d8f1a8ac9b5e70f9c45bdfaadbebf58531d1b9a3377e05d53a03f34c15503170

Analysis

max time kernel
63s
max time network
65s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
09/10/2024, 17:38

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

postinstall.exe
Size

78KB
MD5

6a51174161805d1ab3b2266491977262
SHA1

7bfa58d9d08860d10b785aa29c15b771acea97f2
SHA256

d8f1a8ac9b5e70f9c45bdfaadbebf58531d1b9a3377e05d53a03f34c15503170
SHA512

2a46dc3253116f6c29e0d1fac396cdad7c9830b5aaa8e03b4fc818731b8a4b477f7a9da7a69d001c8ae86af45cc3cca8c5566fca32b8ece6544afabd839d650d
SSDEEP

768:dFrUDyws7COidwuGPthR2IJwCfWnq3+fZAMZSme4QJJ9WMrbtTq58VO/8Nf+4PfT:dxUD5s7C9dqthlD9uOm48i6W

Score

9^/10

defense_evasion evasion execution persistence ransomware

Malware Config

Signatures

Modifies boot configuration data using bcdedit 1 TTPs 8 IoCs

ransomware evasion

Inhibit System Recovery

T1490

pid	Process
2788	bcdedit.exe
2700	bcdedit.exe
3284	bcdedit.exe
2552	bcdedit.exe
1920	bcdedit.exe
3672	bcdedit.exe
3804	bcdedit.exe
1276	bcdedit.exe

Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
1624	powershell.exe

Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Power Settings 1 TTPs 16 IoCs

powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.

persistence

Power Settings

T1653

pid	Process
1532	cmd.exe
4468	powercfg.exe
3244	cmd.exe
4280	powercfg.exe
3892	cmd.exe
1556	cmd.exe
1900	cmd.exe
4020	powercfg.exe
1772	powercfg.exe
3420	cmd.exe
3144	powercfg.exe
4452	powercfg.exe
924	cmd.exe
916	powercfg.exe
1820	powercfg.exe
3468	cmd.exe

Launches sc.exe 3 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
2552	sc.exe
3160	sc.exe
2156	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies data under HKEY_USERS 15 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "157"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"	LogonUI.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
1624	powershell.exe
1624	powershell.exe
1624	powershell.exe

Suspicious use of AdjustPrivilegeToken 23 IoCs

description	pid	Process
Token: SeDebugPrivilege	1624	powershell.exe
Token: SeShutdownPrivilege	1820	powercfg.exe
Token: SeCreatePagefilePrivilege	1820	powercfg.exe
Token: SeShutdownPrivilege	4452	powercfg.exe
Token: SeCreatePagefilePrivilege	4452	powercfg.exe
Token: SeShutdownPrivilege	3144	powercfg.exe
Token: SeCreatePagefilePrivilege	3144	powercfg.exe
Token: SeShutdownPrivilege	4020	powercfg.exe
Token: SeCreatePagefilePrivilege	4020	powercfg.exe
Token: SeShutdownPrivilege	916	powercfg.exe
Token: SeCreatePagefilePrivilege	916	powercfg.exe
Token: SeShutdownPrivilege	4280	powercfg.exe
Token: SeCreatePagefilePrivilege	4280	powercfg.exe
Token: SeShutdownPrivilege	1772	powercfg.exe
Token: SeCreatePagefilePrivilege	1772	powercfg.exe
Token: SeShutdownPrivilege	1772	powercfg.exe
Token: SeCreatePagefilePrivilege	1772	powercfg.exe
Token: SeShutdownPrivilege	4468	powercfg.exe
Token: SeCreatePagefilePrivilege	4468	powercfg.exe
Token: SeShutdownPrivilege	4468	powercfg.exe
Token: SeCreatePagefilePrivilege	4468	powercfg.exe
Token: SeShutdownPrivilege	4924	shutdown.exe
Token: SeRemoteShutdownPrivilege	4924	shutdown.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4440	LogonUI.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2320 wrote to memory of 2372	2320	postinstall.exe	84
PID 2320 wrote to memory of 2372	2320	postinstall.exe	84
PID 2372 wrote to memory of 2944	2372	cmd.exe	85
PID 2372 wrote to memory of 2944	2372	cmd.exe	85
PID 2320 wrote to memory of 1744	2320	postinstall.exe	86
PID 2320 wrote to memory of 1744	2320	postinstall.exe	86
PID 1744 wrote to memory of 828	1744	cmd.exe	87
PID 1744 wrote to memory of 828	1744	cmd.exe	87
PID 2320 wrote to memory of 4308	2320	postinstall.exe	88
PID 2320 wrote to memory of 4308	2320	postinstall.exe	88
PID 2320 wrote to memory of 3508	2320	postinstall.exe	90
PID 2320 wrote to memory of 3508	2320	postinstall.exe	90
PID 3508 wrote to memory of 1624	3508	cmd.exe	91
PID 3508 wrote to memory of 1624	3508	cmd.exe	91
PID 2320 wrote to memory of 3420	2320	postinstall.exe	94
PID 2320 wrote to memory of 3420	2320	postinstall.exe	94
PID 3420 wrote to memory of 1820	3420	cmd.exe	95
PID 3420 wrote to memory of 1820	3420	cmd.exe	95
PID 2320 wrote to memory of 3468	2320	postinstall.exe	96
PID 2320 wrote to memory of 3468	2320	postinstall.exe	96
PID 3468 wrote to memory of 4452	3468	cmd.exe	97
PID 3468 wrote to memory of 4452	3468	cmd.exe	97
PID 2320 wrote to memory of 1556	2320	postinstall.exe	98
PID 2320 wrote to memory of 1556	2320	postinstall.exe	98
PID 1556 wrote to memory of 3144	1556	cmd.exe	99
PID 1556 wrote to memory of 3144	1556	cmd.exe	99
PID 2320 wrote to memory of 924	2320	postinstall.exe	100
PID 2320 wrote to memory of 924	2320	postinstall.exe	100
PID 924 wrote to memory of 4020	924	cmd.exe	101
PID 924 wrote to memory of 4020	924	cmd.exe	101
PID 2320 wrote to memory of 1900	2320	postinstall.exe	102
PID 2320 wrote to memory of 1900	2320	postinstall.exe	102
PID 1900 wrote to memory of 916	1900	cmd.exe	103
PID 1900 wrote to memory of 916	1900	cmd.exe	103
PID 2320 wrote to memory of 3244	2320	postinstall.exe	104
PID 2320 wrote to memory of 3244	2320	postinstall.exe	104
PID 3244 wrote to memory of 4280	3244	cmd.exe	105
PID 3244 wrote to memory of 4280	3244	cmd.exe	105
PID 2320 wrote to memory of 4488	2320	postinstall.exe	106
PID 2320 wrote to memory of 4488	2320	postinstall.exe	106
PID 2320 wrote to memory of 4960	2320	postinstall.exe	107
PID 2320 wrote to memory of 4960	2320	postinstall.exe	107
PID 2320 wrote to memory of 1712	2320	postinstall.exe	108
PID 2320 wrote to memory of 1712	2320	postinstall.exe	108
PID 2320 wrote to memory of 3172	2320	postinstall.exe	109
PID 2320 wrote to memory of 3172	2320	postinstall.exe	109
PID 3172 wrote to memory of 2328	3172	cmd.exe	110
PID 3172 wrote to memory of 2328	3172	cmd.exe	110
PID 2320 wrote to memory of 5092	2320	postinstall.exe	111
PID 2320 wrote to memory of 5092	2320	postinstall.exe	111
PID 5092 wrote to memory of 1032	5092	cmd.exe	112
PID 5092 wrote to memory of 1032	5092	cmd.exe	112
PID 2320 wrote to memory of 3176	2320	postinstall.exe	113
PID 2320 wrote to memory of 3176	2320	postinstall.exe	113
PID 3176 wrote to memory of 2304	3176	cmd.exe	114
PID 3176 wrote to memory of 2304	3176	cmd.exe	114
PID 2320 wrote to memory of 4544	2320	postinstall.exe	115
PID 2320 wrote to memory of 4544	2320	postinstall.exe	115
PID 4544 wrote to memory of 560	4544	cmd.exe	116
PID 4544 wrote to memory of 560	4544	cmd.exe	116
PID 2320 wrote to memory of 3752	2320	postinstall.exe	117
PID 2320 wrote to memory of 3752	2320	postinstall.exe	117
PID 3752 wrote to memory of 2884	3752	cmd.exe	118
PID 3752 wrote to memory of 2884	3752	cmd.exe	118

C:\Users\Admin\AppData\Local\Temp\postinstall.exe
"C:\Users\Admin\AppData\Local\Temp\postinstall.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2320
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c chcp 65001
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2372
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:2944
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c mode con: cols=80 lines=20
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1744
- - C:\Windows\system32\mode.com
    mode con: cols=80 lines=20
    3⤵
    PID:828
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c color E
  2⤵
  PID:4308
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c powershell "Set-ExecutionPolicy -ExecutionPolicy Unrestricted"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3508
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell "Set-ExecutionPolicy -ExecutionPolicy Unrestricted"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1624
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c powercfg /import "%SYSTEMDRIVE%\Modules\PatsimaOS V2.1 IDLE ON.pow" 01100101-0101-1100-0110-009977665544 >NUL 2>&1
  2⤵
  - Power Settings
  - Suspicious use of WriteProcessMemory
  PID:3420
- - C:\Windows\system32\powercfg.exe
    powercfg /import "C:\Modules\PatsimaOS V2.1 IDLE ON.pow" 01100101-0101-1100-0110-009977665544
    3⤵
    - Power Settings
    - Suspicious use of AdjustPrivilegeToken
    PID:1820
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c powercfg /import "%SYSTEMDRIVE%\Modules\Ultimate-Performance.pow" 01101001-0110-1101-0111-009966554433 >NUL 2>&1
  2⤵
  - Power Settings
  - Suspicious use of WriteProcessMemory
  PID:3468
- - C:\Windows\system32\powercfg.exe
    powercfg /import "C:\Modules\Ultimate-Performance.pow" 01101001-0110-1101-0111-009966554433
    3⤵
    - Power Settings
    - Suspicious use of AdjustPrivilegeToken
    PID:4452
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c powercfg /s 01100101-0101-1100-0110-009977665544 >NUL 2>&1
  2⤵
  - Power Settings
  - Suspicious use of WriteProcessMemory
  PID:1556
- - C:\Windows\system32\powercfg.exe
    powercfg /s 01100101-0101-1100-0110-009977665544
    3⤵
    - Power Settings
    - Suspicious use of AdjustPrivilegeToken
    PID:3144
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c powercfg -delete 381b4222-f694-41f0-9685-ff5bb260df2e >NUL 2>&1
  2⤵
  - Power Settings
  - Suspicious use of WriteProcessMemory
  PID:924
- - C:\Windows\system32\powercfg.exe
    powercfg -delete 381b4222-f694-41f0-9685-ff5bb260df2e
    3⤵
    - Power Settings
    - Suspicious use of AdjustPrivilegeToken
    PID:4020
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c powercfg -delete 8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c >NUL 2>&1
  2⤵
  - Power Settings
  - Suspicious use of WriteProcessMemory
  PID:1900
- - C:\Windows\system32\powercfg.exe
    powercfg -delete 8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c
    3⤵
    - Power Settings
    - Suspicious use of AdjustPrivilegeToken
    PID:916
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c powercfg -delete a1841308-3541-4fab-bc81-f71556f20b4a >NUL 2>&1
  2⤵
  - Power Settings
  - Suspicious use of WriteProcessMemory
  PID:3244
- - C:\Windows\system32\powercfg.exe
    powercfg -delete a1841308-3541-4fab-bc81-f71556f20b4a
    3⤵
    - Power Settings
    - Suspicious use of AdjustPrivilegeToken
    PID:4280
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c %SYSTEMDRIVE%\Modules\7zip.exe /S >NUL 2>&1
  2⤵
  PID:4488
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start /b /wait "" "%SYSTEMDRIVE%\Modules\7zip.bat"
  2⤵
  PID:4960
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start /b /wait "" "%SYSTEMDRIVE%\Modules\twk.bat"
  2⤵
  PID:1712
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Themes\Personalize" /v "EnableTransparency" /t REG_DWORD /d "0" /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3172
- - C:\Windows\system32\reg.exe
    REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Themes\Personalize" /v "EnableTransparency" /t REG_DWORD /d "0" /f
    3⤵
    PID:2328
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD "HKEY_CURRENT_USER\Control Panel\Desktop" /v "MenuShowDelay" /t REG_DWORD /d "10" /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5092
- - C:\Windows\system32\reg.exe
    REG ADD "HKEY_CURRENT_USER\Control Panel\Desktop" /v "MenuShowDelay" /t REG_DWORD /d "10" /f
    3⤵
    PID:1032
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\GameDVR" /v "AppCaptureEnabled" /t REG_DWORD /d "0" /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3176
- - C:\Windows\system32\reg.exe
    REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\GameDVR" /v "AppCaptureEnabled" /t REG_DWORD /d "0" /f
    3⤵
    PID:2304
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG DELETE "HKEY_CURRENT_USER\System\GameConfigStore" /v "Win32_AutoGameModeDefaultProfile" /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4544
- - C:\Windows\system32\reg.exe
    REG DELETE "HKEY_CURRENT_USER\System\GameConfigStore" /v "Win32_AutoGameModeDefaultProfile" /f
    3⤵
    PID:560
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG DELETE "HKEY_CURRENT_USER\System\GameConfigStore" /v "Win32_GameModeRelatedProcesses" /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3752
- - C:\Windows\system32\reg.exe
    REG DELETE "HKEY_CURRENT_USER\System\GameConfigStore" /v "Win32_GameModeRelatedProcesses" /f
    3⤵
    PID:2884
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG DELETE "HKEY_CURRENT_USER\SYSTEM\GameConfigStore\Children" /f
  2⤵
  PID:4008
- - C:\Windows\system32\reg.exe
    REG DELETE "HKEY_CURRENT_USER\SYSTEM\GameConfigStore\Children" /f
    3⤵
    PID:3308
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG DELETE "HKEY_CURRENT_USER\SYSTEM\GameConfigStore\Parents" /f
  2⤵
  PID:4332
- - C:\Windows\system32\reg.exe
    REG DELETE "HKEY_CURRENT_USER\SYSTEM\GameConfigStore\Parents" /f
    3⤵
    PID:852
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD "HKEY_CURRENT_USER\Control Panel\Accessibility\Keyboard Response" /v "Flags" /t REG_SZ /d "0" /f
  2⤵
  PID:3380
- - C:\Windows\system32\reg.exe
    REG ADD "HKEY_CURRENT_USER\Control Panel\Accessibility\Keyboard Response" /v "Flags" /t REG_SZ /d "0" /f
    3⤵
    PID:3824
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD "HKEY_CURRENT_USER\Control Panel\Accessibility\Keyboard Response" /v "DelayBeforeAcceptance" /t REG_SZ /d "0" /f
  2⤵
  PID:1388
- - C:\Windows\system32\reg.exe
    REG ADD "HKEY_CURRENT_USER\Control Panel\Accessibility\Keyboard Response" /v "DelayBeforeAcceptance" /t REG_SZ /d "0" /f
    3⤵
    PID:2936
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD "HKEY_CURRENT_USER\Control Panel\Accessibility\Keyboard Response" /v "AutoRepeatDelay" /t REG_SZ /d "500" /f
  2⤵
  PID:2084
- - C:\Windows\system32\reg.exe
    REG ADD "HKEY_CURRENT_USER\Control Panel\Accessibility\Keyboard Response" /v "AutoRepeatDelay" /t REG_SZ /d "500" /f
    3⤵
    PID:1980
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD "HKEY_CURRENT_USER\Control Panel\Accessibility\Keyboard Response" /v "AutoRepeatRate" /t REG_SZ /d "33" /f
  2⤵
  PID:1836
- - C:\Windows\system32\reg.exe
    REG ADD "HKEY_CURRENT_USER\Control Panel\Accessibility\Keyboard Response" /v "AutoRepeatRate" /t REG_SZ /d "33" /f
    3⤵
    PID:3732
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD "HKEY_CURRENT_USER\Control Panel\Accessibility\Keyboard Response" /v "BounceTime" /t REG_SZ /d "0" /f
  2⤵
  PID:652
- - C:\Windows\system32\reg.exe
    REG ADD "HKEY_CURRENT_USER\Control Panel\Accessibility\Keyboard Response" /v "BounceTime" /t REG_SZ /d "0" /f
    3⤵
    PID:4052
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD "HKEY_CURRENT_USER\Control Panel\Accessibility\StickyKeys" /v "Flags" /t REG_DWORD /d "0" /f
  2⤵
  PID:1532
- - C:\Windows\system32\reg.exe
    REG ADD "HKEY_CURRENT_USER\Control Panel\Accessibility\StickyKeys" /v "Flags" /t REG_DWORD /d "0" /f
    3⤵
    PID:4140
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD "HKEY_CURRENT_USER\Control Panel\Accessibility\ToggleKeys" /v "Flags" /t REG_DWORD /d "0" /f
  2⤵
  PID:4872
- - C:\Windows\system32\reg.exe
    REG ADD "HKEY_CURRENT_USER\Control Panel\Accessibility\ToggleKeys" /v "Flags" /t REG_DWORD /d "0" /f
    3⤵
    PID:3624
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\GameBar" /v "UseNexusForGameBarEnabled" /t REG_DWORD /d "0" /f
  2⤵
  PID:2928
- - C:\Windows\system32\reg.exe
    REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\GameBar" /v "UseNexusForGameBarEnabled" /t REG_DWORD /d "0" /f
    3⤵
    PID:3148
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Taskband" /v "Favorites" /t REG_BINARY /d "00a40100003a001f80c827341f105c1042aa032ee45287d668260001002600efbe12000000af90a1a727ddd801e62ef4d827ddd801aaa809d927ddd801140056003100000000004b55b62111005461736b42617200400009000400efbe4b55b6214b55b6212e0000001070010000000100000000000000000000000000000056e30f015400610073006b00420061007200000016001201320097010000874f0749200046494c4545587e312e4c4e4b00007c0009000400efbe4b55b6214b55b6212e00000017700100000001000000000000000000520000000000589c4400460069006c00650020004500780070006c006f007200650072002e006c006e006b00000040007300680065006c006c00330032002e0064006c006c002c002d003200320030003600370000001c00120000002b00efbed4060cd927ddd8011c00420000001d00efbe02004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e004500780070006c006f0072006500720000001c00260000001e00efbe0200530079007300740065006d00500069006e006e006500640000001c000000ff" /f
  2⤵
  PID:4112
- - C:\Windows\system32\reg.exe
    REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Taskband" /v "Favorites" /t REG_BINARY /d "00a40100003a001f80c827341f105c1042aa032ee45287d668260001002600efbe12000000af90a1a727ddd801e62ef4d827ddd801aaa809d927ddd801140056003100000000004b55b62111005461736b42617200400009000400efbe4b55b6214b55b6212e0000001070010000000100000000000000000000000000000056e30f015400610073006b00420061007200000016001201320097010000874f0749200046494c4545587e312e4c4e4b00007c0009000400efbe4b55b6214b55b6212e00000017700100000001000000000000000000520000000000589c4400460069006c00650020004500780070006c006f007200650072002e006c006e006b00000040007300680065006c006c00330032002e0064006c006c002c002d003200320030003600370000001c00120000002b00efbed4060cd927ddd8011c00420000001d00efbe02004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e004500780070006c006f0072006500720000001c00260000001e00efbe0200530079007300740065006d00500069006e006e006500640000001c000000ff" /f
    3⤵
    PID:2984
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "TaskbarMn" /t REG_DWORD /d "0" /f
  2⤵
  PID:3060
- - C:\Windows\system32\reg.exe
    REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "TaskbarMn" /t REG_DWORD /d "0" /f
    3⤵
    PID:4372
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "Start_Layout" /t REG_DWORD /d "1" /f
  2⤵
  PID:4512
- - C:\Windows\system32\reg.exe
    REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "Start_Layout" /t REG_DWORD /d "1" /f
    3⤵
    PID:4992
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Search" /v "SearchboxTaskbarMode" /t REG_DWORD /d "0" /f
  2⤵
  PID:4500
- - C:\Windows\system32\reg.exe
    REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Search" /v "SearchboxTaskbarMode" /t REG_DWORD /d "0" /f
    3⤵
    PID:3224
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG DELETE "HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Explorer" /v "HideRecentlyAddedApps" /f
  2⤵
  PID:3756
- - C:\Windows\system32\reg.exe
    REG DELETE "HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Explorer" /v "HideRecentlyAddedApps" /f
    3⤵
    PID:1664
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD "HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Explorer" /v "HideRecentlyAddedApps" /t REG_DWORD /d "1" /f
  2⤵
  PID:2484
- - C:\Windows\system32\reg.exe
    REG ADD "HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Explorer" /v "HideRecentlyAddedApps" /t REG_DWORD /d "1" /f
    3⤵
    PID:2028
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts.zip\UserChoice" /v "Hash" /t REG_SZ /d "UfO2BmgRhuY=" /f
  2⤵
  PID:2540
- - C:\Windows\system32\reg.exe
    REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts.zip\UserChoice" /v "Hash" /t REG_SZ /d "UfO2BmgRhuY=" /f
    3⤵
    PID:3128
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts.zip\UserChoice" /v "ProgId" /t REG_SZ /d "7-Zip.zip" /f
  2⤵
  PID:760
- - C:\Windows\system32\reg.exe
    REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts.zip\UserChoice" /v "ProgId" /t REG_SZ /d "7-Zip.zip" /f
    3⤵
    PID:876
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD "HKEY_CURRENT_USER\SOFTWARE\Sysinternals\Process Explorer" /v "EulaAccepted" /t REG_DWORD /d "1" /f
  2⤵
  PID:3484
- - C:\Windows\system32\reg.exe
    REG ADD "HKEY_CURRENT_USER\SOFTWARE\Sysinternals\Process Explorer" /v "EulaAccepted" /t REG_DWORD /d "1" /f
    3⤵
    PID:3180
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD "HKEY_CURRENT_USER\SOFTWARE\Sysinternals\Process Explorer" /v "AlwaysOntop" /t REG_DWORD /d "1" /f
  2⤵
  PID:3924
- - C:\Windows\system32\reg.exe
    REG ADD "HKEY_CURRENT_USER\SOFTWARE\Sysinternals\Process Explorer" /v "AlwaysOntop" /t REG_DWORD /d "1" /f
    3⤵
    PID:2508
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD "HKEY_CURRENT_USER\SOFTWARE\Sysinternals\Process Explorer" /v "Windowplacement" /t REG_BINARY /d "2c0000000200000003000000ffffffffffffffffffffffffffffffff75030000110000009506000069020000" /f
  2⤵
  PID:2700
- - C:\Windows\system32\reg.exe
    REG ADD "HKEY_CURRENT_USER\SOFTWARE\Sysinternals\Process Explorer" /v "Windowplacement" /t REG_BINARY /d "2c0000000200000003000000ffffffffffffffffffffffffffffffff75030000110000009506000069020000" /f
    3⤵
    PID:2096
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD "HKEY_CURRENT_USER\SOFTWARE\Sysinternals\Process Explorer" /v "FindWindowplacement" /t REG_BINARY /d "2c00000000000000000000000000000000000000000000000000000096000000960000000000000000000000" /f
  2⤵
  PID:3284
- - C:\Windows\system32\reg.exe
    REG ADD "HKEY_CURRENT_USER\SOFTWARE\Sysinternals\Process Explorer" /v "FindWindowplacement" /t REG_BINARY /d "2c00000000000000000000000000000000000000000000000000000096000000960000000000000000000000" /f
    3⤵
    PID:2240
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD "HKEY_CURRENT_USER\SOFTWARE\Sysinternals\Process Explorer" /v "SysinfoWindowplacement" /t REG_BINARY /d "2c00000000000000010000000000000000000000ffffffffffffffff28000000280000002b0300002b020000" /f
  2⤵
  PID:2552
- - C:\Windows\system32\reg.exe
    REG ADD "HKEY_CURRENT_USER\SOFTWARE\Sysinternals\Process Explorer" /v "SysinfoWindowplacement" /t REG_BINARY /d "2c00000000000000010000000000000000000000ffffffffffffffff28000000280000002b0300002b020000" /f
    3⤵
    PID:2208
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD "HKEY_CURRENT_USER\SOFTWARE\Sysinternals\Process Explorer" /v "PropWindowplacement" /t REG_BINARY /d "2c00000000000000000000000000000000000000000000000000000028000000280000000000000000000000" /f
  2⤵
  PID:2532
- - C:\Windows\system32\reg.exe
    REG ADD "HKEY_CURRENT_USER\SOFTWARE\Sysinternals\Process Explorer" /v "PropWindowplacement" /t REG_BINARY /d "2c00000000000000000000000000000000000000000000000000000028000000280000000000000000000000" /f
    3⤵
    PID:2420
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD "HKEY_CURRENT_USER\SOFTWARE\Sysinternals\Process Explorer" /v "DllPropWindowplacement" /t REG_BINARY /d "2c00000000000000010000000000000000000000ffffffffffffffff2800000028000000e70100009f020000" /f
  2⤵
  PID:3804
- - C:\Windows\system32\reg.exe
    REG ADD "HKEY_CURRENT_USER\SOFTWARE\Sysinternals\Process Explorer" /v "DllPropWindowplacement" /t REG_BINARY /d "2c00000000000000010000000000000000000000ffffffffffffffff2800000028000000e70100009f020000" /f
    3⤵
    PID:4924
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD "HKEY_CURRENT_USER\SOFTWARE\Sysinternals\Process Explorer" /v "UnicodeFont" /t REG_BINARY /d "080000000000000000000000000000009001000000000000000000004d00530020005300680065006c006c00200044006c00670000000000000000000000000000000000000000000000000000000000000000000000000000000000" /f
  2⤵
  PID:4832
- - C:\Windows\system32\reg.exe
    REG ADD "HKEY_CURRENT_USER\SOFTWARE\Sysinternals\Process Explorer" /v "UnicodeFont" /t REG_BINARY /d "080000000000000000000000000000009001000000000000000000004d00530020005300680065006c006c00200044006c00670000000000000000000000000000000000000000000000000000000000000000000000000000000000" /f
    3⤵
    PID:5072
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD "HKEY_CURRENT_USER\SOFTWARE\Sysinternals\Process Explorer" /v "Divider" /t REG_BINARY /d "531f0e151662ea3f" /f
  2⤵
  PID:1392
- - C:\Windows\system32\reg.exe
    REG ADD "HKEY_CURRENT_USER\SOFTWARE\Sysinternals\Process Explorer" /v "Divider" /t REG_BINARY /d "531f0e151662ea3f" /f
    3⤵
    PID:2156
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD "HKEY_CURRENT_USER\SOFTWARE\Sysinternals\Process Explorer" /v "SavedDivider" /t REG_BINARY /d "531f0e151662ea3f" /f
  2⤵
  PID:4468
- - C:\Windows\system32\reg.exe
    REG ADD "HKEY_CURRENT_USER\SOFTWARE\Sysinternals\Process Explorer" /v "SavedDivider" /t REG_BINARY /d "531f0e151662ea3f" /f
    3⤵
    PID:452
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD "HKEY_CURRENT_USER\SOFTWARE\Sysinternals\Process Explorer" /v "ProcessImageColumnWidth" /t REG_DWORD /d "261" /f
  2⤵
  PID:1820
- - C:\Windows\system32\reg.exe
    REG ADD "HKEY_CURRENT_USER\SOFTWARE\Sysinternals\Process Explorer" /v "ProcessImageColumnWidth" /t REG_DWORD /d "261" /f
    3⤵
    PID:4452
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD "HKEY_CURRENT_USER\SOFTWARE\Sysinternals\Process Explorer" /v "ShowUnnamedHandles" /t REG_DWORD /d "1" /f
  2⤵
  PID:3468
- - C:\Windows\system32\reg.exe
    REG ADD "HKEY_CURRENT_USER\SOFTWARE\Sysinternals\Process Explorer" /v "ShowUnnamedHandles" /t REG_DWORD /d "1" /f
    3⤵
    PID:2284
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD "HKEY_CURRENT_USER\SOFTWARE\Sysinternals\Process Explorer" /v "ShowDllView" /t REG_DWORD /d "1" /f
  2⤵
  PID:2888
- - C:\Windows\system32\reg.exe
    REG ADD "HKEY_CURRENT_USER\SOFTWARE\Sysinternals\Process Explorer" /v "ShowDllView" /t REG_DWORD /d "1" /f
    3⤵
    PID:4644
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD "HKEY_CURRENT_USER\SOFTWARE\Sysinternals\Process Explorer" /v "HandleSortColumn" /t REG_DWORD /d "0" /f
  2⤵
  PID:3144
- - C:\Windows\system32\reg.exe
    REG ADD "HKEY_CURRENT_USER\SOFTWARE\Sysinternals\Process Explorer" /v "HandleSortColumn" /t REG_DWORD /d "0" /f
    3⤵
    PID:916
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD "HKEY_CURRENT_USER\SOFTWARE\Sysinternals\Process Explorer" /v "HandleSortDirection" /t REG_DWORD /d "1" /f
  2⤵
  PID:1900
- - C:\Windows\system32\reg.exe
    REG ADD "HKEY_CURRENT_USER\SOFTWARE\Sysinternals\Process Explorer" /v "HandleSortDirection" /t REG_DWORD /d "1" /f
    3⤵
    PID:4648
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD "HKEY_CURRENT_USER\SOFTWARE\Sysinternals\Process Explorer" /v "DllSortColumn" /t REG_DWORD /d "0" /f
  2⤵
  PID:4280
- - C:\Windows\system32\reg.exe
    REG ADD "HKEY_CURRENT_USER\SOFTWARE\Sysinternals\Process Explorer" /v "DllSortColumn" /t REG_DWORD /d "0" /f
    3⤵
    PID:3120
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD "HKEY_CURRENT_USER\SOFTWARE\Sysinternals\Process Explorer" /v "DllSortDirection" /t REG_DWORD /d "1" /f
  2⤵
  PID:5080
- - C:\Windows\system32\reg.exe
    REG ADD "HKEY_CURRENT_USER\SOFTWARE\Sysinternals\Process Explorer" /v "DllSortDirection" /t REG_DWORD /d "1" /f
    3⤵
    PID:5000
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD "HKEY_CURRENT_USER\SOFTWARE\Sysinternals\Process Explorer" /v "ProcessSortColumn" /t REG_DWORD /d "4294967295" /f
  2⤵
  PID:1520
- - C:\Windows\system32\reg.exe
    REG ADD "HKEY_CURRENT_USER\SOFTWARE\Sysinternals\Process Explorer" /v "ProcessSortColumn" /t REG_DWORD /d "4294967295" /f
    3⤵
    PID:2384
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD "HKEY_CURRENT_USER\SOFTWARE\Sysinternals\Process Explorer" /v "ProcessSortDirection" /t REG_DWORD /d "1" /f
  2⤵
  PID:2280
- - C:\Windows\system32\reg.exe
    REG ADD "HKEY_CURRENT_USER\SOFTWARE\Sysinternals\Process Explorer" /v "ProcessSortDirection" /t REG_DWORD /d "1" /f
    3⤵
    PID:2064
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD "HKEY_CURRENT_USER\SOFTWARE\Sysinternals\Process Explorer" /v "HighlightServices" /t REG_DWORD /d "1" /f
  2⤵
  PID:600
- - C:\Windows\system32\reg.exe
    REG ADD "HKEY_CURRENT_USER\SOFTWARE\Sysinternals\Process Explorer" /v "HighlightServices" /t REG_DWORD /d "1" /f
    3⤵
    PID:1020
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD "HKEY_CURRENT_USER\SOFTWARE\Sysinternals\Process Explorer" /v "HighlightOwnProcesses" /t REG_DWORD /d "1" /f
  2⤵
  PID:4592
- - C:\Windows\system32\reg.exe
    REG ADD "HKEY_CURRENT_USER\SOFTWARE\Sysinternals\Process Explorer" /v "HighlightOwnProcesses" /t REG_DWORD /d "1" /f
    3⤵
    PID:1136
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD "HKEY_CURRENT_USER\SOFTWARE\Sysinternals\Process Explorer" /v "HighlightRelocatedDlls" /t REG_DWORD /d "0" /f
  2⤵
  PID:4116
- - C:\Windows\system32\reg.exe
    REG ADD "HKEY_CURRENT_USER\SOFTWARE\Sysinternals\Process Explorer" /v "HighlightRelocatedDlls" /t REG_DWORD /d "0" /f
    3⤵
    PID:2848
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD "HKEY_CURRENT_USER\SOFTWARE\Sysinternals\Process Explorer" /v "HighlightJobs" /t REG_DWORD /d "0" /f
  2⤵
  PID:3048
- - C:\Windows\system32\reg.exe
    REG ADD "HKEY_CURRENT_USER\SOFTWARE\Sysinternals\Process Explorer" /v "HighlightJobs" /t REG_DWORD /d "0" /f
    3⤵
    PID:1144
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD "HKEY_CURRENT_USER\SOFTWARE\Sysinternals\Process Explorer" /v "HighlightNewProc" /t REG_DWORD /d "1" /f
  2⤵
  PID:4664
- - C:\Windows\system32\reg.exe
    REG ADD "HKEY_CURRENT_USER\SOFTWARE\Sysinternals\Process Explorer" /v "HighlightNewProc" /t REG_DWORD /d "1" /f
    3⤵
    PID:4960
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD "HKEY_CURRENT_USER\SOFTWARE\Sysinternals\Process Explorer" /v "HighlightDelProc" /t REG_DWORD /d "1" /f
  2⤵
  PID:784
- - C:\Windows\system32\reg.exe
    REG ADD "HKEY_CURRENT_USER\SOFTWARE\Sysinternals\Process Explorer" /v "HighlightDelProc" /t REG_DWORD /d "1" /f
    3⤵
    PID:1444
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD "HKEY_CURRENT_USER\SOFTWARE\Sysinternals\Process Explorer" /v "HighlightImmersive" /t REG_DWORD /d "1" /f
  2⤵
  PID:3336
- - C:\Windows\system32\reg.exe
    REG ADD "HKEY_CURRENT_USER\SOFTWARE\Sysinternals\Process Explorer" /v "HighlightImmersive" /t REG_DWORD /d "1" /f
    3⤵
    PID:3016
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD "HKEY_CURRENT_USER\SOFTWARE\Sysinternals\Process Explorer" /v "HighlightProtected" /t REG_DWORD /d "0" /f
  2⤵
  PID:1540
- - C:\Windows\system32\reg.exe
    REG ADD "HKEY_CURRENT_USER\SOFTWARE\Sysinternals\Process Explorer" /v "HighlightProtected" /t REG_DWORD /d "0" /f
    3⤵
    PID:4224
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD "HKEY_CURRENT_USER\SOFTWARE\Sysinternals\Process Explorer" /v "HighlightPacked" /t REG_DWORD /d "1" /f
  2⤵
  PID:4560
- - C:\Windows\system32\reg.exe
    REG ADD "HKEY_CURRENT_USER\SOFTWARE\Sysinternals\Process Explorer" /v "HighlightPacked" /t REG_DWORD /d "1" /f
    3⤵
    PID:1552
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD "HKEY_CURRENT_USER\SOFTWARE\Sysinternals\Process Explorer" /v "HighlightNetProcess" /t REG_DWORD /d "0" /f
  2⤵
  PID:1704
- - C:\Windows\system32\reg.exe
    REG ADD "HKEY_CURRENT_USER\SOFTWARE\Sysinternals\Process Explorer" /v "HighlightNetProcess" /t REG_DWORD /d "0" /f
    3⤵
    PID:2744
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD "HKEY_CURRENT_USER\SOFTWARE\Sysinternals\Process Explorer" /v "HighlightSuspend" /t REG_DWORD /d "1" /f
  2⤵
  PID:3964
- - C:\Windows\system32\reg.exe
    REG ADD "HKEY_CURRENT_USER\SOFTWARE\Sysinternals\Process Explorer" /v "HighlightSuspend" /t REG_DWORD /d "1" /f
    3⤵
    PID:2424
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD "HKEY_CURRENT_USER\SOFTWARE\Sysinternals\Process Explorer" /v "HighlightDuration" /t REG_DWORD /d "1000" /f
  2⤵
  PID:3772
- - C:\Windows\system32\reg.exe
    REG ADD "HKEY_CURRENT_USER\SOFTWARE\Sysinternals\Process Explorer" /v "HighlightDuration" /t REG_DWORD /d "1000" /f
    3⤵
    PID:2008
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD "HKEY_CURRENT_USER\SOFTWARE\Sysinternals\Process Explorer" /v "ShowCpuFractions" /t REG_DWORD /d "1" /f
  2⤵
  PID:2012
- - C:\Windows\system32\reg.exe
    REG ADD "HKEY_CURRENT_USER\SOFTWARE\Sysinternals\Process Explorer" /v "ShowCpuFractions" /t REG_DWORD /d "1" /f
    3⤵
    PID:4492
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD "HKEY_CURRENT_USER\SOFTWARE\Sysinternals\Process Explorer" /v "ShowLowerpane" /t REG_DWORD /d "1" /f
  2⤵
  PID:2364
- - C:\Windows\system32\reg.exe
    REG ADD "HKEY_CURRENT_USER\SOFTWARE\Sysinternals\Process Explorer" /v "ShowLowerpane" /t REG_DWORD /d "1" /f
    3⤵
    PID:2140
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD "HKEY_CURRENT_USER\SOFTWARE\Sysinternals\Process Explorer" /v "ShowAllUsers" /t REG_DWORD /d "1" /f
  2⤵
  PID:4784
- - C:\Windows\system32\reg.exe
    REG ADD "HKEY_CURRENT_USER\SOFTWARE\Sysinternals\Process Explorer" /v "ShowAllUsers" /t REG_DWORD /d "1" /f
    3⤵
    PID:432
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD "HKEY_CURRENT_USER\SOFTWARE\Sysinternals\Process Explorer" /v "ShowProcessTree" /t REG_DWORD /d "1" /f
  2⤵
  PID:1828
- - C:\Windows\system32\reg.exe
    REG ADD "HKEY_CURRENT_USER\SOFTWARE\Sysinternals\Process Explorer" /v "ShowProcessTree" /t REG_DWORD /d "1" /f
    3⤵
    PID:5020
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD "HKEY_CURRENT_USER\SOFTWARE\Sysinternals\Process Explorer" /v "SymbolWarningShown" /t REG_DWORD /d "0" /f
  2⤵
  PID:4136
- - C:\Windows\system32\reg.exe
    REG ADD "HKEY_CURRENT_USER\SOFTWARE\Sysinternals\Process Explorer" /v "SymbolWarningShown" /t REG_DWORD /d "0" /f
    3⤵
    PID:4852
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD "HKEY_CURRENT_USER\SOFTWARE\Sysinternals\Process Explorer" /v "HideWhenMinimized" /t REG_DWORD /d "0" /f
  2⤵
  PID:2292
- - C:\Windows\system32\reg.exe
    REG ADD "HKEY_CURRENT_USER\SOFTWARE\Sysinternals\Process Explorer" /v "HideWhenMinimized" /t REG_DWORD /d "0" /f
    3⤵
    PID:3920
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD "HKEY_CURRENT_USER\SOFTWARE\Sysinternals\Process Explorer" /v "AlwaysOntop" /t REG_DWORD /d "0" /f
  2⤵
  PID:3400
- - C:\Windows\system32\reg.exe
    REG ADD "HKEY_CURRENT_USER\SOFTWARE\Sysinternals\Process Explorer" /v "AlwaysOntop" /t REG_DWORD /d "0" /f
    3⤵
    PID:4408
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD "HKEY_CURRENT_USER\SOFTWARE\Sysinternals\Process Explorer" /v "OneInstance" /t REG_DWORD /d "0" /f
  2⤵
  PID:2248
- - C:\Windows\system32\reg.exe
    REG ADD "HKEY_CURRENT_USER\SOFTWARE\Sysinternals\Process Explorer" /v "OneInstance" /t REG_DWORD /d "0" /f
    3⤵
    PID:2708
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD "HKEY_CURRENT_USER\SOFTWARE\Sysinternals\Process Explorer" /v "NumColumnSets" /t REG_DWORD /d "0" /f
  2⤵
  PID:5100
- - C:\Windows\system32\reg.exe
    REG ADD "HKEY_CURRENT_USER\SOFTWARE\Sysinternals\Process Explorer" /v "NumColumnSets" /t REG_DWORD /d "0" /f
    3⤵
    PID:3696
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD "HKEY_CURRENT_USER\SOFTWARE\Sysinternals\Process Explorer" /v "ConfirmKill" /t REG_DWORD /d "1" /f
  2⤵
  PID:2756
- - C:\Windows\system32\reg.exe
    REG ADD "HKEY_CURRENT_USER\SOFTWARE\Sysinternals\Process Explorer" /v "ConfirmKill" /t REG_DWORD /d "1" /f
    3⤵
    PID:4300
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD "HKEY_CURRENT_USER\SOFTWARE\Sysinternals\Process Explorer" /v "RefreshRate" /t REG_DWORD /d "5000" /f
  2⤵
  PID:4524
- - C:\Windows\system32\reg.exe
    REG ADD "HKEY_CURRENT_USER\SOFTWARE\Sysinternals\Process Explorer" /v "RefreshRate" /t REG_DWORD /d "5000" /f
    3⤵
    PID:4380
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD "HKEY_CURRENT_USER\SOFTWARE\Sysinternals\Process Explorer" /v "PrcessColumnCount" /t REG_DWORD /d "18" /f
  2⤵
  PID:2324
- - C:\Windows\system32\reg.exe
    REG ADD "HKEY_CURRENT_USER\SOFTWARE\Sysinternals\Process Explorer" /v "PrcessColumnCount" /t REG_DWORD /d "18" /f
    3⤵
    PID:2944
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD "HKEY_CURRENT_USER\SOFTWARE\Sysinternals\Process Explorer" /v "DllColumnCount" /t REG_DWORD /d "5" /f
  2⤵
  PID:2604
- - C:\Windows\system32\reg.exe
    REG ADD "HKEY_CURRENT_USER\SOFTWARE\Sysinternals\Process Explorer" /v "DllColumnCount" /t REG_DWORD /d "5" /f
    3⤵
    PID:1176
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD "HKEY_CURRENT_USER\SOFTWARE\Sysinternals\Process Explorer" /v "HandleColumnCount" /t REG_DWORD /d "2" /f
  2⤵
  PID:4464
- - C:\Windows\system32\reg.exe
    REG ADD "HKEY_CURRENT_USER\SOFTWARE\Sysinternals\Process Explorer" /v "HandleColumnCount" /t REG_DWORD /d "2" /f
    3⤵
    PID:1744
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD "HKEY_CURRENT_USER\SOFTWARE\Sysinternals\Process Explorer" /v "DefaultProcPropPage" /t REG_DWORD /d "0" /f
  2⤵
  PID:3756
- - C:\Windows\system32\reg.exe
    REG ADD "HKEY_CURRENT_USER\SOFTWARE\Sysinternals\Process Explorer" /v "DefaultProcPropPage" /t REG_DWORD /d "0" /f
    3⤵
    PID:2028
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD "HKEY_CURRENT_USER\SOFTWARE\Sysinternals\Process Explorer" /v "DefaultSysInfoPage" /t REG_DWORD /d "4" /f
  2⤵
  PID:2484
- - C:\Windows\system32\reg.exe
    REG ADD "HKEY_CURRENT_USER\SOFTWARE\Sysinternals\Process Explorer" /v "DefaultSysInfoPage" /t REG_DWORD /d "4" /f
    3⤵
    PID:3128
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD "HKEY_CURRENT_USER\SOFTWARE\Sysinternals\Process Explorer" /v "DefaultDllPropPage" /t REG_DWORD /d "1" /f
  2⤵
  PID:2540
- - C:\Windows\system32\reg.exe
    REG ADD "HKEY_CURRENT_USER\SOFTWARE\Sysinternals\Process Explorer" /v "DefaultDllPropPage" /t REG_DWORD /d "1" /f
    3⤵
    PID:876
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD "HKEY_CURRENT_USER\SOFTWARE\Sysinternals\Process Explorer" /v "DbgHelpPath" /t REG_SZ /d "C:\Windows\SYSTEM32\dbghelp.dll" /f
  2⤵
  PID:760
- - C:\Windows\system32\reg.exe
    REG ADD "HKEY_CURRENT_USER\SOFTWARE\Sysinternals\Process Explorer" /v "DbgHelpPath" /t REG_SZ /d "C:\Windows\SYSTEM32\dbghelp.dll" /f
    3⤵
    PID:3180
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD "HKEY_CURRENT_USER\SOFTWARE\Sysinternals\Process Explorer" /v "SymbolPath" /t REG_SZ /d "" /f
  2⤵
  PID:3484
- - C:\Windows\system32\reg.exe
    REG ADD "HKEY_CURRENT_USER\SOFTWARE\Sysinternals\Process Explorer" /v "SymbolPath" /t REG_SZ /d "" /f
    3⤵
    PID:2508
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD "HKEY_CURRENT_USER\SOFTWARE\Sysinternals\Process Explorer" /v "ColorPacked" /t REG_DWORD /d "16711808" /f
  2⤵
  PID:3924
- - C:\Windows\system32\reg.exe
    REG ADD "HKEY_CURRENT_USER\SOFTWARE\Sysinternals\Process Explorer" /v "ColorPacked" /t REG_DWORD /d "16711808" /f
    3⤵
    PID:2096
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD "HKEY_CURRENT_USER\SOFTWARE\Sysinternals\Process Explorer" /v "ColorImmersive" /t REG_DWORD /d "15395328" /f
  2⤵
  PID:2700
- - C:\Windows\system32\reg.exe
    REG ADD "HKEY_CURRENT_USER\SOFTWARE\Sysinternals\Process Explorer" /v "ColorImmersive" /t REG_DWORD /d "15395328" /f
    3⤵
    PID:2240
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD "HKEY_CURRENT_USER\SOFTWARE\Sysinternals\Process Explorer" /v "ColorOwn" /t REG_DWORD /d "16765136" /f
  2⤵
  PID:3284
- - C:\Windows\system32\reg.exe
    REG ADD "HKEY_CURRENT_USER\SOFTWARE\Sysinternals\Process Explorer" /v "ColorOwn" /t REG_DWORD /d "16765136" /f
    3⤵
    PID:2208
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD "HKEY_CURRENT_USER\SOFTWARE\Sysinternals\Process Explorer" /v "ColorServices" /t REG_DWORD /d "13684991" /f
  2⤵
  PID:2552
- - C:\Windows\system32\reg.exe
    REG ADD "HKEY_CURRENT_USER\SOFTWARE\Sysinternals\Process Explorer" /v "ColorServices" /t REG_DWORD /d "13684991" /f
    3⤵
    PID:2420
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD "HKEY_CURRENT_USER\SOFTWARE\Sysinternals\Process Explorer" /v "ColorRelocatedDlls" /t REG_DWORD /d "10551295" /f
  2⤵
  PID:2532
- - C:\Windows\system32\reg.exe
    REG ADD "HKEY_CURRENT_USER\SOFTWARE\Sysinternals\Process Explorer" /v "ColorRelocatedDlls" /t REG_DWORD /d "10551295" /f
    3⤵
    PID:4924
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD "HKEY_CURRENT_USER\SOFTWARE\Sysinternals\Process Explorer" /v "ColorGraphBk" /t REG_DWORD /d "15790320" /f
  2⤵
  PID:3804
- - C:\Windows\system32\reg.exe
    REG ADD "HKEY_CURRENT_USER\SOFTWARE\Sysinternals\Process Explorer" /v "ColorGraphBk" /t REG_DWORD /d "15790320" /f
    3⤵
    PID:4880
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD "HKEY_CURRENT_USER\SOFTWARE\Sysinternals\Process Explorer" /v "ColorJobs" /t REG_DWORD /d "27856" /f
  2⤵
  PID:1816
- - C:\Windows\system32\reg.exe
    REG ADD "HKEY_CURRENT_USER\SOFTWARE\Sysinternals\Process Explorer" /v "ColorJobs" /t REG_DWORD /d "27856" /f
    3⤵
    PID:1076
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD "HKEY_CURRENT_USER\SOFTWARE\Sysinternals\Process Explorer" /v "ColorDelProc" /t REG_DWORD /d "4605695" /f
  2⤵
  PID:1276
- - C:\Windows\system32\reg.exe
    REG ADD "HKEY_CURRENT_USER\SOFTWARE\Sysinternals\Process Explorer" /v "ColorDelProc" /t REG_DWORD /d "4605695" /f
    3⤵
    PID:3564
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD "HKEY_CURRENT_USER\SOFTWARE\Sysinternals\Process Explorer" /v "ColorNewProc" /t REG_DWORD /d "4652870" /f
  2⤵
  PID:4108
- - C:\Windows\system32\reg.exe
    REG ADD "HKEY_CURRENT_USER\SOFTWARE\Sysinternals\Process Explorer" /v "ColorNewProc" /t REG_DWORD /d "4652870" /f
    3⤵
    PID:4088
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD "HKEY_CURRENT_USER\SOFTWARE\Sysinternals\Process Explorer" /v "ColorNet" /t REG_DWORD /d "10551295" /f
  2⤵
  PID:648
- - C:\Windows\system32\reg.exe
    REG ADD "HKEY_CURRENT_USER\SOFTWARE\Sysinternals\Process Explorer" /v "ColorNet" /t REG_DWORD /d "10551295" /f
    3⤵
    PID:4440
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD "HKEY_CURRENT_USER\SOFTWARE\Sysinternals\Process Explorer" /v "ColorProtected" /t REG_DWORD /d "8388863" /f
  2⤵
  PID:1968
- - C:\Windows\system32\reg.exe
    REG ADD "HKEY_CURRENT_USER\SOFTWARE\Sysinternals\Process Explorer" /v "ColorProtected" /t REG_DWORD /d "8388863" /f
    3⤵
    PID:5036
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD "HKEY_CURRENT_USER\SOFTWARE\Sysinternals\Process Explorer" /v "ShowHeatmaps" /t REG_DWORD /d "1" /f
  2⤵
  PID:3452
- - C:\Windows\system32\reg.exe
    REG ADD "HKEY_CURRENT_USER\SOFTWARE\Sysinternals\Process Explorer" /v "ShowHeatmaps" /t REG_DWORD /d "1" /f
    3⤵
    PID:1860
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD "HKEY_CURRENT_USER\SOFTWARE\Sysinternals\Process Explorer" /v "ColorSuspend" /t REG_DWORD /d "8421504" /f
  2⤵
  PID:2272
- - C:\Windows\system32\reg.exe
    REG ADD "HKEY_CURRENT_USER\SOFTWARE\Sysinternals\Process Explorer" /v "ColorSuspend" /t REG_DWORD /d "8421504" /f
    3⤵
    PID:4572
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD "HKEY_CURRENT_USER\SOFTWARE\Sysinternals\Process Explorer" /v "StatusBarColumns" /t REG_DWORD /d "13589" /f
  2⤵
  PID:1428
- - C:\Windows\system32\reg.exe
    REG ADD "HKEY_CURRENT_USER\SOFTWARE\Sysinternals\Process Explorer" /v "StatusBarColumns" /t REG_DWORD /d "13589" /f
    3⤵
    PID:2716
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD "HKEY_CURRENT_USER\SOFTWARE\Sysinternals\Process Explorer" /v "ShowAllCpus" /t REG_DWORD /d "0" /f
  2⤵
  PID:1216
- - C:\Windows\system32\reg.exe
    REG ADD "HKEY_CURRENT_USER\SOFTWARE\Sysinternals\Process Explorer" /v "ShowAllCpus" /t REG_DWORD /d "0" /f
    3⤵
    PID:3584
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD "HKEY_CURRENT_USER\SOFTWARE\Sysinternals\Process Explorer" /v "ShowAllGpus" /t REG_DWORD /d "0" /f
  2⤵
  PID:1824
- - C:\Windows\system32\reg.exe
    REG ADD "HKEY_CURRENT_USER\SOFTWARE\Sysinternals\Process Explorer" /v "ShowAllGpus" /t REG_DWORD /d "0" /f
    3⤵
    PID:428
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD "HKEY_CURRENT_USER\SOFTWARE\Sysinternals\Process Explorer" /v "Opacity" /t REG_DWORD /d "100" /f
  2⤵
  PID:2260
- - C:\Windows\system32\reg.exe
    REG ADD "HKEY_CURRENT_USER\SOFTWARE\Sysinternals\Process Explorer" /v "Opacity" /t REG_DWORD /d "100" /f
    3⤵
    PID:3204
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD "HKEY_CURRENT_USER\SOFTWARE\Sysinternals\Process Explorer" /v "GpuNodeUsageMask" /t REG_DWORD /d "1" /f
  2⤵
  PID:2088
- - C:\Windows\system32\reg.exe
    REG ADD "HKEY_CURRENT_USER\SOFTWARE\Sysinternals\Process Explorer" /v "GpuNodeUsageMask" /t REG_DWORD /d "1" /f
    3⤵
    PID:892
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD "HKEY_CURRENT_USER\SOFTWARE\Sysinternals\Process Explorer" /v "GpuNodeUsageMask1" /t REG_DWORD /d "0" /f
  2⤵
  PID:548
- - C:\Windows\system32\reg.exe
    REG ADD "HKEY_CURRENT_USER\SOFTWARE\Sysinternals\Process Explorer" /v "GpuNodeUsageMask1" /t REG_DWORD /d "0" /f
    3⤵
    PID:3916
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD "HKEY_CURRENT_USER\SOFTWARE\Sysinternals\Process Explorer" /v "VerifySignatures" /t REG_DWORD /d "0" /f
  2⤵
  PID:4592
- - C:\Windows\system32\reg.exe
    REG ADD "HKEY_CURRENT_USER\SOFTWARE\Sysinternals\Process Explorer" /v "VerifySignatures" /t REG_DWORD /d "0" /f
    3⤵
    PID:2848
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD "HKEY_CURRENT_USER\SOFTWARE\Sysinternals\Process Explorer" /v "VirusTotalCheck" /t REG_DWORD /d "1" /f
  2⤵
  PID:4116
- - C:\Windows\system32\reg.exe
    REG ADD "HKEY_CURRENT_USER\SOFTWARE\Sysinternals\Process Explorer" /v "VirusTotalCheck" /t REG_DWORD /d "1" /f
    3⤵
    PID:3208
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD "HKEY_CURRENT_USER\SOFTWARE\Sysinternals\Process Explorer" /v "VirusTotalSubmitUnknown" /t REG_DWORD /d "0" /f
  2⤵
  PID:3716
- - C:\Windows\system32\reg.exe
    REG ADD "HKEY_CURRENT_USER\SOFTWARE\Sysinternals\Process Explorer" /v "VirusTotalSubmitUnknown" /t REG_DWORD /d "0" /f
    3⤵
    PID:1280
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD "HKEY_CURRENT_USER\SOFTWARE\Sysinternals\Process Explorer" /v "ToolbarBands" /t REG_BINARY /d "0601000000000000000000004b00000001000000000000004b00000002000000000000004b00000003000000000000004b0000000400000000000000400000000500000000000000500000000600000000000000930400000700000000000000" /f
  2⤵
  PID:712
- - C:\Windows\system32\reg.exe
    REG ADD "HKEY_CURRENT_USER\SOFTWARE\Sysinternals\Process Explorer" /v "ToolbarBands" /t REG_BINARY /d "0601000000000000000000004b00000001000000000000004b00000002000000000000004b00000003000000000000004b0000000400000000000000400000000500000000000000500000000600000000000000930400000700000000000000" /f
    3⤵
    PID:4260
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD "HKEY_CURRENT_USER\SOFTWARE\Sysinternals\Process Explorer" /v "UseGoogle" /t REG_DWORD /d "0" /f
  2⤵
  PID:4640
- - C:\Windows\system32\reg.exe
    REG ADD "HKEY_CURRENT_USER\SOFTWARE\Sysinternals\Process Explorer" /v "UseGoogle" /t REG_DWORD /d "0" /f
    3⤵
    PID:2072
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD "HKEY_CURRENT_USER\SOFTWARE\Sysinternals\Process Explorer" /v "ShowNewProcesses" /t REG_DWORD /d "0" /f
  2⤵
  PID:1252
- - C:\Windows\system32\reg.exe
    REG ADD "HKEY_CURRENT_USER\SOFTWARE\Sysinternals\Process Explorer" /v "ShowNewProcesses" /t REG_DWORD /d "0" /f
    3⤵
    PID:5112
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD "HKEY_CURRENT_USER\SOFTWARE\Sysinternals\Process Explorer" /v "TrayCPUHistory" /t REG_DWORD /d "1" /f
  2⤵
  PID:3164
- - C:\Windows\system32\reg.exe
    REG ADD "HKEY_CURRENT_USER\SOFTWARE\Sysinternals\Process Explorer" /v "TrayCPUHistory" /t REG_DWORD /d "1" /f
    3⤵
    PID:1072
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD "HKEY_CURRENT_USER\SOFTWARE\Sysinternals\Process Explorer" /v "ShowIoTray" /t REG_DWORD /d "0" /f
  2⤵
  PID:2644
- - C:\Windows\system32\reg.exe
    REG ADD "HKEY_CURRENT_USER\SOFTWARE\Sysinternals\Process Explorer" /v "ShowIoTray" /t REG_DWORD /d "0" /f
    3⤵
    PID:440
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD "HKEY_CURRENT_USER\SOFTWARE\Sysinternals\Process Explorer" /v "ShowNetTray" /t REG_DWORD /d "0" /f
  2⤵
  PID:1704
- - C:\Windows\system32\reg.exe
    REG ADD "HKEY_CURRENT_USER\SOFTWARE\Sysinternals\Process Explorer" /v "ShowNetTray" /t REG_DWORD /d "0" /f
    3⤵
    PID:5064
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD "HKEY_CURRENT_USER\SOFTWARE\Sysinternals\Process Explorer" /v "ShowDiskTray" /t REG_DWORD /d "0" /f
  2⤵
  PID:4940
- - C:\Windows\system32\reg.exe
    REG ADD "HKEY_CURRENT_USER\SOFTWARE\Sysinternals\Process Explorer" /v "ShowDiskTray" /t REG_DWORD /d "0" /f
    3⤵
    PID:60
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD "HKEY_CURRENT_USER\SOFTWARE\Sysinternals\Process Explorer" /v "ShowPhysTray" /t REG_DWORD /d "0" /f
  2⤵
  PID:3236
- - C:\Windows\system32\reg.exe
    REG ADD "HKEY_CURRENT_USER\SOFTWARE\Sysinternals\Process Explorer" /v "ShowPhysTray" /t REG_DWORD /d "0" /f
    3⤵
    PID:852
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD "HKEY_CURRENT_USER\SOFTWARE\Sysinternals\Process Explorer" /v "ShowCommitTray" /t REG_DWORD /d "0" /f
  2⤵
  PID:2012
- - C:\Windows\system32\reg.exe
    REG ADD "HKEY_CURRENT_USER\SOFTWARE\Sysinternals\Process Explorer" /v "ShowCommitTray" /t REG_DWORD /d "0" /f
    3⤵
    PID:2140
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD "HKEY_CURRENT_USER\SOFTWARE\Sysinternals\Process Explorer" /v "ShowGpuTray" /t REG_DWORD /d "0" /f
  2⤵
  PID:2364
- - C:\Windows\system32\reg.exe
    REG ADD "HKEY_CURRENT_USER\SOFTWARE\Sysinternals\Process Explorer" /v "ShowGpuTray" /t REG_DWORD /d "0" /f
    3⤵
    PID:432
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD "HKEY_CURRENT_USER\SOFTWARE\Sysinternals\Process Explorer" /v "FormatIoBytes" /t REG_DWORD /d "1" /f
  2⤵
  PID:4784
- - C:\Windows\system32\reg.exe
    REG ADD "HKEY_CURRENT_USER\SOFTWARE\Sysinternals\Process Explorer" /v "FormatIoBytes" /t REG_DWORD /d "1" /f
    3⤵
    PID:5020
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD "HKEY_CURRENT_USER\SOFTWARE\Sysinternals\Process Explorer" /v "StackWindowPlacement" /t REG_BINARY /d "0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000" /f
  2⤵
  PID:1828
- - C:\Windows\system32\reg.exe
    REG ADD "HKEY_CURRENT_USER\SOFTWARE\Sysinternals\Process Explorer" /v "StackWindowPlacement" /t REG_BINARY /d "0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000" /f
    3⤵
    PID:3732
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD "HKEY_CURRENT_USER\SOFTWARE\Sysinternals\Process Explorer" /v "ETWstandardUserWarning" /t REG_DWORD /d "0" /f
  2⤵
  PID:4864
- - C:\Windows\system32\reg.exe
    REG ADD "HKEY_CURRENT_USER\SOFTWARE\Sysinternals\Process Explorer" /v "ETWstandardUserWarning" /t REG_DWORD /d "0" /f
    3⤵
    PID:544
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD "HKEY_CURRENT_USER\SOFTWARE\Sysinternals\Process Explorer\DllColumnMap" /v "0" /t REG_DWORD /d "26" /f
  2⤵
  PID:1772
- - C:\Windows\system32\reg.exe
    REG ADD "HKEY_CURRENT_USER\SOFTWARE\Sysinternals\Process Explorer\DllColumnMap" /v "0" /t REG_DWORD /d "26" /f
    3⤵
    PID:1528
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD "HKEY_CURRENT_USER\SOFTWARE\Sysinternals\Process Explorer\DllColumnMap" /v "1" /t REG_DWORD /d "42" /f
  2⤵
  PID:2788
- - C:\Windows\system32\reg.exe
    REG ADD "HKEY_CURRENT_USER\SOFTWARE\Sysinternals\Process Explorer\DllColumnMap" /v "1" /t REG_DWORD /d "42" /f
    3⤵
    PID:3624
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD "HKEY_CURRENT_USER\SOFTWARE\Sysinternals\Process Explorer\DllColumnMap" /v "2" /t REG_DWORD /d "1033" /f
  2⤵
  PID:4668
- - C:\Windows\system32\reg.exe
    REG ADD "HKEY_CURRENT_USER\SOFTWARE\Sysinternals\Process Explorer\DllColumnMap" /v "2" /t REG_DWORD /d "1033" /f
    3⤵
    PID:3148
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD "HKEY_CURRENT_USER\SOFTWARE\Sysinternals\Process Explorer\DllColumnMap" /v "3" /t REG_DWORD /d "1111" /f
  2⤵
  PID:1616
- - C:\Windows\system32\reg.exe
    REG ADD "HKEY_CURRENT_USER\SOFTWARE\Sysinternals\Process Explorer\DllColumnMap" /v "3" /t REG_DWORD /d "1111" /f
    3⤵
    PID:2984
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD "HKEY_CURRENT_USER\SOFTWARE\Sysinternals\Process Explorer\DllColumnMap" /v "4" /t REG_DWORD /d "1670" /f
  2⤵
  PID:400
- - C:\Windows\system32\reg.exe
    REG ADD "HKEY_CURRENT_USER\SOFTWARE\Sysinternals\Process Explorer\DllColumnMap" /v "4" /t REG_DWORD /d "1670" /f
    3⤵
    PID:4372
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD "HKEY_CURRENT_USER\SOFTWARE\Sysinternals\Process Explorer\DllColumns" /v "0" /t REG_DWORD /d "110" /f
  2⤵
  PID:920
- - C:\Windows\system32\reg.exe
    REG ADD "HKEY_CURRENT_USER\SOFTWARE\Sysinternals\Process Explorer\DllColumns" /v "0" /t REG_DWORD /d "110" /f
    3⤵
    PID:2732
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD "HKEY_CURRENT_USER\SOFTWARE\Sysinternals\Process Explorer\DllColumns" /v "1" /t REG_DWORD /d "180" /f
  2⤵
  PID:2976
- - C:\Windows\system32\reg.exe
    REG ADD "HKEY_CURRENT_USER\SOFTWARE\Sysinternals\Process Explorer\DllColumns" /v "1" /t REG_DWORD /d "180" /f
    3⤵
    PID:2372
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD "HKEY_CURRENT_USER\SOFTWARE\Sysinternals\Process Explorer\DllColumns" /v "2" /t REG_DWORD /d "140" /f
  2⤵
  PID:4512
- - C:\Windows\system32\reg.exe
    REG ADD "HKEY_CURRENT_USER\SOFTWARE\Sysinternals\Process Explorer\DllColumns" /v "2" /t REG_DWORD /d "140" /f
    3⤵
    PID:828
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD "HKEY_CURRENT_USER\SOFTWARE\Sysinternals\Process Explorer\DllColumns" /v "3" /t REG_DWORD /d "300" /f
  2⤵
  PID:4500
- - C:\Windows\system32\reg.exe
    REG ADD "HKEY_CURRENT_USER\SOFTWARE\Sysinternals\Process Explorer\DllColumns" /v "3" /t REG_DWORD /d "300" /f
    3⤵
    PID:4308
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD "HKEY_CURRENT_USER\SOFTWARE\Sysinternals\Process Explorer\DllColumns" /v "4" /t REG_DWORD /d "100" /f
  2⤵
  PID:4236
- - C:\Windows\system32\reg.exe
    REG ADD "HKEY_CURRENT_USER\SOFTWARE\Sysinternals\Process Explorer\DllColumns" /v "4" /t REG_DWORD /d "100" /f
    3⤵
    PID:2880
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD "HKEY_CURRENT_USER\SOFTWARE\Sysinternals\Process Explorer\HandleColumnMap" /v "0" /t REG_DWORD /d "21" /f
  2⤵
  PID:2676
- - C:\Windows\system32\reg.exe
    REG ADD "HKEY_CURRENT_USER\SOFTWARE\Sysinternals\Process Explorer\HandleColumnMap" /v "0" /t REG_DWORD /d "21" /f
    3⤵
    PID:1936
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD "HKEY_CURRENT_USER\SOFTWARE\Sysinternals\Process Explorer\HandleColumnMap" /v "1" /t REG_DWORD /d "22" /f
  2⤵
  PID:1384
- - C:\Windows\system32\reg.exe
    REG ADD "HKEY_CURRENT_USER\SOFTWARE\Sysinternals\Process Explorer\HandleColumnMap" /v "1" /t REG_DWORD /d "22" /f
    3⤵
    PID:1564
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD "HKEY_CURRENT_USER\SOFTWARE\Sysinternals\Process Explorer\HandleColumns" /v "0" /t REG_DWORD /d "100" /f
  2⤵
  PID:5048
- - C:\Windows\system32\reg.exe
    REG ADD "HKEY_CURRENT_USER\SOFTWARE\Sysinternals\Process Explorer\HandleColumns" /v "0" /t REG_DWORD /d "100" /f
    3⤵
    PID:2704
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD "HKEY_CURRENT_USER\SOFTWARE\Sysinternals\Process Explorer\HandleColumns" /v "1" /t REG_DWORD /d "450" /f
  2⤵
  PID:4708
- - C:\Windows\system32\reg.exe
    REG ADD "HKEY_CURRENT_USER\SOFTWARE\Sysinternals\Process Explorer\HandleColumns" /v "1" /t REG_DWORD /d "450" /f
    3⤵
    PID:316
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD "HKEY_CURRENT_USER\SOFTWARE\Sysinternals\Process Explorer\ProcessColumnMap" /v "0" /t REG_DWORD /d "3" /f
  2⤵
  PID:1456
- - C:\Windows\system32\reg.exe
    REG ADD "HKEY_CURRENT_USER\SOFTWARE\Sysinternals\Process Explorer\ProcessColumnMap" /v "0" /t REG_DWORD /d "3" /f
    3⤵
    PID:2068
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD "HKEY_CURRENT_USER\SOFTWARE\Sysinternals\Process Explorer\ProcessColumnMap" /v "1" /t REG_DWORD /d "1055" /f
  2⤵
  PID:4752
- - C:\Windows\system32\reg.exe
    REG ADD "HKEY_CURRENT_USER\SOFTWARE\Sysinternals\Process Explorer\ProcessColumnMap" /v "1" /t REG_DWORD /d "1055" /f
    3⤵
    PID:2588
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD "HKEY_CURRENT_USER\SOFTWARE\Sysinternals\Process Explorer\ProcessColumnMap" /v "2" /t REG_DWORD /d "1650" /f
  2⤵
  PID:3508
- - C:\Windows\system32\reg.exe
    REG ADD "HKEY_CURRENT_USER\SOFTWARE\Sysinternals\Process Explorer\ProcessColumnMap" /v "2" /t REG_DWORD /d "1650" /f
    3⤵
    PID:2256
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD "HKEY_CURRENT_USER\SOFTWARE\Sysinternals\Process Explorer\ProcessColumnMap" /v "3" /t REG_DWORD /d "1200" /f
  2⤵
  PID:2572
- - C:\Windows\system32\reg.exe
    REG ADD "HKEY_CURRENT_USER\SOFTWARE\Sysinternals\Process Explorer\ProcessColumnMap" /v "3" /t REG_DWORD /d "1200" /f
    3⤵
    PID:4504
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD "HKEY_CURRENT_USER\SOFTWARE\Sysinternals\Process Explorer\ProcessColumnMap" /v "4" /t REG_DWORD /d "1092" /f
  2⤵
  PID:1180
- - C:\Windows\system32\reg.exe
    REG ADD "HKEY_CURRENT_USER\SOFTWARE\Sysinternals\Process Explorer\ProcessColumnMap" /v "4" /t REG_DWORD /d "1092" /f
    3⤵
    PID:3160
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD "HKEY_CURRENT_USER\SOFTWARE\Sysinternals\Process Explorer\ProcessColumnMap" /v "5" /t REG_DWORD /d "1333" /f
  2⤵
  PID:3804
- - C:\Windows\system32\reg.exe
    REG ADD "HKEY_CURRENT_USER\SOFTWARE\Sysinternals\Process Explorer\ProcessColumnMap" /v "5" /t REG_DWORD /d "1333" /f
    3⤵
    PID:3672
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD "HKEY_CURRENT_USER\SOFTWARE\Sysinternals\Process Explorer\ProcessColumnMap" /v "6" /t REG_DWORD /d "1622" /f
  2⤵
  PID:1816
- - C:\Windows\system32\reg.exe
    REG ADD "HKEY_CURRENT_USER\SOFTWARE\Sysinternals\Process Explorer\ProcessColumnMap" /v "6" /t REG_DWORD /d "1622" /f
    3⤵
    PID:1956
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD "HKEY_CURRENT_USER\SOFTWARE\Sysinternals\Process Explorer\ProcessColumnMap" /v "7" /t REG_DWORD /d "1636" /f
  2⤵
  PID:1392
- - C:\Windows\system32\reg.exe
    REG ADD "HKEY_CURRENT_USER\SOFTWARE\Sysinternals\Process Explorer\ProcessColumnMap" /v "7" /t REG_DWORD /d "1636" /f
    3⤵
    PID:4240
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD "HKEY_CURRENT_USER\SOFTWARE\Sysinternals\Process Explorer\ProcessColumnMap" /v "8" /t REG_DWORD /d "1179" /f
  2⤵
  PID:4468
- - C:\Windows\system32\reg.exe
    REG ADD "HKEY_CURRENT_USER\SOFTWARE\Sysinternals\Process Explorer\ProcessColumnMap" /v "8" /t REG_DWORD /d "1179" /f
    3⤵
    PID:3604
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD "HKEY_CURRENT_USER\SOFTWARE\Sysinternals\Process Explorer\ProcessColumnMap" /v "9" /t REG_DWORD /d "1340" /f
  2⤵
  PID:1820
- - C:\Windows\system32\reg.exe
    REG ADD "HKEY_CURRENT_USER\SOFTWARE\Sysinternals\Process Explorer\ProcessColumnMap" /v "9" /t REG_DWORD /d "1340" /f
    3⤵
    PID:4020
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD "HKEY_CURRENT_USER\SOFTWARE\Sysinternals\Process Explorer\ProcessColumnMap" /v "10" /t REG_DWORD /d "5" /f
  2⤵
  PID:3468
- - C:\Windows\system32\reg.exe
    REG ADD "HKEY_CURRENT_USER\SOFTWARE\Sysinternals\Process Explorer\ProcessColumnMap" /v "10" /t REG_DWORD /d "5" /f
    3⤵
    PID:1304
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD "HKEY_CURRENT_USER\SOFTWARE\Sysinternals\Process Explorer\ProcessColumnMap" /v "11" /t REG_DWORD /d "1339" /f
  2⤵
  PID:1884
- - C:\Windows\system32\reg.exe
    REG ADD "HKEY_CURRENT_USER\SOFTWARE\Sysinternals\Process Explorer\ProcessColumnMap" /v "11" /t REG_DWORD /d "1339" /f
    3⤵
    PID:3020
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD "HKEY_CURRENT_USER\SOFTWARE\Sysinternals\Process Explorer\ProcessColumnMap" /v "12" /t REG_DWORD /d "1060" /f
  2⤵
  PID:3144
- - C:\Windows\system32\reg.exe
    REG ADD "HKEY_CURRENT_USER\SOFTWARE\Sysinternals\Process Explorer\ProcessColumnMap" /v "12" /t REG_DWORD /d "1060" /f
    3⤵
    PID:1940
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD "HKEY_CURRENT_USER\SOFTWARE\Sysinternals\Process Explorer\ProcessColumnMap" /v "13" /t REG_DWORD /d "1063" /f
  2⤵
  PID:1900
- - C:\Windows\system32\reg.exe
    REG ADD "HKEY_CURRENT_USER\SOFTWARE\Sysinternals\Process Explorer\ProcessColumnMap" /v "13" /t REG_DWORD /d "1063" /f
    3⤵
    PID:1972
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD "HKEY_CURRENT_USER\SOFTWARE\Sysinternals\Process Explorer\ProcessColumnMap" /v "14" /t REG_DWORD /d "4" /f
  2⤵
  PID:4280
- - C:\Windows\system32\reg.exe
    REG ADD "HKEY_CURRENT_USER\SOFTWARE\Sysinternals\Process Explorer\ProcessColumnMap" /v "14" /t REG_DWORD /d "4" /f
    3⤵
    PID:2220
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD "HKEY_CURRENT_USER\SOFTWARE\Sysinternals\Process Explorer\ProcessColumnMap" /v "15" /t REG_DWORD /d "1065" /f
  2⤵
  PID:676
- - C:\Windows\system32\reg.exe
    REG ADD "HKEY_CURRENT_USER\SOFTWARE\Sysinternals\Process Explorer\ProcessColumnMap" /v "15" /t REG_DWORD /d "1065" /f
    3⤵
    PID:2064
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD "HKEY_CURRENT_USER\SOFTWARE\Sysinternals\Process Explorer\ProcessColumnMap" /v "16" /t REG_DWORD /d "18" /f
  2⤵
  PID:4272
- - C:\Windows\system32\reg.exe
    REG ADD "HKEY_CURRENT_USER\SOFTWARE\Sysinternals\Process Explorer\ProcessColumnMap" /v "16" /t REG_DWORD /d "18" /f
    3⤵
    PID:1020
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD "HKEY_CURRENT_USER\SOFTWARE\Sysinternals\Process Explorer\ProcessColumnMap" /v "17" /t REG_DWORD /d "1670" /f
  2⤵
  PID:3492
- - C:\Windows\system32\reg.exe
    REG ADD "HKEY_CURRENT_USER\SOFTWARE\Sysinternals\Process Explorer\ProcessColumnMap" /v "17" /t REG_DWORD /d "1670" /f
    3⤵
    PID:1008
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD "HKEY_CURRENT_USER\SOFTWARE\Sysinternals\Process Explorer\ProcessColumnMap" /v "18" /t REG_DWORD /d "1653" /f
  2⤵
  PID:2624
- - C:\Windows\system32\reg.exe
    REG ADD "HKEY_CURRENT_USER\SOFTWARE\Sysinternals\Process Explorer\ProcessColumnMap" /v "18" /t REG_DWORD /d "1653" /f
    3⤵
    PID:4488
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD "HKEY_CURRENT_USER\SOFTWARE\Sysinternals\Process Explorer\ProcessColumnMap" /v "19" /t REG_DWORD /d "1653" /f
  2⤵
  PID:4984
- - C:\Windows\system32\reg.exe
    REG ADD "HKEY_CURRENT_USER\SOFTWARE\Sysinternals\Process Explorer\ProcessColumnMap" /v "19" /t REG_DWORD /d "1653" /f
    3⤵
    PID:1144
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD "HKEY_CURRENT_USER\SOFTWARE\Sysinternals\Process Explorer\ProcessColumns" /v "0" /t REG_DWORD /d "261" /f
  2⤵
  PID:216
- - C:\Windows\system32\reg.exe
    REG ADD "HKEY_CURRENT_USER\SOFTWARE\Sysinternals\Process Explorer\ProcessColumns" /v "0" /t REG_DWORD /d "261" /f
    3⤵
    PID:4960
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD "HKEY_CURRENT_USER\SOFTWARE\Sysinternals\Process Explorer\ProcessColumns" /v "1" /t REG_DWORD /d "35" /f
  2⤵
  PID:4536
- - C:\Windows\system32\reg.exe
    REG ADD "HKEY_CURRENT_USER\SOFTWARE\Sysinternals\Process Explorer\ProcessColumns" /v "1" /t REG_DWORD /d "35" /f
    3⤵
    PID:5108
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD "HKEY_CURRENT_USER\SOFTWARE\Sysinternals\Process Explorer\ProcessColumns" /v "2" /t REG_DWORD /d "37" /f
  2⤵
  PID:4348
- - C:\Windows\system32\reg.exe
    REG ADD "HKEY_CURRENT_USER\SOFTWARE\Sysinternals\Process Explorer\ProcessColumns" /v "2" /t REG_DWORD /d "37" /f
    3⤵
    PID:3016
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD "HKEY_CURRENT_USER\SOFTWARE\Sysinternals\Process Explorer\ProcessColumns" /v "3" /t REG_DWORD /d "82" /f
  2⤵
  PID:2328
- - C:\Windows\system32\reg.exe
    REG ADD "HKEY_CURRENT_USER\SOFTWARE\Sysinternals\Process Explorer\ProcessColumns" /v "3" /t REG_DWORD /d "82" /f
    3⤵
    PID:2740
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD "HKEY_CURRENT_USER\SOFTWARE\Sysinternals\Process Explorer\ProcessColumns" /v "4" /t REG_DWORD /d "81" /f
  2⤵
  PID:1032
- - C:\Windows\system32\reg.exe
    REG ADD "HKEY_CURRENT_USER\SOFTWARE\Sysinternals\Process Explorer\ProcessColumns" /v "4" /t REG_DWORD /d "81" /f
    3⤵
    PID:1536
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD "HKEY_CURRENT_USER\SOFTWARE\Sysinternals\Process Explorer\ProcessColumns" /v "5" /t REG_DWORD /d "65" /f
  2⤵
  PID:4092
- - C:\Windows\system32\reg.exe
    REG ADD "HKEY_CURRENT_USER\SOFTWARE\Sysinternals\Process Explorer\ProcessColumns" /v "5" /t REG_DWORD /d "65" /f
    3⤵
    PID:984
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD "HKEY_CURRENT_USER\SOFTWARE\Sysinternals\Process Explorer\ProcessColumns" /v "6" /t REG_DWORD /d "93" /f
  2⤵
  PID:560
- - C:\Windows\system32\reg.exe
    REG ADD "HKEY_CURRENT_USER\SOFTWARE\Sysinternals\Process Explorer\ProcessColumns" /v "6" /t REG_DWORD /d "93" /f
    3⤵
    PID:4544
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD "HKEY_CURRENT_USER\SOFTWARE\Sysinternals\Process Explorer\ProcessColumns" /v "7" /t REG_DWORD /d "76" /f
  2⤵
  PID:2884
- - C:\Windows\system32\reg.exe
    REG ADD "HKEY_CURRENT_USER\SOFTWARE\Sysinternals\Process Explorer\ProcessColumns" /v "7" /t REG_DWORD /d "76" /f
    3⤵
    PID:2008
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD "HKEY_CURRENT_USER\SOFTWARE\Sysinternals\Process Explorer\ProcessColumns" /v "8" /t REG_DWORD /d "55" /f
  2⤵
  PID:3308
- - C:\Windows\system32\reg.exe
    REG ADD "HKEY_CURRENT_USER\SOFTWARE\Sysinternals\Process Explorer\ProcessColumns" /v "8" /t REG_DWORD /d "55" /f
    3⤵
    PID:4492
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD "HKEY_CURRENT_USER\SOFTWARE\Sysinternals\Process Explorer\ProcessColumns" /v "9" /t REG_DWORD /d "60" /f
  2⤵
  PID:1460
- - C:\Windows\system32\reg.exe
    REG ADD "HKEY_CURRENT_USER\SOFTWARE\Sysinternals\Process Explorer\ProcessColumns" /v "9" /t REG_DWORD /d "60" /f
    3⤵
    PID:2652
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD "HKEY_CURRENT_USER\SOFTWARE\Sysinternals\Process Explorer\ProcessColumns" /v "10" /t REG_DWORD /d "39" /f
  2⤵
  PID:3440
- - C:\Windows\system32\reg.exe
    REG ADD "HKEY_CURRENT_USER\SOFTWARE\Sysinternals\Process Explorer\ProcessColumns" /v "10" /t REG_DWORD /d "39" /f
    3⤵
    PID:4056
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD "HKEY_CURRENT_USER\SOFTWARE\Sysinternals\Process Explorer\ProcessColumns" /v "11" /t REG_DWORD /d "80" /f
  2⤵
  PID:2332
- - C:\Windows\system32\reg.exe
    REG ADD "HKEY_CURRENT_USER\SOFTWARE\Sysinternals\Process Explorer\ProcessColumns" /v "11" /t REG_DWORD /d "80" /f
    3⤵
    PID:1852
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD "HKEY_CURRENT_USER\SOFTWARE\Sysinternals\Process Explorer\ProcessColumns" /v "12" /t REG_DWORD /d "70" /f
  2⤵
  PID:2900
- - C:\Windows\system32\reg.exe
    REG ADD "HKEY_CURRENT_USER\SOFTWARE\Sysinternals\Process Explorer\ProcessColumns" /v "12" /t REG_DWORD /d "70" /f
    3⤵
    PID:4852
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD "HKEY_CURRENT_USER\SOFTWARE\Sysinternals\Process Explorer\ProcessColumns" /v "13" /t REG_DWORD /d "70" /f
  2⤵
  PID:1644
- - C:\Windows\system32\reg.exe
    REG ADD "HKEY_CURRENT_USER\SOFTWARE\Sysinternals\Process Explorer\ProcessColumns" /v "13" /t REG_DWORD /d "70" /f
    3⤵
    PID:1836
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD "HKEY_CURRENT_USER\SOFTWARE\Sysinternals\Process Explorer\ProcessColumns" /v "14" /t REG_DWORD /d "31" /f
  2⤵
  PID:4052
- - C:\Windows\system32\reg.exe
    REG ADD "HKEY_CURRENT_USER\SOFTWARE\Sysinternals\Process Explorer\ProcessColumns" /v "14" /t REG_DWORD /d "31" /f
    3⤵
    PID:4408
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD "HKEY_CURRENT_USER\SOFTWARE\Sysinternals\Process Explorer\ProcessColumns" /v "15" /t REG_DWORD /d "52" /f
  2⤵
  PID:4140
- - C:\Windows\system32\reg.exe
    REG ADD "HKEY_CURRENT_USER\SOFTWARE\Sysinternals\Process Explorer\ProcessColumns" /v "15" /t REG_DWORD /d "52" /f
    3⤵
    PID:2708
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD "HKEY_CURRENT_USER\SOFTWARE\Sysinternals\Process Explorer\ProcessColumns" /v "16" /t REG_DWORD /d "52" /f
  2⤵
  PID:2224
- - C:\Windows\system32\reg.exe
    REG ADD "HKEY_CURRENT_USER\SOFTWARE\Sysinternals\Process Explorer\ProcessColumns" /v "16" /t REG_DWORD /d "52" /f
    3⤵
    PID:4872
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD "HKEY_CURRENT_USER\SOFTWARE\Sysinternals\Process Explorer\ProcessColumns" /v "17" /t REG_DWORD /d "44" /f
  2⤵
  PID:3600
- - C:\Windows\system32\reg.exe
    REG ADD "HKEY_CURRENT_USER\SOFTWARE\Sysinternals\Process Explorer\ProcessColumns" /v "17" /t REG_DWORD /d "44" /f
    3⤵
    PID:4300
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "SubscribedContent-88000326Enabled" /t REG_DWORD /d "0" /f
  2⤵
  PID:2204
- - C:\Windows\system32\reg.exe
    REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "SubscribedContent-88000326Enabled" /t REG_DWORD /d "0" /f
    3⤵
    PID:1464
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "SubscribedContent-338387Enabled" /t REG_DWORD /d "0" /f
  2⤵
  PID:4428
- - C:\Windows\system32\reg.exe
    REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "SubscribedContent-338387Enabled" /t REG_DWORD /d "0" /f
    3⤵
    PID:400
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "SubscribedContent-338389Enabled" /t REG_DWORD /d "0" /f
  2⤵
  PID:2732
- - C:\Windows\system32\reg.exe
    REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "SubscribedContent-338389Enabled" /t REG_DWORD /d "0" /f
    3⤵
    PID:920
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "SoftLandingEnabled" /t REG_DWORD /d "0" /f
  2⤵
  PID:2372
- - C:\Windows\system32\reg.exe
    REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "SoftLandingEnabled" /t REG_DWORD /d "0" /f
    3⤵
    PID:2976
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "FeatureManagementEnabled" /t REG_DWORD /d "0" /f
  2⤵
  PID:828
- - C:\Windows\system32\reg.exe
    REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "FeatureManagementEnabled" /t REG_DWORD /d "0" /f
    3⤵
    PID:4512
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Attachments" /v "SaveZoneInformation" /t REG_DWORD /d "1" /f
  2⤵
  PID:4308
- - C:\Windows\system32\reg.exe
    REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Attachments" /v "SaveZoneInformation" /t REG_DWORD /d "1" /f
    3⤵
    PID:4500
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\AppHost" /v "PreventOverride" /t REG_DWORD /d "0" /f
  2⤵
  PID:2880
- - C:\Windows\system32\reg.exe
    REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\AppHost" /v "PreventOverride" /t REG_DWORD /d "0" /f
    3⤵
    PID:4236
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\GameDVR" /v "AppCaptureEnabled" /t REG_DWORD /d "0" /f
  2⤵
  PID:1936
- - C:\Windows\system32\reg.exe
    REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\GameDVR" /v "AppCaptureEnabled" /t REG_DWORD /d "0" /f
    3⤵
    PID:2676
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\GameDVR" /v "AudioCaptureEnabled" /t REG_DWORD /d "0" /f
  2⤵
  PID:1564
- - C:\Windows\system32\reg.exe
    REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\GameDVR" /v "AudioCaptureEnabled" /t REG_DWORD /d "0" /f
    3⤵
    PID:1384
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\GameDVR" /v "CursorCaptureEnabled" /t REG_DWORD /d "0" /f
  2⤵
  PID:2704
- - C:\Windows\system32\reg.exe
    REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\GameDVR" /v "CursorCaptureEnabled" /t REG_DWORD /d "0" /f
    3⤵
    PID:5048
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\GameBar" /v "UseNexusForGameBarEnabled" /t REG_DWORD /d "0" /f
  2⤵
  PID:316
- - C:\Windows\system32\reg.exe
    REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\GameBar" /v "UseNexusForGameBarEnabled" /t REG_DWORD /d "0" /f
    3⤵
    PID:4708
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\GameBar" /v "ShowStartupPanel" /t REG_DWORD /d "0" /f
  2⤵
  PID:2692
- - C:\Windows\system32\reg.exe
    REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\GameBar" /v "ShowStartupPanel" /t REG_DWORD /d "0" /f
    3⤵
    PID:2068
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "RotatingLockScreenOverlayEnabled" /t REG_DWORD /d "0" /f
  2⤵
  PID:2588
- - C:\Windows\system32\reg.exe
    REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "RotatingLockScreenOverlayEnabled" /t REG_DWORD /d "0" /f
    3⤵
    PID:4752
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "RotatingLockScreenEnabled" /t REG_DWORD /d "0" /f
  2⤵
  PID:2256
- - C:\Windows\system32\reg.exe
    REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "RotatingLockScreenEnabled" /t REG_DWORD /d "0" /f
    3⤵
    PID:3508
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "DisableWindowsSpotlightFeatures" /t REG_DWORD /d "1" /f
  2⤵
  PID:4504
- - C:\Windows\system32\reg.exe
    REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "DisableWindowsSpotlightFeatures" /t REG_DWORD /d "1" /f
    3⤵
    PID:2572
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "DisableTailoredExperiencesWithDiagnosticData" /t REG_DWORD /d "1" /f
  2⤵
  PID:3160
- - C:\Windows\system32\reg.exe
    REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "DisableTailoredExperiencesWithDiagnosticData" /t REG_DWORD /d "1" /f
    3⤵
    PID:1180
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\SearchSettings" /v "SafeSearchMode" /t REG_DWORD /d "0" /f
  2⤵
  PID:2868
- - C:\Windows\system32\reg.exe
    REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\SearchSettings" /v "SafeSearchMode" /t REG_DWORD /d "0" /f
    3⤵
    PID:3460
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Privacy" /v "TailoredExperiencesWithDiagnosticDataEnabled" /t REG_DWORD /d "0" /f
  2⤵
  PID:3292
- - C:\Windows\system32\reg.exe
    REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Privacy" /v "TailoredExperiencesWithDiagnosticDataEnabled" /t REG_DWORD /d "0" /f
    3⤵
    PID:1392
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Diagnostics\DiagTrack" /v "ShowedToastAtLevel" /t REG_DWORD /d "1" /f
  2⤵
  PID:2284
- - C:\Windows\system32\reg.exe
    REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Diagnostics\DiagTrack" /v "ShowedToastAtLevel" /t REG_DWORD /d "1" /f
    3⤵
    PID:2288
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Speech_OneCore\Settings\OnlineSpeechPrivacy" /v "HasAccepted" /t REG_DWORD /d "0" /f
  2⤵
  PID:4644
- - C:\Windows\system32\reg.exe
    REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Speech_OneCore\Settings\OnlineSpeechPrivacy" /v "HasAccepted" /t REG_DWORD /d "0" /f
    3⤵
    PID:1304
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Feeds" /v "ShellFeedsTaskbarOpenOnHover" /t REG_DWORD /d "0" /f
  2⤵
  PID:1796
- - C:\Windows\system32\reg.exe
    REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Feeds" /v "ShellFeedsTaskbarOpenOnHover" /t REG_DWORD /d "0" /f
    3⤵
    PID:4648
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\CDP" /v "RomeSdkChannelUserAuthzPolicy" /t REG_DWORD /d "0" /f
  2⤵
  PID:1404
- - C:\Windows\system32\reg.exe
    REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\CDP" /v "RomeSdkChannelUserAuthzPolicy" /t REG_DWORD /d "0" /f
    3⤵
    PID:3120
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\AppHost\EnableWebContentEvaluation" /v "Enabled" /t REG_DWORD /d "0" /f
  2⤵
  PID:5000
- - C:\Windows\system32\reg.exe
    REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\AppHost\EnableWebContentEvaluation" /v "Enabled" /t REG_DWORD /d "0" /f
    3⤵
    PID:428
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\SettingSync\Groups\Language" /v "Enabled" /t REG_DWORD /d "0" /f
  2⤵
  PID:2716
- - C:\Windows\system32\reg.exe
    REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\SettingSync\Groups\Language" /v "Enabled" /t REG_DWORD /d "0" /f
    3⤵
    PID:4892
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\InputPersonalization" /v "RestrictImplicitTextCollection" /t REG_DWORD /d "1" /f
  2⤵
  PID:1020
- - C:\Windows\system32\reg.exe
    REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\InputPersonalization" /v "RestrictImplicitTextCollection" /t REG_DWORD /d "1" /f
    3⤵
    PID:1008
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\InputPersonalization" /v "RestrictImplicitInkCollection" /t REG_DWORD /d "1" /f
  2⤵
  PID:4488
- - C:\Windows\system32\reg.exe
    REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\InputPersonalization" /v "RestrictImplicitInkCollection" /t REG_DWORD /d "1" /f
    3⤵
    PID:3208
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Siuf\Rules" /v "PeriodInNanoSeconds" /t REG_DWORD /d "0" /f
  2⤵
  PID:2696
- - C:\Windows\system32\reg.exe
    REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Siuf\Rules" /v "PeriodInNanoSeconds" /t REG_DWORD /d "0" /f
    3⤵
    PID:4344
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD "HKEY_CURRENT_USER\Control Panel\Accessibility\StickyKeys" /v "Flags" /t REG_SZ /d "506" /f
  2⤵
  PID:2060
- - C:\Windows\system32\reg.exe
    REG ADD "HKEY_CURRENT_USER\Control Panel\Accessibility\StickyKeys" /v "Flags" /t REG_SZ /d "506" /f
    3⤵
    PID:1444
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD "HKEY_CURRENT_USER\Control Panel\Accessibility\Keyboard Response" /v "Flags" /t REG_SZ /d "122" /f
  2⤵
  PID:1668
- - C:\Windows\system32\reg.exe
    REG ADD "HKEY_CURRENT_USER\Control Panel\Accessibility\Keyboard Response" /v "Flags" /t REG_SZ /d "122" /f
    3⤵
    PID:712
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD "HKEY_CURRENT_USER\Control Panel\Accessibility\ToggleKeys" /v "Flags" /t REG_SZ /d "58" /f
  2⤵
  PID:3172
- - C:\Windows\system32\reg.exe
    REG ADD "HKEY_CURRENT_USER\Control Panel\Accessibility\ToggleKeys" /v "Flags" /t REG_SZ /d "58" /f
    3⤵
    PID:3016
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD "HKEY_CURRENT_USER\SOFTWARE\Sysinternals\Process Explorer\VirusTotal" /v "VirusTotalTermsAccepted" /t REG_DWORD /d "1" /f
  2⤵
  PID:2328
- - C:\Windows\system32\reg.exe
    REG ADD "HKEY_CURRENT_USER\SOFTWARE\Sysinternals\Process Explorer\VirusTotal" /v "VirusTotalTermsAccepted" /t REG_DWORD /d "1" /f
    3⤵
    PID:1536
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\EditionOverrides" /v "UserSetting_DisableStartupSound" /t REG_DWORD /d "1" /f
  2⤵
  PID:1032
- - C:\Windows\system32\reg.exe
    REG ADD "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\EditionOverrides" /v "UserSetting_DisableStartupSound" /t REG_DWORD /d "1" /f
    3⤵
    PID:3176
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Lighting" /v "AmbientLightingEnabled" /t REG_DWORD /d "0" /f
  2⤵
  PID:2304
- - C:\Windows\system32\reg.exe
    REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Lighting" /v "AmbientLightingEnabled" /t REG_DWORD /d "0" /f
    3⤵
    PID:2912
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Lighting" /v "ControlledByForegroundApp" /t REG_DWORD /d "0" /f
  2⤵
  PID:560
- - C:\Windows\system32\reg.exe
    REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Lighting" /v "ControlledByForegroundApp" /t REG_DWORD /d "0" /f
    3⤵
    PID:2008
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Multimedia\Audio" /v "UserDuckingPreference" /t REG_DWORD /d "3" /f
  2⤵
  PID:2884
- - C:\Windows\system32\reg.exe
    REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Multimedia\Audio" /v "UserDuckingPreference" /t REG_DWORD /d "3" /f
    3⤵
    PID:4008
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Narrator\NoRoam" /v "ScriptingEnabled" /t REG_DWORD /d "0" /f
  2⤵
  PID:2164
- - C:\Windows\system32\reg.exe
    REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Narrator\NoRoam" /v "ScriptingEnabled" /t REG_DWORD /d "0" /f
    3⤵
    PID:3424
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Narrator\NoRoam" /v "EchoNavigationKeys" /t REG_DWORD /d "0" /f
  2⤵
  PID:2992
- - C:\Windows\system32\reg.exe
    REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Narrator\NoRoam" /v "EchoNavigationKeys" /t REG_DWORD /d "0" /f
    3⤵
    PID:2012
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Narrator\NoRoam" /v "OnlineServicesEnabled" /t REG_DWORD /d "0" /f
  2⤵
  PID:5020
- - C:\Windows\system32\reg.exe
    REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Narrator\NoRoam" /v "OnlineServicesEnabled" /t REG_DWORD /d "0" /f
    3⤵
    PID:2364
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG DELETE "HKEY_CLASSES_ROOT\*\shell\pintohomefile" /f
  2⤵
  PID:2084
- - C:\Windows\system32\reg.exe
    REG DELETE "HKEY_CLASSES_ROOT\*\shell\pintohomefile" /f
    3⤵
    PID:4784
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD "HKLM\SYSTEM\CurrentControlSet\Control" /v "SvcHostSplitThresholdInKB" /t REG_DWORD /d 4294967295 /f
  2⤵
  PID:4680
- - C:\Windows\system32\reg.exe
    REG ADD "HKLM\SYSTEM\CurrentControlSet\Control" /v "SvcHostSplitThresholdInKB" /t REG_DWORD /d 4294967295 /f
    3⤵
    PID:1048
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\microphone" /v "Value" /t REG_SZ /d "Allow" /f
  2⤵
  PID:1528
- - C:\Windows\system32\reg.exe
    REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\microphone" /v "Value" /t REG_SZ /d "Allow" /f
    3⤵
    PID:4864
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c powercfg /h off
  2⤵
  - Power Settings
  PID:1532
- - C:\Windows\system32\powercfg.exe
    powercfg /h off
    3⤵
    - Power Settings
    - Suspicious use of AdjustPrivilegeToken
    PID:1772
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c bcdedit /set {current} description "PatsimaOS11 23H2"
  2⤵
  PID:4140
- - C:\Windows\system32\bcdedit.exe
    bcdedit /set {current} description "PatsimaOS11 23H2"
    3⤵
    - Modifies boot configuration data using bcdedit
    PID:2788
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start /wait %SYSTEMDRIVE%\Modules\DirectX\DXSETUP.exe /silent
  2⤵
  PID:760
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c del /F /S /Q "%SYSTEMDRIVE%\Modules\DirectX" >NUL 2>&1
  2⤵
  PID:2208
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c bcdedit /timeout 10
  2⤵
  PID:2420
- - C:\Windows\system32\bcdedit.exe
    bcdedit /timeout 10
    3⤵
    - Modifies boot configuration data using bcdedit
    PID:2700
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c bcdedit /set useplatformtick No
  2⤵
  PID:4924
- - C:\Windows\system32\bcdedit.exe
    bcdedit /set useplatformtick No
    3⤵
    - Modifies boot configuration data using bcdedit
    PID:3284
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c bcdedit /set disabledynamictick Yes
  2⤵
  PID:2024
- - C:\Windows\system32\bcdedit.exe
    bcdedit /set disabledynamictick Yes
    3⤵
    - Modifies boot configuration data using bcdedit
    PID:2552
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c bcdedit /set bootmenupolicy Legacy
  2⤵
  PID:1544
- - C:\Windows\system32\bcdedit.exe
    bcdedit /set bootmenupolicy Legacy
    3⤵
    - Modifies boot configuration data using bcdedit
    PID:1920
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c bcdedit /set hypervisorlaunchtype off
  2⤵
  PID:3420
- - C:\Windows\system32\bcdedit.exe
    bcdedit /set hypervisorlaunchtype off
    3⤵
    - Modifies boot configuration data using bcdedit
    PID:3804
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c bcdedit /set quietboot On
  2⤵
  PID:3356
- - C:\Windows\system32\bcdedit.exe
    bcdedit /set quietboot On
    3⤵
    - Modifies boot configuration data using bcdedit
    PID:3672
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c bcdedit /set nx OptIn
  2⤵
  PID:4440
- - C:\Windows\system32\bcdedit.exe
    bcdedit /set nx OptIn
    3⤵
    - Modifies boot configuration data using bcdedit
    PID:1276
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c powercfg /h off
  2⤵
  - Power Settings
  PID:3892
- - C:\Windows\system32\powercfg.exe
    powercfg /h off
    3⤵
    - Power Settings
    - Suspicious use of AdjustPrivilegeToken
    PID:4468
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c devmanview /disable "System Speaker"
  2⤵
  PID:1968
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c devmanview /disable "System Timer"
  2⤵
  PID:648
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c devmanview /disable "High precision event timer"
  2⤵
  PID:2888
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c devmanview /disable "WAN Miniport (IKEv2)"
  2⤵
  PID:3244
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c devmanview /disable "WAN Miniport (IP)"
  2⤵
  PID:2272
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c devmanview /disable "WAN Miniport (IPv6)"
  2⤵
  PID:3784
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c devmanview /disable "WAN Miniport (L2TP)"
  2⤵
  PID:2220
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c devmanview /disable "WAN Miniport (Network Monitor)"
  2⤵
  PID:3480
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c devmanview /disable "WAN Miniport (PPPOE)"
  2⤵
  PID:676
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c devmanview /disable "WAN Miniport (PPTP)"
  2⤵
  PID:4280
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c devmanview /disable "WAN Miniport (SSTP)"
  2⤵
  PID:2280
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c devmanview /disable "Direct memory access controller"
  2⤵
  PID:2260
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c devmanview /disable "System CMOS/real time clock"
  2⤵
  PID:3208
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c devmanview /disable "Unknown device"
  2⤵
  PID:4488
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c devmanview /disable "Microsoft Virtual Drive Enumerator"
  2⤵
  PID:4344
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c devmanview /disable "UMBus Root Bus Enumerator"
  2⤵
  PID:2696
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c devmanview /disable "Programmable Interrupt Controller"
  2⤵
  PID:1444
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c devmanview /disable "Composite Bus Enumerator"
  2⤵
  PID:2060
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c devmanview /disable "Numeric Data Processor"
  2⤵
  PID:712
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c devmanview /disable "Legacy Device"
  2⤵
  PID:1668
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c devmanview /disable "PCI Memory Controller"
  2⤵
  PID:4224
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c devmanview /disable "PCI Simple Communications Controller"
  2⤵
  PID:2740
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c devmanview /disable "SM Bus Controller"
  2⤵
  PID:1252
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c devmanview /disable "PCI Data Acquisition and Signal Processing Controller"
  2⤵
  PID:1552
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c devmanview /disable "Base System Device"
  2⤵
  PID:984
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3" /V "1806" /T "REG_DWORD" /D "0000000000" /F
  2⤵
  PID:2720
- - C:\Windows\system32\reg.exe
    REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3" /V "1806" /T "REG_DWORD" /D "0000000000" /F
    3⤵
    PID:2644
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD "HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3" /V "1806" /T "REG_DWORD" /D "0000000000" /F
  2⤵
  PID:5064
- - C:\Windows\system32\reg.exe
    REG ADD "HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3" /V "1806" /T "REG_DWORD" /D "0000000000" /F
    3⤵
    PID:2744
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer\Security" /V "DisableSecuritySettingsCheck" /T "REG_DWORD" /D "00000001" /F
  2⤵
  PID:4908
- - C:\Windows\system32\reg.exe
    REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer\Security" /V "DisableSecuritySettingsCheck" /T "REG_DWORD" /D "00000001" /F
    3⤵
    PID:4940
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c PowerRun.exe /SW:0 Reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\vmicguestinterface" /v "Start" /t REG_DWORD /d "4" /f
  2⤵
  PID:4544
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c PowerRun.exe /SW:0 Reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\vmicheartbeat" /v "Start" /t REG_DWORD /d "4" /f
  2⤵
  PID:3772
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c PowerRun.exe /SW:0 Reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\vmickvpexchange" /v "Start" /t REG_DWORD /d "4" /f
  2⤵
  PID:3308
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c PowerRun.exe /SW:0 Reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\vmicrdv" /v "Start" /t REG_DWORD /d "4" /f
  2⤵
  PID:3824
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c PowerRun.exe /SW:0 Reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\vmicshutdown" /v "Start" /t REG_DWORD /d "4" /f
  2⤵
  PID:1460
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c PowerRun.exe /SW:0 Reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\vmictimesync" /v "Start" /t REG_DWORD /d "4" /f
  2⤵
  PID:5008
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c PowerRun.exe /SW:0 Reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\vmicvmsession" /v "Start" /t REG_DWORD /d "4" /f
  2⤵
  PID:1388
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c PowerRun.exe /SW:0 Reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\vmicvss" /v "Start" /t REG_DWORD /d "4" /f
  2⤵
  PID:1980
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c PowerRun.exe /SW:0 Reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\vmcompute" /v "Start" /t REG_DWORD /d "4" /f
  2⤵
  PID:3732
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c PowerRun.exe /SW:0 Reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SysMain" /v "Start" /t REG_DWORD /d "4" /f
  2⤵
  PID:1644
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c PowerRun.exe /SW:0 Reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\FontCache" /v "Start" /t REG_DWORD /d "4" /f
  2⤵
  PID:3920
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c PowerRun.exe /SW:0 Reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\FontCache3.0.0.0" /v "Start" /t REG_DWORD /d "4" /f
  2⤵
  PID:1128
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c PowerRun.exe /SW:0 Reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\GraphicsPerfSvc" /v "Start" /t REG_DWORD /d "4" /f
  2⤵
  PID:3776
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c PowerRun.exe /SW:0 Reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\bthserv" /v "Start" /t REG_DWORD /d "4" /f
  2⤵
  PID:1772
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c PowerRun.exe /SW:0 Reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BTAGService" /v "Start" /t REG_DWORD /d "4" /f
  2⤵
  PID:1532
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c PowerRun.exe /SW:0 Reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BluetoothUserService" /v "Start" /t REG_DWORD /d "4" /f
  2⤵
  PID:2788
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c PowerRun.exe /SW:0 Reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BthAvctpSvc" /v "Start" /t REG_DWORD /d "4" /f
  2⤵
  PID:3744
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c PowerRun.exe /SW:0 Reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RFCOMM" /v "Start" /t REG_DWORD /d "4" /f
  2⤵
  PID:2872
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c PowerRun.exe /SW:0 Reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BthEnum" /v "Start" /t REG_DWORD /d "4" /f
  2⤵
  PID:4700
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c PowerRun.exe /SW:0 Reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BthLEEnum" /v "Start" /t REG_DWORD /d "4" /f
  2⤵
  PID:744
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c PowerRun.exe /SW:0 Reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BthA2dp" /v "Start" /t REG_DWORD /d "4" /f
  2⤵
  PID:1556
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c PowerRun.exe /SW:0 Reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BthHFEnum" /v "Start" /t REG_DWORD /d "4" /f
  2⤵
  PID:1816
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c PowerRun.exe /SW:0 Reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BthMini" /v "Start" /t REG_DWORD /d "4" /f
  2⤵
  PID:3600
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c PowerRun.exe /SW:0 Reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BTHMODEM" /v "Start" /t REG_DWORD /d "4" /f
  2⤵
  PID:2204
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c PowerRun.exe /SW:0 Reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BTHPORT" /v "Start" /t REG_DWORD /d "4" /f
  2⤵
  PID:2756
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c PowerRun.exe /SW:0 Reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BTHUSB" /v "Start" /t REG_DWORD /d "4" /f
  2⤵
  PID:1744
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c PowerRun.exe /SW:0 Reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\HidBth" /v "Start" /t REG_DWORD /d "4" /f
  2⤵
  PID:5100
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c PowerRun.exe /SW:0 Reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Microsoft_Bluetooth_AvrcpTransport" /v "Start" /t REG_DWORD /d "4" /f
  2⤵
  PID:3756
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c PowerRun.exe /SW:0 Reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WMPNetworkSvc" /v "Start" /t REG_DWORD /d "4" /f
  2⤵
  PID:4916
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c PowerRun.exe /SW:0 Reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WerSvc" /v "Start" /t REG_DWORD /d "4" /f
  2⤵
  PID:2484
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c PowerRun.exe /SW:0 Reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wercplsupport" /v "Start" /t REG_DWORD /d "4" /f
  2⤵
  PID:1384
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c PowerRun.exe /SW:0 Reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SensrSvc" /v "Start" /t REG_DWORD /d "4" /f
  2⤵
  PID:5048
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c PowerRun.exe /SW:0 Reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SensorService" /v "Start" /t REG_DWORD /d "4" /f
  2⤵
  PID:3864
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c PowerRun.exe /SW:0 Reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\diagnosticshub.standardcollector.service" /v "Start" /t REG_DWORD /d "4" /f
  2⤵
  PID:3488
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c PowerRun.exe /SW:0 Reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WdiServiceHost" /v "Start" /t REG_DWORD /d "4" /f
  2⤵
  PID:2704
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c PowerRun.exe /SW:0 Reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WSearch" /v "Start" /t REG_DWORD /d "4" /f
  2⤵
  PID:2068
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c PowerRun.exe /SW:0 Reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lltdsvc" /v "Start" /t REG_DWORD /d "4" /f
  2⤵
  PID:316
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c PowerRun.exe /SW:0 Reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lltdio" /v "Start" /t REG_DWORD /d "4" /f
  2⤵
  PID:3180
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c PowerRun.exe /SW:0 Reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MsLldp" /v "Start" /t REG_DWORD /d "4" /f
  2⤵
  PID:2520
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c PowerRun.exe /SW:0 Reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\GpuEnergyDrv" /v "Start" /t REG_DWORD /d "4" /f
  2⤵
  PID:2700
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c PowerRun.exe /SW:0 Reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Beep" /v "Start" /t REG_DWORD /d "4" /f
  2⤵
  PID:2420
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c PowerRun.exe /SW:0 Reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /v "Start" /t REG_DWORD /d "4" /f
  2⤵
  PID:3284
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c sc delete nvagent >NUL 2>&1
  2⤵
  PID:4924
- - C:\Windows\system32\sc.exe
    sc delete nvagent
    3⤵
    - Launches sc.exe
    PID:2552
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c sc delete edgeupdate >NUL 2>&1
  2⤵
  PID:3428
- - C:\Windows\system32\sc.exe
    sc delete edgeupdate
    3⤵
    - Launches sc.exe
    PID:3160
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c sc delete edgeupdatem >NUL 2>&1
  2⤵
  PID:4060
- - C:\Windows\system32\sc.exe
    sc delete edgeupdatem
    3⤵
    - Launches sc.exe
    PID:2156
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c PowerRun.exe /SW:0 schtasks.exe /Change /Disable /TN "\MicrosoftEdgeUpdateTaskMachineCore" >NUL 2>&1
  2⤵
  PID:1076
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c PowerRun.exe /SW:0 schtasks.exe /Change /Disable /TN "\MicrosoftEdgeUpdateTaskMachineUA" >NUL 2>&1
  2⤵
  PID:1956
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c PowerRun.exe /SW:0 schtasks.exe /Change /Disable /TN "\Microsoft\Windows\Power Efficiency Diagnostics\AnalyzeSystem" >NUL 2>&1
  2⤵
  PID:1180
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c PowerRun.exe /SW:0 schtasks.exe /Change /Disable /TN "\Microsoft\Windows\Windows Error Reporting\QueueReporting" >NUL 2>&1
  2⤵
  PID:3292
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c PowerRun.exe /SW:0 schtasks.exe /Change /Disable /TN "\Microsoft\Windows\DiskFootprint\Diagnostics" >NUL 2>&1
  2⤵
  PID:3368
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c PowerRun.exe /SW:0 schtasks.exe /Change /Disable /TN "\Microsoft\Windows\Application Experience\Microsoft Compatibility Appraiser" >NUL 2>&1
  2⤵
  PID:2284
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c PowerRun.exe /SW:0 schtasks.exe /Change /Disable /TN "\Microsoft\Windows\Application Experience\StartupAppTask" >NUL 2>&1
  2⤵
  PID:924
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c PowerRun.exe /SW:0 schtasks.exe /Change /Disable /TN "\Microsoft\Windows\Autochk\Proxy" >NUL 2>&1
  2⤵
  PID:2396
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c PowerRun.exe /SW:0 schtasks.exe /Change /Disable /TN "\Microsoft\Windows\Application Experience\PcaPatchDbTask" >NUL 2>&1
  2⤵
  PID:4024
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c PowerRun.exe /SW:0 schtasks.exe /Change /Disable /TN "\Microsoft\Windows\BrokerInfrastructure\BgTaskRegistrationMaintenanceTask" >NUL 2>&1
  2⤵
  PID:700
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c PowerRun.exe /SW:0 schtasks.exe /Change /Disable /TN "\Microsoft\Windows\CloudExperienceHost\CreateObjectTask" >NUL 2>&1
  2⤵
  PID:244
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c PowerRun.exe /SW:0 schtasks.exe /Change /Disable /TN "\Microsoft\Windows\DiskDiagnostic\Microsoft-Windows-DiskDiagnosticDataCollector" >NUL 2>&1
  2⤵
  PID:1968
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c PowerRun.exe /SW:0 schtasks.exe /Change /Disable /TN "\Microsoft\Windows\Defrag\ScheduledDefrag" >NUL 2>&1
  2⤵
  PID:648
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c PowerRun.exe /SW:0 schtasks.exe /Change /Disable /TN "\Microsoft\Windows\DiskFootprint\StorageSense" >NUL 2>&1
  2⤵
  PID:2888
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c PowerRun.exe /SW:0 schtasks.exe /Change /Disable /TN "\MicrosoftEdgeUpdateBrowserReplacementTask" >NUL 2>&1
  2⤵
  PID:3244
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c PowerRun.exe /SW:0 schtasks.exe /Change /Disable /TN "\Microsoft\Windows\Registry\RegIdleBackup" >NUL 2>&1
  2⤵
  PID:2272
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c PowerRun.exe /SW:0 schtasks.exe /Change /Disable /TN "\Microsoft\Windows\Windows Filtering Platform\BfeOnServiceStartTypeChange" >NUL 2>&1
  2⤵
  PID:3784
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c PowerRun.exe /SW:0 schtasks.exe /Change /Disable /TN "\Microsoft\Windows\SoftwareProtectionPlatform\SvcRestartTaskNetwork" >NUL 2>&1
  2⤵
  PID:2220
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c PowerRun.exe /SW:0 schtasks.exe /Change /Disable /TN "\Microsoft\Windows\SoftwareProtectionPlatform\SvcRestartTaskLogon" >NUL 2>&1
  2⤵
  PID:3480
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c PowerRun.exe /SW:0 schtasks.exe /Change /Disable /TN "\Microsoft\Windows\StateRepository\MaintenanceTasks" >NUL 2>&1
  2⤵
  PID:676
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c PowerRun.exe /SW:0 schtasks.exe /Change /Disable /TN "\Microsoft\Windows\UpdateOrchestrator\Report policies" >NUL 2>&1
  2⤵
  PID:4280
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c PowerRun.exe /SW:0 schtasks.exe /Change /Disable /TN "\Microsoft\Windows\UpdateOrchestrator\Schedule Scan Static Task" >NUL 2>&1
  2⤵
  PID:2280
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c PowerRun.exe /SW:0 schtasks.exe /Change /Disable /TN "\Microsoft\Windows\UpdateOrchestrator\Schedule Scan" >NUL 2>&1
  2⤵
  PID:2260
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c PowerRun.exe /SW:0 schtasks.exe /Change /Disable /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateModelTask" >NUL 2>&1
  2⤵
  PID:3208
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c PowerRun.exe /SW:0 schtasks.exe /Change /Disable /TN "\Microsoft\Windows\UpdateOrchestrator\USO_UxBroker" >NUL 2>&1
  2⤵
  PID:4488
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c PowerRun.exe /SW:0 schtasks.exe /Change /Disable /TN "\Microsoft\Windows\UpdateOrchestrator\Schedule Work" >NUL 2>&1
  2⤵
  PID:4344
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c PowerRun.exe /SW:0 schtasks.exe /Change /Disable /TN "\Microsoft\Windows\UPnP\UPnPHostConfig" >NUL 2>&1
  2⤵
  PID:2696
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c PowerRun.exe /SW:0 schtasks.exe /Change /Disable /TN "\Microsoft\Windows\RetailDemo\CleanupOfflineContent" >NUL 2>&1
  2⤵
  PID:1444
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c PowerRun.exe /SW:0 schtasks.exe /Change /Disable /TN "\Microsoft\Windows\Shell\FamilySafetyMonitor" >NUL 2>&1
  2⤵
  PID:2060
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c PowerRun.exe /SW:0 schtasks.exe /Change /Disable /TN "\Microsoft\Windows\InstallService\ScanForUpdates" >NUL 2>&1
  2⤵
  PID:712
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c PowerRun.exe /SW:0 schtasks.exe /Change /Disable /TN "\Microsoft\Windows\InstallService\ScanForUpdatesAsUser" >NUL 2>&1
  2⤵
  PID:1668
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c PowerRun.exe /SW:0 schtasks.exe /Change /Disable /TN "\Microsoft\Windows\InstallService\SmartRetry" >NUL 2>&1
  2⤵
  PID:4224
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c PowerRun.exe /SW:0 schtasks.exe /Change /Disable /TN "\Microsoft\Windows\International\Synchronize Language Settings" >NUL 2>&1
  2⤵
  PID:2740
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c PowerRun.exe /SW:0 schtasks.exe /Change /Disable /TN "\Microsoft\Windows\MemoryDiagnostic\ProcessMemoryDiagnosticEvents" >NUL 2>&1
  2⤵
  PID:1252
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c PowerRun.exe /SW:0 schtasks.exe /Change /Disable /TN "\Microsoft\Windows\MemoryDiagnostic\RunFullMemoryDiagnostic" >NUL 2>&1
  2⤵
  PID:1072
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c PowerRun.exe /SW:0 schtasks.exe /Change /Disable /TN "\Microsoft\Windows\Multimedia\Microsoft\Windows\Multimedia" >NUL 2>&1
  2⤵
  PID:1540
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c PowerRun.exe /SW:0 schtasks.exe /Change /Disable /TN "\Microsoft\Windows\Printing\EduPrintProv" >NUL 2>&1
  2⤵
  PID:5028
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c PowerRun.exe /SW:0 schtasks.exe /Change /Disable /TN "\Microsoft\Windows\RemoteAssistance\RemoteAssistanceTask" >NUL 2>&1
  2⤵
  PID:2424
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c PowerRun.exe /SW:0 schtasks.exe /Change /Disable /TN "\Microsoft\Windows\Ras\MobilityManager" >NUL 2>&1
  2⤵
  PID:1032
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c PowerRun.exe /SW:0 schtasks.exe /Change /Disable /TN "\Microsoft\Windows\PushToInstall\LoginCheck" >NUL 2>&1
  2⤵
  PID:3752
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c PowerRun.exe /SW:0 schtasks.exe /Change /Disable /TN "\Microsoft\Windows\Time Synchronization\SynchronizeTime" >NUL 2>&1
  2⤵
  PID:2304
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c PowerRun.exe /SW:0 schtasks.exe /Change /Disable /TN "\Microsoft\Windows\Time Synchronization\ForceSynchronizeTime" >NUL 2>&1
  2⤵
  PID:2684
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c PowerRun.exe /SW:0 schtasks.exe /Change /Disable /TN "\Microsoft\Windows\Time Zone\SynchronizeTimeZone" >NUL 2>&1
  2⤵
  PID:4492
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c PowerRun.exe /SW:0 schtasks.exe /Change /Disable /TN "\Microsoft\Windows\WaaSMedic\PerformRemediation" >NUL 2>&1
  2⤵
  PID:2652
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c PowerRun.exe /SW:0 schtasks.exe /Change /Disable /TN "\Microsoft\Windows\DiskCleanup\SilentCleanup" >NUL 2>&1
  2⤵
  PID:2140
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c PowerRun.exe /SW:0 schtasks.exe /Change /Disable /TN "\Microsoft\Windows\Diagnosis\Scheduled" >NUL 2>&1
  2⤵
  PID:3440
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c PowerRun.exe /SW:0 schtasks.exe /Change /Disable /TN "\Microsoft\Windows\Wininet\CacheTask" >NUL 2>&1
  2⤵
  PID:4216
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c PowerRun.exe /SW:0 schtasks.exe /Change /Disable /TN "\Microsoft\Windows\Device Setup\Metadata Refresh" >NUL 2>&1
  2⤵
  PID:2332
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c PowerRun.exe /SW:0 schtasks.exe /Change /Disable /TN "\Microsoft\Windows\Mobile Broadband Accounts\MNO Metadata Parser" >NUL 2>&1
  2⤵
  PID:1852
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c PowerRun.exe /SW:0 schtasks.exe /Change /Disable /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" >NUL 2>&1
  2⤵
  PID:4532
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c PowerRun.exe /SW:0 schtasks.exe /Change /Disable /TN "Microsoft\Windows\Customer Experience Improvement Program\KernelCeipTask" >NUL 2>&1
  2⤵
  PID:4852
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c PowerRun.exe /SW:0 schtasks.exe /Change /Disable /TN "Microsoft\Windows\Customer Experience Improvement Program\UsbCeip" >NUL 2>&1
  2⤵
  PID:1664
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c PowerRun.exe /SW:0 schtasks.exe /Change /Disable /TN "Microsoft\Windows\Customer Experience Improvement Program\Consolidator" >NUL 2>&1
  2⤵
  PID:1828
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c PowerRun.exe /SW:0 schtasks.exe /Change /Disable /TN "Microsoft\Windows\Customer Experience Improvement Program\Uploader" >NUL 2>&1
  2⤵
  PID:4136
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c PowerRun.exe /SW:0 schtasks.exe /Change /Disable /TN "Microsoft\Windows\Power Efficiency Diagnostics\AnalyzeSystem" >NUL 2>&1
  2⤵
  PID:652
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c PowerRun.exe /SW:0 schtasks.exe /Change /Disable /TN "Microsoft\Windows\Shell\FamilySafetyMonitor" >NUL 2>&1
  2⤵
  PID:3904
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c PowerRun.exe /SW:0 schtasks.exe /Change /Disable /TN "Microsoft\Windows\Shell\FamilySafetyRefresh" >NUL 2>&1
  2⤵
  PID:2544
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c PowerRun.exe /SW:0 schtasks.exe /Change /Disable /TN "Microsoft\Windows\Shell\FamilySafetyUpload" >NUL 2>&1
  2⤵
  PID:2224
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c PowerRun.exe /SW:0 schtasks.exe /Change /Disable /TN "Microsoft\Windows\Application Experience\AitAgent" >NUL 2>&1
  2⤵
  PID:3148
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c PowerRun.exe /SW:0 schtasks.exe /Change /Disable /TN "Microsoft\Windows\Application Experience\ProgramDataUpdater" >NUL 2>&1
  2⤵
  PID:636
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c PowerRun.exe /SW:0 schtasks.exe /Change /Disable /TN "Microsoft\Windows\Application Experience\StartupAppTask" >NUL 2>&1
  2⤵
  PID:3580
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c PowerRun.exe /SW:0 schtasks.exe /Change /Disable /TN "Microsoft\Windows\Autochk\Proxy" >NUL 2>&1
  2⤵
  PID:2916
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c PowerRun.exe /SW:0 schtasks.exe /Change /Disable /TN "Microsoft\Windows\Customer Experience Improvement Program\Consolidator" >NUL 2>&1
  2⤵
  PID:1760
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c PowerRun.exe /SW:0 schtasks.exe /Change /Disable /TN "Microsoft\Windows\AppID\SmartScreenSpecific" >NUL 2>&1
  2⤵
  PID:3380
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c PowerRun.exe /SW:0 schtasks.exe /Change /Disable /TN "Microsoft\Windows\Application Experience\Microsoft Compatibility Appraiser" >NUL 2>&1
  2⤵
  PID:4300
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c PowerRun.exe /SW:0 schtasks.exe /Change /Disable /TN "Microsoft\Windows\DiskDiagnostic\Microsoft-Windows-DiskDiagnosticDataCollector" >NUL 2>&1
  2⤵
  PID:936
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c PowerRun.exe /SW:0 schtasks.exe /Change /Disable /TN "Microsoft\Windows\NetTrace\GatherNetworkInfo" >NUL 2>&1
  2⤵
  PID:4388
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c PowerRun.exe /SW:0 schtasks.exe /Change /Disable /TN "Microsoft\Windows\PI\Sqm-Tasks" >NUL 2>&1
  2⤵
  PID:4360
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c PowerRun.exe /SW:0 schtasks.exe /Change /Disable /TN "Microsoft\Windows\FileHistory\File History (maintenance mode)" >NUL 2>&1
  2⤵
  PID:4524
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c PowerRun.exe /SW:0 schtasks.exe /Change /Disable /TN "Microsoft\Windows\DiskFootprint\Diagnostics" >NUL 2>&1
  2⤵
  PID:3416
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c PowerRun.exe /SW:0 schtasks.exe /Change /Disable /TN "Microsoft\Windows\CloudExperienceHost\CreateObjectTask" >NUL 2>&1
  2⤵
  PID:856
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c PowerRun.exe /SW:0 schtasks.exe /Change /Disable /TN "Microsoft\Windows\Windows Error Reporting\QueueReporting" >NUL 2>&1
  2⤵
  PID:2676
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c PowerRun.exe /SW:0 taskkill.exe /im "HelpPane.exe" /t /f >NUL 2>&1
  2⤵
  PID:1936
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c PowerRun.exe /SW:0 cmd.exe /c del /F /Q "%SYSTEMDRIVE%\Windows\HelpPane.exe"
  2⤵
  PID:5056
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c del /F /Q "%SYSTEMDRIVE%\Modules\7zip.exe"
  2⤵
  PID:2540
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c del /F /Q "%SYSTEMDRIVE%\Modules\PatsimaOS V2.1 IDLE ON.pow"
  2⤵
  PID:1564
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c rd /s /q %WINDIR%\Temp\ >NUL 2>&1
  2⤵
  PID:4580
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c rd /s /q %SYSTEMDRIVE%\Modules\ >NUL 2>&1
  2⤵
  PID:952
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c rd /s /q "%SYSTEMDRIVE%\Program Files (x86)\Microsoft" >NUL 2>&1
  2⤵
  PID:4208
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c del /F /Q "%SYSTEMDRIVE%\Windows\devmanview.exe" >NUL 2>&1
  2⤵
  PID:3924
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c del /F /Q "%SYSTEMDRIVE%\Modules\7zip.bat" >NUL 2>&1
  2⤵
  PID:3484
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c del /F /Q "%SYSTEMDRIVE%\Modules\twk.bat" >NUL 2>&1
  2⤵
  PID:3972
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c del /F /Q "%SYSTEMDRIVE%\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Setup.bat" >NUL 2>&1
  2⤵
  PID:4752
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c del /F /Q "%SYSTEMDRIVE%\Modules\postinstall.exe" >NUL 2>&1
  2⤵
  PID:2256
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c shutdown -r -f -t 7 -c "Rebooting Patsima OS 11"
  2⤵
  PID:2552
- - C:\Windows\system32\shutdown.exe
    shutdown -r -f -t 7 -c "Rebooting Patsima OS 11"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4924

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa387a855 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:4440

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

System Services

T1569

Service Execution

T1569.002

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Power Settings

T1653

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Indicator Removal

T1070

File Deletion

T1070.004

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_40n04cvr.k5z.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/1624-0-0x00007FFBD1F33000-0x00007FFBD1F35000-memory.dmp

Filesize
8KB

Download
memory/1624-10-0x000001D2C80B0000-0x000001D2C80D2000-memory.dmp

Filesize
136KB

Download
memory/1624-11-0x00007FFBD1F30000-0x00007FFBD29F1000-memory.dmp

Filesize
10.8MB

Download
memory/1624-12-0x00007FFBD1F30000-0x00007FFBD29F1000-memory.dmp

Filesize
10.8MB

Download
memory/1624-15-0x00007FFBD1F30000-0x00007FFBD29F1000-memory.dmp

Filesize
10.8MB

Download