26f07e440dfd3b8b410fdd75ec04595b79c57e8be2a13c14dd746840ff33983c

Analysis

max time kernel
189s
max time network
205s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
11/09/2024, 11:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ToX_Free_Utility_v1.8.bat
Size

96KB
MD5

77833823ecd3754d0099e019f7e885d0
SHA1

e65494c444f7c42032372a09e1179c6f6950ae24
SHA256

26f07e440dfd3b8b410fdd75ec04595b79c57e8be2a13c14dd746840ff33983c
SHA512

52f951f9f253af8499538d810f53242f32c24c7f6b27d8ef76abf2c8c8b1c8e7d31e0b3a7c52ad70fdd1f41a54fa023b21fde7bea24942fa6bf61afb4dd95547
SSDEEP

768:SXQO3gNjy0y7PHYW9CyptHDXxRSyeVlEeOh/853gzI1vavQw8gsQmVHQQCHQVbOy:GQTgvptHriyd017wIUS

Score

10^/10

evasion execution persistence ransomware trojan

Malware Config

Signatures

UAC bypass 3 TTPs 2 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	reg.exe

Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs

ransomware evasion

Inhibit System Recovery

T1490

pid	Process
452	bcdedit.exe
1848	bcdedit.exe

Event Triggered Execution: Image File Execution Options Injection 1 TTPs 6 IoCs

persistence

Image File Execution Options Injection

T1546.012

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\csrss.exe\PerfOptions\CpuPriorityClass = "4"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\csrss.exe\PerfOptions	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\csrss.exe\PerfOptions\IoPriority = "3"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\csrss.exe\PerfOptions	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\csrss.exe	reg.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
3628	powershell.exe

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 000000000400000082ad35faf8c7b7730000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff00000000270101000008000082ad35fa0000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff00000000070001000068090082ad35fa000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1d82ad35fa000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff00000000000000000000000082ad35fa00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe

Delays execution with timeout.exe 56 IoCs

evasion

pid	Process
452	timeout.exe
1664	timeout.exe
3100	timeout.exe
4600	timeout.exe
2124	timeout.exe
1096	timeout.exe
3560	timeout.exe
3176	timeout.exe
1704	timeout.exe
4604	timeout.exe
3032	timeout.exe
2312	timeout.exe
3444	timeout.exe
4552	timeout.exe
3640	timeout.exe
1476	timeout.exe
1232	timeout.exe
3444	timeout.exe
1056	timeout.exe
5116	timeout.exe
1620	timeout.exe
2124	timeout.exe
4600	timeout.exe
3456	timeout.exe
4800	timeout.exe
4804	timeout.exe
2232	timeout.exe
3220	timeout.exe
2456	timeout.exe
2648	timeout.exe
3032	timeout.exe
2368	timeout.exe
1680	timeout.exe
3360	timeout.exe
1384	timeout.exe
680	timeout.exe
4528	timeout.exe
3220	timeout.exe
4400	timeout.exe
2900	timeout.exe
4184	timeout.exe
464	timeout.exe
1480	timeout.exe
1304	timeout.exe
4720	timeout.exe
4528	timeout.exe
4412	timeout.exe
2792	timeout.exe
1684	timeout.exe
4280	timeout.exe
3056	timeout.exe
4536	timeout.exe
2356	timeout.exe
212	timeout.exe
4508	timeout.exe
4252	timeout.exe

Disables Windows logging functionality 2 TTPs
Changes registry settings to disable Windows Event logging.

Disable or Modify Tools
T1562.001

Modify Registry
T1112

Modifies data under HKEY_USERS 6 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Control Panel\Mouse\MouseThreshold2 = "0"	reg.exe
Key created	\REGISTRY\USER\.DEFAULT\Control Panel\Mouse	reg.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Control Panel\Mouse\MouseSpeed = "0"	reg.exe
Key created	\REGISTRY\USER\.DEFAULT\Control Panel\Mouse	reg.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Control Panel\Mouse\MouseThreshold1 = "0"	reg.exe
Key created	\REGISTRY\USER\.DEFAULT\Control Panel\Mouse	reg.exe

Modifies registry key 1 TTPs 2 IoCs

Modify Registry

T1112

pid	Process
5012	reg.exe
2640	reg.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3628	powershell.exe
3628	powershell.exe

Suspicious use of AdjustPrivilegeToken 54 IoCs

description	pid	Process
Token: SeDebugPrivilege	3628	powershell.exe
Token: SeBackupPrivilege	3376	vssvc.exe
Token: SeRestorePrivilege	3376	vssvc.exe
Token: SeAuditPrivilege	3376	vssvc.exe
Token: SeBackupPrivilege	3988	srtasks.exe
Token: SeRestorePrivilege	3988	srtasks.exe
Token: SeSecurityPrivilege	3988	srtasks.exe
Token: SeTakeOwnershipPrivilege	3988	srtasks.exe
Token: SeBackupPrivilege	3988	srtasks.exe
Token: SeRestorePrivilege	3988	srtasks.exe
Token: SeSecurityPrivilege	3988	srtasks.exe
Token: SeTakeOwnershipPrivilege	3988	srtasks.exe
Token: SeIncreaseQuotaPrivilege	3176	WMIC.exe
Token: SeSecurityPrivilege	3176	WMIC.exe
Token: SeTakeOwnershipPrivilege	3176	WMIC.exe
Token: SeLoadDriverPrivilege	3176	WMIC.exe
Token: SeSystemProfilePrivilege	3176	WMIC.exe
Token: SeSystemtimePrivilege	3176	WMIC.exe
Token: SeProfSingleProcessPrivilege	3176	WMIC.exe
Token: SeIncBasePriorityPrivilege	3176	WMIC.exe
Token: SeCreatePagefilePrivilege	3176	WMIC.exe
Token: SeBackupPrivilege	3176	WMIC.exe
Token: SeRestorePrivilege	3176	WMIC.exe
Token: SeShutdownPrivilege	3176	WMIC.exe
Token: SeDebugPrivilege	3176	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3176	WMIC.exe
Token: SeRemoteShutdownPrivilege	3176	WMIC.exe
Token: SeUndockPrivilege	3176	WMIC.exe
Token: SeManageVolumePrivilege	3176	WMIC.exe
Token: 33	3176	WMIC.exe
Token: 34	3176	WMIC.exe
Token: 35	3176	WMIC.exe
Token: 36	3176	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3176	WMIC.exe
Token: SeSecurityPrivilege	3176	WMIC.exe
Token: SeTakeOwnershipPrivilege	3176	WMIC.exe
Token: SeLoadDriverPrivilege	3176	WMIC.exe
Token: SeSystemProfilePrivilege	3176	WMIC.exe
Token: SeSystemtimePrivilege	3176	WMIC.exe
Token: SeProfSingleProcessPrivilege	3176	WMIC.exe
Token: SeIncBasePriorityPrivilege	3176	WMIC.exe
Token: SeCreatePagefilePrivilege	3176	WMIC.exe
Token: SeBackupPrivilege	3176	WMIC.exe
Token: SeRestorePrivilege	3176	WMIC.exe
Token: SeShutdownPrivilege	3176	WMIC.exe
Token: SeDebugPrivilege	3176	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3176	WMIC.exe
Token: SeRemoteShutdownPrivilege	3176	WMIC.exe
Token: SeUndockPrivilege	3176	WMIC.exe
Token: SeManageVolumePrivilege	3176	WMIC.exe
Token: 33	3176	WMIC.exe
Token: 34	3176	WMIC.exe
Token: 35	3176	WMIC.exe
Token: 36	3176	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2764 wrote to memory of 3084	2764	cmd.exe	84
PID 2764 wrote to memory of 3084	2764	cmd.exe	84
PID 2764 wrote to memory of 2312	2764	cmd.exe	85
PID 2764 wrote to memory of 2312	2764	cmd.exe	85
PID 2764 wrote to memory of 5012	2764	cmd.exe	86
PID 2764 wrote to memory of 5012	2764	cmd.exe	86
PID 2764 wrote to memory of 4328	2764	cmd.exe	88
PID 2764 wrote to memory of 4328	2764	cmd.exe	88
PID 2764 wrote to memory of 2456	2764	cmd.exe	89
PID 2764 wrote to memory of 2456	2764	cmd.exe	89
PID 2764 wrote to memory of 2640	2764	cmd.exe	90
PID 2764 wrote to memory of 2640	2764	cmd.exe	90
PID 2764 wrote to memory of 3140	2764	cmd.exe	91
PID 2764 wrote to memory of 3140	2764	cmd.exe	91
PID 2764 wrote to memory of 3792	2764	cmd.exe	92
PID 2764 wrote to memory of 3792	2764	cmd.exe	92
PID 2764 wrote to memory of 3524	2764	cmd.exe	103
PID 2764 wrote to memory of 3524	2764	cmd.exe	103
PID 2764 wrote to memory of 4548	2764	cmd.exe	104
PID 2764 wrote to memory of 4548	2764	cmd.exe	104
PID 2764 wrote to memory of 4536	2764	cmd.exe	105
PID 2764 wrote to memory of 4536	2764	cmd.exe	105
PID 2764 wrote to memory of 1472	2764	cmd.exe	106
PID 2764 wrote to memory of 1472	2764	cmd.exe	106
PID 2764 wrote to memory of 3628	2764	cmd.exe	107
PID 2764 wrote to memory of 3628	2764	cmd.exe	107
PID 2764 wrote to memory of 4328	2764	cmd.exe	114
PID 2764 wrote to memory of 4328	2764	cmd.exe	114
PID 2764 wrote to memory of 2456	2764	cmd.exe	115
PID 2764 wrote to memory of 2456	2764	cmd.exe	115
PID 2764 wrote to memory of 2640	2764	cmd.exe	116
PID 2764 wrote to memory of 2640	2764	cmd.exe	116
PID 2764 wrote to memory of 2076	2764	cmd.exe	119
PID 2764 wrote to memory of 2076	2764	cmd.exe	119
PID 2764 wrote to memory of 2792	2764	cmd.exe	120
PID 2764 wrote to memory of 2792	2764	cmd.exe	120
PID 2764 wrote to memory of 5000	2764	cmd.exe	121
PID 2764 wrote to memory of 5000	2764	cmd.exe	121
PID 2764 wrote to memory of 928	2764	cmd.exe	122
PID 2764 wrote to memory of 928	2764	cmd.exe	122
PID 2764 wrote to memory of 1088	2764	cmd.exe	123
PID 2764 wrote to memory of 1088	2764	cmd.exe	123
PID 2764 wrote to memory of 1928	2764	cmd.exe	124
PID 2764 wrote to memory of 1928	2764	cmd.exe	124
PID 2764 wrote to memory of 1976	2764	cmd.exe	125
PID 2764 wrote to memory of 1976	2764	cmd.exe	125
PID 2764 wrote to memory of 2784	2764	cmd.exe	126
PID 2764 wrote to memory of 2784	2764	cmd.exe	126
PID 2764 wrote to memory of 2232	2764	cmd.exe	127
PID 2764 wrote to memory of 2232	2764	cmd.exe	127
PID 2764 wrote to memory of 3660	2764	cmd.exe	128
PID 2764 wrote to memory of 3660	2764	cmd.exe	128
PID 2764 wrote to memory of 2704	2764	cmd.exe	129
PID 2764 wrote to memory of 2704	2764	cmd.exe	129
PID 2764 wrote to memory of 208	2764	cmd.exe	130
PID 2764 wrote to memory of 208	2764	cmd.exe	130
PID 2764 wrote to memory of 2856	2764	cmd.exe	131
PID 2764 wrote to memory of 2856	2764	cmd.exe	131
PID 2764 wrote to memory of 1464	2764	cmd.exe	132
PID 2764 wrote to memory of 1464	2764	cmd.exe	132
PID 2764 wrote to memory of 4980	2764	cmd.exe	133
PID 2764 wrote to memory of 4980	2764	cmd.exe	133
PID 2764 wrote to memory of 4224	2764	cmd.exe	134
PID 2764 wrote to memory of 4224	2764	cmd.exe	134

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ToX_Free_Utility_v1.8.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:2764
- C:\Windows\system32\chcp.com
  chcp 65001
  2⤵
  PID:3084
- C:\Windows\system32\mode.com
  MODE 75,23
  2⤵
  PID:2312
- C:\Windows\system32\reg.exe
  Reg.exe add HKLM /F
  2⤵
  - Modifies registry key
  PID:5012
- C:\Windows\system32\chcp.com
  chcp 65001
  2⤵
  PID:4328
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "prompt #$H#$E# & echo on & for %b in (1) do echo [95m"
  2⤵
  PID:2456
- C:\Windows\system32\reg.exe
  Reg add HKCU\CONSOLE /v VirtualTerminalLevel /t REG_DWORD /d 1 /f
  2⤵
  - Modifies registry key
  PID:2640
- C:\Windows\system32\mode.com
  MODE 110,34
  2⤵
  PID:3140
- C:\Windows\system32\mode.com
  MODE 105,27
  2⤵
  PID:3792
- C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore" /v "RPSessionInterval" /t REG_DWORD /d 1 /f
  2⤵
  PID:3524
- C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore" /v "RPLifeInterval" /t REG_DWORD /d 1 /f
  2⤵
  PID:4548
- C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore" /v "DisableSR" /t REG_DWORD /d 0 /f
  2⤵
  PID:4536
- C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore\cfg" /v "C:" /t REG_DWORD /d 1 /f
  2⤵
  PID:1472
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -Command "Checkpoint-Computer -Description 'Before ToX Tweaks' -RestorePointType 'MODIFY_SETTINGS'"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3628
- C:\Windows\system32\chcp.com
  chcp 437
  2⤵
  PID:4328
- C:\Windows\system32\mode.com
  mode con: cols=138 lines=37
  2⤵
  PID:2456
- C:\Windows\system32\chcp.com
  chcp 65001
  2⤵
  PID:2640
- C:\Windows\system32\chcp.com
  chcp 437
  2⤵
  PID:2076
- C:\Windows\system32\timeout.exe
  timeout /t 1 /nobreak
  2⤵
  - Delays execution with timeout.exe
  PID:2792
- C:\Windows\system32\reg.exe
  reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\SettingSync" /v "SyncPolicy" /t REG_DWORD /d 00000005 /f
  2⤵
  PID:5000
- C:\Windows\system32\reg.exe
  reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\SettingSync\Groups\Personalization" /v "Enabled" /t REG_DWORD /d 00000000 /f
  2⤵
  PID:928
- C:\Windows\system32\reg.exe
  reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\SettingSync\Groups\BrowserSettings" /v "Enabled" /t REG_DWORD /d 00000000 /f
  2⤵
  PID:1088
- C:\Windows\system32\reg.exe
  reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\SettingSync\Groups\Credentials" /v "Enabled" /t REG_DWORD /d 00000000 /f
  2⤵
  PID:1928
- C:\Windows\system32\reg.exe
  reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\SettingSync\Groups\Accessibility" /v "Enabled" /t REG_DWORD /d 00000000 /f
  2⤵
  PID:1976
- C:\Windows\system32\reg.exe
  reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\SettingSync\Groups\Windows" /v "Enabled" /t REG_DWORD /d 00000000 /f
  2⤵
  PID:2784
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" /v "DoNotConnectToWindowsUpdateInternetLocations" /t REG_DWORD /d "1" /f
  2⤵
  PID:2232
- C:\Windows\system32\reg.exe
  Reg Add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search" /v "AllowCortana" /t REG_DWORD /d "0" /f
  2⤵
  PID:3660
- C:\Windows\system32\reg.exe
  Reg Add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search" /v "AllowCloudSearch" /t REG_DWORD /d "0" /f
  2⤵
  PID:2704
- C:\Windows\system32\reg.exe
  Reg Add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search" /v "AllowCortanaAboveLock" /t REG_DWORD /d "0" /f
  2⤵
  PID:208
- C:\Windows\system32\reg.exe
  Reg Add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search" /v "AllowSearchToUseLocation" /t REG_DWORD /d "0" /f
  2⤵
  PID:2856
- C:\Windows\system32\reg.exe
  Reg Add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search" /v "ConnectedSearchUseWeb" /t REG_DWORD /d "0" /f
  2⤵
  PID:1464
- C:\Windows\system32\reg.exe
  Reg Add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search" /v "ConnectedSearchUseWebOverMeteredConnections" /t REG_DWORD /d "0" /f
  2⤵
  PID:4980
- C:\Windows\system32\reg.exe
  Reg Add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search" /v "DisableWebSearch" /t REG_DWORD /d "0" /f
  2⤵
  PID:4224
- C:\Windows\system32\reg.exe
  Reg Add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer" /v "ShowFrequent" /t REG_DWORD /d "0" /f
  2⤵
  PID:3532
- C:\Windows\system32\reg.exe
  Reg Add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer" /v "ShowRecent" /t REG_DWORD /d "0" /f
  2⤵
  PID:4668
- C:\Windows\system32\reg.exe
  Reg Add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer" /v "TelemetrySalt" /t REG_DWORD /d "0" /f
  2⤵
  PID:4248
- C:\Windows\system32\reg.exe
  Reg Add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoRecentDocsHistory" /t REG_DWORD /d "1" /f
  2⤵
  PID:3248
- C:\Windows\system32\reg.exe
  Reg Add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "Discord" /t REG_BINARY /d "0300000066AF9C7C5A46D901" /f
  2⤵
  PID:2964
- C:\Windows\system32\reg.exe
  Reg Add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "Spotify" /t REG_BINARY /d "0300000070E93D7B5A46D901" /f
  2⤵
  PID:728
- C:\Windows\system32\reg.exe
  Reg Add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "Steam" /t REG_BINARY /d "03000000E7766B83316FD901" /f
  2⤵
  PID:376
- C:\Windows\system32\reg.exe
  Reg add "HKLM\Software\Policies\Microsoft\Windows\Maps" /v "AutoDownloadAndUpdateMapData" /t REG_DWORD /d "0" /f
  2⤵
  PID:2396
- C:\Windows\system32\reg.exe
  Reg add "HKLM\Software\Policies\Microsoft\Windows\Maps" /v "AllowUntriggeredNetworkTrafficOnSettingsPage" /t REG_DWORD /d "0" /f
  2⤵
  PID:3052
- C:\Windows\system32\timeout.exe
  timeout /t 1 /nobreak
  2⤵
  - Delays execution with timeout.exe
  PID:1480
- C:\Windows\system32\reg.exe
  Reg add "HKLM\Software\Policies\Microsoft\Windows\SettingSync" /v "DisableSettingSync" /t REG_DWORD /d "2" /f
  2⤵
  PID:1308
- C:\Windows\system32\reg.exe
  Reg add "HKLM\Software\Policies\Microsoft\Windows\SettingSync" /v "DisableSettingSyncUserOverride" /t REG_DWORD /d "1" /f
  2⤵
  PID:4324
- C:\Windows\system32\reg.exe
  Reg add "HKLM\Software\Policies\Microsoft\Windows\SettingSync" /v "DisableSyncOnPaidNetwork" /t REG_DWORD /d "1" /f
  2⤵
  PID:452
- C:\Windows\system32\timeout.exe
  timeout /t 1 /nobreak
  2⤵
  - Delays execution with timeout.exe
  PID:4508
- C:\Windows\system32\reg.exe
  Reg add "HKLM\Software\Policies\Microsoft\FindMyDevice" /v "AllowFindMyDevice" /t REG_DWORD /d "0" /f
  2⤵
  PID:4436
- C:\Windows\system32\reg.exe
  Reg add "HKLM\Software\Policies\Microsoft\FindMyDevice" /v "LocationSyncEnabled" /t REG_DWORD /d "0" /f
  2⤵
  PID:4180
- C:\Windows\system32\timeout.exe
  timeout /t 1 /nobreak
  2⤵
  - Delays execution with timeout.exe
  PID:3176
- C:\Windows\system32\reg.exe
  Reg add "HKLM\Software\Policies\Microsoft\Windows\Windows Search" /v "ConnectedSearchUseWeb" /t REG_DWORD /d "0" /f
  2⤵
  PID:3128
- C:\Windows\system32\reg.exe
  Reg add "HKLM\Software\Policies\Microsoft\Windows\Windows Search" /v "DisableWebSearch" /t REG_DWORD /d "1" /f
  2⤵
  PID:4756
- C:\Windows\system32\reg.exe
  Reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Search" /v "BingSearchEnabled" /t REG_DWORD /d "0" /f
  2⤵
  PID:2016
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Device Metadata" /v "PreventDeviceMetadataFromNetwork" /t REG_DWORD /d "1" /f
  2⤵
  PID:2900
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SOFTWARE\Microsoft\PolicyManager\current\device\Update" /v "ExcludeWUDriversInQualityUpdate" /t REG_DWORD /d "1" /f
  2⤵
  PID:4788
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SOFTWARE\Microsoft\PolicyManager\default\Update" /v "ExcludeWUDriversInQualityUpdate" /t REG_DWORD /d "1" /f
  2⤵
  PID:4960
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SOFTWARE\Microsoft\PolicyManager\default\Update\ExcludeWUDriversInQualityUpdate" /v "value" /t REG_DWORD /d "1" /f
  2⤵
  PID:4400
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SOFTWARE\Microsoft\WindowsUpdate\UX\Settings" /v "ExcludeWUDriversInQualityUpdate" /t REG_DWORD /d "1" /f
  2⤵
  PID:2864
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" /v "ExcludeWUDriversInQualityUpdate" /t REG_DWORD /d "1" /f
  2⤵
  PID:896
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\DriverSearching" /v "SearchOrderConfig" /t REG_DWORD /d "0" /f
  2⤵
  PID:1080
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "PromptOnSecureDesktop" /t REG_DWORD /d "0" /f
  2⤵
  - UAC bypass
  PID:3060
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "ConsentPromptBehaviorAdmin" /t REG_DWORD /d "0" /f
  2⤵
  - UAC bypass
  PID:1968
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableAutomaticRestartSignOn" /t REG_DWORD /d "1" /f
  2⤵
  PID:3536
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\Maintenance" /v "MaintenanceDisabled" /t REG_DWORD /d "1" /f
  2⤵
  PID:2548
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows\CloudContent" /v "DisableWindowsConsumerFeatures" /t REG_DWORD /d "1" /f
  2⤵
  PID:1552
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power" /v "HiberbootEnabled" /t REG_DWORD /d "0" /f
  2⤵
  PID:752
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power\PowerThrottling" /v "PowerThrottlingOff" /t REG_DWORD /d "1" /
  2⤵
  PID:3064
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\AFD\Parameters" /v "FastSendDatagramThreshold" /t REG_DWORD /d "409600" /f
  2⤵
  PID:1920
- C:\Windows\system32\timeout.exe
  timeout /t 1 /nobreak
  2⤵
  - Delays execution with timeout.exe
  PID:1304
- C:\Windows\system32\reg.exe
  reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Themes\Personalize" /v "EnableTransparency" /t REG_DWORD /d 00000000 /f
  2⤵
  PID:2008
- C:\Windows\system32\timeout.exe
  timeout /t 1 /nobreak
  2⤵
  - Delays execution with timeout.exe
  PID:3456
- C:\Windows\system32\timeout.exe
  timeout /t 1 /nobreak
  2⤵
  - Delays execution with timeout.exe
  PID:1704
- C:\Windows\system32\reg.exe
  reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\default\ApplicationManagement\AllowGameDVR" /v "value" /t REG_DWORD /d 00000000 /f
  2⤵
  PID:3888
- C:\Windows\system32\reg.exe
  reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\GameDVR" /v "AllowGameDVR" /t REG_DWORD /d 00000000 /f
  2⤵
  PID:4104
- C:\Windows\system32\reg.exe
  reg add "HKEY_CURRENT_USER\System\GameConfigStore" /v "GameDVR_Enabled" /t REG_DWORD /d 00000000 /f
  2⤵
  PID:3020
- C:\Windows\system32\reg.exe
  reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\GameDVR" /v "AppCaptureEnabled" /t REG_DWORD /d 00000000 /f
  2⤵
  PID:624
- C:\Windows\system32\timeout.exe
  timeout /t 1 /nobreak
  2⤵
  - Delays execution with timeout.exe
  PID:3360
- C:\Windows\system32\reg.exe
  reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\GameBar" /v "AllowAutoGameMode" /t REG_DWORD /d 00000001 /f
  2⤵
  PID:1924
- C:\Windows\system32\reg.exe
  reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\GameBar" /v "AutoGameModeEnabled" /t REG_DWORD /d 00000001 /f
  2⤵
  PID:4348
- C:\Windows\system32\timeout.exe
  timeout /t 1 /nobreak
  2⤵
  - Delays execution with timeout.exe
  PID:4800
- C:\Windows\system32\reg.exe
  reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\GraphicsDrivers" /v "HwSchMode" /t REG_DWORD /d 00000002 /f
  2⤵
  PID:1912
- C:\Windows\system32\timeout.exe
  timeout /t 1 /nobreak
  2⤵
  - Delays execution with timeout.exe
  PID:4804
- C:\Windows\system32\reg.exe
  reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\DirectX\UserGpuPreferences" /v "DirectXUserGlobalSettings" /t REG_SZ /d "VRROptimizeEnable=0;" /f
  2⤵
  PID:3620
- C:\Windows\system32\timeout.exe
  timeout /t 1 /nobreak
  2⤵
  - Delays execution with timeout.exe
  PID:1684
- C:\Windows\system32\reg.exe
  reg add "HKEY_CURRENT_USER\Control Panel\Accessibility\MouseKeys" /v "Flags" /t REG_SZ /d "0" /f
  2⤵
  PID:2108
- C:\Windows\system32\reg.exe
  reg add "HKEY_CURRENT_USER\Control Panel\Accessibility\StickyKeys" /v "Flags" /t REG_SZ /d "0" /f
  2⤵
  PID:4664
- C:\Windows\system32\reg.exe
  reg add "HKEY_CURRENT_USER\Control Panel\Accessibility\Keyboard Response" /v "Flags" /t REG_SZ /d "0" /f
  2⤵
  PID:3636
- C:\Windows\system32\reg.exe
  reg add "HKEY_CURRENT_USER\Control Panel\Accessibility\ToggleKeys" /v "Flags" /t REG_SZ /d "0" /f
  2⤵
  PID:4776
- C:\Windows\system32\timeout.exe
  timeout /t 1 /nobreak
  2⤵
  - Delays execution with timeout.exe
  PID:4536
- C:\Windows\system32\reg.exe
  reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\AdvertisingInfo" /v "Enabled" /t REG_DWORD /d 00000000 /f
  2⤵
  PID:1472
- C:\Windows\system32\reg.exe
  reg add "HKEY_CURRENT_USER\Control Panel\International\User Profile" /v "HttpAcceptLanguageOptOut" /t REG_DWORD /d 00000001 /f
  2⤵
  PID:3708
- C:\Windows\system32\reg.exe
  reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "Start_TrackProgs" /t REG_DWORD /d 00000000 /f
  2⤵
  PID:5068
- C:\Windows\system32\reg.exe
  reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "SubscribedContent-338393Enabled" /t REG_DWORD /d 00000000 /f
  2⤵
  PID:4612
- C:\Windows\system32\reg.exe
  reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "SubscribedContent-353694Enabled" /t REG_DWORD /d 00000000 /f
  2⤵
  PID:312
- C:\Windows\system32\reg.exe
  reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "SubscribedContent-353696Enabled" /t REG_DWORD /d 00000000 /f
  2⤵
  PID:2932
- C:\Windows\system32\timeout.exe
  timeout /t 1 /nobreak
  2⤵
  - Delays execution with timeout.exe
  PID:4604
- C:\Windows\system32\reg.exe
  reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Speech_OneCore\Settings\OnlineSpeechPrivacy" /v "HasAccepted" /t REG_DWORD /d 00000000 /f
  2⤵
  PID:2792
- C:\Windows\system32\timeout.exe
  timeout /t 1 /nobreak
  2⤵
  - Delays execution with timeout.exe
  PID:452
- C:\Windows\system32\reg.exe
  reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Personalization\Settings" /v "AcceptedPrivacyPolicy" /t REG_DWORD /d 00000000 /f
  2⤵
  PID:4508
- C:\Windows\system32\reg.exe
  reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\InputPersonalization" /v "RestrictImplicitInkCollection" /t REG_DWORD /d 00000001 /f
  2⤵
  PID:4436
- C:\Windows\system32\reg.exe
  reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\InputPersonalization" /v "RestrictImplicitTextCollection" /t REG_DWORD /d 00000001 /f
  2⤵
  PID:4180
- C:\Windows\system32\reg.exe
  reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\InputPersonalization\TrainedDataStore" /v "HarvestContacts" /t REG_DWORD /d 00000000 /f
  2⤵
  PID:3176
- C:\Windows\system32\timeout.exe
  timeout /t 1 /nobreak
  2⤵
  - Delays execution with timeout.exe
  PID:2356
- C:\Windows\system32\reg.exe
  reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Diagnostics\DiagTrack" /v "ShowedToastAtLevel" /t REG_DWORD /d 00000001 /f
  2⤵
  PID:440
- C:\Windows\system32\reg.exe
  reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DataCollection" /v "AllowTelemetry" /t REG_DWORD /d 00000000 /f
  2⤵
  PID:4448
- C:\Windows\system32\reg.exe
  reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Privacy" /v "TailoredExperiencesWithDiagnosticDataEnabled" /t REG_DWORD /d 00000000 /f
  2⤵
  PID:2160
- C:\Windows\system32\reg.exe
  reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Diagnostics\DiagTrack\EventTranscriptKey" /v "EnableEventTranscript" /t REG_DWORD /d 00000000 /f
  2⤵
  PID:3048
- C:\Windows\system32\reg.exe
  reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Siuf\Rules" /v "NumberOfSIUFInPeriod" /t REG_DWORD /d 00000000 /f
  2⤵
  PID:4736
- C:\Windows\system32\reg.exe
  reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Siuf\Rules" /v "PeriodInNanoSeconds" /t REG_SZ /d "-" /f
  2⤵
  PID:1760
- C:\Windows\system32\timeout.exe
  timeout /t 1 /nobreak
  2⤵
  - Delays execution with timeout.exe
  PID:1664
- C:\Windows\system32\reg.exe
  reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System" /v "PublishUserActivities" /t REG_DWORD /d 00000000 /f
  2⤵
  PID:4112
- C:\Windows\system32\reg.exe
  reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System" /v "UploadUserActivities" /t REG_DWORD /d 00000000 /f
  2⤵
  PID:1244
- C:\Windows\system32\timeout.exe
  timeout /t 1 /nobreak
  2⤵
  - Delays execution with timeout.exe
  PID:1384
- C:\Windows\system32\timeout.exe
  timeout /t 1 /nobreak
  2⤵
  - Delays execution with timeout.exe
  PID:4280
- C:\Windows\system32\reg.exe
  reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\userNotificationListener" /v "Value" /t REG_SZ /d "Deny" /f
  2⤵
  PID:364
- C:\Windows\system32\reg.exe
  reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\location" /v "Value" /t REG_SZ /d "Deny" /f
  2⤵
  PID:4444
- C:\Windows\system32\reg.exe
  reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\appDiagnostics" /v "Value" /t REG_SZ /d "Deny" /f
  2⤵
  PID:2136
- C:\Windows\system32\reg.exe
  reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\userAccountInformation" /v "Value" /t REG_SZ /d "Deny" /f
  2⤵
  PID:3128
- C:\Windows\system32\timeout.exe
  timeout /t 1 /nobreak
  2⤵
  - Delays execution with timeout.exe
  PID:3100
- C:\Windows\system32\reg.exe
  reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\BackgroundAccessApplications" /v "GlobalUserDisabled" /t REG_DWORD /d 00000001 /f
  2⤵
  PID:4756
- C:\Windows\system32\timeout.exe
  timeout /t 1 /nobreak
  2⤵
  - Delays execution with timeout.exe
  PID:2900
- C:\Windows\system32\reg.exe
  reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Search" /v "BackgroundAppGlobalToggle" /t REG_DWORD /d 00000000 /f
  2⤵
  PID:4788
- C:\Windows\system32\reg.exe
  Reg Add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\activity" /v "Value" /t REG_SZ /d "Deny" /f
  2⤵
  PID:4960
- C:\Windows\system32\reg.exe
  Reg Add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\appDiagnostics" /v "Value" /t REG_SZ /d "Deny" /f
  2⤵
  PID:4400
- C:\Windows\system32\reg.exe
  Reg Add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\appointments" /v "Value" /t REG_SZ /d "Deny" /f
  2⤵
  PID:2864
- C:\Windows\system32\reg.exe
  Reg Add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\bluetoothSync" /v "Value" /t REG_SZ /d "Deny" /f
  2⤵
  PID:896
- C:\Windows\system32\reg.exe
  Reg Add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\broadFileSystemAccess" /v "Value" /t REG_SZ /d "Deny" /f
  2⤵
  PID:1080
- C:\Windows\system32\reg.exe
  Reg Add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\cellularData" /v "Value" /t REG_SZ /d "Deny" /f
  2⤵
  PID:3060
- C:\Windows\system32\reg.exe
  Reg Add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\cellularData\Microsoft.Win32WebViewHost_cw5n1h2txyewy" /v "Value" /t REG_SZ /d "Allow" /f
  2⤵
  PID:1968
- C:\Windows\system32\reg.exe
  Reg Add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\chat" /v "Value" /t REG_SZ /d "Deny" /f
  2⤵
  PID:3536
- C:\Windows\system32\reg.exe
  Reg Add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\contacts" /v "Value" /t REG_SZ /d "Deny" /f
  2⤵
  PID:2548
- C:\Windows\system32\reg.exe
  Reg Add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\documentsLibrary" /v "Value" /t REG_SZ /d "Deny" /f
  2⤵
  PID:1552
- C:\Windows\system32\reg.exe
  Reg Add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\email" /v "Value" /t REG_SZ /d "Deny" /f
  2⤵
  PID:752
- C:\Windows\system32\reg.exe
  Reg Add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\gazeInput" /v "Value" /t REG_SZ /d "Deny" /f
  2⤵
  PID:1600
- C:\Windows\system32\reg.exe
  Reg Add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\location" /v "Value" /t REG_SZ /d "Deny" /f
  2⤵
  PID:3064
- C:\Windows\system32\reg.exe
  Reg Add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\location\Microsoft.Win32WebViewHost_cw5n1h2txyewy" /v "Value" /t REG_SZ /d "Prompt" /f
  2⤵
  PID:4344
- C:\Windows\system32\reg.exe
  Reg Add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\phoneCall" /v "Value" /t REG_SZ /d "Deny" /f
  2⤵
  PID:464
- C:\Windows\system32\reg.exe
  Reg Add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\phoneCallHistory" /v "Value" /t REG_SZ /d "Deny" /f
  2⤵
  PID:4844
- C:\Windows\system32\reg.exe
  Reg Add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\picturesLibrary" /v "Value" /t REG_SZ /d "Deny" /f
  2⤵
  PID:3108
- C:\Windows\system32\reg.exe
  Reg Add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\radios" /v "Value" /t REG_SZ /d "Deny" /f
  2⤵
  PID:4884
- C:\Windows\system32\reg.exe
  Reg Add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\userAccountInformation" /v "Value" /t REG_SZ /d "Deny" /f
  2⤵
  PID:4920
- C:\Windows\system32\reg.exe
  Reg Add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\userAccountInformation\Microsoft.AccountsControl_cw5n1h2txyewy" /v "Value" /t REG_SZ /d "Prompt" /f
  2⤵
  PID:448
- C:\Windows\system32\reg.exe
  Reg Add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\userDataTasks" /v "Value" /t REG_SZ /d "Deny" /f
  2⤵
  PID:1704
- C:\Windows\system32\reg.exe
  Reg Add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\userNotificationListener" /v "Value" /t REG_SZ /d "Deny" /f
  2⤵
  PID:3888
- C:\Windows\system32\reg.exe
  Reg Add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\videosLibrary" /v "Value" /t REG_SZ /d "Deny" /f
  2⤵
  PID:4104
- C:\Windows\system32\reg.exe
  Reg Add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\webcam" /v "Value" /t REG_SZ /d "Allow" /f
  2⤵
  PID:3020
- C:\Windows\system32\reg.exe
  Reg Add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\webcam\Microsoft.Win32WebViewHost_cw5n1h2txyewy" /v "Value" /t REG_SZ /d "Allow" /f
  2⤵
  PID:624
- C:\Windows\system32\timeout.exe
  timeout /t 1 /nobreak
  2⤵
  - Delays execution with timeout.exe
  PID:2232
- C:\Windows\system32\schtasks.exe
  schtasks /end /tn "\Microsoft\Windows\Customer Experience Improvement Program\Consolidator"
  2⤵
  PID:3564
- C:\Windows\system32\schtasks.exe
  schtasks /change /tn "\Microsoft\Windows\Customer Experience Improvement Program\Consolidator" /disable
  2⤵
  PID:2468
- C:\Windows\system32\schtasks.exe
  schtasks /end /tn "\Microsoft\Windows\Customer Experience Improvement Program\BthSQM"
  2⤵
  PID:972
- C:\Windows\system32\schtasks.exe
  schtasks /change /tn "\Microsoft\Windows\Customer Experience Improvement Program\BthSQM" /disable
  2⤵
  PID:916
- C:\Windows\system32\schtasks.exe
  schtasks /end /tn "\Microsoft\Windows\Customer Experience Improvement Program\KernelCeipTask"
  2⤵
  PID:468
- C:\Windows\system32\schtasks.exe
  schtasks /change /tn "\Microsoft\Windows\Customer Experience Improvement Program\KernelCeipTask" /disable
  2⤵
  PID:3428
- C:\Windows\system32\schtasks.exe
  schtasks /end /tn "\Microsoft\Windows\Customer Experience Improvement Program\UsbCeip"
  2⤵
  PID:3972
- C:\Windows\system32\schtasks.exe
  schtasks /change /tn "\Microsoft\Windows\Customer Experience Improvement Program\UsbCeip" /disable
  2⤵
  PID:4804
- C:\Windows\system32\schtasks.exe
  schtasks /end /tn "\Microsoft\Windows\Customer Experience Improvement Program\Uploader"
  2⤵
  PID:3620
- C:\Windows\system32\schtasks.exe
  schtasks /change /tn "\Microsoft\Windows\Customer Experience Improvement Program\Uploader" /disable
  2⤵
  PID:1684
- C:\Windows\system32\schtasks.exe
  schtasks /end /tn "\Microsoft\Windows\Application Experience\Microsoft Compatibility Appraiser"
  2⤵
  PID:2108
- C:\Windows\system32\schtasks.exe
  schtasks /change /tn "\Microsoft\Windows\Application Experience\Microsoft Compatibility Appraiser" /disable
  2⤵
  PID:4664
- C:\Windows\system32\schtasks.exe
  schtasks /end /tn "\Microsoft\Windows\Application Experience\ProgramDataUpdater"
  2⤵
  PID:3636
- C:\Windows\system32\schtasks.exe
  schtasks /change /tn "\Microsoft\Windows\Application Experience\ProgramDataUpdater" /disable
  2⤵
  PID:4776
- C:\Windows\system32\schtasks.exe
  schtasks /end /tn "\Microsoft\Windows\Application Experience\StartupAppTask"
  2⤵
  PID:4536
- C:\Windows\system32\schtasks.exe
  schtasks /end /tn "\Microsoft\Windows\Shell\FamilySafetyMonitor"
  2⤵
  PID:1472
- C:\Windows\system32\schtasks.exe
  schtasks /change /tn "\Microsoft\Windows\Shell\FamilySafetyMonitor" /disable
  2⤵
  PID:3708
- C:\Windows\system32\schtasks.exe
  schtasks /end /tn "\Microsoft\Windows\Shell\FamilySafetyRefresh"
  2⤵
  PID:5068
- C:\Windows\system32\schtasks.exe
  schtasks /change /tn "\Microsoft\Windows\Shell\FamilySafetyRefresh" /disable
  2⤵
  PID:4172
- C:\Windows\system32\schtasks.exe
  schtasks /end /tn "\Microsoft\Windows\Shell\FamilySafetyUpload"
  2⤵
  PID:1480
- C:\Windows\system32\schtasks.exe
  schtasks /change /tn "\Microsoft\Windows\Shell\FamilySafetyUpload" /disable
  2⤵
  PID:1044
- C:\Windows\system32\schtasks.exe
  schtasks /end /tn "\Microsoft\Windows\Maintenance\WinSAT"
  2⤵
  PID:8
- C:\Windows\system32\timeout.exe
  timeout /t 1 /nobreak
  2⤵
  - Delays execution with timeout.exe
  PID:4252
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\Maintenance" /v "MaintenanceDisabled" /t REG_DWORD /d "1" /f
  2⤵
  PID:4116
- C:\Windows\system32\timeout.exe
  timeout /t 1 /nobreak
  2⤵
  - Delays execution with timeout.exe
  PID:3444
- C:\Windows\system32\reg.exe
  Reg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Themes\Personalize" /v "EnableTransparency" /t REG_DWORD /d "0" /f
  2⤵
  PID:3116
- C:\Windows\system32\timeout.exe
  timeout /t 1 /nobreak
  2⤵
  - Delays execution with timeout.exe
  PID:4552
- C:\Windows\system32\reg.exe
  Reg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\PushNotifications" /v "ToastEnabled" /t REG_DWORD /d "0" /f
  2⤵
  PID:808
- C:\Windows\system32\reg.exe
  Reg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Notifications\Settings" /v "NOC_GLOBAL_SETTING_ALLOW_NOTIFICATION_SOUND" /t REG_DWORD /d "0" /f
  2⤵
  PID:4892
- C:\Windows\system32\reg.exe
  Reg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Notifications\Settings" /v "NOC_GLOBAL_SETTING_ALLOW_CRITICAL_TOASTS_ABOVE_LOCK" /t REG_DWORD /d "0" /f
  2⤵
  PID:4908
- C:\Windows\system32\reg.exe
  Reg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Notifications\Settings\QuietHours" /v "Enabled" /t REG_DWORD /d "0" /f
  2⤵
  PID:2160
- C:\Windows\system32\reg.exe
  Reg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Notifications\Settings\windows.immersivecontrolpanel_cw5n1h2txyewymicrosoft.windows.immersivecontrolpanel" /v "Enabled" /t REG_DWORD /d "0" /f
  2⤵
  PID:3048
- C:\Windows\system32\reg.exe
  Reg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Notifications\Settings\Windows.SystemToast.AutoPlay" /v "Enabled" /t REG_DWORD /d "0" /f
  2⤵
  PID:2280
- C:\Windows\system32\reg.exe
  Reg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Notifications\Settings\Windows.SystemToast.LowDisk" /v "Enabled" /t REG_DWORD /d "0" /f
  2⤵
  PID:2976
- C:\Windows\system32\reg.exe
  Reg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Notifications\Settings\Windows.SystemToast.Print.Notification" /v "Enabled" /t REG_DWORD /d "0" /f
  2⤵
  PID:2236
- C:\Windows\system32\reg.exe
  Reg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Notifications\Settings\Windows.SystemToast.SecurityAndMaintenance" /v "Enabled" /t REG_DWORD /d "0" /f
  2⤵
  PID:3076
- C:\Windows\system32\reg.exe
  Reg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Notifications\Settings\Windows.SystemToast.WiFiNetworkManager" /v "Enabled" /t REG_DWORD /d "0" /f
  2⤵
  PID:4556
- C:\Windows\system32\reg.exe
  Reg.exe add "HKCU\SOFTWARE\Policies\Microsoft\Windows\Explorer" /v "DisableNotificationCenter" /t REG_DWORD /d "1" /f
  2⤵
  PID:4140
- C:\Windows\system32\timeout.exe
  timeout /t 1 /nobreak
  2⤵
  - Delays execution with timeout.exe
  PID:2124
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Feeds" /v "EnableFeeds" /t REG_DWORD /d "0" /f
  2⤵
  PID:2204
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SOFTWARE\Policies\Microsoft" /v "AllowNewsAndInterests" /t REG_DWORD /d "0" /f
  2⤵
  PID:1988
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows\System" /v "EnableActivityFeed" /t REG_DWORD /d "0" /f
  2⤵
  PID:1356
- C:\Windows\system32\reg.exe
  Reg.exe add "HKCU\Control Panel\International\User Profile" /v "HttpAcceptLanguageOptOut" /t REG_DWORD /d "1" /f
  2⤵
  PID:680
- C:\Windows\system32\reg.exe
  Reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\AdvertisingInfo" /v "Enabled" /t REG_DWORD /d "0" /f
  2⤵
  PID:1680
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\Software\Policies\Microsoft\Windows\System" /v "EnableActivityFeed" /t REG_DWORD /d "0" /f
  2⤵
  PID:3552
- C:\Windows\system32\timeout.exe
  timeout /t 1 /nobreak
  2⤵
  - Delays execution with timeout.exe
  PID:3220
- C:\Windows\system32\reg.exe
  Reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "DisallowShaking" /t REG_DWORD /d "1" /f
  2⤵
  PID:2828
- C:\Windows\system32\reg.exe
  Reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "EnableBalloonTips" /t REG_DWORD /d "0" /f
  2⤵
  PID:2368
- C:\Windows\system32\reg.exe
  Reg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "ShowSyncProviderNotifications" /t REG_DWORD /d "0" /f
  2⤵
  PID:1620
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\userNotificationListener" /v "Value" /t REG_SZ /d "Deny" /f
  2⤵
  PID:3380
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\Software\Policies\Microsoft\Windows\AdvertisingInfo" /v "DisabledByGroupPolicy" /t REG_DWORD /d "1" /f
  2⤵
  PID:2612
- C:\Windows\system32\timeout.exe
  timeout /t 1 /nobreak
  2⤵
  - Delays execution with timeout.exe
  PID:2456
- C:\Windows\system32\reg.exe
  Reg.exe add "HKCU\SOFTWARE\Microsoft\GameBar" /v "AllowAutoGameMode" /t REG_DWORD /d "1" /f
  2⤵
  PID:2640
- C:\Windows\system32\reg.exe
  Reg.exe add "HKCU\SOFTWARE\Microsoft\GameBar" /v "AutoGameModeEnabled" /t REG_DWORD /d "1" /f
  2⤵
  PID:2916
- C:\Windows\system32\timeout.exe
  timeout /t 1 /nobreak
  2⤵
  - Delays execution with timeout.exe
  PID:3032
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SOFTWARE\Microsoft\PolicyManager\current\device\System" /v "AllowExperimentation" /t REG_DWORD /d "0" /f
  2⤵
  PID:3584
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SOFTWARE\Microsoft\PolicyManager\default\System\AllowExperimentation" /v "value" /t REG_DWORD /d "0" /f
  2⤵
  PID:1984
- C:\Windows\system32\timeout.exe
  timeout /t 1 /nobreak
  2⤵
  - Delays execution with timeout.exe
  PID:3640
- C:\Windows\system32\reg.exe
  Reg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\SettingSync\Groups\Accessibility" /v "Enabled" /t REG_DWORD /d "0" /f
  2⤵
  PID:1600
- C:\Windows\system32\reg.exe
  Reg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\SettingSync\Groups\AppSync" /v "Enabled" /t REG_DWORD /d "0" /f
  2⤵
  PID:752
- C:\Windows\system32\reg.exe
  Reg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\SettingSync\Groups\BrowserSettings" /v "Enabled" /t REG_DWORD /d "0" /f
  2⤵
  PID:1304
- C:\Windows\system32\reg.exe
  Reg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\SettingSync\Groups\Credentials" /v "Enabled" /t REG_DWORD /d "0" /f
  2⤵
  PID:3492
- C:\Windows\system32\reg.exe
  Reg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\SettingSync\Groups\DesktopTheme" /v "Enabled" /t REG_DWORD /d "0" /f
  2⤵
  PID:3456
- C:\Windows\system32\reg.exe
  Reg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\SettingSync\Groups\Language" /v "Enabled" /t REG_DWORD /d "0" /f
  2⤵
  PID:2560
- C:\Windows\system32\reg.exe
  Reg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\SettingSync\Groups\PackageState" /v "Enabled" /t REG_DWORD /d "0" /f
  2⤵
  PID:724
- C:\Windows\system32\reg.exe
  Reg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\SettingSync\Groups\Personalization" /v "Enabled" /t REG_DWORD /d "0" /f
  2⤵
  PID:1524
- C:\Windows\system32\reg.exe
  Reg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\SettingSync\Groups\StartLayout" /v "Enabled" /t REG_DWORD /d "0" /f
  2⤵
  PID:928
- C:\Windows\system32\reg.exe
  Reg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\SettingSync\Groups\Windows" /v "Enabled" /t REG_DWORD /d "0" /f
  2⤵
  PID:1704
- C:\Windows\system32\timeout.exe
  timeout /t 1 /nobreak
  2⤵
  - Delays execution with timeout.exe
  PID:1476
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting" /v "Disabled" /t REG_DWORD /d "1" /f
  2⤵
  PID:2784
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting" /v "DoReport" /t REG_DWORD /d "0" /f
  2⤵
  PID:1624
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting" /v "LoggingDisabled" /t REG_DWORD /d "1" /f
  2⤵
  PID:2176
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\PCHealth\ErrorReporting" /v "DoReport" /t REG_DWORD /d "0" /f
  2⤵
  PID:3360
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows\Windows Error Reporting" /v "Disabled" /t REG_DWORD /d "1" /f
  2⤵
  PID:1924
- C:\Windows\system32\reg.exe
  Reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "SilentInstalledAppsEnabled" /t REG_DWORD /d "0" /f
  2⤵
  PID:2704
- C:\Windows\system32\reg.exe
  Reg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "SystemPaneSuggestionsEnabled" /t REG_DWORD /d "0" /f
  2⤵
  PID:4968
- C:\Windows\system32\reg.exe
  Reg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "ShowSyncProviderNotifications" /t REG_DWORD /d "0" /f
  2⤵
  PID:1400
- C:\Windows\system32\reg.exe
  Reg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "SoftLandingEnabled" /t REG_DWORD /d "0" /f
  2⤵
  PID:1940
- C:\Windows\system32\reg.exe
  Reg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "RotatingLockScreenEnabled" /t REG_DWORD /d "0" /f
  2⤵
  PID:2856
- C:\Windows\system32\reg.exe
  Reg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "RotatingLockScreenOverlayEnabled" /t REG_DWORD /d "0" /f
  2⤵
  PID:1464
- C:\Windows\system32\reg.exe
  Reg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "SubscribedContent-310093Enabled" /t REG_DWORD /d "0" /f
  2⤵
  PID:4980
- C:\Windows\system32\reg.exe
  Reg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "SubscribedContent-314563Enabled" /t REG_DWORD /d "0" /f
  2⤵
  PID:2224
- C:\Windows\system32\reg.exe
  Reg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "SubscribedContent-338387Enabled" /t REG_DWORD /d "0" /f
  2⤵
  PID:2504
- C:\Windows\system32\reg.exe
  Reg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "SubscribedContent-338388Enabled" /t REG_DWORD /d "0" /f
  2⤵
  PID:1756
- C:\Windows\system32\reg.exe
  Reg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "SubscribedContent-338389Enabled" /t REG_DWORD /d "0" /f
  2⤵
  PID:3524
- C:\Windows\system32\reg.exe
  Reg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "SubscribedContent-338389Enabled" /t REG_DWORD /d "0" /f
  2⤵
  PID:1604
- C:\Windows\system32\reg.exe
  Reg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "SubscribedContent-338393Enabled" /t REG_DWORD /d "0" /f
  2⤵
  PID:3964
- C:\Windows\system32\reg.exe
  Reg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "SubscribedContent-353698Enabled" /t REG_DWORD /d "0" /f
  2⤵
  PID:728
- C:\Windows\system32\reg.exe
  Reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "DisallowShaking" /t REG_DWORD /d "1" /f
  2⤵
  PID:5032
- C:\Windows\system32\reg.exe
  Reg.exe add "HKCU\Control Panel\Desktop" /v "JPEGImportQuality" /t REG_DWORD /d "256" /f
  2⤵
  PID:1352
- C:\Windows\system32\mode.com
  mode con: cols=138 lines=37
  2⤵
  PID:5068
- C:\Windows\system32\chcp.com
  chcp 65001
  2⤵
  PID:4172
- C:\Windows\system32\chcp.com
  chcp 437
  2⤵
  PID:4324
- C:\Windows\system32\timeout.exe
  timeout /t 1 /nobreak
  2⤵
  - Delays execution with timeout.exe
  PID:4720
- C:\Windows\system32\timeout.exe
  timeout /t 1 /nobreak
  2⤵
  - Delays execution with timeout.exe
  PID:4600
- C:\Windows\system32\reg.exe
  reg add "HKCU\Control Panel\Accessibility\StickyKeys" /v "Flags" /t REG_SZ /d "0" /f
  2⤵
  PID:452
- C:\Windows\system32\timeout.exe
  timeout /t 1 /nobreak
  2⤵
  - Delays execution with timeout.exe
  PID:2648
- C:\Windows\system32\reg.exe
  reg add "HKCU\Control Panel\Accessibility\ToggleKeys" /v "Flags" /t REG_SZ /d "0" /f
  2⤵
  PID:3152
- C:\Windows\system32\timeout.exe
  timeout /t 1 /nobreak
  2⤵
  - Delays execution with timeout.exe
  PID:3444
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic path Win32_USBController get PNPDeviceID| findstr /l "PCI\VEN_"
  2⤵
  PID:3116
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic path Win32_USBController get PNPDeviceID
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3176
- - C:\Windows\system32\findstr.exe
    findstr /l "PCI\VEN_"
    3⤵
    PID:4568
- C:\Windows\system32\reg.exe
  reg add "HKLM\SYSTEM\CurrentControlSet\Enum\PCI\VEN_8086&DEV_24CD&SUBSYS_11001AF4&REV_10\3&11583659&0&20\Device Parameters\Interrupt Management\MessageSignaledInterruptProperties" /v "MSISupported" /t REG_DWORD /d "1" /f
  2⤵
  PID:1660
- C:\Windows\system32\reg.exe
  reg add "HKLM\SYSTEM\CurrentControlSet\Enum\PCI\VEN_8086&DEV_24CD&SUBSYS_11001AF4&REV_10\3&11583659&0&20\Device Parameters\Interrupt Management\Affinity Policy" /v "DevicePriority" /t REG_DWORD /d "0" /f
  2⤵
  PID:3364
- C:\Windows\system32\timeout.exe
  timeout /t 1 /nobreak
  2⤵
  - Delays execution with timeout.exe
  PID:212
- C:\Windows\system32\reg.exe
  reg add "HKLM\SYSTEM\CurrentControlSet\Enum\PCI\VEN_8086&DEV_24CD&SUBSYS_11001AF4&REV_10\3&11583659&0&20\Device Parameters" /v "AllowIdleIrpInD3" /t REG_DWORD /d "0" /f
  2⤵
  PID:3148
- C:\Windows\system32\reg.exe
  reg add "HKLM\SYSTEM\CurrentControlSet\Enum\PCI\VEN_8086&DEV_24CD&SUBSYS_11001AF4&REV_10\3&11583659&0&20\Device Parameters" /v "D3ColdSupported" /t REG_DWORD /d "0" /f
  2⤵
  PID:3652
- C:\Windows\system32\reg.exe
  reg add "HKLM\SYSTEM\CurrentControlSet\Enum\PCI\VEN_8086&DEV_24CD&SUBSYS_11001AF4&REV_10\3&11583659&0&20\Device Parameters" /v "DeviceSelectiveSuspended" /t REG_DWORD /d "0" /f
  2⤵
  PID:4956
- C:\Windows\system32\reg.exe
  reg add "HKLM\SYSTEM\CurrentControlSet\Enum\PCI\VEN_8086&DEV_24CD&SUBSYS_11001AF4&REV_10\3&11583659&0&20\Device Parameters" /v "EnableSelectiveSuspend" /t REG_DWORD /d "0" /f
  2⤵
  PID:4572
- C:\Windows\system32\reg.exe
  reg add "HKLM\SYSTEM\CurrentControlSet\Enum\PCI\VEN_8086&DEV_24CD&SUBSYS_11001AF4&REV_10\3&11583659&0&20\Device Parameters" /v "EnhancedPowerManagementEnabled" /t REG_DWORD /d "0" /f
  2⤵
  PID:3656
- C:\Windows\system32\reg.exe
  reg add "HKLM\SYSTEM\CurrentControlSet\Enum\PCI\VEN_8086&DEV_24CD&SUBSYS_11001AF4&REV_10\3&11583659&0&20\Device Parameters" /v "SelectiveSuspendEnabled" /t REG_DWORD /d "0" /f
  2⤵
  PID:3328
- C:\Windows\system32\reg.exe
  reg add "HKLM\SYSTEM\CurrentControlSet\Enum\PCI\VEN_8086&DEV_24CD&SUBSYS_11001AF4&REV_10\3&11583659&0&20\Device Parameters" /v "SelectiveSuspendOn" /t REG_DWORD /d "0" /f
  2⤵
  PID:5012
- C:\Windows\system32\timeout.exe
  timeout /t 1 /nobreak
  2⤵
  - Delays execution with timeout.exe
  PID:1232
- C:\Windows\system32\reg.exe
  reg add "HKLM\SYSTEM\CurrentControlSet\Services\USB" /v "DisableSelectiveSuspend" /t REG_DWORD /d "1" /f
  2⤵
  PID:316
- C:\Windows\system32\timeout.exe
  timeout /t 1 /nobreak
  2⤵
  - Delays execution with timeout.exe
  PID:3220
- C:\Windows\system32\reg.exe
  reg add "HKCU\Control Panel\Mouse" /v "MouseSensitivity" /t REG_SZ /d "10" /f
  2⤵
  PID:2828
- C:\Windows\system32\timeout.exe
  timeout /t 1 /nobreak
  2⤵
  - Delays execution with timeout.exe
  PID:2368
- C:\Windows\system32\reg.exe
  reg add "HKCU\Control Panel\Keyboard" /v "KeyboardDelay" /t REG_SZ /d "0" /f
  2⤵
  PID:3516
- C:\Windows\system32\timeout.exe
  timeout /t 1 /nobreak
  2⤵
  - Delays execution with timeout.exe
  PID:4184
- C:\Windows\system32\reg.exe
  reg add "HKCU\Control Panel\Keyboard" /v "KeyboardSpeed" /t REG_SZ /d "31" /f
  2⤵
  PID:3628
- C:\Windows\system32\timeout.exe
  timeout /t 1 /nobreak
  2⤵
  - Delays execution with timeout.exe
  PID:4528
- C:\Windows\system32\reg.exe
  reg add "HKLM\SYSTEM\CurrentControlSet\Services\mouclass\Parameters" /v "MouseDataQueueSize" /t REG_DWORD /d "16" /f
  2⤵
  PID:3668
- C:\Windows\system32\timeout.exe
  timeout /t 1 /nobreak
  2⤵
  - Delays execution with timeout.exe
  PID:3056
- C:\Windows\system32\reg.exe
  reg add "HKLM\SYSTEM\CurrentControlSet\Services\kbdclass\Parameters" /v "KeyboardDataQueueSize" /t REG_DWORD /d "16" /f
  2⤵
  PID:3640
- C:\Windows\system32\timeout.exe
  timeout /t 1 /nobreak
  2⤵
  - Delays execution with timeout.exe
  PID:1056
- C:\Windows\system32\reg.exe
  reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\kernel" /v "DebugPollInterval" /t REG_DWORD /d "1000" /f
  2⤵
  PID:2008
- C:\Windows\system32\timeout.exe
  timeout /t 1 /nobreak
  2⤵
  - Delays execution with timeout.exe
  PID:464
- C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\csrss.exe\PerfOptions" /v "CpuPriorityClass" /t REG_DWORD /d "4" /f
  2⤵
  - Event Triggered Execution: Image File Execution Options Injection
  PID:724
- C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\csrss.exe\PerfOptions" /v "IoPriority" /t REG_DWORD /d "3" /f
  2⤵
  - Event Triggered Execution: Image File Execution Options Injection
  PID:1524
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SOFTWARE\Microsoft\Input\Settings\ControllerProcessor\CursorSpeed" /v "CursorSensitivity" /t REG_DWORD /d "64" /f
  2⤵
  PID:928
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SOFTWARE\Microsoft\Input\Settings\ControllerProcessor\CursorSpeed" /v "CursorUpdateInterval" /t REG_DWORD /d "1" /f
  2⤵
  PID:1704
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SOFTWARE\Microsoft\Input\Settings\ControllerProcessor\CursorSpeed" /v "IRecho [95moteNavigationDelta" /t REG_DWORD /d "10" /f
  2⤵
  PID:1476
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SOFTWARE\Microsoft\Input\Settings\ControllerProcessor\CursorMagnetism" /v "AttractionRectInsetInDIPS" /t REG_DWORD /d "5" /f
  2⤵
  PID:2784
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SOFTWARE\Microsoft\Input\Settings\ControllerProcessor\CursorMagnetism" /v "DistanceThresholdInDIPS" /t REG_DWORD /d "40" /f
  2⤵
  PID:1624
- C:\Windows\system32\reg.exe
  reg add "HKCU\Control Panel\Accessibility\Keyboard Response" /v "AutoRepeatDelay" /t REG_SZ /d "0" /f
  2⤵
  PID:2176
- C:\Windows\system32\reg.exe
  reg add "HKCU\Control Panel\Accessibility\Keyboard Response" /v "AutoRepeatRate" /t REG_SZ /d "0" /f
  2⤵
  PID:3360
- C:\Windows\system32\reg.exe
  reg add "HKCU\Control Panel\Accessibility\Keyboard Response" /v "BounceTime" /t REG_SZ /d "0" /f
  2⤵
  PID:2468
- C:\Windows\system32\reg.exe
  reg add "HKCU\Control Panel\Accessibility\Keyboard Response" /v "DelayBeforeAcceptance" /t REG_SZ /d "0" /f
  2⤵
  PID:972
- C:\Windows\system32\reg.exe
  reg add "HKCU\Control Panel\Accessibility\Keyboard Response" /v "Flags" /t REG_SZ /d "0" /f
  2⤵
  PID:208
- C:\Windows\system32\reg.exe
  reg add "HKCU\Control Panel\Accessibility\Keyboard Response" /v "Last BounceKey Setting" /t REG_DWORD /d "0" /f
  2⤵
  PID:3992
- C:\Windows\system32\reg.exe
  reg add "HKCU\Control Panel\Accessibility\Keyboard Response" /v "Last Valid Delay" /t REG_DWORD /d "0" /f
  2⤵
  PID:3428
- C:\Windows\system32\reg.exe
  reg add "HKCU\Control Panel\Accessibility\Keyboard Response" /v "Last Valid Repeat" /t REG_DWORD /d "0" /f
  2⤵
  PID:3972
- C:\Windows\system32\reg.exe
  reg add "HKCU\Control Panel\Accessibility\Keyboard Response" /v "Last Valid Wait" /t REG_DWORD /d "1000" /f
  2⤵
  PID:4804
- C:\Windows\system32\reg.exe
  Reg add "HKCU\Control Panel\Mouse" /v "MouseSensitivity" /t REG_SZ /d "10" /f
  2⤵
  PID:3620
- C:\Windows\system32\reg.exe
  Reg add "HKU\.DEFAULT\Control Panel\Mouse" /v "MouseSpeed" /t REG_SZ /d "0" /f
  2⤵
  - Modifies data under HKEY_USERS
  PID:1684
- C:\Windows\system32\reg.exe
  Reg add "HKU\.DEFAULT\Control Panel\Mouse" /v "MouseThreshold1" /t REG_SZ /d "0" /f
  2⤵
  - Modifies data under HKEY_USERS
  PID:2108
- C:\Windows\system32\reg.exe
  Reg add "HKU\.DEFAULT\Control Panel\Mouse" /v "MouseThreshold2" /t REG_SZ /d "0" /f
  2⤵
  - Modifies data under HKEY_USERS
  PID:3796
- C:\Windows\system32\reg.exe
  reg add "HKCU\Control Panel\Mouse" /v "SmoothMouseYCurve" /t REG_BINARY /d "0000000000000000000038000000000000007000000000000000A800000000000000E00000000000" /f
  2⤵
  PID:4728
- C:\Windows\system32\reg.exe
  reg add "HKCU\Control Panel\Mouse" /v "SmoothMouseXCurve" /t REG_BINARY /d "0000000000000000C0CC0C0000000000809919000000000040662600000000000033330000000000" /f
  2⤵
  PID:5032
- C:\Windows\system32\reg.exe
  Reg add "HKLM\System\CurrentControlSet\Services\MMCSS" /v "Start" /t REG_DWORD /d "4" /f
  2⤵
  PID:1352
- C:\Windows\system32\timeout.exe
  timeout /t 1 /nobreak
  2⤵
  - Delays execution with timeout.exe
  PID:5116
- C:\Windows\system32\reg.exe
  Reg add "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile" /v "NoLazyMode" /t REG_DWORD /d "1" /f
  2⤵
  PID:1308
- C:\Windows\system32\reg.exe
  Reg add "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile" /v "LazyModeTimeout" /t REG_DWORD /d "10000" /f
  2⤵
  PID:4472
- C:\Windows\system32\reg.exe
  Reg add "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Games" /v "Latency Sensitive" /t REG_SZ /d "True" /f
  2⤵
  PID:1484
- C:\Windows\system32\reg.exe
  Reg add "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Games" /v "NoLazyMode" /t REG_DWORD /d "1" /f
  2⤵
  PID:3448
- C:\Windows\system32\mode.com
  mode con: cols=138 lines=37
  2⤵
  PID:792
- C:\Windows\system32\chcp.com
  chcp 65001
  2⤵
  PID:4324
- C:\Windows\system32\chcp.com
  chcp 437
  2⤵
  PID:4720
- C:\Windows\system32\timeout.exe
  timeout /t 1 /nobreak
  2⤵
  - Delays execution with timeout.exe
  PID:4600
- C:\Windows\system32\bcdedit.exe
  bcdedit /set allowedinmemorysettings 0x0
  2⤵
  - Modifies boot configuration data using bcdedit
  PID:452
- C:\Windows\system32\bcdedit.exe
  bcdedit /set isolatedcontext No
  2⤵
  - Modifies boot configuration data using bcdedit
  PID:1848
- C:\Windows\system32\reg.exe
  reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\kernel" /v "DistributeTimers" /t REG_DWORD /d "1" /f
  2⤵
  PID:4508
- C:\Windows\system32\reg.exe
  reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\kernel" /v "DisableTsx" /t REG_DWORD /d "0" /f
  2⤵
  PID:4180
- C:\Windows\system32\reg.exe
  reg add "HKLM\SYSTEM\CurrentControlSet\Control\Power\PowerThrottling" /v "PowerThrottlingOff" /t REG_DWORD /d "1" /f
  2⤵
  PID:808
- C:\Windows\system32\reg.exe
  reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power" /v "CoalescingTimerInterval" /t REG_DWORD /d "0" /f
  2⤵
  PID:1608
- C:\Windows\system32\reg.exe
  reg add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "EnergyEstimationEnabled" /t REG_DWORD /d "0" /f
  2⤵
  PID:1408
- C:\Windows\system32\reg.exe
  reg add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "EventProcessorEnabled" /t REG_DWORD /d "0" /f
  2⤵
  PID:3116
- C:\Windows\system32\mode.com
  mode con: cols=138 lines=37
  2⤵
  PID:1660
- C:\Windows\system32\chcp.com
  chcp 65001
  2⤵
  PID:3364
- C:\Windows\system32\chcp.com
  chcp 437
  2⤵
  PID:4140
- C:\Windows\system32\timeout.exe
  timeout /t 1 /nobreak
  2⤵
  - Delays execution with timeout.exe
  PID:2124
- C:\Windows\system32\chcp.com
  chcp 437
  2⤵
  PID:1356
- C:\Windows\system32\timeout.exe
  timeout /t 1 /nobreak
  2⤵
  - Delays execution with timeout.exe
  PID:680
- C:\Windows\system32\timeout.exe
  timeout /t 1 /nobreak
  2⤵
  - Delays execution with timeout.exe
  PID:1680
- C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\Intel" /v "Disable_OverlayDSQualityEnhancement" /t REG_DWORD /d "1" /f
  2⤵
  PID:3552
- C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\Intel\GMM" /v "DedicatedSegmentSize" /t REG_DWORD /d "512" /f
  2⤵
  PID:2900
- C:\Windows\system32\timeout.exe
  timeout /t 1 /nobreak
  2⤵
  - Delays execution with timeout.exe
  PID:4412
- C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\Intel" /v "IncreaseFixedSegment" /t REG_DWORD /d "1" /f
  2⤵
  PID:4960
- C:\Windows\system32\timeout.exe
  timeout /t 1 /nobreak
  2⤵
  - Delays execution with timeout.exe
  PID:4400
- C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\Intel" /v "AdaptiveVsyncEnable" /t REG_DWORD /d "0" /f
  2⤵
  PID:3380
- C:\Windows\system32\timeout.exe
  timeout /t 1 /nobreak
  2⤵
  - Delays execution with timeout.exe
  PID:1620
- C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\Intel" /v "DisablePFonDP" /t REG_DWORD /d "1" /f
  2⤵
  PID:3628
- C:\Windows\system32\timeout.exe
  timeout /t 1 /nobreak
  2⤵
  - Delays execution with timeout.exe
  PID:4528
- C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\Intel" /v "EnableCompensationForDVI" /t REG_DWORD /d "1" /f
  2⤵
  PID:184
- C:\Windows\system32\timeout.exe
  timeout /t 1 /nobreak
  2⤵
  - Delays execution with timeout.exe
  PID:3032
- C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\Intel" /v "NoFastLinkTrainingForeDP" /t REG_DWORD /d "0" /f
  2⤵
  PID:2812
- C:\Windows\system32\timeout.exe
  timeout /t 1 /nobreak
  2⤵
  - Delays execution with timeout.exe
  PID:1096
- C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\Intel" /v "AllowDeepCStates" /t REG_DWORD /d "0" /f
  2⤵
  PID:1600
- C:\Windows\system32\timeout.exe
  timeout /t 1 /nobreak
  2⤵
  - Delays execution with timeout.exe
  PID:3560
- C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\Intel" /v "ACPowerPolicyVersion" /t REG_DWORD /d "16898" /f
  2⤵
  PID:516
- C:\Windows\system32\timeout.exe
  timeout /t 1 /nobreak
  2⤵
  - Delays execution with timeout.exe
  PID:2312
- C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\Intel" /v "DCPowerPolicyVersion" /t REG_DWORD /d "16642" /f
  2⤵
  PID:2864

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:3376

C:\Windows\system32\srtasks.exe
C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3988

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Event Triggered Execution

T1546

Image File Execution Options Injection

T1546.012

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Event Triggered Execution

T1546

Image File Execution Options Injection

T1546.012

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_pk4mn2io.net.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/3628-3-0x00000250478A0000-0x00000250478C2000-memory.dmp

Filesize
136KB

Download