hxxps://drive[.]google[.]com/file/d/1GZjlJx_17a_ZZZ29DVilHNZWhoa6-ueU/view

Analysis

max time kernel
174s
max time network
213s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
11-09-2024 14:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://drive.google.com/file/d/1GZjlJx_17a_ZZZ29DVilHNZWhoa6-ueU/view

Score

8^/10

discovery evasion execution

Malware Config

Signatures

Disables taskbar notifications via registry modification
evasion

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation	Ultimate Tweaks.exe
Key value queried	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation	Ultimate Tweaks.exe

Executes dropped EXE 5 IoCs

pid	Process
5856	Ultimate Tweaks.exe
6132	Ultimate Tweaks.exe
5364	Ultimate Tweaks.exe
2032	Ultimate Tweaks.exe
2380	Ultimate Tweaks.exe

Loads dropped DLL 17 IoCs

pid	Process
5856	Ultimate Tweaks.exe
5856	Ultimate Tweaks.exe
5856	Ultimate Tweaks.exe
5856	Ultimate Tweaks.exe
5856	Ultimate Tweaks.exe
5856	Ultimate Tweaks.exe
5856	Ultimate Tweaks.exe
5856	Ultimate Tweaks.exe
5856	Ultimate Tweaks.exe
6132	Ultimate Tweaks.exe
5364	Ultimate Tweaks.exe
5364	Ultimate Tweaks.exe
5364	Ultimate Tweaks.exe
5364	Ultimate Tweaks.exe
5364	Ultimate Tweaks.exe
2032	Ultimate Tweaks.exe
2380	Ultimate Tweaks.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Legitimate hosting services abused for malware hosting/C2 1 TTPs 7 IoCs

Web Service

T1102

flow	ioc
4	drive.google.com
8	drive.google.com
9	drive.google.com
15	drive.google.com
183	discord.com
184	discord.com
185	discord.com

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Ultimate Tweaks\locales\af.pak	Ultimate Tweaks.exe
File created	C:\Program Files\Ultimate Tweaks\locales\ca.pak	Ultimate Tweaks.exe
File created	C:\Program Files\Ultimate Tweaks\locales\en-GB.pak	Ultimate Tweaks.exe
File created	C:\Program Files\Ultimate Tweaks\locales\et.pak	Ultimate Tweaks.exe
File created	C:\Program Files\Ultimate Tweaks\locales\he.pak	Ultimate Tweaks.exe
File created	C:\Program Files\Ultimate Tweaks\locales\ms.pak	Ultimate Tweaks.exe
File created	C:\Program Files\Ultimate Tweaks\locales\nl.pak	Ultimate Tweaks.exe
File created	C:\Program Files\Ultimate Tweaks\icudtl.dat	Ultimate Tweaks.exe
File created	C:\Program Files\Ultimate Tweaks\locales\fr.pak	Ultimate Tweaks.exe
File created	C:\Program Files\Ultimate Tweaks\locales\it.pak	Ultimate Tweaks.exe
File created	C:\Program Files\Ultimate Tweaks\libEGL.dll	Ultimate Tweaks.exe
File created	C:\Program Files\Ultimate Tweaks\locales\nb.pak	Ultimate Tweaks.exe
File created	C:\Program Files\Ultimate Tweaks\locales\zh-CN.pak	Ultimate Tweaks.exe
File created	C:\Program Files\Ultimate Tweaks\Uninstall Ultimate Tweaks.exe	Ultimate Tweaks.exe
File opened for modification	C:\Program Files\Ultimate Tweaks\database\Fps.db	Ultimate Tweaks.exe
File created	C:\Program Files\Ultimate Tweaks\locales\es-419.pak	Ultimate Tweaks.exe
File created	C:\Program Files\Ultimate Tweaks\Ultimate Tweaks.exe	Ultimate Tweaks.exe
File created	C:\Program Files\Ultimate Tweaks\locales\cs.pak	Ultimate Tweaks.exe
File created	C:\Program Files\Ultimate Tweaks\locales\hr.pak	Ultimate Tweaks.exe
File created	C:\Program Files\Ultimate Tweaks\locales\sk.pak	Ultimate Tweaks.exe
File created	C:\Program Files\Ultimate Tweaks\resources\app-update.yml	Ultimate Tweaks.exe
File created	C:\Program Files\Ultimate Tweaks\LICENSE.electron.txt	Ultimate Tweaks.exe
File created	C:\Program Files\Ultimate Tweaks\locales\bn.pak	Ultimate Tweaks.exe
File created	C:\Program Files\Ultimate Tweaks\locales\el.pak	Ultimate Tweaks.exe
File created	C:\Program Files\Ultimate Tweaks\locales\lt.pak	Ultimate Tweaks.exe
File created	C:\Program Files\Ultimate Tweaks\locales\te.pak	Ultimate Tweaks.exe
File opened for modification	C:\Program Files\Ultimate Tweaks\locales	Ultimate Tweaks.exe
File created	C:\Program Files\Ultimate Tweaks\locales\bg.pak	Ultimate Tweaks.exe
File created	C:\Program Files\Ultimate Tweaks\locales\de.pak	Ultimate Tweaks.exe
File created	C:\Program Files\Ultimate Tweaks\locales\kn.pak	Ultimate Tweaks.exe
File created	C:\Program Files\Ultimate Tweaks\locales\ru.pak	Ultimate Tweaks.exe
File created	C:\Program Files\Ultimate Tweaks\locales\uk.pak	Ultimate Tweaks.exe
File created	C:\Program Files\Ultimate Tweaks\locales\am.pak	Ultimate Tweaks.exe
File created	C:\Program Files\Ultimate Tweaks\snapshot_blob.bin	Ultimate Tweaks.exe
File created	C:\Program Files\Ultimate Tweaks\vk_swiftshader.dll	Ultimate Tweaks.exe
File created	C:\Program Files\Ultimate Tweaks\locales\gu.pak	Ultimate Tweaks.exe
File created	C:\Program Files\Ultimate Tweaks\locales\ja.pak	Ultimate Tweaks.exe
File created	C:\Program Files\Ultimate Tweaks\locales\lv.pak	Ultimate Tweaks.exe
File created	C:\Program Files\Ultimate Tweaks\locales\ml.pak	Ultimate Tweaks.exe
File opened for modification	C:\Program Files\Ultimate Tweaks\resources	Ultimate Tweaks.exe
File created	C:\Program Files\Ultimate Tweaks\chrome_200_percent.pak	Ultimate Tweaks.exe
File created	C:\Program Files\Ultimate Tweaks\database\Fps.db~	Ultimate Tweaks.exe
File opened for modification	C:\Program Files\Ultimate Tweaks\database\Fps.db~	Ultimate Tweaks.exe
File created	C:\Program Files\Ultimate Tweaks\database\Fps.db	Ultimate Tweaks.exe
File created	C:\Program Files\Ultimate Tweaks\locales\mr.pak	Ultimate Tweaks.exe
File created	C:\Program Files\Ultimate Tweaks\resources\app.asar	Ultimate Tweaks.exe
File created	C:\Program Files\Ultimate Tweaks\locales\id.pak	Ultimate Tweaks.exe
File created	C:\Program Files\Ultimate Tweaks\vk_swiftshader_icd.json	Ultimate Tweaks.exe
File created	C:\Program Files\Ultimate Tweaks\locales\en-US.pak	Ultimate Tweaks.exe
File created	C:\Program Files\Ultimate Tweaks\locales\pt-PT.pak	Ultimate Tweaks.exe
File created	C:\Program Files\Ultimate Tweaks\locales\sr.pak	Ultimate Tweaks.exe
File created	C:\Program Files\Ultimate Tweaks\locales\ur.pak	Ultimate Tweaks.exe
File created	C:\Program Files\Ultimate Tweaks\locales\vi.pak	Ultimate Tweaks.exe
File created	C:\Program Files\Ultimate Tweaks\locales\zh-TW.pak	Ultimate Tweaks.exe
File created	C:\Program Files\Ultimate Tweaks\libGLESv2.dll	Ultimate Tweaks.exe
File created	C:\Program Files\Ultimate Tweaks\locales\sl.pak	Ultimate Tweaks.exe
File created	C:\Program Files\Ultimate Tweaks\locales\tr.pak	Ultimate Tweaks.exe
File created	C:\Program Files\Ultimate Tweaks\v8_context_snapshot.bin	Ultimate Tweaks.exe
File created	C:\Program Files\Ultimate Tweaks\locales\pl.pak	Ultimate Tweaks.exe
File created	C:\Program Files\Ultimate Tweaks\locales\pt-BR.pak	Ultimate Tweaks.exe
File created	C:\Program Files\Ultimate Tweaks\locales\sw.pak	Ultimate Tweaks.exe
File created	C:\Program Files\Ultimate Tweaks\LICENSES.chromium.html	Ultimate Tweaks.exe
File created	C:\Program Files\Ultimate Tweaks\locales\ar.pak	Ultimate Tweaks.exe
File created	C:\Program Files\Ultimate Tweaks\locales\es.pak	Ultimate Tweaks.exe

Launches sc.exe 63 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
5760	sc.exe
2004	sc.exe
2964	sc.exe
3248	sc.exe
5676	sc.exe
4932	sc.exe
180	sc.exe
1296	sc.exe
6072	sc.exe
3284	sc.exe
6024	sc.exe
4108	sc.exe
2552	sc.exe
4484	sc.exe
5196	sc.exe
1036	sc.exe
3240	sc.exe
5724	sc.exe
5356	sc.exe
1044	sc.exe
468	sc.exe
4352	sc.exe
2348	sc.exe
5692	sc.exe
5724	sc.exe
4300	sc.exe
2704	sc.exe
2684	sc.exe
5124	sc.exe
6024	sc.exe
5856	sc.exe
428	sc.exe
5968	sc.exe
392	sc.exe
2012	sc.exe
5660	sc.exe
5644	sc.exe
900	sc.exe
4500	sc.exe
2068	sc.exe
5324	sc.exe
5784	sc.exe
1728	sc.exe
6008	sc.exe
1044	sc.exe
2416	sc.exe
5688	sc.exe
744	sc.exe
5172	sc.exe
900	sc.exe
5468	sc.exe
4492	sc.exe
4560	sc.exe
376	sc.exe
3836	sc.exe
5452	sc.exe
3788	sc.exe
4880	sc.exe
4104	sc.exe
2540	sc.exe
4980	sc.exe
4844	sc.exe
4304	sc.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Command and Scripting Interpreter: PowerShell 1 TTPs 64 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
2120	powershell.exe
5640	powershell.exe
4840	powershell.exe
6704	powershell.exe
760	powershell.exe
2068	powershell.exe
3156	powershell.exe
5452	powershell.exe
544	powershell.exe
6200	powershell.exe
6248	powershell.exe
2776	powershell.exe
3540	powershell.exe
5964	powershell.exe
2732	powershell.exe
760	powershell.exe
1860	powershell.exe
5484	powershell.exe
264	powershell.exe
7040	powershell.exe
2348	powershell.exe
6424	powershell.exe
1812	powershell.exe
764	powershell.exe
4492	powershell.exe
6032	powershell.exe
4788	powershell.exe
952	powershell.exe
7032	powershell.exe
5972	powershell.exe
2668	powershell.exe
3068	powershell.exe
2552	powershell.exe
5684	powershell.exe
5784	powershell.exe
5884	powershell.exe
5768	powershell.exe
5732	powershell.exe
1424	powershell.exe
1200	powershell.exe
432	powershell.exe
4980	powershell.exe
2984	powershell.exe
5760	powershell.exe
4104	powershell.exe
6368	powershell.exe
3516	powershell.exe
2984	powershell.exe
6068	powershell.exe
2388	powershell.exe
6336	powershell.exe
1192	powershell.exe
1192	powershell.exe
2964	powershell.exe
4596	powershell.exe
5308	powershell.exe
6920	powershell.exe
1888	powershell.exe
4984	powershell.exe
5808	powershell.exe
6596	powershell.exe
5480	powershell.exe
4316	powershell.exe
6256	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ultimate Tweaks.exe

Checks processor information in registry 2 TTPs 9 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet	reg.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	Ultimate Tweaks.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	Ultimate Tweaks.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\2	Ultimate Tweaks.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	reg.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Ultimate Tweaks.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Ultimate Tweaks.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	Ultimate Tweaks.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	Ultimate Tweaks.exe

Disables Windows logging functionality 2 TTPs
Changes registry settings to disable Windows Event logging.

Disable or Modify Tools
T1562.001

Modify Registry
T1112

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies data under HKEY_USERS 38 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Control Panel\Mouse\MouseThreshold1 = "0"	reg.exe
Key created	\REGISTRY\USER\.DEFAULT\Control Panel\Mouse	reg.exe
Key created	\REGISTRY\USER\.DEFAULT\Control Panel\Sound	reg.exe
Key created	\REGISTRY\USER\.DEFAULT\Control Panel\Accessibility\Keyboard Response	reg.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Control Panel\Accessibility\Keyboard Response\Flags = "0"	reg.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Control Panel\Desktop\MenuShowDelay = "0"	reg.exe
Key created	\REGISTRY\USER\.DEFAULT\Control Panel\Mouse	reg.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Control Panel\Sound\ExtendedSounds = "no"	reg.exe
Key created	\REGISTRY\USER\.DEFAULT\Control Panel\Desktop	reg.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Control Panel\Mouse\MouseHoverTime = "0"	reg.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Control Panel\Mouse\MouseSpeed = "0"	reg.exe
Key created	\REGISTRY\USER\.DEFAULT\Control Panel\Desktop	reg.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Control Panel\Accessibility\TimeOut\Flags = "0"	reg.exe
Key created	\REGISTRY\USER\.DEFAULT\Control Panel\Mouse	reg.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Control Panel\Accessibility\HighContrast\Flags = "0"	reg.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Control Panel\Accessibility\SoundSentry\Flags = "0"	reg.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Control Panel\Desktop\MenuShowDelay = "0"	reg.exe
Key created	\REGISTRY\USER\.DEFAULT\Control Panel\Mouse	reg.exe
Key created	\REGISTRY\USER\.DEFAULT\Control Panel\Desktop	reg.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Control Panel\Sound\Beep = "no"	reg.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Control Panel\Accessibility\StickyKeys\Flags = "0"	reg.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Control Panel\Accessibility\ToggleKeys\Flags = "0"	reg.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Control Panel\Mouse\Beep = "No"	reg.exe
Key created	\REGISTRY\USER\.DEFAULT\Control Panel\Sound	reg.exe
Key created	\REGISTRY\USER\.DEFAULT\Control Panel\Mouse	reg.exe
Key created	\REGISTRY\USER\.DEFAULT\Control Panel\Mouse	reg.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Control Panel\Mouse\MouseThreshold2 = "0"	reg.exe
Key created	\REGISTRY\USER\.DEFAULT\Control Panel\Desktop	reg.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Control Panel\Desktop\ForegroundLockTimeout = "0"	reg.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Control Panel\Desktop\MouseWheelRouting = "0"	reg.exe
Key created	\REGISTRY\USER\.DEFAULT\Control Panel\Accessibility\HighContrast	reg.exe
Key created	\REGISTRY\USER\.DEFAULT\Control Panel\Accessibility\MouseKeys	reg.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Control Panel\Accessibility\MouseKeys\Flags = "0"	reg.exe
Key created	\REGISTRY\USER\.DEFAULT\Control Panel\Accessibility\SoundSentry	reg.exe
Key created	\REGISTRY\USER\.DEFAULT\Control Panel\Accessibility\TimeOut	reg.exe
Key created	\REGISTRY\USER\.DEFAULT\Control Panel\Accessibility\ToggleKeys	reg.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Control Panel\Mouse\ExtendedSounds = "No"	reg.exe
Key created	\REGISTRY\USER\.DEFAULT\Control Panel\Accessibility\StickyKeys	reg.exe

Modifies registry class 12 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings\Software\Microsoft	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\FolderType = "NotSpecified"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings\Software	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings\Software\Microsoft\Windows	reg.exe

NTFS ADS 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 417411.crdownload:SmartScreen	msedge.exe
File created	C:\Users\Admin\AppData\Local\ultimate-tweaks-updater\installer.exe\:SmartScreen:$DATA	Ultimate Tweaks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2140	msedge.exe
2140	msedge.exe
4144	msedge.exe
4144	msedge.exe
1768	identity_helper.exe
1768	identity_helper.exe
5748	msedge.exe
5748	msedge.exe
5856	Ultimate Tweaks.exe
5856	Ultimate Tweaks.exe
2964	powershell.exe
2964	powershell.exe
4596	powershell.exe
4596	powershell.exe
4596	powershell.exe
2964	powershell.exe
5972	powershell.exe
5972	powershell.exe
3184	powershell.exe
3184	powershell.exe
5972	powershell.exe
3184	powershell.exe
2776	powershell.exe
2776	powershell.exe
5480	powershell.exe
5480	powershell.exe
2776	powershell.exe
5480	powershell.exe
2668	powershell.exe
2668	powershell.exe
540	powershell.exe
540	powershell.exe
540	powershell.exe
2668	powershell.exe
5640	powershell.exe
5640	powershell.exe
2120	powershell.exe
2120	powershell.exe
5640	powershell.exe
2120	powershell.exe
6068	powershell.exe
6068	powershell.exe
1888	powershell.exe
1888	powershell.exe
6068	powershell.exe
1888	powershell.exe
1812	powershell.exe
1812	powershell.exe
5884	powershell.exe
5884	powershell.exe
1812	powershell.exe
5884	powershell.exe
760	powershell.exe
760	powershell.exe
1192	powershell.exe
1192	powershell.exe
760	powershell.exe
1192	powershell.exe
5308	powershell.exe
5308	powershell.exe
1424	powershell.exe
1424	powershell.exe
5308	powershell.exe
1424	powershell.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs

pid	Process
4144	msedge.exe
4144	msedge.exe
4144	msedge.exe
4144	msedge.exe
4144	msedge.exe
4144	msedge.exe
4144	msedge.exe
4144	msedge.exe
4144	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeSecurityPrivilege	5856	Ultimate Tweaks.exe
Token: SeShutdownPrivilege	6132	Ultimate Tweaks.exe
Token: SeCreatePagefilePrivilege	6132	Ultimate Tweaks.exe
Token: SeShutdownPrivilege	6132	Ultimate Tweaks.exe
Token: SeCreatePagefilePrivilege	6132	Ultimate Tweaks.exe
Token: SeDebugPrivilege	2964	powershell.exe
Token: SeDebugPrivilege	4596	powershell.exe
Token: SeShutdownPrivilege	6132	Ultimate Tweaks.exe
Token: SeCreatePagefilePrivilege	6132	Ultimate Tweaks.exe
Token: SeIncreaseQuotaPrivilege	2964	powershell.exe
Token: SeSecurityPrivilege	2964	powershell.exe
Token: SeTakeOwnershipPrivilege	2964	powershell.exe
Token: SeLoadDriverPrivilege	2964	powershell.exe
Token: SeSystemProfilePrivilege	2964	powershell.exe
Token: SeSystemtimePrivilege	2964	powershell.exe
Token: SeProfSingleProcessPrivilege	2964	powershell.exe
Token: SeIncBasePriorityPrivilege	2964	powershell.exe
Token: SeCreatePagefilePrivilege	2964	powershell.exe
Token: SeBackupPrivilege	2964	powershell.exe
Token: SeRestorePrivilege	2964	powershell.exe
Token: SeShutdownPrivilege	2964	powershell.exe
Token: SeDebugPrivilege	2964	powershell.exe
Token: SeSystemEnvironmentPrivilege	2964	powershell.exe
Token: SeRemoteShutdownPrivilege	2964	powershell.exe
Token: SeUndockPrivilege	2964	powershell.exe
Token: SeManageVolumePrivilege	2964	powershell.exe
Token: 33	2964	powershell.exe
Token: 34	2964	powershell.exe
Token: 35	2964	powershell.exe
Token: 36	2964	powershell.exe
Token: SeShutdownPrivilege	6132	Ultimate Tweaks.exe
Token: SeCreatePagefilePrivilege	6132	Ultimate Tweaks.exe
Token: SeShutdownPrivilege	6132	Ultimate Tweaks.exe
Token: SeCreatePagefilePrivilege	6132	Ultimate Tweaks.exe
Token: SeShutdownPrivilege	6132	Ultimate Tweaks.exe
Token: SeCreatePagefilePrivilege	6132	Ultimate Tweaks.exe
Token: SeDebugPrivilege	3184	powershell.exe
Token: SeDebugPrivilege	5972	powershell.exe
Token: SeShutdownPrivilege	6132	Ultimate Tweaks.exe
Token: SeCreatePagefilePrivilege	6132	Ultimate Tweaks.exe
Token: SeIncreaseQuotaPrivilege	5972	powershell.exe
Token: SeSecurityPrivilege	5972	powershell.exe
Token: SeTakeOwnershipPrivilege	5972	powershell.exe
Token: SeLoadDriverPrivilege	5972	powershell.exe
Token: SeSystemProfilePrivilege	5972	powershell.exe
Token: SeSystemtimePrivilege	5972	powershell.exe
Token: SeProfSingleProcessPrivilege	5972	powershell.exe
Token: SeIncBasePriorityPrivilege	5972	powershell.exe
Token: SeCreatePagefilePrivilege	5972	powershell.exe
Token: SeBackupPrivilege	5972	powershell.exe
Token: SeRestorePrivilege	5972	powershell.exe
Token: SeShutdownPrivilege	5972	powershell.exe
Token: SeDebugPrivilege	5972	powershell.exe
Token: SeSystemEnvironmentPrivilege	5972	powershell.exe
Token: SeRemoteShutdownPrivilege	5972	powershell.exe
Token: SeUndockPrivilege	5972	powershell.exe
Token: SeManageVolumePrivilege	5972	powershell.exe
Token: 33	5972	powershell.exe
Token: 34	5972	powershell.exe
Token: 35	5972	powershell.exe
Token: 36	5972	powershell.exe
Token: SeShutdownPrivilege	6132	Ultimate Tweaks.exe
Token: SeCreatePagefilePrivilege	6132	Ultimate Tweaks.exe
Token: SeShutdownPrivilege	6132	Ultimate Tweaks.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
4144	msedge.exe
4144	msedge.exe
4144	msedge.exe
4144	msedge.exe
4144	msedge.exe
4144	msedge.exe
4144	msedge.exe
4144	msedge.exe
4144	msedge.exe
4144	msedge.exe
4144	msedge.exe
4144	msedge.exe
4144	msedge.exe
4144	msedge.exe
4144	msedge.exe
4144	msedge.exe
4144	msedge.exe
4144	msedge.exe
4144	msedge.exe
4144	msedge.exe
4144	msedge.exe
4144	msedge.exe
4144	msedge.exe
4144	msedge.exe
4144	msedge.exe
4144	msedge.exe
4144	msedge.exe
4144	msedge.exe
4144	msedge.exe
4144	msedge.exe
4144	msedge.exe
4144	msedge.exe
4144	msedge.exe
4144	msedge.exe
4144	msedge.exe
4144	msedge.exe
4144	msedge.exe
4144	msedge.exe
4144	msedge.exe
4144	msedge.exe
4144	msedge.exe
4144	msedge.exe
4144	msedge.exe
4144	msedge.exe
4144	msedge.exe
4144	msedge.exe
4144	msedge.exe
4144	msedge.exe
4144	msedge.exe
4144	msedge.exe
4144	msedge.exe
4144	msedge.exe
4144	msedge.exe
4144	msedge.exe
4144	msedge.exe
4144	msedge.exe
4144	msedge.exe
4144	msedge.exe
4144	msedge.exe
4144	msedge.exe
4144	msedge.exe
4144	msedge.exe
4144	msedge.exe
4144	msedge.exe

Suspicious use of SendNotifyMessage 32 IoCs

pid	Process
4144	msedge.exe
4144	msedge.exe
4144	msedge.exe
4144	msedge.exe
4144	msedge.exe
4144	msedge.exe
4144	msedge.exe
4144	msedge.exe
4144	msedge.exe
4144	msedge.exe
4144	msedge.exe
4144	msedge.exe
4144	msedge.exe
4144	msedge.exe
4144	msedge.exe
4144	msedge.exe
4144	msedge.exe
4144	msedge.exe
4144	msedge.exe
4144	msedge.exe
4144	msedge.exe
4144	msedge.exe
4144	msedge.exe
4144	msedge.exe
4144	msedge.exe
4144	msedge.exe
4144	msedge.exe
4144	msedge.exe
4144	msedge.exe
4144	msedge.exe
4144	msedge.exe
4144	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4144 wrote to memory of 3492	4144	msedge.exe	84
PID 4144 wrote to memory of 3492	4144	msedge.exe	84
PID 4144 wrote to memory of 5116	4144	msedge.exe	85
PID 4144 wrote to memory of 5116	4144	msedge.exe	85
PID 4144 wrote to memory of 5116	4144	msedge.exe	85
PID 4144 wrote to memory of 5116	4144	msedge.exe	85
PID 4144 wrote to memory of 5116	4144	msedge.exe	85
PID 4144 wrote to memory of 5116	4144	msedge.exe	85
PID 4144 wrote to memory of 5116	4144	msedge.exe	85
PID 4144 wrote to memory of 5116	4144	msedge.exe	85
PID 4144 wrote to memory of 5116	4144	msedge.exe	85
PID 4144 wrote to memory of 5116	4144	msedge.exe	85
PID 4144 wrote to memory of 5116	4144	msedge.exe	85
PID 4144 wrote to memory of 5116	4144	msedge.exe	85
PID 4144 wrote to memory of 5116	4144	msedge.exe	85
PID 4144 wrote to memory of 5116	4144	msedge.exe	85
PID 4144 wrote to memory of 5116	4144	msedge.exe	85
PID 4144 wrote to memory of 5116	4144	msedge.exe	85
PID 4144 wrote to memory of 5116	4144	msedge.exe	85
PID 4144 wrote to memory of 5116	4144	msedge.exe	85
PID 4144 wrote to memory of 5116	4144	msedge.exe	85
PID 4144 wrote to memory of 5116	4144	msedge.exe	85
PID 4144 wrote to memory of 5116	4144	msedge.exe	85
PID 4144 wrote to memory of 5116	4144	msedge.exe	85
PID 4144 wrote to memory of 5116	4144	msedge.exe	85
PID 4144 wrote to memory of 5116	4144	msedge.exe	85
PID 4144 wrote to memory of 5116	4144	msedge.exe	85
PID 4144 wrote to memory of 5116	4144	msedge.exe	85
PID 4144 wrote to memory of 5116	4144	msedge.exe	85
PID 4144 wrote to memory of 5116	4144	msedge.exe	85
PID 4144 wrote to memory of 5116	4144	msedge.exe	85
PID 4144 wrote to memory of 5116	4144	msedge.exe	85
PID 4144 wrote to memory of 5116	4144	msedge.exe	85
PID 4144 wrote to memory of 5116	4144	msedge.exe	85
PID 4144 wrote to memory of 5116	4144	msedge.exe	85
PID 4144 wrote to memory of 5116	4144	msedge.exe	85
PID 4144 wrote to memory of 5116	4144	msedge.exe	85
PID 4144 wrote to memory of 5116	4144	msedge.exe	85
PID 4144 wrote to memory of 5116	4144	msedge.exe	85
PID 4144 wrote to memory of 5116	4144	msedge.exe	85
PID 4144 wrote to memory of 5116	4144	msedge.exe	85
PID 4144 wrote to memory of 5116	4144	msedge.exe	85
PID 4144 wrote to memory of 2140	4144	msedge.exe	86
PID 4144 wrote to memory of 2140	4144	msedge.exe	86
PID 4144 wrote to memory of 1164	4144	msedge.exe	87
PID 4144 wrote to memory of 1164	4144	msedge.exe	87
PID 4144 wrote to memory of 1164	4144	msedge.exe	87
PID 4144 wrote to memory of 1164	4144	msedge.exe	87
PID 4144 wrote to memory of 1164	4144	msedge.exe	87
PID 4144 wrote to memory of 1164	4144	msedge.exe	87
PID 4144 wrote to memory of 1164	4144	msedge.exe	87
PID 4144 wrote to memory of 1164	4144	msedge.exe	87
PID 4144 wrote to memory of 1164	4144	msedge.exe	87
PID 4144 wrote to memory of 1164	4144	msedge.exe	87
PID 4144 wrote to memory of 1164	4144	msedge.exe	87
PID 4144 wrote to memory of 1164	4144	msedge.exe	87
PID 4144 wrote to memory of 1164	4144	msedge.exe	87
PID 4144 wrote to memory of 1164	4144	msedge.exe	87
PID 4144 wrote to memory of 1164	4144	msedge.exe	87
PID 4144 wrote to memory of 1164	4144	msedge.exe	87
PID 4144 wrote to memory of 1164	4144	msedge.exe	87
PID 4144 wrote to memory of 1164	4144	msedge.exe	87
PID 4144 wrote to memory of 1164	4144	msedge.exe	87
PID 4144 wrote to memory of 1164	4144	msedge.exe	87

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://drive.google.com/file/d/1GZjlJx_17a_ZZZ29DVilHNZWhoa6-ueU/view
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4144
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff82fc046f8,0x7ff82fc04708,0x7ff82fc04718
  2⤵
  PID:3492
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2148,2958072326847405959,16555846524022503893,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2164 /prefetch:2
  2⤵
  PID:5116
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2148,2958072326847405959,16555846524022503893,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2420 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2140
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2148,2958072326847405959,16555846524022503893,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2748 /prefetch:8
  2⤵
  PID:1164
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,2958072326847405959,16555846524022503893,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3336 /prefetch:1
  2⤵
  PID:2480
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,2958072326847405959,16555846524022503893,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3360 /prefetch:1
  2⤵
  PID:2452
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,2958072326847405959,16555846524022503893,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4848 /prefetch:1
  2⤵
  PID:2908
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,2958072326847405959,16555846524022503893,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3768 /prefetch:1
  2⤵
  PID:3112
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2148,2958072326847405959,16555846524022503893,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5992 /prefetch:8
  2⤵
  PID:3140
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2148,2958072326847405959,16555846524022503893,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5992 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1768
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,2958072326847405959,16555846524022503893,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5240 /prefetch:1
  2⤵
  PID:2376
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,2958072326847405959,16555846524022503893,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5252 /prefetch:1
  2⤵
  PID:2552
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2148,2958072326847405959,16555846524022503893,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=6072 /prefetch:8
  2⤵
  PID:5192
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,2958072326847405959,16555846524022503893,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6096 /prefetch:1
  2⤵
  PID:5200
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,2958072326847405959,16555846524022503893,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5112 /prefetch:1
  2⤵
  PID:5212
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,2958072326847405959,16555846524022503893,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5952 /prefetch:1
  2⤵
  PID:5220
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2148,2958072326847405959,16555846524022503893,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6720 /prefetch:8
  2⤵
  PID:5328
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2148,2958072326847405959,16555846524022503893,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2640 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5748
- C:\Users\Admin\Downloads\Ultimate Tweaks.exe
  "C:\Users\Admin\Downloads\Ultimate Tweaks.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5856
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2148,2958072326847405959,16555846524022503893,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4996 /prefetch:2
  2⤵
  PID:5684
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,2958072326847405959,16555846524022503893,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4892 /prefetch:1
  2⤵
  PID:6500
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,2958072326847405959,16555846524022503893,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5156 /prefetch:1
  2⤵
  PID:2400

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:208

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1500

C:\Program Files\Ultimate Tweaks\Ultimate Tweaks.exe
"C:\Program Files\Ultimate Tweaks\Ultimate Tweaks.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:6132
- C:\Program Files\Ultimate Tweaks\Ultimate Tweaks.exe
  "C:\Program Files\Ultimate Tweaks\Ultimate Tweaks.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\Ultimate Tweaks" --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=1712 --field-trial-handle=1732,i,9349728768675065970,717138365882672266,262144 --enable-features=kWebSQLAccess --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version /prefetch:2
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:5364
- C:\Program Files\Ultimate Tweaks\Ultimate Tweaks.exe
  "C:\Program Files\Ultimate Tweaks\Ultimate Tweaks.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\Ultimate Tweaks" --mojo-platform-channel-handle=2204 --field-trial-handle=1732,i,9349728768675065970,717138365882672266,262144 --enable-features=kWebSQLAccess --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version /prefetch:3
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:2032
- C:\Program Files\Ultimate Tweaks\Ultimate Tweaks.exe
  "C:\Program Files\Ultimate Tweaks\Ultimate Tweaks.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\Ultimate Tweaks" --app-path="C:\Program Files\Ultimate Tweaks\resources\app.asar" --no-sandbox --no-zygote --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=4 --mojo-platform-channel-handle=2408 --field-trial-handle=1732,i,9349728768675065970,717138365882672266,262144 --enable-features=kWebSQLAccess --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version /prefetch:1
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Checks processor information in registry
  PID:2380
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "chcp"
    3⤵
    PID:2552
  - - C:\Windows\system32\chcp.com
      chcp
      4⤵
      PID:5612
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4596
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2964
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3184
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:5972
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\Scheduler" /v "VsyncIdleTimeout" /t REG_DWORD /d "0" /f"
    3⤵
    PID:5948
  - - C:\Windows\system32\reg.exe
      Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\Scheduler" /v "VsyncIdleTimeout" /t REG_DWORD /d "0" /f
      4⤵
      PID:3544
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "Reg.exe add "HKCU\System\GameConfigStore" /v "GameDVR_Enabled" /t REG_DWORD /d "0" /f"
    3⤵
    PID:2120
  - - C:\Windows\system32\reg.exe
      Reg.exe add "HKCU\System\GameConfigStore" /v "GameDVR_Enabled" /t REG_DWORD /d "0" /f
      4⤵
      PID:4516
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "Reg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\GameDVR" /v "AppCaptureEnabled" /t REG_DWORD /d "0" /f"
    3⤵
    PID:5668
  - - C:\Windows\system32\reg.exe
      Reg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\GameDVR" /v "AppCaptureEnabled" /t REG_DWORD /d "0" /f
      4⤵
      PID:5180
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "Reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows\GameDVR" /v "AllowgameDVR" /t REG_DWORD /d "0" /f"
    3⤵
    PID:1996
  - - C:\Windows\system32\reg.exe
      Reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows\GameDVR" /v "AllowgameDVR" /t REG_DWORD /d "0" /f
      4⤵
      PID:5792
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "Reg.exe add "HKLM\SOFTWARE\Intel\GMM" /v "DedicatedSegmentSize" /t REG_DWORD /d "1298" /f"
    3⤵
    PID:3912
  - - C:\Windows\system32\reg.exe
      Reg.exe add "HKLM\SOFTWARE\Intel\GMM" /v "DedicatedSegmentSize" /t REG_DWORD /d "1298" /f
      4⤵
      PID:936
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\PriorityControl" /v "Win32PrioritySeparation" /t REG_DWORD /d "38" /f"
    3⤵
    PID:1816
  - - C:\Windows\system32\reg.exe
      Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\PriorityControl" /v "Win32PrioritySeparation" /t REG_DWORD /d "38" /f
      4⤵
      PID:5772
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\PriorityControl" /v "IRQ8Priority" /t REG_DWORD /d "1" /f"
    3⤵
    PID:5780
  - - C:\Windows\system32\reg.exe
      Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\PriorityControl" /v "IRQ8Priority" /t REG_DWORD /d "1" /f
      4⤵
      PID:2372
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\PriorityControl" /v "IRQ16Priority" /t REG_DWORD /d "2" /f"
    3⤵
    PID:2608
  - - C:\Windows\system32\reg.exe
      Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\PriorityControl" /v "IRQ16Priority" /t REG_DWORD /d "2" /f
      4⤵
      PID:4592
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:2776
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:5480
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "Reg.exe add "HKLM\SYSTEM\ControlSet001\Control\PriorityControl" /v "Win32PrioritySeparation" /t REG_DWORD /d "38" /f"
    3⤵
    PID:1660
  - - C:\Windows\system32\reg.exe
      Reg.exe add "HKLM\SYSTEM\ControlSet001\Control\PriorityControl" /v "Win32PrioritySeparation" /t REG_DWORD /d "38" /f
      4⤵
      PID:6108
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "Reg.exe add "HKLM\SYSTEM\ControlSet001\Control\PriorityControl" /v "IRQ8Priority" /t REG_DWORD /d "1" /f"
    3⤵
    PID:4884
  - - C:\Windows\system32\reg.exe
      Reg.exe add "HKLM\SYSTEM\ControlSet001\Control\PriorityControl" /v "IRQ8Priority" /t REG_DWORD /d "1" /f
      4⤵
      PID:4208
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "Reg.exe add "HKLM\SYSTEM\ControlSet001\Control\PriorityControl" /v "IRQ16Priority" /t REG_DWORD /d "2" /f"
    3⤵
    PID:5140
  - - C:\Windows\system32\reg.exe
      Reg.exe add "HKLM\SYSTEM\ControlSet001\Control\PriorityControl" /v "IRQ16Priority" /t REG_DWORD /d "2" /f
      4⤵
      PID:2120
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters" /v "EnablePrefetcher" /t REG_DWORD /d "0" /f"
    3⤵
    PID:2332
  - - C:\Windows\system32\reg.exe
      Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters" /v "EnablePrefetcher" /t REG_DWORD /d "0" /f
      4⤵
      PID:760
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters" /v "EnableSuperfetch" /t REG_DWORD /d "0" /f"
    3⤵
    PID:5796
  - - C:\Windows\system32\reg.exe
      Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters" /v "EnableSuperfetch" /t REG_DWORD /d "0" /f
      4⤵
      PID:3056
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters" /v "EnableBoottrace" /t REG_DWORD /d "0" /f"
    3⤵
    PID:632
  - - C:\Windows\system32\reg.exe
      Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters" /v "EnableBoottrace" /t REG_DWORD /d "0" /f
      4⤵
      PID:1888
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:540
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:2668
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "Reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoLowDiskSpaceChecks" /t REG_DWORD /d "1" /f"
    3⤵
    PID:3096
  - - C:\Windows\system32\reg.exe
      Reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoLowDiskSpaceChecks" /t REG_DWORD /d "1" /f
      4⤵
      PID:6020
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "Reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "LinkResolveIgnoreLinkInfo" /t REG_DWORD /d "1" /f"
    3⤵
    PID:2016
  - - C:\Windows\system32\reg.exe
      Reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "LinkResolveIgnoreLinkInfo" /t REG_DWORD /d "1" /f
      4⤵
      PID:736
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "Reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoResolveSearch" /t REG_DWORD /d "1" /f"
    3⤵
    PID:3616
  - - C:\Windows\system32\reg.exe
      Reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoResolveSearch" /t REG_DWORD /d "1" /f
      4⤵
      PID:1904
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:5640
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:4516
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:2120
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:5140
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "Reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoResolveTrack" /t REG_DWORD /d "1" /f"
    3⤵
    PID:5628
  - - C:\Windows\system32\reg.exe
      Reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoResolveTrack" /t REG_DWORD /d "1" /f
      4⤵
      PID:1200
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "Reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoInternetOpenWith" /t REG_DWORD /d "1" /f"
    3⤵
    PID:4216
  - - C:\Windows\system32\reg.exe
      Reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoInternetOpenWith" /t REG_DWORD /d "1" /f
      4⤵
      PID:5736
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\FileSystem" /v "NtfsMftZoneReservation" /t REG_DWORD /d "1" /f"
    3⤵
    PID:3068
  - - C:\Windows\system32\reg.exe
      Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\FileSystem" /v "NtfsMftZoneReservation" /t REG_DWORD /d "1" /f
      4⤵
      PID:3696
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:1888
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:6068
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\FileSystem" /v "NTFSDisable8dot3NameCreation" /t REG_DWORD /d "1" /f"
    3⤵
    PID:3396
  - - C:\Windows\system32\reg.exe
      Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\FileSystem" /v "NTFSDisable8dot3NameCreation" /t REG_DWORD /d "1" /f
      4⤵
      PID:5932
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\FileSystem" /v "DontVerifyRandomDrivers" /t REG_DWORD /d "1" /f"
    3⤵
    PID:2952
  - - C:\Windows\system32\reg.exe
      Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\FileSystem" /v "DontVerifyRandomDrivers" /t REG_DWORD /d "1" /f
      4⤵
      PID:1992
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\FileSystem" /v "NTFSDisableLastAccessUpdate" /t REG_DWORD /d "1" /f"
    3⤵
    PID:2932
  - - C:\Windows\system32\reg.exe
      Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\FileSystem" /v "NTFSDisableLastAccessUpdate" /t REG_DWORD /d "1" /f
      4⤵
      PID:4640
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:1812
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:5884
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\FileSystem" /v "ContigFileAllocSize" /t REG_DWORD /d "64" /f"
    3⤵
    PID:4876
  - - C:\Windows\system32\reg.exe
      Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\FileSystem" /v "ContigFileAllocSize" /t REG_DWORD /d "64" /f
      4⤵
      PID:1932
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "Reg.exe add "HKCU\Control Panel\Desktop" /v "AutoEndTasks" /t REG_SZ /d "1" /f"
    3⤵
    PID:6108
  - - C:\Windows\system32\reg.exe
      Reg.exe add "HKCU\Control Panel\Desktop" /v "AutoEndTasks" /t REG_SZ /d "1" /f
      4⤵
      PID:376
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "Reg.exe add "HKCU\Control Panel\Desktop" /v "MenuShowDelay" /t REG_SZ /d "0" /f"
    3⤵
    PID:6020
  - - C:\Windows\system32\reg.exe
      Reg.exe add "HKCU\Control Panel\Desktop" /v "MenuShowDelay" /t REG_SZ /d "0" /f
      4⤵
      PID:5156
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:760
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:1192
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "Reg.exe add "HKCU\Control Panel\Desktop" /v "WaitToKillAppTimeout" /t REG_SZ /d "5000" /f"
    3⤵
    PID:1044
  - - C:\Windows\system32\reg.exe
      Reg.exe add "HKCU\Control Panel\Desktop" /v "WaitToKillAppTimeout" /t REG_SZ /d "5000" /f
      4⤵
      PID:5852
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "Reg.exe add "HKCU\Control Panel\Desktop" /v "WaitToKillServiceTimeout" /t REG_SZ /d "1000" /f"
    3⤵
    PID:5640
  - - C:\Windows\system32\reg.exe
      Reg.exe add "HKCU\Control Panel\Desktop" /v "WaitToKillServiceTimeout" /t REG_SZ /d "1000" /f
      4⤵
      PID:5608
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "Reg.exe add "HKCU\Control Panel\Desktop" /v "HungAppTimeout" /t REG_SZ /d "4000" /f"
    3⤵
    PID:5076
  - - C:\Windows\system32\reg.exe
      Reg.exe add "HKCU\Control Panel\Desktop" /v "HungAppTimeout" /t REG_SZ /d "4000" /f
      4⤵
      PID:1620
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:5308
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:5948
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:1424
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "Reg.exe add "HKCU\Control Panel\Desktop" /v "LowLevelHooksTimeout" /t REG_SZ /d "1000" /f"
    3⤵
    PID:5840
  - - C:\Windows\system32\reg.exe
      Reg.exe add "HKCU\Control Panel\Desktop" /v "LowLevelHooksTimeout" /t REG_SZ /d "1000" /f
      4⤵
      PID:6088
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "Reg.exe add "HKCU\Control Panel\Desktop" /v "ForegroundLockTimeout" /t REG_SZ /d "150000" /f"
    3⤵
    PID:6112
  - - C:\Windows\system32\reg.exe
      Reg.exe add "HKCU\Control Panel\Desktop" /v "ForegroundLockTimeout" /t REG_SZ /d "150000" /f
      4⤵
      PID:5648
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:4840
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    PID:4228
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "Reg.exe add "HKCU\SOFTWARE\Microsoft\Games" /v "FpsAll" /t REG_DWORD /d "1" /f"
    3⤵
    PID:4708
  - - C:\Windows\system32\reg.exe
      Reg.exe add "HKCU\SOFTWARE\Microsoft\Games" /v "FpsAll" /t REG_DWORD /d "1" /f
      4⤵
      PID:6000
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "Reg.exe add "HKCU\SOFTWARE\Microsoft\Games" /v "GameFluidity" /t REG_DWORD /d "1" /f"
    3⤵
    PID:3096
  - - C:\Windows\system32\reg.exe
      Reg.exe add "HKCU\SOFTWARE\Microsoft\Games" /v "GameFluidity" /t REG_DWORD /d "1" /f
      4⤵
      PID:540
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "Reg.exe add "HKCU\SOFTWARE\Microsoft\Games" /v "FpsStatusGames" /t REG_DWORD /d "16" /f"
    3⤵
    PID:5808
  - - C:\Windows\system32\reg.exe
      Reg.exe add "HKCU\SOFTWARE\Microsoft\Games" /v "FpsStatusGames" /t REG_DWORD /d "16" /f
      4⤵
      PID:4628
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:1860
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:3540
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "Reg.exe add "HKCU\SOFTWARE\Microsoft\Games" /v "FpsStatusGamesAll" /t REG_DWORD /d "4" /f"
    3⤵
    PID:3156
  - - C:\Windows\system32\reg.exe
      Reg.exe add "HKCU\SOFTWARE\Microsoft\Games" /v "FpsStatusGamesAll" /t REG_DWORD /d "4" /f
      4⤵
      PID:6048
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Games" /v "Affinity" /t REG_DWORD /d "0" /f"
    3⤵
    PID:1660
  - - C:\Windows\system32\reg.exe
      Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Games" /v "Affinity" /t REG_DWORD /d "0" /f
      4⤵
      PID:1036
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:5484
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:3068
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Games" /v "Background Only" /t REG_SZ /d "False" /f"
    3⤵
    PID:468
  - - C:\Windows\system32\reg.exe
      Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Games" /v "Background Only" /t REG_SZ /d "False" /f
      4⤵
      PID:760
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:5964
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    PID:1200
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Games" /v "Clock Rate" /t REG_DWORD /d "10000" /f"
    3⤵
    PID:6004
  - - C:\Windows\system32\reg.exe
      Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Games" /v "Clock Rate" /t REG_DWORD /d "10000" /f
      4⤵
      PID:5148
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Games" /v "GPU Priority" /t REG_DWORD /d "8" /f"
    3⤵
    PID:5960
  - - C:\Windows\system32\reg.exe
      Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Games" /v "GPU Priority" /t REG_DWORD /d "8" /f
      4⤵
      PID:5488
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    PID:1932
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:264
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Games" /v "Priority" /t REG_DWORD /d "2" /f"
    3⤵
    PID:2932
  - - C:\Windows\system32\reg.exe
      Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Games" /v "Priority" /t REG_DWORD /d "2" /f
      4⤵
      PID:6004
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Games" /v "Scheduling Category" /t REG_SZ /d "High" /f"
    3⤵
    PID:2348
  - - C:\Windows\system32\reg.exe
      Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Games" /v "Scheduling Category" /t REG_SZ /d "High" /f
      4⤵
      PID:5760
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Games" /v "SFIO Priority" /t REG_SZ /d "High" /f"
    3⤵
    PID:3616
  - - C:\Windows\system32\reg.exe
      Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Games" /v "SFIO Priority" /t REG_SZ /d "High" /f
      4⤵
      PID:4404
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Games" /v "Latency Sensitive" /t REG_SZ /d "True" /f"
    3⤵
    PID:6072
  - - C:\Windows\system32\reg.exe
      Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Games" /v "Latency Sensitive" /t REG_SZ /d "True" /f
      4⤵
      PID:2416
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Low Latency" /v "Affinity" /t REG_DWORD /d "0" /f"
    3⤵
    PID:4216
  - - C:\Windows\system32\reg.exe
      Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Low Latency" /v "Affinity" /t REG_DWORD /d "0" /f
      4⤵
      PID:3308
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Low Latency" /v "Background Only" /t REG_SZ /d "False" /f"
    3⤵
    PID:5784
  - - C:\Windows\system32\reg.exe
      Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Low Latency" /v "Background Only" /t REG_SZ /d "False" /f
      4⤵
      PID:6024
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Low Latency" /v "Clock Rate" /t REG_DWORD /d "10000" /f"
    3⤵
    PID:3184
  - - C:\Windows\system32\reg.exe
      Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Low Latency" /v "Clock Rate" /t REG_DWORD /d "10000" /f
      4⤵
      PID:3728
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Low Latency" /v "GPU Priority" /t REG_DWORD /d "8" /f"
    3⤵
    PID:5348
  - - C:\Windows\system32\reg.exe
      Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Low Latency" /v "GPU Priority" /t REG_DWORD /d "8" /f
      4⤵
      PID:4420
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Low Latency" /v "Priority" /t REG_DWORD /d "2" /f"
    3⤵
    PID:3552
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:1888
  - - C:\Windows\system32\reg.exe
      Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Low Latency" /v "Priority" /t REG_DWORD /d "2" /f
      4⤵
      PID:3140
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Low Latency" /v "Scheduling Category" /t REG_SZ /d "High" /f"
    3⤵
    PID:2120
  - - C:\Windows\system32\reg.exe
      Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Low Latency" /v "Scheduling Category" /t REG_SZ /d "High" /f
      4⤵
      PID:5196
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Low Latency" /v "SFIO Priority" /t REG_SZ /d "High" /f"
    3⤵
    PID:1804
  - - C:\Windows\system32\reg.exe
      Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Low Latency" /v "SFIO Priority" /t REG_SZ /d "High" /f
      4⤵
      PID:3540
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Low Latency" /v "Latency Sensitive" /t REG_SZ /d "True" /f"
    3⤵
    PID:3520
  - - C:\Windows\system32\reg.exe
      Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Low Latency" /v "Latency Sensitive" /t REG_SZ /d "True" /f
      4⤵
      PID:5468
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "Reg.exe add "HKLM\System\CurrentControlSet\Services\VxD\BIOS" /v "CPUPriority" /t REG_DWORD /d "1" /f"
    3⤵
    PID:1296
  - - C:\Windows\system32\reg.exe
      Reg.exe add "HKLM\System\CurrentControlSet\Services\VxD\BIOS" /v "CPUPriority" /t REG_DWORD /d "1" /f
      4⤵
      PID:396
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "Reg.exe add "HKLM\System\CurrentControlSet\Services\VxD\BIOS" /v "FastDRAM" /t REG_DWORD /d "1" /f"
    3⤵
    PID:5756
  - - C:\Windows\system32\reg.exe
      Reg.exe add "HKLM\System\CurrentControlSet\Services\VxD\BIOS" /v "FastDRAM" /t REG_DWORD /d "1" /f
      4⤵
      PID:5604
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "Reg.exe add "HKLM\System\CurrentControlSet\Services\VxD\BIOS" /v "PCIConcur" /t REG_DWORD /d "1" /f"
    3⤵
    PID:3092
  - - C:\Windows\system32\reg.exe
      Reg.exe add "HKLM\System\CurrentControlSet\Services\VxD\BIOS" /v "PCIConcur" /t REG_DWORD /d "1" /f
      4⤵
      PID:5628
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "Reg.exe add "HKLM\System\CurrentControlSet\Services\VxD\BIOS" /v "AGPConcur" /t REG_DWORD /d "1" /f"
    3⤵
    PID:1256
  - - C:\Windows\system32\reg.exe
      Reg.exe add "HKLM\System\CurrentControlSet\Services\VxD\BIOS" /v "AGPConcur" /t REG_DWORD /d "1" /f
      4⤵
      PID:6032
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer" /v "Max Cached Icons" /t REG_SZ /d "2000" /f"
    3⤵
    PID:2964
  - - C:\Windows\system32\reg.exe
      Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer" /v "Max Cached Icons" /t REG_SZ /d "2000" /f
      4⤵
      PID:736
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer" /v "AlwaysUnloadDLL" /t REG_DWORD /d "1" /f"
    3⤵
    PID:5964
  - - C:\Windows\system32\reg.exe
      Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer" /v "AlwaysUnloadDLL" /t REG_DWORD /d "1" /f
      4⤵
      PID:4552
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\AlwaysUnloadDLL" /v "Default" /t REG_DWORD /d "1" /f"
    3⤵
    PID:2796
  - - C:\Windows\system32\reg.exe
      Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\AlwaysUnloadDLL" /v "Default" /t REG_DWORD /d "1" /f
      4⤵
      PID:5880
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "Reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "EnableBalloonTips" /t REG_DWORD /d "0" /f"
    3⤵
    PID:5480
  - - C:\Windows\system32\reg.exe
      Reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "EnableBalloonTips" /t REG_DWORD /d "0" /f
      4⤵
      PID:4728
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "Reg.exe add "HKLM\SOFTWARE\Microsoft\MSMQ\Parameters" /v "TCPNoDelay" /t REG_DWORD /d "1" /f"
    3⤵
    PID:2420
  - - C:\Windows\system32\reg.exe
      Reg.exe add "HKLM\SOFTWARE\Microsoft\MSMQ\Parameters" /v "TCPNoDelay" /t REG_DWORD /d "1" /f
      4⤵
      PID:3788
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power\PowerSettings\54533251-82be-4824-96c1-47b60b740d00\0cc5b647-c1df-4637-891a-dec35c318583" /v "ValueMin" /t REG_DWORD /d "0" /f"
    3⤵
    PID:2932
  - - C:\Windows\system32\reg.exe
      Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power\PowerSettings\54533251-82be-4824-96c1-47b60b740d00\0cc5b647-c1df-4637-891a-dec35c318583" /v "ValueMin" /t REG_DWORD /d "0" /f
      4⤵
      PID:3284
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power\PowerSettings\54533251-82be-4824-96c1-47b60b740d00\0cc5b647-c1df-4637-891a-dec35c318583" /v "ValueMax" /t REG_DWORD /d "0" /f"
    3⤵
    PID:5724
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:6112
  - - C:\Windows\system32\reg.exe
      Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power\PowerSettings\54533251-82be-4824-96c1-47b60b740d00\0cc5b647-c1df-4637-891a-dec35c318583" /v "ValueMax" /t REG_DWORD /d "0" /f
      4⤵
      PID:5520
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "Reg.exe add "HKLM\SYSTEM\ControlSet001\Control\Power\PowerSettings\54533251-82be-4824-96c1-47b60b740d00\0cc5b647-c1df-4637-891a-dec35c318583" /v "ValueMax" /t REG_DWORD /d "0" /f"
    3⤵
    PID:5848
  - - C:\Windows\system32\reg.exe
      Reg.exe add "HKLM\SYSTEM\ControlSet001\Control\Power\PowerSettings\54533251-82be-4824-96c1-47b60b740d00\0cc5b647-c1df-4637-891a-dec35c318583" /v "ValueMax" /t REG_DWORD /d "0" /f
      4⤵
      PID:2416
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "Reg.exe add "HKLM\SYSTEM\ControlSet001\Control\Power\PowerSettings\54533251-82be-4824-96c1-47b60b740d00\0cc5b647-c1df-4637-891a-dec35c318583" /v "ValueMin" /t REG_DWORD /d "0" /f"
    3⤵
    PID:6072
  - - C:\Windows\system32\reg.exe
      Reg.exe add "HKLM\SYSTEM\ControlSet001\Control\Power\PowerSettings\54533251-82be-4824-96c1-47b60b740d00\0cc5b647-c1df-4637-891a-dec35c318583" /v "ValueMin" /t REG_DWORD /d "0" /f
      4⤵
      PID:4596
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "Reg.exe add "HKLM\SYSTEM\ControlSet002\Control\Power\PowerSettings\54533251-82be-4824-96c1-47b60b740d00\0cc5b647-c1df-4637-891a-dec35c318583" /v "ValueMax" /t REG_DWORD /d "0" /f"
    3⤵
    PID:2252
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:540
  - - C:\Windows\system32\reg.exe
      Reg.exe add "HKLM\SYSTEM\ControlSet002\Control\Power\PowerSettings\54533251-82be-4824-96c1-47b60b740d00\0cc5b647-c1df-4637-891a-dec35c318583" /v "ValueMax" /t REG_DWORD /d "0" /f
      4⤵
      PID:2732
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "Reg.exe add "HKLM\SYSTEM\ControlSet002\Control\Power\PowerSettings\54533251-82be-4824-96c1-47b60b740d00\0cc5b647-c1df-4637-891a-dec35c318583" /v "ValueMin" /t REG_DWORD /d "0" /f"
    3⤵
    PID:5472
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:5884
  - - C:\Windows\system32\reg.exe
      Reg.exe add "HKLM\SYSTEM\ControlSet002\Control\Power\PowerSettings\54533251-82be-4824-96c1-47b60b740d00\0cc5b647-c1df-4637-891a-dec35c318583" /v "ValueMin" /t REG_DWORD /d "0" /f
      4⤵
      PID:3704
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "HibernateEnabled" /t REG_DWORD /d "0" /f"
    3⤵
    PID:3188
  - - C:\Windows\system32\reg.exe
      Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "HibernateEnabled" /t REG_DWORD /d "0" /f
      4⤵
      PID:5076
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power" /v "HiberbootEnabled" /t REG_DWORD /d "0" /f"
    3⤵
    PID:4004
  - - C:\Windows\system32\reg.exe
      Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power" /v "HiberbootEnabled" /t REG_DWORD /d "0" /f
      4⤵
      PID:4592
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power\PowerSettings\54533251-82be-4824-96c1-47b60b740d00\893dee8e-2bef-41e0-89c6-b55d0929964c" /v "ValueMax" /t REG_DWORD /d "100" /f"
    3⤵
    PID:764
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:2332
  - - C:\Windows\system32\reg.exe
      Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power\PowerSettings\54533251-82be-4824-96c1-47b60b740d00\893dee8e-2bef-41e0-89c6-b55d0929964c" /v "ValueMax" /t REG_DWORD /d "100" /f
      4⤵
      PID:4072
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power\PowerSettings\54533251-82be-4824-96c1-47b60b740d00\893dee8e-2bef-41e0-89c6-b55d0929964c\DefaultPowerSchemeValues\8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c" /v "ValueMax" /t REG_DWORD /d "100" /f"
    3⤵
    PID:3540
  - - C:\Windows\system32\reg.exe
      Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power\PowerSettings\54533251-82be-4824-96c1-47b60b740d00\893dee8e-2bef-41e0-89c6-b55d0929964c\DefaultPowerSchemeValues\8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c" /v "ValueMax" /t REG_DWORD /d "100" /f
      4⤵
      PID:1792
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\Scheduler" /v "VsyncIdleTimeout" /t REG_DWORD /d "0" /f"
    3⤵
    PID:4448
  - - C:\Windows\system32\reg.exe
      Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\Scheduler" /v "VsyncIdleTimeout" /t REG_DWORD /d "0" /f
      4⤵
      PID:5676
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "Reg.exe add "HKCU\System\GameConfigStore" /v "GameDVR_Enabled" /t REG_DWORD /d "0" /f"
    3⤵
    PID:1328
  - - C:\Windows\system32\reg.exe
      Reg.exe add "HKCU\System\GameConfigStore" /v "GameDVR_Enabled" /t REG_DWORD /d "0" /f
      4⤵
      PID:4060
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "Reg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\GameDVR" /v "AppCaptureEnabled" /t REG_DWORD /d "0" /f"
    3⤵
    PID:5576
  - - C:\Windows\system32\reg.exe
      Reg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\GameDVR" /v "AppCaptureEnabled" /t REG_DWORD /d "0" /f
      4⤵
      PID:5692
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "Reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows\GameDVR" /v "AllowgameDVR" /t REG_DWORD /d "0" /f"
    3⤵
    PID:3396
  - - C:\Windows\system32\reg.exe
      Reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows\GameDVR" /v "AllowgameDVR" /t REG_DWORD /d "0" /f
      4⤵
      PID:5536
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "Reg.exe add "HKLM\SOFTWARE\Intel\GMM" /v "DedicatedSegmentSize" /t REG_DWORD /d "1298" /f"
    3⤵
    PID:6060
  - - C:\Windows\system32\reg.exe
      Reg.exe add "HKLM\SOFTWARE\Intel\GMM" /v "DedicatedSegmentSize" /t REG_DWORD /d "1298" /f
      4⤵
      PID:6056
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\PriorityControl" /v "Win32PrioritySeparation" /t REG_DWORD /d "38" /f"
    3⤵
    PID:5808
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:6048
  - - C:\Windows\system32\reg.exe
      Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\PriorityControl" /v "Win32PrioritySeparation" /t REG_DWORD /d "38" /f
      4⤵
      PID:5488
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\PriorityControl" /v "IRQ8Priority" /t REG_DWORD /d "1" /f"
    3⤵
    PID:4372
  - - C:\Windows\system32\reg.exe
      Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\PriorityControl" /v "IRQ8Priority" /t REG_DWORD /d "1" /f
      4⤵
      PID:5484
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\PriorityControl" /v "IRQ16Priority" /t REG_DWORD /d "2" /f"
    3⤵
    PID:3932
  - - C:\Windows\system32\reg.exe
      Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\PriorityControl" /v "IRQ16Priority" /t REG_DWORD /d "2" /f
      4⤵
      PID:5852
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "Reg.exe add "HKLM\SYSTEM\ControlSet001\Control\PriorityControl" /v "Win32PrioritySeparation" /t REG_DWORD /d "38" /f"
    3⤵
    PID:4244
  - - C:\Windows\system32\reg.exe
      Reg.exe add "HKLM\SYSTEM\ControlSet001\Control\PriorityControl" /v "Win32PrioritySeparation" /t REG_DWORD /d "38" /f
      4⤵
      PID:5480
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "Reg.exe add "HKLM\SYSTEM\ControlSet001\Control\PriorityControl" /v "IRQ8Priority" /t REG_DWORD /d "1" /f"
    3⤵
    PID:264
  - - C:\Windows\system32\reg.exe
      Reg.exe add "HKLM\SYSTEM\ControlSet001\Control\PriorityControl" /v "IRQ8Priority" /t REG_DWORD /d "1" /f
      4⤵
      PID:376
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "Reg.exe add "HKLM\SYSTEM\ControlSet001\Control\PriorityControl" /v "IRQ16Priority" /t REG_DWORD /d "2" /f"
    3⤵
    PID:1660
  - - C:\Windows\system32\reg.exe
      Reg.exe add "HKLM\SYSTEM\ControlSet001\Control\PriorityControl" /v "IRQ16Priority" /t REG_DWORD /d "2" /f
      4⤵
      PID:5660
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters" /v "EnablePrefetcher" /t REG_DWORD /d "0" /f"
    3⤵
    PID:3616
  - - C:\Windows\system32\reg.exe
      Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters" /v "EnablePrefetcher" /t REG_DWORD /d "0" /f
      4⤵
      PID:6028
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters" /v "EnableSuperfetch" /t REG_DWORD /d "0" /f"
    3⤵
    PID:1860
  - - C:\Windows\system32\reg.exe
      Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters" /v "EnableSuperfetch" /t REG_DWORD /d "0" /f
      4⤵
      PID:5968
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters" /v "EnableBoottrace" /t REG_DWORD /d "0" /f"
    3⤵
    PID:4216
  - - C:\Windows\system32\reg.exe
      Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters" /v "EnableBoottrace" /t REG_DWORD /d "0" /f
      4⤵
      PID:3248
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "Reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoLowDiskSpaceChecks" /t REG_DWORD /d "1" /f"
    3⤵
    PID:2260
  - - C:\Windows\system32\reg.exe
      Reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoLowDiskSpaceChecks" /t REG_DWORD /d "1" /f
      4⤵
      PID:5356
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "Reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "LinkResolveIgnoreLinkInfo" /t REG_DWORD /d "1" /f"
    3⤵
    PID:3184
  - - C:\Windows\system32\reg.exe
      Reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "LinkResolveIgnoreLinkInfo" /t REG_DWORD /d "1" /f
      4⤵
      PID:3728
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "Reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoResolveSearch" /t REG_DWORD /d "1" /f"
    3⤵
    PID:2552
  - - C:\Windows\system32\reg.exe
      Reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoResolveSearch" /t REG_DWORD /d "1" /f
      4⤵
      PID:4992
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "Reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoResolveTrack" /t REG_DWORD /d "1" /f"
    3⤵
    PID:752
  - - C:\Windows\system32\reg.exe
      Reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoResolveTrack" /t REG_DWORD /d "1" /f
      4⤵
      PID:4004
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "Reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoInternetOpenWith" /t REG_DWORD /d "1" /f"
    3⤵
    PID:1904
  - - C:\Windows\system32\reg.exe
      Reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoInternetOpenWith" /t REG_DWORD /d "1" /f
      4⤵
      PID:2120
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\FileSystem" /v "NtfsMftZoneReservation" /t REG_DWORD /d "1" /f"
    3⤵
    PID:5196
  - - C:\Windows\system32\reg.exe
      Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\FileSystem" /v "NtfsMftZoneReservation" /t REG_DWORD /d "1" /f
      4⤵
      PID:1512
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\FileSystem" /v "NTFSDisable8dot3NameCreation" /t REG_DWORD /d "1" /f"
    3⤵
    PID:2684
  - - C:\Windows\system32\reg.exe
      Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\FileSystem" /v "NTFSDisable8dot3NameCreation" /t REG_DWORD /d "1" /f
      4⤵
      PID:5732
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\FileSystem" /v "DontVerifyRandomDrivers" /t REG_DWORD /d "1" /f"
    3⤵
    PID:5092
  - - C:\Windows\system32\reg.exe
      Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\FileSystem" /v "DontVerifyRandomDrivers" /t REG_DWORD /d "1" /f
      4⤵
      PID:5692
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\FileSystem" /v "NTFSDisableLastAccessUpdate" /t REG_DWORD /d "1" /f"
    3⤵
    PID:432
  - - C:\Windows\system32\reg.exe
      Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\FileSystem" /v "NTFSDisableLastAccessUpdate" /t REG_DWORD /d "1" /f
      4⤵
      PID:5536
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\FileSystem" /v "ContigFileAllocSize" /t REG_DWORD /d "64" /f"
    3⤵
    PID:2472
  - - C:\Windows\system32\reg.exe
      Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\FileSystem" /v "ContigFileAllocSize" /t REG_DWORD /d "64" /f
      4⤵
      PID:6056
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "Reg.exe add "HKCU\Control Panel\Desktop" /v "AutoEndTasks" /t REG_SZ /d "1" /f"
    3⤵
    PID:4880
  - - C:\Windows\system32\reg.exe
      Reg.exe add "HKCU\Control Panel\Desktop" /v "AutoEndTasks" /t REG_SZ /d "1" /f
      4⤵
      PID:6020
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "Reg.exe add "HKCU\Control Panel\Desktop" /v "MenuShowDelay" /t REG_SZ /d "0" /f"
    3⤵
    PID:2964
  - - C:\Windows\system32\reg.exe
      Reg.exe add "HKCU\Control Panel\Desktop" /v "MenuShowDelay" /t REG_SZ /d "0" /f
      4⤵
      PID:5484
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "Reg.exe add "HKCU\Control Panel\Desktop" /v "WaitToKillAppTimeout" /t REG_SZ /d "5000" /f"
    3⤵
    PID:400
  - - C:\Windows\system32\reg.exe
      Reg.exe add "HKCU\Control Panel\Desktop" /v "WaitToKillAppTimeout" /t REG_SZ /d "5000" /f
      4⤵
      PID:2796
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "Reg.exe add "HKCU\Control Panel\Desktop" /v "WaitToKillServiceTimeout" /t REG_SZ /d "1000" /f"
    3⤵
    PID:5944
  - - C:\Windows\system32\reg.exe
      Reg.exe add "HKCU\Control Panel\Desktop" /v "WaitToKillServiceTimeout" /t REG_SZ /d "1000" /f
      4⤵
      PID:4560
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "Reg.exe add "HKCU\Control Panel\Desktop" /v "HungAppTimeout" /t REG_SZ /d "4000" /f"
    3⤵
    PID:3004
  - - C:\Windows\system32\reg.exe
      Reg.exe add "HKCU\Control Panel\Desktop" /v "HungAppTimeout" /t REG_SZ /d "4000" /f
      4⤵
      PID:4300
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "Reg.exe add "HKCU\Control Panel\Desktop" /v "LowLevelHooksTimeout" /t REG_SZ /d "1000" /f"
    3⤵
    PID:2248
  - - C:\Windows\system32\reg.exe
      Reg.exe add "HKCU\Control Panel\Desktop" /v "LowLevelHooksTimeout" /t REG_SZ /d "1000" /f
      4⤵
      PID:744
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "Reg.exe add "HKCU\Control Panel\Desktop" /v "ForegroundLockTimeout" /t REG_SZ /d "150000" /f"
    3⤵
    PID:264
  - - C:\Windows\system32\reg.exe
      Reg.exe add "HKCU\Control Panel\Desktop" /v "ForegroundLockTimeout" /t REG_SZ /d "150000" /f
      4⤵
      PID:5660
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "Reg.exe add "HKCU\SOFTWARE\Microsoft\Games" /v "FpsAll" /t REG_DWORD /d "1" /f"
    3⤵
    PID:544
  - - C:\Windows\system32\reg.exe
      Reg.exe add "HKCU\SOFTWARE\Microsoft\Games" /v "FpsAll" /t REG_DWORD /d "1" /f
      4⤵
      PID:6052
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "Reg.exe add "HKCU\SOFTWARE\Microsoft\Games" /v "GameFluidity" /t REG_DWORD /d "1" /f"
    3⤵
    PID:3616
  - - C:\Windows\system32\reg.exe
      Reg.exe add "HKCU\SOFTWARE\Microsoft\Games" /v "GameFluidity" /t REG_DWORD /d "1" /f
      4⤵
      PID:5864
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "Reg.exe add "HKCU\SOFTWARE\Microsoft\Games" /v "FpsStatusGames" /t REG_DWORD /d "16" /f"
    3⤵
    PID:1860
  - - C:\Windows\system32\reg.exe
      Reg.exe add "HKCU\SOFTWARE\Microsoft\Games" /v "FpsStatusGames" /t REG_DWORD /d "16" /f
      4⤵
      PID:5072
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "Reg.exe add "HKCU\SOFTWARE\Microsoft\Games" /v "FpsStatusGamesAll" /t REG_DWORD /d "4" /f"
    3⤵
    PID:4048
  - - C:\Windows\system32\reg.exe
      Reg.exe add "HKCU\SOFTWARE\Microsoft\Games" /v "FpsStatusGamesAll" /t REG_DWORD /d "4" /f
      4⤵
      PID:428
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Games" /v "Affinity" /t REG_DWORD /d "0" /f"
    3⤵
    PID:4024
  - - C:\Windows\system32\reg.exe
      Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Games" /v "Affinity" /t REG_DWORD /d "0" /f
      4⤵
      PID:4248
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Games" /v "Background Only" /t REG_SZ /d "False" /f"
    3⤵
    PID:468
  - - C:\Windows\system32\reg.exe
      Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Games" /v "Background Only" /t REG_SZ /d "False" /f
      4⤵
      PID:5104
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Games" /v "Clock Rate" /t REG_DWORD /d "10000" /f"
    3⤵
    PID:2068
  - - C:\Windows\system32\reg.exe
      Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Games" /v "Clock Rate" /t REG_DWORD /d "10000" /f
      4⤵
      PID:4188
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Games" /v "GPU Priority" /t REG_DWORD /d "8" /f"
    3⤵
    PID:2120
  - - C:\Windows\system32\reg.exe
      Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Games" /v "GPU Priority" /t REG_DWORD /d "8" /f
      4⤵
      PID:6008
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Games" /v "Priority" /t REG_DWORD /d "2" /f"
    3⤵
    PID:5796
  - - C:\Windows\system32\reg.exe
      Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Games" /v "Priority" /t REG_DWORD /d "2" /f
      4⤵
      PID:1512
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Games" /v "Scheduling Category" /t REG_SZ /d "High" /f"
    3⤵
    PID:392
  - - C:\Windows\system32\reg.exe
      Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Games" /v "Scheduling Category" /t REG_SZ /d "High" /f
      4⤵
      PID:5732
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Games" /v "SFIO Priority" /t REG_SZ /d "High" /f"
    3⤵
    PID:2684
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:396
  - - C:\Windows\system32\reg.exe
      Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Games" /v "SFIO Priority" /t REG_SZ /d "High" /f
      4⤵
      PID:5604
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Games" /v "Latency Sensitive" /t REG_SZ /d "True" /f"
    3⤵
    PID:4844
  - - C:\Windows\system32\reg.exe
      Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Games" /v "Latency Sensitive" /t REG_SZ /d "True" /f
      4⤵
      PID:5576
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Low Latency" /v "Affinity" /t REG_DWORD /d "0" /f"
    3⤵
    PID:3092
  - - C:\Windows\system32\reg.exe
      Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Low Latency" /v "Affinity" /t REG_DWORD /d "0" /f
      4⤵
      PID:5856
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Low Latency" /v "Background Only" /t REG_SZ /d "False" /f"
    3⤵
    PID:6056
  - - C:\Windows\system32\reg.exe
      Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Low Latency" /v "Background Only" /t REG_SZ /d "False" /f
      4⤵
      PID:5488
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Low Latency" /v "Clock Rate" /t REG_DWORD /d "10000" /f"
    3⤵
    PID:6020
  - - C:\Windows\system32\reg.exe
      Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Low Latency" /v "Clock Rate" /t REG_DWORD /d "10000" /f
      4⤵
      PID:2780
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:760
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:1200
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Low Latency" /v "GPU Priority" /t REG_DWORD /d "8" /f"
    3⤵
    PID:5852
  - - C:\Windows\system32\reg.exe
      Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Low Latency" /v "GPU Priority" /t REG_DWORD /d "8" /f
      4⤵
      PID:4500
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Low Latency" /v "Priority" /t REG_DWORD /d "2" /f"
    3⤵
    PID:1660
  - - C:\Windows\system32\reg.exe
      Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Low Latency" /v "Priority" /t REG_DWORD /d "2" /f
      4⤵
      PID:4352
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Low Latency" /v "Scheduling Category" /t REG_SZ /d "High" /f"
    3⤵
    PID:544
  - - C:\Windows\system32\reg.exe
      Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Low Latency" /v "Scheduling Category" /t REG_SZ /d "High" /f
      4⤵
      PID:5168
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Low Latency" /v "SFIO Priority" /t REG_SZ /d "High" /f"
    3⤵
    PID:3416
  - - C:\Windows\system32\reg.exe
      Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Low Latency" /v "SFIO Priority" /t REG_SZ /d "High" /f
      4⤵
      PID:6024
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Low Latency" /v "Latency Sensitive" /t REG_SZ /d "True" /f"
    3⤵
    PID:5840
  - - C:\Windows\system32\reg.exe
      Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Low Latency" /v "Latency Sensitive" /t REG_SZ /d "True" /f
      4⤵
      PID:5172
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "Reg.exe add "HKLM\System\CurrentControlSet\Services\VxD\BIOS" /v "CPUPriority" /t REG_DWORD /d "1" /f"
    3⤵
    PID:4692
  - - C:\Windows\system32\reg.exe
      Reg.exe add "HKLM\System\CurrentControlSet\Services\VxD\BIOS" /v "CPUPriority" /t REG_DWORD /d "1" /f
      4⤵
      PID:3188
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "Reg.exe add "HKLM\System\CurrentControlSet\Services\VxD\BIOS" /v "FastDRAM" /t REG_DWORD /d "1" /f"
    3⤵
    PID:3500
  - - C:\Windows\system32\reg.exe
      Reg.exe add "HKLM\System\CurrentControlSet\Services\VxD\BIOS" /v "FastDRAM" /t REG_DWORD /d "1" /f
      4⤵
      PID:4872
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "Reg.exe add "HKLM\System\CurrentControlSet\Services\VxD\BIOS" /v "PCIConcur" /t REG_DWORD /d "1" /f"
    3⤵
    PID:2068
  - - C:\Windows\system32\reg.exe
      Reg.exe add "HKLM\System\CurrentControlSet\Services\VxD\BIOS" /v "PCIConcur" /t REG_DWORD /d "1" /f
      4⤵
      PID:6068
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "Reg.exe add "HKLM\System\CurrentControlSet\Services\VxD\BIOS" /v "AGPConcur" /t REG_DWORD /d "1" /f"
    3⤵
    PID:1904
  - - C:\Windows\system32\reg.exe
      Reg.exe add "HKLM\System\CurrentControlSet\Services\VxD\BIOS" /v "AGPConcur" /t REG_DWORD /d "1" /f
      4⤵
      PID:216
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer" /v "Max Cached Icons" /t REG_SZ /d "2000" /f"
    3⤵
    PID:1792
  - - C:\Windows\system32\reg.exe
      Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer" /v "Max Cached Icons" /t REG_SZ /d "2000" /f
      4⤵
      PID:5316
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer" /v "AlwaysUnloadDLL" /t REG_DWORD /d "1" /f"
    3⤵
    PID:5692
  - - C:\Windows\system32\reg.exe
      Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer" /v "AlwaysUnloadDLL" /t REG_DWORD /d "1" /f
      4⤵
      PID:6124
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\AlwaysUnloadDLL" /v "Default" /t REG_DWORD /d "1" /f"
    3⤵
    PID:5092
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:5756
  - - C:\Windows\system32\reg.exe
      Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\AlwaysUnloadDLL" /v "Default" /t REG_DWORD /d "1" /f
      4⤵
      PID:4604
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "Reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "EnableBalloonTips" /t REG_DWORD /d "0" /f"
    3⤵
    PID:3092
  - - C:\Windows\system32\reg.exe
      Reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "EnableBalloonTips" /t REG_DWORD /d "0" /f
      4⤵
      PID:2916
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "Reg.exe add "HKLM\SOFTWARE\Microsoft\MSMQ\Parameters" /v "TCPNoDelay" /t REG_DWORD /d "1" /f"
    3⤵
    PID:5628
  - - C:\Windows\system32\reg.exe
      Reg.exe add "HKLM\SOFTWARE\Microsoft\MSMQ\Parameters" /v "TCPNoDelay" /t REG_DWORD /d "1" /f
      4⤵
      PID:2780
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters" /v "EnablePrefetcher" /t REG_DWORD /d "0" /f"
    3⤵
    PID:6020
  - - C:\Windows\system32\reg.exe
      Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters" /v "EnablePrefetcher" /t REG_DWORD /d "0" /f
      4⤵
      PID:4304
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters" /v "EnableSuperfetch" /t REG_DWORD /d "0" /f"
    3⤵
    PID:1088
  - - C:\Windows\system32\reg.exe
      Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters" /v "EnableSuperfetch" /t REG_DWORD /d "0" /f
      4⤵
      PID:4404
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters" /v "EnableBoottrace" /t REG_DWORD /d "0" /f"
    3⤵
    PID:2984
  - - C:\Windows\system32\reg.exe
      Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters" /v "EnableBoottrace" /t REG_DWORD /d "0" /f
      4⤵
      PID:264
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "REG ADD "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer" /v SmartScreenEnabled /t REG_SZ /d "Off" /f"
    3⤵
    PID:2932
  - - C:\Windows\system32\reg.exe
      REG ADD "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer" /v SmartScreenEnabled /t REG_SZ /d "Off" /f
      4⤵
      PID:324
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\AppHost" /v ContentEvaluation /t REG_DWORD /d "0" /f"
    3⤵
    PID:4068
  - - C:\Windows\system32\reg.exe
      REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\AppHost" /v ContentEvaluation /t REG_DWORD /d "0" /f
      4⤵
      PID:1920
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "REG ADD "HKLM\Software\Policies\Microsoft\Windows\System" /v "EnableActivityFeed" /t REG_DWORD /d "0" /f"
    3⤵
    PID:4788
  - - C:\Windows\system32\reg.exe
      REG ADD "HKLM\Software\Policies\Microsoft\Windows\System" /v "EnableActivityFeed" /t REG_DWORD /d "0" /f
      4⤵
      PID:4984
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "REG ADD "HKLM\System\CurrentControlSet\Control\Power\PowerThrottling" /v "PowerThrottlingOff" /t REG_DWORD /d "1" /f"
    3⤵
    PID:4048
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:3416
  - - C:\Windows\system32\reg.exe
      REG ADD "HKLM\System\CurrentControlSet\Control\Power\PowerThrottling" /v "PowerThrottlingOff" /t REG_DWORD /d "1" /f
      4⤵
      PID:2732
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "REG ADD "HKCU\Software\Microsoft\CTF\LangBar" /v "ShowStatus" /t REG_DWORD /d "3" /f"
    3⤵
    PID:5172
  - - C:\Windows\system32\reg.exe
      REG ADD "HKCU\Software\Microsoft\CTF\LangBar" /v "ShowStatus" /t REG_DWORD /d "3" /f
      4⤵
      PID:3704
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "REG ADD "HKCU\Software\Microsoft\CTF\LangBar" /v "ExtraIconsOnMinimized" /t REG_DWORD /d "0" /f"
    3⤵
    PID:5104
  - - C:\Windows\system32\reg.exe
      REG ADD "HKCU\Software\Microsoft\CTF\LangBar" /v "ExtraIconsOnMinimized" /t REG_DWORD /d "0" /f
      4⤵
      PID:4260
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "REG ADD "HKCU\Software\Microsoft\CTF\LangBar" /v "Transparency" /t REG_DWORD /d "255" /f"
    3⤵
    PID:5540
  - - C:\Windows\system32\reg.exe
      REG ADD "HKCU\Software\Microsoft\CTF\LangBar" /v "Transparency" /t REG_DWORD /d "255" /f
      4⤵
      PID:952
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "REG ADD "HKCU\Software\Microsoft\CTF\LangBar" /v "Label" /t REG_DWORD /d "0" /f"
    3⤵
    PID:4104
  - - C:\Windows\system32\reg.exe
      REG ADD "HKCU\Software\Microsoft\CTF\LangBar" /v "Label" /t REG_DWORD /d "0" /f
      4⤵
      PID:5996
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:5452
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:2068
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "REG ADD "HKU\.DEFAULT\Control Panel\Mouse" /v "MouseHoverTime" /t REG_SZ /d "0" /f"
    3⤵
    PID:2248
  - - C:\Windows\system32\reg.exe
      REG ADD "HKU\.DEFAULT\Control Panel\Mouse" /v "MouseHoverTime" /t REG_SZ /d "0" /f
      4⤵
      Modifies data under HKEY_USERS
      PID:4372
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "REG ADD "HKU\.DEFAULT\Control Panel\Mouse" /v "MouseSpeed" /t REG_SZ /d "0" /f"
    3⤵
    PID:5604
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:1200
  - - C:\Windows\system32\reg.exe
      REG ADD "HKU\.DEFAULT\Control Panel\Mouse" /v "MouseSpeed" /t REG_SZ /d "0" /f
      4⤵
      Modifies data under HKEY_USERS
      PID:6124
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "REG ADD "HKU\.DEFAULT\Control Panel\Mouse" /v "MouseThreshold1" /t REG_SZ /d "0" /f"
    3⤵
    PID:1964
  - - C:\Windows\system32\reg.exe
      REG ADD "HKU\.DEFAULT\Control Panel\Mouse" /v "MouseThreshold1" /t REG_SZ /d "0" /f
      4⤵
      Modifies data under HKEY_USERS
      PID:4844
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "REG ADD "HKU\.DEFAULT\Control Panel\Mouse" /v "MouseThreshold2" /t REG_SZ /d "0" /f"
    3⤵
    PID:5236
  - - C:\Windows\system32\reg.exe
      REG ADD "HKU\.DEFAULT\Control Panel\Mouse" /v "MouseThreshold2" /t REG_SZ /d "0" /f
      4⤵
      Modifies data under HKEY_USERS
      PID:448
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "REG ADD "HKCU\Control Panel\Mouse" /v "MouseSpeed" /t REG_SZ /d "0" /f"
    3⤵
    PID:3112
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:3068
  - - C:\Windows\system32\reg.exe
      REG ADD "HKCU\Control Panel\Mouse" /v "MouseSpeed" /t REG_SZ /d "0" /f
      4⤵
      PID:6032
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "REG ADD "HKCU\Control Panel\Mouse" /v "MouseThreshold1" /t REG_SZ /d "0" /f"
    3⤵
    PID:4236
  - - C:\Windows\system32\reg.exe
      REG ADD "HKCU\Control Panel\Mouse" /v "MouseThreshold1" /t REG_SZ /d "0" /f
      4⤵
      PID:2348
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "REG ADD "HKCU\Control Panel\Mouse" /v "MouseThreshold2" /t REG_SZ /d "0" /f"
    3⤵
    PID:5148
  - - C:\Windows\system32\reg.exe
      REG ADD "HKCU\Control Panel\Mouse" /v "MouseThreshold2" /t REG_SZ /d "0" /f
      4⤵
      PID:1088
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "REG ADD "HKCU\Control Panel\Mouse" /v "MouseSensitivity" /t REG_SZ /d "10" /f"
    3⤵
    PID:2796
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:4244
  - - C:\Windows\system32\reg.exe
      REG ADD "HKCU\Control Panel\Mouse" /v "MouseSensitivity" /t REG_SZ /d "10" /f
      4⤵
      PID:4008
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "REG ADD "HKU\.DEFAULT\Control Panel\Desktop" /v "ForegroundLockTimeout" /t REG_DWORD /d "0" /f"
    3⤵
    PID:3284
  - - C:\Windows\system32\reg.exe
      REG ADD "HKU\.DEFAULT\Control Panel\Desktop" /v "ForegroundLockTimeout" /t REG_DWORD /d "0" /f
      4⤵
      Modifies data under HKEY_USERS
      PID:2560
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "REG ADD "HKU\.DEFAULT\Control Panel\Desktop" /v "MenuShowDelay" /t REG_SZ /d "0" /f"
    3⤵
    PID:1820
  - - C:\Windows\system32\reg.exe
      REG ADD "HKU\.DEFAULT\Control Panel\Desktop" /v "MenuShowDelay" /t REG_SZ /d "0" /f
      4⤵
      Modifies data under HKEY_USERS
      PID:3248
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "REG ADD "HKU\.DEFAULT\Control Panel\Desktop" /v "MouseWheelRouting" /t REG_DWORD /d "0" /f"
    3⤵
    PID:1520
  - - C:\Windows\system32\reg.exe
      REG ADD "HKU\.DEFAULT\Control Panel\Desktop" /v "MouseWheelRouting" /t REG_DWORD /d "0" /f
      4⤵
      Modifies data under HKEY_USERS
      PID:1700
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "REG ADD "HKU\.DEFAULT\Control Panel\Mouse" /v "Beep" /t REG_SZ /d "No" /f"
    3⤵
    PID:4380
  - - C:\Windows\system32\reg.exe
      REG ADD "HKU\.DEFAULT\Control Panel\Mouse" /v "Beep" /t REG_SZ /d "No" /f
      4⤵
      Modifies data under HKEY_USERS
      PID:5472
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "REG ADD "HKU\.DEFAULT\Control Panel\Mouse" /v "ExtendedSounds" /t REG_SZ /d "No" /f"
    3⤵
    PID:2260
  - - C:\Windows\system32\reg.exe
      REG ADD "HKU\.DEFAULT\Control Panel\Mouse" /v "ExtendedSounds" /t REG_SZ /d "No" /f
      4⤵
      Modifies data under HKEY_USERS
      PID:5076
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "REG ADD "HKU\.DEFAULT\Control Panel\Sound" /v "Beep" /t REG_SZ /d "no" /f"
    3⤵
    PID:5784
  - - C:\Windows\system32\reg.exe
      REG ADD "HKU\.DEFAULT\Control Panel\Sound" /v "Beep" /t REG_SZ /d "no" /f
      4⤵
      Modifies data under HKEY_USERS
      PID:4108
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "REG ADD "HKU\.DEFAULT\Control Panel\Sound" /v "ExtendedSounds" /t REG_SZ /d "no" /f"
    3⤵
    PID:4072
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:4592
  - - C:\Windows\system32\reg.exe
      REG ADD "HKU\.DEFAULT\Control Panel\Sound" /v "ExtendedSounds" /t REG_SZ /d "no" /f
      4⤵
      Modifies data under HKEY_USERS
      PID:1616
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "REG ADD "HKU\.DEFAULT\Control Panel\Accessibility\HighContrast" /v "Flags" /t REG_SZ /d "0" /f"
    3⤵
    PID:5864
  - - C:\Windows\system32\reg.exe
      REG ADD "HKU\.DEFAULT\Control Panel\Accessibility\HighContrast" /v "Flags" /t REG_SZ /d "0" /f
      4⤵
      Modifies data under HKEY_USERS
      PID:1488
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "REG ADD "HKU\.DEFAULT\Control Panel\Accessibility\Keyboard Response" /v "Flags" /t REG_SZ /d "0" /f"
    3⤵
    PID:5492
  - - C:\Windows\system32\reg.exe
      REG ADD "HKU\.DEFAULT\Control Panel\Accessibility\Keyboard Response" /v "Flags" /t REG_SZ /d "0" /f
      4⤵
      Modifies data under HKEY_USERS
      PID:3932
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "REG ADD "HKU\.DEFAULT\Control Panel\Accessibility\MouseKeys" /v "Flags" /t REG_SZ /d "0" /f"
    3⤵
    PID:5476
  - - C:\Windows\system32\reg.exe
      REG ADD "HKU\.DEFAULT\Control Panel\Accessibility\MouseKeys" /v "Flags" /t REG_SZ /d "0" /f
      4⤵
      Modifies data under HKEY_USERS
      PID:4316
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "REG ADD "HKU\.DEFAULT\Control Panel\Accessibility\SoundSentry" /v "Flags" /t REG_SZ /d "0" /f"
    3⤵
    PID:2248
  - - C:\Windows\system32\reg.exe
      REG ADD "HKU\.DEFAULT\Control Panel\Accessibility\SoundSentry" /v "Flags" /t REG_SZ /d "0" /f
      4⤵
      Modifies data under HKEY_USERS
      PID:372
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "REG ADD "HKU\.DEFAULT\Control Panel\Accessibility\StickyKeys" /v "Flags" /t REG_SZ /d "0" /f"
    3⤵
    PID:1012
  - - C:\Windows\system32\reg.exe
      REG ADD "HKU\.DEFAULT\Control Panel\Accessibility\StickyKeys" /v "Flags" /t REG_SZ /d "0" /f
      4⤵
      Modifies data under HKEY_USERS
      PID:3544
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "REG ADD "HKU\.DEFAULT\Control Panel\Accessibility\TimeOut" /v "Flags" /t REG_SZ /d "0" /f"
    3⤵
    PID:180
  - - C:\Windows\system32\reg.exe
      REG ADD "HKU\.DEFAULT\Control Panel\Accessibility\TimeOut" /v "Flags" /t REG_SZ /d "0" /f
      4⤵
      Modifies data under HKEY_USERS
      PID:4780
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "REG ADD "HKU\.DEFAULT\Control Panel\Accessibility\ToggleKeys" /v "Flags" /t REG_SZ /d "0" /f"
    3⤵
    PID:5644
  - - C:\Windows\system32\reg.exe
      REG ADD "HKU\.DEFAULT\Control Panel\Accessibility\ToggleKeys" /v "Flags" /t REG_SZ /d "0" /f
      4⤵
      Modifies data under HKEY_USERS
      PID:4844
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "NavPaneShowAllFolders" /t REG_DWORD /d "1" /f"
    3⤵
    PID:1192
  - - C:\Windows\system32\reg.exe
      REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "NavPaneShowAllFolders" /t REG_DWORD /d "1" /f
      4⤵
      PID:3216
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "REG ADD "HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell" /v "FolderType" /t REG_SZ /d "NotSpecified" /f"
    3⤵
    PID:1804
  - - C:\Windows\system32\reg.exe
      REG ADD "HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell" /v "FolderType" /t REG_SZ /d "NotSpecified" /f
      4⤵
      Modifies registry class
      PID:4604
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "REG DELETE "HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags" /f"
    3⤵
    PID:4432
  - - C:\Windows\system32\reg.exe
      REG DELETE "HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags" /f
      4⤵
      Modifies registry class
      PID:448
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer" /v "link" /t REG_BINARY /d "00000000" /f"
    3⤵
    PID:5192
  - - C:\Windows\system32\reg.exe
      REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer" /v "link" /t REG_BINARY /d "00000000" /f
      4⤵
      PID:2780
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "REG ADD "HKCU\Control Panel\Accessibility\MouseKeys" /v "Flags" /t REG_SZ /d "186" /f"
    3⤵
    PID:3112
  - - C:\Windows\system32\reg.exe
      REG ADD "HKCU\Control Panel\Accessibility\MouseKeys" /v "Flags" /t REG_SZ /d "186" /f
      4⤵
      PID:5760
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "REG ADD "HKCU\Control Panel\Accessibility\MouseKeys" /v "MaximumSpeed" /t REG_SZ /d "40" /f"
    3⤵
    PID:2964
  - - C:\Windows\system32\reg.exe
      REG ADD "HKCU\Control Panel\Accessibility\MouseKeys" /v "MaximumSpeed" /t REG_SZ /d "40" /f
      4⤵
      PID:4404
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "REG ADD "HKCU\Control Panel\Accessibility\MouseKeys" /v "TimeToMaximumSpeed" /t REG_SZ /d "3000" /f"
    3⤵
    PID:1116
  - - C:\Windows\system32\reg.exe
      REG ADD "HKCU\Control Panel\Accessibility\MouseKeys" /v "TimeToMaximumSpeed" /t REG_SZ /d "3000" /f
      4⤵
      PID:1660
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "REG ADD "HKLM\Software\Policies\Microsoft\Windows\Explorer" /v "NoDataExecutionPrevention" /t REG_DWORD /d "1" /f"
    3⤵
    PID:2796
  - - C:\Windows\system32\reg.exe
      REG ADD "HKLM\Software\Policies\Microsoft\Windows\Explorer" /v "NoDataExecutionPrevention" /t REG_DWORD /d "1" /f
      4⤵
      PID:3284
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "REG ADD "HKLM\Software\Policies\Microsoft\Windows\System" /v "DisableHHDEP" /t REG_DWORD /d "1" /f"
    3⤵
    PID:2560
  - - C:\Windows\system32\reg.exe
      REG ADD "HKLM\Software\Policies\Microsoft\Windows\System" /v "DisableHHDEP" /t REG_DWORD /d "1" /f
      4⤵
      PID:5168
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "REG ADD "HKLM\Software\Policies\Microsoft\Windows\System" /v "EnableSmartScreen" /t REG_DWORD /d "0" /f"
    3⤵
    PID:4984
  - - C:\Windows\system32\reg.exe
      REG ADD "HKLM\Software\Policies\Microsoft\Windows\System" /v "EnableSmartScreen" /t REG_DWORD /d "0" /f
      4⤵
      PID:540
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "REG ADD "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\Maintenance" /v "MaintenanceDisabled" /t REG_DWORD /d "1" /f"
    3⤵
    PID:6076
  - - C:\Windows\system32\reg.exe
      REG ADD "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\Maintenance" /v "MaintenanceDisabled" /t REG_DWORD /d "1" /f
      4⤵
      PID:5840
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "REG ADD "HKLM\System\CurrentControlSet\Control\Session Manager\Power" /v "HiberbootEnabled" /t REG_DWORD /d "0" /f"
    3⤵
    PID:468
  - - C:\Windows\system32\reg.exe
      REG ADD "HKLM\System\CurrentControlSet\Control\Session Manager\Power" /v "HiberbootEnabled" /t REG_DWORD /d "0" /f
      4⤵
      PID:2260
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power" /v "SleepStudyDisabled" /t REG_DWORD /d "1" /f"
    3⤵
    PID:3188
  - - C:\Windows\system32\reg.exe
      REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power" /v "SleepStudyDisabled" /t REG_DWORD /d "1" /f
      4⤵
      PID:1888
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "DisallowShaking" /t REG_DWORD /d "1" /f"
    3⤵
    PID:4312
  - - C:\Windows\system32\reg.exe
      REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "DisallowShaking" /t REG_DWORD /d "1" /f
      4⤵
      PID:4004
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments" /v "SaveZoneInformation" /t REG_DWORD /d "1" /f"
    3⤵
    PID:4072
  - - C:\Windows\system32\reg.exe
      REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments" /v "SaveZoneInformation" /t REG_DWORD /d "1" /f
      4⤵
      PID:2608
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "REG ADD "HKLM\Software\Policies\Microsoft\MRT" /v "DontOfferThroughWUAU" /t REG_DWORD /d "1" /f"
    3⤵
    PID:216
  - - C:\Windows\system32\reg.exe
      REG ADD "HKLM\Software\Policies\Microsoft\MRT" /v "DontOfferThroughWUAU" /t REG_DWORD /d "1" /f
      4⤵
      PID:3252
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "REG ADD "HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate\AU" /v "AUOptions" /t REG_DWORD /d "2" /f"
    3⤵
    PID:2120
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:4372
  - - C:\Windows\system32\reg.exe
      REG ADD "HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate\AU" /v "AUOptions" /t REG_DWORD /d "2" /f
      4⤵
      PID:5476
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "REG ADD "HKLM\Software\Microsoft\Windows\Windows Error Reporting" /v "Disabled" /t REG_DWORD /d "1" /f"
    3⤵
    PID:6008
  - - C:\Windows\system32\reg.exe
      REG ADD "HKLM\Software\Microsoft\Windows\Windows Error Reporting" /v "Disabled" /t REG_DWORD /d "1" /f
      4⤵
      PID:372
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "REG ADD "HKCU\Control Panel\Desktop" /v "MenuShowDelay" /t REG_SZ /d "0" /f"
    3⤵
    PID:1812
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:6124
  - - C:\Windows\system32\reg.exe
      REG ADD "HKCU\Control Panel\Desktop" /v "MenuShowDelay" /t REG_SZ /d "0" /f
      4⤵
      PID:5604
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "REG ADD "HKLM\System\CurrentControlSet\Control\CrashControl" /v "DisplayParameters" /t REG_DWORD /d "1" /f"
    3⤵
    PID:3544
  - - C:\Windows\system32\reg.exe
      REG ADD "HKLM\System\CurrentControlSet\Control\CrashControl" /v "DisplayParameters" /t REG_DWORD /d "1" /f
      4⤵
      PID:920
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "REG ADD "HKCU\Software\Policies\Microsoft\Windows\Explorer" /v "DisableNotificationCenter" /t REG_DWORD /d "1" /f"
    3⤵
    PID:2936
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:6004
  - - C:\Windows\system32\reg.exe
      REG ADD "HKCU\Software\Policies\Microsoft\Windows\Explorer" /v "DisableNotificationCenter" /t REG_DWORD /d "1" /f
      4⤵
      PID:4888
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "Start_TrackDocs" /t REG_DWORD /d "0" /f"
    3⤵
    PID:5644
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:3520
  - - C:\Windows\system32\reg.exe
      REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "Start_TrackDocs" /t REG_DWORD /d "0" /f
      4⤵
      PID:6072
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "REG ADD "HKCU\Software\Policies\Microsoft\Windows\Explorer" /v "DisableSearchBoxSuggestions" /t REG_DWORD /d "1" /f"
    3⤵
    PID:936
  - - C:\Windows\system32\reg.exe
      REG ADD "HKCU\Software\Policies\Microsoft\Windows\Explorer" /v "DisableSearchBoxSuggestions" /t REG_DWORD /d "1" /f
      4⤵
      PID:5588
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "REG ADD "HKLM\System\CurrentControlSet\Services\LanmanServer\Parameters" /v "AutoShareWks" /t REG_DWORD /d "0" /f"
    3⤵
    PID:5964
  - - C:\Windows\system32\reg.exe
      REG ADD "HKLM\System\CurrentControlSet\Services\LanmanServer\Parameters" /v "AutoShareWks" /t REG_DWORD /d "0" /f
      4⤵
      PID:5748
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "REG ADD "HKCU\Keyboard Layout\Toggle" /v "Language Hotkey" /t REG_SZ /d "3" /f"
    3⤵
    PID:4432
  - - C:\Windows\system32\reg.exe
      REG ADD "HKCU\Keyboard Layout\Toggle" /v "Language Hotkey" /t REG_SZ /d "3" /f
      4⤵
      PID:1300
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "REG ADD "HKCU\Keyboard Layout\Toggle" /v "Hotkey" /t REG_SZ /d "3" /f"
    3⤵
    PID:4696
  - - C:\Windows\system32\reg.exe
      REG ADD "HKCU\Keyboard Layout\Toggle" /v "Hotkey" /t REG_SZ /d "3" /f
      4⤵
      PID:4304
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "REG ADD "HKCU\Keyboard Layout\Toggle" /v "Layout Hotkey" /t REG_SZ /d "3" /f"
    3⤵
    PID:4880
  - - C:\Windows\system32\reg.exe
      REG ADD "HKCU\Keyboard Layout\Toggle" /v "Layout Hotkey" /t REG_SZ /d "3" /f
      4⤵
      PID:5368
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "REG ADD "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\FlyoutMenuSettings" /v "ShowSleepOption" /t REG_DWORD /d "0" /f"
    3⤵
    PID:4124
  - - C:\Windows\system32\reg.exe
      REG ADD "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\FlyoutMenuSettings" /v "ShowSleepOption" /t REG_DWORD /d "0" /f
      4⤵
      PID:376
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "REG ADD "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\FlyoutMenuSettings" /v "ShowLockOption" /t REG_DWORD /d "0" /f"
    3⤵
    PID:264
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:4008
  - - C:\Windows\system32\reg.exe
      REG ADD "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\FlyoutMenuSettings" /v "ShowLockOption" /t REG_DWORD /d "0" /f
      4⤵
      PID:3788
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "REG ADD "HKCU\Software\Microsoft\Multimedia\Audio" /v "UserDuckingPreference" /t REG_DWORD /d "3" /f"
    3⤵
    PID:5072
  - - C:\Windows\system32\reg.exe
      REG ADD "HKCU\Software\Microsoft\Multimedia\Audio" /v "UserDuckingPreference" /t REG_DWORD /d "3" /f
      4⤵
      PID:5924
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "REG ADD "HKCU\AppEvents\Schemes" /f"
    3⤵
    PID:1920
  - - C:\Windows\system32\reg.exe
      REG ADD "HKCU\AppEvents\Schemes" /f
      4⤵
      PID:6024
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "REG ADD "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DelayedDesktopSwitchTimeout" /t REG_DWORD /d "0" /f"
    3⤵
    PID:544
  - - C:\Windows\system32\reg.exe
      REG ADD "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DelayedDesktopSwitchTimeout" /t REG_DWORD /d "0" /f
      4⤵
      PID:4984
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "REG ADD "HKLM\Software\Microsoft\Windows\CurrentVersion\Authentication\LogonUI\BootAnimation" /v "DisableStartupSound" /t REG_DWORD /d "1" /f"
    3⤵
    PID:4048
  - - C:\Windows\system32\reg.exe
      REG ADD "HKLM\Software\Microsoft\Windows\CurrentVersion\Authentication\LogonUI\BootAnimation" /v "DisableStartupSound" /t REG_DWORD /d "1" /f
      4⤵
      PID:5940
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "Start_LargeMFUIcons" /t REG_DWORD /d "0" /f"
    3⤵
    PID:5172
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:3140
  - - C:\Windows\system32\reg.exe
      REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "Start_LargeMFUIcons" /t REG_DWORD /d "0" /f
      4⤵
      PID:2424
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\VisualEffects" /v "VisualFXSetting" /t REG_DWORD /d "2" /f"
    3⤵
    PID:1888
  - - C:\Windows\system32\reg.exe
      REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\VisualEffects" /v "VisualFXSetting" /t REG_DWORD /d "2" /f
      4⤵
      PID:2552
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "REG ADD "HKLM\Software\Policies\Microsoft\Windows\Gwx" /v "DisableGwx" /t REG_DWORD /d "1" /f"
    3⤵
    PID:764
  - - C:\Windows\system32\reg.exe
      REG ADD "HKLM\Software\Policies\Microsoft\Windows\Gwx" /v "DisableGwx" /t REG_DWORD /d "1" /f
      4⤵
      PID:5864
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "REG ADD "HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate" /v "DisableOSUpgrade" /t REG_DWORD /d "1" /f"
    3⤵
    PID:3540
  - - C:\Windows\system32\reg.exe
      REG ADD "HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate" /v "DisableOSUpgrade" /t REG_DWORD /d "1" /f
      4⤵
      PID:1440
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "REG ADD "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\Maintenance" /v "MaintenanceDisabled" /t REG_DWORD /d "1" /f"
    3⤵
    PID:4284
  - - C:\Windows\system32\reg.exe
      REG ADD "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\Maintenance" /v "MaintenanceDisabled" /t REG_DWORD /d "1" /f
      4⤵
      PID:1380
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "REG ADD "HKLM\System\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters" /v "EnablePrefetcher" /t REG_DWORD /d "0" /f"
    3⤵
    PID:4760
  - - C:\Windows\system32\reg.exe
      REG ADD "HKLM\System\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters" /v "EnablePrefetcher" /t REG_DWORD /d "0" /f
      4⤵
      PID:5780
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "REG ADD "HKLM\System\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters" /v "EnableSuperfetch" /t REG_DWORD /d "0" /f"
    3⤵
    PID:1328
  - - C:\Windows\system32\reg.exe
      REG ADD "HKLM\System\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters" /v "EnableSuperfetch" /t REG_DWORD /d "0" /f
      4⤵
      PID:5480
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer" /v "EnableAutoTray" /t REG_DWORD /d "0" /f"
    3⤵
    PID:4884
  - - C:\Windows\system32\reg.exe
      REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer" /v "EnableAutoTray" /t REG_DWORD /d "0" /f
      4⤵
      PID:3396
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "REG ADD "HKLM\Software\Policies\Microsoft\Windows\CloudContent" /v "DisableWindowsConsumerFeatures" /t REG_DWORD /d "1" /f"
    3⤵
    PID:920
  - - C:\Windows\system32\reg.exe
      REG ADD "HKLM\Software\Policies\Microsoft\Windows\CloudContent" /v "DisableWindowsConsumerFeatures" /t REG_DWORD /d "1" /f
      4⤵
      PID:4300
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "REG ADD "HKLM\Software\Microsoft\Windows NT\CurrentVersion\WUDF" /v "LogEnable" /t REG_DWORD /d "0" /f"
    3⤵
    PID:4844
  - - C:\Windows\system32\reg.exe
      REG ADD "HKLM\Software\Microsoft\Windows NT\CurrentVersion\WUDF" /v "LogEnable" /t REG_DWORD /d "0" /f
      4⤵
      PID:5088
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "REG ADD "HKLM\Software\Microsoft\Windows NT\CurrentVersion\WUDF" /v "LogLevel" /t REG_DWORD /d "0" /f"
    3⤵
    PID:3672
  - - C:\Windows\system32\reg.exe
      REG ADD "HKLM\Software\Microsoft\Windows NT\CurrentVersion\WUDF" /v "LogLevel" /t REG_DWORD /d "0" /f
      4⤵
      PID:432
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "REG ADD "HKLM\Software\Policies\Microsoft\Peernet" /v "Disabled" /t REG_DWORD /d "0" /f"
    3⤵
    PID:5608
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:4604
  - - C:\Windows\system32\reg.exe
      REG ADD "HKLM\Software\Policies\Microsoft\Peernet" /v "Disabled" /t REG_DWORD /d "0" /f
      4⤵
      PID:4208
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "REG ADD "HKLM\Software\Policies\Microsoft\Internet Explorer\Main" /v "DEPOff" /t REG_DWORD /d "1" /f"
    3⤵
    PID:1932
  - - C:\Windows\system32\reg.exe
      REG ADD "HKLM\Software\Policies\Microsoft\Internet Explorer\Main" /v "DEPOff" /t REG_DWORD /d "1" /f
      4⤵
      PID:5484
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "REG ADD "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "VerboseStatus" /t REG_DWORD /d "1" /f"
    3⤵
    PID:4376
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:1300
  - - C:\Windows\system32\reg.exe
      REG ADD "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "VerboseStatus" /t REG_DWORD /d "1" /f
      4⤵
      PID:2348
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "REG ADD "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Serialize" /v "StartupDelayInMSec" /t REG_DWORD /d "0" /f"
    3⤵
    PID:4304
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:4236
  - - C:\Windows\system32\reg.exe
      REG ADD "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Serialize" /v "StartupDelayInMSec" /t REG_DWORD /d "0" /f
      4⤵
      PID:4404
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "REG ADD "HKLM\Software\Policies\Microsoft\TabletPC" /v "TurnOffPenFeedback" /t REG_DWORD /d "1" /f"
    3⤵
    PID:3112
  - - C:\Windows\system32\reg.exe
      REG ADD "HKLM\Software\Policies\Microsoft\TabletPC" /v "TurnOffPenFeedback" /t REG_DWORD /d "1" /f
      4⤵
      PID:2420
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "REG ADD "HKU\.DEFAULT\Control Panel\Desktop" /v "MenuShowDelay" /t REG_SZ /d "0" /f"
    3⤵
    PID:4124
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:4728
  - - C:\Windows\system32\reg.exe
      REG ADD "HKU\.DEFAULT\Control Panel\Desktop" /v "MenuShowDelay" /t REG_SZ /d "0" /f
      4⤵
      Modifies data under HKEY_USERS
      PID:3788
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "REG ADD "HKLM\System\CurrentControlSet\Control\Remote Assistance" /v "fAllowToGetHelp" /t REG_DWORD /d "0" /f"
    3⤵
    PID:264
  - - C:\Windows\system32\reg.exe
      REG ADD "HKLM\System\CurrentControlSet\Control\Remote Assistance" /v "fAllowToGetHelp" /t REG_DWORD /d "0" /f
      4⤵
      PID:5924
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "REG ADD "HKCU\Control Panel\International\User Profile" /v "HttpAcceptLanguageOptOut" /t REG_DWORD /d "1" /f"
    3⤵
    PID:1504
  - - C:\Windows\system32\reg.exe
      REG ADD "HKCU\Control Panel\International\User Profile" /v "HttpAcceptLanguageOptOut" /t REG_DWORD /d "1" /f
      4⤵
      PID:1100
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\AdvertisingInfo" /v "Enabled" /t REG_DWORD /d "0" /f"
    3⤵
    PID:4100
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:1920
  - - C:\Windows\system32\reg.exe
      REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\AdvertisingInfo" /v "Enabled" /t REG_DWORD /d "0" /f
      4⤵
      PID:540
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\AppHost" /v "EnableWebContentEvaluation" /t REG_DWORD /d "0" /f"
    3⤵
    PID:3308
  - - C:\Windows\system32\reg.exe
      REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\AppHost" /v "EnableWebContentEvaluation" /t REG_DWORD /d "0" /f
      4⤵
      PID:6076
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "REG ADD "HKCU\Software\Policies\Microsoft\Windows\Explorer" /v "DisableNotificationCenter" /t REG_DWORD /d "1" /f"
    3⤵
    PID:4380
  - - C:\Windows\system32\reg.exe
      REG ADD "HKCU\Software\Policies\Microsoft\Windows\Explorer" /v "DisableNotificationCenter" /t REG_DWORD /d "1" /f
      4⤵
      PID:5172
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "REG ADD "HKLM\Software\Microsoft\PolicyManager\default\WiFi\AllowAutoConnectToWiFiSenseHotspots" /v "value" /t REG_DWORD /d "0" /f"
    3⤵
    PID:4692
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:3188
  - - C:\Windows\system32\reg.exe
      REG ADD "HKLM\Software\Microsoft\PolicyManager\default\WiFi\AllowAutoConnectToWiFiSenseHotspots" /v "value" /t REG_DWORD /d "0" /f
      4⤵
      PID:952
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "REG ADD "HKLM\Software\Microsoft\PolicyManager\default\WiFi\AllowWiFiHotSpotReporting" /v "value" /t REG_DWORD /d "0" /f"
    3⤵
    PID:6108
  - - C:\Windows\system32\reg.exe
      REG ADD "HKLM\Software\Microsoft\PolicyManager\default\WiFi\AllowWiFiHotSpotReporting" /v "value" /t REG_DWORD /d "0" /f
      4⤵
      PID:764
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "REG ADD "HKLM\Software\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config" /v "DownloadMode" /t REG_DWORD /d "0" /f"
    3⤵
    PID:3240
  - - C:\Windows\system32\reg.exe
      REG ADD "HKLM\Software\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config" /v "DownloadMode" /t REG_DWORD /d "0" /f
      4⤵
      PID:4840
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "REG ADD "HKLM\Software\Microsoft\Windows\CurrentVersion\ImmersiveShell" /v "UseActionCenterExperience" /t REG_DWORD /d "0" /f"
    3⤵
    PID:808
  - - C:\Windows\system32\reg.exe
      REG ADD "HKLM\Software\Microsoft\Windows\CurrentVersion\ImmersiveShell" /v "UseActionCenterExperience" /t REG_DWORD /d "0" /f
      4⤵
      PID:1860
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "REG ADD "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\DataCollection" /v "AllowTelemetry" /t REG_DWORD /d "0" /f"
    3⤵
    PID:5996
  - - C:\Windows\system32\reg.exe
      REG ADD "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\DataCollection" /v "AllowTelemetry" /t REG_DWORD /d "0" /f
      4⤵
      PID:3396
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    PID:5780
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:4316
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "REG ADD "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "HideSCAHealth" /t REG_DWORD /d "1" /f"
    3⤵
    PID:432
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:5880
  - - C:\Windows\system32\reg.exe
      REG ADD "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "HideSCAHealth" /t REG_DWORD /d "1" /f
      4⤵
      PID:3116
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "REG ADD "HKLM\Software\Policies\Microsoft\Windows\AdvertisingInfo" /v "DisabledByGroupPolicy" /t REG_DWORD /d "1" /f"
    3⤵
    PID:1536
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:5964
  - - C:\Windows\system32\reg.exe
      REG ADD "HKLM\Software\Policies\Microsoft\Windows\AdvertisingInfo" /v "DisabledByGroupPolicy" /t REG_DWORD /d "1" /f
      4⤵
      PID:4060
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "REG ADD "HKLM\Software\Policies\Microsoft\Windows\DataCollection" /v "AllowTelemetry" /t REG_DWORD /d "0" /f"
    3⤵
    PID:4432
  - - C:\Windows\system32\reg.exe
      REG ADD "HKLM\Software\Policies\Microsoft\Windows\DataCollection" /v "AllowTelemetry" /t REG_DWORD /d "0" /f
      4⤵
      PID:5192
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "REG ADD "HKLM\Software\Policies\Microsoft\Windows\EnhancedStorageDevices" /v "TCGSecurityActivationDisabled" /t REG_DWORD /d "0" /f"
    3⤵
    PID:5368
  - - C:\Windows\system32\reg.exe
      REG ADD "HKLM\Software\Policies\Microsoft\Windows\EnhancedStorageDevices" /v "TCGSecurityActivationDisabled" /t REG_DWORD /d "0" /f
      4⤵
      PID:4976
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "REG ADD "HKLM\Software\Policies\Microsoft\Windows\OneDrive" /v "DisableFileSyncNGSC" /t REG_DWORD /d "1" /f"
    3⤵
    PID:2420
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:4228
  - - C:\Windows\system32\reg.exe
      REG ADD "HKLM\Software\Policies\Microsoft\Windows\OneDrive" /v "DisableFileSyncNGSC" /t REG_DWORD /d "1" /f
      4⤵
      PID:324
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "REG ADD "HKLM\Software\Policies\Microsoft\Windows\safer\codeidentifiers" /v "authenticodeenabled" /t REG_DWORD /d "0" /f"
    3⤵
    PID:1396
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:4124
  - - C:\Windows\system32\reg.exe
      REG ADD "HKLM\Software\Policies\Microsoft\Windows\safer\codeidentifiers" /v "authenticodeenabled" /t REG_DWORD /d "0" /f
      4⤵
      PID:5148
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "REG ADD "HKLM\Software\Policies\Microsoft\Windows\SettingSync" /v "DisableSettingSync" /t REG_DWORD /d "2" /f"
    3⤵
    PID:264
  - - C:\Windows\system32\reg.exe
      REG ADD "HKLM\Software\Policies\Microsoft\Windows\SettingSync" /v "DisableSettingSync" /t REG_DWORD /d "2" /f
      4⤵
      PID:2560
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "REG ADD "HKLM\Software\Policies\Microsoft\Windows\SettingSync" /v "DisableSettingSyncUserOverride" /t REG_DWORD /d "1" /f"
    3⤵
    PID:2252
  - - C:\Windows\system32\reg.exe
      REG ADD "HKLM\Software\Policies\Microsoft\Windows\SettingSync" /v "DisableSettingSyncUserOverride" /t REG_DWORD /d "1" /f
      4⤵
      PID:1992
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "REG ADD "HKLM\Software\Policies\Microsoft\Windows\Windows Error Reporting" /v "DontSendAdditionalData" /t REG_DWORD /d "1" /f"
    3⤵
    PID:1044
  - - C:\Windows\system32\reg.exe
      REG ADD "HKLM\Software\Policies\Microsoft\Windows\Windows Error Reporting" /v "DontSendAdditionalData" /t REG_DWORD /d "1" /f
      4⤵
      PID:4024
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "REG ADD "HKLM\Software\Policies\Microsoft\Windows\Windows Search" /v "AllowCortana" /t REG_DWORD /d "0" /f"
    3⤵
    PID:3704
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:5840
  - - C:\Windows\system32\reg.exe
      REG ADD "HKLM\Software\Policies\Microsoft\Windows\Windows Search" /v "AllowCortana" /t REG_DWORD /d "0" /f
      4⤵
      PID:1696
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "REG ADD "HKLM\Software\Policies\Microsoft\Windows\Windows Search" /v "AllowIndexingEncryptedStoresOrItems" /t REG_DWORD /d "0" /f"
    3⤵
    PID:5172
  - - C:\Windows\system32\reg.exe
      REG ADD "HKLM\Software\Policies\Microsoft\Windows\Windows Search" /v "AllowIndexingEncryptedStoresOrItems" /t REG_DWORD /d "0" /f
      4⤵
      PID:4872
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "REG ADD "HKLM\Software\Policies\Microsoft\Windows\Windows Search" /v "AllowSearchToUseLocation" /t REG_DWORD /d "0" /f"
    3⤵
    PID:5848
  - - C:\Windows\system32\reg.exe
      REG ADD "HKLM\Software\Policies\Microsoft\Windows\Windows Search" /v "AllowSearchToUseLocation" /t REG_DWORD /d "0" /f
      4⤵
      PID:5252
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "REG ADD "HKLM\Software\Policies\Microsoft\Windows\Windows Search" /v "AlwaysUseAutoLangDetection" /t REG_DWORD /d "0" /f"
    3⤵
    PID:5308
  - - C:\Windows\system32\reg.exe
      REG ADD "HKLM\Software\Policies\Microsoft\Windows\Windows Search" /v "AlwaysUseAutoLangDetection" /t REG_DWORD /d "0" /f
      4⤵
      PID:4560
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "REG ADD "HKLM\Software\Policies\Microsoft\Windows\Windows Search" /v "ConnectedSearchUseWeb" /t REG_DWORD /d "0" /f"
    3⤵
    PID:5732
  - - C:\Windows\system32\reg.exe
      REG ADD "HKLM\Software\Policies\Microsoft\Windows\Windows Search" /v "ConnectedSearchUseWeb" /t REG_DWORD /d "0" /f
      4⤵
      PID:4104
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "REG ADD "HKLM\Software\Policies\Microsoft\Windows\Windows Search" /v "DisableWebSearch" /t REG_DWORD /d "1" /f"
    3⤵
    PID:1012
  - - C:\Windows\system32\reg.exe
      REG ADD "HKLM\Software\Policies\Microsoft\Windows\Windows Search" /v "DisableWebSearch" /t REG_DWORD /d "1" /f
      4⤵
      PID:5316
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "REG ADD "HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Policies\DataCollection" /v "AllowTelemetry" /t REG_DWORD /d "0" /f"
    3⤵
    PID:2936
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:1256
  - - C:\Windows\system32\reg.exe
      REG ADD "HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Policies\DataCollection" /v "AllowTelemetry" /t REG_DWORD /d "0" /f
      4⤵
      PID:1192
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "REG ADD "HKLM\System\CurrentControlSet\Control\WMI\AutoLogger\AutoLogger-Diagtrack-Listener" /v "Start" /t REG_DWORD /d "0" /f"
    3⤵
    PID:2704
  - - C:\Windows\system32\reg.exe
      REG ADD "HKLM\System\CurrentControlSet\Control\WMI\AutoLogger\AutoLogger-Diagtrack-Listener" /v "Start" /t REG_DWORD /d "0" /f
      4⤵
      PID:5236
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "REG ADD "HKLM\System\CurrentControlSet\Control\WMI\AutoLogger\SQMLogger" /v "Start" /t REG_DWORD /d "0" /f"
    3⤵
    PID:4060
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:6052
  - - C:\Windows\system32\reg.exe
      REG ADD "HKLM\System\CurrentControlSet\Control\WMI\AutoLogger\SQMLogger" /v "Start" /t REG_DWORD /d "0" /f
      4⤵
      PID:744
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "sc config ALG start=disabled"
    3⤵
    PID:3768
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:5604
  - - C:\Windows\system32\sc.exe
      sc config ALG start=disabled
      4⤵
      Launches sc.exe
      PID:4880
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "sc config AJRouter start=disabled"
    3⤵
    PID:1668
  - - C:\Windows\system32\sc.exe
      sc config AJRouter start=disabled
      4⤵
      Launches sc.exe
      PID:5660
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "sc config XblAuthManager start=disabled"
    3⤵
    PID:4976
  - - C:\Windows\system32\sc.exe
      sc config XblAuthManager start=disabled
      4⤵
      Launches sc.exe
      PID:900
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "sc config XblGameSave start=disabled"
    3⤵
    PID:4500
  - - C:\Windows\system32\sc.exe
      sc config XblGameSave start=disabled
      4⤵
      Launches sc.exe
      PID:4352
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "sc config XboxNetApiSvc start=disabled"
    3⤵
    PID:2416
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:2796
  - - C:\Windows\system32\sc.exe
      sc config XboxNetApiSvc start=disabled
      4⤵
      Launches sc.exe
      PID:5724
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "sc config WSearch start=disabled"
    3⤵
    PID:5984
  - - C:\Windows\system32\sc.exe
      sc config WSearch start=disabled
      4⤵
      Launches sc.exe
      PID:3248
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "sc config lfsvc start=disabled"
    3⤵
    PID:540
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:4216
  - - C:\Windows\system32\sc.exe
      sc config lfsvc start=disabled
      4⤵
      Launches sc.exe
      PID:5356
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "sc config RemoteRegistry start=disabled"
    3⤵
    PID:4788
  - - C:\Windows\system32\sc.exe
      sc config RemoteRegistry start=disabled
      4⤵
      Launches sc.exe
      PID:1044
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "sc config WpcMonSvc start=disabled"
    3⤵
    PID:3728
  - - C:\Windows\system32\sc.exe
      sc config WpcMonSvc start=disabled
      4⤵
      Launches sc.exe
      PID:4484
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "sc config SEMgrSvc start=disabled"
    3⤵
    PID:1636
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:4872
  - - C:\Windows\system32\sc.exe
      sc config SEMgrSvc start=disabled
      4⤵
      Launches sc.exe
      PID:5676
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "sc config SCardSvr start=disabled"
    3⤵
    PID:5104
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:4312
  - - C:\Windows\system32\sc.exe
      sc config SCardSvr start=disabled
      4⤵
      Launches sc.exe
      PID:5784
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "sc config Netlogon start=disabled"
    3⤵
    PID:2608
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:3540
  - - C:\Windows\system32\sc.exe
      sc config Netlogon start=disabled
      4⤵
      Launches sc.exe
      PID:5196
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "sc config icssvc start=disabled"
    3⤵
    PID:4284
  - - C:\Windows\system32\sc.exe
      sc config icssvc start=disabled
      4⤵
      Launches sc.exe
      PID:4104
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "sc config wisvc start=disabled"
    3⤵
    PID:1380
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:1860
  - - C:\Windows\system32\sc.exe
      sc config wisvc start=disabled
      4⤵
      Launches sc.exe
      PID:2540
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "sc config RetailDemo start=disabled"
    3⤵
    PID:4360
  - - C:\Windows\system32\sc.exe
      sc config RetailDemo start=disabled
      4⤵
      Launches sc.exe
      PID:5468
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "sc config WalletService start=disabled"
    3⤵
    PID:3156
  - - C:\Windows\system32\sc.exe
      sc config WalletService start=disabled
      4⤵
      Launches sc.exe
      PID:5688
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "sc config Fax start=disabled"
    3⤵
    PID:4448
  - - C:\Windows\system32\sc.exe
      sc config Fax start=disabled
      4⤵
      Launches sc.exe
      PID:4980
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "sc config WbioSrvc start=disabled"
    3⤵
    PID:5108
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:372
  - - C:\Windows\system32\sc.exe
      sc config WbioSrvc start=disabled
      4⤵
      Launches sc.exe
      PID:5644
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "sc config iphlpsvc start=disabled"
    3⤵
    PID:2684
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:760
  - - C:\Windows\system32\sc.exe
      sc config iphlpsvc start=disabled
      4⤵
      Launches sc.exe
      PID:2348
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "sc config wcncsvc start=disabled"
    3⤵
    PID:5492
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:4376
  - - C:\Windows\system32\sc.exe
      sc config wcncsvc start=disabled
      4⤵
      Launches sc.exe
      PID:744
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "sc config fhsvc start=disabled"
    3⤵
    PID:6020
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:4060
  - - C:\Windows\system32\sc.exe
      sc config fhsvc start=disabled
      4⤵
      Launches sc.exe
      PID:180
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "sc config PhoneSvc start=disabled"
    3⤵
    PID:4600
  - - C:\Windows\system32\sc.exe
      sc config PhoneSvc start=disabled
      4⤵
      Launches sc.exe
      PID:900
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "sc config seclogon start=disabled"
    3⤵
    PID:4696
  - - C:\Windows\system32\sc.exe
      sc config seclogon start=disabled
      4⤵
      Launches sc.exe
      PID:4500
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "sc config FrameServer start=disabled"
    3⤵
    PID:2420
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:4068
  - - C:\Windows\system32\sc.exe
      sc config FrameServer start=disabled
      4⤵
      Launches sc.exe
      PID:5724
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "sc config WbioSrvc start=disabled"
    3⤵
    PID:2932
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:1820
  - - C:\Windows\system32\sc.exe
      sc config WbioSrvc start=disabled
      4⤵
      Launches sc.exe
      PID:6024
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "sc config StiSvc start=disabled"
    3⤵
    PID:5984
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:5168
  - - C:\Windows\system32\sc.exe
      sc config StiSvc start=disabled
      4⤵
      Launches sc.exe
      PID:4932
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    PID:4984
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:2252
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:2732
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "sc config PcaSvc start=disabled"
    3⤵
    PID:4248
  - - C:\Windows\system32\sc.exe
      sc config PcaSvc start=disabled
      4⤵
      Launches sc.exe
      PID:5172
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "sc config DPS start=disabled"
    3⤵
    PID:3932
  - - C:\Windows\system32\sc.exe
      sc config DPS start=disabled
      4⤵
      Launches sc.exe
      PID:1728
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "sc config MapsBroker start=disabled"
    3⤵
    PID:3544
  - - C:\Windows\system32\sc.exe
      sc config MapsBroker start=disabled
      4⤵
      Launches sc.exe
      PID:4300
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "sc config bthserv start=disabled"
    3⤵
    PID:5468
  - - C:\Windows\system32\sc.exe
      sc config bthserv start=disabled
      4⤵
      Launches sc.exe
      PID:4492
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "sc config BDESVC start=disabled"
    3⤵
    PID:3156
  - - C:\Windows\system32\sc.exe
      sc config BDESVC start=disabled
      4⤵
      Launches sc.exe
      PID:5692
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "sc config BthAvctpSvc start=disabled"
    3⤵
    PID:936
  - - C:\Windows\system32\sc.exe
      sc config BthAvctpSvc start=disabled
      4⤵
      Launches sc.exe
      PID:6008
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "sc config WpcMonSvc start=disabled"
    3⤵
    PID:1512
  - - C:\Windows\system32\sc.exe
      sc config WpcMonSvc start=disabled
      4⤵
      Launches sc.exe
      PID:2704
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "sc config DiagTrack start=disabled"
    3⤵
    PID:1048
  - - C:\Windows\system32\sc.exe
      sc config DiagTrack start=disabled
      4⤵
      Launches sc.exe
      PID:5856
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "sc config CertPropSvc start=disabled"
    3⤵
    PID:5452
  - - C:\Windows\system32\sc.exe
      sc config CertPropSvc start=disabled
      4⤵
      Launches sc.exe
      PID:2068
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "sc config WdiServiceHost start=disabled"
    3⤵
    PID:5556
  - - C:\Windows\system32\sc.exe
      sc config WdiServiceHost start=disabled
      4⤵
      Launches sc.exe
      PID:5760
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "sc config lmhosts start=disabled"
    3⤵
    PID:1328
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:5536
  - - C:\Windows\system32\sc.exe
      sc config lmhosts start=disabled
      4⤵
      Launches sc.exe
      PID:1036
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "sc config WdiSystemHost start=disabled"
    3⤵
    PID:3788
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:1668
  - - C:\Windows\system32\sc.exe
      sc config WdiSystemHost start=disabled
      4⤵
      Launches sc.exe
      PID:376
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "sc config TrkWks start=disabled"
    3⤵
    PID:4500
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:6060
  - - C:\Windows\system32\sc.exe
      sc config TrkWks start=disabled
      4⤵
      Launches sc.exe
      PID:2004
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "sc config WerSvc start=disabled"
    3⤵
    PID:5924
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:2420
  - - C:\Windows\system32\sc.exe
      sc config WerSvc start=disabled
      4⤵
      Launches sc.exe
      PID:6024
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "sc config TabletInputService start=disabled"
    3⤵
    PID:2560
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:3248
  - - C:\Windows\system32\sc.exe
      sc config TabletInputService start=disabled
      4⤵
      Launches sc.exe
      PID:428
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "sc config Spooler start=disabled"
    3⤵
    PID:1520
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:1992
  - - C:\Windows\system32\sc.exe
      sc config Spooler start=disabled
      4⤵
      Launches sc.exe
      PID:4108
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "sc config BcastDVRUserService start=disabled"
    3⤵
    PID:736
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:5848
  - - C:\Windows\system32\sc.exe
      sc config BcastDVRUserService start=disabled
      4⤵
      Launches sc.exe
      PID:2552
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "sc config WMPNetworkSvc start=disabled"
    3⤵
    PID:4800
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:4100
  - - C:\Windows\system32\sc.exe
      sc config WMPNetworkSvc start=disabled
      4⤵
      Launches sc.exe
      PID:1044
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "sc config diagnosticshub.standardcollector.service start=disabled"
    3⤵
    PID:5768
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:5308
  - - C:\Windows\system32\sc.exe
      sc config diagnosticshub.standardcollector.service start=disabled
      4⤵
      Launches sc.exe
      PID:4560
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "sc config DmEnrollmentSvc start=disabled"
    3⤵
    PID:1012
  - - C:\Windows\system32\sc.exe
      sc config DmEnrollmentSvc start=disabled
      4⤵
      Launches sc.exe
      PID:5324
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "sc config PNRPAutoReg start=disabled"
    3⤵
    PID:1964
  - - C:\Windows\system32\sc.exe
      sc config PNRPAutoReg start=disabled
      4⤵
      Launches sc.exe
      PID:4844
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "sc config wlidsvc start=disabled"
    3⤵
    PID:5076
  - - C:\Windows\system32\sc.exe
      sc config wlidsvc start=disabled
      4⤵
      Launches sc.exe
      PID:3240
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "sc config AXInstSV start=disabled"
    3⤵
    PID:1440
  - - C:\Windows\system32\sc.exe
      sc config AXInstSV start=disabled
      4⤵
      Launches sc.exe
      PID:468
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "sc config lfsvc start=disabled"
    3⤵
    PID:4188
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:3728
  - - C:\Windows\system32\sc.exe
      sc config lfsvc start=disabled
      4⤵
      Launches sc.exe
      PID:5968
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "sc config wlidsvc start=disabled"
    3⤵
    PID:4788
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:5808
  - - C:\Windows\system32\sc.exe
      sc config wlidsvc start=disabled
      4⤵
      Launches sc.exe
      PID:6072
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "sc config DisplayEnhancementService start=disabled"
    3⤵
    PID:4360
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:5468
  - - C:\Windows\system32\sc.exe
      sc config DisplayEnhancementService start=disabled
      4⤵
      Launches sc.exe
      PID:1296
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "sc config DiagTrack start=disabled"
    3⤵
    PID:2780
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:5644
  - - C:\Windows\system32\sc.exe
      sc config DiagTrack start=disabled
      4⤵
      Launches sc.exe
      PID:392
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "sc config DusmSvc start=disabled"
    3⤵
    PID:5024
  - - C:\Windows\system32\sc.exe
      sc config DusmSvc start=disabled
      4⤵
      Launches sc.exe
      PID:3836
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "sc config TabletInputService start=disabled"
    3⤵
    PID:2916
  - - C:\Windows\system32\sc.exe
      sc config TabletInputService start=disabled
      4⤵
      Launches sc.exe
      PID:2684
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "sc config RetailDemo start=disabled"
    3⤵
    PID:5092
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:2068
  - - C:\Windows\system32\sc.exe
      sc config RetailDemo start=disabled
      4⤵
      Launches sc.exe
      PID:5452
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "sc config Fax start=disabled"
    3⤵
    PID:1816
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:4880
  - - C:\Windows\system32\sc.exe
      sc config Fax start=disabled
      4⤵
      Launches sc.exe
      PID:4304
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "sc config SharedAccess start=disabled"
    3⤵
    PID:228
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:5576
  - - C:\Windows\system32\sc.exe
      sc config SharedAccess start=disabled
      4⤵
      Launches sc.exe
      PID:3284
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "sc config lfsvc start=disabled"
    3⤵
    PID:1088
  - - C:\Windows\system32\sc.exe
      sc config lfsvc start=disabled
      4⤵
      Launches sc.exe
      PID:3788
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "sc config WpcMonSvc start=disabled"
    3⤵
    PID:5724
  - - C:\Windows\system32\sc.exe
      sc config WpcMonSvc start=disabled
      4⤵
      Launches sc.exe
      PID:2964
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "sc config SessionEnv start=disabled"
    3⤵
    PID:3588
  - - C:\Windows\system32\sc.exe
      sc config SessionEnv start=disabled
      4⤵
      Launches sc.exe
      PID:2416
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "sc config MicrosoftEdgeElevationService start=disabled"
    3⤵
    PID:5356
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:4932
  - - C:\Windows\system32\sc.exe
      sc config MicrosoftEdgeElevationService start=disabled
      4⤵
      Launches sc.exe
      PID:5124
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "sc config edgeupdate start=disabled"
    3⤵
    PID:4108
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:4992
  - - C:\Windows\system32\sc.exe
      sc config edgeupdate start=disabled
      4⤵
      Launches sc.exe
      PID:2012
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:2552
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:764
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:736
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "chcp"
    3⤵
    PID:4024
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:1696
  - - C:\Windows\system32\chcp.com
      chcp
      4⤵
      PID:216
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:4104
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:4072
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:5684
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:5996
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:4984
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:2388
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:5236
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:4492
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:6056
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:4788
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:5808
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:5484
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:432
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:1512
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:1192
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:1048
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:3156
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:4404
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:4980
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:5628
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:6032
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:2348
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "reg query "HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0" /v FeatureSet"
    3⤵
    PID:5588
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:5856
  - - C:\Windows\system32\reg.exe
      reg query "HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0" /v FeatureSet
      4⤵
      Checks processor information in registry
      PID:4552
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:952
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:5608
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:5784
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:2704
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:544
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:400
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:6920
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:6368
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "chcp"
    3⤵
    PID:6872
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:5924
  - - C:\Windows\system32\chcp.com
      chcp
      4⤵
      PID:1792
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:5768
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:6256
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:5520
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "chcp"
    3⤵
    PID:6048
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:5088
  - - C:\Windows\system32\chcp.com
      chcp
      4⤵
      PID:3096
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:2984
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:4352
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:3516
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:2388
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "chcp"
    3⤵
    PID:1660
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:4188
  - - C:\Windows\system32\chcp.com
      chcp
      4⤵
      PID:6496
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:7040
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:7032
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:6248
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:6076
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:6200
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:4360
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:6704
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:2684
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:6336
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:4492
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://discord.com/invite/ultw
    3⤵
    PID:5848
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ff82fc046f8,0x7ff82fc04708,0x7ff82fc04718
      4⤵
      PID:6452
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:2348
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:6596
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:1728
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:5760
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:2984
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:5732
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:6424
- C:\Program Files\Ultimate Tweaks\Ultimate Tweaks.exe
  "C:\Program Files\Ultimate Tweaks\Ultimate Tweaks.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --user-data-dir="C:\Users\Admin\AppData\Roaming\Ultimate Tweaks" --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAABEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=3240 --field-trial-handle=1732,i,9349728768675065970,717138365882672266,262144 --enable-features=kWebSQLAccess --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version /prefetch:8
  2⤵
  PID:6680

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Ultimate Tweaks\chrome_100_percent.pak

Filesize
150KB

MD5
b1bccf31fa5710207026d373edd96161

SHA1
ae7bb0c083aea838df1d78d61b54fb76c9a1182e

SHA256
49aff5690cb9b0f54f831351aa0f64416ba180a0c4891a859fa7294e81e9c8e3

SHA512
134a13ad86f8bd20a1d2350236269fd39c306389a600556a82025d5e0d5adaab0709d59e9b7ee96e8e2d25b6df49fefea27cdccefe5fba9687abf92a9a941d91

Download Submit
C:\Program Files\Ultimate Tweaks\resources.pak

Filesize
5.0MB

MD5
67bb5e75ceb8ced4c98cf0454933cb45

SHA1
c2b1c8c8d753318bc5ec18762c27512a5eb9f9cd

SHA256
5d63acd4034f7771ca346d138d7478014abf1f3f4386d07fc025dbc2c2bc0bff

SHA512
fd213d59ebc625f6f8b20cc8fde1a22132ce827b81deaddb9ca7993fe0d9616de17e089def338d23c4b6bbd7d3a931ee73aa329325eaa17f8145a58fe11d8c38

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
5c3cc3c6ae2c1e0b92b502859ce79d0c

SHA1
bde46d0f91ad780ce5cba924f8d9f4c175c5b83d

SHA256
5a48860ad5bdf15d7a241aa16124163ec48adc0f0af758e43561ac07e4f163b2

SHA512
269b79931df92c30741c9a42a013cb24935887272ed8077653f0b6525793da52c5004c70329d8e0e7b2776fc1aba6e32da5dadf237ae42f7398fdf35a930663e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
d7114a6cd851f9bf56cf771c37d664a2

SHA1
769c5d04fd83e583f15ab1ef659de8f883ecab8a

SHA256
d2c75c7d68c474d4b8847b4ba6cfd09fe90717f46dd398c86483d825a66e977e

SHA512
33bdae2305ae98e7c0de576de5a6600bd70a425e7b891d745cba9de992036df1b3d1df9572edb0f89f320e50962d06532dae9491985b6b57fd37d5f46f7a2ff8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
719923124ee00fb57378e0ebcbe894f7

SHA1
cc356a7d27b8b27dc33f21bd4990f286ee13a9f9

SHA256
aa22ab845fa08c786bd3366ec39f733d5be80e9ac933ed115ff048ff30090808

SHA512
a207b6646500d0d504cf70ee10f57948e58dab7f214ad2e7c4af0e7ca23ce1d37c8c745873137e6c55bdcf0f527031a66d9cc54805a0eac3678be6dd497a5bbc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\3348b890-5320-41bd-9017-7f8a59c302b1.tmp

Filesize
7KB

MD5
efdf073c387aeda5cf5ad835d5cd432c

SHA1
46ac5eb62b2075480ef1bce0ceb21a3b08c00ce0

SHA256
0157997e97aff9e8ed9029c1c5a854ee3b8e8a987b4a7881fb880115d79bf908

SHA512
a74eec376b40d6ac1265c27cc569450fb47e1c3e59a234524312e5c01db3da6f7addf43cc8368425156347f53ad4443f83fad03efd090ab4ab197d1964c36e33

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000005

Filesize
41KB

MD5
0d17932e0626482afe8b6f310e47cb24

SHA1
78dd115cea950e82c6428486836b1975b6630573

SHA256
1f5b32a1afcdf9092cf1f0bb84eae0a6be1c8b4ddeb4d2fc4d271d1314aab252

SHA512
75e51a80add7329ddf91df268fe15a827931325283f15212b55a2dc41b76c1050863b0c0eecc4e7f20c069c0b8cf0c5b4e666ec9dca843c37a8e25867785edb1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
384B

MD5
929e0454ba6bae0ccc49b11acf2ce433

SHA1
68e01ea75cf07b16021560277879479ae0c47b35

SHA256
9ddf63dd6c14118cb57864ff70c2b6a998e4e2a31c098955250de8bdf2371f96

SHA512
fdbed02c46ddd18a65eb51842ae1e25cd15730aa76574baf1fd22a461a22632e288fe792a9597948ae5f7c630f399f3f1a9073cf1b6e243af6fb23d11867c41c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
600B

MD5
f48a0b138329539b214ed2d80b7a342b

SHA1
e17871d38903c81384daf3462b28cfb1d0e4664c

SHA256
4f00d8da3a4a20c6be19c5ad3d96aa81fca9a4449f06588d274ca8ce42fb3309

SHA512
147b08916915ed26f32a34d45068f475afdd20cad73d03d3a3fb83b10fa8bf585776c27f9f201958350c64f9ddb92e37f2263e79a48e2b00b35e87318de27e2e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
3KB

MD5
9560a049164189c1e29ea4bfbdcac90f

SHA1
8f7172be08629c98609e4d8f49832c68c2873a55

SHA256
b076aa36a0f9ec4b0b6971ccecf19fae8a49b9736b414b21fb0a463527bb7fc2

SHA512
edeed095a44c0262c49f23437cb0d7cc0e2c2ccd92c8917950415a4a0da4274f3215e825f82afc3260252f720cf5d0b8cbacc16f4c96f1aaae0b0c9b909d7ceb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
3KB

MD5
41e2ae28506480e7b778c39520decfd7

SHA1
ab6eea384d7b1e23c1c8bfd2efff6e63abc3b166

SHA256
ddfb09d372e614a5e14faa94bbb71c2b317a30e794e09a2d87a58ef86fdccfa8

SHA512
e42a01e0829b94ca6ec99240c1e9168db581529e7bbb681186b334f3827227fe04df67116c90897f861ce4a0b39bada162672ce453205ebf828b0b820ecab4b4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
3KB

MD5
406e85e4f9e85c1d5b9561007a07fa05

SHA1
80949762a07803e90744e600216fc91668dfc1a1

SHA256
32ed2a0b81736b1b6a5b4a3c32142176a419234772cf4c4f395c412f82d1039d

SHA512
753964a022e3f717bc384d8b4caff85b8911110ffeb465e9cf7c3bcf0f2eecfff11b7ec45ea3cdf00c7939409f43386d053d3c4424e0dbdbc082c997b050ea37

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
3KB

MD5
76a4b7e49832ce3f3c8b70c2d687a1b3

SHA1
2b3b0c6db8e5ca06d7186c5ec2bbd133f98a6a51

SHA256
1ffaae008e87b07442566f2fae8c3499f90fdcc4c80f77c9ef5a3334c19f054f

SHA512
27ca7c14bf2f30584a9f4b886e9ef96e2a6808d72021a6ddf6591ed7c196836e329e3e630abf9fef5df394bb8602830ea61b7316fa8de6243d0751c7f6c9c655

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
4716cc65c4c7c9913aebc007888920e8

SHA1
24bd920824eac7299ed6b4a3494f70ae613edaf6

SHA256
ec3bd27b4ee51581e0090c25784dd09d9baf2027847158bc477070ee86b0e714

SHA512
edd213f8969a82bfdd0c28913f616c547a8fa18228506edaf22f3203213565ea4ec609a702920a2fb665e1b7f8378b1fb54e17ae228a025d89af4e19aebcce1f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
71caf28f5006e5b175ad6a59fb7119db

SHA1
6aab06d8b484e87c335939d657b194f3cb8b0b29

SHA256
fe24f7471808288bbef16ef06b4d10aa4d9c82064cf70b56cf9ddbab669ca0a3

SHA512
3e94b09480ec1b676f8efdd4f594cd0b6cd6a5759cee684a10a06026b58edd3f148bd3d6e586a7d979479fb9ddd30885bc8015a4365ac44ee68d394a89b7127f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
74b4f353f5a761de4405b5b6d8bcda16

SHA1
fad23311b59c04ba84a37b0f071b8c6fac2e092e

SHA256
28a3dfa1ab06d037929d88a8d5d552e0241ba596cbe36def6d46baa2da228a82

SHA512
702bac53f2ccfad126d7bb01dcd846a28c594af67f1ecffb5deda729fd42f56b164ecb9a284c70a9de4ccc5f74f515bf4f6e34ea0ec9b4f99b2aabff7274c97f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
8d5e9369a092b7254b793a321ca988b8

SHA1
2ef5f3a369d651cc736f9fd21c73329a8d8bffd1

SHA256
1ddab3b418101668a83a5e95d90ce049e3dc86fa56d734e2ea05bd3ad7f5e35f

SHA512
02833dbf84439f673f6d42594cb9faa4a840c7775fdf81a4cdcda13c9818006edcb8d2f81a59a7747969b8af45b386ea0cd45ebbb249636ef2872570629b4d0e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
d11f2f28c110d04e37b87802811717b9

SHA1
51c1e3c02da972466d237670549f0c009c9b4b9e

SHA256
f2861b330866aa9c0ca24ba67da54b2231f26ee66c310daf186014bfb88ae9fc

SHA512
585d2ff8de600f796215e818007e7f78bbd57cd4d8902bf58983d4e65af49cc24a848b21fdf8fa395c3f2263bfc7d02a2045aefdf0d1ee8ca3f0b3c3d934f3b3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
874B

MD5
b7d6c8cca46cd2e546bfd623451de989

SHA1
1348e6b92142c0f7cd2bec0863f6cf439894874a

SHA256
41f6997952e169b79ed2b93e55159f261c95ce388aeb605a32f949dc367e477a

SHA512
b7279a0669e9c00c3da407b8ca2d34121022679c2ff93e501e80abddb1b9759c4951d36753bded6b910e130efe2ed49e3534c8082884a3bf048eeeb6be669cb2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
874B

MD5
4e84400bf7887bb33d56f33a185a8226

SHA1
aeb2b54421959363657790f27e14996f7b0170fe

SHA256
20a624a6eb1ee613fee38a216687c9eef6311973ebfc9cb88b201630a82e5fe9

SHA512
afef76811e196eb8af99227617e7869d7be118f6927801c5ea576d0f5f824b0d3e7b44922f4eb02fa64199845674ff599fdae0986721b8d98646e5e403b2bf51

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe5a1984.TMP

Filesize
874B

MD5
e2f4c10db776d653cb242e532e6226c4

SHA1
51a7c6addcb94157af0dcb6e0468b1ed07e7caea

SHA256
bf23849c78090177579a129bf6c8b460af0847b94877960f9ceac972cdfd3152

SHA512
974fb5a583bb078cde2a04a1a49de89606e03000b76c8d4a0b66827caa76ea33188ff1f261fd1f7cfba6d3dccacc9381fcb0a86a3a0199139904a49d54d7750f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
089122d006fddab400be75b5471503cc

SHA1
117a51b6f411fd28f1957a718c6db3947b19215b

SHA256
354a42d9876e4b16882433dfe9c709879ef792d1e918dad22ceb251dcd1f1560

SHA512
a16b311b9c8d5e54a2a297498dbaefcb19113f009d6e6f8873e6f8f38db0c343ef6bf51fe92b7d25c66b47a61565afa84a22c22f75da804ef8e5d1584b9533e9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
db2b386e684b37b600257195bc08fb90

SHA1
aa99a5e9375c8a2e2cd841787f310083336cf532

SHA256
8b8114b3725e907e43e4f4c3e65e4b43024d1f3e1f7cfcbd46718ffb357b9824

SHA512
f61740f69170a2955471cce2549fc9ddb2f35915f657a4c127a73f3ced7cd03f86e008155deef8eed1f5bbcaba9460fd0ab0434cfb2e8393e918430de1c1f9f8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
fc890d6c87ef49e17ab35fceab6e280b

SHA1
88b4414341058803fd49033cc14c21e38351f261

SHA256
408cecac1f88ba4fe6d071fafe68851244e39de126ae677c0a1a2f50f70548c7

SHA512
df375fdfe899b12684bc315c7d9af1b705b41022b5d51f965b6dbb6573b3d158fa966aaafa06b82159ac33eaa796f682196156700daa244131f6784871ab95be

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
2KB

MD5
28c65370f12e84b734af87ad491ea257

SHA1
402d3a8203115f1365d48fa72daf0a56e14d8a08

SHA256
4ea873fb3d77a2f8eefae82c943f621f16723516e181bde133568f8f0c91290c

SHA512
56eb34162b0a39da4aaf66aad35ef355a7709982b5060792e3b4849c36650725176e927815537ec58e7ddf0fb1763066b203d6b7f9d1b3dd2c8bc091c0c850cc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
2KB

MD5
98ea3077ecbae77c9d10e58f882833e3

SHA1
7fafa9f8d0913fea36063016c986549baf87743a

SHA256
ed27ce6569c9ac6ab4ca285b9aadcae54183b6e1d4470018d391645b752cc6d9

SHA512
a6629745226d7f962bd4529604f031b59e836c638ce52e7b387ddb14b9ad1bf76aedf4dcd2f7070a1273199eab7e953365995db1ee48f8f0dd78e2189cd60891

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
2KB

MD5
ef8feb49ac6b77dd83bc5b2cfae2c147

SHA1
66fbe4465fe1c9d110fb667ea8bc6167a45ba482

SHA256
234358cd41326349da0c6925ec041c907388cbd36c6e89320d2f3f513455c942

SHA512
5d9e52566e7e70c93e98afb8afd6c10692bd634e68934fb2903d22d227455fcae1312573f001e677521f7ccf0728315ad63767dd61a77d14b8674a475ac9e175

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
2KB

MD5
1234673bf4a661499789bde3e3dd3b7c

SHA1
ef4023cb63a5cf69ce7e2f12e78e9d94a3f4ea03

SHA256
7e7a3a2a831ef120f5d13aface944f963113a595c2ed32de6587b4401fb0294e

SHA512
e730b8ab3b2fcaaa68978eeafea511b45e74872e45ad23156c466ce1a7aac4d9207cb406a677624fb7a51f24b0659c65327795976c0f2f76d89abd6dda8469fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
2KB

MD5
437d27cecaaace542749378ef8ceb55d

SHA1
44b49bdb9ba59b85bdb68938c62ae66df40a5230

SHA256
4337bff590d06ed19821f991b57c7ba127340850da32d7aa69f3cc8785540e88

SHA512
135952268906baadb5d02f1bec0f63e075bdba0b79f1bd28d19cd8ddffdaeebbfcdb670b388e9ccb924ec7ecd2aa9eca04b6b3c81d95648a99d69af6f7d1720f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
2KB

MD5
364776033b824c2c203aaa0cfc6c444a

SHA1
65f5c7c9f043943c384c7a1c1a9e3f0c2a68a698

SHA256
6d393971d068a1f99e0fdc9b1d756e7c1a146630c09e30df0b8cc8a46b653679

SHA512
d305ba39c1f6bbf02fecc9de1f0772075722ff4ed560ff48ce958085cd47c2bc5ed35c6804917dbc12e8995197edf25992c791815ee8702728873241beed798c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
2KB

MD5
5b1b2abb777fa8b907fa1cc8e7429741

SHA1
e63082555d978b047b0051aff260d56f80a82c4e

SHA256
5aae5d29f175907d4250e39f91cf0c450574d98a4e2fca26d9495f46abeb8cda

SHA512
9f78f258af9b7b03b6c6e410cb35f7b4223e7a6fbb0e53d6af2b9e95e2c526ed6cd05d5365b3d070deef36b26ce56eaa7c5debd27badf722bda77db41a91f588

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_wezjnvha.bup.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsc4979.tmp\7z-out\LICENSE.electron.txt

Filesize
1KB

MD5
4d42118d35941e0f664dddbd83f633c5

SHA1
2b21ec5f20fe961d15f2b58efb1368e66d202e5c

SHA256
5154e165bd6c2cc0cfbcd8916498c7abab0497923bafcd5cb07673fe8480087d

SHA512
3ffbba2e4cd689f362378f6b0f6060571f57e228d3755bdd308283be6cbbef8c2e84beb5fcf73e0c3c81cd944d01ee3fcf141733c4d8b3b0162e543e0b9f3e63

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsc4979.tmp\7z-out\LICENSES.chromium.html

Filesize
8.7MB

MD5
bd0ced1bc275f592b03bafac4b301a93

SHA1
68776b7d9139588c71fbc51fe15243c9835acb67

SHA256
ad35e72893910d6f6ed20f4916457417af05b94ab5204c435c35f66a058d156b

SHA512
5052ae32dae0705cc29ea170bcc5210b48e4af91d4ecec380cb4a57ce1c56bc1d834fc2d96e2a0f5f640fcac8cafe4a4fdd0542f26ca430d76aa8b9212ba77aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsc4979.tmp\7z-out\chrome_200_percent.pak

Filesize
229KB

MD5
e02160c24b8077b36ff06dc05a9df057

SHA1
fc722e071ce9caf52ad9a463c90fc2319aa6c790

SHA256
4d5b51f720f7d3146e131c54a6f75e4e826c61b2ff15c8955f6d6dd15bedf106

SHA512
1bf873b89b571974537b685cdb739f8ed148f710f6f24f0f362f8b6bb605996fcfec1501411f2cb2df374d5fdaf6e2daaada8cea68051e3c10a67030ea25929e

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsc4979.tmp\7z-out\d3dcompiler_47.dll

Filesize
4.7MB

MD5
2191e768cc2e19009dad20dc999135a3

SHA1
f49a46ba0e954e657aaed1c9019a53d194272b6a

SHA256
7353f25dc5cf84d09894e3e0461cef0e56799adbc617fce37620ca67240b547d

SHA512
5adcb00162f284c16ec78016d301fc11559dd0a781ffbeff822db22efbed168b11d7e5586ea82388e9503b0c7d3740cf2a08e243877f5319202491c8a641c970

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsc4979.tmp\7z-out\ffmpeg.dll

Filesize
2.7MB

MD5
bf09deeeb497aeddaf6194e695776b8b

SHA1
e7d8719d6d0664b8746581b88eb03a486f588844

SHA256
450d5e6a11dc31dc6e1a7af472cd08b7e7a78976b1f0aa1c62055a0a720f5080

SHA512
38d3cac922634df85ddfd8d070b38cf4973bba8f37d3246453377f30165cc4377b4e67c4e0bca0ffe3c3fa0e024b23a31ec009e16d0ab3042593b5a6e164669f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsc4979.tmp\7z-out\icudtl.dat

Filesize
10.2MB

MD5
e0f1ad85c0933ecce2e003a2c59ae726

SHA1
a8539fc5a233558edfa264a34f7af6187c3f0d4f

SHA256
f5170aa2b388d23bebf98784dd488a9bcb741470384a6a9a8d7a2638d768defb

SHA512
714ed5ae44dfa4812081b8de42401197c235a4fa05206597f4c7b4170dd37e8360cc75d176399b735c9aec200f5b7d5c81c07b9ab58cbca8dc08861c6814fb28

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsc4979.tmp\7z-out\libEGL.dll

Filesize
467KB

MD5
3a5cbf0ce848ec30a2f8fe1760564515

SHA1
31bf9312cd1beaedaa91766e5cde13406d6ea219

SHA256
afef052c621f72ba986d917a9e090d23a13f4ab6bc09f158eeb73fd671b94219

SHA512
bd5713e1d22145b4cc52f4e46b464f443aad6f783a5793268e7d9dca969f27b70e706eecd54cb01be1c94256e6a95864c6b7e50027cef7fa870cdb16820ad602

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsc4979.tmp\7z-out\libGLESv2.dll

Filesize
7.3MB

MD5
c783045e4b7f00c847678d43a77367f7

SHA1
7f9192ce0b23ac93561aeec9d9c38daa3136c146

SHA256
3a39137dcee6cb6663ae9cca424b6b05cf56c0ad7e32fb72cb94549ea9dbcae8

SHA512
64e6d4fc84f1217ceef05a22ad63a6618ffdc470b1faf4ad9e2d7bab59e9285527b9c5fd7ea4be673a08b9466434e3c098e839bf6955597e3d8aa0e80589f4a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsc4979.tmp\7z-out\locales\af.pak

Filesize
478KB

MD5
9554e414159d76754147d7e185056094

SHA1
e0fb0c95cef8e8d1ebeb11a6e2ea03b9067d799e

SHA256
f402c0d8494c9a2fceedcd7845ddf43b62e7d01ddb1d9c8e132efea83b724824

SHA512
9e8b41f69605d7bd426243e49b0f22347b211f7d13038ee6350d86d06cc7274bb2ef1918e27548802a5437903a653d86fce85338fa97f8c9642c0e74ed59ae88

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsc4979.tmp\7z-out\locales\am.pak

Filesize
776KB

MD5
92ffe73f193d41c5a90303955b2da67f

SHA1
1d4136d8bb752da2834ebf0f4f62de56efefd78f

SHA256
325dd137903fc0d9e5010a62a314d9c6984ff82afbdff2254f7c48bd03dda06a

SHA512
6c4f0aac10276ab84ec4e63ec9ad0e20a1b3ce9d2368ec966cc6471600c3d28df8f9e501b4843bafa5bcf2aab57242559ba430d58853180ea653afbc8f468e67

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsc4979.tmp\7z-out\locales\ar.pak

Filesize
851KB

MD5
7608398c66cd0b55396f7250b3c8747c

SHA1
7e8417dfc7055fb9ecbe7cfc97a8aba0bd5a0e13

SHA256
3bb407fa588fb801ab241e8dda018461b54010a38648c3acc1e3550c0dfbd75a

SHA512
5dd757e4f114782eab9ab8cadbfe3179ded594285b3d0f7f6fa5ca50d80d866e7c8ff6a1f44deba8bdf09c04106de635c1da22597c008023b1fdf1cc747b6f1c

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsc4979.tmp\7z-out\locales\bg.pak

Filesize
885KB

MD5
c80a2008d9f61c182430a728a6e059af

SHA1
2f2aa33573156d9939e3fc81f8d81de4aac21e61

SHA256
5947f567ce1f4ab945dc6dab1599422d412f4417b9097905150d669122e43f7d

SHA512
016ce835b6bac4d5b38d72c0b3adf4d6b4e0ac04677d70c53e5938acd28b12220d2878bca7875471d008b779ea6ab4972a9875b44304e867d0bb5e4318c0edc3

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsc4979.tmp\7z-out\locales\bn.pak

Filesize
1.1MB

MD5
d179d38e8b9f7e60a943e2fc9f9471ad

SHA1
8d109081959d194c82b89fb25a514a65233435a7

SHA256
a45279ccc13390e0d93cfe1e33a7f276a5d9e97f6aefa6b6e14ecc4289703bda

SHA512
fa6f3e45f40e1e48f191e4a65f5d15dabd7058af4537eea3e34998dc67dd250b00e52d1f07b10a73a67a15aada4523e50f40160d98a5f37ef4684a30ff338468

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsc4979.tmp\7z-out\locales\ca.pak

Filesize
538KB

MD5
bd846046383d64073da6eb192f5cddb1

SHA1
6dd4bfb982101ecafc14eb35834caa1fe5b1e3f5

SHA256
1dca9a7fcd850aecd48288999b436ff7e70cd4a96f47b40319759a800fb8eefa

SHA512
521ddf6e8fb444b911212501825392562af14cfb5b31a80707fdeffb13c8afb04852b0e3f7e3363a1c3a37c5c35bb1cbe84b458e14e30b5e8d8cb00a6a349ce0

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsc4979.tmp\7z-out\locales\cs.pak

Filesize
555KB

MD5
926b4d7f540ce0b1912e5fb6383dabb7

SHA1
a7adbc83ef38092a90d964d61359a6caa1253090

SHA256
2964edcdcb27b2edf73515615501d8af28ad94b5dd31d2794f2624808c74de38

SHA512
bf6160e46eebf16d6b6f05d330068fa226118457ff03277b59ed4e1a6d2d28b212155cae2f48c34adfa81d20ff71e4206f25052257559f4768323b342dd16278

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsc4979.tmp\7z-out\locales\da.pak

Filesize
501KB

MD5
c54edb2260d2b907049cdd4772d5313b

SHA1
a12f623e6310b667a9c38b4c9143920d08564377

SHA256
318a9ec9e9fbe35d5d8cb9b719ecfbe1ecba9d8f246876c949c082107b439ddb

SHA512
4eef045080fecaf55bf2cca7d72d039b7d7a7b28021b649becee320a3a8c0753f4e0e5f869a188813e746bad05fd08c726b5c25f40ef9555967fafd93f7f6989

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsc4979.tmp\7z-out\locales\de.pak

Filesize
536KB

MD5
5a252c49719970b8fb33fbc8ec98971a

SHA1
931834866af36a9e25582a1f631a8cbc965a8e84

SHA256
d5746f48800efbff7db9d1bb8d6e5a5102eb7d79ae136e0485fd427be1ca63a1

SHA512
d4e6ab68d0b1a564b886c8bbe60e7bf67c3f71e6fc70ed5bfbb63a974f72afce62e03559f29f46a424908c256e990ff6cebeab8fddfbd79f6deca997cf7117cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsc4979.tmp\7z-out\locales\el.pak

Filesize
971KB

MD5
35ba1b364ecfff6486daed2a33cc6431

SHA1
b894b392d400fde4d35bc3b4edc130853cda340b

SHA256
c0434492be64b08f9ad00bc7cff65314822406dfb0c591fea0df6af9b6fc89c5

SHA512
5f5d2cf1d5c8158c62fe310338bfb1c9683ea2f43726c9f02fe6d2c29482e3211fd3d61a30dc0cf738549dc7047dfce0dbac36b9d22dfffb558f118fdbb3d856

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsc4979.tmp\7z-out\locales\en-GB.pak

Filesize
436KB

MD5
a44922cb4cd8816b9ce3d018dba9e6a0

SHA1
2ed3a8bd4a11bb89d3699f583372ad7aecc46ddd

SHA256
e0df967ffdf872f0a9589a0d74d68a742fa9b956add7a6736b82aebd9e8f02d3

SHA512
461b04a170c562382f6c1022f881db9f6928a36c962a2e3aeabee62dd4c46e08b59ef33a2d1d26af21dcc47d00b0c51e10b43f14dcd627f84104ab4f31a9e526

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsc4979.tmp\7z-out\locales\en-US.pak

Filesize
440KB

MD5
731c45f9f23957acc11b43d775758aaa

SHA1
12e66417a2dc0c5211ed67f026208ef02fcb40af

SHA256
02b97817b6eebd7caeaaff750f6462abc68911c398ddf0571b7900ff9b4ea9a2

SHA512
1a008df585ef76d9cf4459fc3e617b8d4397e7078c77852712fc7cf4f304081bc5195243437e64074016b05a8cd671db93666042e59b959595ba854ceb330a81

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsc4979.tmp\7z-out\locales\es-419.pak

Filesize
530KB

MD5
763f8c8ce092a3d64bbebddf4169e108

SHA1
89f2834c1b4e3f84870af29650bda6fe360350f5

SHA256
0c816f00b15d59809d30b6611aa455ea1bf8b022d2f887137f1c9d7a5600d5d9

SHA512
8401cec52e80a5136543473b317f0e2d920008c83b9667605cd0deb9fa5f933deeda0aa475b436520001c6a7c91118a4d9b11e28a9f4b31271662780e678dc06

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsc4979.tmp\7z-out\locales\es.pak

Filesize
530KB

MD5
f6f452e9fe45b56b489b2e99c99848d7

SHA1
c64384626ea966d3a24dfd4d6c2f42c1cc082d2f

SHA256
54f85551269c8b5f3985a09d313fdc04c4595e5058163cf147ede049b8faa605

SHA512
f3c50308531f9654ff394cbdfdcc6029c60dc6659fe60e0326b4855a31f3eedc86f3df82a96a9e7691d12c7a69079c4abe2722f599aae29f48b291fb5a39a3a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsc4979.tmp\7z-out\locales\et.pak

Filesize
481KB

MD5
97918bb7b36900705b1a53b7851db6b3

SHA1
f8cca656478c6e15baa8f344dda2704087f54776

SHA256
8021814965878c4913d1f9f9d226da49cc2a37746d976f3b84aad7fe096fd14f

SHA512
6daa8f56c231cfd7dfc17bb5d5c56afca9490f953f22c92365a1f88e995c3a1705de98a725177001bb449070c860fd1c843ee0a499c6dd8321f2e6f4cf914da9

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsc4979.tmp\7z-out\locales\fa.pak

Filesize
789KB

MD5
04f629bc5fa6d761f1d7b5dc28a6b97e

SHA1
d80f74a2b6508bae49b8344809062b48dc2b2dc5

SHA256
9b5334e4883a716c5616c859889aacd7b179b30ac65e5657198eb4e877700f81

SHA512
ea412096170ae29b33f3d54f17fb9f2f5a41035df56e2af9596ec7c15422277943c5c651df6b3a232aca4e979946732bec496da03b3e47e0d4629675751a4c67

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsc4979.tmp\7z-out\locales\fi.pak

Filesize
492KB

MD5
3acdfec7edd4d3eb473f0deb32713c14

SHA1
41fdd4af5f9fa78f4f81d3996ecafd69587f05ef

SHA256
4bf099ac8a76449bf597caf005790f5c02efd533b9a329c5fdc460d38f77607e

SHA512
b167caf1e5ff38b0c80f891715866a7754e9bf3f1479aa1faa3cf3e8ae7fe9b71a87109239750f71855330b6d20704b43e814f188672aa52a5dc6912297f1997

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsc4979.tmp\7z-out\locales\fil.pak

Filesize
556KB

MD5
89a63085d14b1b80f259e166e6ffe56d

SHA1
d1326c879a6ad203489226f7c5be08c897be71ac

SHA256
00b8cfe6131499a8a67a51dd8560a965a2abb863d52635dd3931df0479c3f5ee

SHA512
ab48fc4bc604648b4cc010a530fbcc5138b9d0a0f09398d2a69b6219799a43a052722c47dba96c9d001b4f6ddd491683c0a871c19ac2abc12843e68f9d4c2cf4

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsc4979.tmp\7z-out\locales\fr.pak

Filesize
574KB

MD5
6708a286a0529ba7bed9840d53035be8

SHA1
af289ed518d9d90c75b69a870615e3f475c5d0e4

SHA256
7169684ff44f342b98648839b8963916f7323115dead332c2471baed6264b80e

SHA512
b329798fd85eac1505d0af5cb827ba11a5850eb926be39b414c40b5fdb56432db5f3dbc45237510bd4d1174c1cd62f623c6cc8ab10eb0ca51dea5d5487f0b0fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsc4979.tmp\7z-out\locales\gu.pak

Filesize
1.1MB

MD5
ba34657d3f5ebe61b36a807c4a053d72

SHA1
163875c4ef39e3473d9d5aec4b6273f34a90a02d

SHA256
8c762963cca8eef2cbd39bd7bcd8b809f3b57a75353e687743894add9c19440f

SHA512
cb1c4adc59c3e99f819645ae84e3e6b601b340e05ae2182c0b1568bbbcd3eabf7bf09ef34e5d0757530997d0734dc52dd744b8b0edbb3702a3c06e29ba7f0c4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsc4979.tmp\7z-out\locales\he.pak

Filesize
691KB

MD5
c47322869b458a1cd231f3dc385f80fb

SHA1
4155444dcb69c5b64711139cadb32a6df95ce3ae

SHA256
9e5544340da0e0aa28298e68765716a3960a28e50d86146b5324fd70fd756b41

SHA512
ca4664a9acbdd5896c6a0921e09d99f1a7ce3d7a80338c1a4310ad499a5a2cbb60ca074a02fcff128789da0a4cf82d3869f83836ae3ae3171085e58d6155fb73

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsc4979.tmp\7z-out\locales\hi.pak

Filesize
1.2MB

MD5
6d3ce5a6049eda31ecbc55a9d3abb163

SHA1
100afed265c77a20f6636a0ab48c8a723e30b087

SHA256
8dae029a489f1bd7530650a9cb1be1f03741e1d7018503feb3c78759da8af531

SHA512
3668952ea707da9ee8fd3753c04d5dfbed97685b76dcc75dcf8d6a3699a832c3ff0db9cd40810f6ea9364f2b7aff4b1cd68980c74b59808fcb4900a36d933bba

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsc4979.tmp\7z-out\locales\hr.pak

Filesize
535KB

MD5
2f7462a076c14f2c2733a41dcc5ecf1b

SHA1
c453dbf62d1cfe85adb64ae374b6a79cff2ef97f

SHA256
6dcc7d5d771475874471b78ee84db0230341f8634f4b38a9cb90c37226d70b00

SHA512
f1df750b779c908547a38b49bae0ed8734fe37cd96d3502186926e6cbd657c248c528cf9944353dfd26695ab384f17f22f0bec251e65a20906da4d67852cc516

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsc4979.tmp\7z-out\locales\hu.pak

Filesize
576KB

MD5
f55e37076460b2e8b5ed0f414618d256

SHA1
b313287de6197f1bf9f9770e3d2c99e70c4d8179

SHA256
61854ab102bc57a7ad7b85a4fa008c3f071306838ba1a0491f68c19153decd49

SHA512
e8121a064a3209878f24c33e9c20c810c56aa15476909de1ce076c80ef635e69a60ac655b7714a116951de5b99bb690827edafddcd5e6b00ee6310807d78ce58

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsc4979.tmp\7z-out\locales\id.pak

Filesize
475KB

MD5
260d34aaada70c9d491bfbedcf5ca8d1

SHA1
5fa83a3e53e6aa9eede9fa34a84eb55ee8493314

SHA256
64a8a25717ffae1855114d84b02223ad5b3963c1c6a21c826636146726d0a8a2

SHA512
a19ec6fae22689a8f851c1a782eb748ee9f38dfad89f05291c01a6070b24a8a02fac4bb4a441421f411966e8bc08e996900871d498efa307ac1793191710ebd2

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsc4979.tmp\7z-out\locales\it.pak

Filesize
523KB

MD5
cfb2ddc4caafd038db00c1e7378d316e

SHA1
2573f32a41735efde916f0a73b415ca689c0dd36

SHA256
9395bf9a547561df6cd20d8e076452369cb72184f215448d1acd802dccf3a47d

SHA512
8a02ca980a8de8af8b179d610ff25557f81f67bfb5a9f82511641ec87b378a2ab7214d5ec681797acba1a865bd726cb9c5f609647ae6ee71a393b7e16fc06f8e

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsc4979.tmp\7z-out\locales\ja.pak

Filesize
639KB

MD5
d84e12cecf6e4355933ed68816f090f6

SHA1
eb35ef52f341442dd887d43a52af7f02926d5288

SHA256
8de18410e38f4036367113bd4ed253a4957709d87e0aeb11134742bc89e16d62

SHA512
9dbe703493acb7b48ee1dbc4458ce0b9d757419e3fbf01379bc8dcbd22cc30a99348f7cb96840c19e873d6d97bb4d1a3baa4fcd6e0d332480273020a6e13a375

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsc4979.tmp\7z-out\locales\kn.pak

Filesize
1.3MB

MD5
a4cce1cfe646eb2c268493603dcb358b

SHA1
aa19ee1cdf8776d07bf35614ff063aed5a798ef8

SHA256
01250aec7310bb59e0e847382325f940ea2cdab00369c1c7efe2f340d01ff806

SHA512
cecb7794a288e879324e74e7522bee61a43072ab58a289b686f1d48d98fe9a0d29a5505b8c891fe411b823c3d8366d6c1cffbcc1deffa6c7d3a04339a769dbc7

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsc4979.tmp\7z-out\locales\ko.pak

Filesize
540KB

MD5
c21dde26f43530135ef37323b00dc1fd

SHA1
a118e9713b155bd2999f04c3075f2e1bb05bffaa

SHA256
ff88b56be0614232947bfb07e6beb88327a18ebec98cece17caa9b7cd8e6dd24

SHA512
0db144f03992c41c3703719e985183a6ec988265e5a629d09bf683d9b208656d605565d6b5597cead909c814f25ce200739e65b1327172afe10d395a5018206c

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsc4979.tmp\7z-out\locales\lt.pak

Filesize
580KB

MD5
93a0a8181e8c251a2375645a552293d6

SHA1
57faf2e9f965a49d5294cf9759b9b50d87c2ad1d

SHA256
f87b2baacdde69b2b24dc7859d47bad0844cf4d275072812aaf4eedb10318450

SHA512
51e1ff74442cfd51fd2fe218755335ed99e4850c8266425b8d55aa0abde2712ab765ff909d6ee620268ade9d7b51a93be659d6a52143da2abf4ec309bbe9f2fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsc4979.tmp\7z-out\locales\lv.pak

Filesize
579KB

MD5
07405dc51eddde72e367737c093c20db

SHA1
c66b8eccf167060c43b3c53631fc0c95b3afe05d

SHA256
dbc860a35ad08e4f502b8784ca1548110d3c7334478f6c392db42f52cb3074f2

SHA512
98f276fc137d6592cdbc1c804dd59983e290409bf7908137627ab114ab485e332f568d28c60a35d1dcb3d9753c2d1740065c654396af5f56f0dd5e1dfcffcf71

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsc4979.tmp\7z-out\locales\ml.pak

Filesize
1.3MB

MD5
70c0c80fdfc006be0ff502e0e6115b2b

SHA1
43f96be4652ecbd22677b18ffe2260b79bcca19c

SHA256
878e268428ec7aa51105c921740931c545d4ba6a274b367c52675c90741d23bf

SHA512
c463c5d91b3cae6b2c70ef6b7e3758bacecbe76088d813e2632bde7939c1fb28bad3cccf914a14861b8611a490ea74ef2d8d10e7336b203d12cee9904e8f9423

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsc4979.tmp\7z-out\locales\mr.pak

Filesize
1.1MB

MD5
fcaca3a4264563461b42b16d8fde4b02

SHA1
af37d4e73588d4a6d3d52f2dba67414393c9b168

SHA256
362df1aa112a0a521617c0496087b3547a242eb79a5416b8414c5798f31e187d

SHA512
9114dc4e7da2affdcee5c86b1f1f78e47279c31d0f76c8deb1eac545e0268b9592463bbe1a4b433ff4fcab1ad4a596655b775608515bf7455fda550d3bf47b8a

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsc4979.tmp\7z-out\locales\ms.pak

Filesize
498KB

MD5
578dcc1aef901d00a57f2698a6e15826

SHA1
4dca370c3b22f9f54a62d31166a84848336a8fea

SHA256
e5e77421c5fca5b1eaef96fbf33c345c63119015986163cb43d65075df6265d0

SHA512
073aecedf4132faef7e896e6840bb6297e866a06fd65a7490f0a61179013f27b6592a4fb2be91cb5e139c77f6db7695bf60e5788154e51c9ab7889f6e7040a33

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsc4979.tmp\7z-out\locales\nb.pak

Filesize
483KB

MD5
c2c49ebaebc448cfeb7933ce2cbd6ca6

SHA1
c3efca0fee40a3daf7d69768d7659de60b3e2c4f

SHA256
67d997fff8a24eaa030eadede7f5345fff5e954e96bc8f36d399839bed998774

SHA512
c500bc1097ed9077742c5708bd55dc4215c45f751522131b8203d7ae802d278ffc3a9ef607325bbea5b650d594dde0d74e7fa4502e1a0f905534c32fa1521bba

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsc4979.tmp\7z-out\locales\nl.pak

Filesize
499KB

MD5
9229e4ded3219c948747a4dc9a6a5e32

SHA1
9147b2f2ac3837588aa3b71eb4a255d29cab0e74

SHA256
d88b02d74e01b9350d3ac9c48fe08333ca9c68e3e3824d64fae86c5b8b531feb

SHA512
8a81cefd9fa718b18de87555cb2d5c8e87ed14921fd3a0247b47988a1f3896d63b16dbf86fbf103097c73181473c37393c0f4e9e0a07d95d847aebcad526e8e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsc4979.tmp\7z-out\locales\pl.pak

Filesize
557KB

MD5
ab94060826404cc09d5fed31f63cec05

SHA1
20d1cea9d2e60b9bbd4fddb38a652856a3561008

SHA256
03258ecf731487231cc7eab8f6cb96e92b7ede4cc5b63c3def6ba08e0f16da10

SHA512
a9ec28912bdd2b8b1e1b3fc4d5c76139253ee4ada8f0d562ecd611d7366b0cdc97c379c5ae93c9db69eb045d8834cd0e1e0ba84813ac0071b5a2bf6cea81173e

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsc4979.tmp\7z-out\locales\pt-BR.pak

Filesize
524KB

MD5
f18cae95b8bb6760d370b435235c5629

SHA1
eb62bc4249ea8e5688c67aa65bfa2b628fd5e1d8

SHA256
952234ef1d2792204f4e65cc814e9fc6dc007610668ceffb980c74fc0167ba0b

SHA512
218e9e4e59c875fe7931f16e6df877f67b8466a5e8a5565a1cab0f091b40b0652eefcf205536f5f4b8697966aa201092c26249142dcd8b40e055529e23ef7819

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsc4979.tmp\7z-out\locales\pt-PT.pak

Filesize
527KB

MD5
4aa908b531adedb0ee795704ab72e248

SHA1
2ea9f4a7e561e70b06b675b3fe35ccb0f2a12fca

SHA256
72ca754dcb34c54b72087ab7fd5a4a3fa03e09cd1ced906d99d6525c7a19ee9c

SHA512
7d4a1add737136acfc7ed7848b0ee54646d5c8aa3a54addd7cf0340ebf42b58f6ce2eff56a2ba94125475e7b64989d06fedfc8b1ee41ece63b18b1f95686ad08

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsc4979.tmp\7z-out\locales\ro.pak

Filesize
546KB

MD5
36f8327b36f2c6c003f864895968af2f

SHA1
248d88aa9fe46cbcd013ea7d7270f8483215c073

SHA256
6343589863bdd2ae81ec9c33e335048fd8792d2c2e8872f91f7a325a1f0d97ac

SHA512
bb03b5af3ddf676dadb35d5b94f40ae1c95cba2e7175c87d128c319e0055dd91f412883daace89fa33a17b9761f1cd7bccdf261b16ffadd6e10da594445c2c8d

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsc4979.tmp\7z-out\locales\ru.pak

Filesize
897KB

MD5
a0072d84d1bcb2fa7bbe7ae4e06151ba

SHA1
b9227c6cd4ff9f6db6a8edf694c444beccd369f6

SHA256
8c169d6995d97feae8b8ec947be27697ca0ff731b593fff36163e4f31969a6fd

SHA512
fad335e81a24427f2b0a2853733da94c9839139a7982796bf742eacba306ecd9998914bcac49b925d5bb18953091a4dcc62ea6a628fff125c086099cfd33e3b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsc4979.tmp\7z-out\locales\sk.pak

Filesize
563KB

MD5
e9bb6352cdd0f1c2fdd543a48ba076fe

SHA1
50053620d7be5566bb3ee588feda1a4daa207672

SHA256
441155d63257beaac9e2998afa1a9e65957286ed1cd9e0670072a63e24ff3f8b

SHA512
c1f87c7976159c8ff3e28185adcabf93d47ace0dc9b95fbaa4d1e5ed9ea8257263276880486a4c17a68a5869e6ec640eaf81f5ae6c4481e351e73e7b4dd9dd9e

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsc4979.tmp\7z-out\locales\sl.pak

Filesize
541KB

MD5
299acf51d74b95ae4272730c437763aa

SHA1
8a0ff73f37d830b6677e514371a5825631aa455d

SHA256
26e29cd70c4143d7e9fb65e86e02c9173997f2fc062633a5edb2b7df55942157

SHA512
d7d298a4eb476a3cd4411261058f6f9409d0dddb3756cdc1e27e64280efc8b84fe40afbd92c754d56f58ea333623b0481766320b5969f5dd71f0c2a93be8ff77

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsc4979.tmp\7z-out\locales\sr.pak

Filesize
833KB

MD5
02bdb4d99bd466eed5fed3445560d52d

SHA1
c24e1895145b3066840be0d349f5e866e46e2a39

SHA256
ac09005a83d4ac8f61855c7e301e48a753d2f3558a04cdb94f23b539e2086e54

SHA512
fac7bcefe31f41b6e37f215f271b33ab21dad281c1b0bdaf28769c99e31bccca625f213fcfd7c0047b3e2104a8f51b2ebc5fb374b32f58ae22c4130e315aee1e

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsc4979.tmp\7z-out\locales\sv.pak

Filesize
486KB

MD5
eb39645ebed4f980ab12585feae2f4b5

SHA1
fc7c471b93f59bef13f7bb4669e683385a8b9dec

SHA256
ca34ee1c147358b5e32b5829acc0c355708925dc8df91c21d8e495c7485fa5c7

SHA512
5fb25d7dfca3483967a5262d2c62b5d37a192f5a7a19dcf6722a9a8753e299e567bf7f26171859c374c8d035bb521fb4eddc4821aebf9ceea1253c63e1595c60

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsc4979.tmp\7z-out\locales\sw.pak

Filesize
512KB

MD5
e2958cf2ab6cc74551c8360e6cc34333

SHA1
806aa1129f228ee48744cfa55d061149b37522b0

SHA256
51482431411be2d89bfc026b9acf9ce1a0fb971376468a47829a15392b47178a

SHA512
1f5f306b7233279800d18fa461f4c94ecad809b2bb7c292fce16abcac2e963f7567a86e43a3c950fc86bc73b4fef8451389fc57ac6750fe7546afad8ae00f589

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsc4979.tmp\7z-out\locales\ta.pak

Filesize
1.3MB

MD5
474a2016df48f886e91fb9fd331d9bf9

SHA1
2548525143292d7d150f5014b44ef294ba7c4189

SHA256
75638ac7fdb226c0840d5c2edf763bae35afa1f47e89199d9724ff46c003a2c2

SHA512
a4c2c2c046420c77948a0479cbd2be3aa11c1b347eb508d020231eece5cf0c2cba8d4f6a0e9f875dece4a16413157fd9e9f1cf09e1746335eb11e8f8590cd013

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsc4979.tmp\7z-out\locales\te.pak

Filesize
1.2MB

MD5
1f20952c1a61fa6e42a7f055de8986ea

SHA1
301ec89ca80695865d884927c4c07c6777fb321e

SHA256
caeba6c853a0ee12a802fb9f610a95c676071414c1d8407d18b05f2fe8ce6bb7

SHA512
c43f5316dff21cd08f86e0d3d7c407449cdc751ff466683dff9a51e3a07bda203e8e22064bf240726e6e389b661d6dc2bf5ed5dc42750539990379e513228d53

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsc4979.tmp\7z-out\locales\th.pak

Filesize
1.0MB

MD5
7512a162ea0b65dd9477ac8c190136b9

SHA1
ae5fbce9516882a0d58da9ebee3c767c7ba4c305

SHA256
d01ecd4edecf1809d5c2133366df2502a4621e88d894817e80b913f3a0926fa4

SHA512
425fd803cd3ed9589df5d04bb8ca4b62af0e573301d31c48a1a05bf3b707a0672e1a033965946223e5873a98eb3c9d52bcdcc1296a08cb4971d0b1b6d2e95eb7

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsc4979.tmp\7z-out\locales\tr.pak

Filesize
523KB

MD5
4727af70df9094888ba46f3a62eff264

SHA1
d2ead301efab607d040c69c238a06d3b4d080717

SHA256
026fc65ed90fe356ce2b5e2b459a4487512d89e48f0ff8b044d6739ef51c1658

SHA512
5bb8dd6ad100581a7e0cb87b57e054ab23551c263144f7ffebf729b2280a1bd95e92eba9c64b80e2f77ce59c3c4315ba2b5253ac83dbb540828e7a59a70e74ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsc4979.tmp\7z-out\locales\uk.pak

Filesize
896KB

MD5
7f8d31b43f7319164bc0f6453bbaf007

SHA1
4be254da0ccb13040489403cc2d8015f448292da

SHA256
e33b1a611feca93d105dee7c867521b5fbf27da38532ea3ca0aec61bec7f6108

SHA512
9569bd24aa5d2f9b0a13784f5f3d98e636f72177c7ff7a14c7d390f1d5f0b39ffab512276f70e4d2df0d37fba94a2c2322a840ba303a4cde33ccb20f7980395f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsc4979.tmp\7z-out\locales\ur.pak

Filesize
782KB

MD5
305d39b5de5a1935d786da4bfc736dc5

SHA1
8dd952fea4dae937b9f87d229638cd22ca197a8c

SHA256
b551a93a300ab78ee6da5087ea417584c4fd3941fbac99c84c9c58be2c88a7e8

SHA512
d75ef12a56c2dbde5c7a1967297270f7d717a366776f6b2a316784f033c71fcb9d25dabc857398e8459d8ac40aae1bae59e82f551e00e9b96bfbea00a54fcde5

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsc4979.tmp\7z-out\locales\vi.pak

Filesize
619KB

MD5
593d33203c539d027c5b5bcc13bb38c9

SHA1
2f6288bc43ddf31e49a733af97e3e9e2fb8a2940

SHA256
d435c4c7154c24982185842a09cacd343cea77a5eb7fb859c4d38973cf240a42

SHA512
7c41c74f7220270da242562b93db8db053c0a7b08fdc1864d063706caccbc6926f288ae6bff1de43af656af67fcf2d8ad57f53d791bbc47a3b29a6a0856a68e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsc4979.tmp\7z-out\locales\zh-CN.pak

Filesize
447KB

MD5
156894db535f0fbe193d66c0afb4b112

SHA1
e347caa3c41ea7461c217c029dbca54567fbe27c

SHA256
cc5a411d3bf0ddfba9e5041dfeeaed70265ba949f7b7ccba0170b88e3e14ceb0

SHA512
e81a0968598536e91c17a1998682cb5fff42bd3199c41b64e2d76827c96b187e8f86182843c061735dad2b7cd5e32750e473c1a5f9c82bcc0dcc30f1bdb8b806

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsc4979.tmp\7z-out\locales\zh-TW.pak

Filesize
442KB

MD5
337bba163068f2dd7ff107ea929c8473

SHA1
536ec5756f229696dd6f875180778afcee1966fb

SHA256
58753d4313ed7f548df16a9cd9aa1f0e30cebee675a76b8359ed23fc95825574

SHA512
000b98249d7b0e4c7e463bafdf827e3dc5afac447750320d6344c984f4ad41cab5795861920525f03dcaeea5aa3615684101b08bbc103d3ba01065676c8bd64f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsc4979.tmp\7z-out\resources\app-update.yml

Filesize
106B

MD5
b0e31c54422860c9390a2e456d8f4624

SHA1
1b73cc7e00cbcae94a3ed921fbd055a393dedc0c

SHA256
897dac554968a2c49044a5e601cfcaf7c24d41599a58c03e91c62bd664b60ecf

SHA512
561cff0a281e073b0b2e3bc139a18b44ee1e2ab147d99ff007d5deae48c0c4c847bee4e14ad2e36abb27f7d9240f95aee7fcc9987246c717ba48666f550cc121

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsc4979.tmp\7z-out\resources\app.asar

Filesize
7.1MB

MD5
8bcbb3a116b0035d6a5621f6ce6d4ba9

SHA1
0f974db0d87af4aff602a410e7f09e6821f30ce7

SHA256
f975415a103c1faa4c7aac4f31868c0e408a24615bcac355e3f7640046df995c

SHA512
463fbc355f8fb4268417acc0e82d7774894fb076fdce5f6e3b59a7353f8af369e4215cc3722b34cb1936ca849173912d05e2cfb01a3146b1467239dd2a424c8c

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsc4979.tmp\7z-out\resources\elevate.exe

Filesize
105KB

MD5
792b92c8ad13c46f27c7ced0810694df

SHA1
d8d449b92de20a57df722df46435ba4553ecc802

SHA256
9b1fbf0c11c520ae714af8aa9af12cfd48503eedecd7398d8992ee94d1b4dc37

SHA512
6c247254dc18ed81213a978cce2e321d6692848c64307097d2c43432a42f4f4f6d3cf22fb92610dfa8b7b16a5f1d94e9017cf64f88f2d08e79c0fe71a9121e40

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsc4979.tmp\7z-out\snapshot_blob.bin

Filesize
298KB

MD5
cadef56f5fb216b1fbf7ada1f894ea6d

SHA1
373d2a4266be5c8fbf61d4363ec47ddeb2d79253

SHA256
0976145cc8c02f3e64ddbf51dc983bdbb456be7fcf3ce54608e218981671ac12

SHA512
9c90e8943f9ef6d644fe0fbe55ab25ed371739d17da8cf973893a2e41ebfa0a92bcf1761e72da032f9f3d1c6f1080c62f856aa07a3cbb609c9e8c186f92216b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsc4979.tmp\7z-out\v8_context_snapshot.bin

Filesize
663KB

MD5
81870fb2f641c8b845e9c6d1a632f0b7

SHA1
fcd47d8d1232c189a1c4087bb03a015ce14c25ba

SHA256
875515af4e7254458c17a98bed087fc609d45fbc8ebf60663e112c37204f6840

SHA512
7748c8fb6f356aa45023a56245c43c5171d0413617fb1ac6c75650be75bbe94bd5528e9aa83cd9df9a08af65540a76ab59bc866e5dcf0fa7284122f290bd45d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsc4979.tmp\7z-out\vk_swiftshader.dll

Filesize
5.1MB

MD5
0a071201e4dd76996e273c81533bfa74

SHA1
5c92c634027692c344a8e74eab8b4d5c3e049497

SHA256
08e34bc25653f9357a4ccf62966d698b7cc6265dc668046a28403ae5786132ee

SHA512
b5de6548c5c743b6f119183fa06aaf67dcd4cdbc3542378ff87916b670ace1e2f4270f6dcaa4caabd01460c638bd02b565267e7bd9617ca92d72187d374bb7d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsc4979.tmp\7z-out\vk_swiftshader_icd.json

Filesize
106B

MD5
8642dd3a87e2de6e991fae08458e302b

SHA1
9c06735c31cec00600fd763a92f8112d085bd12a

SHA256
32d83ff113fef532a9f97e0d2831f8656628ab1c99e9060f0332b1532839afd9

SHA512
f5d37d1b45b006161e4cefeebba1e33af879a3a51d16ee3ff8c3968c0c36bbafae379bf9124c13310b77774c9cbb4fa53114e83f5b48b5314132736e5bb4496f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsc4979.tmp\7z-out\vulkan-1.dll

Filesize
932KB

MD5
a6588e66186ccf486eede8e9223f0d41

SHA1
777a5c4028c7675ee1fc4e265a825b35d5099577

SHA256
419488597ea255ec61f028aeecd36572d072dfe49b7ab716cd2c0a8e186f24e6

SHA512
ba8b9577f47ac5b9503aab8d4cca6059c7208bf0eb37999f4fbef0c2cf03032a9359559a0221f332c6cd66c38366fb0e1f1d32173f282afd639fabea8fc9400e

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsc4979.tmp\StdUtils.dll

Filesize
100KB

MD5
c6a6e03f77c313b267498515488c5740

SHA1
3d49fc2784b9450962ed6b82b46e9c3c957d7c15

SHA256
b72e9013a6204e9f01076dc38dabbf30870d44dfc66962adbf73619d4331601e

SHA512
9870c5879f7b72836805088079ad5bbafcb59fc3d9127f2160d4ec3d6e88d3cc8ebe5a9f5d20a4720fe6407c1336ef10f33b2b9621bc587e930d4cbacf337803

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsc4979.tmp\System.dll

Filesize
12KB

MD5
0d7ad4f45dc6f5aa87f606d0331c6901

SHA1
48df0911f0484cbe2a8cdd5362140b63c41ee457

SHA256
3eb38ae99653a7dbc724132ee240f6e5c4af4bfe7c01d31d23faf373f9f2eaca

SHA512
c07de7308cb54205e8bd703001a7fe4fd7796c9ac1b4bb330c77c872bf712b093645f40b80ce7127531fe6746a5b66e18ea073ab6a644934abed9bb64126fea9

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsc4979.tmp\UAC.dll

Filesize
14KB

MD5
adb29e6b186daa765dc750128649b63d

SHA1
160cbdc4cb0ac2c142d361df138c537aa7e708c9

SHA256
2f7f8fc05dc4fd0d5cda501b47e4433357e887bbfed7292c028d99c73b52dc08

SHA512
b28adcccf0c33660fecd6f95f28f11f793dc9988582187617b4c113fb4e6fdad4cf7694cd8c0300a477e63536456894d119741a940dda09b7df3ff0087a7eada

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsc4979.tmp\WinShell.dll

Filesize
3KB

MD5
1cc7c37b7e0c8cd8bf04b6cc283e1e56

SHA1
0b9519763be6625bd5abce175dcc59c96d100d4c

SHA256
9be85b986ea66a6997dde658abe82b3147ed2a1a3dcb784bb5176f41d22815a6

SHA512
7acf7f8e68aa6066b59ca9f2ae2e67997e6b347bc08eb788d2a119b3295c844b5b9606757168e8d2fbd61c2cda367bf80e9e48c9a52c28d5a7a00464bfd2048f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsc4979.tmp\nsDialogs.dll

Filesize
9KB

MD5
466179e1c8ee8a1ff5e4427dbb6c4a01

SHA1
eb607467009074278e4bd50c7eab400e95ae48f7

SHA256
1e40211af65923c2f4fd02ce021458a7745d28e2f383835e3015e96575632172

SHA512
7508a29c722d45297bfb090c8eb49bd1560ef7d4b35413f16a8aed62d3b1030a93d001a09de98c2b9fea9acf062dc99a7278786f4ece222e7436b261d14ca817

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsc4979.tmp\nsis7z.dll

Filesize
424KB

MD5
80e44ce4895304c6a3a831310fbf8cd0

SHA1
36bd49ae21c460be5753a904b4501f1abca53508

SHA256
b393f05e8ff919ef071181050e1873c9a776e1a0ae8329aefff7007d0cadf592

SHA512
c8ba7b1f9113ead23e993e74a48c4427ae3562c1f6d9910b2bbe6806c9107cf7d94bc7d204613e4743d0cd869e00dafd4fb54aad1e8adb69c553f3b9e5bc64df

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Spelling\en-US\default.dic

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\AppData\Roaming\Ultimate Tweaks\Network\Network Persistent State

Filesize
967B

MD5
2afa36ad7b08c47546fc099eaada94a5

SHA1
0190a1b8527a4904532a19f09b5908c606b0fb90

SHA256
45fb025065ad453796a0698200405bc1fdae8989daf141975d104414fe74b8b8

SHA512
430b5ab7531ba90e238a5d931ab7e82dfd57e6033c3c7b50e7b5ce7253a54b49554ec107c85d08c16e4b0049925b6a6d5ed95fdd90d7a924771559e4bc7625b4

Download Submit
C:\Users\Admin\AppData\Roaming\Ultimate Tweaks\Network\Network Persistent State~RFe59babb.TMP

Filesize
59B

MD5
2800881c775077e1c4b6e06bf4676de4

SHA1
2873631068c8b3b9495638c865915be822442c8b

SHA256
226eec4486509917aa336afebd6ff65777b75b65f1fb06891d2a857a9421a974

SHA512
e342407ab65cc68f1b3fd706cd0a37680a0864ffd30a6539730180ede2cdcd732cc97ae0b9ef7db12da5c0f83e429df0840dbf7596aca859a0301665e517377b

Download Submit
C:\Users\Admin\AppData\Roaming\Ultimate Tweaks\Preferences

Filesize
57B

MD5
58127c59cb9e1da127904c341d15372b

SHA1
62445484661d8036ce9788baeaba31d204e9a5fc

SHA256
be4b8924ab38e8acf350e6e3b9f1f63a1a94952d8002759acd6946c4d5d0b5de

SHA512
8d1815b277a93ad590ff79b6f52c576cf920c38c4353c24193f707d66884c942f39ff3989530055d2fade540ade243b41b6eb03cd0cc361c3b5d514cca28b50a

Download Submit
C:\Users\Admin\AppData\Roaming\Ultimate Tweaks\Preferences~RFe58cc15.TMP

Filesize
86B

MD5
d11dedf80b85d8d9be3fec6bb292f64b

SHA1
aab8783454819cd66ddf7871e887abdba138aef3

SHA256
8029940de92ae596278912bbbd6387d65f4e849d3c136287a1233f525d189c67

SHA512
6b7ec1ca5189124e0d136f561ca7f12a4653633e2d9452d290e658dfe545acf6600cc9496794757a43f95c91705e9549ef681d4cc9e035738b03a18bdc2e25f0

Download Submit
memory/2964-1067-0x0000026265170000-0x00000262651B4000-memory.dmp

Filesize
272KB

Download
memory/2964-1073-0x00000262651C0000-0x00000262651EA000-memory.dmp

Filesize
168KB

Download
memory/2964-1074-0x00000262651C0000-0x00000262651E4000-memory.dmp

Filesize
144KB

Download
memory/2964-1068-0x0000026265240000-0x00000262652B6000-memory.dmp

Filesize
472KB

Download
memory/4596-1062-0x000001D2540D0000-0x000001D2540F2000-memory.dmp

Filesize
136KB

Download
memory/6680-2393-0x00000163A5A70000-0x00000163A5A71000-memory.dmp

Filesize
4KB

Download
memory/6680-2403-0x00000163A5A70000-0x00000163A5A71000-memory.dmp

Filesize
4KB

Download
memory/6680-2402-0x00000163A5A70000-0x00000163A5A71000-memory.dmp

Filesize
4KB

Download
memory/6680-2401-0x00000163A5A70000-0x00000163A5A71000-memory.dmp

Filesize
4KB

Download
memory/6680-2400-0x00000163A5A70000-0x00000163A5A71000-memory.dmp

Filesize
4KB

Download
memory/6680-2399-0x00000163A5A70000-0x00000163A5A71000-memory.dmp

Filesize
4KB

Download
memory/6680-2398-0x00000163A5A70000-0x00000163A5A71000-memory.dmp

Filesize
4KB

Download
memory/6680-2404-0x00000163A5A70000-0x00000163A5A71000-memory.dmp

Filesize
4KB

Download
memory/6680-2394-0x00000163A5A70000-0x00000163A5A71000-memory.dmp

Filesize
4KB

Download
memory/6680-2392-0x00000163A5A70000-0x00000163A5A71000-memory.dmp

Filesize
4KB

Download