\Interface\{10C9242E-D604-49B5-99E4-BF87945EF86C} | OneDriveSetup.exe
Key deleted | \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\WOW6432Node\Interface\{c1439245-96b4-47fc-b391-679386c5d40f} | OneDriveSetup.exe
Key deleted | \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_CLASSES\WOW6432NODE\CLSID\{71DCE5D6-4B57-496B-AC21-CD5B54EB93FD}\LOCALSERVER32 | OneDriveSetup.exe
Key deleted | \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_CLASSES\TYPELIB\{082D3FEC-D0D0-4DF6-A988-053FECE7B884}\1.0\FLAGS | OneDriveSetup.exe
Key deleted | \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\TypeLib\{909A6CCD-6810-46C4-89DF-05BE7EB61E6C} | OneDriveSetup.exe
Key deleted | \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_CLASSES\WOW6432NODE\INTERFACE\{D0ED5C72-6197-4AAD-9B16-53FE461DD85C}\PROXYSTUBCLSID32 | OneDriveSetup.exe
Key deleted | \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_CLASSES\CLSID\{C5FF006E-2AE9-408C-B85B-2DFDD5449D9C}\INPROCSERVER32 | OneDriveSetup.exe
Key deleted | \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_CLASSES\CLSID\{71DCE5D6-4B57-496B-AC21-CD5B54EB93FD}\PROGID | OneDriveSetup.exe
Key created | \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Extensible Cache | SearchApp.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:" | SearchApp.exe
Key deleted | \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Interface\{0f872661-c863-47a4-863f-c065c182858a} | OneDriveSetup.exe
Key deleted | \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_CLASSES\WOW6432NODE\INTERFACE\{EE15BBBB-9E60-4C52-ABCB-7540FF3DF6B3}\TYPELIB | OneDriveSetup.exe
Key deleted | \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_CLASSES\INTERFACE\{F0440F4E-4884-4A8F-8A45-BA89C00F96F2}\TYPELIB | OneDriveSetup.exe
Key deleted | \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\WOW6432Node\CLSID\{9AA2F32D-362A-42D9-9328-24A483E2CCC3} | OneDriveSetup.exe
Key deleted | \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\WOW6432Node\Interface\{31508CC7-9BC7-494B-9D0F-7B1C7F144182} | OneDriveSetup.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe,0" | FileSyncConfig.exe
Key deleted | \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_CLASSES\WOW6432NODE\INTERFACE\{9D613F8A-B30E-4938-8490-CB5677701EBF}\PROXYSTUBCLSID32 | OneDriveSetup.exe
Key deleted | \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_CLASSES\INTERFACE\{0776AE27-5AB9-4E18-9063-1836DA63117A}\PROXYSTUBCLSID32 | OneDriveSetup.exe
Key deleted | \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_CLASSES\INTERFACE\{2387C6BD-9A36-41A2-88ED-FF731E529384}\PROXYSTUBCLSID32 | OneDriveSetup.exe
Key deleted | \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\CLSID\{BBACC218-34EA-4666-9D7A-C78F2274A524} | OneDriveSetup.exe
Key deleted | \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\CLSID\{A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E} | OneDriveSetup.exe
Key deleted | \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\IE.AssocFile.URL\shellex\ContextMenuHandlers\ FileSyncEx | OneDriveSetup.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "- 0001 ! 0002 & 0003 , 0004 . 0005 ?
0006 _ 0007 + 0008 * 0009 1 000A 2 000B 3 000C 4 000D 5 000E a 000F ai 0010 an 0011 ang 0012 ao 0013 ba 0014 bai 0015 ban 0016 bang 0017 bao 0018 bei 0019 ben 001A beng 001B bi 001C bian 001D biao 001E bie 001F bin 0020 bing 0021 bo 0022 bu 0023 ca 0024 cai 0025 can 0026 cang 0027 cao 0028 ce 0029 cen 002A ceng 002B cha 002C chai 002D chan 002E chang 002F chao 0030 che 0031 chen 0032 cheng 0033 chi 0034 chong 0035 chou 0036 chu 0037 chuai 0038 chuan 0039 chuang 003A chui 003B chun 003C chuo 003D ci 003E cong 003F cou 0040 cu 0041 cuan 0042 cui 0043 cun 0044 cuo 0045 da 0046 dai 0047 dan 0048 dang 0049 dao 004A de 004B dei 004C den 004D deng 004E di 004F dia 0050 dian 0051 diao 0052 die 0053 ding 0054 diu 0055 dong 0056 dou 0057 du 0058 duan 0059 dui 005A dun 005B duo 005C e 005D ei 005E en 005F er 0060 fa 0061 fan 0062 fang 0063 fei 0064 fen 0065 feng 0066 fo 0067 fou 0068 fu 0069 ga 006A gai 006B gan 006C gang 006D gao 006E ge 006F gei 0070 gen 0071 geng 0072 gong 0073 gou 0074 gu 0075 gua 0076 guai 0077 guan 0078 guang 0079 gui 007A gun 007B guo 007C ha 007D hai 007E han 007F hang 0080 hao 0081 he 0082 hei 0083 hen 0084 heng 0085 hong 0086 hou 0087 hu 0088 hua 0089 huai 008A huan 008B huang 008C hui 008D hun 008E huo 008F ji 0090 jia 0091 jian 0092 jiang 0093 jiao 0094 jie 0095 jin 0096 jing 0097 jiong 0098 jiu 0099 ju 009A juan 009B jue 009C jun 009D ka 009E kai 009F kan 00A0 kang 00A1 kao 00A2 ke 00A3 kei 00A4 ken 00A5 keng 00A6 kong 00A7 kou 00A8 ku 00A9 kua 00AA kuai 00AB kuan 00AC kuang 00AD kui 00AE kun 00AF kuo 00B0 la 00B1 lai 00B2 lan 00B3 lang 00B4 lao 00B5 le 00B6 lei 00B7 leng 00B8 li 00B9 lia 00BA lian 00BB liang 00BC liao 00BD lie 00BE lin 00BF ling 00C0 liu 00C1 lo 00C2 long 00C3 lou 00C4 lu 00C5 luan 00C6 lue 00C7 lun 00C8 luo 00C9 lv 00CA ma 00CB mai 00CC man 00CD mang 00CE mao 00CF me 00D0 mei 00D1 men 00D2 meng 00D3 mi 00D4 mian 00D5 miao 00D6 mie 00D7 min 00D8 ming 00D9 miu 00DA mo 00DB mou 00DC mu 00DD na 00DE nai 00DF nan 00E0 nang 00E1 nao 
00E2 ne 00E3 nei 00E4 nen 00E5 neng 00E6 ni 00E7 nian 00E8 niang 00E9 niao 00EA nie 00EB nin 00EC ning 00ED niu 00EE nong 00EF nou 00F0 nu 00F1 nuan 00F2 nue 00F3 nuo 00F4 nv 00F5 o 00F6 ou 00F7 pa 00F8 pai 00F9 pan 00FA pang 00FB pao 00FC pei 00FD pen 00FE peng 00FF pi 0100 pian 0101 piao 0102 pie 0103 pin 0104 ping 0105 po 0106 pou 0107 pu 0108 qi 0109 qia 010A qian 010B qiang 010C qiao 010D qie 010E qin 010F qing 0110 qiong 0111 qiu 0112 qu 0113 quan 0114 que 0115 qun 0116 ran 0117 rang 0118 rao 0119 re 011A ren 011B reng 011C ri 011D rong 011E rou 011F ru 0120 ruan 0121 rui 0122 run 0123 ruo 0124 sa 0125 sai 0126 san 0127 sang 0128 sao 0129 se 012A sen 012B seng 012C sha 012D shai 012E shan 012F shang 0130 shao 0131 she 0132 shei 0133 shen 0134 sheng 0135 shi 0136 shou 0137 shu 0138 shua 0139 shuai 013A shuan 013B shuang 013C shui 013D shun 013E shuo 013F si 0140 song 0141 sou 0142 su 0143 suan 0144 sui 0145 sun 0146 suo 0147 ta 0148 tai 0149 tan 014A tang 014B tao 014C te 014D tei 014E teng 014F ti 0150 tian 0151 tiao 0152 tie 0153 ting 0154 tong 0155 tou 0156 tu 0157 tuan 0158 tui 0159 tun 015A tuo 015B wa 015C wai 015D wan 015E wang 015F wei 0160 wen 0161 weng 0162 wo 0163 wu 0164 xi 0165 xia 0166 xian 0167 xiang 0168 xiao 0169 xie 016A xin 016B xing 016C xiong 016D xiu 016E xu 016F xuan 0170 xue 0171 xun 0172 ya 0173 yan 0174 yang 0175 yao 0176 ye 0177 yi 0178 yin 0179 ying 017A yo 017B yong 017C you 017D yu 017E yuan 017F yue 0180 yun 0181 za 0182 zai 0183 zan 0184 zang 0185 zao 0186 ze 0187 zei 0188 zen 0189 zeng 018A zha 018B zhai 018C zhan 018D zhang 018E zhao 018F zhe 0190 zhei 0191 zhen 0192 zheng 0193 zhi 0194 zhong 0195 zhou 0196 zhu 0197 zhua 0198 zhuai 0199 zhuan 019A zhuang 019B zhui 019C zhun 019D zhuo 019E zi 019F zong 01A0 zou 01A1 zu 01A2 zuan 01A3 zui 01A4 zun 01A5 zuo 01A6" | SearchApp.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search\ = "56" | SearchApp.exe
Key deleted | \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_CLASSES\FILESYNCCLIENT.AUTOPLAYHANDLER\SHELL\IMPORT\DROPTARGET | OneDriveSetup.exe
Key deleted | \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_CLASSES\INTERFACE\{385ED83D-B50C-4580-B2C3-9E64DBE7F511}\TYPELIB | OneDriveSetup.exe
Key deleted | \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_CLASSES\INTERFACE\{B54E7079-90C9-4C62-A6B8-B2834C33A04A}\PROXYSTUBCLSID32 | OneDriveSetup.exe
Key deleted | \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_CLASSES\WOW6432NODE\INTERFACE\{466F31F7-9892-477E-B189-FA5C59DE3603}\PROXYSTUBCLSID32 | OneDriveSetup.exe
Key deleted | \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_CLASSES\BANNERNOTIFICATIONHANDLER.BANNERNOTIFICATIONHANDLER.1\CLSID | OneDriveSetup.exe
Key deleted | \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_CLASSES\INTERFACE\{5D65DD0D-81BF-4FF4-AEEA-6EFFB445CB3F}\PROXYSTUBCLSID32 | OneDriveSetup.exe
Key deleted | \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_CLASSES\INTERFACE\{53DE12AA-DF96-413D-A25E-C75B6528ABF2}\PROXYSTUBCLSID32 | OneDriveSetup.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\ = "OneDrive" | FileSyncConfig.exe
Key deleted | \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\WOW6432Node\CLSID\{A3CA1CF4-5F3E-4AC0-91B9-0D3716E1EAC3} | OneDriveSetup.exe
Key deleted | \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_CLASSES\WOW6432NODE\INTERFACE\{F0AF7C30-EAE4-4644-961D-54E6E28708D6}\TYPELIB | OneDriveSetup.exe
Key deleted | \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_CLASSES\INTERFACE\{5D5DD08F-A10E-4FEF-BCA7-E73E666FC66C}\PROXYSTUBCLSID32 | OneDriveSetup.exe
Key deleted | \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\WOW6432Node\CLSID\{71DCE5D6-4B57-496B-AC21-CD5B54EB93FD} | OneDriveSetup.exe
Key deleted | \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_CLASSES\INTERFACE\{D8C80EBB-099C-4208-AFA3-FBC4D11F8A3C}\PROXYSTUBCLSID32 | OneDriveSetup.exe
None of these 64 entries is attributed to zion.exe: they are OneDriveSetup.exe deleting OneDrive COM registrations (with FileSyncConfig.exe re-creating the OneDrive CLSID entries) and SearchApp.exe writing its own AppContainer speech and cache state.
NTFS ADS 1 IoCs
Processes: msedge.exe
description | ioc | process
File opened for modification | C:\Users\Admin\Downloads\Unconfirmed 121859.crdownload:SmartScreen | msedge.exe
This is Edge writing its SmartScreen stream on an in-progress .crdownload file, part of its normal download handling; it is not the sample creating an alternate data stream.
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes: msedge.exe, msedge.exe, identity_helper.exe, msedge.exe, powershell.exe, zion.exe, chrome.exe, OneDriveSetup.exe, OneDriveSetup.exe, taskmgr.exe, chrome.exe
pid | process | hits
5012 | msedge.exe | 2
4056 | msedge.exe | 2
2704 | identity_helper.exe | 2
224 | msedge.exe | 2
3812 | powershell.exe | 3
2584 | zion.exe | 3
2376 | chrome.exe | 2
6052 | OneDriveSetup.exe | 2
5352 | OneDriveSetup.exe | 10
2584 | zion.exe | 2
5612 | taskmgr.exe | 17
3408 | chrome.exe | 2
5612 | taskmgr.exe | 15
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes: zion.exe
pid | process
2584 | zion.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 14 IoCs
Processes: msedge.exe, chrome.exe, chrome.exe
pid | process | hits
4056 | msedge.exe | 7
2376 | chrome.exe | 4
3408 | chrome.exe | 3
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes: powercfg.exe (14 instances), powershell.exe, zion.exe, takeown.exe (3 instances), chrome.exe, OneDriveSetup.exe
description | pid | process
Token: SeShutdownPrivilege, SeCreatePagefilePrivilege | 3056 | powercfg.exe
Token: SeShutdownPrivilege, SeCreatePagefilePrivilege | 4504 | powercfg.exe
Token: SeShutdownPrivilege, SeCreatePagefilePrivilege | 3700 | powercfg.exe
Token: SeShutdownPrivilege, SeCreatePagefilePrivilege | 716 | powercfg.exe
Token: SeShutdownPrivilege, SeCreatePagefilePrivilege (twice) | 1496 | powercfg.exe
Token: SeShutdownPrivilege, SeCreatePagefilePrivilege | 440 | powercfg.exe
Token: SeShutdownPrivilege, SeCreatePagefilePrivilege | 1796 | powercfg.exe
Token: SeShutdownPrivilege, SeCreatePagefilePrivilege | 680 | powercfg.exe
Token: SeShutdownPrivilege, SeCreatePagefilePrivilege | 4804 | powercfg.exe
Token: SeShutdownPrivilege, SeCreatePagefilePrivilege | 1600 | powercfg.exe
Token: SeShutdownPrivilege, SeCreatePagefilePrivilege | 2292 | powercfg.exe
Token: SeShutdownPrivilege, SeCreatePagefilePrivilege | 3548 | powercfg.exe
Token: SeShutdownPrivilege, SeCreatePagefilePrivilege | 1012 | powercfg.exe
Token: SeDebugPrivilege | 3812 | powershell.exe
Token: SeShutdownPrivilege, SeCreatePagefilePrivilege | 5664 | powercfg.exe
Token: SeDebugPrivilege | 2584 | zion.exe
Token: SeTakeOwnershipPrivilege | 5152 | takeown.exe
Token: SeTakeOwnershipPrivilege | 4208 | takeown.exe
Token: SeTakeOwnershipPrivilege | 5684 | takeown.exe
Token: SeShutdownPrivilege, SeCreatePagefilePrivilege (twice) | 2376 | chrome.exe
Token: SeIncreaseQuotaPrivilege | 6052 | OneDriveSetup.exe
Token: SeShutdownPrivilege, SeCreatePagefilePrivilege (12 times) | 2376 | chrome.exe
The powercfg.exe and chrome.exe rows are those programs adjusting their own tokens. The rows worth following up are SeDebugPrivilege enabled by zion.exe (PID 2584) and by powershell.exe (PID 3812), and SeTakeOwnershipPrivilege in three separate takeown.exe instances (5152, 4208, 5684), which is takeown taking ownership of files the caller could not otherwise modify.
Suspicious use of FindShellTrayWindow 64 IoCs
Processes: msedge.exe, chrome.exe
pid | process | hits
4056 | msedge.exe | repeated
2376 | chrome.exe | repeated
(64 hits in total across the two processes)
Suspicious use of SendNotifyMessage 64 IoCs
Processes: msedge.exe, chrome.exe
pid | process | hits
4056 | msedge.exe | repeated
2376 | chrome.exe | repeated
(64 hits in total across the two processes)
Suspicious use of SetWindowsHookEx 3 IoCs
Processes: zion.exe, SearchApp.exe
pid | process | hits
2584 | zion.exe | 2
1232 | SearchApp.exe | 1
Suspicious use of WriteProcessMemory 64 IoCs
Processes: msedge.exe
description | pid | process | target process
PID 4056 wrote to memory of 3920 | 4056 | msedge.exe | msedge.exe (2 hits)
PID 4056 wrote to memory of 4440 | 4056 | msedge.exe | msedge.exe (repeated)
PID 4056 wrote to memory of 5012 | 4056 | msedge.exe | msedge.exe (2 hits)
PID 4056 wrote to memory of 1684 | 4056 | msedge.exe | msedge.exe (repeated)
(64 hits in total)
All of these are the Edge browser process (PID 4056) writing into its own child msedge.exe processes (3920, 4440, 5012, 1684), which is how Chromium-based browsers set up their sandboxed renderer and utility children. zion.exe does not appear in this list.
System policy modification 1 TTPs 27 IoCs
Processes:
zion.exe
description ioc process
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" zion.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Windows\Sidebar\TurnOffSidebar = "1" zion.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" zion.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoInternetOpenWith = "1" zion.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\DataCollection\AllowTelemetry = "0" zion.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\TextInput\AllowLanguageFeaturesUninstall = "1" zion.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCAHealth = "1" zion.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" zion.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCAMeetNow = "1" zion.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" zion.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "255" zion.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Windows zion.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\AllowOnlineTips = "0" zion.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" zion.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableUIADesktopToggle = "0" zion.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Windows\TurnOffWinCal = "1" zion.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" zion.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" zion.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" zion.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\TextInput zion.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\TextInput\AllowLinguisticDataCollection = "0" zion.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoInstrumentation = "1" zion.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoPublishingWizard = "1" zion.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoOnlinePrintsWizard = "1" zion.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoWebServices = "1" zion.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Windows\Sidebar zion.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\DataCollection\MaxTelemetryAllowed = "1" zion.exe
Processes
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://cdn.discordapp.com/attachments/850854604554895461/1271993054978379877/zion.exe?ex=66bbfe58&is=66baacd8&hm=23be3bc044a0addcacc2d93ae68130068dedb84c1c0c0d75f896135efb9d4b96&1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4056 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff9b2b846f8,0x7ff9b2b84708,0x7ff9b2b847182⤵PID:3920
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2124,17550515906735399456,561076694406410635,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2168 /prefetch:22⤵PID:4440
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2124,17550515906735399456,561076694406410635,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2232 /prefetch:32⤵
- Suspicious behavior: EnumeratesProcesses
PID:5012
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2124,17550515906735399456,561076694406410635,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2844 /prefetch:82⤵PID:1684
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,17550515906735399456,561076694406410635,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3332 /prefetch:12⤵PID:2596
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,17550515906735399456,561076694406410635,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3360 /prefetch:12⤵PID:2828
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,17550515906735399456,561076694406410635,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5372 /prefetch:12⤵PID:2448
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,17550515906735399456,561076694406410635,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5388 /prefetch:12⤵PID:2392
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2124,17550515906735399456,561076694406410635,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5700 /prefetch:82⤵PID:2752
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2124,17550515906735399456,561076694406410635,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5700 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:2704
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2124,17550515906735399456,561076694406410635,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5160 /prefetch:82⤵PID:4808
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,17550515906735399456,561076694406410635,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3452 /prefetch:12⤵PID:1852
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,17550515906735399456,561076694406410635,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6016 /prefetch:12⤵PID:2156
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,17550515906735399456,561076694406410635,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6096 /prefetch:12⤵PID:4504
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2124,17550515906735399456,561076694406410635,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6448 /prefetch:82⤵PID:2112
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2124,17550515906735399456,561076694406410635,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5092 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:224
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:4224
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:4900
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵PID:2072
-
C:\Users\Admin\Downloads\zion.exe"C:\Users\Admin\Downloads\zion.exe"1⤵
- Modifies visibility of file extensions in Explorer
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Hijack Execution Flow: Executable Installer File Permissions Weakness
- Sets desktop wallpaper using registry
- Modifies Control Panel
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:2584 -
C:\Windows\SysWOW64\powercfg.exe"C:\Windows\System32\powercfg.exe" /restoredefaultschemes2⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
PID:3056
-
-
C:\Windows\SysWOW64\powercfg.exe"C:\Windows\System32\powercfg.exe" -duplicatescheme 8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c 00000000-0000-0000-0000-0000000000002⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
PID:4504
-
-
C:\Windows\SysWOW64\powercfg.exe"C:\Windows\System32\powercfg.exe" -setactive 00000000-0000-0000-0000-0000000000002⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
PID:3700
-
-
C:\Windows\SysWOW64\powercfg.exe"C:\Windows\System32\powercfg.exe" -changename 00000000-0000-0000-0000-000000000000 "ZION Tweaking"2⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
PID:716
-
-
C:\Windows\SysWOW64\powercfg.exe"C:\Windows\System32\powercfg.exe" -hibernate off2⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
PID:1496
-
-
C:\Windows\SysWOW64\powercfg.exe"C:\Windows\System32\powercfg.exe" -setacvalueindex 00000000-0000-0000-0000-000000000000 54533251-82be-4824-96c1-47b60b740d00 921becee-fb48-4e16-8c5c-9b8997d07bce 02⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
PID:440
-
-
C:\Windows\SysWOW64\powercfg.exe"C:\Windows\System32\powercfg.exe" -setacvalueindex 00000000-0000-0000-0000-000000000000 0cc5b647-c1df-4637-891a-dec35c318583 12bbebe6-58d6-4636-95bb-3217ef867c1a 02⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
PID:1796
-
-
C:\Windows\SysWOW64\powercfg.exe"C:\Windows\System32\powercfg.exe" -setacvalueindex 00000000-0000-0000-0000-000000000000 19cbb8fa-5279-450e-9fac-8a3d5fedd0c1 5d76a2ca-e8c0-402f-a133-2158492d58ad 02⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
PID:680
-
-
C:\Windows\SysWOW64\powercfg.exe"C:\Windows\System32\powercfg.exe" -setacvalueindex 00000000-0000-0000-0000-000000000000 75b0ae3f-bce9-490a-80b1-aef3b9f7b8fe 5d76a2ca-e8c0-402f-a133-2158492d58ad 02⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
PID:4804
-
-
C:\Windows\SysWOW64\powercfg.exe"C:\Windows\System32\powercfg.exe" -setacvalueindex 00000000-0000-0000-0000-000000000000 5ca83367-6e45-459f-a27b-476b1d01c936 8ba3d6a4-fe92-4783-84ef-5650e77f1ef6 02⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
PID:1600
-
-
C:\Windows\SysWOW64\powercfg.exe"C:\Windows\System32\powercfg.exe" -setactive 00000000-0000-0000-0000-0000000000002⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
PID:2292
-
-
C:\Windows\SysWOW64\powercfg.exe"C:\Windows\System32\powercfg.exe" -setacvalueindex scheme_current sub_processor 5d76a2ca-e8c0-402f-a133-2158492d58ad 12⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
PID:3548
-
-
C:\Windows\SysWOW64\powercfg.exe"C:\Windows\System32\powercfg.exe" -setactive scheme_current2⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
PID:1012
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power" /v "CoalescingTimerInterval" /t REG_DWORD /d "0" /f2⤵PID:412
-
C:\Windows\SysWOW64\reg.exereg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power" /v "CoalescingTimerInterval" /t REG_DWORD /d "0" /f3⤵PID:3760
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v "CoalescingTimerInterval" /t REG_DWORD /d "0" /f2⤵PID:2104
-
C:\Windows\SysWOW64\reg.exereg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v "CoalescingTimerInterval" /t REG_DWORD /d "0" /f3⤵PID:3624
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\kernel" /v "CoalescingTimerInterval" /t REG_DWORD /d "0" /f2⤵PID:3452
-
C:\Windows\SysWOW64\reg.exereg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\kernel" /v "CoalescingTimerInterval" /t REG_DWORD /d "0" /f3⤵PID:3268
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Executive" /v "CoalescingTimerInterval" /t REG_DWORD /d "0" /f2⤵PID:3056
-
C:\Windows\SysWOW64\reg.exereg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Executive" /v "CoalescingTimerInterval" /t REG_DWORD /d "0" /f3⤵PID:4188
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager" /v "CoalescingTimerInterval" /t REG_DWORD /d "0" /f2⤵PID:4004
-
C:\Windows\SysWOW64\reg.exereg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager" /v "CoalescingTimerInterval" /t REG_DWORD /d "0" /f3⤵PID:4508
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C reg add "HKLM\SYSTEM\CurrentControlSet\Control\Power\ModernSleep" /v "CoalescingTimerInterval" /t REG_DWORD /d "0" /f2⤵PID:1536
-
C:\Windows\SysWOW64\reg.exereg add "HKLM\SYSTEM\CurrentControlSet\Control\Power\ModernSleep" /v "CoalescingTimerInterval" /t REG_DWORD /d "0" /f3⤵PID:2652
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C reg add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "CoalescingTimerInterval" /t REG_DWORD /d "0" /f2⤵PID:2812
-
C:\Windows\SysWOW64\reg.exereg add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "CoalescingTimerInterval" /t REG_DWORD /d "0" /f3⤵PID:4520
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C reg add "HKLM\SYSTEM\CurrentControlSet\Control" /v "CoalescingTimerInterval" /t REG_DWORD /d "0" /f2⤵PID:4576
-
C:\Windows\SysWOW64\reg.exereg add "HKLM\SYSTEM\CurrentControlSet\Control" /v "CoalescingTimerInterval" /t REG_DWORD /d "0" /f3⤵PID:1600
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C reg add "HKLM\System\CurrentControlSet\Services\vmickvpexchange" /v "Start" /t REG_DWORD /d "4" /f2⤵PID:3640
-
C:\Windows\SysWOW64\reg.exereg add "HKLM\System\CurrentControlSet\Services\vmickvpexchange" /v "Start" /t REG_DWORD /d "4" /f3⤵PID:4460
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C reg add "HKLM\System\CurrentControlSet\Services\vmicguestinterface" /v "Start" /t REG_DWORD /d "4" /f2⤵
- System Location Discovery: System Language Discovery
PID:8 -
C:\Windows\SysWOW64\reg.exereg add "HKLM\System\CurrentControlSet\Services\vmicguestinterface" /v "Start" /t REG_DWORD /d "4" /f3⤵PID:1044
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C reg add "HKLM\System\CurrentControlSet\Services\vmicshutdown" /v "Start" /t REG_DWORD /d "4" /f2⤵
- System Location Discovery: System Language Discovery
PID:1296 -
C:\Windows\SysWOW64\reg.exereg add "HKLM\System\CurrentControlSet\Services\vmicshutdown" /v "Start" /t REG_DWORD /d "4" /f3⤵PID:368
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C reg add "HKLM\System\CurrentControlSet\Services\vmicheartbeat" /v "Start" /t REG_DWORD /d "4" /f2⤵PID:3432
-
C:\Windows\SysWOW64\reg.exereg add "HKLM\System\CurrentControlSet\Services\vmicheartbeat" /v "Start" /t REG_DWORD /d "4" /f3⤵PID:3760
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C reg add "HKLM\System\CurrentControlSet\Services\vmicvmsession" /v "Start" /t REG_DWORD /d "4" /f2⤵PID:1912
-
C:\Windows\SysWOW64\reg.exereg add "HKLM\System\CurrentControlSet\Services\vmicvmsession" /v "Start" /t REG_DWORD /d "4" /f3⤵
- System Location Discovery: System Language Discovery
PID:4000
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C reg add "HKLM\System\CurrentControlSet\Services\vmicrdv" /v "Start" /t REG_DWORD /d "4" /f2⤵PID:4596
-
C:\Windows\SysWOW64\reg.exereg add "HKLM\System\CurrentControlSet\Services\vmicrdv" /v "Start" /t REG_DWORD /d "4" /f3⤵
- System Location Discovery: System Language Discovery
PID:2652
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C reg add "HKLM\System\CurrentControlSet\Services\vmictimesync" /v "Start" /t REG_DWORD /d "4" /f2⤵PID:4204
-
C:\Windows\SysWOW64\reg.exereg add "HKLM\System\CurrentControlSet\Services\vmictimesync" /v "Start" /t REG_DWORD /d "4" /f3⤵PID:728
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C reg add "HKLM\System\CurrentControlSet\Services\vmicvss" /v "Start" /t REG_DWORD /d "4" /f2⤵PID:1012
-
C:\Windows\SysWOW64\reg.exereg add "HKLM\System\CurrentControlSet\Services\vmicvss" /v "Start" /t REG_DWORD /d "4" /f3⤵PID:4504
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C reg add "HKLM\System\CurrentControlSet\Services\hyperkbd" /v "Start" /t REG_DWORD /d "4" /f2⤵PID:4508
-
C:\Windows\SysWOW64\reg.exereg add "HKLM\System\CurrentControlSet\Services\hyperkbd" /v "Start" /t REG_DWORD /d "4" /f3⤵PID:4412
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C reg add "HKLM\System\CurrentControlSet\Services\hypervideo" /v "Start" /t REG_DWORD /d "4" /f2⤵PID:3524
-
C:\Windows\SysWOW64\reg.exereg add "HKLM\System\CurrentControlSet\Services\hypervideo" /v "Start" /t REG_DWORD /d "4" /f3⤵PID:5024
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C reg add "HKLM\System\CurrentControlSet\Services\gencounter" /v "Start" /t REG_DWORD /d "4" /f2⤵PID:728
-
C:\Windows\SysWOW64\reg.exereg add "HKLM\System\CurrentControlSet\Services\gencounter" /v "Start" /t REG_DWORD /d "4" /f3⤵PID:4188
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C reg add "HKLM\System\CurrentControlSet\Services\vmgid" /v "Start" /t REG_DWORD /d "4" /f2⤵PID:4504
-
C:\Windows\SysWOW64\reg.exereg add "HKLM\System\CurrentControlSet\Services\vmgid" /v "Start" /t REG_DWORD /d "4" /f3⤵PID:552
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C reg add "HKLM\System\CurrentControlSet\Services\storflt" /v "Start" /t REG_DWORD /d "4" /f2⤵PID:4812
-
C:\Windows\SysWOW64\reg.exereg add "HKLM\System\CurrentControlSet\Services\storflt" /v "Start" /t REG_DWORD /d "4" /f3⤵PID:2912
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C reg add "HKLM\System\CurrentControlSet\Services\bttflt" /v "Start" /t REG_DWORD /d "4" /f2⤵PID:368
-
C:\Windows\SysWOW64\reg.exereg add "HKLM\System\CurrentControlSet\Services\bttflt" /v "Start" /t REG_DWORD /d "4" /f3⤵PID:2288
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C reg add "HKLM\System\CurrentControlSet\Services\vpci" /v "Start" /t REG_DWORD /d "4" /f2⤵PID:3116
-
C:\Windows\SysWOW64\reg.exereg add "HKLM\System\CurrentControlSet\Services\vpci" /v "Start" /t REG_DWORD /d "4" /f3⤵PID:552
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C reg add "HKLM\System\CurrentControlSet\Services\hvservice" /v "Start" /t REG_DWORD /d "4" /f2⤵PID:2520
-
C:\Windows\SysWOW64\reg.exereg add "HKLM\System\CurrentControlSet\Services\hvservice" /v "Start" /t REG_DWORD /d "4" /f3⤵PID:2016
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C reg add "HKLM\System\CurrentControlSet\Services\hvcrash" /v "Start" /t REG_DWORD /d "4" /f2⤵PID:4788
-
C:\Windows\SysWOW64\reg.exereg add "HKLM\System\CurrentControlSet\Services\hvcrash" /v "Start" /t REG_DWORD /d "4" /f3⤵
- System Location Discovery: System Language Discovery
PID:3664
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C reg add "HKLM\System\CurrentControlSet\Services\HvHost" /v "Start" /t REG_DWORD /d "4" /f2⤵PID:4500
-
C:\Windows\SysWOW64\reg.exereg add "HKLM\System\CurrentControlSet\Services\HvHost" /v "Start" /t REG_DWORD /d "4" /f3⤵PID:2092
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C devmanview /disable "Remote Desktop Device Redirector Bus"2⤵PID:4824
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C fsutil behavior set disable8dot3 1 >NUL 2>&12⤵PID:2676
-
C:\Windows\SysWOW64\fsutil.exefsutil behavior set disable8dot3 13⤵PID:3664
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C fsutil behavior set disablelastaccess 1 >NUL 2>&12⤵PID:4320
-
C:\Windows\SysWOW64\fsutil.exefsutil behavior set disablelastaccess 13⤵PID:1412
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C fsutil behavior query memoryusage >NUL 2>&12⤵PID:3904
-
C:\Windows\SysWOW64\fsutil.exefsutil behavior query memoryusage3⤵PID:2016
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C fsutil behavior set memoryusage 2 >NUL 2>&12⤵
- System Location Discovery: System Language Discovery
PID:1496 -
C:\Windows\SysWOW64\fsutil.exefsutil behavior set memoryusage 23⤵PID:1600
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C fsutil behavior set mftzone 4 >NUL 2>&12⤵PID:3664
-
C:\Windows\SysWOW64\fsutil.exefsutil behavior set mftzone 43⤵PID:3860
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C fsutil behavior set disablelastaccess 1 >NUL 2>&12⤵PID:1932
-
C:\Windows\SysWOW64\fsutil.exefsutil behavior set disablelastaccess 13⤵PID:1664
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C fsutil behavior set disabledeletenotify 0 >NUL 2>&12⤵PID:4860
-
C:\Windows\SysWOW64\fsutil.exefsutil behavior set disabledeletenotify 03⤵PID:2956
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C fsutil behavior set encryptpagingfile 0 >NUL 2>&12⤵PID:3860
-
C:\Windows\SysWOW64\fsutil.exefsutil behavior set encryptpagingfile 03⤵PID:652
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C reg delete "HKCU\Software\Microsoft\Windows\CurrentVersion\StorageSense" /f > NUL 2>&12⤵PID:4984
-
C:\Windows\SysWOW64\reg.exereg delete "HKCU\Software\Microsoft\Windows\CurrentVersion\StorageSense" /f3⤵PID:4536
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C reg add "HKLM\System\CurrentControlSet\Control\Session Manager" /v "ProtectionMode" /t REG_DWORD /d "0" /f >NUL 2>&12⤵
- System Location Discovery: System Language Discovery
PID:1032 -
C:\Windows\SysWOW64\reg.exereg add "HKLM\System\CurrentControlSet\Control\Session Manager" /v "ProtectionMode" /t REG_DWORD /d "0" /f3⤵PID:4520
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager" /v "ProtectionMode" /t REG_DWORD /d "0" /f >NUL 2>&12⤵PID:2392
-
C:\Windows\SysWOW64\reg.exereg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager" /v "ProtectionMode" /t REG_DWORD /d "0" /f3⤵PID:1664
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v MoveImages /t REG_DWORD /d 0 /f >NUL 2>&12⤵PID:1044
-
C:\Windows\SysWOW64\reg.exereg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v MoveImages /t REG_DWORD /d 0 /f3⤵PID:1344
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettings /t REG_DWORD /d 1 /f >NUL 2>&12⤵PID:4520
-
C:\Windows\SysWOW64\reg.exereg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettings /t REG_DWORD /d 1 /f3⤵
- System Location Discovery: System Language Discovery
PID:2016
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverride /t REG_DWORD /d 3 /f >NUL 2>&12⤵PID:4188
-
C:\Windows\SysWOW64\reg.exereg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverride /t REG_DWORD /d 3 /f3⤵PID:1796
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverrideMask /t REG_DWORD /d 3 /f >NUL 2>&12⤵PID:4568
-
C:\Windows\SysWOW64\reg.exereg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverrideMask /t REG_DWORD /d 3 /f3⤵PID:2652
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C echo y | reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v "LargeSystemCache" /t REG_DWORD /d "1"2⤵PID:2092
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y "3⤵PID:4092
-
-
C:\Windows\SysWOW64\reg.exereg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v "LargeSystemCache" /t REG_DWORD /d "1"3⤵
- System Location Discovery: System Language Discovery
PID:3548
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v "DisablePagingExecutive" /t REG_DWORD /d "1" /f >NUL 2>&12⤵PID:652
-
C:\Windows\SysWOW64\reg.exereg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v "DisablePagingExecutive" /t REG_DWORD /d "1" /f3⤵PID:3760
-
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\System\CurrentControlSet\Services\Themes" /v "Start" /t REG_DWORD /d "4" /f >NUL 2>&12⤵PID:4000
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\System\CurrentControlSet\Services\AcpiDev" /v "Start" /t REG_DWORD /d "4" /f >NUL 2>&12⤵PID:540
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\System\CurrentControlSet\Services\CAD" /v "Start" /t REG_DWORD /d "4" /f >NUL 2>&12⤵PID:1344
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\System\CurrentControlSet\Services\CldFlt" /v "Start" /t REG_DWORD /d "4" /f >NUL 2>&12⤵PID:1300
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\System\CurrentControlSet\Services\FileCrypt" /v "Start" /t REG_DWORD /d "4" /f >NUL 2>&12⤵PID:8
-
-
C:\Windows\SysWOW64\reg.exe, tree depth 2. Each command line names "C:\Windows\System32\reg.exe", but the parent is 32-bit, so WOW64 file-system redirection resolves that path to SysWOW64. One process per line (PID, then the command line exactly as logged). Note that the ">NUL 2>&1" tokens are part of the reg.exe command line itself (no cmd.exe sits in between), so reg.exe receives them as extra arguments; the tree does not show whether each write succeeded, which should be confirmed against the registry events. Every line here sets Start=4 (SERVICE_DISABLED) on a driver or service:
  PID 368    "C:\Windows\System32\reg.exe" ADD "HKLM\System\CurrentControlSet\Services\GpuEnergyDrv" /v "Start" /t REG_DWORD /d "4" /f >NUL 2>&1
  PID 728    "C:\Windows\System32\reg.exe" ADD "HKLM\System\CurrentControlSet\Services\PptpMiniport" /v "Start" /t REG_DWORD /d "4" /f >NUL 2>&1
  PID 4204   "C:\Windows\System32\reg.exe" ADD "HKLM\System\CurrentControlSet\Services\RapiMgr" /v "Start" /t REG_DWORD /d "4" /f >NUL 2>&1
  PID 716    "C:\Windows\System32\reg.exe" ADD "HKLM\System\CurrentControlSet\Services\RasAgileVpn" /v "Start" /t REG_DWORD /d "4" /f >NUL 2>&1
  PID 1456   "C:\Windows\System32\reg.exe" ADD "HKLM\System\CurrentControlSet\Services\Rasl2tp" /v "Start" /t REG_DWORD /d "4" /f >NUL 2>&1
  PID 5024   "C:\Windows\System32\reg.exe" ADD "HKLM\System\CurrentControlSet\Services\RasSstp" /v "Start" /t REG_DWORD /d "4" /f >NUL 2>&1
  PID 2392   "C:\Windows\System32\reg.exe" ADD "HKLM\System\CurrentControlSet\Services\Wanarp" /v "Start" /t REG_DWORD /d "4" /f >NUL 2>&1
  PID 2652   "C:\Windows\System32\reg.exe" ADD "HKLM\System\CurrentControlSet\Services\wanarpv6" /v "Start" /t REG_DWORD /d "4" /f >NUL 2>&1
  PID 3056   "C:\Windows\System32\reg.exe" ADD "HKLM\System\CurrentControlSet\Services\Wdnsfltr" /v "Start" /t REG_DWORD /d "4" /f >NUL 2>&1
  PID 4984   "C:\Windows\System32\reg.exe" ADD "HKLM\System\CurrentControlSet\Services\WcesComm" /v "Start" /t REG_DWORD /d "4" /f >NUL 2>&1
  PID 2912   "C:\Windows\System32\reg.exe" ADD "HKLM\System\CurrentControlSet\Services\Wcifs" /v "Start" /t REG_DWORD /d "4" /f >NUL 2>&1
  PID 4520   "C:\Windows\System32\reg.exe" ADD "HKLM\System\CurrentControlSet\Services\Wcnfs" /v "Start" /t REG_DWORD /d "4" /f >NUL 2>&1
  PID 4504   "C:\Windows\System32\reg.exe" ADD "HKLM\System\CurrentControlSet\Services\WindowsTrustedRT" /v "Start" /t REG_DWORD /d "4" /f >NUL 2>&1
  PID 1496   "C:\Windows\System32\reg.exe" ADD "HKLM\System\CurrentControlSet\Services\WindowsTrustedRTProxy" /v "Start" /t REG_DWORD /d "4" /f >NUL 2>&1
C:\Windows\SysWOW64\reg.exe, depth 2, continued. Policy writes that switch off hardware-backed protections: DisableExternalDMAUnderLock=0 clears the BitLocker policy that blocks new DMA devices while the machine is locked; EnableVirtualizationBasedSecurity=0 and HVCIMATRequired=0 clear the Device Guard policy for virtualization-based security and the HVCI memory-attribute-table requirement:
  PID 1296   "C:\Windows\System32\reg.exe" ADD "HKLM\Software\Policies\Microsoft\FVE" /v "DisableExternalDMAUnderLock" /t REG_DWORD /d "0" /f >NUL 2>&1
  PID 4004   "C:\Windows\System32\reg.exe" ADD "HKLM\Software\Policies\Microsoft\Windows\DeviceGuard" /v "EnableVirtualizationBasedSecurity" /t REG_DWORD /d "0" /f >NUL 2>&1
  PID 2016   "C:\Windows\System32\reg.exe" ADD "HKLM\Software\Policies\Microsoft\Windows\DeviceGuard" /v "HVCIMATRequired" /t REG_DWORD /d "0" /f >NUL 2>&1
C:\Windows\SysWOW64\reg.exe, depth 2, continued. ThreadPriority values written under driver Parameters keys (15 for the display, audio bus, HID, USB and network stacks; 0 for AFD, audio, storage, NTFS and TCPIP6). Sandbox signature tags are shown in brackets:
  PID 1012   "C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Services\DXGKrnl\Parameters" /v "ThreadPriority" /t REG_DWORD /d "15" /f >NUL 2>&1
  PID 2676   "C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Services\HDAudBus\Parameters" /v "ThreadPriority" /t REG_DWORD /d "15" /f >NUL 2>&1
  PID 540    "C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Services\HidUsb\Parameters" /v "ThreadPriority" /t REG_DWORD /d "15" /f >NUL 2>&1
  PID 3640   "C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Services\kbdhid\Parameters" /v "ThreadPriority" /t REG_DWORD /d "15" /f >NUL 2>&1
  PID 2140   "C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Services\monitor\Parameters" /v "ThreadPriority" /t REG_DWORD /d "15" /f >NUL 2>&1
  PID 1044   "C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Services\mouhid\Parameters" /v "ThreadPriority" /t REG_DWORD /d "15" /f >NUL 2>&1
  PID 1300   "C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Services\usbccgp\Parameters" /v "ThreadPriority" /t REG_DWORD /d "15" /f >NUL 2>&1
  PID 4788   "C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Services\usbehci\Parameters" /v "ThreadPriority" /t REG_DWORD /d "15" /f >NUL 2>&1
  PID 2868   "C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Services\usbhub\Parameters" /v "ThreadPriority" /t REG_DWORD /d "15" /f >NUL 2>&1
  PID 4324   "C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Services\USBHUB3\Parameters" /v "ThreadPriority" /t REG_DWORD /d "15" /f >NUL 2>&1
  PID 4536   "C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Services\usbohci\Parameters" /v "ThreadPriority" /t REG_DWORD /d "15" /f >NUL 2>&1
  PID 4020   "C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Services\usbuhci\Parameters" /v "ThreadPriority" /t REG_DWORD /d "15" /f >NUL 2>&1
  PID 3624   "C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Services\USBXHCI\Parameters" /v "ThreadPriority" /t REG_DWORD /d "15" /f >NUL 2>&1
  PID 4360   "C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Services\NDIS\Parameters" /v "ThreadPriority" /t REG_DWORD /d "15" /f >NUL 2>&1
  PID 4000   "C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters" /v "ThreadPriority" /t REG_DWORD /d "15" /f >NUL 2>&1
  PID 4320   "C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Services\AFD\Parameters" /v "ThreadPriority" /t REG_DWORD /d "0" /f >NUL 2>&1
  PID 1664   "C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Services\Audiosrv\Parameters" /v "ThreadPriority" /t REG_DWORD /d "0" /f >NUL 2>&1
  PID 3860   "C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Services\disk\Parameters" /v "ThreadPriority" /t REG_DWORD /d "0" /f >NUL 2>&1
  PID 2092   "C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Services\iaStorAC\Parameters" /v "ThreadPriority" /t REG_DWORD /d "0" /f >NUL 2>&1
  PID 3664   "C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Services\iaStorAVC\Parameters" /v "ThreadPriority" /t REG_DWORD /d "0" /f >NUL 2>&1
  PID 1600   "C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Services\Ntfs\Parameters" /v "ThreadPriority" /t REG_DWORD /d "0" /f >NUL 2>&1
  PID 652    "C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Services\storahci\Parameters" /v "ThreadPriority" /t REG_DWORD /d "0" /f >NUL 2>&1
  PID 552    "C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Services\stornvme\Parameters" /v "ThreadPriority" /t REG_DWORD /d "0" /f >NUL 2>&1   [System Location Discovery: System Language Discovery]
  PID 2288   "C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Services\TCPIP6\Parameters" /v "ThreadPriority" /t REG_DWORD /d "0" /f >NUL 2>&1   [System Location Discovery: System Language Discovery]
C:\Windows\SysWOW64\reg.exe, depth 2, continued. Input, accessibility, Explorer, Windows Update, logging and policy settings. The security-relevant writes in this block are AutoShareWks=0 (PID 5336, removes the workstation administrative shares), fAllowToGetHelp=0 (PID 5184, disables Remote Assistance), DEPOff=1 under the Internet Explorer policy key (PID 5148, turns DEP off for Internet Explorer) and authenticodeenabled=0 under safer\codeidentifiers (PID 5364, disables Software Restriction Policy certificate rules). Sandbox signature tags are shown in brackets:
  PID 2572   "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Input\Settings\ControllerProcessor\CursorMagnetism" /v "MagnetismUpdateIntervalInMilliseconds" /t REG_DWORD /d "1" /f >NUL 2>&1
  PID 3024   "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Input\Settings\ControllerProcessor\CursorSpeed" /v "CursorUpdateInterval" /t REG_DWORD /d "1" /f >NUL 2>&1
  PID 3268   "C:\Windows\System32\reg.exe" ADD "HKLM\System\CurrentControlSet\Control\Session Manager" /v "AlpcWakePolicy" /t REG_DWORD /d "1" /f >NUL 2>&1
  PID 1412   "C:\Windows\System32\reg.exe" ADD "HKLM\System\CurrentControlSet\Control\Session Manager\Memory Management" /v "LargeSystemCache" /t REG_DWORD /d "1" /f >NUL 2>&1
  PID 3484   "C:\Windows\System32\reg.exe" ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\AppHost" /v ContentEvaluation /t REG_DWORD /d "0" /f > NUL 2>&1
  PID 5072   "C:\Windows\System32\reg.exe" ADD "HKLM\System\CurrentControlSet\Control\Power\PowerThrottling" /v "PowerThrottlingOff" /t REG_DWORD /d "1" /f >NUL 2>&1
  PID 4508   "C:\Windows\System32\reg.exe" ADD "HKCU\Software\Microsoft\CTF\LangBar" /v "ShowStatus" /t REG_DWORD /d "3" /f >NUL 2>&1
  PID 1344   "C:\Windows\System32\reg.exe" ADD "HKCU\Software\Microsoft\CTF\LangBar" /v "ExtraIconsOnMinimized" /t REG_DWORD /d "0" /f >NUL 2>&1
  PID 1528   "C:\Windows\System32\reg.exe" ADD "HKCU\Software\Microsoft\CTF\LangBar" /v "Transparency" /t REG_DWORD /d "255" /f >NUL 2>&1
  PID 2956   "C:\Windows\System32\reg.exe" ADD "HKCU\Software\Microsoft\CTF\LangBar" /v "Label" /t REG_DWORD /d "0" /f >NUL 2>&1
  PID 1092   "C:\Windows\System32\reg.exe" ADD "HKU\.DEFAULT\Control Panel\Accessibility\HighContrast" /v "Flags" /t REG_SZ /d "0" /f >NUL 2>&1
  PID 4412   "C:\Windows\System32\reg.exe" ADD "HKU\.DEFAULT\Control Panel\Accessibility\Keyboard Response" /v "Flags" /t REG_SZ /d "0" /f >NUL 2>&1
  PID 4576   "C:\Windows\System32\reg.exe" ADD "HKU\.DEFAULT\Control Panel\Accessibility\MouseKeys" /v "Flags" /t REG_SZ /d "0" /f >NUL 2>&1
  PID 412    "C:\Windows\System32\reg.exe" ADD "HKU\.DEFAULT\Control Panel\Accessibility\SoundSentry" /v "Flags" /t REG_SZ /d "0" /f >NUL 2>&1
  PID 8      "C:\Windows\System32\reg.exe" ADD "HKU\.DEFAULT\Control Panel\Accessibility\StickyKeys" /v "Flags" /t REG_SZ /d "0" /f >NUL 2>&1
  PID 1796   "C:\Windows\System32\reg.exe" ADD "HKU\.DEFAULT\Control Panel\Accessibility\TimeOut" /v "Flags" /t REG_SZ /d "0" /f >NUL 2>&1
  PID 3760   "C:\Windows\System32\reg.exe" ADD "HKU\.DEFAULT\Control Panel\Accessibility\ToggleKeys" /v "Flags" /t REG_SZ /d "0" /f >NUL 2>&1
  PID 972    "C:\Windows\System32\reg.exe" ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "NavPaneShowAllFolders" /t REG_DWORD /d "1" /f >NUL 2>&1
  PID 232    "C:\Windows\System32\reg.exe" ADD "HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell" /v "FolderType" /t REG_SZ /d "NotSpecified" /f >NUL 2>&1
  PID 3452   "C:\Windows\System32\reg.exe" DELETE "HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags" /f >NUL 2>&1
  PID 3432   "C:\Windows\System32\reg.exe" ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer" /v "link" /t REG_BINARY /d "00000000" /f >NUL 2>&1
  PID 5152   "C:\Windows\System32\reg.exe" ADD "HKCU\Control Panel\Accessibility\MouseKeys" /v "Flags" /t REG_SZ /d "186" /f >NUL 2>&1
  PID 5200   "C:\Windows\System32\reg.exe" ADD "HKCU\Control Panel\Accessibility\MouseKeys" /v "MaximumSpeed" /t REG_SZ /d "40" /f >NUL 2>&1
  PID 5248   "C:\Windows\System32\reg.exe" ADD "HKCU\Control Panel\Accessibility\MouseKeys" /v "TimeToMaximumSpeed" /t REG_SZ /d "3000" /f >NUL 2>&1
  PID 5304   "C:\Windows\System32\reg.exe" ADD "HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate\AU" /v "AUOptions" /t REG_DWORD /d "2" /f >NUL 2>&1
  PID 5336   "C:\Windows\System32\reg.exe" ADD "HKLM\System\CurrentControlSet\Services\LanmanServer\Parameters" /v "AutoShareWks" /t REG_DWORD /d "0" /f >NUL 2>&1   [System Location Discovery: System Language Discovery]
  PID 5372   "C:\Windows\System32\reg.exe" ADD "HKCU\Keyboard Layout\Toggle" /v "Language Hotkey" /t REG_SZ /d "3" /f >NUL 2>&1
  PID 5440   "C:\Windows\System32\reg.exe" ADD "HKCU\Keyboard Layout\Toggle" /v "Hotkey" /t REG_SZ /d "3" /f >NUL 2>&1
  PID 5504   "C:\Windows\System32\reg.exe" ADD "HKCU\Keyboard Layout\Toggle" /v "Layout Hotkey" /t REG_SZ /d "3" /f >NUL 2>&1
  PID 5552   "C:\Windows\System32\reg.exe" ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "Start_TrackProgs" /t REG_DWORD /d "0" /f >NUL 2>&1
  PID 5600   "C:\Windows\System32\reg.exe" ADD "HKCU\AppEvents\Schemes" /f >NUL 2>&1   [System Location Discovery: System Language Discovery]
  PID 5648   "C:\Windows\System32\reg.exe" ADD "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DelayedDesktopSwitchTimeout" /t REG_DWORD /d "0" /f >NUL 2>&1
  PID 5696   "C:\Windows\System32\reg.exe" ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "HideSCANetwork" /t REG_DWORD /d "1" /f >NUL 2>&1
  PID 5744   "C:\Windows\System32\reg.exe" DELETE "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "HideSCANetwork" /f >NUL 2>&1
  PID 5792   "C:\Windows\System32\reg.exe" ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "Start_LargeMFUIcons" /t REG_DWORD /d "0" /f >NUL 2>&1
  PID 5840   "C:\Windows\System32\reg.exe" ADD "HKLM\Software\Microsoft\Windows\CurrentVersion\Authentication\LogonUI\Background" /v "OEMBackground" /t REG_DWORD /d "1" /f >NUL 2>&1
  PID 5888   "C:\Windows\System32\reg.exe" ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\VisualEffects" /v "VisualFXSetting" /t REG_DWORD /d "2" /f >NUL 2>&1
  PID 5936   "C:\Windows\System32\reg.exe" ADD "HKLM\Software\Policies\Microsoft\Windows\Gwx" /v "DisableGwx" /t REG_DWORD /d "1" /f >NUL 2>&1
  PID 5984   "C:\Windows\System32\reg.exe" ADD "HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate" /v "DisableOSUpgrade" /t REG_DWORD /d "1" /f >NUL 2>&1
  PID 6024   "C:\Windows\System32\reg.exe" ADD "HKLM\Software\Microsoft\Windows NT\CurrentVersion\WUDF" /v "LogEnable" /t REG_DWORD /d "0" /f >NUL 2>&1   [System Location Discovery: System Language Discovery]
  PID 6064   "C:\Windows\System32\reg.exe" ADD "HKLM\Software\Microsoft\Windows NT\CurrentVersion\WUDF" /v "LogLevel" /t REG_DWORD /d "0" /f >NUL 2>&1
  PID 6116   "C:\Windows\System32\reg.exe" ADD "HKLM\Software\Policies\Microsoft\Peernet" /v "Disabled" /t REG_DWORD /d "0" /f >NUL 2>&1
  PID 5148   "C:\Windows\System32\reg.exe" ADD "HKLM\Software\Policies\Microsoft\Internet Explorer\Main" /v "DEPOff" /t REG_DWORD /d "1" /f >NUL 2>&1
  PID 5184   "C:\Windows\System32\reg.exe" ADD "HKLM\System\CurrentControlSet\Control\Remote Assistance" /v "fAllowToGetHelp" /t REG_DWORD /d "0" /f >NUL 2>&1
  PID 4500   "C:\Windows\System32\reg.exe" ADD "HKLM\Software\Microsoft\Windows\CurrentVersion\ImmersiveShell" /v "UseActionCenterExperience" /t REG_DWORD /d "0" /f > NUL 2>&1
  PID 5280   "C:\Windows\System32\reg.exe" ADD "HKLM\Software\Policies\Microsoft\Windows\AdvertisingInfo" /v "DisabledByGroupPolicy" /t REG_DWORD /d "1" /f > NUL 2>&1
  PID 5272   "C:\Windows\System32\reg.exe" ADD "HKLM\Software\Policies\Microsoft\Windows\EnhancedStorageDevices" /v "TCGSecurityActivationDisabled" /t REG_DWORD /d "0" /f > NUL 2>&1
  PID 5308   "C:\Windows\System32\reg.exe" ADD "HKLM\Software\Policies\Microsoft\Windows\OneDrive" /v "DisableFileSyncNGSC" /t REG_DWORD /d "1" /f > NUL 2>&1   [System Location Discovery: System Language Discovery]
  PID 5364   "C:\Windows\System32\reg.exe" ADD "HKLM\Software\Policies\Microsoft\Windows\safer\codeidentifiers" /v "authenticodeenabled" /t REG_DWORD /d "0" /f > NUL 2>&1
  PID 5356   "C:\Windows\System32\reg.exe" ADD "HKLM\Software\Policies\Microsoft\Windows\Windows Search" /v "AllowIndexingEncryptedStoresOrItems" /t REG_DWORD /d "0" /f > NUL 2>&1
  PID 5392   "C:\Windows\System32\reg.exe" ADD "HKLM\System\CurrentControlSet\Control\WMI\AutoLogger\AutoLogger-Diagtrack-Listener" /v "Start" /t REG_DWORD /d "0" /f > NUL 2>&1
  PID 5496   "C:\Windows\System32\reg.exe" ADD "HKLM\System\CurrentControlSet\Control\WMI\AutoLogger\SQMLogger" /v "Start" /t REG_DWORD /d "0" /f > NUL 2>&1
-
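Added example (not part of the sandbox report and not the sample's own code): a small Python parser for the flattened process-tree lines exactly as they appear on this page, followed by a rule set that flags the registry writes above which lower a security control. The sample input is six lines copied verbatim from the tree, covering the one-line form, the form where the PID and a signature tag spill onto following lines, and the "PID:nnnn -" variant; the rule labels and the choice of which values count as regressions are the editor's, not the sandbox's.

```python
"""Parse the flattened process-tree lines of this report and flag registry
writes that lower the security baseline.  Added example, not part of the
sandbox report; the sample lines below are copied from the tree above."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# A tree line is "<image path><command line><depth>⤵PID:<pid>".  When the PID
# is absent, it and any signature tags ("- ...") follow on the next lines.
ENTRY_RE = re.compile(
    r'^(?P<image>[A-Za-z]:\\[^"]*?\.exe)'   # image path ends at the first ".exe"
    r'(?P<cmd>.*?)'                         # command line exactly as logged
    r'(?P<depth>\d)⤵'                       # depth digit fused to the arrow glyph
    r'(?:PID:(?P<pid>\d+))?\s*-?\s*$'       # inline PID, optional trailing "-"
)

@dataclass
class ProcEntry:
    image: str
    cmdline: str
    depth: int
    pid: Optional[int]
    tags: List[str] = field(default_factory=list)

def parse_tree(text: str) -> List[ProcEntry]:
    entries: List[ProcEntry] = []
    current: Optional[ProcEntry] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "-":                 # tree-widget residue
            continue
        m = ENTRY_RE.match(line)
        if m:
            current = ProcEntry(m["image"], m["cmd"].strip(), int(m["depth"]),
                                int(m["pid"]) if m["pid"] else None)
            entries.append(current)
        elif current is not None and line.startswith("- "):
            current.tags.append(line[2:].strip())    # sandbox signature tag
        elif current is not None and line.startswith("PID:"):
            current.pid = int(line[4:].split()[0])   # handles "PID:5976 -"
    return entries

# Command-line patterns for writes that weaken a security control, with the
# data value as written in this report.  Only reg.exe entries are matched, so
# a cmd.exe parent that merely carries the same text is not counted twice.
REGRESSION_RULES = [
    (r'/v "?EnableVirtualizationBasedSecurity"? .*?/d "?0\b', "VBS disabled by DeviceGuard policy"),
    (r'/v "?HVCIMATRequired"? .*?/d "?0\b', "HVCI MAT requirement cleared"),
    (r'/v "?DisableExternalDMAUnderLock"? .*?/d "?0\b', "BitLocker DMA-under-lock protection disabled"),
    (r'Internet Explorer\\Main".*?/v "?DEPOff"? .*?/d "?1\b', "DEP turned off for Internet Explorer"),
    (r'safer\\codeidentifiers".*?/v "?authenticodeenabled"? .*?/d "?0\b', "SRP Authenticode rules disabled"),
    (r'Session Manager".*?/v "?ProtectionMode"? .*?/d "?0\b', "Strengthened system-object DACLs disabled"),
    (r'/v "?EnableLUA"? .*?/d "?0\b', "UAC disabled"),
]
COMPILED_RULES = [(re.compile(p, re.I), label) for p, label in REGRESSION_RULES]

def flag_regressions(entries: List[ProcEntry]):
    """Return (pid, label) for every reg.exe entry that matches a rule."""
    hits = []
    for e in entries:
        if not e.image.lower().endswith("\\reg.exe"):
            continue
        for rx, label in COMPILED_RULES:
            if rx.search(e.cmdline):
                hits.append((e.pid, label))
    return hits

# Constructed input: six lines copied verbatim from the tree above.
SAMPLE = r"""
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\Software\Policies\Microsoft\Windows\DeviceGuard" /v "EnableVirtualizationBasedSecurity" /t REG_DWORD /d "0" /f >NUL 2>&12⤵PID:4004
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Services\stornvme\Parameters" /v "ThreadPriority" /t REG_DWORD /d "0" /f >NUL 2>&12⤵
- System Location Discovery: System Language Discovery
PID:552
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\Software\Policies\Microsoft\Internet Explorer\Main" /v "DEPOff" /t REG_DWORD /d "1" /f >NUL 2>&12⤵PID:5148
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager" /v "ProtectionMode" /t REG_DWORD /d "0" /f >NUL 2>&12⤵
- System Location Discovery: System Language Discovery
PID:5976 -
C:\Windows\SysWOW64\reg.exereg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager" /v "ProtectionMode" /t REG_DWORD /d "0" /f3⤵PID:5404
C:\Windows\system32\bcdedit.exebcdedit.exe /set hypervisorlaunchtype off3⤵
- Modifies boot configuration data using bcdedit
PID:5144
"""

if __name__ == "__main__":
    for pid, label in flag_regressions(parse_tree(SAMPLE)):
        print(f"PID {pid}: {label}")
```

The image path is cut at the first ".exe" because the sandbox fuses it directly to the command line; the depth is the single digit fused to the arrow glyph. Matching on the reg.exe child rather than on its cmd.exe parent keeps each write to one finding, which matters later in this tree where every reg add appears twice (once in the cmd.exe /C line and once in the child).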
C:\Windows\system32\cmd.exe, depth 2, launched through the Sysnative alias, which bypasses WOW64 redirection so that the 64-bit cmd.exe and bcdedit.exe run despite the 32-bit parent. Each cmd.exe command line is "C:\Windows\Sysnative\cmd.exe" /c followed by the bcdedit command shown; each spawns one C:\Windows\system32\bcdedit.exe at depth 3 with that command, and every bcdedit.exe child carries the signature "Modifies boot configuration data using bcdedit". Security-relevant: disableelamdrivers Yes (PID 4092) skips Early Launch Anti-Malware drivers; hypervisorlaunchtype off (PID 5144) stops the hypervisor, and with it VBS/HVCI and Credential Guard, from starting; integrityservices disable (PID 5424) requests that kernel code-integrity services be turned off; tpmbootentropy ForceDisable (PID 5484) stops TPM entropy from being mixed into the kernel RNG at boot. custom:16000067/68/69 are undocumented BCD elements; their effect is not shown by this report.
  cmd.exe PID 5580 → bcdedit.exe PID 5780   bcdedit.exe /deletevalue useplatformclock
  cmd.exe PID 5564 → bcdedit.exe PID 5864   bcdedit.exe /set useplatformtick yes
  cmd.exe PID 5656 → bcdedit.exe PID 5952   bcdedit.exe /set disabledynamictick yes
  cmd.exe PID 5660 → bcdedit.exe PID 6108   bcdedit.exe /set tscsyncpolicy Enhanced
  cmd.exe PID 5748 → bcdedit.exe PID 6036   bcdedit.exe /set bootdebug No
  cmd.exe PID 5820 → bcdedit.exe PID 6132   bcdedit.exe /set bootlog No
  cmd.exe PID 5852 → bcdedit.exe PID 5140   bcdedit.exe /set bootux disabled
  cmd.exe PID 5932 → bcdedit.exe PID 5160   bcdedit.exe /set debug No
  cmd.exe PID 5908 → bcdedit.exe PID 4092   bcdedit.exe /set disableelamdrivers Yes
  cmd.exe PID 6004 → bcdedit.exe PID 5144   bcdedit.exe /set hypervisorlaunchtype off
  cmd.exe PID 5168 → bcdedit.exe PID 5424   bcdedit.exe /set integrityservices disable
  cmd.exe PID 4460 → bcdedit.exe PID 5288   bcdedit.exe /set quietboot yes
  cmd.exe PID 5124 → bcdedit.exe PID 5484   bcdedit.exe /set tpmbootentropy ForceDisable
  cmd.exe PID 5344 → bcdedit.exe PID 5540   bcdedit.exe /timeout 3
  cmd.exe PID 5436 → bcdedit.exe PID 5384   bcdedit.exe /set {globalsettings} custom:16000067 true
  cmd.exe PID 5236 → bcdedit.exe PID 5476   bcdedit.exe /set {globalsettings} custom:16000069 true
  cmd.exe PID 5468 → bcdedit.exe PID 5556   bcdedit.exe /set {globalsettings} custom:16000068 true
-
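Added example, not the sandbox's or the sample's code: classify each bcdedit.exe command line above by its effect on boot-time security and produce the command that restores the default. Element meanings follow the bcdedit /set documentation; the revert commands are the editor's suggestions, and the custom:160000xx elements are deliberately reported as "review" rather than given a meaning, because the report does not show what they do. The input list is constructed from the depth-3 command lines above.

```python
"""Triage bcdedit invocations recovered from a process tree.  Added example,
not part of the sandbox report; element semantics from the bcdedit /set
documentation, revert commands are suggestions."""
from typing import Dict, List, Optional

# (element, value) pairs that weaken boot-time security -> (reason, revert).
REGRESSIONS = {
    ("hypervisorlaunchtype", "off"): (
        "hypervisor not launched at boot, so VBS/HVCI and Credential Guard cannot start",
        "bcdedit /set hypervisorlaunchtype auto"),
    ("disableelamdrivers", "yes"): (
        "Early Launch Anti-Malware drivers are skipped",
        "bcdedit /deletevalue disableelamdrivers"),
    ("integrityservices", "disable"): (
        "kernel code-integrity services requested off",
        "bcdedit /set integrityservices enable"),
    ("tpmbootentropy", "forcedisable"): (
        "TPM entropy no longer mixed into the kernel RNG at boot",
        "bcdedit /deletevalue tpmbootentropy"),
}

def parse_bcdedit(cmdline: str) -> Optional[Dict[str, Optional[str]]]:
    """Split 'bcdedit[.exe] /verb [{id}] element [value]' into its parts."""
    toks = cmdline.split()
    if len(toks) < 2 or toks[0].lower() not in ("bcdedit", "bcdedit.exe"):
        return None
    verb = toks[1].lower().lstrip("/")
    rest = toks[2:]
    ident = "{current}"                      # bcdedit's default when no {id} is given
    if rest and rest[0].startswith("{"):
        ident, rest = rest[0], rest[1:]
    if verb == "set" and len(rest) >= 2:
        return {"verb": verb, "id": ident, "element": rest[0].lower(),
                "value": " ".join(rest[1:]).lower()}
    if verb == "deletevalue" and rest:
        return {"verb": verb, "id": ident, "element": rest[0].lower(), "value": None}
    if verb == "timeout" and rest:           # /timeout acts on {bootmgr}
        return {"verb": verb, "id": "{bootmgr}", "element": "timeout", "value": rest[0]}
    return {"verb": verb, "id": ident, "element": None, "value": None}

def assess(parsed):
    """Return (verdict, reason, revert) for one parsed command."""
    if parsed is None or parsed["element"] is None:
        return ("unparsed", None, None)
    key = (parsed["element"], parsed["value"])
    if key in REGRESSIONS:
        reason, revert = REGRESSIONS[key]
        return ("regression", reason, revert)
    if parsed["element"].startswith("custom:"):
        # Undocumented numeric element: do not guess its meaning, remove and re-check.
        return ("review", "undocumented custom BCD element",
                f"bcdedit /deletevalue {parsed['id']} {parsed['element']}")
    return ("neutral", None, None)

def triage(cmdlines: List[str]):
    out = []
    for c in cmdlines:
        verdict, reason, revert = assess(parse_bcdedit(c))
        out.append({"cmdline": c, "verdict": verdict, "reason": reason, "revert": revert})
    return out

# Constructed input: bcdedit.exe command lines recorded at depth 3 above.
SAMPLE_CMDS = [
    "bcdedit.exe /set hypervisorlaunchtype off",
    "bcdedit.exe /set disableelamdrivers Yes",
    "bcdedit.exe /set integrityservices disable",
    "bcdedit.exe /set tpmbootentropy ForceDisable",
    "bcdedit.exe /set bootdebug No",
    "bcdedit.exe /deletevalue useplatformclock",
    "bcdedit.exe /timeout 3",
    "bcdedit.exe /set {globalsettings} custom:16000067 true",
    "bcdedit.exe /set {globalsettings} custom:16000069 true",
    "bcdedit.exe /set {globalsettings} custom:16000068 true",
]

if __name__ == "__main__":
    for row in triage(SAMPLE_CMDS):
        if row["verdict"] != "neutral":
            print(f'{row["verdict"]:10} {row["cmdline"]}\n    {row["reason"]}\n    revert: {row["revert"]}')
```

Timer tweaks (useplatformclock, useplatformtick, disabledynamictick, tscsyncpolicy), boot cosmetics and the debug-off settings come out as neutral; only the four elements that remove a boot-time control are flagged, and the undocumented custom elements are left for a human.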
C:\Windows\SysWOW64\cmd.exe, depth 2 (the cmd.exe command line is shown first, its depth-3 child indented below it). Security-relevant: ProtectionMode=0 is written twice (PIDs 5164 and 5404); this is the "System objects: Strengthen default permissions of internal system objects" setting, so 0 weakens the default DACLs on shared system objects. MoveImages=0 disables boot-time relocation of kernel images. FeatureSettingsOverride=3 with FeatureSettingsOverrideMask=3 are the values Microsoft documents for disabling the Spectre v2 and Meltdown mitigations. hypervisorlaunchtype off is repeated here (PID 5520) via the Sysnative alias. Sandbox signature tags are shown in brackets:
  PID 1300   "C:\Windows\System32\cmd.exe" /C fsutil behavior set disable8dot3 1 >NUL 2>&1
    └ C:\Windows\SysWOW64\fsutil.exe  PID 540    fsutil behavior set disable8dot3 1
  PID 5280   "C:\Windows\System32\cmd.exe" /C fsutil behavior set disablelastaccess 1 >NUL 2>&1   [System Location Discovery: System Language Discovery]
    └ C:\Windows\SysWOW64\fsutil.exe  PID 5504   fsutil behavior set disablelastaccess 1
  PID 552    "C:\Windows\System32\cmd.exe" /C fsutil behavior query memoryusage >NUL 2>&1
    └ C:\Windows\SysWOW64\fsutil.exe  PID 5840   fsutil behavior query memoryusage
  PID 5372   "C:\Windows\System32\cmd.exe" /C fsutil behavior set memoryusage 2 >NUL 2>&1
    └ C:\Windows\SysWOW64\fsutil.exe  PID 4000   fsutil behavior set memoryusage 2
  PID 4204   "C:\Windows\System32\cmd.exe" /C fsutil behavior set mftzone 4 >NUL 2>&1
    └ C:\Windows\SysWOW64\fsutil.exe  PID 5200   fsutil behavior set mftzone 4
  PID 2392   "C:\Windows\System32\cmd.exe" /C fsutil behavior set disablelastaccess 1 >NUL 2>&1
    └ C:\Windows\SysWOW64\fsutil.exe  PID 5700   fsutil behavior set disablelastaccess 1
  PID 5924   "C:\Windows\System32\cmd.exe" /C fsutil behavior set disabledeletenotify 0 >NUL 2>&1
    └ C:\Windows\SysWOW64\fsutil.exe  PID 5604   fsutil behavior set disabledeletenotify 0
  PID 5668   "C:\Windows\System32\cmd.exe" /C fsutil behavior set encryptpagingfile 0 >NUL 2>&1
    └ C:\Windows\SysWOW64\fsutil.exe  PID 5848   fsutil behavior set encryptpagingfile 0
  PID 5824   "C:\Windows\System32\cmd.exe" /C reg delete "HKCU\Software\Microsoft\Windows\CurrentVersion\StorageSense" /f > NUL 2>&1
    └ C:\Windows\SysWOW64\reg.exe  PID 6132   reg delete "HKCU\Software\Microsoft\Windows\CurrentVersion\StorageSense" /f   [System Location Discovery: System Language Discovery]
  PID 6020   "C:\Windows\System32\cmd.exe" /C reg add "HKLM\System\CurrentControlSet\Control\Session Manager" /v "ProtectionMode" /t REG_DWORD /d "0" /f >NUL 2>&1
    └ C:\Windows\SysWOW64\reg.exe  PID 5164   reg add "HKLM\System\CurrentControlSet\Control\Session Manager" /v "ProtectionMode" /t REG_DWORD /d "0" /f   [System Location Discovery: System Language Discovery]
  PID 5976   "C:\Windows\System32\cmd.exe" /C reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager" /v "ProtectionMode" /t REG_DWORD /d "0" /f >NUL 2>&1   [System Location Discovery: System Language Discovery]
    └ C:\Windows\SysWOW64\reg.exe  PID 5404   reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager" /v "ProtectionMode" /t REG_DWORD /d "0" /f
  PID 5196   "C:\Windows\System32\cmd.exe" /C reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v MoveImages /t REG_DWORD /d 0 /f >NUL 2>&1
    └ C:\Windows\SysWOW64\reg.exe  PID 6104   reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v MoveImages /t REG_DWORD /d 0 /f
  PID 6112   "C:\Windows\System32\cmd.exe" /C reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettings /t REG_DWORD /d 1 /f >NUL 2>&1
    └ C:\Windows\SysWOW64\reg.exe  PID 5916   reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettings /t REG_DWORD /d 1 /f
  PID 5244   "C:\Windows\System32\cmd.exe" /C reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverride /t REG_DWORD /d 3 /f >NUL 2>&1   [System Location Discovery: System Language Discovery]
    └ C:\Windows\SysWOW64\reg.exe  PID 5284   reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverride /t REG_DWORD /d 3 /f
  PID 5432   "C:\Windows\System32\cmd.exe" /C reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverrideMask /t REG_DWORD /d 3 /f >NUL 2>&1
    └ C:\Windows\SysWOW64\reg.exe  PID 5396   reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverrideMask /t REG_DWORD /d 3 /f   [System Location Discovery: System Language Discovery]
  PID 3548   "C:\Windows\System32\cmd.exe" /C echo y | reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v "LargeSystemCache" /t REG_DWORD /d "1"   [System Location Discovery: System Language Discovery]  (no /f, so "echo y" is piped in to answer the overwrite prompt)
    └ C:\Windows\SysWOW64\cmd.exe  PID 5452   C:\Windows\system32\cmd.exe /S /D /c" echo y "
    └ C:\Windows\SysWOW64\reg.exe  PID 5516   reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v "LargeSystemCache" /t REG_DWORD /d "1"
  PID 5316   "C:\Windows\System32\cmd.exe" /C reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v "DisablePagingExecutive" /t REG_DWORD /d "1" /f >NUL 2>&1
    └ C:\Windows\SysWOW64\reg.exe  PID 5488   reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v "DisablePagingExecutive" /t REG_DWORD /d "1" /f
C:\Windows\system32\cmd.exe, depth 2 (Sysnative alias, 64-bit):
  PID 5420   "C:\Windows\Sysnative\cmd.exe" /c bcdedit.exe /set hypervisorlaunchtype off
    └ C:\Windows\system32\bcdedit.exe  PID 5520   bcdedit.exe /set hypervisorlaunchtype off   [Modifies boot configuration data using bcdedit]
-
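Added example, not part of the sandbox report: decode the Session Manager\Memory Management writes recorded above into the mitigations they switch off, and produce the registry commands that restore the defaults. The FeatureSettingsOverride bit meanings follow Microsoft's KB4072698/KB4073119 guidance (bit 0 disables the Spectre v2 mitigation, bit 1 the Meltdown kernel-VA-shadow mitigation, each only where the same bit is set in FeatureSettingsOverrideMask); the MoveImages=0 reading is the documented "never relocate kernel images" setting. The input list is constructed from the reg.exe child command lines above, and the remediation commands are the editor's suggestions.

```python
"""Decode Session Manager\\Memory Management writes from the tree above.  Added
example, not part of the sandbox report.  Bit meanings follow KB4072698/
KB4073119; the sample command lines are copied from the reg.exe children."""
import re
from typing import List, Optional, Tuple

MM_KEY = r"HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management"

# Bits of FeatureSettingsOverride that DISABLE a mitigation when set, but only
# where the same bit is also set in FeatureSettingsOverrideMask.  Other bits
# exist (SSBD/MDS controls, for example) and are reported only as raw bits.
OVERRIDE_BITS = {
    1: "CVE-2017-5715 (Spectre v2, branch target injection)",
    2: "CVE-2017-5754 (Meltdown, kernel VA shadow)",
}

# reg add "<key>" /v <name> /t <type> /d <data>, with or without quotes.
REG_ADD_RE = re.compile(
    r'reg(?:\.exe)?\s+add\s+"?(?P<key>[^"]+?)"?\s+/v\s+"?(?P<name>[^"\s]+)"?'
    r'\s+/t\s+(?P<type>\S+)\s+/d\s+"?(?P<data>[^"\s]+)"?', re.I)

def parse_reg_add(cmdline: str) -> Optional[Tuple[str, str, int]]:
    """Return (key, value name, DWORD data) for a reg add REG_DWORD command."""
    m = REG_ADD_RE.search(cmdline)
    if not m or m["type"].upper() != "REG_DWORD":
        return None
    d = m["data"]
    value = int(d, 16) if d.lower().startswith("0x") else int(d)   # reg accepts both
    return (m["key"], m["name"], value)

def decode_override(override: int, mask: int):
    """Return (mitigations disabled, effective bits this decoder does not know)."""
    effective = override & mask                   # the mask gates every bit
    disabled = [name for bit, name in OVERRIDE_BITS.items() if effective & bit]
    return disabled, effective & ~sum(OVERRIDE_BITS)

def assess_memory_management(cmdlines: List[str]):
    values = {}
    for c in cmdlines:
        parsed = parse_reg_add(c)
        if parsed and parsed[0].lower().endswith(r"\memory management"):
            values[parsed[1].lower()] = parsed[2]         # last write wins
    disabled, unknown = decode_override(values.get("featuresettingsoverride", 0),
                                        values.get("featuresettingsoverridemask", 0))
    relocation_off = values.get("moveimages") == 0        # 0 = never relocate
    fixes = []
    if disabled or unknown:
        fixes.append(f'reg add "{MM_KEY}" /v FeatureSettingsOverride /t REG_DWORD /d 0 /f')
        fixes.append(f'reg add "{MM_KEY}" /v FeatureSettingsOverrideMask /t REG_DWORD /d 3 /f')
    if relocation_off:
        fixes.append(f'reg delete "{MM_KEY}" /v MoveImages /f')
    return {"mitigations_disabled": disabled, "unknown_override_bits": unknown,
            "kernel_image_relocation_disabled": relocation_off,
            "remediation": fixes}                          # all take effect after a reboot

# Constructed input: reg.exe command lines copied from the tree above.  The
# first one targets the parent Session Manager key and must be ignored here.
MM_SAMPLE = [
    r'reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager" /v "ProtectionMode" /t REG_DWORD /d "0" /f',
    r'reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v MoveImages /t REG_DWORD /d 0 /f',
    r'reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettings /t REG_DWORD /d 1 /f',
    r'reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverride /t REG_DWORD /d 3 /f',
    r'reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverrideMask /t REG_DWORD /d 3 /f',
    r'reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v "LargeSystemCache" /t REG_DWORD /d "1"',
    r'reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v "DisablePagingExecutive" /t REG_DWORD /d "1" /f',
]

if __name__ == "__main__":
    report = assess_memory_management(MM_SAMPLE)
    for name in report["mitigations_disabled"]:
        print("mitigation disabled:", name)
    for cmd in report["remediation"]:
        print("revert:", cmd)
```

The mask is applied before decoding because Windows only honours override bits that are also set in FeatureSettingsOverrideMask; a script that writes Override=3 without the mask changes nothing, and one that writes the mask but Override=0 (the values Microsoft gives for re-enabling both mitigations) is what the remediation emits.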
C:\Windows\SysWOW64\cmd.exe, depth 2, PID 5508. The command line as logged, with the line breaks of the original batch block restored for readability. Note the doubled %%a: that is the batch-file form of a FOR variable and is not accepted on a cmd.exe /C command line (cmd reports "%%a was unexpected at this time"), so unless the sandbox normalised the text this loop most likely never ran; no child processes are recorded under it:
  "C:\Windows\System32\cmd.exe" /C FOR /F %%a in ('WMIC PATH Win32_USBHub GET DeviceID^| FINDSTR /L "VID_"') DO (
      REG ADD "HKLM\SYSTEM\CurrentControlSet\Enum\%%a\Device Parameters" /F /V "EnhancedPowerManagementEnabled" /T REG_DWORD /d 0 >NUL 2>&1
      REG ADD "HKLM\SYSTEM\CurrentControlSet\Enum\%%a\Device Parameters" /F /V "AllowIdleIrpInD3" /T REG_DWORD /d 0 >NUL 2>&1
      REG ADD "HKLM\SYSTEM\CurrentControlSet\Enum\%%a\Device Parameters" /F /V "fid_D1Latency" /T REG_DWORD /d 0 >NUL 2>&1
      REG ADD "HKLM\SYSTEM\CurrentControlSet\Enum\%%a\Device Parameters" /F /V "fid_D2Latency" /T REG_DWORD /d 0 >NUL 2>&1
      REG ADD "HKLM\SYSTEM\CurrentControlSet\Enum\%%a\Device Parameters" /F /V "fid_D3Latency" /T REG_DWORD /d 0 >NUL 2>&1
      REG ADD "HKLM\SYSTEM\CurrentControlSet\Enum\%%a\Device Parameters" /F /V "DeviceSelectiveSuspended" /T REG_DWORD /d 0 >NUL 2>&1
      REG ADD "HKLM\SYSTEM\CurrentControlSet\Enum\%%a\Device Parameters" /F /V "SelectiveSuspendEnabled" /T REG_DWORD /d 0 >NUL 2>&1
      ECHO Disabling USB idling for %%a
  )
C:\Windows\SysWOW64\cmd.exe, depth 2, PID 3056. Same batch-file form (%%a, %%z, and !STR! delayed expansion); no child processes are recorded under it either:
  "C:\Windows\System32\cmd.exe" /C FOR /F "tokens=*" %%a in ('REG QUERY "HKLM\SYSTEM\CurrentControlSet\Enum" /S /F "StorPort"^| FINDSTR /E "StorPort"') DO (
      REG ADD "%%a" /F /V "EnableIdlePowerManagement" /T REG_DWORD /d 0 >NUL 2>&1
      FOR /F "tokens=*" %%z IN ("%%a") DO (
          SET STR=%%z
          SET STR=!STR:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\=!
          SET STR=!STR:\Device Parameters\StorPort=!
          ECHO Disabling StorPort Idling for !STR!
      )
  )
C:\Windows\system32\cmd.exe, depth 2 (Sysnative alias, 64-bit); third occurrence of the hypervisor being turned off in this run:
  PID 5600   "C:\Windows\Sysnative\cmd.exe" /c bcdedit.exe /set hypervisorlaunchtype off
    └ C:\Windows\system32\bcdedit.exe  PID 5308   bcdedit.exe /set hypervisorlaunchtype off   [Modifies boot configuration data using bcdedit]
C:\Windows\SysWOW64\reg.exe, depth 2. These write CpuIdleScrub* values directly under HKLM\SYSTEM\ControlSet001\Control\Processor (ControlSet001 rather than CurrentControlSet, and without output redirection). CpuIdleScrubPower is written three times (18, then 100, then 0) and CpuIdleScrubValueDisabled twice (1, then 0); the last write wins, so the final values are 0 and 0. Sandbox signature tags are shown in brackets:
  PID 972    "C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\ControlSet001\Control\Processor" /v "CpuIdleScrubDelay" /t REG_DWORD /d "0" /f
  PID 5392   "C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\ControlSet001\Control\Processor" /v "CpuIdleScrubInterval" /t REG_DWORD /d "0" /f
  PID 5792   "C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\ControlSet001\Control\Processor" /v "CpuIdleScrubPower" /t REG_DWORD /d "18" /f
  PID 412    "C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\ControlSet001\Control\Processor" /v "CpuIdleScrubThreshold" /t REG_DWORD /d "0" /f
  PID 4360   "C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\ControlSet001\Control\Processor" /v "CpuIdleScrubType" /t REG_DWORD /d "2" /f
  PID 5736   "C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\ControlSet001\Control\Processor" /v "CpuIdleScrubValue" /t REG_DWORD /d "100" /f
  PID 5944   "C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\ControlSet001\Control\Processor" /v "CpuIdleScrubValueMaximum" /t REG_DWORD /d "100" /f
  PID 5952   "C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\ControlSet001\Control\Processor" /v "CpuIdleScrubValueMinimum" /t REG_DWORD /d "100" /f
  PID 5620   "C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\ControlSet001\Control\Processor" /v "CpuIdleScrubValueStep" /t REG_DWORD /d "0" /f
  PID 5964   "C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\ControlSet001\Control\Processor" /v "CpuIdleScrubValueDefault" /t REG_DWORD /d "0" /f
  PID 6052   "C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\ControlSet001\Control\Processor" /v "CpuIdleScrubValueCurrent" /t REG_DWORD /d "0" /f   [System Location Discovery: System Language Discovery]
  PID 5900   "C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\ControlSet001\Control\Processor" /v "CpuIdleScrubValuePrevious" /t REG_DWORD /d "0" /f
  PID 3904   "C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\ControlSet001\Control\Processor" /v "CpuIdleScrubValueNext" /t REG_DWORD /d "0" /f
  PID 1536   "C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\ControlSet001\Control\Processor" /v "CpuIdleScrubValueLast" /t REG_DWORD /d "0" /f
  PID 6072   "C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\ControlSet001\Control\Processor" /v "CpuIdleScrubValueFirst" /t REG_DWORD /d "0" /f
  PID 5240   "C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\ControlSet001\Control\Processor" /v "CpuIdleScrubValueCount" /t REG_DWORD /d "100" /f
  PID 5268   "C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\ControlSet001\Control\Processor" /v "CpuIdleScrubValueIndex" /t REG_DWORD /d "42" /f
  PID 4568   "C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\ControlSet001\Control\Processor" /v "CpuIdleScrubValueName" /t REG_DWORD /d "0" /f
  PID 5384   "C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\ControlSet001\Control\Processor" /v "CpuIdleScrubValueDescription" /t REG_DWORD /d "0" /f
  PID 5208   "C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\ControlSet001\Control\Processor" /v "CpuIdleScrubValueEnabled" /t REG_DWORD /d "0" /f
  PID 5428   "C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\ControlSet001\Control\Processor" /v "CpuIdleScrubValueDisabled" /t REG_DWORD /d "1" /f
  PID 5244   "C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\ControlSet001\Control\Processor" /v "CpuIdleScrubValueVisible" /t REG_DWORD /d "1" /f
  PID 5924   "C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\ControlSet001\Control\Processor" /v "CpuIdleScrubValueHidden" /t REG_DWORD /d "0" /f
  PID 1556   "C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\ControlSet001\Control\Processor" /v "CpuIdleScrubValueReadOnly" /t REG_DWORD /d "0" /f
  PID 2876   "C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\ControlSet001\Control\Processor" /v "CpuIdleScrubValueReadnv11" /t REG_DWORD /d "0" /f
  PID 4628   "C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\ControlSet001\Control\Processor" /v "CpuIdleScrubValuenv11Only" /t REG_DWORD /d "0" /f
  PID 1596   "C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\ControlSet001\Control\Processor" /v "CpuIdleScrubValueExecute" /t REG_DWORD /d "0" /f   [System Location Discovery: System Language Discovery]
  PID 5584   "C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\ControlSet001\Control\Processor" /v "CpuIdleScrubValueNoExecute" /t REG_DWORD /d "0" /f
  PID 5168   "C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\ControlSet001\Control\Processor" /v "CpuIdleScrubValueSystem" /t REG_DWORD /d "0" /f   [System Location Discovery: System Language Discovery]
  PID 4928   "C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\ControlSet001\Control\Processor" /v "CpuIdleScrubValueUser" /t REG_DWORD /d "0" /f
  PID 4788   "C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\ControlSet001\Control\Processor" /v "CpuIdleScrubPower" /t REG_DWORD /d "100" /f
  PID 1412   "C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\ControlSet001\Control\Processor" /v "CpuIdleScrubValueDisabled" /t REG_DWORD /d "0" /f
  PID 3088   "C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\ControlSet001\Control\Processor" /v "CpuIdleScrubPower" /t REG_DWORD /d "0" /f
  PID 2888   "C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\ControlSet001\Control\Processor" /v "CpuIdleScrubValueCustom" /t REG_DWORD /d "0" /f
  PID 1496   "C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\ControlSet001\Control\Processor" /v "CpuIdleScrubValueAuto" /t REG_DWORD /d "1" /f
  PID 3608   "C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\ControlSet001\Control\Processor" /v "CpuIdleScrubValueManual" /t REG_DWORD /d "0" /f
  PID 5888   "C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\ControlSet001\Control\Processor" /v "CpuIdleScrubValueAutomatic" /t REG_DWORD /d "1" /f
  PID 6064   "C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\ControlSet001\Control\Processor" /v "CpuIdleScrubValueDisabledByDefault" /t REG_DWORD /d "1" /f
  PID 6024   "C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\ControlSet001\Control\Processor" /v "CpuIdleScrubValueEnabledByDefault" /t REG_DWORD /d "0" /f
  PID 5356   "C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\ControlSet001\Control\Processor" /v "CpuIdleScrubValueDefaultEnabled" /t REG_DWORD /d "0" /f
  PID 5664   "C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\ControlSet001\Control\Processor" /v "CpuIdleScrubValueDefaultDisabled" /t REG_DWORD /d "1" /f
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\ControlSet001\Control\Processor" /v "CpuIdleScrubValueDefaultAuto" /t REG_DWORD /d "1" /f2⤵PID:5800
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\ControlSet001\Control\Processor" /v "CpuIdleScrubValueDefaultManual" /t REG_DWORD /d "0" /f2⤵PID:5884
-
-
C:\Windows\SysWOW64\cmd.exe (depth 2, PID 5692)
    "C:\Windows\System32\cmd.exe" /C reg add "HKLM\SOFTWARE\Wow6432Node\Policies\Microsoft\Windows\LLTD" /v EnableLLTDIO /t REG_DWORD /d 0 /f >NUL 2>&1
    C:\Windows\SysWOW64\reg.exe (depth 3, PID 6128)
        reg add "HKLM\SOFTWARE\Wow6432Node\Policies\Microsoft\Windows\LLTD" /v EnableLLTDIO /t REG_DWORD /d 0 /f

C:\Windows\SysWOW64\cmd.exe (depth 2, PID 5912)
    "C:\Windows\System32\cmd.exe" /C reg add "HKLM\SOFTWARE\Wow6432Node\Policies\Microsoft\Windows\LLTD" /v AllowLLTDIOOnDomain /t REG_DWORD /d 0 /f >NUL 2>&1
    C:\Windows\SysWOW64\reg.exe (depth 3, PID 5404)
        reg add "HKLM\SOFTWARE\Wow6432Node\Policies\Microsoft\Windows\LLTD" /v AllowLLTDIOOnDomain /t REG_DWORD /d 0 /f
        - System Location Discovery: System Language Discovery

C:\Windows\SysWOW64\cmd.exe (depth 2, PID 5860)
    "C:\Windows\System32\cmd.exe" /C reg add "HKLM\SOFTWARE\Wow6432Node\Policies\Microsoft\Windows\LLTD" /v AllowLLTDIOOnPublicNet /t REG_DWORD /d 0 /f >NUL 2>&1
    - System Location Discovery: System Language Discovery
    C:\Windows\SysWOW64\reg.exe (depth 3, PID 6136)
        reg add "HKLM\SOFTWARE\Wow6432Node\Policies\Microsoft\Windows\LLTD" /v AllowLLTDIOOnPublicNet /t REG_DWORD /d 0 /f

C:\Windows\SysWOW64\cmd.exe (depth 2, PID 5132)
    "C:\Windows\System32\cmd.exe" /C reg add "HKLM\SOFTWARE\Wow6432Node\Policies\Microsoft\Windows\LLTD" /v ProhibitLLTDIOOnPrivateNet /t REG_DWORD /d 0 /f >NUL 2>&1
    - System Location Discovery: System Language Discovery
    C:\Windows\SysWOW64\reg.exe (depth 3, PID 5956)
        reg add "HKLM\SOFTWARE\Wow6432Node\Policies\Microsoft\Windows\LLTD" /v ProhibitLLTDIOOnPrivateNet /t REG_DWORD /d 0 /f

C:\Windows\SysWOW64\cmd.exe (depth 2, PID 5296)
    "C:\Windows\System32\cmd.exe" /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\LLTD" /v EnableLLTDIO /t REG_DWORD /d 0 /f >NUL 2>&1
    - System Location Discovery: System Language Discovery
    C:\Windows\SysWOW64\reg.exe (depth 3, PID 5252)
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\LLTD" /v EnableLLTDIO /t REG_DWORD /d 0 /f

C:\Windows\SysWOW64\cmd.exe (depth 2, PID 5548)
    "C:\Windows\System32\cmd.exe" /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\LLTD" /v AllowLLTDIOOnDomain /t REG_DWORD /d 0 /f >NUL 2>&1
    C:\Windows\SysWOW64\reg.exe (depth 3, PID 5300)
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\LLTD" /v AllowLLTDIOOnDomain /t REG_DWORD /d 0 /f

C:\Windows\SysWOW64\cmd.exe (depth 2, PID 5180)
    "C:\Windows\System32\cmd.exe" /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\LLTD" /v AllowLLTDIOOnPublicNet /t REG_DWORD /d 0 /f >NUL 2>&1
    C:\Windows\SysWOW64\reg.exe (depth 3, PID 2884)
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\LLTD" /v AllowLLTDIOOnPublicNet /t REG_DWORD /d 0 /f

C:\Windows\SysWOW64\cmd.exe (depth 2, PID 5352)
    "C:\Windows\System32\cmd.exe" /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\LLTD" /v ProhibitLLTDIOOnPrivateNet /t REG_DWORD /d 0 /f >NUL 2>&1
    C:\Windows\SysWOW64\reg.exe (depth 3, PID 2768)
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\LLTD" /v ProhibitLLTDIOOnPrivateNet /t REG_DWORD /d 0 /f

C:\Windows\SysWOW64\cmd.exe (depth 2, PID 380)
    "C:\Windows\System32\cmd.exe" /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\LLTD" /v EnableRspndr /t REG_DWORD /d 0 /f >NUL 2>&1
    C:\Windows\SysWOW64\reg.exe (depth 3, PID 1920)
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\LLTD" /v EnableRspndr /t REG_DWORD /d 0 /f

C:\Windows\SysWOW64\cmd.exe (depth 2, PID 3700)
    "C:\Windows\System32\cmd.exe" /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\LLTD" /v AllowRspndrOnDomain /t REG_DWORD /d 0 /f >NUL 2>&1
    C:\Windows\SysWOW64\reg.exe (depth 3, PID 4780)
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\LLTD" /v AllowRspndrOnDomain /t REG_DWORD /d 0 /f

C:\Windows\SysWOW64\cmd.exe (depth 2, PID 820)
    "C:\Windows\System32\cmd.exe" /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\LLTD" /v AllowRspndrOnPublicNet /t REG_DWORD /d 0 /f >NUL 2>&1
    C:\Windows\SysWOW64\reg.exe (depth 3, PID 1580)
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\LLTD" /v AllowRspndrOnPublicNet /t REG_DWORD /d 0 /f

C:\Windows\SysWOW64\cmd.exe (depth 2, PID 1472)
    "C:\Windows\System32\cmd.exe" /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\LLTD" /v ProhibitRspndrOnPrivateNet /t REG_DWORD /d 0 /f >NUL 2>&1
    C:\Windows\SysWOW64\reg.exe (depth 3, PID 5412)
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\LLTD" /v ProhibitRspndrOnPrivateNet /t REG_DWORD /d 0 /f

C:\Windows\SysWOW64\cmd.exe (depth 2, PID 4356)
    "C:\Windows\System32\cmd.exe" /C reg add "HKLM\SOFTWARE\Wow6432Node\Policies\Microsoft\Windows\LLTD" /v EnableRspndr /t REG_DWORD /d 0 /f >NUL 2>&1
    C:\Windows\SysWOW64\reg.exe (depth 3, PID 5852)
        reg add "HKLM\SOFTWARE\Wow6432Node\Policies\Microsoft\Windows\LLTD" /v EnableRspndr /t REG_DWORD /d 0 /f

C:\Windows\SysWOW64\cmd.exe (depth 2, PID 2336)
    "C:\Windows\System32\cmd.exe" /C reg add "HKLM\SOFTWARE\Wow6432Node\Policies\Microsoft\Windows\LLTD" /v AllowRspndrOnDomain /t REG_DWORD /d 0 /f >NUL 2>&1
    C:\Windows\SysWOW64\reg.exe (depth 3, PID 5152)
        reg add "HKLM\SOFTWARE\Wow6432Node\Policies\Microsoft\Windows\LLTD" /v AllowRspndrOnDomain /t REG_DWORD /d 0 /f

C:\Windows\SysWOW64\cmd.exe (depth 2, PID 5648)
    "C:\Windows\System32\cmd.exe" /C reg add "HKLM\SOFTWARE\Wow6432Node\Policies\Microsoft\Windows\LLTD" /v AllowRspndrOnPublicNet /t REG_DWORD /d 0 /f >NUL 2>&1
    C:\Windows\SysWOW64\reg.exe (depth 3, PID 540)
        reg add "HKLM\SOFTWARE\Wow6432Node\Policies\Microsoft\Windows\LLTD" /v AllowRspndrOnPublicNet /t REG_DWORD /d 0 /f

C:\Windows\SysWOW64\cmd.exe (depth 2, PID 2796)
    "C:\Windows\System32\cmd.exe" /C reg add "HKLM\SOFTWARE\Wow6432Node\Policies\Microsoft\Windows\LLTD" /v ProhibitRspndrOnPrivateNet /t REG_DWORD /d 0 /f >NUL 2>&1
    C:\Windows\SysWOW64\reg.exe (depth 3, PID 2268)
        reg add "HKLM\SOFTWARE\Wow6432Node\Policies\Microsoft\Windows\LLTD" /v ProhibitRspndrOnPrivateNet /t REG_DWORD /d 0 /f
C:\Windows\SysWOW64\reg.exe (depth 2, PID 1456)
    "C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Control\Power\PowerSettings\54533251-82be-4824-96c1-47b60b740d00\943c8cb6-6f93-4227-ad87-e9a3feec08d1" /v "Attributes" /t REG_DWORD /d "2" /f

C:\Windows\SysWOW64\reg.exe (depth 2, PID 2948)
    "C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Control\Power\PowerSettings\2a737441-1930-4402-8d77-b2bebba308a3\d4e98f31-5ffe-4ce1-be31-1b38b384c009\DefaultPowerSchemeValues\381b4222-f694-41f0-9685-ff5bb260df2e" /v "ACSettingIndex" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\reg.exe (depth 2, PID 3996)
    "C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Control\Power\PowerSettings\2a737441-1930-4402-8d77-b2bebba308a3\d4e98f31-5ffe-4ce1-be31-1b38b384c009\DefaultPowerSchemeValues\381b4222-f694-41f0-9685-ff5bb260df2e" /v "DCSettingIndex" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\reg.exe (depth 2, PID 4520)
    "C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Control\Power\PowerSettings\2a737441-1930-4402-8d77-b2bebba308a3\d4e98f31-5ffe-4ce1-be31-1b38b384c009\DefaultPowerSchemeValues\8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c" /v "ACSettingIndex" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\reg.exe (depth 2, PID 5732)
    "C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Control\Power\PowerSettings\54533251-82be-4824-96c1-47b60b740d00\3b04d4fd-1cc7-4f23-ab1c-d1337819c4bb\DefaultPowerSchemeValues\381b4222-f694-41f0-9685-ff5bb260df2e" /v "ACSettingIndex" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\reg.exe (depth 2, PID 1092)
    "C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Control\Power\PowerSettings\54533251-82be-4824-96c1-47b60b740d00\3b04d4fd-1cc7-4f23-ab1c-d1337819c4bb\DefaultPowerSchemeValues\381b4222-f694-41f0-9685-ff5bb260df2e" /v "DCSettingIndex" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\reg.exe (depth 2, PID 5708)
    "C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Control\Power\PowerSettings\54533251-82be-4824-96c1-47b60b740d00\3b04d4fd-1cc7-4f23-ab1c-d1337819c4bb\DefaultPowerSchemeValues\8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c" /v "ACSettingIndex" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\reg.exe (depth 2, PID 1528)
    "C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Control\Processor" /v "AllowPepPerfStates" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\reg.exe (depth 2, PID 5788)
    "C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Control\Processor" /v "Cstates" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\reg.exe (depth 2, PID 1932)
    "C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Control\Processor" /v "Capabilities" /t REG_DWORD /d "516198" /f
    - System Location Discovery: System Language Discovery

C:\Windows\SysWOW64\reg.exe (depth 2, PID 5392)
    "C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "HighPerformance" /t REG_DWORD /d "1" /f

C:\Windows\SysWOW64\reg.exe (depth 2, PID 5428)
    "C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "HighestPerformance" /t REG_DWORD /d "1" /f

C:\Windows\SysWOW64\reg.exe (depth 2, PID 5584)
    "C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "MinimumThrottlePercent" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\reg.exe (depth 2, PID 4360)
    "C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "MaximumThrottlePercent" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\reg.exe (depth 2, PID 1536)
    "C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "MaximumPerformancePercent" /t REG_DWORD /d "100" /f

C:\Windows\SysWOW64\reg.exe (depth 2, PID 5904)
    "C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "Class1InitialUnparkCount" /t REG_DWORD /d "100" /f

C:\Windows\SysWOW64\reg.exe (depth 2, PID 6036)
    "C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "InitialUnparkCount" /t REG_DWORD /d "100" /f

C:\Windows\SysWOW64\reg.exe (depth 2, PID 5752)
    "C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "MaximumPerformancePercent" /t REG_DWORD /d "100" /f

C:\Windows\SysWOW64\reg.exe (depth 2, PID 5804)
    "C:\Windows\System32\reg.exe" add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WcmSvc\GroupPolicy" /v "fDisablePowerManagement" /t REG_DWORD /d "1" /f

C:\Windows\SysWOW64\reg.exe (depth 2, PID 5216)
    "C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Control\Power\PDC\Activators\Default\VetoPolicy" /v "EA:EnergySaverEngaged" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\reg.exe (depth 2, PID 5156)
    "C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Control\Power\PDC\Activators\28\VetoPolicy" /v "EA:PowerStateDischarging" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\reg.exe (depth 2, PID 5220)
    "C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Control\Power\Policy\Settings\Misc" /v "DeviceIdlePolicy" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\reg.exe (depth 2, PID 5444)
    "C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Control\Power\Policy\Settings\Processor" /v "PerfEnergyPreference" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\reg.exe (depth 2, PID 5516)
    "C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Control\Power\Policy\Settings\Processor" /v "PerfEnergyPreference" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\reg.exe (depth 2, PID 5460)
    "C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Control\Power\Policy\Settings\Processor" /v "CPMinCores" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\reg.exe (depth 2, PID 5260)
    "C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Control\Power\Policy\Settings\Processor" /v "CPMaxCores" /t REG_DWORD /d "0" /f
    - System Location Discovery: System Language Discovery

C:\Windows\SysWOW64\reg.exe (depth 2, PID 1920)
    "C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Control\Power\Policy\Settings\Processor" /v "CPMinCores1" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\reg.exe (depth 2, PID 2548)
    "C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Control\Power\Policy\Settings\Processor" /v "CPMaxCores1" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\reg.exe (depth 2, PID 1468)
    "C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Control\Power\Policy\Settings\Processor" /v "CpLatencyHintUnpark1" /t REG_DWORD /d "100" /f

C:\Windows\SysWOW64\reg.exe (depth 2, PID 5436)
    "C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Control\Power\Policy\Settings\Processor" /v "CPDistribution" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\reg.exe (depth 2, PID 5576)
    "C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Control\Power\Policy\Settings\Processor" /v "CpLatencyHintUnpark" /t REG_DWORD /d "100" /f

C:\Windows\SysWOW64\reg.exe (depth 2, PID 4460)
    "C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Control\Power\Policy\Settings\Processor" /v "MaxPerformance1" /t REG_DWORD /d "100" /f
    - System Location Discovery: System Language Discovery

C:\Windows\SysWOW64\reg.exe (depth 2, PID 2476)
    "C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Control\Power\Policy\Settings\Processor" /v "MaxPerformance" /t REG_DWORD /d "100" /f

C:\Windows\SysWOW64\reg.exe (depth 2, PID 5936)
    "C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Control\Power\Policy\Settings\Processor" /v "CPDistribution1" /t REG_DWORD /d "0" /f
    - System Location Discovery: System Language Discovery

C:\Windows\SysWOW64\reg.exe (depth 2, PID 5552)
    "C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Control\Power\Policy\Settings\Processor" /v "CPHEADROOM" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\reg.exe (depth 2, PID 6116)
    "C:\Windows\System32\reg.exe" add "HKCU\Control Panel\PowerCfg\GlobalPowerPolicy" /v "Policies" /t REG_BINARY /d "01000000020000000100000000000000020000000000000000000000000000002c0100003232030304000000040000000000000000000000840300002c01000000000000840300000001646464640000" /f
    - Power Settings

C:\Windows\SysWOW64\reg.exe (depth 2, PID 5352)
    "C:\Windows\System32\reg.exe" add "HKCU\Control Panel\PowerCfg\GlobalPowerPolicy" /v "Policies" /t REG_BINARY /d "01000000020000000100000000000000020000000000000000000000000000002c0100003232030304000000040000000000000000000000840300002c01000000000000840300000001646464640000" /f
    - Power Settings

C:\Windows\SysWOW64\reg.exe (depth 2, PID 5304)
    "C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Control\Processor" /v "Cstates" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\reg.exe (depth 2, PID 2956)
    "C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Control\Processor" /v "Capabilities" /t REG_DWORD /d "516198" /f

C:\Windows\SysWOW64\reg.exe (depth 2, PID 5440)
    "C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "HighPerformance" /t REG_DWORD /d "1" /f

C:\Windows\SysWOW64\reg.exe (depth 2, PID 5812)
    "C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "HighestPerformance" /t REG_DWORD /d "1" /f
    - System Location Discovery: System Language Discovery

C:\Windows\SysWOW64\reg.exe (depth 2, PID 6012)
    "C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "MinimumThrottlePercent" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\reg.exe (depth 2, PID 5872)
    "C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "MaximumThrottlePercent" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\reg.exe (depth 2, PID 5892)
    "C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "MaximumPerformancePercent" /t REG_DWORD /d "100" /f

C:\Windows\SysWOW64\reg.exe (depth 2, PID 5836)
    "C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "Class1InitialUnparkCount" /t REG_DWORD /d "100" /f

C:\Windows\SysWOW64\reg.exe (depth 2, PID 5644)
    "C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "InitialUnparkCount" /t REG_DWORD /d "100" /f

C:\Windows\SysWOW64\reg.exe (depth 2, PID 5168)
    "C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "MaximumPerformancePercent" /t REG_DWORD /d "100" /f

C:\Windows\SysWOW64\reg.exe (depth 2, PID 5952)
    "C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Control\Power\PowerThrottling" /v "PowerThrottlingOff" /t REG_DWORD /d "1" /f

C:\Windows\SysWOW64\reg.exe (depth 2, PID 1596)
    "C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Control\Power\Policy\Settings\Processor" /v "CPHEADROOM" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\reg.exe (depth 2, PID 6032)
    "C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Control\Power\Policy\Settings\Processor" /v "CPCONCURRENCY" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\reg.exe (depth 2, PID 6076)
    "C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\ControlSet001\Control\Processor" /v "ProccesorThrottlingEnabled" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\reg.exe (depth 2, PID 5252)
    "C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\ControlSet001\Control\Processor" /v "CpuIdleThreshold" /t REG_DWORD /d "1" /f

C:\Windows\SysWOW64\reg.exe (depth 2, PID 6056)
    "C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\ControlSet001\Control\Processor" /v "CpuIdle" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\reg.exe (depth 2, PID 5340)
    "C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\ControlSet001\Control\Processor" /v "CpuLatencyTimer" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\reg.exe (depth 2, PID 5596)
    "C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\ControlSet001\Control\Processor" /v "CpuSlowdown" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\reg.exe (depth 2, PID 5224)
    "C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\ControlSet001\Control\Processor" /v "DedicatedSegmentSize" /t REG_DWORD /d "1298" /f

C:\Windows\SysWOW64\reg.exe (depth 2, PID 2884)
    "C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\ControlSet001\Control\Processor" /v "Threshold" /t REG_DWORD /d "1" /f

C:\Windows\SysWOW64\reg.exe (depth 2, PID 5212)
    "C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\ControlSet001\Control\Processor" /v "CpuDebuggingEnabled" /t REG_DWORD /d "0" /f
    - System Location Discovery: System Language Discovery

C:\Windows\SysWOW64\reg.exe (depth 2, PID 5976)
    "C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\ControlSet001\Control\Processor" /v "ProccesorLatencyThrottlingEnabled" /t REG_DWORD /d "0" /f
C:\Windows\SysWOW64\cmd.exe (depth 2, PID 2464)
    "C:\Windows\System32\cmd.exe" /C reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print" /v "PortThreadPriority" /t REG_DWORD /d "00000001" /f >nul 2>&1
    - System Location Discovery: System Language Discovery
    C:\Windows\SysWOW64\reg.exe (depth 3, PID 1580)
        reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print" /v "PortThreadPriority" /t REG_DWORD /d "00000001" /f

C:\Windows\SysWOW64\cmd.exe (depth 2, PID 5280)
    "C:\Windows\System32\cmd.exe" /C reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print" /v "PriorityClass" /t REG_DWORD /d "00000001" /f >nul 2>&1
    C:\Windows\SysWOW64\reg.exe (depth 3, PID 5520)
        reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print" /v "PriorityClass" /t REG_DWORD /d "00000001" /f

C:\Windows\SysWOW64\cmd.exe (depth 2, PID 1852)
    "C:\Windows\System32\cmd.exe" /C bcdedit -set disabledynamictick yes

C:\Windows\SysWOW64\cmd.exe (depth 2, PID 5908)
    "C:\Windows\System32\cmd.exe" /C bcdedit -set useplatformtick yes

C:\Windows\SysWOW64\cmd.exe (depth 2, PID 5820)
    "C:\Windows\System32\cmd.exe" /C chcp 437 > nul
    C:\Windows\SysWOW64\chcp.com (depth 3, PID 548)
        chcp 437

C:\Windows\SysWOW64\cmd.exe (depth 2, PID 4200)
    "C:\Windows\System32\cmd.exe" /C PowerShell "ForEach($v in (Get-Command -Name 'Set-ProcessMitigation').Parameters['Disable'].Attributes.ValidValues){Set-ProcessMitigation -System -Disable $v.ToString() -ErrorAction SilentlyContinue}"
    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (depth 3, PID 3812)
        PowerShell "ForEach($v in (Get-Command -Name 'Set-ProcessMitigation').Parameters['Disable'].Attributes.ValidValues){Set-ProcessMitigation -System -Disable $v.ToString() -ErrorAction SilentlyContinue}"
        - Command and Scripting Interpreter: PowerShell
        - Hide Artifacts: Ignore Process Interrupts
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
C:\Windows\SysWOW64\cmd.exe (depth 2, PID 5572)
    "C:\Windows\System32\cmd.exe" /C Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power\PowerSettings\54533251-82be-4824-96c1-47b60b740d00\943c8cb6-6f93-4227-ad87-e9a3feec08d1" /v "Attributes" /t REG_DWORD /d "2" /f
    C:\Windows\SysWOW64\reg.exe (depth 3, PID 5604)
        Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power\PowerSettings\54533251-82be-4824-96c1-47b60b740d00\943c8cb6-6f93-4227-ad87-e9a3feec08d1" /v "Attributes" /t REG_DWORD /d "2" /f

C:\Windows\SysWOW64\cmd.exe (depth 2, PID 5364)
    "C:\Windows\System32\cmd.exe" /C Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power\PowerSettings\2a737441-1930-4402-8d77-b2bebba308a3\d4e98f31-5ffe-4ce1-be31-1b38b384c009\DefaultPowerSchemeValues\381b4222-f694-41f0-9685-ff5bb260df2e" /v "ACSettingIndex" /t REG_DWORD /d "0" /f
    C:\Windows\SysWOW64\reg.exe (depth 3, PID 5200)
        Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power\PowerSettings\2a737441-1930-4402-8d77-b2bebba308a3\d4e98f31-5ffe-4ce1-be31-1b38b384c009\DefaultPowerSchemeValues\381b4222-f694-41f0-9685-ff5bb260df2e" /v "ACSettingIndex" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\cmd.exe (depth 2, PID 5244)
    "C:\Windows\System32\cmd.exe" /C Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power\PowerSettings\2a737441-1930-4402-8d77-b2bebba308a3\d4e98f31-5ffe-4ce1-be31-1b38b384c009\DefaultPowerSchemeValues\381b4222-f694-41f0-9685-ff5bb260df2e" /v "DCSettingIndex" /t REG_DWORD /d "0" /f
    C:\Windows\SysWOW64\reg.exe (depth 3, PID 5736)
        Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power\PowerSettings\2a737441-1930-4402-8d77-b2bebba308a3\d4e98f31-5ffe-4ce1-be31-1b38b384c009\DefaultPowerSchemeValues\381b4222-f694-41f0-9685-ff5bb260df2e" /v "DCSettingIndex" /t REG_DWORD /d "0" /f
        - System Location Discovery: System Language Discovery

C:\Windows\SysWOW64\cmd.exe (depth 2, PID 5928)
    "C:\Windows\System32\cmd.exe" /C Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power\PowerSettings\2a737441-1930-4402-8d77-b2bebba308a3\d4e98f31-5ffe-4ce1-be31-1b38b384c009\DefaultPowerSchemeValues\8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c" /v "ACSettingIndex" /t REG_DWORD /d "0" /f
    C:\Windows\SysWOW64\reg.exe (depth 3, PID 4928)
        Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power\PowerSettings\2a737441-1930-4402-8d77-b2bebba308a3\d4e98f31-5ffe-4ce1-be31-1b38b384c009\DefaultPowerSchemeValues\8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c" /v "ACSettingIndex" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\cmd.exe (depth 2, PID 5356)
    "C:\Windows\System32\cmd.exe" /C Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power\PowerSettings\54533251-82be-4824-96c1-47b60b740d00\3b04d4fd-1cc7-4f23-ab1c-d1337819c4bb\DefaultPowerSchemeValues\381b4222-f694-41f0-9685-ff5bb260df2e" /v "ACSettingIndex" /t REG_DWORD /d "0" /f
    C:\Windows\SysWOW64\reg.exe (depth 3, PID 4092)
        Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power\PowerSettings\54533251-82be-4824-96c1-47b60b740d00\3b04d4fd-1cc7-4f23-ab1c-d1337819c4bb\DefaultPowerSchemeValues\381b4222-f694-41f0-9685-ff5bb260df2e" /v "ACSettingIndex" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\cmd.exe (depth 2, PID 972)
    "C:\Windows\System32\cmd.exe" /C Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power\PowerSettings\54533251-82be-4824-96c1-47b60b740d00\3b04d4fd-1cc7-4f23-ab1c-d1337819c4bb\DefaultPowerSchemeValues\381b4222-f694-41f0-9685-ff5bb260df2e" /v "DCSettingIndex" /t REG_DWORD /d "0" /f
    C:\Windows\SysWOW64\reg.exe (depth 3, PID 5844)
        Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power\PowerSettings\54533251-82be-4824-96c1-47b60b740d00\3b04d4fd-1cc7-4f23-ab1c-d1337819c4bb\DefaultPowerSchemeValues\381b4222-f694-41f0-9685-ff5bb260df2e" /v "DCSettingIndex" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\cmd.exe (depth 2, PID 5980)
    "C:\Windows\System32\cmd.exe" /C Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power\PowerSettings\54533251-82be-4824-96c1-47b60b740d00\3b04d4fd-1cc7-4f23-ab1c-d1337819c4bb\DefaultPowerSchemeValues\8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c" /v "ACSettingIndex" /t REG_DWORD /d "0" /f
    C:\Windows\SysWOW64\reg.exe (depth 3, PID 6136)
        Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power\PowerSettings\54533251-82be-4824-96c1-47b60b740d00\3b04d4fd-1cc7-4f23-ab1c-d1337819c4bb\DefaultPowerSchemeValues\8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c" /v "ACSettingIndex" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\cmd.exe (depth 2, PID 5192)
    "C:\Windows\System32\cmd.exe" /C Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Processor" /v "AllowPepPerfStates" /t REG_DWORD /d "0" /f
    C:\Windows\SysWOW64\reg.exe (depth 3, PID 4596)
        Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Processor" /v "AllowPepPerfStates" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\cmd.exe (depth 2, PID 5128)
    "C:\Windows\System32\cmd.exe" /C Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Processor" /v "Cstates" /t REG_DWORD /d "0" /f
    C:\Windows\SysWOW64\reg.exe (depth 3, PID 4860)
        Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Processor" /v "Cstates" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\cmd.exe (depth 2, PID 400)
    "C:\Windows\System32\cmd.exe" /C Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Processor" /v "Capabilities" /t REG_DWORD /d "516198" /f
    C:\Windows\SysWOW64\reg.exe (depth 3, PID 5332)
        Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Processor" /v "Capabilities" /t REG_DWORD /d "516198" /f

C:\Windows\SysWOW64\cmd.exe (depth 2, PID 6112)
    "C:\Windows\System32\cmd.exe" /C Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "HighPerformance" /t REG_DWORD /d "1" /f
    - System Location Discovery: System Language Discovery
    C:\Windows\SysWOW64\reg.exe (depth 3, PID 4100)
        Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "HighPerformance" /t REG_DWORD /d "1" /f

C:\Windows\SysWOW64\cmd.exe (depth 2, PID 512)
    "C:\Windows\System32\cmd.exe" /C Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "HighestPerformance" /t REG_DWORD /d "1" /f
    C:\Windows\SysWOW64\reg.exe (depth 3, PID 5560)
        Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "HighestPerformance" /t REG_DWORD /d "1" /f

C:\Windows\SysWOW64\cmd.exe (depth 2, PID 1608)
    "C:\Windows\System32\cmd.exe" /C Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "MinimumThrottlePercent" /t REG_DWORD /d "0" /f
    C:\Windows\SysWOW64\reg.exe (depth 3, PID 1456)
        Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "MinimumThrottlePercent" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\cmd.exe (depth 2, PID 5436)
    "C:\Windows\System32\cmd.exe" /C Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "MaximumThrottlePercent" /t REG_DWORD /d "0" /f
    C:\Windows\SysWOW64\reg.exe (depth 3, PID 5340)
        Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "MaximumThrottlePercent" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\cmd.exe (depth 2, PID 5644)
    "C:\Windows\System32\cmd.exe" /C Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "MaximumPerformancePercent" /t REG_DWORD /d "100" /f
    C:\Windows\SysWOW64\reg.exe (depth 3, PID 4360)
        Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "MaximumPerformancePercent" /t REG_DWORD /d "100" /f

C:\Windows\SysWOW64\cmd.exe (depth 2, PID 5892)
    "C:\Windows\System32\cmd.exe" /C Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "Class1InitialUnparkCount" /t REG_DWORD /d "100" /f
    C:\Windows\SysWOW64\reg.exe (depth 3, PID 5516)
        Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "Class1InitialUnparkCount" /t REG_DWORD /d "100" /f

C:\Windows\SysWOW64\cmd.exe (depth 2, PID 3928)
    "C:\Windows\System32\cmd.exe" /C Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "InitialUnparkCount" /t REG_DWORD /d "100" /f
    C:\Windows\SysWOW64\reg.exe (depth 3, PID 6020)
        Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "InitialUnparkCount" /t REG_DWORD /d "100" /f

C:\Windows\SysWOW64\cmd.exe (depth 2, PID 5500)
    "C:\Windows\System32\cmd.exe" /C Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "MaximumPerformancePercent" /t REG_DWORD /d "100" /f
    C:\Windows\SysWOW64\reg.exe (depth 3, PID 5512)
        Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "MaximumPerformancePercent" /t REG_DWORD /d "100" /f

C:\Windows\SysWOW64\cmd.exe (depth 2, PID 5616)
    "C:\Windows\System32\cmd.exe" /C Reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WcmSvc\GroupPolicy" /v "fDisablePowerManagement" /t REG_DWORD /d "1" /f
    - System Location Discovery: System Language Discovery
    C:\Windows\SysWOW64\reg.exe (depth 3, PID 5580)
        Reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WcmSvc\GroupPolicy" /v "fDisablePowerManagement" /t REG_DWORD /d "1" /f

C:\Windows\SysWOW64\cmd.exe (depth 2, PID 5636)
    "C:\Windows\System32\cmd.exe" /C Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power\PDC\Activators\Default\VetoPolicy" /v "EA:EnergySaverEngaged" /t REG_DWORD /d "0" /f
    - System Location Discovery: System Language Discovery
    C:\Windows\SysWOW64\reg.exe (depth 3, PID 3484)
        Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power\PDC\Activators\Default\VetoPolicy" /v "EA:EnergySaverEngaged" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\cmd.exe (depth 2, PID 3836)
    "C:\Windows\System32\cmd.exe" /C Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power\PDC\Activators\28\VetoPolicy" /v "EA:PowerStateDischarging" /t REG_DWORD /d "0" /f
    C:\Windows\SysWOW64\reg.exe (depth 3, PID 5180)
        Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power\PDC\Activators\28\VetoPolicy" /v "EA:PowerStateDischarging" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\cmd.exe (depth 2, PID 2940)
    "C:\Windows\System32\cmd.exe" /C Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power\Policy\Settings\Misc" /v "DeviceIdlePolicy" /t REG_DWORD /d "0" /f
    C:\Windows\SysWOW64\reg.exe (depth 3, PID 4324)
        Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power\Policy\Settings\Misc" /v "DeviceIdlePolicy" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\cmd.exe (depth 2, PID 5600)
    "C:\Windows\System32\cmd.exe" /C Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power\Policy\Settings\Processor" /v "PerfEnergyPreference" /t REG_DWORD /d "0" /f
    C:\Windows\SysWOW64\reg.exe (depth 3, PID 3664)
        Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power\Policy\Settings\Processor" /v "PerfEnergyPreference" /t REG_DWORD /d "0" /f
        - System Location Discovery: System Language Discovery

C:\Windows\SysWOW64\cmd.exe (depth 2, PID 5248)
    "C:\Windows\System32\cmd.exe" /C Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power\Policy\Settings\Processor" /v "CPMinCores" /t REG_DWORD /d "0" /f
    C:\Windows\SysWOW64\reg.exe (depth 3, PID 1012)
        Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power\Policy\Settings\Processor" /v "CPMinCores" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\cmd.exe (depth 2, PID 5860)
    "C:\Windows\System32\cmd.exe" /C Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power\Policy\Settings\Processor" /v "CPMaxCores" /t REG_DWORD /d "0" /f
    C:\Windows\SysWOW64\reg.exe (depth 3, PID 3592)
        Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power\Policy\Settings\Processor" /v "CPMaxCores" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\cmd.exe (depth 2, PID 4008)
    "C:\Windows\System32\cmd.exe" /C Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power\Policy\Settings\Processor" /v "CPMinCores1" /t REG_DWORD /d "0" /f
    C:\Windows\SysWOW64\reg.exe (depth 3, PID 5968)
        Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power\Policy\Settings\Processor" /v "CPMinCores1" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\cmd.exe (depth 2, PID 5920)
    "C:\Windows\System32\cmd.exe" /C Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power\Policy\Settings\Processor" /v "CPMaxCores1" /t REG_DWORD /d "0" /f
    C:\Windows\SysWOW64\reg.exe (depth 3, PID 5728)
        Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power\Policy\Settings\Processor" /v "CPMaxCores1" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\cmd.exe (depth 2, PID 5688)
    "C:\Windows\System32\cmd.exe" /C Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power\Policy\Settings\Processor" /v "CpLatencyHintUnpark1" /t REG_DWORD /d "100" /f
    C:\Windows\SysWOW64\reg.exe (depth 3, PID 5960)
        Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power\Policy\Settings\Processor" /v "CpLatencyHintUnpark1" /t REG_DWORD /d "100" /f

C:\Windows\SysWOW64\cmd.exe (depth 2, PID 6132)
    "C:\Windows\System32\cmd.exe" /C Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power\Policy\Settings\Processor" /v "CPDistribution" /t REG_DWORD /d "0" /f
-
C:\Windows\SysWOW64\reg.exeReg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power\Policy\Settings\Processor" /v "CPDistribution" /t REG_DWORD /d "0" /f3⤵PID:4628
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power\Policy\Settings\Processor" /v "CpLatencyHintUnpark" /t REG_DWORD /d "100" /f2⤵PID:4824
-
C:\Windows\SysWOW64\reg.exeReg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power\Policy\Settings\Processor" /v "CpLatencyHintUnpark" /t REG_DWORD /d "100" /f3⤵PID:6052
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power\Policy\Settings\Processor" /v "MaxPerformance1" /t REG_DWORD /d "100" /f2⤵PID:6028
-
C:\Windows\SysWOW64\reg.exeReg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power\Policy\Settings\Processor" /v "MaxPerformance1" /t REG_DWORD /d "100" /f3⤵
- System Location Discovery: System Language Discovery
PID:452
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power\Policy\Settings\Processor" /v "MaxPerformance" /t REG_DWORD /d "100" /f2⤵PID:5164
-
C:\Windows\SysWOW64\reg.exeReg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power\Policy\Settings\Processor" /v "MaxPerformance" /t REG_DWORD /d "100" /f3⤵PID:5136
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power\Policy\Settings\Processor" /v "CPDistribution1" /t REG_DWORD /d "0" /f2⤵PID:4596
-
C:\Windows\SysWOW64\reg.exeReg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power\Policy\Settings\Processor" /v "CPDistribution1" /t REG_DWORD /d "0" /f3⤵PID:5188
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power\Policy\Settings\Processor" /v "CPHEADROOM" /t REG_DWORD /d "0" /f2⤵PID:2404
-
C:\Windows\SysWOW64\reg.exeReg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power\Policy\Settings\Processor" /v "CPHEADROOM" /t REG_DWORD /d "0" /f3⤵PID:5432
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C Reg.exe add "HKCU\Control Panel\PowerCfg\GlobalPowerPolicy" /v "Policies" /t REG_BINARY /d "01000000020000000100000000000000020000000000000000000000000000002c0100003232030304000000040000000000000000000000840300002c01000000000000840300000001646464640000" /f2⤵
- Power Settings
PID:4188 -
C:\Windows\SysWOW64\reg.exeReg.exe add "HKCU\Control Panel\PowerCfg\GlobalPowerPolicy" /v "Policies" /t REG_BINARY /d "01000000020000000100000000000000020000000000000000000000000000002c0100003232030304000000040000000000000000000000840300002c01000000000000840300000001646464640000" /f3⤵
- Power Settings
PID:1860
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Processor" /v "Cstates" /t REG_DWORD /d "0" /f2⤵PID:5536
-
C:\Windows\SysWOW64\reg.exeReg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Processor" /v "Cstates" /t REG_DWORD /d "0" /f3⤵PID:5560
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Processor" /v "Capabilities" /t REG_DWORD /d "516198" /f2⤵PID:2720
-
C:\Windows\SysWOW64\reg.exeReg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Processor" /v "Capabilities" /t REG_DWORD /d "516198" /f3⤵
- System Location Discovery: System Language Discovery
PID:1456
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "HighPerformance" /t REG_DWORD /d "1" /f2⤵PID:2344
-
C:\Windows\SysWOW64\reg.exeReg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "HighPerformance" /t REG_DWORD /d "1" /f3⤵PID:1092
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "HighestPerformance" /t REG_DWORD /d "1" /f2⤵
- System Location Discovery: System Language Discovery
PID:6012 -
C:\Windows\SysWOW64\reg.exeReg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "HighestPerformance" /t REG_DWORD /d "1" /f3⤵PID:6056
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "MinimumThrottlePercent" /t REG_DWORD /d "0" /f2⤵PID:5836
-
C:\Windows\SysWOW64\reg.exeReg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "MinimumThrottlePercent" /t REG_DWORD /d "0" /f3⤵
- System Location Discovery: System Language Discovery
PID:6116
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "MaximumThrottlePercent" /t REG_DWORD /d "0" /f2⤵PID:5428
-
C:\Windows\SysWOW64\reg.exeReg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "MaximumThrottlePercent" /t REG_DWORD /d "0" /f3⤵PID:3612
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "MaximumPerformancePercent" /t REG_DWORD /d "100" /f2⤵PID:5032
-
C:\Windows\SysWOW64\reg.exeReg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "MaximumPerformancePercent" /t REG_DWORD /d "100" /f3⤵PID:5852
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power\PowerThrottling" /v "PowerThrottlingOff" /t REG_DWORD /d "1" /f2⤵PID:5412
-
C:\Windows\SysWOW64\reg.exeReg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power\PowerThrottling" /v "PowerThrottlingOff" /t REG_DWORD /d "1" /f3⤵PID:3432
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power\Policy\Settings\Processor" /v "CPHEADROOM" /t REG_DWORD /d "0" /f2⤵
- System Location Discovery: System Language Discovery
PID:4632 -
C:\Windows\SysWOW64\reg.exeReg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power\Policy\Settings\Processor" /v "CPHEADROOM" /t REG_DWORD /d "0" /f3⤵PID:5496
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power\Policy\Settings\Processor" /v "CPCONCURRENCY" /t REG_DWORD /d "0" /f2⤵PID:5024
-
C:\Windows\SysWOW64\reg.exeReg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power\Policy\Settings\Processor" /v "CPCONCURRENCY" /t REG_DWORD /d "0" /f3⤵
- System Location Discovery: System Language Discovery
PID:5692
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile" /v "SystemResponsiveness" /t REG_DWORD /d "10" /f > nul 2>&12⤵PID:2912
-
C:\Windows\SysWOW64\reg.exeReg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile" /v "SystemResponsiveness" /t REG_DWORD /d "10" /f3⤵PID:4500
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Audio" /v "Affinity" /t REG_DWORD /d "0" /f > nul 2>&12⤵PID:3664
-
C:\Windows\SysWOW64\reg.exeReg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Audio" /v "Affinity" /t REG_DWORD /d "0" /f3⤵
- System Location Discovery: System Language Discovery
PID:1472
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Audio" /v "Background Only" /t REG_SZ /d "True" /f > nul 2>&12⤵PID:5072
-
C:\Windows\SysWOW64\reg.exeReg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Audio" /v "Background Only" /t REG_SZ /d "True" /f3⤵PID:852
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Audio" /v "Clock Rate" /t REG_DWORD /d "10000" /f > nul 2>&12⤵
- System Location Discovery: System Language Discovery
PID:5148 -
C:\Windows\SysWOW64\reg.exeReg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Audio" /v "Clock Rate" /t REG_DWORD /d "10000" /f3⤵PID:5968
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Audio" /v "GPU Priority" /t REG_DWORD /d "8" /f > nul 2>&12⤵PID:1704
-
C:\Windows\SysWOW64\reg.exeReg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Audio" /v "GPU Priority" /t REG_DWORD /d "8" /f3⤵PID:4536
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Audio" /v "Priority" /t REG_DWORD /d "6" /f > nul 2>&12⤵PID:5612
-
C:\Windows\SysWOW64\reg.exeReg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Audio" /v "Priority" /t REG_DWORD /d "6" /f3⤵PID:1032
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Audio" /v "Scheduling Category" /t REG_SZ /d "Medium" /f > nul 2>&12⤵PID:5876
-
C:\Windows\SysWOW64\reg.exeReg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Audio" /v "Scheduling Category" /t REG_SZ /d "Medium" /f3⤵PID:5800
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Audio" /v "SFIO Priority" /t REG_SZ /d "Normal" /f > nul 2>&12⤵
- System Location Discovery: System Language Discovery
PID:3088 -
C:\Windows\SysWOW64\reg.exeReg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Audio" /v "SFIO Priority" /t REG_SZ /d "Normal" /f3⤵PID:5240
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Capture" /v "Affinity" /t REG_DWORD /d "0" /f > nul 2>&12⤵
- System Location Discovery: System Language Discovery
PID:5144 -
C:\Windows\SysWOW64\reg.exeReg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Capture" /v "Affinity" /t REG_DWORD /d "0" /f3⤵PID:6080
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Capture" /v "Background Only" /t REG_SZ /d "True" /f > nul 2>&12⤵PID:5948
-
C:\Windows\SysWOW64\reg.exeReg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Capture" /v "Background Only" /t REG_SZ /d "True" /f3⤵PID:2520
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Capture" /v "Clock Rate" /t REG_DWORD /d "10000" /f > nul 2>&12⤵PID:6120
-
C:\Windows\SysWOW64\reg.exeReg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Capture" /v "Clock Rate" /t REG_DWORD /d "10000" /f3⤵PID:6104
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Capture" /v "GPU Priority" /t REG_DWORD /d "8" /f > nul 2>&12⤵PID:4812
-
C:\Windows\SysWOW64\reg.exeReg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Capture" /v "GPU Priority" /t REG_DWORD /d "8" /f3⤵PID:5276
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Capture" /v "Priority" /t REG_DWORD /d "5" /f > nul 2>&12⤵PID:5452
-
C:\Windows\SysWOW64\reg.exeReg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Capture" /v "Priority" /t REG_DWORD /d "5" /f3⤵PID:2812
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Capture" /v "Scheduling Category" /t REG_SZ /d "Medium" /f > nul 2>&12⤵PID:5176
-
C:\Windows\SysWOW64\reg.exeReg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Capture" /v "Scheduling Category" /t REG_SZ /d "Medium" /f3⤵PID:512
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Capture" /v "SFIO Priority" /t REG_SZ /d "Normal" /f > nul 2>&12⤵PID:6112
-
C:\Windows\SysWOW64\reg.exeReg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Capture" /v "SFIO Priority" /t REG_SZ /d "Normal" /f3⤵PID:5500
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\DisplayPostProcessing" /v "Affinity" /t REG_DWORD /d "0" /f > nul 2>&12⤵PID:3928
-
C:\Windows\SysWOW64\reg.exeReg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\DisplayPostProcessing" /v "Affinity" /t REG_DWORD /d "0" /f3⤵PID:5244
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\DisplayPostProcessing" /v "Background Only" /t REG_SZ /d "True" /f > nul 2>&12⤵
- System Location Discovery: System Language Discovery
PID:3836 -
C:\Windows\SysWOW64\reg.exeReg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\DisplayPostProcessing" /v "Background Only" /t REG_SZ /d "True" /f3⤵PID:1676
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\DisplayPostProcessing" /v "BackgroundPriority" /t REG_DWORD /d "8" /f > nul 2>&12⤵PID:5488
-
C:\Windows\SysWOW64\reg.exeReg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\DisplayPostProcessing" /v "BackgroundPriority" /t REG_DWORD /d "8" /f3⤵PID:5340
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\DisplayPostProcessing" /v "Clock Rate" /t REG_DWORD /d "10000" /f > nul 2>&12⤵
- System Location Discovery: System Language Discovery
PID:1920 -
C:\Windows\SysWOW64\reg.exeReg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\DisplayPostProcessing" /v "Clock Rate" /t REG_DWORD /d "10000" /f3⤵PID:2956
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\DisplayPostProcessing" /v "GPU Priority" /t REG_DWORD /d "8" /f > nul 2>&12⤵PID:5596
-
C:\Windows\SysWOW64\reg.exeReg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\DisplayPostProcessing" /v "GPU Priority" /t REG_DWORD /d "8" /f3⤵PID:5196
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\DisplayPostProcessing" /v "Priority" /t REG_DWORD /d "8" /f > nul 2>&12⤵PID:5936
-
C:\Windows\SysWOW64\reg.exeReg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\DisplayPostProcessing" /v "Priority" /t REG_DWORD /d "8" /f3⤵PID:6020
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\DisplayPostProcessing" /v "Scheduling Category" /t REG_SZ /d "High" /f > nul 2>&12⤵PID:1440
-
C:\Windows\SysWOW64\reg.exeReg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\DisplayPostProcessing" /v "Scheduling Category" /t REG_SZ /d "High" /f3⤵PID:4940
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\DisplayPostProcessing" /v "SFIO Priority" /t REG_SZ /d "Normal" /f > nul 2>&12⤵PID:4396
-
C:\Windows\SysWOW64\reg.exeReg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\DisplayPostProcessing" /v "SFIO Priority" /t REG_SZ /d "Normal" /f3⤵PID:3096
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Distribution" /v "Affinity" /t REG_DWORD /d "0" /f > nul 2>&12⤵
- System Location Discovery: System Language Discovery
PID:4512 -
C:\Windows\SysWOW64\reg.exeReg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Distribution" /v "Affinity" /t REG_DWORD /d "0" /f3⤵PID:2848
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Distribution" /v "Background Only" /t REG_SZ /d "True" /f > nul 2>&12⤵PID:3056
-
C:\Windows\SysWOW64\reg.exeReg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Distribution" /v "Background Only" /t REG_SZ /d "True" /f3⤵PID:4776
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Distribution" /v "Clock Rate" /t REG_DWORD /d "10000" /f > nul 2>&12⤵PID:1128
-
C:\Windows\SysWOW64\reg.exeReg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Distribution" /v "Clock Rate" /t REG_DWORD /d "10000" /f3⤵PID:3848
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Distribution" /v "GPU Priority" /t REG_DWORD /d "8" /f > nul 2>&12⤵PID:4576
-
C:\Windows\SysWOW64\reg.exeReg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Distribution" /v "GPU Priority" /t REG_DWORD /d "8" /f3⤵PID:3532
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Distribution" /v "Priority" /t REG_DWORD /d "4" /f > nul 2>&12⤵PID:3760
-
C:\Windows\SysWOW64\reg.exeReg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Distribution" /v "Priority" /t REG_DWORD /d "4" /f3⤵PID:4208
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Distribution" /v "Scheduling Category" /t REG_SZ /d "Medium" /f > nul 2>&12⤵PID:3700
-
C:\Windows\SysWOW64\reg.exeReg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Distribution" /v "Scheduling Category" /t REG_SZ /d "Medium" /f3⤵PID:5656
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Distribution" /v "SFIO Priority" /t REG_SZ /d "Normal" /f > nul 2>&12⤵PID:5728
-
C:\Windows\SysWOW64\reg.exeReg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Distribution" /v "SFIO Priority" /t REG_SZ /d "Normal" /f3⤵PID:5888
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Playback" /v "Affinity" /t REG_DWORD /d "0" /f > nul 2>&12⤵PID:5964
-
C:\Windows\SysWOW64\reg.exeReg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Playback" /v "Affinity" /t REG_DWORD /d "0" /f3⤵PID:6048
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Playback" /v "Background Only" /t REG_SZ /d "False" /f > nul 2>&12⤵PID:4628
-
C:\Windows\SysWOW64\reg.exeReg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Playback" /v "Background Only" /t REG_SZ /d "False" /f3⤵PID:5240
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Playback" /v "BackgroundPriority" /t REG_DWORD /d "4" /f > nul 2>&12⤵PID:4568
-
C:\Windows\SysWOW64\reg.exeReg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Playback" /v "BackgroundPriority" /t REG_DWORD /d "4" /f3⤵PID:5808
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Playback" /v "Clock Rate" /t REG_DWORD /d "10000" /f > nul 2>&12⤵PID:5832
-
C:\Windows\SysWOW64\reg.exeReg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Playback" /v "Clock Rate" /t REG_DWORD /d "10000" /f3⤵PID:5792
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Playback" /v "GPU Priority" /t REG_DWORD /d "8" /f > nul 2>&12⤵PID:2260
-
C:\Windows\SysWOW64\reg.exeReg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Playback" /v "GPU Priority" /t REG_DWORD /d "8" /f3⤵PID:5856
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Playback" /v "Priority" /t REG_DWORD /d "3" /f > nul 2>&12⤵PID:5532
-
C:\Windows\SysWOW64\reg.exeReg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Playback" /v "Priority" /t REG_DWORD /d "3" /f3⤵PID:6068
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Playback" /v "Scheduling Category" /t REG_SZ /d "Medium" /f > nul 2>&12⤵
- System Location Discovery: System Language Discovery
PID:4100 -
C:\Windows\SysWOW64\reg.exeReg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Playback" /v "Scheduling Category" /t REG_SZ /d "Medium" /f3⤵PID:3288
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Playback" /v "SFIO Priority" /t REG_SZ /d "Normal" /f > nul 2>&12⤵PID:4188
-
C:\Windows\SysWOW64\reg.exeReg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Playback" /v "SFIO Priority" /t REG_SZ /d "Normal" /f3⤵PID:5500
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Pro Audio" /v "Affinity" /t REG_DWORD /d "0" /f > nul 2>&12⤵PID:5436
-
C:\Windows\SysWOW64\reg.exeReg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Pro Audio" /v "Affinity" /t REG_DWORD /d "0" /f3⤵PID:4780
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Pro Audio" /v "Background Only" /t REG_SZ /d "False" /f > nul 2>&12⤵PID:5444
-
C:\Windows\SysWOW64\reg.exeReg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Pro Audio" /v "Background Only" /t REG_SZ /d "False" /f3⤵PID:6076
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Pro Audio" /v "Clock Rate" /t REG_DWORD /d "10000" /f > nul 2>&12⤵PID:5732
-
C:\Windows\SysWOW64\reg.exeReg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Pro Audio" /v "Clock Rate" /t REG_DWORD /d "10000" /f3⤵PID:5708
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Pro Audio" /v "GPU Priority" /t REG_DWORD /d "8" /f > nul 2>&12⤵PID:5352
-
C:\Windows\SysWOW64\reg.exeReg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Pro Audio" /v "GPU Priority" /t REG_DWORD /d "8" /f3⤵PID:5516
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Pro Audio" /v "Priority" /t REG_DWORD /d "1" /f > nul 2>&12⤵PID:6116
-
C:\Windows\SysWOW64\reg.exeReg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Pro Audio" /v "Priority" /t REG_DWORD /d "1" /f3⤵PID:6020
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Pro Audio" /v "Scheduling Category" /t REG_SZ /d "High" /f > nul 2>&12⤵
- System Location Discovery: System Language Discovery
PID:3612 -
C:\Windows\SysWOW64\reg.exeReg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Pro Audio" /v "Scheduling Category" /t REG_SZ /d "High" /f3⤵PID:5556
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Pro Audio" /v "SFIO Priority" /t REG_SZ /d "Normal" /f > nul 2>&12⤵PID:5376
-
C:\Windows\SysWOW64\reg.exeReg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Pro Audio" /v "SFIO Priority" /t REG_SZ /d "Normal" /f3⤵PID:5580
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Window Manager" /v "Affinity" /t REG_DWORD /d "0" /f > nul 2>&12⤵PID:5932
-
C:\Windows\SysWOW64\reg.exeReg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Window Manager" /v "Affinity" /t REG_DWORD /d "0" /f3⤵PID:4704
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Window Manager" /v "Background Only" /t REG_SZ /d "True" /f > nul 2>&12⤵PID:3812
-
C:\Windows\SysWOW64\reg.exeReg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Window Manager" /v "Background Only" /t REG_SZ /d "True" /f3⤵PID:3484
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Window Manager" /v "Clock Rate" /t REG_DWORD /d "10000" /f > nul 2>&12⤵PID:1796
-
C:\Windows\SysWOW64\reg.exeReg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Window Manager" /v "Clock Rate" /t REG_DWORD /d "10000" /f3⤵PID:4412
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Window Manager" /v "GPU Priority" /t REG_DWORD /d "8" /f > nul 2>&12⤵PID:3848
-
C:\Windows\SysWOW64\reg.exeReg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Window Manager" /v "GPU Priority" /t REG_DWORD /d "8" /f3⤵
- System Location Discovery: System Language Discovery
PID:4716
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Window Manager" /v "Priority" /t REG_DWORD /d "5" /f > nul 2>&12⤵PID:3592
-
    C:\Windows\SysWOW64\reg.exe
      Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Window Manager" /v "Priority" /t REG_DWORD /d "5" /f
      PID:5184

  C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Window Manager" /v "Scheduling Category" /t REG_SZ /d "Medium" /f > nul 2>&1
    PID:5968

    C:\Windows\SysWOW64\reg.exe
      Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Window Manager" /v "Scheduling Category" /t REG_SZ /d "Medium" /f
      PID:5712

  C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Window Manager" /v "SFIO Priority" /t REG_SZ /d "Normal" /f > nul 2>&1
    PID:6016

    C:\Windows\SysWOW64\reg.exe
      Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Window Manager" /v "SFIO Priority" /t REG_SZ /d "Normal" /f
      PID:5628

  C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Games" /v "Affinity" /t REG_DWORD /d "0" /f > nul 2>&1
    PID:5604

    C:\Windows\SysWOW64\reg.exe
      Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Games" /v "Affinity" /t REG_DWORD /d "0" /f
      PID:5776

  C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Games" /v "Background Only" /t REG_SZ /d "False" /f > nul 2>&1
    PID:4092

    C:\Windows\SysWOW64\reg.exe
      Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Games" /v "Background Only" /t REG_SZ /d "False" /f
      PID:6060

  C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Games" /v "Clock Rate" /t REG_DWORD /d "10000" /f > nul 2>&1
    PID:5640

    C:\Windows\SysWOW64\reg.exe
      Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Games" /v "Clock Rate" /t REG_DWORD /d "10000" /f
      PID:2520

  C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Games" /v "GPU Priority" /t REG_DWORD /d "8" /f > nul 2>&1
    PID:5292

    C:\Windows\SysWOW64\reg.exe
      Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Games" /v "GPU Priority" /t REG_DWORD /d "8" /f
      - System Location Discovery: System Language Discovery
      PID:6088

  C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Games" /v "Priority" /t REG_DWORD /d "6" /f > nul 2>&1
    PID:5284

    C:\Windows\SysWOW64\reg.exe
      Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Games" /v "Priority" /t REG_DWORD /d "6" /f
      PID:5228

  C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Games" /v "Scheduling Category" /t REG_SZ /d "High" /f > nul 2>&1
    PID:5328

    C:\Windows\SysWOW64\reg.exe
      Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Games" /v "Scheduling Category" /t REG_SZ /d "High" /f
      PID:1336

  C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Games" /v "SFIO Priority" /t REG_SZ /d "High" /f > nul 2>&1
    PID:3408

    C:\Windows\SysWOW64\reg.exe
      Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Games" /v "SFIO Priority" /t REG_SZ /d "High" /f
      PID:4008

  C:\Windows\system32\cmd.exe
    "C:\Windows\Sysnative\cmd.exe" /c bcdedit.exe /set bootux disabled
    PID:5904

    C:\Windows\system32\bcdedit.exe
      bcdedit.exe /set bootux disabled
      - Modifies boot configuration data using bcdedit
      PID:5952

  C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\dwm.exe" /v "MitigationOptions" /t REG_BINARY /d "22222222222222222222222222222222" /f
    PID:5748

    C:\Windows\SysWOW64\reg.exe
      reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\dwm.exe" /v "MitigationOptions" /t REG_BINARY /d "22222222222222222222222222222222" /f
      - Event Triggered Execution: Image File Execution Options Injection
      PID:5344

  C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\lsass.exe" /v "MitigationOptions" /t REG_BINARY /d "22222222222222222222222222222222" /f
    PID:2676

    C:\Windows\SysWOW64\reg.exe
      reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\lsass.exe" /v "MitigationOptions" /t REG_BINARY /d "22222222222222222222222222222222" /f
      - Event Triggered Execution: Image File Execution Options Injection
      PID:3640

  C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\svchost.exe" /v "MitigationOptions" /t REG_BINARY /d "22222222222222222222222222222222" /f
    PID:4592

    C:\Windows\SysWOW64\reg.exe
      reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\svchost.exe" /v "MitigationOptions" /t REG_BINARY /d "22222222222222222222222222222222" /f
      - Event Triggered Execution: Image File Execution Options Injection
      PID:2036

  C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WmiPrvSE.exe" /v "MitigationOptions" /t REG_BINARY /d "22222222222222222222222222222222" /f
    PID:652

    C:\Windows\SysWOW64\reg.exe
      reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WmiPrvSE.exe" /v "MitigationOptions" /t REG_BINARY /d "22222222222222222222222222222222" /f
      - Event Triggered Execution: Image File Execution Options Injection
      PID:3104

  C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winlogon.exe" /v "MitigationOptions" /t REG_BINARY /d "22222222222222222222222222222222" /f
    PID:4356

    C:\Windows\SysWOW64\reg.exe
      reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winlogon.exe" /v "MitigationOptions" /t REG_BINARY /d "22222222222222222222222222222222" /f
      - Event Triggered Execution: Image File Execution Options Injection
      PID:2288

  C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\csrss.exe" /v "MitigationOptions" /t REG_BINARY /d "22222222222222222222222222222222" /f
    PID:5700

    C:\Windows\SysWOW64\reg.exe
      reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\csrss.exe" /v "MitigationOptions" /t REG_BINARY /d "22222222222222222222222222222222" /f
      - Event Triggered Execution: Image File Execution Options Injection
      PID:5864

  C:\Windows\SysWOW64\powercfg.exe
    "C:\Windows\System32\powercfg.exe" -setacvalueindex scheme_current sub_processor THROTTLING 0
    - Power Settings
    - Suspicious use of AdjustPrivilegeToken
    PID:5664

  C:\Users\Admin\AppData\Roaming\zion\nvidiaProfileInspector.exe
    "C:\Users\Admin\AppData\Roaming\zion\nvidiaProfileInspector.exe" "C:\Users\Admin\AppData\Roaming\zion\zion.nip"
    - Executes dropped EXE
    PID:2876

  C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" delete "HKLM\Software\Microsoft\Active Setup\Installed Components\{AFE6A462-C574-4B8A-AF43-4CC60DF4563B}" /f
    PID:4928

  C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" delete "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{56CA197F-543C-40DC-953C-B9C6196C92A5}" /f
    PID:2104

  C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" delete "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{0948A341-8E1E-479F-A667-6169E4D5CB2A}" /f
    PID:3928

  C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" delete "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{0948A341-8E1E-479F-A667-6169E4D5CB2A}" /f
    PID:4568

  C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" delete "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{56CA197F-543C-40DC-953C-B9C6196C92A5}" /f
    PID:3592

  C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" delete "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\BraveSoftwareUpdateTaskMachineCore" /f
    PID:3612

  C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" delete "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\BraveSoftwareUpdateTaskMachineUA" /f
    PID:5328

  C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C TAKEOWN /F "C:\Windows\SystemApps" /A & ICACLS "C:\Windows\SystemApps" /GRANT Administrators:(F)
    PID:1456

    C:\Windows\SysWOW64\takeown.exe
      TAKEOWN /F "C:\Windows\SystemApps" /A
      - Possible privilege escalation attempt
      - Modifies file permissions
      PID:2548

    C:\Windows\SysWOW64\icacls.exe
      ICACLS "C:\Windows\SystemApps" /GRANT Administrators:(F)
      - Possible privilege escalation attempt
      - Modifies file permissions
      PID:5356

  C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C TAKEOWN /F "C:\ProgramData\Packages" /A & ICACLS "C:\ProgramData\Packages" /GRANT Administrators:(F)
    PID:5544

    C:\Windows\SysWOW64\takeown.exe
      TAKEOWN /F "C:\ProgramData\Packages" /A
      - Possible privilege escalation attempt
      - Modifies file permissions
      PID:4352

    C:\Windows\SysWOW64\icacls.exe
      ICACLS "C:\ProgramData\Packages" /GRANT Administrators:(F)
      - Possible privilege escalation attempt
      - Modifies file permissions
      PID:5852

  C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C TAKEOWN /F "C:\Users\Admin\AppData\Local\Packages" /A & ICACLS "C:\Users\Admin\AppData\Local\Packages" /GRANT Administrators:(F)
    PID:2360

    C:\Windows\SysWOW64\takeown.exe
      TAKEOWN /F "C:\Users\Admin\AppData\Local\Packages" /A
      - Possible privilege escalation attempt
      - Modifies file permissions
      PID:3960

    C:\Windows\SysWOW64\icacls.exe
      ICACLS "C:\Users\Admin\AppData\Local\Packages" /GRANT Administrators:(F)
      - Possible privilege escalation attempt
      - Modifies file permissions
      PID:2680

  C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C TAKEOWN /F "C:\Program Files\WindowsApps" /A & ICACLS "C:\Program Files\WindowsApps" /GRANT Administrators:(F)
    PID:4868

    C:\Windows\SysWOW64\takeown.exe
      TAKEOWN /F "C:\Program Files\WindowsApps" /A
      - Possible privilege escalation attempt
      - Modifies file permissions
      - Suspicious use of AdjustPrivilegeToken
      PID:5152

    C:\Windows\SysWOW64\icacls.exe
      ICACLS "C:\Program Files\WindowsApps" /GRANT Administrators:(F)
      - Possible privilege escalation attempt
      - Modifies file permissions
      PID:5608

  C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C TAKEOWN /F "C:\Program Files (x86)\Microsoft" /A & ICACLS "C:\Program Files (x86)\Microsoft" /GRANT Administrators:(F)
    PID:1644

    C:\Windows\SysWOW64\takeown.exe
      TAKEOWN /F "C:\Program Files (x86)\Microsoft" /A
      - Possible privilege escalation attempt
      - Modifies file permissions
      PID:3572

    C:\Windows\SysWOW64\icacls.exe
      ICACLS "C:\Program Files (x86)\Microsoft" /GRANT Administrators:(F)
      - Possible privilege escalation attempt
      - Modifies file permissions
      PID:5744

  C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C TAKEOWN /F "C:\Users\Admin\AppData\Local\Microsoft\WindowsApps" /A & ICACLS "C:\Users\Admin\AppData\Local\Microsoft\WindowsApps" /GRANT Administrators:(F)
    PID:5336

    C:\Windows\SysWOW64\takeown.exe
      TAKEOWN /F "C:\Users\Admin\AppData\Local\Microsoft\WindowsApps" /A
      - Possible privilege escalation attempt
      - Modifies file permissions
      PID:8

    C:\Windows\SysWOW64\icacls.exe
      ICACLS "C:\Users\Admin\AppData\Local\Microsoft\WindowsApps" /GRANT Administrators:(F)
      - Possible privilege escalation attempt
      - Modifies file permissions
      PID:3532

  C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C TAKEOWN /F "C:\Windows" /A & ICACLS "C:\Windows" /GRANT Administrators:(F)
    PID:2596

    C:\Windows\SysWOW64\takeown.exe
      TAKEOWN /F "C:\Windows" /A
      - Possible privilege escalation attempt
      - Modifies file permissions
      - Suspicious use of AdjustPrivilegeToken
      PID:4208

    C:\Windows\SysWOW64\icacls.exe
      ICACLS "C:\Windows" /GRANT Administrators:(F)
      - Possible privilege escalation attempt
      - Modifies file permissions
      PID:852

  C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C TAKEOWN /F "C:\Windows\System32" /A & ICACLS "C:\Windows\System32" /GRANT Administrators:(F)
    - System Location Discovery: System Language Discovery
    PID:4320

    C:\Windows\SysWOW64\takeown.exe
      TAKEOWN /F "C:\Windows\System32" /A
      - Possible privilege escalation attempt
      - Modifies file permissions
      - Suspicious use of AdjustPrivilegeToken
      PID:5684

    C:\Windows\SysWOW64\icacls.exe
      ICACLS "C:\Windows\System32" /GRANT Administrators:(F)
      - Possible privilege escalation attempt
      - Modifies file permissions
      PID:5700

  C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C TAKEOWN /F "C:\Windows\SysWOW64" /A & ICACLS "C:\Windows\SysWOW64" /GRANT Administrators:(F)
    - System Location Discovery: System Language Discovery
    PID:5628

    C:\Windows\SysWOW64\takeown.exe
      TAKEOWN /F "C:\Windows\SysWOW64" /A
      - Possible privilege escalation attempt
      - Modifies file permissions
      PID:3944

    C:\Windows\SysWOW64\icacls.exe
      ICACLS "C:\Windows\SysWOW64" /GRANT Administrators:(F)
      - Possible privilege escalation attempt
      - Modifies file permissions
      PID:5160
  C:\Windows\SysWOW64\OneDriveSetup.exe
    "C:\Windows\SysWOW64\OneDriveSetup.exe" /uninstall
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:6052

    C:\Windows\SysWOW64\OneDriveSetup.exe
      "C:\Windows\SysWOW64\OneDriveSetup.exe" C:\Windows\SysWOW64\OneDriveSetup.exe /uninstall /permachine /childprocess /silent /enableOMCTelemetry /enableExtractCabV2 /cusid:S-1-5-21-1194130065-3471212556-1656947724-1000
      PID:3056

    C:\Windows\SysWOW64\OneDriveSetup.exe
      C:\Windows\SysWOW64\OneDriveSetup.exe /uninstall /peruser /childprocess /enableOMCTelemetry /enableExtractCabV2
      - Modifies system executable filetype association
      - Drops desktop.ini file(s)
      - Modifies registry class
      - Suspicious behavior: EnumeratesProcesses
      PID:5352

      C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileSyncConfig.exe
        "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileSyncConfig.exe" /uninstall
        - System Location Discovery: System Language Discovery
        - Modifies registry class
        PID:3328

  C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C DEL /Q "C:\Windows\helpPane.exe"
    PID:2704

  C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C DEL /Q "C:\Windows\System32\backgroundtaskhost.exe"
    PID:5932

  C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C DEL /Q "C:\Windows\System32\EaseOfAccessDialog.exe"
    PID:4632

  C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C DEL /Q "C:\Windows\System32\RuntimeBroker.exe"
    PID:5936

  C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C DEL /Q "C:\Windows\System32\WSClient.dll"
    PID:5820

  C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C DEL /Q "C:\Windows\System32\WSCollect.exe"
    PID:4180

  C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C DEL /Q "C:\Windows\System32\gamebarpresencewriter.exe"
    PID:4076

  C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C DEL /Q "C:\Windows\System32\gamepanel.exe"
    PID:3096

  C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C DEL /Q "C:\Windows\System32\magnify.exe"
    PID:6020

  C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C DEL /Q "C:\Windows\System32\mblctr.exe"
    PID:2140

  C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C DEL /Q "C:\Windows\System32\sdiagnhost.exe"
    - System Location Discovery: System Language Discovery
    PID:3932

  C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C DEL /Q "C:\Windows\System32\mobsync.exe"
    - System Location Discovery: System Language Discovery
    PID:5316

  C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C DEL /Q "C:\Windows\System32\msdt.exe"
    PID:1912

  C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C DEL /Q "C:\Windows\System32\narrator.exe"
    PID:5744

  C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C DEL /Q "C:\Windows\System32\osk.exe"
    PID:3052

  C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C DEL /Q "C:\Windows\System32\smartscreen.exe"
    PID:1744

  C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C DEL /Q "C:\Windows\SysWOW64\backgroundtaskhost.exe"
    PID:4100

  C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C DEL /Q "C:\Windows\SysWOW64\EaseOfAccessDialog.exe"
    PID:5072

  C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C DEL /Q "C:\Windows\SysWOW64\WSClient.dll"
    PID:2152

  C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C DEL /Q "C:\Windows\SysWOW64\gamebarpresencewriter.exe"
    PID:3652

  C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C DEL /Q "C:\Windows\SysWOW64\gamepanel.exe"
    PID:2736

  C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C DEL /Q "C:\Windows\SysWOW64\magnify.exe"
    PID:2768

  C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C DEL /Q "C:\Windows\SysWOW64\mobsync.exe"
    PID:6060

  C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C DEL /Q "C:\Windows\SysWOW64\flashPlayerCPLApp.cpl"
    PID:512

  C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C DEL /Q "C:\Windows\SysWOW64\flashPlayerApp.exe"
    PID:3760

  C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C RD /S /Q "C:\Windows\SystemApps"
    - Drops file in Windows directory
    PID:3664

  C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C RD /S /Q "C:\ProgramData\Packages"
    - System Location Discovery: System Language Discovery
    PID:5328

  C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C RD /S /Q "C:\Users\Admin\AppData\Local\Packages"
    PID:972

  C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C RD /S /Q "C:\Program Files\WindowsApps"
    - Drops file in Program Files directory
    PID:5584

  C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C RD /S /Q "C:\Program Files (x86)\Microsoft"
    PID:4000

  C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C RD /S /Q "C:\Users\Admin\AppData\Local\Microsoft\WindowsApps"
    PID:4840
C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe"
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:2376

  C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ff9b2b7cc40,0x7ff9b2b7cc4c,0x7ff9b2b7cc58
    PID:4612

  C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1968,i,7894896230260082815,1887609408921854290,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=1964 /prefetch:2
    PID:4624

  C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2064,i,7894896230260082815,1887609408921854290,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=1952 /prefetch:3
    PID:4428

  C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=1744,i,7894896230260082815,1887609408921854290,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2412 /prefetch:8
    PID:3752

  C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3148,i,7894896230260082815,1887609408921854290,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3168 /prefetch:1
    PID:2592

  C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3200,i,7894896230260082815,1887609408921854290,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3300 /prefetch:1
    PID:2840

  C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4344,i,7894896230260082815,1887609408921854290,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4704 /prefetch:1
    PID:5616

  C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4880,i,7894896230260082815,1887609408921854290,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4892 /prefetch:8
    PID:5212

  C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5100,i,7894896230260082815,1887609408921854290,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5112 /prefetch:8
    PID:4116

  C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --field-trial-handle=5396,i,7894896230260082815,1887609408921854290,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5292 /prefetch:1
    PID:116

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
  "C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
  PID:2012

C:\Windows\SysWOW64\DllHost.exe
  C:\Windows\SysWOW64\DllHost.exe /Processid:{E2B3C97F-6AE1-41AC-817A-F6F92166D7DD}
  PID:2548

C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
  PID:5516

C:\Windows\system32\rundll32.exe
  "C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.Windows.Search_cw5n1h2txyewy
  PID:2044

C:\Windows\System32\svchost.exe
  C:\Windows\System32\svchost.exe -k UnistackSvcGroup
  PID:5188

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
  "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
  - Enumerates system info in registry
  - Modifies Internet Explorer settings
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  PID:1232

C:\Windows\system32\rundll32.exe
  "C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy
  PID:4060

C:\Windows\system32\taskmgr.exe
  "C:\Windows\system32\taskmgr.exe" /4
  - Checks SCSI registry key(s)
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  PID:5612

C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe"
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  PID:3408

  C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9b2b7cc40,0x7ff9b2b7cc4c,0x7ff9b2b7cc58
    PID:2940

  C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=2052,i,8656790580237659824,4964800369518590643,262144 --variations-seed-version=20240812-180139.675000 --mojo-platform-channel-handle=1980 /prefetch:2
    PID:2236

  C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1872,i,8656790580237659824,4964800369518590643,262144 --variations-seed-version=20240812-180139.675000 --mojo-platform-channel-handle=2088 /prefetch:3
    PID:1952

  C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2296,i,8656790580237659824,4964800369518590643,262144 --variations-seed-version=20240812-180139.675000 --mojo-platform-channel-handle=2468 /prefetch:8
    PID:1808

  C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3120,i,8656790580237659824,4964800369518590643,262144 --variations-seed-version=20240812-180139.675000 --mojo-platform-channel-handle=3164 /prefetch:1
    PID:1472

  C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3128,i,8656790580237659824,4964800369518590643,262144 --variations-seed-version=20240812-180139.675000 --mojo-platform-channel-handle=3312 /prefetch:1
    PID:2336

  C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4596,i,8656790580237659824,4964800369518590643,262144 --variations-seed-version=20240812-180139.675000 --mojo-platform-channel-handle=4556 /prefetch:1
    PID:6020

  C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4440,i,8656790580237659824,4964800369518590643,262144 --variations-seed-version=20240812-180139.675000 --mojo-platform-channel-handle=4452 /prefetch:8
    PID:2972

  C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5036,i,8656790580237659824,4964800369518590643,262144 --variations-seed-version=20240812-180139.675000 --mojo-platform-channel-handle=5084 /prefetch:8
    PID:5336

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
  "C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
  PID:3432
Network
MITRE ATT&CK Enterprise v15

Persistence
- Event Triggered Execution (3)
  - Change Default File Association (1)
  - Component Object Model Hijacking (1)
  - Image File Execution Options Injection (1)
- Hijack Execution Flow (1)
  - Executable Installer File Permissions Weakness (1)
- Power Settings (1)

Privilege Escalation
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Event Triggered Execution (3)
  - Change Default File Association (1)
  - Component Object Model Hijacking (1)
  - Image File Execution Options Injection (1)
- Hijack Execution Flow (1)
  - Executable Installer File Permissions Weakness (1)

Defense Evasion
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- File and Directory Permissions Modification (2)
  - Windows File and Directory Permissions Modification (1)
- Hide Artifacts (2)
  - Hidden Files and Directories (1)
  - Ignore Process Interrupts (1)
- Hijack Execution Flow (1)
  - Executable Installer File Permissions Weakness (1)
- Impair Defenses (1)
  - Disable or Modify Tools (1)
- Indicator Removal (1)
  - File Deletion (1)
- Modify Registry (6)
Downloads
-
Filesize
59KB
MD5459c74b5d6fb993a8573c23ee3ded1f9
SHA1907db6566530a7b9d780abb54babcf9d13299ef5
SHA256cc85b031dc4db22e303ae4253b4d7ca50527e40b630c1ce22428ad8e6cdfc473
SHA512380117b785483503fe948a7760d59cee5443b0cbccbd726c0aaf8a695c90976407c09058dd831d21918df070164e5e15c7f963533a9089f4d7bd4302b074eee4
-
Filesize
24KB
MD5700b9e1bc64e4c4d024a2812ff24a6e2
SHA1d4e5b20bb45593ccad19a2993175f07987151377
SHA256e15cd79725ebbd71746f055150df00c2797e4ff29ebce99485d2c8f121c2c63c
SHA512f4eee0aa2939464fc10534d7ebaed5ce607fc7ed20839dbe5398644656fcc6324a6d5f3da13fdf16ac3115d6d4b322766ae2d7e6946ce07dbf53ffe5bc983b6b
-
Filesize
34KB
MD5ce266f9b55889c746fe355da64c32d34
SHA1973b3d6f4a7139fb4539b9e47cf2bb111d8ebd93
SHA25662c4236e0e35306737c6b21d260c0e22c339c40ef574af5e78a422ca7f331baa
SHA5127ff0140ae69622241f2f92823a638b3bdf18e77087c80d5a1ee958196dfdf56c128e310a12ecd09ff7b3330f42434ae597311c007c6d08b684e3f3aa5d88e35a
-
Filesize
37KB
MD52e349c9c2848067f29fc05455778383e
SHA1d0cbb44a5abac29f7bc2c3e2aa74bb19f5150861
SHA256270a2c1fff59cc136bf1860d474638f5ffc56a95c230510fdda583f132a295cf
SHA512dbbc81d9f94e39e2b70623b3e0c84e217bb776e45873d8ad223a6c79564e71b6be03a42461db1c851c2f90ed85efbd17434c0620fcbc3c471bb80d7c61ede6e8
-
Filesize
24KB
MD5717bdcc2d8e3d1142003810c844ce397
SHA19ba6c5a76e87fc29632014ab00150a8ca62f729e
SHA2564efb18c9eaac25bd04eef7128599f0a7832eaf0e0abfb394e278851d3fe40af1
SHA512e43f47fdd36e3ad378f91f969cb591e07fa0e711541b4eae1a41a0c9277fcd9bff188d65cefbf87f68ec569deeab0116a4e43bbc4685d846bb1a9f970318b41f
-
Filesize
41KB
MD57b0c919be0590da19c0293ce154d7796
SHA16a73edf4e6d3de7a88bb5563ce1c1f948680bdee
SHA256bcb8a6280b0c453d988e719b7e4e431cca6b4df6538f9a11067a8f11fd93a771
SHA5121d8085d17767d05649873695b9a7cbeff93d2a50b41ab2e4b6c98469a35664d343a8651349ee5836acb4900a2c84318098fdd58b8f369a8316826fb3eeb3a99f
-
Filesize
38KB
MD5dff62a9ddeb1e187d52e30a85ae13dc1
SHA19f7c0233d39733108808f3b1ab388e3df87da66d
SHA256290f04addf487582e4eb8f2fe71ad29aaed893e4e53e04ef2ebf5cca956029e8
SHA512cda24f6c1ded5d6626fdc3567ab767884d7685de0dc966acac81aeebed2d0187bf04f288958b6c81d58478918b15be2a4e510613ad6857a0afa9aba40525e3f3
-
Filesize
49KB
MD5de9d0fd3163e0592e0f8f8984f7a04ec
SHA18d2bc85900f15bfe0587a5e81ebd8c15e1302f01
SHA256c02da7c56374020f40f087f3c83a13ccc1acbf03a18829ce7abaa0947d12109e
SHA51205a1ca31cc9300d77ec2f23f15b4617f5efe6d0c228871e212a234374ba981ee8086ef2519b3a6aefa3443827068aa9a8b40e3e91ac7cffc3e48034d7a742958
-
Filesize
26KB
MD56ef62dd094dacb5895c5f9ef5bff8674
SHA1cfbc2d92b4fa970f839e1f22b703bf2551597ef7
SHA256da4fb363f6f0b63a27cfacc4529e254faf79c9bfab24d47833f6bc546156011a
SHA5127fb5123ba46b683f85342de523cddcee748a884193e222004dfe882067da40adb907760ddf5fd7f10c7ad5c6309cb49350e03ab59254d0d3632a7adeb972f2c3
-
Filesize
20KB
MD54b90b50f4c6ae8991187fd0924cf0dbe
SHA1324870685a73cd56fca994d1eada8b49f444730f
SHA256bc0938cc9cd42f79ba98dde8a27219bee02f5a4462cf85ce431ccfe03d88d14d
SHA512c1aa59f31b2a7593a981659f2cdecdd5ee10842399cb536be48af7d484ac6670d53b9c92406c3a6a4355764919c8cf63853af46fbf4fe46f51b5cf64d25ae26c
-
Filesize
19KB
MD5b1594b7343b6ae4ee46355175b59aab5
SHA1ce2bd811f6a3b8e3f6dcde81d5b1f2c6c04a3c40
SHA256a9ca2f3eb1ccd46404744fdc9a79ecc2c36f8456a3e5313cf6f77035fd348bde
SHA512e79c9d1dfa5f1cae137ca353be43c2982dfa1916b8b09445b9a5e6a99e4caf85c0f53085d05415569f8ee67bfd0f166e31acedc919b8d998ed1fdcfe7c3843d0
-
Filesize
280B
MD5075d80a6bca9bc422e8971e02e424593
SHA103b85f3af110bcf38a381a8dd0960ea47d57874b
SHA25659a8c5ce32f3c78fb84bfa101f4759ad8bb6d4cc18ef6d5189a842d880803ae2
SHA5123bac6196bbb6f05ff4b12feb9a332c480f8fc24a31cdde272278e4992eb68b546b4119ca537de6d076146a256eaa19eca8e5e47002a7cb71e2d34910590f9cde
-
Filesize
240B
MD55f3b94474faf6f67deb0ef536e850cc7
SHA1be824d3b26cdf9a287df8dff508f728f2e66421a
SHA2565f9aa382b8300a14301e2f9a41214f38ee865f6e3d0bab656d5448633cdff703
SHA512d09ba7919326103ff3c641bed38a0ac91099f7eb78f2c3919835f31e23ca325c9e8f246943c936167081ad92801972b4e202f572f06586eb858034e4db6a1037
-
Filesize
216B
MD56b06506ba93a079dd0d565757014b21e
SHA19953fe557f348c539ed00f9064ca1d5e0bcd3b02
SHA256c794d115ed90c409b71869e6bc5d1da39fe1b18e71d36bd4b8cd7a47646ae740
SHA5120dbd70ee117e617967f34d4f85519d2079409f275a90a765b7d923a414a48b405090be5da7e23c38e68dfcac568c4c2a7ede4859ca48c4b2ea89fe5a35b0a5b9
-
Filesize
264KB
MD503dffd25764045486ab62b7d1e832afd
SHA1b6236cc777c872fb6cb466032c4b321f3b6fc779
SHA256e2d2fdfcd2cb5c064ef7106ca20f80c4b03ac52f29cf1b89f20cdeddcb759bfe
SHA512669a8f6b1557c3a143d9b9342c4b0fa87e2c1fcdbf4e7886deebcf42933180ad7663e3f1fbc590ff0d4a4e5b592d9862b4731ea3d03ab5db95548da752b1c11d
-
Filesize
20KB
MD502bc5d025450a7bdff11f23bf7cb276b
SHA17633d94b370f455c5219be3de93b99adaa52705e
SHA256170bdaba46707830876dd525d9c1111d0480124a1e316b237af2fc0f08bbc736
SHA5122537695656cd39e33316825e87a75a6287383829a1fbfae8d983a440b72477c5f175d694734eca04a61cf5e2c62d513ce92dedc43974530fd473212d1ec28172
-
Filesize
160KB
MD5b18bc50dd03625520f926663d46f8695
SHA137031ccc628e1bb1074d05567e28a18ec826ee62
SHA256f0bb633c93cf06bc61cf5b666d1e37dc1fe9d40d0410ff5cb17e2554c1698aaf
SHA512895236d1bc47ba479770d4d334f0173384b19afc40bc4cd07b643e26de4f01974b16552da18eded805de7bd84022ed82bbbdc625771af2be76b7994f8615415b
-
Filesize
2KB
MD52aaebd0b58db301034a71315169914b3
SHA1e01550c84bedddcee2cb45002eacd42543b34cef
SHA2567ba5dac6d75f50a82a2881f0154e333d63e0d8a8a44df888b99dc551ad13e262
SHA5122f0bf6417c808360d1a768b05eeba17f60d660a3fc94bc323c6bc3b737d1dda0b7ecbc0232bd9972c34cac30396722dee13a6de5aea7778d6ea0cf62fb441480
-
Filesize
2KB
MD573a4e406f330de25eb54504e43936ad3
SHA130e85443615130c7de90f7400e1682c7a29c5848
SHA256fe75bf656bb3b68b52f551119459cc4c9aae0a81d8c16e7a48bccfc4e0a85fd5
SHA512844a13bb96a56307fb2062b00a4b0f7b72e1ffbdd166c0e9a762658162f56ad8a5e56803d8b3fdf240c90baacac43f90599082b09266d00cc0d5d8765477f78b
-
Filesize
2KB
MD54f4ab8a7dbcd987f144c8c2c442ba7c3
SHA123d103f9b8cf63413df8bd1f14bd5bf7cc53e873
SHA25650ded665140495c786c5c306b7f8f11188e9c854b39906bbcd23f0fdc59611af
SHA512cef8829d293756808e8fe056342bf8e3bd16ba87c9c1474bde988ba0f28b855451f0a0979d92089e7fe3cdd108f04e0a06c2527294b7bf21ee6355c039317a08
-
Filesize
2B
MD5d751713988987e9331980363e24189ce
SHA197d170e1550eee4afc0af065b78cda302a97674c
SHA2564f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af
-
Filesize
356B
MD58dbaad77f530dd020a7d9d414ccb48c0
SHA15953b9057cb5b433e60cbad9c6c3abc306f24cb9
SHA2562fb9de08feeb31dbd05920bcf52a83dfdaa49e87c98b0da87e7534555b5cd8e3
SHA51264d95f7a3958813fd2746362ddb4b11d1149e63c7d50c3679fa7b30b31b12e45cf613fe76b6b9c7a7038df167333572db85056bf2a1128312fd85bf76e10c7b9
-
Filesize
356B
MD54add7c2c132c49604e027ced0a377e25
SHA1dfc5c31a9b30c746d98d5626223273630404629b
SHA2568bd6d982fd87682950b19db8a1ad2fd61555c6b23ec77da829e6659cd5779ed1
SHA5124a25e481a2138f1f883bc60a604bb95a58272dd874135bd4db106a7173f8ec82f6c34958b42150ebd8be8fa973a3f2ae55aa60257af7dc13b79bece436b1a8e0
-
Filesize
356B
MD5e6cf91b125bbb2891a2a9639dd0901e3
SHA12a409c823a343ccef11a076a180433d98fc46a6b
SHA256d59b604c541fc768665e2f813b72d76dc62ed219f0b84663060ca8e48aa5b73a
SHA512f380c2bb8363208aaa78faaf2558592c226ee0fab7cc7d1c8b1a689e84412702c899df882336ac15aa4b05a5d1576db58ef8b3385b6c92d11d0667c786ae9b1d
-
Filesize
9KB
MD53284f758492950d873e08a69008814b8
SHA1a259d05bfed3968973203dee5ace1ce63d4a1c66
SHA2569e9a58f439764a6ed913de3bc095aa3912f51eda7b689d8d711be6fbbfa22312
SHA51287ac7677f45a468d3df762eea8362b9a7a224df6c71e2cc3dfd2a736d40b7d4a6c5559613c1fc55f617dbc4ee05a5478ac922f164117aaebc757beef3cf553ea
-
Filesize
9KB
MD554f3cdd336bb2b68857215cda856591d
SHA11734b0699e3008efa151d776f14829fe53f3843e
SHA256c45b3a8302d01fafe39dc6f0f21ed5a78ab073aaced908fb5a988035964b6866
SHA5125847f3a0f4cb093c551da356e5e64822e29e33539f60137529eb7ac62bc59c4e860040a9a2081b90b43b71db7ffba225c9b305567a3ceef8473a27259d2f0c40
-
Filesize
10KB
MD59e32d81c06dec9c920035c276522b416
SHA11bddbb517f9bfe6fc508bdcf86339bcddd83feb2
SHA256b34809928af895f5c33805e8dc5ba4fa342e8f758343e586f82364c8e8628c66
SHA512ddcf51ef748d705bbfe831451d42db9d79ff262c6040c40e4c86038000fdd5839fd7264e794d30246e6e2ba9f7ab8fc962a9761a9d7f0355d1ee5a173d13d254
-
Filesize
9KB
MD582440fcbc84e7c95fb6f78282775c0ea
SHA1caf7d9cfdf1e49d1c510409fe594074fc0deb951
SHA256cfe5b2a2998a239dcc2bf9cff4cffec29a44ce2167b1565ba7b9d7ba62243b94
SHA5128735d6bf5d104089f6441e7b8c2da27fdfc37f7a8fb24b1e3a268f77b725e39ac03fbe3066598ad7230ed7f55c95d280eff5312e3609858d3bf439f33cc34b49
-
Filesize
9KB
MD53565e0754336d4c4aa6c28392dd0e2a2
SHA11f2810a7df4fc87ef9b28f57bcd6e3300239ad31
SHA256f002c7a6c8ba493b7130d5cc8bdf1499375f6d102b114d35ce0ef1c3d8dad08c
SHA5123aa6509584f7dc3d589973ef6020aae5f9191ad71d197954055ebe0bd77375a48622327cfeb6b1c6e1e95ab4a947ddd9cdc98b9cf88199a2ecc5cbde434e250e
-
Filesize
9KB
MD596b67dd216eacb915aa6fb0f38ae6076
SHA1a2331552de912e720465572562d278c9d82c3583
SHA25663df030b63f4065bda289d96616ec84737d49c75372a6a7c18c3fcbe332583e0
SHA512dbdea234b69453019811f8ac09579f0a58bb7e4018a782e0bf13576845feedb8aa1a4371dbd00aa84c5173cfc28d31a3f248adc49166c38f899f16739fae6609
-
Filesize
15KB
MD50916fac518d08442cb28ba55dee6bf3c
SHA1f285c56f7ca23d36b9675767eea0484a45a1e19b
SHA2563ee9db37bd6396bc7684ff39dc6c65d235c52aac13fb33512344745aa3a7073a
SHA512b220b073a44ddef62e455bd8e32a3cc4d797d0ff11e376308fbfce2c70d93ff83d6c02fa3ba9706332b72eab11b88daa964b8bbf092ac19c41138d9a16cccff3
-
Filesize
321B
MD5a0c597b8f22b7e59497effdb2833d075
SHA1a7df77f9fbda9f0410423169ef0917424195dcc1
SHA256d0130387f4963825cdcbaccbbb094238a9a02f0049c909dbeb43298cb3dcde9f
SHA512420d9cdec457c42db4185395be3b654152aeccae224e3f61070f929a500532e210fa8643dd3dbeacf3bf8bb0416672583365c87dde555f8a36d583456f5bd8aa
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\a19d2022-5c00-4196-b189-5a93a14ef5e7.tmp
Filesize1B
MD55058f1af8388633f609cadb75a75dc9d
SHA13a52ce780950d4d969792a2559cd519d7ee8c727
SHA256cdb4ee2aea69cc6a83331bbe96dc2caa9a299d21329efb0336fc02a82e1839a8
SHA5120b61241d7c17bcbb1baee7094d14b7c451efecc7ffcbd92598a0f13d313cc9ebc2a07e61f007baf58fbf94ff9a8695bdd5cae7ce03bbf1e94e93613a00f25f21
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\fdf72003-5d30-42c5-b652-efd6e95bbe74.tmp
Filesize9KB
MD5644bceebfc7e335ef6f8e2b41ee03367
SHA1e9380cdb0c57f2075a398f797863980151270b0f
SHA2565afcb2481541b2c629f7fcc7dabfb10e5fbce912791b3843d47964fa68a6d0b3
SHA5121eac445f0b09dfb01fc56ea50c1c9e69124a30382c2e8be813746457e50f2c075a1a9ca0ba534ce28b1817f568eaf609545017622b98f358ea8c9cfdd5c4e291
-
Filesize
14B
MD5ef48733031b712ca7027624fff3ab208
SHA1da4f3812e6afc4b90d2185f4709dfbb6b47714fa
SHA256c9ce8dbbe51a4131073db3d6ceef1e11eaca6308ad88a86125f221102d2cee99
SHA512ce3a5a429e3796977a8019f47806b8c0671b597ead642fcbfbe3144e2b8112d35a9f2250896b7f215d237d0d19c5966caf3fe674165a6d50e14cb2b88c892029
-
Filesize
192KB
MD572b035f06848a73396b0eb85a170594a
SHA13777e60daacc188752d263d4e34ca62dfb5b53f1
SHA2563b37432598089f394fce6afcc14f3a293b21498a36089e567180b01dba6d8f91
SHA512e55e95b0b1e82005bb6f27deeb3a213dc81c1a94d5db4c9a1dd65a71ed989a24f5222a238690359761aa9cbd551d535cbeac581458621400e0d24d22ed2d84a8
-
Filesize
97KB
MD559174c6e795650022be0ef25e35f3c8d
SHA1fbeb55aa57646595f7de2561c28a4c5c8cd3dc76
SHA2565bacb7cb378351d4bc463d2768e76cee8fed2f5e124288251044e6d3ac67fd2d
SHA512e4ac16c37f2daf3595951be28968ac349edbf4992d3b18068c54e1037797364b859c9bf147209b6fc4ef96c76ea1d99a932b7c5a7eb5e7f3382714dafd0a2d89
-
Filesize
192KB
MD55320a75a459c0848f8c8a35409e0516c
SHA12ee0e6f6e618bed8b9fd394ece138f2249916216
SHA256da3f754a5706eef3d2c9ea7b76d766fe0b880e66b475cd73848832a82e9373f4
SHA512764599660aebfa61993b64952754272984083ba96f78cc7315f5be2f60874d5d24c4303fd81338a5d3b984c2d513ce1c81b21adcd49fb928a6da84a3d1e54d3f
-
Filesize
192KB
MD563153caceb787af223dd2ecc0d988df4
SHA166c3d8a0e8450c4393347e6021343f16af3753bb
SHA256667c708d234069188c8be36d54a31788dcb718313a7b0f2e74e2a2b77d6971b4
SHA512d4cd5247deefb96dd1de410d3c902dc6e910c2517b8c4ad9ac5d8f9659a914126678a7630133f1f3f83ebebe6987838561529939998f0648f031fcaa152aeccb
-
Filesize
264KB
MD58ea2fd5c9336b0c267af1d991f0d6e90
SHA1c59e1d4d6a204d386d508d38a7895bc635af7786
SHA2568ace9e98bb39a2c358ed09112f2ec684d63afd0c68cbaee36e42ff80a46288e5
SHA5125adc23fd2e0b74f9b6bdeaa270f7d21a418ac26d77393d57c8f3f650fd9e9c9bc52cafe0f6249871c89531e6ed9cd94b0d2962f67fd8f4655eaf140c097cd43f
-
Filesize
86B
MD5961e3604f228b0d10541ebf921500c86
SHA16e00570d9f78d9cfebe67d4da5efe546543949a7
SHA256f7b24f2eb3d5eb0550527490395d2f61c3d2fe74bb9cb345197dad81b58b5fed
SHA512535f930afd2ef50282715c7e48859cc2d7b354ff4e6c156b94d5a2815f589b33189ffedfcaf4456525283e993087f9f560d84cfcf497d189ab8101510a09c472
-
Filesize
28KB
MD547162506095d2b2bc03a8457034204e5
SHA175564128c8c409af9656d641a0efb44488d3fbb0
SHA256db569acf01391dee3633ecb6523639dc0be67cde492c84052f2a862778fe170c
SHA5125a6648ab4be3554352bca2ff7cb69debe18b423ee4e7944743603ece7e47655aacfc7b991bfdc8ca7f6ef29ad7c18f1292c3d2b614c02446e7839ac2cb4f4382
-
Filesize
4KB
MD5b7c82d56aaf593f36a729836137759b9
SHA1b954581943d49ce021cd7c4faf1df432af3be529
SHA256e1ee99c7cb379cec44a4e558bd251e6cee8147ff9eee6e70b437ae3db31781bc
SHA51288b6d68f95cae2c8530e0b28f7b1df341482647db69f5df5a5358a5fd2314fb1ce06184377be2c7b3761ed6a86af7d0fb816588b5de43d18de2fec45dbb165e2
-
Filesize
152B
MD5ecf7ca53c80b5245e35839009d12f866
SHA1a7af77cf31d410708ebd35a232a80bddfb0615bb
SHA256882a513b71b26210ff251769b82b2c5d59a932f96d9ce606ca2fab6530a13687
SHA512706722bd22ce27d854036b1b16e6a3cdb36284b66edc76238a79c2e11cee7d1307b121c898ad832eb1af73e4f08d991d64dc0bff529896ffb4ebe9b3dc381696
-
Filesize
152B
MD54dd2754d1bea40445984d65abee82b21
SHA14b6a5658bae9a784a370a115fbb4a12e92bd3390
SHA256183b8e82a0deaa83d04736553671cedb738adc909f483b3c5f822a0e6be7477d
SHA51292d44ee372ad33f892b921efa6cabc78e91025e89f05a22830763217826fa98d51d55711f85c8970ac58abf9adc6c85cc40878032cd6d2589ab226cd099f99e1
-
Filesize
186B
MD5094ab275342c45551894b7940ae9ad0d
SHA12e7ce26fe2eb9be641ae929d0c9cc0dfa26c018e
SHA256ef1739b833a1048ee1bd55dcbac5b1397396faca1ad771f4d6c2fe58899495a3
SHA51219d0c688dc1121569247111e45de732b2ab86c71aecdde34b157cfd1b25c53473ed3ade49a97f8cb2ddc4711be78fa26c9330887094e031e9a71bb5c29080b0d
-
Filesize
6KB
MD53029c12cd96f0f45544fde6a3058a57b
SHA17014ca2d2ac9b825ee4f1d0bcf3ff96c9dfbe4b2
SHA256befab7c9a6e0dee249cf6f42808fb1bf966db4a9306749a78f5468b363fca0bf
SHA5126bc9a3debf38bb8c9ad37813716a7cabbc37b182552a5abb5b848fd9bc06ed86545f6fea39a8d9912feb3fa621cf358394c259e5e8fe7bbc479cdef06e2e66d3
-
Filesize
6KB
MD57fd59f5bd6280dd50730f0b228bae946
SHA1c92306f9bf96c0d1beee73535f14a5f8527ccd1f
SHA25676f21f8a7a1f94c612e8a64a1eb33f39420f6ba5ff68f9c23d5067e5a6f07305
SHA512595994d192b960df5684bb56d9954f1aabd1f4c0d4f9a2dfd8ac4bfe8f622697bc4a43e2d265dfbcce4cefad653e63ed8cabfa1433ab97018e0ddee88622de80
-
Filesize
16B
MD546295cac801e5d4857d09837238a6394
SHA144e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA2560f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA5128969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23
-
Filesize
16B
MD5206702161f94c5cd39fadd03f4014d98
SHA1bd8bfc144fb5326d21bd1531523d9fb50e1b600a
SHA2561005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
SHA5120af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145
-
Filesize
11KB
MD51be82a908989cbd9a907d106c0e17ff1
SHA1ecc044ca0b7855955751ba64adb8155c08c6154b
SHA2565ab9c18b0800745dddbc985a1fec96914623f44be1da8efd790bab1bf039ba8f
SHA512bb5667631ed6168a7ed329e7305dc0bef14ba2e54cd4d6e0c9d7653e8a04e7b1e7f7a10c8b9c3d191d507f9f895cbc0246cb0237d60acf9c56ebb0252d7fc8bd
-
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\setup\logs\Uninstall-PerUser-2024-08-13.1154.5352.1.aodl
Filesize256B
MD55e11447fd582594adbeb3b068ae880f5
SHA11f13b081294279324fe364d51b8f494a574d7a2c
SHA2561fdb724f60681b65e338457e662892f8de8f8e2f2e885fbba59154fc2e228b3d
SHA512837044a198c249e8900c6b4e8245a25f932b27d1e0278e65eb58626624571002ad0c2a0d4a1388b81d55bfe0263c70947ef818dbb280c5664c12fbb267b42f4b
-
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\Z9XBN0MH\microsoft.windows[1].xml
Filesize97B
MD56661a7eb0f8646c52e1ceffbd38b0b73
SHA1fd78b6e86f9834993dd6662b0f5fd781ac5ad88e
SHA256dd117d5654a48572fe51d7e20db6ce69b72c3229ceb0501582aa90ffa1d9d46b
SHA5122a6fca28d6b0fbd544910a30488056f1f0d97f9ac88169dfc24a75ea66f09663c8b0132c70b734dcc21b994f3428b445683e758ec848e19ebf5c8dd182ea253e
-
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\Microsoft_AutoGenerated_{2F519BF2-C697-59F8-8F6A-1E19509CE66B}
Filesize36KB
MD58aaad0f4eb7d3c65f81c6e6b496ba889
SHA1231237a501b9433c292991e4ec200b25c1589050
SHA256813c66ce7dec4cff9c55fb6f809eab909421e37f69ff30e4acaa502365a32bd1
SHA5121a83ce732dc47853bf6e8f4249054f41b0dea8505cda73433b37dfa16114f27bfed3b4b3ba580aa9d53c3dcc8d48bf571a45f7c0468e6a0f2a227a7e59e17d62
-
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\Microsoft_Windows_Explorer
Filesize36KB
MD5ab0262f72142aab53d5402e6d0cb5d24
SHA1eaf95bb31ae1d4c0010f50e789bdc8b8e3116116
SHA25620a108577209b2499cfdba77645477dd0d9771a77d42a53c6315156761efcfbb
SHA512bf9580f3e5d1102cf758503e18a2cf98c799c4a252eedf9344f7c5626da3a1cf141353f01601a3b549234cc3f2978ad31f928068395b56f9f0885c07dbe81da1
-
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{3ae72fef-5d78-46c7-8d26-3e199f2ab235}\0.0.filtertrie.intermediate.txt
Filesize28KB
MD5c9021b3c23272d788052eadac7fe9cd7
SHA14ccfb37013187100404ceb433525222b062bb485
SHA256b442fced42e8f2a3fec8a08e1f8cecdd8329818eae89dccde8b858abcf9b304e
SHA51284c53a3619811c4501a7160da75de1774beb14c58e670590e351699a2a3b0418128ebfc1b99e70eefd8c8dcf5f157ddf36d3299639bed402ac902e377ecb6ce2
-
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{3ae72fef-5d78-46c7-8d26-3e199f2ab235}\0.1.filtertrie.intermediate.txt
Filesize5B
MD534bd1dfb9f72cf4f86e6df6da0a9e49a
SHA15f96d66f33c81c0b10df2128d3860e3cb7e89563
SHA2568e1e6a3d56796a245d0c7b0849548932fee803bbdb03f6e289495830e017f14c
SHA512e3787de7c4bc70ca62234d9a4cdc6bd665bffa66debe3851ee3e8e49e7498b9f1cbc01294bf5e9f75de13fb78d05879e82fa4b89ee45623fe5bf7ac7e48eda96
-
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{3ae72fef-5d78-46c7-8d26-3e199f2ab235}\0.2.filtertrie.intermediate.txt
Filesize5B
MD5c204e9faaf8565ad333828beff2d786e
SHA17d23864f5e2a12c1a5f93b555d2d3e7c8f78eec1
SHA256d65b6a3bf11a27a1ced1f7e98082246e40cf01289fd47fe4a5ed46c221f2f73f
SHA512e72f4f79a4ae2e5e40a41b322bc0408a6dec282f90e01e0a8aaedf9fb9d6f04a60f45a844595727539c1643328e9c1b989b90785271cc30a6550bbda6b1909f8
-
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{3ae72fef-5d78-46c7-8d26-3e199f2ab235}\Apps.ft
Filesize38KB
MD5ea2609d9a35b96b5eaeae9b42353e0ef
SHA1510488d645ed13eff8ca4244dc241693d1dee5df
SHA256a2c21852b0e1f2e49c008acd772e1184ce6ab4ac462fd8ae2e3fb88b5e8e5147
SHA51232412639e9b2fe3b4443b96a84cb6227af7691034defff2d9731f67e37e2e6a622de2df594be4ad0527d7686458cfe4d5de92b85d54ce693f88813994dabfb79
-
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{3ae72fef-5d78-46c7-8d26-3e199f2ab235}\Apps.index
Filesize1.0MB
MD59c2233f8388e4fcbabf8e101f3a86a45
SHA13b39a1afa8f7d1e651821e8b37d985b4337300e7
SHA25618c1dc63dfa3404cd3cd734ec8edc065217c762a314ff67436986142ff798774
SHA51245ff85a89e1d1af476d21ab8fa7c7712bb68051b7d2a2e856f7f8c3edcbc788546e2301ca49ac80a1546f2ea5bd95624673fc6c6e7b3121ed527967d3f3cc819
-
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{efb1f1fa-5030-4b05-b13e-83594854e4cc}\apps.csg
Filesize444B
MD55475132f1c603298967f332dc9ffb864
SHA14749174f29f34c7d75979c25f31d79774a49ea46
SHA2560b0af873ef116a51fc2a2329dc9102817ce923f32a989c7a6846b4329abd62cd
SHA51254433a284a6b7185c5f2131928b636d6850babebc09acc5ee6a747832f9e37945a60a7192f857a2f6b4dd20433ca38f24b8e438ba1424cc5c73f0aa2d8c946ff
-
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{efb1f1fa-5030-4b05-b13e-83594854e4cc}\apps.schema
Filesize150B
MD51659677c45c49a78f33551da43494005
SHA1ae588ef3c9ea7839be032ab4323e04bc260d9387
SHA2565af0fc2a0b5ccecdc04e54b3c60f28e3ff5c7d4e1809c6d7c8469f0567c090bb
SHA512740a1b6fd80508f29f0f080a8daddec802aabed467d8c5394468b0cf79d7628c1cb5b93cf69ed785999e8d4e2b0f86776b428d4fa0d1afcdf3cbf305615e5030
-
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{efb1f1fa-5030-4b05-b13e-83594854e4cc}\appsconversions.txt
Filesize1.4MB
MD52bef0e21ceb249ffb5f123c1e5bd0292
SHA186877a464a0739114e45242b9d427e368ebcc02c
SHA2568b9fae5ea9dd21c2313022e151788b276d995c8b9115ee46832b804a914e6307
SHA512f5b49f08b44a23f81198b6716195b868e76b2a23a388449356b73f8261107733f05baa027f8cdb8e469086a9869f4a64983c76da0dc978beb4ec1cb257532c6b
-
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{efb1f1fa-5030-4b05-b13e-83594854e4cc}\appsglobals.txt
Filesize343KB
MD5931b27b3ec2c5e9f29439fba87ec0dc9
SHA1dd5e78f004c55bbebcd1d66786efc5ca4575c9b4
SHA256541dfa71a3728424420f082023346365cca013af03629fd243b11d8762e3403e
SHA5124ba517f09d9ad15efd3db5a79747e42db53885d3af7ccc425d52c711a72e15d24648f8a38bc7e001b3b4cc2180996c6cac3949771aa1c278ca3eb7542eae23fd
-
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{efb1f1fa-5030-4b05-b13e-83594854e4cc}\appssynonyms.txt
Filesize237KB
MD506a69ad411292eca66697dc17898e653
SHA1fbdcfa0e1761ddcc43a0fb280bbcd2743ba8820d
SHA2562aa90f795a65f0e636154def7d84094af2e9a5f71b1b73f168a6ea23e74476d1
SHA512ceb4b102309dffb65804e3a0d54b8627fd88920f555b334c3eac56b13eeb5075222d794c3cdbc3cda8bf1658325fdecf6495334e2c89b5133c9a967ec0d15693
-
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133680237038695063.txt
Filesize72KB
MD521acaf3ebdd2e8687e75d3d7fc309258
SHA12b79316434474d706d9590808da4aafee1d52a8e
SHA2567c715874aa99fe6d892ed6e1be7c619bc0ffcf41149d6b7771c4c38ee33ec151
SHA512961650be356cb9b178cf428116305a94726f699a017a3f7a4982ad4864c35ae2b54286afae2689b1db1785c3b2e8114be6accb413f70c004a06eafa5732e67af
-
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ShellFeeds\IDX_CONTENT_TASKBARHEADLINES.json
Filesize226KB
MD50081d773d46e4bfe4e46626b6ec76282
SHA1d2e5962e873c0959f09705fd3b4bab3bdbfc8c7f
SHA2565d531a3dbb068ac53c40a2c339f93f058e17656b33ff7de4ac00aa0a1d95e583
SHA512f534beb02c7e4859f17b6c8ec723f2c3341576f14f01410e26714cbb2494ba06d8bcdc7a1d71eb81a59955cc9528d86a8ca2774a73119aed07af1b00d096957e
-
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\TempState\CortanaUnifiedTileModelCache.dat
Filesize10KB
MD54c5ffc8e34c629914bc5045a2e00ff6c
SHA1471ddd16538856e67be3311fc356fe27cafac81d
SHA25693f0074bb91704195b38276d883cde8a4f00d9f15bd3ec467d0aa426c7cd4584
SHA51244a8dc9f808beea8e95a3901037d93477e8cf345a9f1fe3d87790f4848a4e56131f6cc33607526233d289f2d64faaf70a20313525e25b4905da89ad7cba2b766
-
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\TempState\CortanaUnifiedTileModelCache.dat
Filesize9KB
MD539e17e08fb6b65e394b244d5f4ac1cea
SHA1f6ab2a119fe40b4f41d425d55fd3b59ae16ca5eb
SHA256f6bb160ce3b13c63905ad4e36c844b1f5030810eecb45eb7d6bbbba2c5173289
SHA512f676e41218af2f3ff7519870dac6e224d2d4d0500dfaf9a387ac2ddcbb6cdc52006f445e57586f3ddadd403e9417dc437510faf37707db52f6a4d3ceb0e0da3c
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
470B
MD5a992fdc8e031b2397e2f38e8622f6a29
SHA15faf9b2ad0a8cdb1163d8c6ddd259e8d0f1eb0be
SHA2569cbe6a592271c697bbea60d6e205331055c2e23a0b3eb0832fa367321967afe8
SHA512b3165f01fa226f046dbf93a9b396161d069c23fae67705e3d2737740e709cdcd89f163d8d14c34b1d9fd92d57610d683d5b3ccfd01f35116030d36eb9c267eeb
-
Filesize
470B
MD58f5af5bef2d24ecb31a0cfed8f0c6ee3
SHA1f1e242fdf60aba3df909342333d47c66ce55ee33
SHA2561d1c82396cd7a21d76c25b954bab57ce8005ba787d8de3fefffb1c794b359a6e
SHA5124e7bae084d7b2120641c9b139309b56ee8b859b7fd3f9f7456e39cfdaa24128332e2d821773dde7390695f9eb21d73143583b3ffbbbea3982bffcf29c3c30d5f
-
Filesize
25.9MB
MD5bd2866356868563bd9d92d902cf9cc5a
SHA1c677a0ad58ba694891ef33b54bb4f1fe4e7ce69b
SHA2566676ba3d4bf3e5418865922b8ea8bddb31660f299dd3da8955f3f37961334ecb
SHA5125eccf7be791fd76ee01aafc88300b2b1a0a0fb778f100cbc37504dfc2611d86bf3b4c5d663d2b87f17383ef09bd7710adbe4ece148ec12a8cfd2195542db6f27
-
Filesize
535KB
MD5ff5f39370b67a274cb58ba7e2039d2e2
SHA13020bb33e563e9efe59ea22aa4588bed5f1b2897
SHA2561233487ea4db928ee062f12b00a6eda01445d001ab55566107234dea4dc65872
SHA5127decec37c80d1d5ad6296d737d5d16c4fc92353a3ae4bd083c4a7b267bb6073a53d9f6152b20f9b5e62ba6c93f76d08f813812a83ce164db4c91107d7ad5a95f
-
Filesize
3.8MB
MD5bb9e693d2df3edaeceb9d8b6cb2fa1df
SHA10a66c6bca9c11cd5375e7c54897ffc36baab5c27
SHA256201f5728c8000bfa84fea795c6acbba4d216bb2d75d8e239b10f19efc50b8b90
SHA512a7ab242494e1ccb857656870cc2c44911f2f679b14ad3cccbae4d402f0253c0472ffd9b9c2172aa87d8368c6257563042ca9142002e5bc42d8b58e74f7feba79
-
MD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e