Analysis
max time kernel: 168s
max time network: 159s
platform: windows10-ltsc 2021_x64
resource: win10ltsc2021-20241023-en
resource tags: arch:x64, arch:x86, image:win10ltsc2021-20241023-en, locale:en-us, os:windows10-ltsc 2021-x64, system
submitted: 08-11-2024 20:16
Static task: static1
Behavioral task: behavioral1
Sample: Maho_Premium_Utility.bat
Resource: win10ltsc2021-20241023-en
General
Target: Maho_Premium_Utility.bat
Size: 326KB
MD5: ca9a8333213a5c6ad964e980fcbc6f33
SHA1: 7f6a49dc91055c0737dfab2e82d6f96313cb4c9f
SHA256: 22b2d5e1a89238c4ccf949b13a4bdbfa5626fc625ddace67280d01309033dc50
SHA512: c2c53bea7d920fb928dd60f1f25923bc6dacb679f78be177c2d467f45f7472816d12a55ca69a473d0a900f493d93338426f2e96f94f71106ce0691409695cc28
SSDEEP: 1536:6Q0Ym+bChbCFACzAC3rbwP+yVdaipHD/EEUmjNG0H0QcFlV4S0v:ptbmbkAqAy9iV7EElcFlV4S0v
Malware Config
Signatures
-
Modifies visibility of file extensions in Explorer 2 TTPs 2 IoCs
Processes: reg.exe, SystemPropertiesPerformance.exe
description | ioc | process
Set value (int) | \REGISTRY\USER\S-1-5-21-4152190078-1497776152-96910572-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "0" | reg.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-4152190078-1497776152-96910572-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "0" | SystemPropertiesPerformance.exe
-
Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
Processes: SystemPropertiesPerformance.exe
description | ioc | process
Set value (int) | \REGISTRY\USER\S-1-5-21-4152190078-1497776152-96910572-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | SystemPropertiesPerformance.exe
-
Processes: reg.exe, reg.exe, reg.exe, reg.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | reg.exe
-
Disables taskbar notifications via registry modification
-
Possible privilege escalation attempt 3 IoCs
Processes: takeown.exe, icacls.exe, takeown.exe
pid | process
1612 | takeown.exe
1752 | icacls.exe
1968 | takeown.exe
-
Server Software Component: Terminal Services DLL 1 TTPs 1 IoCs
Processes: w32tm.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\w32time\Parameters\ServiceDll = "C:\\Windows\\SYSTEM32\\w32time.DLL" | w32tm.exe
-
Executes dropped EXE 1 IoCs
Processes: dismhost.exe
pid | process
1028 | dismhost.exe
-
Loads dropped DLL 5 IoCs
Processes: dismhost.exe
pid | process
1028 | dismhost.exe
1028 | dismhost.exe
1028 | dismhost.exe
1028 | dismhost.exe
1028 | dismhost.exe
-
Modifies file permissions 1 TTPs 3 IoCs
Processes: icacls.exe, takeown.exe, takeown.exe
pid | process
1752 | icacls.exe
1968 | takeown.exe
1612 | takeown.exe
-
Modifies system executable filetype association 2 TTPs 2 IoCs
Processes: reg.exe, reg.exe
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-4152190078-1497776152-96910572-1000_Classes\lnkfile\NeverShowExt | reg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\NeverShowExt | reg.exe
-
Adds Run key to start application 2 TTPs 1 IoCs
Processes: reg.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ctfmon = "C:\\Windows\\System32\\ctfmon.exe" | reg.exe
-
Enumerates connected drives 3 TTPs 1 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes: cleanmgr.exe
description | ioc | process
File opened (read-only) | \??\F: | cleanmgr.exe
-
Hijack Execution Flow: Executable Installer File Permissions Weakness 1 TTPs 1 IoCs
Possible Turn off User Account Control's privilege elevation for standard users.
Processes: reg.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" | reg.exe
-
Power Settings 1 TTPs 2 IoCs
powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.
-
Drops file in System32 directory 4 IoCs
Processes: cleanmgr.exe
description | ioc | process
File opened for modification | C:\Windows\system32\LogFiles\setupcln\setuperr.log | cleanmgr.exe
File opened for modification | C:\Windows\system32\LogFiles\setupcln\diagerr.xml | cleanmgr.exe
File opened for modification | C:\Windows\system32\LogFiles\setupcln\diagwrn.xml | cleanmgr.exe
File opened for modification | C:\Windows\system32\LogFiles\setupcln\setupact.log | cleanmgr.exe
-
Boot or Logon Autostart Execution: Time Providers 1 TTPs 31 IoCs
The Windows Time service (W32Time) enables time synchronization across and within domains.
-
Drops file in Windows directory 3 IoCs
Processes: cleanmgr.exe, dismhost.exe, TiWorker.exe
description | ioc | process
File opened for modification | C:\Windows\Logs\DISM\dism.log | cleanmgr.exe
File opened for modification | C:\Windows\Logs\DISM\dism.log | dismhost.exe
File opened for modification | C:\Windows\Logs\CBS\CBS.log | TiWorker.exe
-
Launches sc.exe 8 IoCs
Sc.exe is a Windows utility to control services on the system.
Processes: sc.exe, sc.exe, sc.exe, sc.exe, sc.exe, sc.exe, sc.exe, sc.exe
pid | process
4580 | sc.exe
1552 | sc.exe
4344 | sc.exe
524 | sc.exe
2460 | sc.exe
2024 | sc.exe
240 | sc.exe
3372 | sc.exe
-
System Time Discovery 1 TTPs 4 IoCs
An adversary may gather the system time and/or time zone settings from a local or remote system.
Processes: net.exe, net1.exe, net.exe, net1.exe
pid | process
5004 | net.exe
4248 | net1.exe
4288 | net.exe
3656 | net1.exe
-
Checks SCSI registry key(s) 3 TTPs 36 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Delays execution with timeout.exe 59 IoCs
-
Disables Windows logging functionality 2 TTPs
Changes registry settings to disable Windows Event logging.
-
Kills process with taskkill 1 IoCs
Processes: taskkill.exe
pid | process
2272 | taskkill.exe
-
Modifies data under HKEY_USERS 10 IoCs
Processes: reg.exe, reg.exe, reg.exe, reg.exe, reg.exe
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Settings | reg.exe
Key created | \REGISTRY\USER\.DEFAULT\Control Panel\Keyboard | reg.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Control Panel\Keyboard\InitialKeyboardIndicators = "2147483650" | reg.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Settings\DownloadMode = "0" | reg.exe
Key created | \REGISTRY\USER\.DEFAULT\Control Panel\Keyboard | reg.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Control Panel\Keyboard\InitialKeyboardIndicators = "2" | reg.exe
Key created | \REGISTRY\USER\.DEFAULT\Control Panel\Keyboard | reg.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Control Panel\Keyboard\KeyboardDelay = "0" | reg.exe
Key created | \REGISTRY\USER\.DEFAULT\Control Panel\Keyboard | reg.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Control Panel\Keyboard\KeyboardSpeed = "31" | reg.exe
-
Modifies registry class 27 IoCs
-
Runs net.exe
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Views/modifies file attributes 1 TTPs 2 IoCs
Processes:
attrib.exe, attrib.exe
pid process
5040 attrib.exe
4700 attrib.exe
Processes
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Maho_Premium_Utility.bat"1⤵
- Suspicious use of WriteProcessMemory
PID:2512 -
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power\PowerSettings\54533251-82be-4824-96c1-47b60b740d00\943c8cb6-6f93-4227-ad87-e9a3feec08d1" /v "Attributes" /t REG_DWORD /d "2" /f2⤵PID:2152
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power\PowerSettings\2a737441-1930-4402-8d77-b2bebba308a3\d4e98f31-5ffe-4ce1-be31-1b38b384c009\DefaultPowerSchemeValues\381b4222-f694-41f0-9685-ff5bb260df2e" /v "ACSettingIndex" /t REG_DWORD /d "0" /f2⤵PID:3080
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power\PowerSettings\2a737441-1930-4402-8d77-b2bebba308a3\d4e98f31-5ffe-4ce1-be31-1b38b384c009\DefaultPowerSchemeValues\381b4222-f694-41f0-9685-ff5bb260df2e" /v "DCSettingIndex" /t REG_DWORD /d "0" /f2⤵PID:4684
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power\PowerSettings\2a737441-1930-4402-8d77-b2bebba308a3\d4e98f31-5ffe-4ce1-be31-1b38b384c009\DefaultPowerSchemeValues\8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c" /v "ACSettingIndex" /t REG_DWORD /d "0" /f2⤵PID:4056
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power\PowerSettings\54533251-82be-4824-96c1-47b60b740d00\3b04d4fd-1cc7-4f23-ab1c-d1337819c4bb\DefaultPowerSchemeValues\381b4222-f694-41f0-9685-ff5bb260df2e" /v "ACSettingIndex" /t REG_DWORD /d "0" /f2⤵PID:2604
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power\PowerSettings\54533251-82be-4824-96c1-47b60b740d00\3b04d4fd-1cc7-4f23-ab1c-d1337819c4bb\DefaultPowerSchemeValues\381b4222-f694-41f0-9685-ff5bb260df2e" /v "DCSettingIndex" /t REG_DWORD /d "0" /f2⤵PID:1224
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power\PowerSettings\54533251-82be-4824-96c1-47b60b740d00\3b04d4fd-1cc7-4f23-ab1c-d1337819c4bb\DefaultPowerSchemeValues\8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c" /v "ACSettingIndex" /t REG_DWORD /d "0" /f2⤵PID:216
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Processor" /v "AllowPepPerfStates" /t REG_DWORD /d "0" /f2⤵PID:328
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Processor" /v "Cstates" /t REG_DWORD /d "0" /f2⤵PID:5004
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Processor" /v "Capabilities" /t REG_DWORD /d "516198" /f2⤵PID:4680
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "HighPerformance" /t REG_DWORD /d "1" /f2⤵PID:1736
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "HighestPerformance" /t REG_DWORD /d "1" /f2⤵PID:4256
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "MinimumThrottlePercent" /t REG_DWORD /d "0" /f2⤵PID:4416
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "MaximumThrottlePercent" /t REG_DWORD /d "0" /f2⤵PID:2276
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "MaximumPerformancePercent" /t REG_DWORD /d "100" /f2⤵PID:536
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "Class1InitialUnparkCount" /t REG_DWORD /d "100" /f2⤵PID:992
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "InitialUnparkCount" /t REG_DWORD /d "100" /f2⤵PID:748
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "MaximumPerformancePercent" /t REG_DWORD /d "100" /f2⤵PID:4492
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WcmSvc\GroupPolicy" /v "fDisablePowerManagement" /t REG_DWORD /d "1" /f2⤵PID:3384
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power\PDC\Activators\Default\VetoPolicy" /v "EA:EnergySaverEngaged" /t REG_DWORD /d "0" /f2⤵PID:3836
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power\PDC\Activators\28\VetoPolicy" /v "EA:PowerStateDischarging" /t REG_DWORD /d "0" /f2⤵PID:4276
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power\Policy\Settings\Misc" /v "DeviceIdlePolicy" /t REG_DWORD /d "0" /f2⤵PID:1596
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power\Policy\Settings\Processor" /v "PerfEnergyPreference" /t REG_DWORD /d "0" /f2⤵PID:3472
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power\Policy\Settings\Processor" /v "PerfEnergyPreference" /t REG_DWORD /d "0" /f2⤵PID:1328
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power\Policy\Settings\Processor" /v "CPMinCores" /t REG_DWORD /d "0" /f2⤵PID:2728
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power\Policy\Settings\Processor" /v "CPMaxCores" /t REG_DWORD /d "0" /f2⤵PID:3044
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power\Policy\Settings\Processor" /v "CPMinCores1" /t REG_DWORD /d "0" /f2⤵PID:2716
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power\Policy\Settings\Processor" /v "CPMaxCores1" /t REG_DWORD /d "0" /f2⤵PID:4748
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power\Policy\Settings\Processor" /v "CpLatencyHintUnpark1" /t REG_DWORD /d "100" /f2⤵PID:3244
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power\Policy\Settings\Processor" /v "CPDistribution" /t REG_DWORD /d "0" /f2⤵PID:4572
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power\Policy\Settings\Processor" /v "CpLatencyHintUnpark" /t REG_DWORD /d "100" /f2⤵PID:1644
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power\Policy\Settings\Processor" /v "MaxPerformance1" /t REG_DWORD /d "100" /f2⤵PID:3792
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power\Policy\Settings\Processor" /v "MaxPerformance" /t REG_DWORD /d "100" /f2⤵PID:2464
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power\Policy\Settings\Processor" /v "CPDistribution1" /t REG_DWORD /d "0" /f2⤵PID:4244
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power\Policy\Settings\Processor" /v "CPHEADROOM" /t REG_DWORD /d "0" /f2⤵PID:2096
-
C:\Windows\system32\reg.exeReg.exe add "HKCU\Control Panel\PowerCfg\GlobalPowerPolicy" /v "Policies" /t REG_BINARY /d "01000000020000000100000000000000020000000000000000000000000000002c0100003232030304000000040000000000000000000000840300002c01000000000000840300000001646464640000" /f2⤵
- Power Settings
PID:2576 -
C:\Windows\system32\reg.exeReg.exe add "HKCU\Control Panel\PowerCfg\GlobalPowerPolicy" /v "Policies" /t REG_BINARY /d "01000000020000000100000000000000020000000000000000000000000000002c0100003232030304000000040000000000000000000000840300002c01000000000000840300000001646464640000" /f2⤵
- Power Settings
PID:1820 -
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Processor" /v "Cstates" /t REG_DWORD /d "0" /f2⤵PID:3788
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Processor" /v "Capabilities" /t REG_DWORD /d "516198" /f2⤵PID:2032
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "HighPerformance" /t REG_DWORD /d "1" /f2⤵PID:4960
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "HighestPerformance" /t REG_DWORD /d "1" /f2⤵PID:1920
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "MinimumThrottlePercent" /t REG_DWORD /d "0" /f2⤵PID:840
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "MaximumThrottlePercent" /t REG_DWORD /d "0" /f2⤵PID:4444
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "MaximumPerformancePercent" /t REG_DWORD /d "100" /f2⤵PID:5036
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "Class1InitialUnparkCount" /t REG_DWORD /d "100" /f2⤵PID:1664
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "InitialUnparkCount" /t REG_DWORD /d "100" /f2⤵PID:4904
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "MaximumPerformancePercent" /t REG_DWORD /d "100" /f2⤵PID:2664
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power\PowerThrottling" /v "PowerThrottlingOff" /t REG_DWORD /d "1" /f2⤵PID:1916
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power\Policy\Settings\Processor" /v "CPHEADROOM" /t REG_DWORD /d "0" /f2⤵PID:2244
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power\Policy\Settings\Processor" /v "CPCONCURRENCY" /t REG_DWORD /d "0" /f2⤵PID:3876
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\ControlSet001\Control\Processor" /v "ProccesorThrottlingEnabled" /t REG_DWORD /d "0" /f2⤵PID:404
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\ControlSet001\Control\Processor" /v "CpuIdleThreshold" /t REG_DWORD /d "1" /f2⤵PID:3440
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\ControlSet001\Control\Processor" /v "CpuIdle" /t REG_DWORD /d "0" /f2⤵PID:1640
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\ControlSet001\Control\Processor" /v "CpuLatencyTimer" /t REG_DWORD /d "0" /f2⤵PID:4600
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\ControlSet001\Control\Processor" /v "CpuSlowdown" /t REG_DWORD /d "0" /f2⤵PID:1556
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\ControlSet001\Control\Processor" /v "DedicatedSegmentSize" /t REG_DWORD /d "1298" /f2⤵PID:1484
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\ControlSet001\Control\Processor" /v "Threshold" /t REG_DWORD /d "1" /f2⤵PID:4432
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\ControlSet001\Control\Processor" /v "CpuDebuggingEnabled" /t REG_DWORD /d "0" /f2⤵PID:3348
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\ControlSet001\Control\Processor" /v "ProccesorLatencyThrottlingEnabled" /t REG_DWORD /d "0" /f2⤵PID:4312
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\ControlSet001\Control\Processor" /v "CpuIdleScrubDelay" /t REG_DWORD /d "0" /f2⤵PID:3828
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\ControlSet001\Control\Processor" /v "CpuIdleScrubInterval" /t REG_DWORD /d "0" /f2⤵PID:1588
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\ControlSet001\Control\Processor" /v "CpuIdleScrubPower" /t REG_DWORD /d "18" /f2⤵PID:1412
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\ControlSet001\Control\Processor" /v "CpuIdleScrubThreshold" /t REG_DWORD /d "0" /f2⤵PID:472
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\ControlSet001\Control\Processor" /v "CpuIdleScrubType" /t REG_DWORD /d "2" /f2⤵PID:4772
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\ControlSet001\Control\Processor" /v "CpuIdleScrubValue" /t REG_DWORD /d "100" /f2⤵PID:2040
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\ControlSet001\Control\Processor" /v "CpuIdleScrubValueMaximum" /t REG_DWORD /d "100" /f2⤵PID:1156
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\ControlSet001\Control\Processor" /v "CpuIdleScrubValueMinimum" /t REG_DWORD /d "100" /f2⤵PID:940
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\ControlSet001\Control\Processor" /v "CpuIdleScrubValueStep" /t REG_DWORD /d "0" /f2⤵PID:2180
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\ControlSet001\Control\Processor" /v "CpuIdleScrubValueDefault" /t REG_DWORD /d "0" /f2⤵PID:2764
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\ControlSet001\Control\Processor" /v "CpuIdleScrubValueCurrent" /t REG_DWORD /d "0" /f2⤵PID:4020
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\ControlSet001\Control\Processor" /v "CpuIdleScrubValuePrevious" /t REG_DWORD /d "0" /f2⤵PID:2392
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\ControlSet001\Control\Processor" /v "CpuIdleScrubValueNext" /t REG_DWORD /d "0" /f2⤵PID:3948
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\ControlSet001\Control\Processor" /v "CpuIdleScrubValueLast" /t REG_DWORD /d "0" /f2⤵PID:3800
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\ControlSet001\Control\Processor" /v "CpuIdleScrubValueFirst" /t REG_DWORD /d "0" /f2⤵PID:1976
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\ControlSet001\Control\Processor" /v "CpuIdleScrubValueCount" /t REG_DWORD /d "100" /f2⤵PID:420
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\ControlSet001\Control\Processor" /v "CpuIdleScrubValueIndex" /t REG_DWORD /d "42" /f2⤵PID:1884
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\ControlSet001\Control\Processor" /v "CpuIdleScrubValueName" /t REG_DWORD /d "0" /f2⤵PID:2528
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\ControlSet001\Control\Processor" /v "CpuIdleScrubValueDescription" /t REG_DWORD /d "0" /f2⤵PID:3556
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\ControlSet001\Control\Processor" /v "CpuIdleScrubValueEnabled" /t REG_DWORD /d "0" /f2⤵PID:4528
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\ControlSet001\Control\Processor" /v "CpuIdleScrubValueDisabled" /t REG_DWORD /d "1" /f2⤵PID:4608
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\ControlSet001\Control\Processor" /v "CpuIdleScrubValueVisible" /t REG_DWORD /d "1" /f2⤵PID:4280
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\ControlSet001\Control\Processor" /v "CpuIdleScrubValueHidden" /t REG_DWORD /d "0" /f2⤵PID:2452
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\ControlSet001\Control\Processor" /v "CpuIdleScrubValueReadOnly" /t REG_DWORD /d "0" /f2⤵PID:4916
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\ControlSet001\Control\Processor" /v "CpuIdleScrubValueReadnv11" /t REG_DWORD /d "0" /f2⤵PID:3432
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\ControlSet001\Control\Processor" /v "CpuIdleScrubValuenv11Only" /t REG_DWORD /d "0" /f2⤵PID:3644
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\ControlSet001\Control\Processor" /v "CpuIdleScrubValueExecute" /t REG_DWORD /d "0" /f2⤵PID:788
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\ControlSet001\Control\Processor" /v "CpuIdleScrubValueNoExecute" /t REG_DWORD /d "0" /f2⤵PID:4716
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\ControlSet001\Control\Processor" /v "CpuIdleScrubValueSystem" /t REG_DWORD /d "0" /f2⤵PID:2360
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\ControlSet001\Control\Processor" /v "CpuIdleScrubValueUser" /t REG_DWORD /d "0" /f2⤵PID:4388
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\ControlSet001\Control\Processor" /v "CpuIdleScrubPower" /t REG_DWORD /d "100" /f2⤵PID:3080
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\ControlSet001\Control\Processor" /v "CpuIdleScrubValueDisabled" /t REG_DWORD /d "0" /f2⤵PID:4684
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\ControlSet001\Control\Processor" /v "CpuIdleScrubPower" /t REG_DWORD /d "0" /f2⤵PID:4056
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\ControlSet001\Control\Processor" /v "CpuIdleScrubValueCustom" /t REG_DWORD /d "0" /f2⤵PID:2604
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\ControlSet001\Control\Processor" /v "CpuIdleScrubValueAuto" /t REG_DWORD /d "1" /f2⤵PID:1224
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\ControlSet001\Control\Processor" /v "CpuIdleScrubValueManual" /t REG_DWORD /d "0" /f2⤵PID:216
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\ControlSet001\Control\Processor" /v "CpuIdleScrubValueAutomatic" /t REG_DWORD /d "1" /f2⤵PID:328
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\ControlSet001\Control\Processor" /v "CpuIdleScrubValueDisabledByDefault" /t REG_DWORD /d "1" /f2⤵PID:5004
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\ControlSet001\Control\Processor" /v "CpuIdleScrubValueEnabledByDefault" /t REG_DWORD /d "0" /f2⤵PID:4680
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\ControlSet001\Control\Processor" /v "CpuIdleScrubValueDefaultEnabled" /t REG_DWORD /d "0" /f2⤵PID:1736
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\ControlSet001\Control\Processor" /v "CpuIdleScrubValueDefaultDisabled" /t REG_DWORD /d "1" /f2⤵PID:4256
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\ControlSet001\Control\Processor" /v "CpuIdleScrubValueDefaultAuto" /t REG_DWORD /d "1" /f2⤵PID:4416
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\ControlSet001\Control\Processor" /v "CpuIdleScrubValueDefaultManual" /t REG_DWORD /d "0" /f2⤵PID:2276
-
C:\Windows\system32\reg.exeReg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\appDiagnostics" /F /V "Value" /T REG_SZ /d "Deny"2⤵PID:536
-
C:\Windows\system32\reg.exeReg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\appointments" /F /V "Value" /T REG_SZ /d "Deny"2⤵PID:992
-
C:\Windows\system32\reg.exeReg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\email" /F /V "Value" /T REG_SZ /d "Deny"2⤵PID:748
-
C:\Windows\system32\reg.exeReg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\phoneCall" /F /V "Value" /T REG_SZ /d "Deny"2⤵PID:4492
-
C:\Windows\system32\reg.exeReg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\userDataTasks" /F /V "Value" /T REG_SZ /d "Deny"2⤵PID:3744
-
C:\Windows\system32\reg.exeReg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\DeviceAccess\Global\{C1D23ACC-752B-43E5-8448-8D0E519CD6D6}" /v "Value" /t REG_SZ /d "Deny" /f2⤵PID:1660
-
C:\Windows\system32\reg.exeReg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\DeviceAccess\Global\{2297E4E2-5DBE-466D-A12B-0F8286F0D9CA}" /v "Value" /t REG_SZ /d "Deny" /f2⤵PID:2816
-
C:\Windows\system32\reg.exeReg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\DeviceAccess\Global\{E5323777-F976-4f5b-9B55-B94699C46E44}" /v "Value" /t REG_SZ /d "Deny" /f2⤵PID:1904
-
C:\Windows\system32\reg.exeReg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\DeviceAccess\Global\{2EEF81BE-33FA-4800-9670-1CD474972C3F}" /v "Value" /t REG_SZ /d "Deny" /f2⤵PID:4768
-
C:\Windows\system32\reg.exeReg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\DeviceAccess\Global\{52079E78-A92B-413F-B213-E8FE35712E72}" /v "Value" /t REG_SZ /d "Deny" /f2⤵PID:3640
-
C:\Windows\system32\reg.exeReg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\DeviceAccess\Global\{7D7E8402-7C54-4821-A34E-AEEFD62DED93}" /v "Value" /t REG_SZ /d "Deny" /f2⤵PID:4724
-
C:\Windows\system32\reg.exeReg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\DeviceAccess\Global\{D89823BA-7180-4B81-B50C-7E471E6121A3}" /v "Value" /t REG_SZ /d "Deny" /f2⤵PID:4824
-
C:\Windows\system32\reg.exeReg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\DeviceAccess\Global\{8BC668CF-7728-45BD-93F8-CF2B3B41D7AB}" /v "Value" /t REG_SZ /d "Deny" /f2⤵PID:2544
-
C:\Windows\system32\reg.exeReg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\DeviceAccess\Global\{9231CB4C-BF57-4AF3-8C55-FDA7BFCC04C5}" /v "Value" /t REG_SZ /d "Deny" /f2⤵PID:2480
-
C:\Windows\system32\reg.exeReg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\DeviceAccess\Global\{E390DF20-07DF-446D-B962-F5C953062741}" /v "Value" /t REG_SZ /d "Deny" /f2⤵PID:2620
-
C:\Windows\system32\reg.exeReg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\DeviceAccess\Global\{992AFA70-6F47-4148-B3E9-3003349C1548}" /v "Value" /t REG_SZ /d "Deny" /f2⤵PID:3272
-
C:\Windows\system32\reg.exeReg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\chat" /F /V "Value" /T REG_SZ /d "Deny"2⤵PID:1872
-
C:\Windows\system32\reg.exeReg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\contacts" /F /V "Value" /T REG_SZ /d "Deny"2⤵PID:4760
-
C:\Windows\system32\reg.exeREG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Messaging" /F /V "AllowMessageSync" /T REG_DWORD /d 02⤵PID:3596
-
C:\Windows\system32\reg.exeReg.exe add "HKCU\Software\Microsoft\Office\Common\ClientTelemetry" /v "DisableTelemetry" /t REG_DWORD /d "1" /f2⤵PID:3660
-
C:\Windows\system32\reg.exeReg.exe add "HKCU\Software\Microsoft\Office\16.0\Common" /v "sendcustomerdata" /t REG_DWORD /d "0" /f2⤵PID:3780
-
C:\Windows\system32\reg.exeReg.exe add "HKCU\Software\Microsoft\Office\16.0\Common\Feedback" /v "enabled" /t REG_DWORD /d "0" /f2⤵PID:4972
-
C:\Windows\system32\reg.exeReg.exe add "HKCU\Software\Microsoft\Office\16.0\Common\Feedback" /v "includescreenshot" /t REG_DWORD /d "0" /f2⤵PID:4752
-
C:\Windows\system32\reg.exeReg.exe add "HKCU\Software\Microsoft\Office\16.0\Outlook\Options\Mail" /v "EnableLogging" /t REG_DWORD /d "0" /f2⤵PID:3112
-
C:\Windows\system32\reg.exeReg.exe add "HKCU\Software\Microsoft\Office\16.0\Word\Options" /v "EnableLogging" /t REG_DWORD /d "0" /f2⤵PID:4088
-
C:\Windows\system32\reg.exeReg.exe add "HKCU\Software\Microsoft\Office\Common\ClientTelemetry" /v "SendTelemetry" /t REG_DWORD /d "3" /f2⤵PID:3960
-
C:\Windows\system32\reg.exeReg.exe add "HKCU\Software\Microsoft\Office\16.0\Common" /v "qmenable" /t REG_DWORD /d "0" /f2⤵PID:4984
-
C:\Windows\system32\reg.exeReg.exe add "HKCU\Software\Microsoft\Office\16.0\Common" /v "updatereliabilitydata" /t REG_DWORD /d "0" /f2⤵PID:2968
-
C:\Windows\system32\reg.exeReg.exe add "HKCU\Software\Microsoft\Office\16.0\Common\General" /v "shownfirstrunoptin" /t REG_DWORD /d "1" /f2⤵PID:3864
-
C:\Windows\system32\reg.exeReg.exe add "HKCU\Software\Microsoft\Office\16.0\Common\General" /v "skydrivesigninoption" /t REG_DWORD /d "0" /f2⤵PID:2784
-
C:\Windows\system32\reg.exeReg.exe add "HKCU\Software\Microsoft\Office\16.0\Common\ptwatson" /v "ptwoptin" /t REG_DWORD /d "0" /f2⤵PID:3324
-
C:\Windows\system32\reg.exeReg.exe add "HKCU\Software\Microsoft\Office\16.0\Firstrun" /v "disablemovie" /t REG_DWORD /d "1" /f2⤵PID:880
-
C:\Windows\system32\reg.exeReg.exe add "HKCU\Software\Microsoft\Office\16.0\OSM" /v "Enablelogging" /t REG_DWORD /d "0" /f2⤵PID:2248
-
C:\Windows\system32\reg.exeReg.exe add "HKCU\Software\Microsoft\Office\16.0\OSM" /v "EnableUpload" /t REG_DWORD /d "0" /f2⤵PID:376
-
C:\Windows\system32\reg.exeReg.exe add "HKCU\Software\Microsoft\Office\16.0\OSM" /v "EnableFileObfuscation" /t REG_DWORD /d "1" /f2⤵PID:2328
-
C:\Windows\system32\reg.exeReg.exe add "HKCU\Software\Microsoft\Office\16.0\OSM\preventedapplications" /v "accesssolution" /t REG_DWORD /d "1" /f2⤵PID:1848
-
C:\Windows\system32\reg.exeReg.exe add "HKCU\Software\Microsoft\Office\16.0\OSM\preventedapplications" /v "olksolution" /t REG_DWORD /d "1" /f2⤵PID:2268
-
C:\Windows\system32\reg.exeReg.exe add "HKCU\Software\Microsoft\Office\16.0\OSM\preventedapplications" /v "onenotesolution" /t REG_DWORD /d "1" /f2⤵PID:1752
-
C:\Windows\system32\reg.exeReg.exe add "HKCU\Software\Microsoft\Office\16.0\OSM\preventedapplications" /v "pptsolution" /t REG_DWORD /d "1" /f2⤵PID:3300
-
C:\Windows\system32\reg.exeReg.exe add "HKCU\Software\Microsoft\Office\16.0\OSM\preventedapplications" /v "projectsolution" /t REG_DWORD /d "1" /f2⤵PID:2992
-
C:\Windows\system32\reg.exeReg.exe add "HKCU\Software\Microsoft\Office\16.0\OSM\preventedapplications" /v "publishersolution" /t REG_DWORD /d "1" /f2⤵PID:584
-
C:\Windows\system32\reg.exeReg.exe add "HKCU\Software\Microsoft\Office\16.0\OSM\preventedapplications" /v "visiosolution" /t REG_DWORD /d "1" /f2⤵PID:2476
-
C:\Windows\system32\reg.exeReg.exe add "HKCU\Software\Microsoft\Office\16.0\OSM\preventedapplications" /v "wdsolution" /t REG_DWORD /d "1" /f2⤵PID:456
-
C:\Windows\system32\reg.exeReg.exe add "HKCU\Software\Microsoft\Office\16.0\OSM\preventedapplications" /v "xlsolution" /t REG_DWORD /d "1" /f2⤵PID:3696
-
C:\Windows\system32\reg.exeReg.exe add "HKCU\Software\Microsoft\Office\16.0\OSM\preventedsolutiontypes" /v "agave" /t REG_DWORD /d "1" /f2⤵PID:4000
-
C:\Windows\system32\reg.exeReg.exe add "HKCU\Software\Microsoft\Office\16.0\OSM\preventedsolutiontypes" /v "appaddins" /t REG_DWORD /d "1" /f2⤵PID:1144
-
C:\Windows\system32\reg.exeReg.exe add "HKCU\Software\Microsoft\Office\16.0\OSM\preventedsolutiontypes" /v "comaddins" /t REG_DWORD /d "1" /f2⤵PID:3856
-
C:\Windows\system32\reg.exeReg.exe add "HKCU\Software\Microsoft\Office\16.0\OSM\preventedsolutiontypes" /v "documentfiles" /t REG_DWORD /d "1" /f2⤵PID:2964
-
C:\Windows\system32\reg.exeReg.exe add "HKCU\Software\Microsoft\Office\16.0\OSM\preventedsolutiontypes" /v "templatefiles" /t REG_DWORD /d "1" /f2⤵PID:3688
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows\System" /v "EnableSmartScreen" /t REG_DWORD /d "0" /f2⤵PID:4396
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer" /v "SmartScreenEnabled" /t REG_SZ /d "Off" /f2⤵PID:3992
-
C:\Windows\system32\reg.exeReg.exe add "HKU\\SOFTWARE\Microsoft\Windows\CurrentVersion\AppHost" /v "EnableWebContentEvaluation" /t REG_DWORD /d "0" /f2⤵PID:4212
-
C:\Windows\system32\reg.exeReg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\activity" /v "Value" /t REG_SZ /d "Deny" /f2⤵PID:4080
-
C:\Windows\system32\reg.exeReg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\appDiagnostics" /v "Value" /t REG_SZ /d "Deny" /f2⤵PID:4896
-
C:\Windows\system32\reg.exeReg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\appointments" /v "Value" /t REG_SZ /d "Deny" /f2⤵PID:1940
-
C:\Windows\system32\reg.exeReg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\bluetoothSync" /v "Value" /t REG_SZ /d "Deny" /f2⤵PID:4048
-
C:\Windows\system32\reg.exeReg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\broadFileSystemAccess" /v "Value" /t REG_SZ /d "Deny" /f2⤵PID:1560
-
C:\Windows\system32\reg.exeReg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\chat" /v "Value" /t REG_SZ /d "Deny" /f2⤵PID:4636
-
C:\Windows\system32\reg.exeReg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\contacts" /v "Value" /t REG_SZ /d "Deny" /f2⤵PID:3456
-
C:\Windows\system32\reg.exeReg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\documentsLibrary" /v "Value" /t REG_SZ /d "Deny" /f2⤵PID:1932
-
C:\Windows\system32\reg.exeReg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\gazeInput" /v "Value" /t REG_SZ /d "Deny" /f2⤵PID:3976
-
C:\Windows\system32\reg.exeReg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\microphone" /v "Value" /t REG_SZ /d "Allow" /f2⤵PID:3188
-
C:\Windows\system32\reg.exeReg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\microphone\Microsoft.Win32WebViewHost_cw5n1h2txyewy" /v "Value" /t REG_SZ /d "Prompt" /f2⤵PID:4516
-
C:\Windows\system32\reg.exeReg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\phoneCall" /v "Value" /t REG_SZ /d "Deny" /f2⤵PID:4688
-
C:\Windows\system32\reg.exeReg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\phoneCallHistory" /v "Value" /t REG_SZ /d "Deny" /f2⤵PID:2344
-
C:\Windows\system32\reg.exeReg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\picturesLibrary" /v "Value" /t REG_SZ /d "Deny" /f2⤵PID:2540
-
C:\Windows\system32\reg.exeReg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\radios" /v "Value" /t REG_SZ /d "Deny" /f2⤵PID:116
-
C:\Windows\system32\reg.exeReg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\userNotificationListener" /v "Value" /t REG_SZ /d "Deny" /f2⤵PID:4092
-
C:\Windows\system32\reg.exeReg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\videosLibrary" /v "Value" /t REG_SZ /d "Deny" /f2⤵PID:1216
-
C:\Windows\system32\reg.exeReg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "PreInstalledAppsEnabled" /t REG_DWORD /d "0" /f2⤵PID:4144
-
C:\Windows\system32\reg.exeReg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "SilentInstalledAppsEnabled" /t REG_DWORD /d "0" /f2⤵PID:3776
-
C:\Windows\system32\reg.exeReg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "OemPreInstalledAppsEnabled" /t REG_DWORD /d "0" /f2⤵PID:5112
-
C:\Windows\system32\reg.exeReg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "ContentDeliveryAllowed" /t REG_DWORD /d "0" /f2⤵PID:2660
-
C:\Windows\system32\reg.exeReg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "SubscribedContentEnabled" /t REG_DWORD /d "0" /f2⤵PID:4024
-
C:\Windows\system32\reg.exeReg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "PreInstalledAppsEverEnabled" /t REG_DWORD /d "0" /f2⤵PID:4448
-
C:\Windows\system32\reg.exeReg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "SystemPaneSuggestionsEnabled" /t REG_DWORD /d "0" /f2⤵PID:4300
-
C:\Windows\system32\reg.exeReg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "SubscribedContent-338388Enabled" /t REG_DWORD /d "0" /f2⤵PID:924
-
C:\Windows\system32\reg.exeReg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "SubscribedContent-314559Enabled" /t REG_DWORD /d "0" /f2⤵PID:192
-
C:\Windows\system32\reg.exeReg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "SubscribedContent-280815Enabled" /t REG_DWORD /d "0" /f2⤵PID:2008
-
C:\Windows\system32\reg.exeReg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "SubscribedContent-314563Enabled" /t REG_DWORD /d "0" /f2⤵PID:4504
-
C:\Windows\system32\reg.exeReg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "SubscribedContent-338393Enabled" /t REG_DWORD /d "0" /f2⤵PID:4248
-
C:\Windows\system32\reg.exeReg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "SubscribedContent-353694Enabled" /t REG_DWORD /d "0" /f2⤵PID:1772
-
C:\Windows\system32\reg.exeReg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "SubscribedContent-353696Enabled" /t REG_DWORD /d "0" /f2⤵PID:2688
-
C:\Windows\system32\reg.exeReg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "SubscribedContent-310093Enabled" /t REG_DWORD /d "0" /f2⤵PID:2052
-
C:\Windows\system32\reg.exeReg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "SubscribedContent-202914Enabled" /t REG_DWORD /d "0" /f2⤵PID:540
-
C:\Windows\system32\reg.exeReg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "SubscribedContent-338387Enabled" /t REG_DWORD /d "0" /f2⤵PID:1120
-
C:\Windows\system32\reg.exeReg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "SubscribedContent-338389Enabled" /t REG_DWORD /d "0" /f2⤵PID:4488
-
C:\Windows\system32\reg.exeReg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "SubscribedContent-353698Enabled" /t REG_DWORD /d "0" /f2⤵PID:2492
-
C:\Windows\system32\reg.exeReg.exe add "HKU\\SOFTWARE\Microsoft\Windows\CurrentVersion\BackgroundAccessApplications" /v "GlobalUserDisabled" /t REG_DWORD /d "1" /f2⤵PID:1984
-
C:\Windows\system32\reg.exeReg.exe add "HKU\\SOFTWARE\Microsoft\Windows\CurrentVersion\Search" /v "BackgroundAppGlobalToggle" /t REG_DWORD /d "0" /f2⤵PID:2320
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\bam" /v "Start" /t REG_DWORD /d "4" /f2⤵PID:3752
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\dam" /v "Start" /t REG_DWORD /d "4" /f2⤵PID:4992
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\Spooler" /v "Start" /t REG_DWORD /d "4" /f2⤵PID:1096
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\PrintNotify" /v "Start" /t REG_DWORD /d "4" /f2⤵PID:1604
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\MapsBroker" /v "Start" /t REG_DWORD /d "4" /f2⤵PID:1904
-
C:\Windows\system32\sc.exesc stop DiagTrack2⤵
- Launches sc.exe
PID:2460 -
C:\Windows\system32\sc.exesc config DiagTrack start= disabled2⤵
- Launches sc.exe
PID:2024 -
C:\Windows\system32\sc.exesc stop dmwappushservice2⤵
- Launches sc.exe
PID:240 -
C:\Windows\system32\sc.exesc config dmwappushservice start= disabled2⤵
- Launches sc.exe
PID:3372 -
C:\Windows\system32\sc.exesc stop diagnosticshub.standardcollector.service2⤵
- Launches sc.exe
PID:4580 -
C:\Windows\system32\sc.exesc config diagnosticshub.standardcollector.service start= disabled2⤵
- Launches sc.exe
PID:1552 -
C:\Windows\system32\schtasks.exeschtasks /change /tn "\Microsoft\Windows\Application Experience\StartupAppTask" /disable2⤵PID:2876
-
C:\Windows\system32\schtasks.exeschtasks /end /tn "\Microsoft\Windows\DiskDiagnostic\Microsoft-Windows-DiskDiagnosticDataCollector"2⤵PID:2808
-
C:\Windows\system32\schtasks.exeschtasks /change /tn "\Microsoft\Windows\DiskDiagnostic\Microsoft-Windows-DiskDiagnosticDataCollector" /disable2⤵PID:3860
-
C:\Windows\system32\schtasks.exeschtasks /end /tn "\Microsoft\Windows\DiskDiagnostic\Microsoft-Windows-DiskDiagnosticResolver"2⤵PID:3820
-
C:\Windows\system32\schtasks.exeschtasks /change /tn "\Microsoft\Windows\DiskDiagnostic\Microsoft-Windows-DiskDiagnosticResolver" /disable2⤵PID:384
-
C:\Windows\system32\schtasks.exeschtasks /end /tn "\Microsoft\Windows\Power Efficiency Diagnostics\AnalyzeSystem"2⤵PID:3692
-
C:\Windows\system32\schtasks.exeschtasks /change /tn "\Microsoft\Windows\Power Efficiency Diagnostics\AnalyzeSystem" /disable2⤵PID:2576
-
C:\Windows\system32\reg.exeReg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\DeviceAccess\Global\{C1D23ACC-752B-43E5-8448-8D0E519CD6D6}" /v "Value" /t REG_SZ /d "Deny" /f2⤵PID:2496
-
C:\Windows\system32\timeout.exetimeout /t 1 /nobreak2⤵
- Delays execution with timeout.exe
PID:2488 -
C:\Windows\system32\reg.exeReg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\DeviceAccess\Global\{2297E4E2-5DBE-466D-A12B-0F8286F0D9CA}" /v "Value" /t REG_SZ /d "Deny" /f2⤵PID:4960
-
C:\Windows\system32\timeout.exetimeout /t 1 /nobreak2⤵
- Delays execution with timeout.exe
PID:4800 -
C:\Windows\system32\reg.exeReg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\DeviceAccess\Global\{7D7E8402-7C54-4821-A34E-AEEFD62DED93}" /v "Value" /t REG_SZ /d "Deny" /f2⤵PID:2364
-
C:\Windows\system32\timeout.exetimeout /t 1 /nobreak2⤵
- Delays execution with timeout.exe
PID:1492 -
C:\Windows\system32\reg.exeReg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\DeviceAccess\Global\{8BC668CF-7728-45BD-93F8-CF2B3B41D7AB}" /v "Value" /t REG_SZ /d "Deny" /f2⤵PID:2328
-
C:\Windows\system32\timeout.exetimeout /t 1 /nobreak2⤵
- Delays execution with timeout.exe
PID:1848 -
C:\Windows\system32\reg.exeReg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\DeviceAccess\Global\{9231CB4C-BF57-4AF3-8C55-FDA7BFCC04C5}" /v "Value" /t REG_SZ /d "Deny" /f2⤵PID:5040
-
C:\Windows\system32\timeout.exetimeout /t 1 /nobreak2⤵
- Delays execution with timeout.exe
PID:3336 -
C:\Windows\system32\reg.exeReg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\DeviceAccess\Global\{E390DF20-07DF-446D-B962-F5C953062741}" /v "Value" /t REG_SZ /d "Deny" /f2⤵PID:4432
-
C:\Windows\system32\reg.exeReg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\BTAGService" /v "Start" /t REG_DWORD /d "4" /f2⤵PID:3348
-
C:\Windows\system32\reg.exeReg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\bthserv" /v "Start" /t REG_DWORD /d "4" /f2⤵PID:4312
-
C:\Windows\system32\reg.exeReg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\BthAvctpSvc" /v "Start" /t REG_DWORD /d "4" /f2⤵PID:3828
-
C:\Windows\system32\reg.exeReg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\BluetoothUserService" /v "Start" /t REG_DWORD /d "4" /f2⤵PID:1588
-
C:\Windows\system32\auditpol.exeAuditpol /set /subcategory:"Process Termination" /success:disable /failure:enable2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1412 -
C:\Windows\system32\auditpol.exeAuditpol /set /subcategory:"RPC Events" /success:disable /failure:enable2⤵
- Suspicious use of AdjustPrivilegeToken
PID:4772 -
C:\Windows\system32\auditpol.exeAuditpol /set /subcategory:"Filtering Platform Connection" /success:disable /failure:enable2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2040 -
C:\Windows\system32\auditpol.exeAuditpol /set /subcategory:"DPAPI Activity" /success:disable /failure:disable2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1156 -
C:\Windows\system32\auditpol.exeAuditpol /set /subcategory:"IPsec Driver" /success:disable /failure:enable2⤵
- Suspicious use of AdjustPrivilegeToken
PID:940 -
C:\Windows\system32\auditpol.exeAuditpol /set /subcategory:"Other System Events" /success:disable /failure:enable2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2180 -
C:\Windows\system32\auditpol.exeAuditpol /set /subcategory:"Security State Change" /success:disable /failure:enable2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2764 -
C:\Windows\system32\auditpol.exeAuditpol /set /subcategory:"Security System Extension" /success:disable /failure:enable2⤵
- Suspicious use of AdjustPrivilegeToken
PID:4020 -
C:\Windows\system32\auditpol.exeAuditpol /set /subcategory:"System Integrity" /success:disable /failure:enable2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1952 -
C:\Windows\system32\reg.exeReg.exe add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\AutoLogger-Diagtrack-Listener" /v "Start" /t REG_DWORD /d "0" /f2⤵PID:2812
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DiagLog" /v "Start" /t REG_DWORD /d "0" /f2⤵PID:772
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\Diagtrack-Listener" /v "Start" /t REG_DWORD /d "0" /f2⤵PID:1192
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\WiFiSession" /v "Start" /t REG_DWORD /d "0" /f2⤵PID:1244
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SOFTWARE\Microsoft\SQMClient\IE" /v "CEIPEnable" /t REG_DWORD /d "0" /f2⤵PID:3028
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SOFTWARE\Microsoft\SQMClient\IE" /v "SqmLoggerRunning" /t REG_DWORD /d "0" /f2⤵PID:4512
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SOFTWARE\Microsoft\SQMClient\Reliability" /v "CEIPEnable" /t REG_DWORD /d "0" /f2⤵PID:4520
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SOFTWARE\Microsoft\SQMClient\Reliability" /v "SqmLoggerRunning" /t REG_DWORD /d "0" /f2⤵PID:2568
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SOFTWARE\Microsoft\SQMClient\Windows" /v "CEIPEnable" /t REG_DWORD /d "0" /f2⤵PID:4812
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SOFTWARE\Microsoft\SQMClient\Windows" /v "DisableOptinExperience" /t REG_DWORD /d "1" /f2⤵PID:3980
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SOFTWARE\Microsoft\SQMClient\Windows" /v "SqmLoggerRunning" /t REG_DWORD /d "0" /f2⤵PID:1124
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SOFTWARE\Policies\Microsoft\AppV\CEIP" /v "CEIPEnable" /t REG_DWORD /d 0 /f2⤵PID:4576
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Messenger\Client" /v "CEIP" /t REG_DWORD /d "2" /f2⤵PID:656
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SOFTWARE\Policies\Microsoft\SQMClient\Windows" /v "CEIPEnable" /t REG_DWORD /d 0 /f2⤵PID:2136
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\Software\Policies\Microsoft\Internet Explorer\SQM" /v "DisableCustomerImprovementProgram" /t REG_DWORD /d "0" /f2⤵PID:4716
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\Software\Policies\Microsoft\Windows\AppCompat" /v "DisablePCA" /t REG_DWORD /d "1" /f2⤵PID:2360
-
C:\Windows\system32\reg.exeReg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\SettingSync\Groups\Accessibility" /v "Enabled" /t REG_DWORD /d "0" /f2⤵PID:4388
-
C:\Windows\system32\reg.exeReg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\SettingSync\Groups\AppSync" /v "Enabled" /t REG_DWORD /d "0" /f2⤵PID:3080
-
C:\Windows\system32\reg.exeReg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\SettingSync\Groups\BrowserSettings" /v "Enabled" /t REG_DWORD /d "0" /f2⤵PID:4684
-
C:\Windows\system32\reg.exeReg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\SettingSync\Groups\Credentials" /v "Enabled" /t REG_DWORD /d "0" /f2⤵PID:4056
-
C:\Windows\system32\reg.exeReg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\SettingSync\Groups\DesktopTheme" /v "Enabled" /t REG_DWORD /d "0" /f2⤵PID:2604
-
C:\Windows\system32\reg.exeReg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\SettingSync\Groups\Language" /v "Enabled" /t REG_DWORD /d "0" /f2⤵PID:1224
-
C:\Windows\system32\reg.exeReg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\SettingSync\Groups\PackageState" /v "Enabled" /t REG_DWORD /d "0" /f2⤵PID:216
-
C:\Windows\system32\reg.exeReg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\SettingSync\Groups\Personalization" /v "Enabled" /t REG_DWORD /d "0" /f2⤵PID:328
-
C:\Windows\system32\reg.exeReg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\SettingSync\Groups\StartLayout" /v "Enabled" /t REG_DWORD /d "0" /f2⤵PID:5004
-
C:\Windows\system32\reg.exeReg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\SettingSync\Groups\Windows" /v "Enabled" /t REG_DWORD /d "0" /f2⤵PID:4680
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppCompat" /v "DisableInventory" /t REG_DWORD /d 1 /f2⤵PID:1736
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppCompat" /v "AITEnable" /t REG_DWORD /d 0 /f2⤵PID:4256
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppCompat" /v "DisableUAR" /t REG_DWORD /d 1 /f2⤵PID:4416
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppCompat" /v "VDMDisallowed" /t REG_DWORD /d 1 /f2⤵PID:2276
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppCompat" /v "DisableEngine" /t REG_DWORD /d 1 /f2⤵PID:4976
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppCompat" /v "DisableWizard" /t REG_DWORD /d 1 /f2⤵PID:992
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppCompat" /v "DisablePCA" /t REG_DWORD /d 1 /f2⤵PID:748
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppCompat" /v "SbEnable" /t REG_DWORD /d 0 /f2⤵PID:4492
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\Software\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-Application-Experience/Steps-Recorder" /v "Enabled" /t REG_DWORD /d "0" /f2⤵PID:3744
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\Software\Policies\Microsoft\DeviceHealthAttestationService" /v "DisableSendGenericDriverNotFoundToWER" /t REG_DWORD /d 1 /f2⤵PID:1660
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Settings" /v "DisableSendGenericDriverNotFoundToWER" /t REG_DWORD /d "1" /f2⤵PID:1596
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\DriverDatabase\Policies\Settings" /v "DisableSendGenericDriverNotFoundToWER" /t REG_DWORD /d "1" /f2⤵PID:2816
-
C:\Windows\system32\reg.exeReg.exe add "HKCU\Software\Policies\Microsoft\Windows\CloudContent" /v ConfigureWindowsSpotlight /t REG_DWORD /d 2 /f2⤵PID:3012
-
C:\Windows\system32\reg.exeReg.exe add "HKCU\Software\Policies\Microsoft\Windows\CloudContent" /v DisableThirdPartySuggestions /t REG_DWORD /d 1 /f2⤵PID:2700
-
C:\Windows\system32\reg.exeReg.exe add "HKCU\Software\Policies\Microsoft\Windows\CloudContent" /v DisableWindowsSpotlightFeatures /t REG_DWORD /d 1 /f2⤵PID:2648
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows\CloudContent" /v "DisableWindowsConsumerFeatures" /t REG_DWORD /d 1 /f2⤵PID:3344
-
C:\Windows\system32\reg.exeReg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "ContentDeliveryAllowed" /t REG_DWORD /d 0 /f2⤵PID:4748
-
C:\Windows\system32\reg.exeReg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "FeatureManagementEnabled" /t REG_DWORD /d 0 /f2⤵PID:2564
-
C:\Windows\system32\reg.exeReg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "OemPreInstalledAppsEnabled" /t REG_DWORD /d 0 /f2⤵PID:1496
-
C:\Windows\system32\reg.exeReg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "PreInstalledAppsEnabled" /t REG_DWORD /d 0 /f2⤵PID:3272
-
C:\Windows\system32\reg.exeReg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "PreInstalledAppsEverEnabled" /t REG_DWORD /d 0 /f2⤵PID:1872
-
C:\Windows\system32\reg.exeReg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "RemediationRequired" /t REG_DWORD /d 0 /f2⤵PID:4760
-
C:\Windows\system32\reg.exeReg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "SilentInstalledAppsEnabled" /t REG_DWORD /d 0 /f2⤵PID:3596
-
C:\Windows\system32\reg.exeReg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "SoftLandingEnabled" /t REG_DWORD /d 0 /f2⤵PID:3660
-
C:\Windows\system32\reg.exeReg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\UserProfileEngagement" /v "ScoobeSystemSettingEnabled" /t REG_DWORD /d 0 /f2⤵PID:3780
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "AllowOnlineTips" /t REG_DWORD /d 0 /f2⤵PID:1704
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\Software\Policies\Microsoft\PushToInstall" /v "DisablePushToInstall" /t REG_DWORD /d "1" /f2⤵PID:4752
-
C:\Windows\system32\reg.exeReg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "SystemPaneSuggestionsEnabled" /t REG_DWORD /d 0 /f2⤵PID:2520
-
C:\Windows\system32\reg.exeReg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "SubscribedContent-310093Enabled" /t REG_DWORD /d 0 /f2⤵PID:1920
-
C:\Windows\system32\reg.exeReg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "SubscribedContent-338388Enabled" /t REG_DWORD /d 0 /f2⤵PID:4800
-
C:\Windows\system32\reg.exeReg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "SubscribedContent-338389Enabled" /t REG_DWORD /d 0 /f2⤵PID:2364
-
C:\Windows\system32\reg.exeReg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "SubscribedContent-353698Enabled" /t REG_DWORD /d 0 /f2⤵PID:1492
-
C:\Windows\system32\reg.exeReg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "SubscribedContent-338387Enabled" /t REG_DWORD /d 0 /f2⤵PID:2328
-
C:\Windows\system32\reg.exeReg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "SubscribedContent-338393Enabled" /t REG_DWORD /d 0 /f2⤵PID:3440
-
C:\Windows\system32\reg.exeReg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "SubscribedContent-353694Enabled" /t REG_DWORD /d 0 /f2⤵PID:1148
-
C:\Windows\system32\reg.exeReg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "SubscribedContent-353696Enabled" /t REG_DWORD /d 0 /f2⤵PID:1832
-
C:\Windows\system32\reg.exeReg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "SubscribedContent-314563Enabled" /t REG_DWORD /d 0 /f2⤵PID:4836
-
C:\Windows\system32\reg.exeReg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "SubscribedContent-314559Enabled" /t REG_DWORD /d 0 /f2⤵PID:3832
-
C:\Windows\system32\schtasks.exeschtasks /end /tn "\Microsoft\Windows\Customer Experience Improvement Program\Consolidator"2⤵PID:3808
-
C:\Windows\system32\schtasks.exeschtasks /change /tn "\Microsoft\Windows\Customer Experience Improvement Program\Consolidator" /disable2⤵PID:3300
-
C:\Windows\system32\schtasks.exeschtasks /end /tn "\Microsoft\Windows\Customer Experience Improvement Program\BthSQM"2⤵PID:2476
-
C:\Windows\system32\schtasks.exeschtasks /change /tn "\Microsoft\Windows\Customer Experience Improvement Program\BthSQM" /disable2⤵PID:456
-
C:\Windows\system32\schtasks.exeschtasks /end /tn "\Microsoft\Windows\Customer Experience Improvement Program\KernelCeipTask"2⤵PID:3696
-
C:\Windows\system32\schtasks.exeschtasks /change /tn "\Microsoft\Windows\Customer Experience Improvement Program\KernelCeipTask" /disable2⤵PID:4000
-
C:\Windows\system32\schtasks.exeschtasks /end /tn "\Microsoft\Windows\Customer Experience Improvement Program\UsbCeip"2⤵PID:1144
-
C:\Windows\system32\schtasks.exeschtasks /change /tn "\Microsoft\Windows\Customer Experience Improvement Program\UsbCeip" /disable2⤵PID:3856
-
C:\Windows\system32\schtasks.exeschtasks /end /tn "\Microsoft\Windows\Customer Experience Improvement Program\Uploader"2⤵PID:3688
-
C:\Windows\system32\schtasks.exeschtasks /change /tn "\Microsoft\Windows\Customer Experience Improvement Program\Uploader" /disable2⤵PID:4396
-
C:\Windows\system32\schtasks.exeschtasks /end /tn "\Microsoft\Windows\Application Experience\Microsoft Compatibility Appraiser"2⤵PID:3992
-
C:\Windows\system32\schtasks.exeschtasks /change /tn "\Microsoft\Windows\Application Experience\Microsoft Compatibility Appraiser" /disable2⤵PID:4212
-
C:\Windows\system32\schtasks.exeschtasks /end /tn "\Microsoft\Windows\Application Experience\ProgramDataUpdater"2⤵PID:4080
-
C:\Windows\system32\schtasks.exeschtasks /change /tn "\Microsoft\Windows\Application Experience\ProgramDataUpdater" /disable2⤵PID:4896
-
C:\Windows\system32\schtasks.exeschtasks /end /tn "\Microsoft\Windows\Application Experience\StartupAppTask"2⤵PID:1940
-
C:\Windows\system32\schtasks.exeschtasks /end /tn "\Microsoft\Windows\Shell\FamilySafetyMonitor"2⤵PID:4048
-
C:\Windows\system32\schtasks.exeschtasks /change /tn "\Microsoft\Windows\Shell\FamilySafetyMonitor" /disable2⤵PID:3948
-
C:\Windows\system32\schtasks.exeschtasks /end /tn "\Microsoft\Windows\Shell\FamilySafetyRefresh"2⤵PID:3800
-
C:\Windows\system32\schtasks.exeschtasks /change /tn "\Microsoft\Windows\Shell\FamilySafetyRefresh" /disable2⤵PID:1976
-
C:\Windows\system32\schtasks.exeschtasks /end /tn "\Microsoft\Windows\Shell\FamilySafetyUpload"2⤵PID:1708
-
C:\Windows\system32\schtasks.exeschtasks /change /tn "\Microsoft\Windows\Shell\FamilySafetyUpload" /disable2⤵PID:1932
-
C:\Windows\system32\schtasks.exeschtasks /end /tn "\Microsoft\Windows\Maintenance\WinSAT"2⤵PID:3188
-
C:\Windows\system32\timeout.exetimeout /t 1 /nobreak2⤵
- Delays execution with timeout.exe
PID:4516 -
C:\Windows\system32\reg.exeReg.exe add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Device Metadata" /v "PreventDeviceMetadataFromNetwork" /t REG_DWORD /d "1" /f2⤵PID:4688
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\DataCollection" /v "AllowTelemetry" /t REG_DWORD /d "0" /f2⤵PID:2344
-
C:\Windows\system32\reg.exeReg.exe add "HKCU\SOFTWARE\Microsoft\InputPersonalization" /v "RestrictImplicitInkCollection" /t REG_DWORD /d "1" /f2⤵PID:2540
-
C:\Windows\system32\reg.exeReg.exe add "HKCU\SOFTWARE\Microsoft\InputPersonalization" /v "RestrictImplicitTextCollection" /t REG_DWORD /d "1" /f2⤵PID:116
-
C:\Windows\system32\reg.exeReg.exe add "HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Sensor\Permissions\{BFA794E4-F964-4FDB-90F6-51056BFE4B44}" /v "SensorPermissionState" /t REG_DWORD /d "0" /f2⤵PID:4092
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Sensor\Overrides\{BFA794E4-F964-4FDB-90F6-51056BFE4B44}" /v "SensorPermissionState" /t REG_DWORD /d "0" /f2⤵PID:1216
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WUDF" /v "LogEnable" /t REG_DWORD /d "0" /f2⤵PID:4144
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WUDF" /v "LogLevel" /t REG_DWORD /d "0" /f2⤵PID:3776
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows\DataCollection" /v "AllowTelemetry" /t REG_DWORD /d "0" /f2⤵PID:5112
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows\DataCollection" /v "DoNotShowFeedbackNotifications" /t REG_DWORD /d "1" /f2⤵PID:2660
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows\DataCollection" /v "AllowCommercialDataPipeline" /t REG_DWORD /d "0" /f2⤵PID:4024
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows\DataCollection" /v "AllowDeviceNameInTelemetry" /t REG_DWORD /d "0" /f2⤵PID:4448
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows\DataCollection" /v "LimitEnhancedDiagnosticDataWindowsAnalytics" /t REG_DWORD /d "0" /f2⤵PID:4300
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows\DataCollection" /v "MicrosoftEdgeDataOptIn" /t REG_DWORD /d "0" /f2⤵PID:924
-
C:\Windows\system32\reg.exeReg.exe add "HKCU\SOFTWARE\Microsoft\Siuf\Rules" /v "NumberOfSIUFInPeriod" /t REG_DWORD /d "0" /f2⤵PID:192
-
C:\Windows\system32\reg.exeReg.exe add "HKCU\SOFTWARE\Microsoft\Siuf\Rules" /v "PeriodInNanoSeconds" /t REG_DWORD /d "0" /f2⤵PID:2008
-
C:\Windows\system32\reg.exeReg.exe add "HKCU\SOFTWARE\Policies\Microsoft\Assistance\Client\1.0" /v "NoExplicitFeedback" /t REG_DWORD /d "1" /f2⤵PID:4504
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Assistance\Client\1.0" /v "NoActiveHelp" /t REG_DWORD /d "1" /f2⤵PID:4248
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppCompat" /v "DisableInventory" /t REG_DWORD /d "1" /f2⤵PID:1772
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppCompat" /v "AITEnable" /t REG_DWORD /d "0" /f2⤵PID:2688
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppCompat" /v "DisableUAR" /t REG_DWORD /d "1" /f2⤵PID:2052
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows\TabletPC" /v "PreventHandwritingDataSharing" /t REG_DWORD /d "1" /f2⤵PID:540
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows\TabletPC" /v "DoSvc" /t REG_DWORD /d "3" /f2⤵PID:1120
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows\LocationAndSensors" /v "DisableLocation" /t REG_DWORD /d "1" /f2⤵PID:4488
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows\LocationAndSensors" /v "DisableLocationScripting" /t REG_DWORD /d "1" /f2⤵PID:2492
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows\LocationAndSensors" /v "DisableSensors" /t REG_DWORD /d "1" /f2⤵PID:1984
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows\LocationAndSensors" /v "DisableWindowsLocationProvider" /t REG_DWORD /d "1" /f2⤵PID:2320
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SOFTWARE\Policies\Microsoft\DeviceHealthAttestationService" /v "DisableSendGenericDriverNotFoundToWER" /t REG_DWORD /d "1" /f2⤵PID:3752
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Settings" /v "DisableSendGenericDriverNotFoundToWER" /t REG_DWORD /d "1" /f2⤵PID:4992
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\DriverDatabase\Policies\Settings" /v "DisableSendGenericDriverNotFoundToWER" /t REG_DWORD /d "1" /f2⤵PID:1096
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows\System" /v "PublishUserActivities" /t REG_DWORD /d "0" /f2⤵PID:1604
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows\System" /v "EnableActivityFeed" /t REG_DWORD /d "0" /f2⤵PID:1904
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows\System" /v "UploadUserActivities" /t REG_DWORD /d "0" /f2⤵PID:1328
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SOFTWARE\Policies\Microsoft\SQMClient\Windows" /v "CEIPEnable" /t REG_DWORD /d "0" /f2⤵PID:2728
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SOFTWARE\Microsoft\SQMClient\Reliability" /v "CEIPEnable" /t REG_DWORD /d "0" /f2⤵PID:3044
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SOFTWARE\Microsoft\SQMClient\Reliability" /v "SqmLoggerRunning" /t REG_DWORD /d "0" /f2⤵PID:2716
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SOFTWARE\Microsoft\SQMClient\Windows" /v "CEIPEnable" /t REG_DWORD /d "0" /f2⤵PID:3420
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SOFTWARE\Microsoft\SQMClient\Windows" /v "DisableOptinExperience" /t REG_DWORD /d "1" /f2⤵PID:1552
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SOFTWARE\Microsoft\SQMClient\Windows" /v "SqmLoggerRunning" /t REG_DWORD /d "0" /f2⤵PID:4572
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SOFTWARE\Microsoft\SQMClient\IE" /v "SqmLoggerRunning" /t REG_DWORD /d "0" /f2⤵PID:3604
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows\HandwritingErrorReports" /v "PreventHandwritingErrorReports" /t REG_DWORD /d "1" /f2⤵PID:2464
-
C:\Windows\system32\reg.exeReg.exe add "HKCU\SOFTWARE\Microsoft\MediaPlayer\Preferences" /v "UsageTracking" /t REG_DWORD /d "0" /f2⤵PID:3820
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows\CloudContent" /v "DisableSoftLanding" /t REG_DWORD /d "1" /f2⤵PID:3784
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Peernet" /v "Disabled" /t REG_DWORD /d "0" /f2⤵PID:1820
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config" /v DODownloadMode /t REG_DWORD /d "0" /f2⤵PID:2576
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SOFTWARE\Microsoft\PolicyManager\default\WiFi\AllowWiFiHotSpotReporting" /v value /t REG_DWORD /d "0" /f2⤵PID:2496
-
C:\Windows\system32\reg.exeReg.exe add "HKCU\SOFTWARE\Microsoft\InputPersonalization\TrainedDataStore" /v "HarvestContacts" /t REG_DWORD /d "0" /f2⤵PID:2032
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AdvertisingInfo" /v "Enabled" /t REG_DWORD /d "0" /f2⤵PID:4424
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AdvertisingInfo" /v "DisabledByGroupPolicy" /t REG_DWORD /d "1" /f2⤵PID:4592
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SOFTWARE\Policies\Microsoft\MRT" /v "DontOfferThroughWUAU" /t REG_DWORD /d "1" /f2⤵PID:2248
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Biometrics" /v "Enabled" /t REG_DWORD /d "0" /f2⤵PID:3876
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\dmwappushservice" /v "Start" /t REG_DWORD /d "4" /f2⤵PID:1628
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\DriverDatabase\Policies\Settings" /v "DisableSendGenericDriverNotFoundToWER" /t REG_DWORD /d "1" /f2⤵PID:4364
-
C:\Windows\system32\reg.exeReg.exe add "HKCU\Control Panel\International\User Profile" /v "HttpAcceptLanguageOptOut" /t REG_DWORD /d "1" /f2⤵PID:1640
-
C:\Windows\system32\reg.exeReg.exe add "HKCU\SOFTWARE\Microsoft\GameBar" /v "AllowAutoGameMode" /t REG_DWORD /d "1" /f2⤵PID:1016
-
C:\Windows\system32\reg.exeReg.exe add "HKCU\SOFTWARE\Microsoft\GameBar" /v "AutoGameModeEnabled" /t REG_DWORD /d "1" /f2⤵PID:4480
-
C:\Windows\system32\reg.exeReg.exe add "HKCU\SOFTWARE\Microsoft\GameBar" /v "AllowAutoGameMode" /t REG_DWORD /d "0" /f2⤵PID:1168
-
C:\Windows\system32\reg.exeReg.exe add "HKCU\SOFTWARE\Microsoft\GameBar" /v "AutoGameModeEnabled" /t REG_DWORD /d "0" /f2⤵PID:4600
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search" /v "AllowCortana" /t REG_DWORD /d "0" /f2⤵PID:5040
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search" /v "AllowCloudSearch" /t REG_DWORD /d "0" /f2⤵PID:3336
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search" /v "AllowCortanaAboveLock" /t REG_DWORD /d "0" /f2⤵PID:4432
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search" /v "AllowSearchToUseLocation" /t REG_DWORD /d "0" /f2⤵PID:3348
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search" /v "ConnectedSearchUseWeb" /t REG_DWORD /d "0" /f2⤵PID:4312
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search" /v "ConnectedSearchUseWebOverMeteredConnections" /t REG_DWORD /d "0" /f2⤵PID:3828
-
C:\Windows\system32\reg.exe Reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search" /v "DisableWebSearch" /t REG_DWORD /d "0" /f 2⤵ PID:1588
- C:\Windows\system32\reg.exe Reg.exe add "HKLM\Software\Policies\Microsoft\Windows\DataCollection" /v "DoNotShowFeedbackNotifications" /t REG_DWORD /d "1" /f 2⤵ PID:3680
- C:\Windows\system32\reg.exe Reg.exe add "HKCU\SOFTWARE\Microsoft\Siuf\Rules" /v "NumberOfSIUFInPeriod" /t REG_DWORD /d "0" /f 2⤵ PID:460
- C:\Windows\system32\reg.exe Reg.exe add "HKCU\SOFTWARE\Microsoft\Siuf\Rules" /v "PeriodInNanoSeconds" /t REG_DWORD /d "0" /f 2⤵ PID:396
- C:\Windows\system32\reg.exe Reg.exe add "HKCU\Software\Policies\Microsoft\Assistance\Client\1.0" /v "NoExplicitFeedback" /t REG_DWORD /d "1" /f 2⤵ PID:3636
- C:\Windows\system32\reg.exe Reg.exe add "HKCU\SOFTWARE\Microsoft\Assistance\Client\1.0\Settings" /v "ImplicitFeedback" /t REG_DWORD /d "0" /f 2⤵ PID:1028
- C:\Windows\system32\sc.exe sc stop WerSvc 2⤵ PID:4344
  - Launches sc.exe
- C:\Windows\system32\sc.exe sc config WerSvc start= disabled 2⤵ PID:524
  - Launches sc.exe
- C:\Windows\system32\reg.exe Reg.exe add "HKCU\Control Panel\International\User Profile" /v "HttpAcceptLanguageOptOut" /t REG_DWORD /d "1" /f 2⤵ PID:4896
- C:\Windows\system32\reg.exe Reg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\AdvertisingInfo" /v "Enabled" /t REG_DWORD /d "0" /f 2⤵ PID:1940
- C:\Windows\system32\reg.exe Reg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\AppHost" /v "EnableWebContentEvaluation" /t REG_DWORD /d "0" /f 2⤵ PID:4048
- C:\Windows\system32\reg.exe Reg.exe add "HKCU\SOFTWARE\Microsoft\Windows\Windows Error Reporting" /v "DontShowUI" /t REG_DWORD /d "1" /f 2⤵ PID:3948
- C:\Windows\system32\reg.exe Reg.exe add "HKCU\Software\Microsoft\Windows\Windows Error Reporting" /v "Disabled" /t REG_DWORD /d "1" /f 2⤵ PID:3800
- C:\Windows\system32\reg.exe Reg.exe add "HKCU\Software\Microsoft\Windows\Windows Error Reporting" /v "DontSendAdditionalData" /t REG_DWORD /d "1" /f 2⤵ PID:1976
- C:\Windows\system32\reg.exe Reg.exe add "HKCU\Software\Microsoft\Windows\Windows Error Reporting" /v "LoggingDisabled" /t REG_DWORD /d "1" /f 2⤵ PID:1708
- C:\Windows\system32\reg.exe Reg.exe add "HKCU\Software\Microsoft\Windows\Windows Error Reporting\Consent" /v "DefaultConsent" /t REG_DWORD /d "0" /f 2⤵ PID:1932
- C:\Windows\system32\reg.exe Reg.exe add "HKCU\Software\Microsoft\Windows\Windows Error Reporting\Consent" /v "DefaultOverrideBehavior" /t REG_DWORD /d "1" /f 2⤵ PID:3188
- C:\Windows\system32\reg.exe Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows\Windows Error Reporting" /v "DontShowUI" /t REG_DWORD /d 1 /f 2⤵ PID:4516
- C:\Windows\system32\reg.exe Reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\PCHealth\ErrorReporting" /v "DoReport" /t REG_DWORD /d "0" /f 2⤵ PID:4688
- C:\Windows\system32\reg.exe Reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AdvertisingInfo" /v "DisabledByGroupPolicy" /t REG_DWORD /d "1" /f 2⤵ PID:2344
- C:\Windows\system32\reg.exe Reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows\HandwritingErrorReports" /v "PreventHandwritingErrorReports" /t REG_DWORD /d 1 /f 2⤵ PID:2540
- C:\Windows\system32\reg.exe Reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows\TabletPC" /v "PreventHandwritingDataSharing" /t REG_DWORD /d 1 /f 2⤵ PID:116
- C:\Windows\system32\reg.exe Reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting" /v "AutoApproveOSDumps" /t REG_DWORD /d 0 /f 2⤵ PID:4092
- C:\Windows\system32\reg.exe Reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting" /v "Disabled" /t REG_DWORD /d 1 /f 2⤵ PID:1216
- C:\Windows\system32\reg.exe Reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting" /v "DontSendAdditionalData" /t REG_DWORD /d 1 /f 2⤵ PID:4144
- C:\Windows\system32\reg.exe Reg.exe add "HKLM\Software\Microsoft\PCHealth\ErrorReporting" /v "ShowUI" /t REG_DWORD /d "0" /f 2⤵ PID:3776
- C:\Windows\system32\reg.exe Reg.exe add "HKCU\Control Panel\International\User Profile" /v "HttpAcceptLanguageOptOut" /t REG_DWORD /d "1" /f 2⤵ PID:5112
- C:\Windows\system32\reg.exe Reg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\AdvertisingInfo" /v "Enabled" /t REG_DWORD /d "0" /f 2⤵ PID:2660
- C:\Windows\system32\reg.exe Reg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\AppHost" /v "EnableWebContentEvaluation" /t REG_DWORD /d "0" /f 2⤵ PID:4024
- C:\Windows\system32\reg.exe Reg.exe add "HKCU\SOFTWARE\Microsoft\Windows\Windows Error Reporting" /v "DontShowUI" /t REG_DWORD /d "1" /f 2⤵ PID:4448
- C:\Windows\system32\reg.exe Reg.exe add "HKCU\Software\Microsoft\Windows\Windows Error Reporting" /v "Disabled" /t REG_DWORD /d "1" /f 2⤵ PID:4300
- C:\Windows\system32\reg.exe Reg.exe add "HKCU\Software\Microsoft\Windows\Windows Error Reporting" /v "DontSendAdditionalData" /t REG_DWORD /d "1" /f 2⤵ PID:924
- C:\Windows\system32\reg.exe Reg.exe add "HKCU\Software\Microsoft\Windows\Windows Error Reporting" /v "LoggingDisabled" /t REG_DWORD /d "1" /f 2⤵ PID:192
- C:\Windows\system32\reg.exe Reg.exe add "HKCU\Software\Microsoft\Windows\Windows Error Reporting\Consent" /v "DefaultConsent" /t REG_DWORD /d "0" /f 2⤵ PID:2008
- C:\Windows\system32\reg.exe Reg.exe add "HKCU\Software\Microsoft\Windows\Windows Error Reporting\Consent" /v "DefaultOverrideBehavior" /t REG_DWORD /d "1" /f 2⤵ PID:4504
- C:\Windows\system32\reg.exe Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows\Windows Error Reporting" /v "DontShowUI" /t REG_DWORD /d 1 /f 2⤵ PID:4248
- C:\Windows\system32\reg.exe Reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\PCHealth\ErrorReporting" /v "DoReport" /t REG_DWORD /d "0" /f 2⤵ PID:1772
- C:\Windows\system32\reg.exe Reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AdvertisingInfo" /v "DisabledByGroupPolicy" /t REG_DWORD /d "1" /f 2⤵ PID:2688
- C:\Windows\system32\reg.exe Reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows\HandwritingErrorReports" /v "PreventHandwritingErrorReports" /t REG_DWORD /d 1 /f 2⤵ PID:2052
- C:\Windows\system32\reg.exe Reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows\TabletPC" /v "PreventHandwritingDataSharing" /t REG_DWORD /d 1 /f 2⤵ PID:540
- C:\Windows\system32\reg.exe Reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting" /v "AutoApproveOSDumps" /t REG_DWORD /d 0 /f 2⤵ PID:1120
- C:\Windows\system32\reg.exe Reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting" /v "Disabled" /t REG_DWORD /d 1 /f 2⤵ PID:4488
- C:\Windows\system32\reg.exe Reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting" /v "DontSendAdditionalData" /t REG_DWORD /d 1 /f 2⤵ PID:2492
- C:\Windows\system32\reg.exe Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\W3SVC" /v Start /t REG_DWORD /d 0 /f 2⤵ PID:1984
- C:\Windows\system32\reg.exe Reg.exe add "HKLM\Software\Microsoft\PCHealth\ErrorReporting" /v "ShowUI" /t REG_DWORD /d "0" /f 2⤵ PID:2320
- C:\Windows\system32\reg.exe Reg.exe add "HKLM\Software\Microsoft\Windows\Windows Error Reporting" /v "Disabled" /t REG_DWORD /d "1" /f 2⤵ PID:3752
- C:\Windows\system32\reg.exe Reg.exe add "HKLM\Software\Microsoft\Windows\Windows Error Reporting" /v "DontSendAdditionalData" /t REG_DWORD /d "1" /f 2⤵ PID:4992
- C:\Windows\system32\reg.exe Reg.exe add "HKLM\Software\Microsoft\Windows\Windows Error Reporting" /v "DontShowUI" /t REG_DWORD /d "1" /f 2⤵ PID:1096
- C:\Windows\system32\reg.exe Reg.exe add "HKLM\Software\Microsoft\Windows\Windows Error Reporting" /v "LoggingDisabled" /t REG_DWORD /d "1" /f 2⤵ PID:1604
- C:\Windows\system32\reg.exe Reg.exe add "HKLM\Software\Microsoft\Windows\Windows Error Reporting\Consent" /v "DefaultConsent" /t REG_DWORD /d "0" /f 2⤵ PID:1904
- C:\Windows\system32\reg.exe Reg.exe add "HKLM\Software\Microsoft\Windows\Windows Error Reporting\Consent" /v "DefaultOverrideBehavior" /t REG_DWORD /d "1" /f 2⤵ PID:1328
- C:\Windows\system32\reg.exe Reg.exe add "HKLM\Software\Microsoft\Windows\Windows Error Reporting" /v "Disabled" /t REG_DWORD /d "1" /f 2⤵ PID:2728
- C:\Windows\system32\reg.exe Reg.exe add "HKLM\Software\Microsoft\Windows\Windows Error Reporting" /v "DontSendAdditionalData" /t REG_DWORD /d "1" /f 2⤵ PID:3044
- C:\Windows\system32\reg.exe Reg.exe add "HKLM\Software\Microsoft\Windows\Windows Error Reporting" /v "DontShowUI" /t REG_DWORD /d "1" /f 2⤵ PID:2716
- C:\Windows\system32\reg.exe Reg.exe add "HKLM\Software\Microsoft\Windows\Windows Error Reporting" /v "LoggingDisabled" /t REG_DWORD /d "1" /f 2⤵ PID:3420
- C:\Windows\system32\reg.exe Reg.exe add "HKLM\Software\Microsoft\Windows\Windows Error Reporting\Consent" /v "DefaultConsent" /t REG_DWORD /d "0" /f 2⤵ PID:1552
- C:\Windows\system32\reg.exe Reg.exe add "HKLM\Software\Microsoft\Windows\Windows Error Reporting\Consent" /v "DefaultOverrideBehavior" /t REG_DWORD /d "1" /f 2⤵ PID:4572
- C:\Windows\system32\reg.exe Reg.exe add "HKLM\SOFTWARE\Microsoft\FTH" /v "Enabled" /t REG_DWORD /d "0" /f 2⤵ PID:3604
- C:\Windows\system32\reg.exe Reg.exe delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\MicrosoftEdgeUpdateTaskMachineCore" /f 2⤵ PID:2464
- C:\Windows\system32\reg.exe Reg.exe delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\MicrosoftEdgeUpdateTaskMachineUA" /f 2⤵ PID:3820
- C:\Windows\system32\reg.exe Reg.exe add "HKLM\SOFTWARE\Policies\Google\Chrome" /v "StartupBoostEnabled" /t REG_DWORD /d "0" /f 2⤵ PID:3784
- C:\Windows\system32\reg.exe Reg.exe add "HKLM\SOFTWARE\Policies\Google\Chrome" /v "BackgroundModeEnabled" /t REG_DWORD /d "0" /f 2⤵ PID:2652
- C:\Windows\system32\reg.exe Reg.exe add "HKCU\SOFTWARE\Microsoft\Windows\DWM" /v "UseDpiScaling" /t REG_DWORD /d "0" /f 2⤵ PID:3788
- C:\Windows\system32\reg.exe Reg.exe add "HKCU\Software\Microsoft\Multimedia\Audio" /v "UserDuckingPreference" /t REG_DWORD /d "3" /f 2⤵ PID:4068
- C:\Windows\system32\reg.exe Reg.exe add "HKLM\Software\Microsoft\Windows\CurrentVersion\Authentication\LogonUI\BootAnimation" /v "DisableStartupSound" /t REG_DWORD /d "1" /f 2⤵ PID:4252
- C:\Windows\system32\reg.exe Reg.exe add "HKCU\Control Panel\Mouse" /v "MouseSpeed" /t REG_SZ /d "0" /f 2⤵ PID:1080
- C:\Windows\system32\reg.exe Reg.exe add "HKCU\Control Panel\Mouse" /v "MouseThreshold1" /t REG_SZ /d "0" /f 2⤵ PID:2244
- C:\Windows\system32\reg.exe Reg.exe add "HKCU\Control Panel\Mouse" /v "MouseThreshold2" /t REG_SZ /d "0" /f 2⤵ PID:2908
- C:\Windows\system32\reg.exe Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "ctfmon" /t REG_SZ /d "C:\Windows\System32\ctfmon.exe" /f 2⤵ PID:404
  - Adds Run key to start application
- C:\Windows\system32\reg.exe Reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\VideoSettings" /v "VideoQualityOnBattery" /t REG_DWORD /d "1" /f 2⤵ PID:2272
- C:\Windows\system32\reg.exe Reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "IconsOnly" /t REG_DWORD /d "0" /f 2⤵ PID:1848
- C:\Windows\system32\reg.exe Reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "ListviewShadow" /t REG_DWORD /d "0" /f 2⤵ PID:1632
- C:\Windows\system32\reg.exe Reg.exe add "HKLM\Software\Policies\Microsoft\Windows\DataCollection" /v "AllowTelemetry" /t REG_DWORD /d "0" /f 2⤵ PID:4940
- C:\Windows\system32\reg.exe Reg.exe add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\DataCollection" /v "AllowTelemetry" /t REG_DWORD /d "0" /f 2⤵ PID:4440
- C:\Windows\system32\reg.exe Reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows\DataCollection" /v "AllowDeviceNameInTelemetry" /t REG_DWORD /d "0" /f 2⤵ PID:4736
- C:\Windows\system32\reg.exe Reg.exe add "HKLM\Software\Policies\Microsoft\Windows\safer\codeidentifiers" /v "authenticodeenabled" /t REG_DWORD /d "0" /f 2⤵ PID:1556
- C:\Windows\system32\reg.exe Reg.exe add "HKLM\Software\Policies\Microsoft\Windows\Windows Error Reporting" /v "DontSendAdditionalData" /t REG_DWORD /d "1" /f 2⤵ PID:4604
- C:\Windows\system32\reg.exe Reg.exe add "HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Policies\DataCollection" /v "AllowTelemetry" /t REG_DWORD /d "0" /f 2⤵ PID:4912
- C:\Windows\system32\reg.exe Reg.exe add "HKCU\SOFTWARE\Microsoft\Speech_OneCore\Settings\OnlineSpeechPrivacy" /v "HasAccepted" /t REG_DWORD /d "0" /f 2⤵ PID:520
- C:\Windows\system32\reg.exe Reg.exe add "HKCU\SOFTWARE\Microsoft\Personalization\Settings" /v "AcceptedPrivacyPolicy" /t REG_DWORD /d "0" /f 2⤵ PID:4672
- C:\Windows\system32\reg.exe Reg.exe add "HKCU\SOFTWARE\Microsoft\InputPersonalization" /v "RestrictImplicitInkCollection" /t REG_DWORD /d "1" /f 2⤵ PID:3940
- C:\Windows\system32\reg.exe Reg.exe add "HKCU\SOFTWARE\Microsoft\InputPersonalization" /v "RestrictImplicitTextCollection" /t REG_DWORD /d "1" /f 2⤵ PID:472
- C:\Windows\system32\reg.exe Reg.exe add "HKCU\SOFTWARE\Microsoft\InputPersonalization\TrainedDataStore" /v "HarvestContacts" /t REG_DWORD /d "0" /f 2⤵ PID:1412
- C:\Windows\system32\reg.exe Reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows\DataCollection" /v "AllowTelemetry" /t REG_DWORD /d "0" /f 2⤵ PID:4772
- C:\Windows\system32\reg.exe Reg.exe add "HKU\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Settings" /v "DownloadMode" /t REG_DWORD /d "0" /f 2⤵ PID:2040
  - Modifies data under HKEY_USERS
- C:\Windows\system32\reg.exe Reg.exe add "HKCU\Control Panel\International\User Profile" /v "HttpAcceptLanguageOptOut" /t REG_DWORD /d "1" /f 2⤵ PID:1156
- C:\Windows\system32\reg.exe Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\DriverSearching" /v "SearchOrderConfig" /t REG_DWORD /d "0" /f 2⤵ PID:940
- C:\Windows\system32\reg.exe Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Device Metadata" /v "PreventDeviceMetadataFromNetwork" /t REG_DWORD /d "1" /f 2⤵ PID:2940
- C:\Windows\system32\reg.exe Reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU" /v "NoAutoUpdate" /t REG_DWORD /d "1" /f 2⤵ PID:4080
- C:\Windows\system32\reg.exe Reg.exe add "HKCU\Software\Microsoft\Windows\DWM" /v "EnableAeroPeek" /t REG_DWORD /d "0" /f 2⤵ PID:3368
- C:\Windows\system32\reg.exe Reg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\location" /v "Value" /t REG_SZ /d "Deny" /f 2⤵ PID:1936
- C:\Windows\system32\reg.exe Reg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\appDiagnostics" /v "Value" /t REG_SZ /d "Deny" /f 2⤵ PID:1940
- C:\Windows\system32\reg.exe Reg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\userAccountInformation" /v "Value" /t REG_SZ /d "Deny" /f 2⤵ PID:560
- C:\Windows\system32\reg.exe Reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "SilentInstalledAppsEnabled" /t REG_DWORD /d "0" /f 2⤵ PID:3664
- C:\Windows\system32\reg.exe Reg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "SystemPaneSuggestionsEnabled" /t REG_DWORD /d "0" /f 2⤵ PID:4176
- C:\Windows\system32\reg.exe Reg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "SoftLandingEnabled" /t REG_DWORD /d "0" /f 2⤵ PID:2116
- C:\Windows\system32\reg.exe Reg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "RotatingLockScreenEnabled" /t REG_DWORD /d "0" /f 2⤵ PID:3976
- C:\Windows\system32\reg.exe Reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows\System" /v "PublishUserActivities" /t REG_DWORD /d "0" /f 2⤵ PID:2528
- C:\Windows\system32\reg.exe Reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows\System" /v "UploadUserActivities" /t REG_DWORD /d "0" /f 2⤵ PID:4512
- C:\Windows\system32\reg.exe Reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\BackgroundAccessApplications" /v "GlobalUserDisabled" /t REG_DWORD /d "1" /f 2⤵ PID:3616
- C:\Windows\system32\reg.exe Reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\Search" /v "BackgroundAppGlobalToggle" /t REG_DWORD /d "0" /f 2⤵ PID:1220
- C:\Windows\system32\reg.exe Reg.exe add "HKLM\Software\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config" /v "DownloadMode" /t REG_DWORD /d "0" /f 2⤵ PID:5044
- C:\Windows\system32\reg.exe Reg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\PushNotifications" /v "ToastEnabled" /t REG_DWORD /d "0" /f 2⤵ PID:3984
- C:\Windows\system32\reg.exe Reg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Notifications\Settings" /v "NOC_GLOBAL_SETTING_ALLOW_NOTIFICATION_SOUND" /t REG_DWORD /d "0" /f 2⤵ PID:2636
- C:\Windows\system32\reg.exe Reg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Notifications\Settings" /v "NOC_GLOBAL_SETTING_ALLOW_CRITICAL_TOASTS_ABOVE_LOCK" /t REG_DWORD /d "0" /f 2⤵ PID:236
- C:\Windows\system32\reg.exe Reg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Notifications\Settings\QuietHours" /v "Enabled" /t REG_DWORD /d "0" /f 2⤵ PID:3644
- C:\Windows\system32\reg.exe Reg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Notifications\Settings\windows.immersivecontrolpanel_cw5n1h2txyewymicrosoft.windows.immersivecontrolpanel" /v "Enabled" /t REG_DWORD /d "0" /f 2⤵ PID:2136
- C:\Windows\system32\reg.exe Reg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Notifications\Settings\Windows.SystemToast.AutoPlay" /v "Enabled" /t REG_DWORD /d "0" /f 2⤵ PID:2972
- C:\Windows\system32\reg.exe Reg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Notifications\Settings\Windows.SystemToast.LowDisk" /v "Enabled" /t REG_DWORD /d "0" /f 2⤵ PID:3840
- C:\Windows\system32\reg.exe Reg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Notifications\Settings\Windows.SystemToast.Print.Notification" /v "Enabled" /t REG_DWORD /d "0" /f 2⤵ PID:5012
- C:\Windows\system32\reg.exe Reg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Notifications\Settings\Windows.SystemToast.SecurityAndMaintenance" /v "Enabled" /t REG_DWORD /d "0" /f 2⤵ PID:4908
- C:\Windows\system32\reg.exe Reg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Notifications\Settings\Windows.SystemToast.WiFiNetworkManager" /v "Enabled" /t REG_DWORD /d "0" /f 2⤵ PID:4360
- C:\Windows\system32\reg.exe Reg.exe add "HKCU\SOFTWARE\Policies\Microsoft\Windows\Explorer" /v "DisableNotificationCenter" /t REG_DWORD /d "1" /f 2⤵ PID:1260
- C:\Windows\system32\reg.exe Reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Feeds" /v "EnableFeeds" /t REG_DWORD /d "0" /f 2⤵ PID:1448
- C:\Windows\system32\reg.exe Reg.exe add "HKLM\SOFTWARE\Policies\Microsoft" /v "AllowNewsAndInterests" /t REG_DWORD /d "0" /f 2⤵ PID:4128
- C:\Windows\system32\reg.exe Reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows\System" /v "EnableActivityFeed" /t REG_DWORD /d "0" /f 2⤵ PID:2080
- C:\Windows\system32\reg.exe Reg.exe add "HKCU\Control Panel\International\User Profile" /v "HttpAcceptLanguageOptOut" /t REG_DWORD /d "1" /f 2⤵ PID:3008
- C:\Windows\system32\reg.exe Reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\AdvertisingInfo" /v "Enabled" /t REG_DWORD /d "0" /f 2⤵ PID:2948
- C:\Windows\system32\reg.exe Reg.exe add "HKLM\Software\Policies\Microsoft\Windows\System" /v "EnableActivityFeed" /t REG_DWORD /d "0" /f 2⤵ PID:4680
- C:\Windows\system32\reg.exe Reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "DisallowShaking" /t REG_DWORD /d "1" /f 2⤵ PID:1736
- C:\Windows\system32\reg.exe Reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "EnableBalloonTips" /t REG_DWORD /d "0" /f 2⤵ PID:2532
- C:\Windows\system32\reg.exe Reg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "ShowSyncProviderNotifications" /t REG_DWORD /d "0" /f 2⤵ PID:4288
- C:\Windows\system32\reg.exe Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\userNotificationListener" /v "Value" /t REG_SZ /d "Deny" /f 2⤵ PID:3656
- C:\Windows\system32\reg.exe Reg.exe add "HKLM\Software\Policies\Microsoft\Windows\AdvertisingInfo" /v "DisabledByGroupPolicy" /t REG_DWORD /d "1" /f 2⤵ PID:784
- C:\Windows\system32\reg.exe Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Remote Assistance" /v "fAllowToGetHelp" /t REG_DWORD /d "0" /f 2⤵ PID:992
- C:\Windows\system32\reg.exe Reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Edge" /v "StartupBoostEnabled" /t REG_DWORD /d "0" /f 2⤵ PID:3652
- C:\Windows\system32\reg.exe Reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Edge" /v "BackgroundModeEnabled" /t REG_DWORD /d "0" /f 2⤵ PID:1384
- C:\Windows\system32\reg.exe Reg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\SearchSettings" /v "IsDeviceSearchHistoryEnabled" /t REG_DWORD /d "0" /f 2⤵ PID:3844
- C:\Windows\system32\reg.exe Reg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "SubscribedContent-338393Enabled" /t REG_DWORD /d "0" /f 2⤵ PID:3740
- C:\Windows\system32\reg.exe Reg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "SubscribedContent-353694Enabled" /t REG_DWORD /d "0" /f 2⤵ PID:476
- C:\Windows\system32\reg.exe Reg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "SubscribedContent-353696Enabled" /t REG_DWORD /d "0" /f 2⤵ PID:2460
- C:\Windows\system32\reg.exe Reg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\SettingSync\Groups\Personalization" /v "Enabled" /t REG_DWORD /d "0" /f 2⤵ PID:2024
- C:\Windows\system32\reg.exe Reg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\SettingSync\Groups\BrowserSettings" /v "Enabled" /t REG_DWORD /d "0" /f 2⤵ PID:240
- C:\Windows\system32\reg.exe Reg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\SettingSync\Groups\Credentials" /v "Enabled" /t REG_DWORD /d "0" /f 2⤵ PID:3372
- C:\Windows\system32\reg.exe Reg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\SettingSync\Groups\Accessibility" /v "Enabled" /t REG_DWORD /d "0" /f 2⤵ PID:4580
- C:\Windows\system32\reg.exe Reg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\SettingSync\Groups\Windows" /v "Enabled" /t REG_DWORD /d "0" /f 2⤵ PID:2816
- C:\Windows\system32\reg.exe Reg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\SettingSync" /v "SyncPolicy" /t REG_DWORD /d "5" /f 2⤵ PID:2564
- C:\Windows\system32\reg.exe Reg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "SubscribedContent-338393Enabled" /t REG_DWORD /d "0" /f 2⤵ PID:1496
- C:\Windows\system32\reg.exe Reg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "SubscribedContent-353694Enabled" /t REG_DWORD /d "0" /f 2⤵ PID:3272
- C:\Windows\system32\reg.exe Reg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "SubscribedContent-353696Enabled" /t REG_DWORD /d "0" /f 2⤵ PID:1872
- C:\Windows\system32\reg.exe Reg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MultitaskingView\AllUpView" /v "AllUpView" /t REG_DWORD /d "0" /f 2⤵ PID:2096
- C:\Windows\system32\reg.exe Reg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MultitaskingView\AllUpView" /v "Remove TaskView" /t REG_DWORD /d "1" /f 2⤵ PID:3596
- C:\Windows\system32\reg.exe Reg.exe add "HKCU\Control Panel\Desktop" /v "AutoEndTasks" /t REG_SZ /d "1" /f 2⤵ PID:3660
- C:\Windows\system32\reg.exe Reg.exe add "HKCU\Control Panel\Desktop" /v "HungAppTimeout" /t REG_SZ /d "1000" /f 2⤵ PID:2876
- C:\Windows\system32\reg.exe Reg.exe add "HKCU\Control Panel\Desktop" /v "WaitToKillAppTimeout" /t REG_SZ /d "2000" /f 2⤵ PID:2488
- C:\Windows\system32\reg.exe Reg.exe add "HKCU\Control Panel\Desktop" /v "LowLevelHooksTimeout" /t REG_SZ /d "1000" /f 2⤵ PID:4752
- C:\Windows\system32\reg.exe Reg.exe add "HKCU\Control Panel\Desktop" /v "MenuShowDelay" /t REG_SZ /d "0" /f 2⤵ PID:4984
- C:\Windows\system32\reg.exe Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control" /v "WaitToKillServiceTimeout" /t REG_SZ /d "2000" /f 2⤵ PID:1864
- C:\Windows\system32\reg.exe Reg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "Start_TrackProgs" /t REG_DWORD /d "0" /f 2⤵ PID:376
- C:\Windows\system32\reg.exe Reg.exe add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "HideSCAHealth" /t REG_DWORD /d "1" /f 2⤵ PID:2644
- C:\Windows\system32\reg.exe Reg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "ExtendedUIHoverTime" /t REG_DWORD /d "196608" /f 2⤵ PID:4704
- C:\Windows\system32\reg.exe Reg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "DontPrettyPath" /t REG_DWORD /d "1" /f 2⤵ PID:5024
- C:\Windows\system32\reg.exe Reg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "ListviewShadow" /t REG_DWORD /d "0" /f 2⤵ PID:5088
- C:\Windows\system32\reg.exe Reg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "TaskbarAnimations" /t REG_DWORD /d "0" /f 2⤵ PID:1968
- C:\Windows\system32\reg.exe Reg.exe add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "HideSCAHealth" /t REG_DWORD /d "1" /f 2⤵ PID:1612
- C:\Windows\system32\reg.exe Reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoLowDiskSpaceChecks" /t REG_DWORD /d "1" /f 2⤵ PID:1752
- C:\Windows\system32\reg.exe Reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "LinkResolveIgnoreLinkInfo" /t REG_DWORD /d "1" /f 2⤵ PID:1336
- C:\Windows\system32\reg.exe Reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoResolveSearch" /t REG_DWORD /d "1" /f 2⤵ PID:3208
- C:\Windows\system32\reg.exe Reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoResolveTrack" /t REG_DWORD /d "1" /f 2⤵ PID:4700
- C:\Windows\system32\reg.exe Reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoInternetOpenWith" /t REG_DWORD /d "1" /f 2⤵ PID:2476
- C:\Windows\system32\reg.exe Reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoInstrumentation" /t REG_DWORD /d "1" /f 2⤵ PID:4648
- C:\Windows\system32\reg.exe Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows Photo Viewer\Capabilities\FileAssociations" /v ".tif" /t REG_SZ /d "PhotoViewer.FileAssoc.Tiff" /f 2⤵ PID:444
- C:\Windows\system32\reg.exe Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows Photo Viewer\Capabilities\FileAssociations" /v ".tiff" /t REG_SZ /d "PhotoViewer.FileAssoc.Tiff" /f 2⤵ PID:1676
- C:\Windows\system32\reg.exe Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows Photo Viewer\Capabilities\FileAssociations" /v ".bmp" /t REG_SZ /d "PhotoViewer.FileAssoc.Tiff" /f 2⤵ PID:1784
- C:\Windows\system32\reg.exe Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows Photo Viewer\Capabilities\FileAssociations" /v ".dib" /t REG_SZ /d "PhotoViewer.FileAssoc.Tiff" /f 2⤵ PID:2112
- C:\Windows\system32\reg.exe Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows Photo Viewer\Capabilities\FileAssociations" /v ".gif" /t REG_SZ /d "PhotoViewer.FileAssoc.Tiff" /f 2⤵ PID:960
- C:\Windows\system32\reg.exe Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows Photo Viewer\Capabilities\FileAssociations" /v ".jfif" /t REG_SZ /d "PhotoViewer.FileAssoc.Tiff" /f 2⤵ PID:1948
- C:\Windows\system32\reg.exe Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows Photo Viewer\Capabilities\FileAssociations" /v ".jpe" /t REG_SZ /d "PhotoViewer.FileAssoc.Tiff" /f 2⤵ PID:4016
- C:\Windows\system32\reg.exe Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows Photo Viewer\Capabilities\FileAssociations" /v ".jpeg" /t REG_SZ /d "PhotoViewer.FileAssoc.Tiff" /f 2⤵ PID:2180
- C:\Windows\system32\reg.exe Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows Photo Viewer\Capabilities\FileAssociations" /v ".jpg" /t REG_SZ /d "PhotoViewer.FileAssoc.Tiff" /f 2⤵ PID:4964
- C:\Windows\system32\reg.exe Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows Photo Viewer\Capabilities\FileAssociations" /v ".jxr" /t REG_SZ /d "PhotoViewer.FileAssoc.Tiff" /f 2⤵ PID:2764
- C:\Windows\system32\reg.exe Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows Photo Viewer\Capabilities\FileAssociations" /v ".png" /t REG_SZ /d "PhotoViewer.FileAssoc.Tiff" /f 2⤵ PID:4840
- C:\Windows\system32\reg.exe Reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\AppHost" /v ContentEvaluation /t REG_DWORD /d "0" /f 2⤵ PID:552
- C:\Windows\system32\reg.exe Reg.exe add "HKCU\SOFTWARE\Microsoft\Siuf\Rules" /v "NumberOfSIUFInPeriod" /t REG_DWORD /d "0" /f 2⤵ PID:1560
- C:\Windows\system32\reg.exe Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableAutomaticRestartSignOn" /t REG_DWORD /d "1" /f 2⤵ PID:4636
- C:\Windows\system32\reg.exe Reg.exe add "HKEY_CURRENT_USER\SYSTEM\GameConfigStore\Children\fefe78e0-cf54-411d-9154-04b8f488bea2" /v "Flags" /t REG_DWORD /d "529" /f 2⤵ PID:3456
- C:\Windows\system32\reg.exe Reg.exe add "HKCU\Control Panel\International\User Profile" /v "HttpAcceptLanguageOptOut" /t REG_DWORD /d "1" /f 2⤵ PID:420
- C:\Windows\system32\reg.exe Reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\AdvertisingInfo" /v "Enabled" /t REG_DWORD /d "0" /f 2⤵ PID:1244
- C:\Windows\system32\reg.exe Reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\AppHost" /v "EnableWebContentEvaluation" /t REG_DWORD /d "0" /f 2⤵ PID:3028
- C:\Windows\system32\reg.exe Reg.exe add "HKLM\Software\Microsoft\PolicyManager\default\WiFi\AllowAutoConnectToWiFiSenseHotspots" /v "value" /t REG_DWORD /d "0" /f 2⤵ PID:3556
- C:\Windows\system32\reg.exe Reg.exe add "HKLM\Software\Microsoft\PolicyManager\default\WiFi\AllowWiFiHotSpotReporting" /v "value" /t REG_DWORD /d "0" /f 2⤵ PID:4520
- C:\Windows\system32\reg.exe Reg.exe add "HKLM\Software\Microsoft\Windows\CurrentVersion\ImmersiveShell" /v "UseActionCenterExperience" /t REG_DWORD /d "0" /f 2⤵ PID:2568
- C:\Windows\system32\reg.exe Reg.exe add "HKLM\Software\Policies\Microsoft\Windows\EnhancedStorageDevices" /v "TCGSecurityActivationDisabled" /t REG_DWORD /d "0" /f 2⤵ PID:4812
- C:\Windows\system32\reg.exe Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Audio" /v "Background Only" /t REG_SZ /d "True" /f 2⤵ PID:3980
- C:\Windows\system32\reg.exe Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Audio" /v "Clock Rate" /t REG_DWORD /d "10000" /f 2⤵ PID:1124
- C:\Windows\system32\reg.exe Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Audio" /v "GPU Priority" /t REG_DWORD /d "12" /f 2⤵ PID:4576
- C:\Windows\system32\reg.exe Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Audio" /v "Priority" /t REG_DWORD /d "6" /f 2⤵ PID:656
- C:\Windows\system32\reg.exe Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Audio" /v "Scheduling Category" /t REG_SZ /d "Medium" /f 2⤵ PID:436
- C:\Windows\system32\reg.exe Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Audio" /v "SFIO Priority" /t REG_SZ /d "Normal" /f 2⤵ PID:4716
- C:\Windows\system32\reg.exe Reg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\current\device\Start" /v "AllowPinnedFolderDocuments" /t REG_DWORD /d "1" /f 2⤵ PID:2360
- C:\Windows\system32\reg.exe Reg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\current\device\Start" /v "AllowPinnedFolderDocuments_ProviderSet" /t REG_DWORD /d "1" /f 2⤵ PID:4388
- C:\Windows\system32\reg.exe Reg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\current\device\Start" /v "AllowPinnedFolderDownloads" /t REG_DWORD /d "1" /f 2⤵ PID:3080
- C:\Windows\system32\reg.exe Reg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\current\device\Start" /v "AllowPinnedFolderDownloads_ProviderSet" /t REG_DWORD /d "1" /f 2⤵ PID:4684
- C:\Windows\system32\reg.exe Reg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\current\device\Start" /v "AllowPinnedFolderPersonalFolder" /t REG_DWORD /d "1" /f 2⤵ PID:4056
- C:\Windows\system32\reg.exe Reg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\current\device\Start" /v "AllowPinnedFolderPersonalFolder_ProviderSet" /t REG_DWORD /d "1" /f 2⤵ PID:2604
- C:\Windows\system32\reg.exe Reg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\current\device\Start" /v "AllowPinnedFolderFileExplorer" /t REG_DWORD /d "1" /f 2⤵ PID:924
- C:\Windows\system32\reg.exe Reg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\current\device\Start" /v "AllowPinnedFolderFileExplorer_ProviderSet" /t REG_DWORD /d "1" /f 2⤵ PID:216
- C:\Windows\system32\reg.exe Reg.exe add "HKCU\Software\Microsoft\Windows\Shell\Bags\1\Desktop" /v "FFlags" /t REG_DWORD /d "1075839525" /f 2⤵ PID:328
- C:\Windows\system32\net.exe net stop w32time 2⤵ PID:5004
  - System Time Discovery
- C:\Windows\system32\net1.exe C:\Windows\system32\net1 stop w32time 3⤵ PID:4248
  - System Time Discovery
- C:\Windows\system32\w32tm.exe w32tm /unregister 2⤵ PID:2516
- C:\Windows\system32\w32tm.exe w32tm /register 2⤵ PID:1736
  - Server Software Component: Terminal Services DLL
  - Boot or Logon Autostart Execution: Time Providers
- C:\Windows\system32\w32tm.exe w32tm /config /syncfromflags:manual /manualpeerlist:"0.pool.ntp.org 1.pool.ntp.org 2.pool.ntp.org 3.pool.ntp.org" /reliable:YES 2⤵ PID:2532
- C:\Windows\system32\net.exe net start w32time 2⤵ PID:4288
  - System Time Discovery
- C:\Windows\system32\net1.exe C:\Windows\system32\net1 start w32time 3⤵ PID:3656
  - System Time Discovery
- C:\Windows\system32\w32tm.exe w32tm /config /update 2⤵ PID:1596
- C:\Windows\system32\w32tm.exe w32tm /resync /rediscover 2⤵ PID:4768
- C:\Windows\system32\reg.exe Reg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "HideFileExt" /t REG_DWORD /d 0 /f 2⤵ PID:3012
  - Modifies visibility of file extensions in Explorer
- C:\Windows\system32\reg.exe Reg.exe add "HKCR\lnkfile" /v "NeverShowExt" /f 2⤵ PID:2700
  - Modifies system executable filetype association
  - Modifies registry class
- C:\Windows\system32\reg.exe Reg.exe add "HKCR\IE.AssocFile.URL" /v "NeverShowExt" /f 2⤵ PID:2648
  - Modifies registry class
- C:\Windows\system32\reg.exe Reg.exe add "HKCR\IE.AssocFile.WEBSITE" /v "NeverShowExt" /f 2⤵ PID:3344
  - Modifies registry class
- C:\Windows\system32\reg.exe Reg.exe add "HKCR\InternetShortcut" /v "NeverShowExt" /f 2⤵ PID:4464
  - Modifies registry class
- C:\Windows\system32\reg.exe Reg.exe add "HKCR\Microsoft.Website" /v "NeverShowExt" /f 2⤵ PID:2716
  - Modifies registry class
- C:\Windows\system32\reg.exe Reg.exe add "HKCR\piffile" /v "NeverShowExt" /f 2⤵ PID:3420
  - Modifies system executable filetype association
  - Modifies registry class
- C:\Windows\system32\reg.exe Reg.exe add "HKCR\SHCmdFile" /v "NeverShowExt" /f 2⤵ PID:1552
  - Modifies registry class
- C:\Windows\system32\reg.exe Reg.exe add "HKCR\LibraryFolder" /v "NeverShowExt" /f 2⤵ PID:4572
  - Modifies registry class
- C:\Windows\system32\reg.exe Reg.exe add "HKCU\Control Panel\Desktop" /v "JPEGImportQuality" /t REG_DWORD /d "100" /f 2⤵ PID:3604
- C:\Windows\system32\reg.exe Reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer" /v "AltTabSettings" /t REG_DWORD /d "1" /f 2⤵ PID:2464
- C:\Windows\system32\reg.exe Reg.exe ADD "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "EnableVirtualization" /t REG_DWORD /d "0" /f 2⤵ PID:3820
- C:\Windows\system32\reg.exe Reg.exe ADD "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "EnableInstallerDetection" /t REG_DWORD /d "0" /f 2⤵ PID:3784
  - Hijack Execution Flow: Executable Installer File Permissions Weakness
- C:\Windows\system32\reg.exe Reg.exe ADD "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "PromptOnSecureDesktop" /t REG_DWORD /d "0" /f 2⤵ PID:2652
  - UAC bypass
- C:\Windows\system32\reg.exe Reg.exe ADD "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "EnableLUA" /t REG_DWORD /d "0" /f 2⤵ PID:1704
  - UAC bypass
- C:\Windows\system32\reg.exe Reg.exe ADD "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "EnableSecureUIAPaths" /t REG_DWORD /d "0" /f 2⤵ PID:4068
- C:\Windows\system32\reg.exe Reg.exe ADD "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "ConsentPromptBehaviorAdmin" /t REG_DWORD /d "0" /f 2⤵ PID:2520
  - UAC bypass
- C:\Windows\system32\reg.exe Reg.exe ADD "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "ValidateAdminCodeSignatures" /t REG_DWORD /d "0" /f 2⤵ PID:1080
- C:\Windows\system32\reg.exe Reg.exe ADD "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "EnableUIADesktopToggle" /t REG_DWORD /d "0" /f 2⤵ PID:2244
-
C:\Windows\system32\reg.exeReg.exe ADD "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "ConsentPromptBehaviorUser" /t REG_DWORD /d "0" /f2⤵
- UAC bypass
PID:2908 -
C:\Windows\system32\reg.exeReg.exe ADD "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "FilterAdministratorToken" /t REG_DWORD /d "0" /f2⤵PID:404
-
C:\Windows\system32\taskkill.exetaskkill /im discord.exe /f2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2272 -
C:\Windows\system32\takeown.exetakeown /f "C:\ProgramData\Microsoft\Diagnosis" /r /d y2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1968 -
C:\Windows\system32\takeown.exetakeown /f "C:\ProgramData\Microsoft\Diagnosis\ETLLogs\AutoLogger\AutoLogger-Diagtrack-Listener.etl" /r /d y2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1612 -
C:\Windows\system32\icacls.exeicacls "C:\ProgramData\Microsoft\Diagnosis\ETLLogs\AutoLogger\AutoLogger-Diagtrack-Listener.etl" /grant administrators:F /t2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1752 -
C:\Windows\system32\attrib.exeATTRIB -r "C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Windows.edb"2⤵
- Views/modifies file attributes
PID:5040 -
C:\Windows\system32\attrib.exeATTRIB +r "C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Windows.edb"2⤵
- Views/modifies file attributes
PID:4700 -
C:\Windows\system32\chcp.comchcp 4372⤵PID:456
-
C:\Windows\System32\cleanmgr.exe"C:\Windows\System32\cleanmgr.exe" /sagerun:502⤵
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:3696 -
C:\Users\Admin\AppData\Local\Temp\40973B2D-E592-46E4-AC58-3A5490082D19\dismhost.exeC:\Users\Admin\AppData\Local\Temp\40973B2D-E592-46E4-AC58-3A5490082D19\dismhost.exe {ED3B8799-94A1-417F-B8E0-0B30B37E2D4E}3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1028 -
C:\Windows\system32\chcp.comchcp 650012⤵PID:328
-
C:\Windows\system32\reg.exereg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Privacy" /v "TailoredExperiencesWithDiagnosticDataEnabled" /t REG_DWORD /d "0" /f2⤵PID:2688
-
C:\Windows\system32\reg.exereg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Diagnostics\DiagTrack" /v "ShowedToastAtLevel" /t REG_DWORD /d "1" /f2⤵PID:1736
-
C:\Windows\system32\reg.exereg add "HKEY_CURRENT_USER\Software\Microsoft\Input\TIPC" /v "Enabled" /t REG_DWORD /d "0" /f2⤵PID:1288
-
C:\Windows\system32\reg.exereg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\System" /v "UploadUserActivities" /t REG_DWORD /d "0" /f2⤵PID:4276
-
C:\Windows\system32\reg.exereg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\System" /v "PublishUserActivities" /t REG_DWORD /d "0" /f2⤵PID:3656
-
C:\Windows\system32\reg.exereg add "HKEY_CURRENT_USER\Control Panel\International\User Profile" /v "HttpAcceptLanguageOptOut" /t REG_DWORD /d "1" /f2⤵PID:4288
-
C:\Windows\system32\reg.exereg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments" /v "SaveZoneInformation" /t REG_DWORD /d "1" /f2⤵PID:1596
-
C:\Windows\system32\reg.exereg add "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Diagnostics\Performance" /v "DisableDiagnosticTracing" /t REG_DWORD /d "1" /f2⤵PID:476
-
C:\Windows\system32\reg.exereg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WDI\{9c5a40da-b965-4fc3-8781-88dd50a6299d}" /v "ScenarioExecutionEnabled" /t REG_DWORD /d "0" /f2⤵PID:1904
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\Application Experience\Microsoft Compatibility Appraiser" /Disable2⤵PID:240
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\Application Experience\PcaPatchDbTask" /Disable2⤵PID:3372
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\Application Experience\ProgramDataUpdater" /Disable2⤵PID:4580
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\Application Experience\StartupAppTask" /Disable2⤵PID:2816
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\Autochk\Proxy" /Disable2⤵PID:2564
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\Customer Experience Improvement Program\Consolidator" /Disable2⤵PID:1496
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\Customer Experience Improvement Program\UsbCeip" /Disable2⤵PID:3272
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\Defrag\ScheduledDefrag" /Disable2⤵PID:1872
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\Device Information\Device" /Disable2⤵PID:2096
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\Device Information\Device User" /Disable2⤵PID:3596
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\DiskCleanup\SilentCleanup" /Disable2⤵PID:3660
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\DiskDiagnostic\Microsoft-Windows-DiskDiagnosticDataCollector" /Disable2⤵PID:3788
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\DiskFootprint\Diagnostics" /Disable2⤵PID:2488
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\DiskFootprint\StorageSense" /Disable2⤵PID:4752
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\DUSM\dusmtask" /Disable2⤵PID:4984
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\EnterpriseMgmt\MDMMaintenenceTask" /Disable2⤵PID:1864
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\Feedback\Siuf\DmClient" /Disable2⤵PID:376
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\Feedback\Siuf\DmClientOnScenarioDownload" /Disable2⤵PID:2644
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\Flighting\FeatureConfig\ReconcileFeatures" /Disable2⤵PID:4704
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\Flighting\FeatureConfig\UsageDataFlushing" /Disable2⤵PID:1848
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\Flighting\FeatureConfig\UsageDataReporting" /Disable2⤵PID:5088
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\Flighting\OneSettings\RefreshCache" /Disable2⤵PID:1832
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\Input\LocalUserSyncDataAvailable" /Disable2⤵PID:1168
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\Input\MouseSyncDataAvailable" /Disable2⤵PID:4600
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\Input\PenSyncDataAvailable" /Disable2⤵PID:3808
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\Input\TouchpadSyncDataAvailable" /Disable2⤵PID:1556
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\International\Synchronize Language Settings" /Disable2⤵PID:4432
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\LanguageComponentsInstaller\Installation" /Disable2⤵PID:3348
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\LanguageComponentsInstaller\ReconcileLanguageResources" /Disable2⤵PID:1340
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\LanguageComponentsInstaller\Uninstallation" /Disable2⤵PID:1412
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\License Manager\TempSignedLicenseExchange" /Disable2⤵PID:4396
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\License Manager\TempSignedLicenseExchange" /Disable2⤵PID:1156
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\Management\Provisioning\Cellular" /Disable2⤵PID:524
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\Management\Provisioning\Logon" /Disable2⤵PID:2392
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\Maintenance\WinSAT" /Disable2⤵PID:2812
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\Maps\MapsToastTask" /Disable2⤵PID:2752
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\Maps\MapsUpdateTask" /Disable2⤵PID:1040
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\Mobile Broadband Accounts\MNO Metadata Parser" /Disable2⤵PID:824
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\MUI\LPRemove" /Disable2⤵PID:3056
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\NetTrace\GatherNetworkInfo" /Disable2⤵PID:2456
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\PI\Sqm-Tasks" /Disable2⤵PID:1964
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\Power Efficiency Diagnostics\AnalyzeSystem" /Disable2⤵PID:652
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\PushToInstall\Registration" /Disable2⤵PID:3556
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\Ras\MobilityManager" /Disable2⤵PID:2528
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\RecoveryEnvironment\VerifyWinRE" /Disable2⤵PID:2568
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\RemoteAssistance\RemoteAssistanceTask" /Disable2⤵PID:4588
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\RetailDemo\CleanupOfflineContent" /Disable2⤵PID:736
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\Servicing\StartComponentCleanup" /Disable2⤵PID:1632
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\SettingSync\NetworkStateChangeTask" /Disable2⤵PID:1560
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\Setup\SetupCleanupTask" /Disable2⤵PID:5044
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\Setup\SnapshotCleanupTask" /Disable2⤵PID:4932
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\SpacePort\SpaceAgentTask" /Disable2⤵PID:940
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\SpacePort\SpaceManagerTask" /Disable2⤵PID:3984
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\Speech\SpeechModelDownloadTask" /Disable2⤵PID:4092
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\Storage Tiers Management\Storage Tiers Management Initialization" /Disable2⤵PID:236
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\Sysmain\ResPriStaticDbSync" /Disable2⤵PID:3644
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\Sysmain\WsSwapAssessmentTask" /Disable2⤵PID:2136
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\Task Manager\Interactive" /Disable2⤵PID:1468
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\TPM\Tpm-HASCertRetr" /Disable2⤵PID:3840
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\TPM\Tpm-Maintenance" /Disable2⤵PID:5012
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\UPnP\UPnPHostConfig" /Disable2⤵PID:4908
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\User Profile Service\HiveUploadTask" /Disable2⤵PID:4956
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\WDI\ResolutionHost" /Disable2⤵PID:1224
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\Windows Filtering Platform\BfeOnServiceStartTypeChange" /Disable2⤵PID:1448
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\WOF\WIM-Hash-Management" /Disable2⤵PID:216
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\WOF\WIM-Hash-Validation" /Disable2⤵PID:4504
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\Work Folders\Work Folders Logon Synchronization" /Disable2⤵PID:1940
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\Work Folders\Work Folders Maintenance Work" /Disable2⤵PID:3856
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\Workplace Join\Automatic-Device-Join" /Disable2⤵PID:4072
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\WwanSvc\NotificationTask" /Disable2⤵PID:3696
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\WwanSvc\OobeDiscovery" /Disable2⤵PID:2688
-
C:\Windows\system32\reg.exeReg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "Discord" /t REG_BINARY /d "0300000066AF9C7C5A46D901" /f2⤵PID:4376
-
C:\Windows\system32\reg.exeReg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "Synapse3" /t REG_BINARY /d "030000007DC437B0EA9FD901" /f2⤵PID:3844
-
C:\Windows\system32\reg.exeReg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "Spotify" /t REG_BINARY /d "0300000070E93D7B5A46D901" /f2⤵PID:4488
-
C:\Windows\system32\reg.exeReg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "EpicGamesLauncher" /t REG_BINARY /d "03000000F51C70A77A48D901" /f2⤵PID:4976
-
C:\Windows\system32\reg.exeReg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "RiotClient" /t REG_BINARY /d "03000000A0EA598A88B2D901" /f2⤵PID:4640
-
C:\Windows\system32\reg.exeReg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "Steam" /t REG_BINARY /d "03000000E7766B83316FD901" /f2⤵PID:1596
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SOFTWARE\Policies\Google\Chrome" /v "TranslateEnabled" /t REG_DWORD /d "1" /f2⤵PID:476
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SOFTWARE\Policies\Google\Chrome" /v "TaskManagerEndProcessEnabled" /t REG_DWORD /d "1" /f2⤵PID:1904
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SOFTWARE\Policies\Google\Chrome" /v "UserFeedbackAllowed" /t REG_DWORD /d "0" /f2⤵PID:240
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SOFTWARE\Policies\Google\Chrome" /v "SpellCheckServiceEnabled" /t REG_DWORD /d "0" /f2⤵PID:3372
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SOFTWARE\Policies\Google\Chrome" /v "SpellcheckEnabled" /t REG_DWORD /d "0" /f2⤵PID:4580
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SOFTWARE\Policies\Google\Chrome" /v "MediaRouterCastAllowAllIPs" /t REG_DWORD /d "1" /f2⤵PID:2816
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SOFTWARE\Policies\Google\Chrome" /v "AllowDinosaurEasterEgg" /t REG_DWORD /d "1" /f2⤵PID:2564
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SOFTWARE\Policies\Google\Chrome" /v "DefaultGeolocationSetting" /t REG_DWORD /d "2" /f2⤵PID:1496
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SOFTWARE\Policies\Google\Chrome" /v "DefaultCookiesSetting" /t REG_DWORD /d "1" /f2⤵PID:3272
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SOFTWARE\Policies\Google\Chrome" /v "DefaultFileHandlingGuardSetting" /t REG_DWORD /d "3" /f2⤵PID:1872
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SOFTWARE\Policies\Google\Chrome" /v "DefaultFileSystemReadGuardSetting" /t REG_DWORD /d "3" /f2⤵PID:2096
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SOFTWARE\Policies\Google\Chrome" /v "DefaultFileSystemnv11GuardSetting" /t REG_DWORD /d "3" /f2⤵PID:3596
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SOFTWARE\Policies\Google\Chrome" /v "DefaultImagesSetting" /t REG_DWORD /d "1" /f2⤵PID:3660
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SOFTWARE\Policies\Google\Chrome" /v "DefaultPopupsSetting" /t REG_DWORD /d "2" /f2⤵PID:3788
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SOFTWARE\Policies\Google\Chrome" /v "DefaultSensorsSetting" /t REG_DWORD /d "2" /f2⤵PID:2488
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SOFTWARE\Policies\Google\Chrome" /v "DefaultSerialGuardSetting" /t REG_DWORD /d "2" /f2⤵PID:4752
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SOFTWARE\Policies\Google\Chrome" /v "DefaultWebBluetoothGuardSetting" /t REG_DWORD /d "2" /f2⤵PID:4984
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SOFTWARE\Policies\Google\Chrome" /v "DefaultWebUsbGuardSetting" /t REG_DWORD /d "2" /f2⤵PID:1864
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SOFTWARE\Policies\Google\Chrome" /v "EnableMediaRouter" /t REG_DWORD /d "1" /f2⤵PID:376
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SOFTWARE\Policies\Google\Chrome" /v "ShowCastIconInToolbar" /t REG_DWORD /d "1" /f2⤵PID:2644
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SOFTWARE\Policies\Google\Chrome" /v "CloudPrintProxyEnabled" /t REG_DWORD /d "0" /f2⤵PID:4364
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SOFTWARE\Policies\Google\Chrome" /v "PrintRasterizationMode" /t REG_DWORD /d "0" /f2⤵PID:1148
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SOFTWARE\Policies\Google\Chrome" /v "PrintingEnabled" /t REG_DWORD /d "1" /f2⤵PID:3440
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SOFTWARE\Policies\Google\Chrome" /v "DefaultPluginsSetting" /t REG_DWORD /d "1" /f2⤵PID:4480
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SOFTWARE\Policies\Google\Chrome" /v "SafeBrowsingProtectionLevel" /t REG_DWORD /d "0" /f2⤵PID:1968
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SOFTWARE\Policies\Google\Chrome" /v "SafeBrowsingExtendedReportingEnabled" /t REG_DWORD /d "0" /f2⤵PID:1752
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SOFTWARE\Policies\Google\Chrome" /v "HomepageIsNewTabPage" /t REG_DWORD /d "0" /f2⤵PID:2212
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SOFTWARE\Policies\Google\Chrome" /v "HomepageLocation" /t REG_SZ /d "google.com" /f2⤵PID:3336
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SOFTWARE\Policies\Google\Chrome" /v "NewTabPageLocation" /t REG_SZ /d "google.com" /f2⤵PID:4912
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SOFTWARE\Policies\Google\Chrome\Recommended" /v "MetricsReportingEnabled" /t REG_DWORD /d "0" /f2⤵PID:4648
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SOFTWARE\Policies\Google\Chrome\Recommended" /v "DeviceMetricsReportingEnabled" /t REG_DWORD /d "0" /f2⤵PID:3680
-
C:\Windows\system32\reg.exeReg.exe add "HKCU\SOFTWARE\Policies\Google\Chrome\Recommended" /v "MetricsReportingEnabled" /t REG_DWORD /d "0" /f2⤵PID:460
-
C:\Windows\system32\reg.exeReg.exe add "HKCU\SOFTWARE\Policies\Google\Chrome\Recommended" /v "DeviceMetricsReportingEnabled" /t REG_DWORD /d "0" /f2⤵PID:396
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SOFTWARE\Policies\Google\Chrome" /v "MetricsReportingEnabled" /t REG_DWORD /d "0" /f2⤵PID:4016
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SOFTWARE\Policies\Google\Chrome" /v "DeviceMetricsReportingEnabled" /t REG_DWORD /d "0" /f2⤵PID:4080
-
C:\Windows\system32\reg.exeReg.exe add "HKCU\SOFTWARE\Policies\Google\Chrome" /v "MetricsReportingEnabled" /t REG_DWORD /d "0" /f2⤵PID:4048
-
C:\Windows\system32\reg.exeReg.exe add "HKCU\SOFTWARE\Policies\Google\Chrome" /v "DeviceMetricsReportingEnabled" /t REG_DWORD /d "0" /f2⤵PID:4840
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SOFTWARE\Policies\Google\Update" /v "Install{8A69D345-D564-463C-AFF1-A69D9E530F96}" /t REG_DWORD /d "5" /f2⤵PID:1708
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SOFTWARE\Policies\Google\Update" /v "TargetChannel{8A69D345-D564-463C-AFF1-A69D9E530F96}" /t REG_SZ /d "stable" /f2⤵PID:1488
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SOFTWARE\Policies\Google\Update" /v "Update{8A69D345-D564-463C-AFF1-A69D9E530F96}" /t REG_DWORD /d "3" /f2⤵PID:2368
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SOFTWARE\Policies\Google\Update" /v "Install{4CCED17F-7852-4AFC-9E9E-C89D8795BDD2}" /t REG_DWORD /d "0" /f2⤵PID:956
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SOFTWARE\Policies\Google\Update" /v "AutoUpdateCheckPeriodMinutes" /t REG_DWORD /d "43200" /f2⤵PID:4400
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SOFTWARE\Policies\Google\Update" /v "DownloadPreference" /t REG_SZ /d "cacheable" /f2⤵PID:416
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SOFTWARE\Policies\Google\Update" /v "UpdatesSuppressedStartHour" /t REG_DWORD /d "23" /f2⤵PID:1824
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SOFTWARE\Policies\Google\Update" /v "UpdatesSuppressedStartMin" /t REG_DWORD /d "48" /f2⤵PID:3188
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SOFTWARE\Policies\Google\Update" /v "UpdatesSuppressedDurationMin" /t REG_DWORD /d "55" /f2⤵PID:4528
-
C:\Windows\system32\chcp.comchcp 4372⤵PID:3028
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowershell.exe -command "& {Get-AppxPackage *Microsoft.BingWeather* | Remove-AppxPackage}2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:724 -
C:\Windows\system32\timeout.exetimeout /t 1 /nobreak2⤵
- Delays execution with timeout.exe
PID:4144 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowershell.exe -command "& {Get-AppxPackage *Microsoft.GetHelp* | Remove-AppxPackage}2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3776 -
C:\Windows\system32\timeout.exetimeout /t 1 /nobreak2⤵
- Delays execution with timeout.exe
PID:4128 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowershell.exe -command "& {Get-AppxPackage *Microsoft.Getstarted* | Remove-AppxPackage}2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2192 -
C:\Windows\system32\timeout.exetimeout /t 1 /nobreak2⤵
- Delays execution with timeout.exe
PID:1120 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowershell.exe -command "& {Get-AppxPackage *Microsoft.Messaging* | Remove-AppxPackage}2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4640 -
C:\Windows\system32\timeout.exetimeout /t 1 /nobreak2⤵
- Delays execution with timeout.exe
PID:4572 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowershell.exe -command "& {Get-AppxPackage *Microsoft.Microsoft3DViewer* | Remove-AppxPackage}2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3604 -
C:\Windows\system32\timeout.exetimeout /t 1 /nobreak2⤵
- Delays execution with timeout.exe
PID:1080 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowershell.exe -command "& {Get-AppxPackage *Microsoft.MicrosoftSolitaireCollection* | Remove-AppxPackage}2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2244 -
C:\Windows\system32\timeout.exetimeout /t 1 /nobreak2⤵
- Delays execution with timeout.exe
PID:1612 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowershell.exe -command "& {Get-AppxPackage *Microsoft.MicrosoftStickyNotes* | Remove-AppxPackage}2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3300 -
C:\Windows\system32\timeout.exetimeout /t 1 /nobreak2⤵
- Delays execution with timeout.exe
PID:1156 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowershell.exe -command "& {Get-AppxPackage *Microsoft.MixedReality.Portal* | Remove-AppxPackage}2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4416 -
C:\Windows\system32\timeout.exetimeout /t 1 /nobreak2⤵
- Delays execution with timeout.exe
PID:4496 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowershell.exe -command "& {Get-AppxPackage *Microsoft.OneConnect* | Remove-AppxPackage}2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1392 -
C:\Windows\system32\timeout.exetimeout /t 1 /nobreak2⤵
- Delays execution with timeout.exe
PID:2764 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowershell.exe -command "& {Get-AppxPackage *Microsoft.People* | Remove-AppxPackage}2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:3984 -
C:\Windows\system32\timeout.exetimeout /t 1 /nobreak2⤵
- Delays execution with timeout.exe
PID:4448 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowershell.exe -command "& {Get-AppxPackage *Microsoft.Print3D* | Remove-AppxPackage}2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:4360 -
C:\Windows\system32\timeout.exetimeout /t 1 /nobreak2⤵
- Delays execution with timeout.exe
PID:4820 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowershell.exe -command "& {Get-AppxPackage *Microsoft.SkypeApp* | Remove-AppxPackage}2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:4472 -
C:\Windows\system32\timeout.exetimeout /t 1 /nobreak2⤵
- Delays execution with timeout.exe
PID:3828 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowershell.exe -command "& {Get-AppxPackage *Microsoft.WindowsAlarms* | Remove-AppxPackage}2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:2532 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowershell.exe -command "& {Get-AppxPackage *Microsoft.WindowsCamera* | Remove-AppxPackage}2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:2564 -
C:\Windows\system32\timeout.exetimeout /t 1 /nobreak2⤵
- Delays execution with timeout.exe
PID:2496 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowershell.exe -command "& {Get-AppxPackage *microsoft.windowscommunicationsapps* | Remove-AppxPackage}2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:1980 -
C:\Windows\system32\timeout.exetimeout /t 1 /nobreak2⤵
- Delays execution with timeout.exe
PID:1080 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowershell.exe -command "& {Get-AppxPackage *Microsoft.WindowsMaps* | Remove-AppxPackage}2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:1848 -
C:\Windows\system32\timeout.exetimeout /t 1 /nobreak2⤵
- Delays execution with timeout.exe
PID:3832 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowershell.exe -command "& {Get-AppxPackage *Microsoft.WindowsFeedbackHub* | Remove-AppxPackage}2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:3876 -
C:\Windows\system32\timeout.exetimeout /t 1 /nobreak2⤵
- Delays execution with timeout.exe
PID:2476 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowershell.exe -command "& {Get-AppxPackage *Microsoft.WindowsSoundRecorder* | Remove-AppxPackage}2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:520 -
C:\Windows\system32\timeout.exetimeout /t 1 /nobreak2⤵
- Delays execution with timeout.exe
PID:524 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowershell.exe -command "& {Get-AppxPackage *Microsoft.YourPhone* | Remove-AppxPackage}2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:4080 -
C:\Windows\system32\timeout.exetimeout /t 1 /nobreak2⤵
- Delays execution with timeout.exe
PID:4280 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowershell.exe -command "& {Get-AppxPackage *Microsoft.ZuneMusic* | Remove-AppxPackage}2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:4468 -
C:\Windows\system32\timeout.exetimeout /t 1 /nobreak2⤵
- Delays execution with timeout.exe
PID:4576 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowershell.exe -command "& {Get-AppxPackage *Microsoft.HEIFImageExtension* | Remove-AppxPackage}2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:1724 -
C:\Windows\system32\timeout.exetimeout /t 1 /nobreak2⤵
- Delays execution with timeout.exe
PID:4300 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowershell.exe -command "& {Get-AppxPackage *Microsoft.WebMediaExtensions* | Remove-AppxPackage}2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:2508 -
C:\Windows\system32\timeout.exetimeout /t 1 /nobreak2⤵
- Delays execution with timeout.exe
PID:1940 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowershell.exe -command "& {Get-AppxPackage *Microsoft.WebpImageExtension* | Remove-AppxPackage}2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:924 -
C:\Windows\system32\timeout.exetimeout /t 1 /nobreak2⤵
- Delays execution with timeout.exe
PID:240 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowershell.exe -command "& {Get-AppxPackage *Microsoft.3dBuilder* | Remove-AppxPackage}2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:4592 -
C:\Windows\system32\timeout.exetimeout /t 1 /nobreak2⤵
- Delays execution with timeout.exe
PID:2816 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowerShell -Command "Get-AppxPackage -allusers *bing* | Remove-AppxPackage"2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:4640 -
C:\Windows\system32\timeout.exetimeout /t 1 /nobreak2⤵
- Delays execution with timeout.exe
PID:2496 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowerShell -Command "Get-AppxPackage -allusers *bingfinance* | Remove-AppxPackage"2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:2488 -
C:\Windows\system32\timeout.exetimeout /t 1 /nobreak2⤵
- Delays execution with timeout.exe
PID:2272 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowerShell -Command "Get-AppxPackage -allusers *bingsports* | Remove-AppxPackage"2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:4440 -
C:\Windows\system32\timeout.exetimeout /t 1 /nobreak2⤵
- Delays execution with timeout.exe
PID:668 -
C:\Windows\system32\timeout.exetimeout /t 1 /nobreak2⤵
- Delays execution with timeout.exe
PID:3832 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowerShell -Command "Get-AppxPackage -allusers *CommsPhone* | Remove-AppxPackage"2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:1340 -
C:\Windows\system32\timeout.exetimeout /t 1 /nobreak2⤵
- Delays execution with timeout.exe
PID:2476 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowerShell -Command "Get-AppxPackage -allusers *Drawboard PDF* | Remove-AppxPackage"2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:4292 -
C:\Windows\system32\timeout.exetimeout /t 1 /nobreak2⤵
- Delays execution with timeout.exe
PID:4496 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowerShell -Command "Get-AppxPackage -allusers *Sway* | Remove-AppxPackage"2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:2528 -
C:\Windows\system32\timeout.exetimeout /t 1 /nobreak2⤵
- Delays execution with timeout.exe
PID:4216 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowerShell -Command "Get-AppxPackage -allusers *WindowsAlarms* | Remove-AppxPackage"2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:2560 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowerShell -Command "Get-AppxPackage -allusers *WindowsPhone* | Remove-AppxPackage"2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:724 -
C:\Windows\system32\timeout.exetimeout /t 1 /nobreak2⤵
- Delays execution with timeout.exe
PID:4388 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowerShell -Command "Get-AppxPackage -allusers *zune* | Remove-AppxPackage"2⤵
- Command and Scripting Interpreter: PowerShell
PID:2700 -
C:\Windows\system32\timeout.exetimeout /t 1 /nobreak2⤵
- Delays execution with timeout.exe
PID:2660 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowerShell -Command "Get-AppxPackage Microsoft.MicrosoftEdge_41.16299.1004.0_netural__8wekyb3d8bbwe|Remove-AppxPackage"2⤵
- Command and Scripting Interpreter: PowerShell
PID:4680 -
C:\Windows\system32\chcp.comchcp 650012⤵PID:328
-
C:\Windows\system32\chcp.comchcp 4372⤵PID:536
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "& {Add-Type -AssemblyName System.Windows.Forms; [System.Windows.Forms.MessageBox]::Show('select adjust for best performanceAnd select Show Thumbnails Instead of icans, smooth edges on screen fonts and press apply', 'MAHO TWEAKS', 'Ok', [System.Windows.Forms.MessageBoxIcon]::Information);}"2⤵
- Command and Scripting Interpreter: PowerShell
PID:924 -
C:\Windows\system32\chcp.comchcp 650012⤵PID:1596
-
C:\Windows\system32\SystemPropertiesPerformance.exeC:\Windows\system32\SystemPropertiesPerformance.exe2⤵
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
PID:1904 -
C:\Windows\system32\reg.exeReg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Themes\Personalize" /v "EnableTransparency" /t REG_DWORD /d "0" /f2⤵PID:3344
-
C:\Windows\system32\timeout.exetimeout /t 1 /nobreak2⤵
- Delays execution with timeout.exe
PID:1644 -
C:\Windows\system32\reg.exeReg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "TaskbarAnimations" /t REG_DWORD /d 0 /f2⤵PID:3788
-
C:\Windows\system32\timeout.exetimeout /t 1 /nobreak2⤵
- Delays execution with timeout.exe
PID:2496 -
C:\Windows\system32\reg.exeReg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "ListviewAlphaSelect" /t REG_DWORD /d 0 /f2⤵PID:2464
-
C:\Windows\system32\timeout.exetimeout /t 1 /nobreak2⤵
- Delays execution with timeout.exe
PID:2208 -
C:\Windows\system32\reg.exeReg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "EnableBalloonTips" /t REG_DWORD /d "0" /f2⤵PID:1148
-
C:\Windows\system32\timeout.exetimeout /t 1 /nobreak2⤵
- Delays execution with timeout.exe
PID:4760 -
C:\Windows\system32\reg.exeReg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "DisallowShaking" /t REG_DWORD /d "1" /f2⤵PID:4968
-
C:\Windows\system32\timeout.exetimeout /t 1 /nobreak2⤵
- Delays execution with timeout.exe
PID:4800 -
C:\Windows\system32\reg.exeReg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\People" /v "PeopleBand" /t REG_DWORD /d "0" /f2⤵PID:4904
-
C:\Windows\system32\timeout.exetimeout /t 1 /nobreak2⤵
- Delays execution with timeout.exe
PID:3664 -
C:\Windows\system32\reg.exeReg.exe add "HKLM\Software\Policies\Microsoft\Windows\System" /v "EnableActivityFeed" /t REG_DWORD /d "0" /f2⤵PID:1080
-
C:\Windows\system32\timeout.exetimeout /t 1 /nobreak2⤵
- Delays execution with timeout.exe
PID:2644 -
C:\Windows\system32\reg.exeReg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "ShowTaskViewButton" /t REG_DWORD /d "0" /f2⤵PID:4364
-
C:\Windows\system32\timeout.exetimeout /t 1 /nobreak2⤵
- Delays execution with timeout.exe
PID:1852 -
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\NetworkProvider" /v "RestoreConnection" /t REG_DWORD /d 0 /f2⤵PID:768
-
C:\Windows\system32\timeout.exetimeout /t 1 /nobreak2⤵
- Delays execution with timeout.exe
PID:1628 -
C:\Windows\system32\reg.exeReg.exe add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "HideSCAMeetNow" /t REG_dWORD /d 1 /f2⤵PID:1880
-
C:\Windows\system32\timeout.exetimeout /t 1 /nobreak2⤵
- Delays execution with timeout.exe
PID:3832 -
C:\Windows\system32\reg.exeReg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\Feeds" /v "ShellFeedsTaskbarViewMode" /t REG_DWORD /d 2 /f2⤵PID:1600
-
C:\Windows\system32\timeout.exetimeout /t 1 /nobreak2⤵
- Delays execution with timeout.exe
PID:1112 -
C:\Windows\system32\reg.exeReg.exe add "HKLM\Software\Policies\Microsoft\Windows\CloudContent" /v DisableSoftLanding /t REG_DWORD /d 1 /f2⤵PID:4700
-
C:\Windows\system32\timeout.exetimeout /t 1 /nobreak2⤵
- Delays execution with timeout.exe
PID:4772 -
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\FileSystem" /v "LongPathsEnabled" /t REG_DWORD /d "1" /f2⤵PID:4912
-
C:\Windows\system32\timeout.exetimeout /t 1 /nobreak2⤵
- Delays execution with timeout.exe
PID:4840 -
C:\Windows\system32\reg.exeReg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "ShowSyncProviderNotifications" /t REG_DWORD /d "0" /f2⤵PID:524
-
C:\Windows\system32\timeout.exetimeout /t 1 /nobreak2⤵
- Delays execution with timeout.exe
PID:1708 -
C:\Windows\system32\reg.exeReg.exe add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Themes\Personalize" /v "AppsUseLightTheme" /t REG_DWORD /d "0" /f2⤵PID:5004
-
C:\Windows\system32\reg.exeReg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Themes\Personalize" /v "AppsUseLightTheme" /t REG_DWORD /d "0" /f2⤵PID:3380
-
C:\Windows\system32\reg.exeReg.exe add "HKCU\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Main" /v "Theme" /t REG_DWORD /d "1" /f2⤵
- Modifies registry class
PID:3556 -
C:\Windows\system32\timeout.exetimeout /t 1 /nobreak2⤵
- Delays execution with timeout.exe
PID:876 -
C:\Windows\system32\reg.exeReg.exe add "HKEY_USERS\.DEFAULT\Control Panel\Keyboard" /v InitialKeyboardIndicators /t REG_SZ /d "2147483650" /f2⤵
- Modifies data under HKEY_USERS
PID:1660 -
C:\Windows\system32\reg.exeReg.exe add "HKCU\Control Panel\Keyboard" /v "KeyboardSpeed" /t REG_SZ /d "31" /f2⤵PID:4280
-
C:\Windows\system32\reg.exeReg.exe add "HKEY_USERS\.DEFAULT\Control Panel\Keyboard" /v "InitialKeyboardIndicators" /t REG_SZ /d "2" /f2⤵
- Modifies data under HKEY_USERS
PID:2568 -
C:\Windows\system32\reg.exeReg.exe add "HKCU\Control Panel\Keyboard" /v "InitialKeyboardIndicators" /t REG_SZ /d "2" /f2⤵PID:1648
-
C:\Windows\system32\reg.exeReg.exe add "HKEY_USERS\.DEFAULT\Control Panel\Keyboard" /v "KeyboardDelay" /t REG_SZ /d "0" /f2⤵
- Modifies data under HKEY_USERS
PID:1040 -
C:\Windows\system32\reg.exeReg.exe add "HKEY_USERS\.DEFAULT\Control Panel\Keyboard" /v "KeyboardSpeed" /t REG_SZ /d "31" /f2⤵
- Modifies data under HKEY_USERS
PID:4012 -
C:\Windows\system32\reg.exeReg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\DisplayPostProcessing" /v "Affinity" /t REG_DWORD /d "0" /f2⤵PID:3352
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\DisplayPostProcessing" /v "Background Only" /t REG_SZ /d "True" /f2⤵PID:1140
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\DisplayPostProcessing" /v "BackgroundPriority" /t REG_DWORD /d "24" /f2⤵PID:3940
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\DisplayPostProcessing" /v "Clock Rate" /t REG_DWORD /d "10000" /f2⤵PID:1392
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\DisplayPostProcessing" /v "GPU Priority" /t REG_DWORD /d "18" /f2⤵PID:2784
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\DisplayPostProcessing" /v "Priority" /t REG_DWORD /d "8" /f2⤵PID:2500
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\DisplayPostProcessing" /v "Scheduling Category" /t REG_SZ /d "High" /f2⤵PID:2940
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\DisplayPostProcessing" /v "SFIO Priority" /t REG_SZ /d "High" /f2⤵PID:3636
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\DisplayPostProcessing" /v "Latency Sensitive" /t REG_SZ /d "True" /f2⤵PID:416
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\GraphicsDrivers" /v "TdrLevel" /t REG_DWORD /d "0" /f2⤵PID:4448
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\GraphicsDrivers" /v "TdrDebugMode" /t REG_DWORD /d "0" /f2⤵PID:2452
-
C:\Windows\system32\timeout.exetimeout /t 1 /nobreak2⤵
- Delays execution with timeout.exe
PID:1016 -
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\Scheduler" /v "VsyncIdleTimeout" /t REG_DWORD /d "0" /f2⤵PID:2972
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\GraphicsDrivers" /v "TdrDebugMode" /t REG_DWORD /d "0" /f2⤵PID:2200
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\GraphicsDrivers" /v "TdrLevel" /t REG_DWORD /d "0" /f2⤵PID:2004
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\System\CurrentControlSet\Services\VxD\BIOS" /v "AGPConcur" /t REG_DWORD /d "1" /f2⤵PID:1216
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\System\CurrentControlSet\Services\VxD\BIOS" /v "CPUPriority" /t REG_DWORD /d "1" /f2⤵PID:4588
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\System\CurrentControlSet\Services\VxD\BIOS" /v "FastDRAM" /t REG_DWORD /d "1" /f2⤵PID:2360
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\System\CurrentControlSet\Services\VxD\BIOS" /v "PCIConcur" /t REG_DWORD /d "1" /f2⤵PID:4208
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\System\CurrentControlSet\Control\GraphicsDrivers" /v TdrLevel /t REG_DWORD /d 0 /f2⤵PID:4084
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\System\CurrentControlSet\Control\GraphicsDrivers" /v TdrDelay /t REG_DWORD /d 60 /f2⤵PID:3096
-
C:\Windows\system32\timeout.exetimeout /t 1 /nobreak2⤵
- Delays execution with timeout.exe
PID:3356 -
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\Scheduler" /v "EnablePreemption" /t REG_DWORD /d "0" /f2⤵PID:4988
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\Scheduler" /v "GPUPreemptionLevel" /t REG_DWORD /d "0" /f2⤵PID:2604
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\Scheduler" /v "EnableAsyncMidBufferPreemption" /t REG_DWORD /d "0" /f2⤵PID:3776
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\Scheduler" /v "EnableMidGfxPreemptionVGPU" /t REG_DWORD /d "0" /f2⤵PID:4684
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\Scheduler" /v "EnableMidBufferPreemptionForHighTdrTimeout" /t REG_DWORD /d "0" /f2⤵PID:2892
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\Scheduler" /v "EnableSCGMidBufferPreemption" /t REG_DWORD /d "0" /f2⤵PID:3696
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\Scheduler" /v "PerfAnalyzeMidBufferPreemption" /t REG_DWORD /d "0" /f2⤵PID:4472
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\Scheduler" /v "EnableMidGfxPreemption" /t REG_DWORD /d "0" /f2⤵PID:2948
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\Scheduler" /v "EnableMidBufferPreemption" /t REG_DWORD /d "0" /f2⤵PID:1448
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\Scheduler" /v "EnableCEPreemption" /t REG_DWORD /d "0" /f2⤵PID:2992
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\Scheduler" /v "DisableCudaContextPreemption" /t REG_DWORD /d "0" /f2⤵PID:2276
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\Scheduler" /v "DisablePreemptionOnS3S4" /t REG_DWORD /d "0" /f2⤵PID:656
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\Scheduler" /v "ComputePreemptionLevel" /t REG_DWORD /d "0" /f2⤵PID:3932
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\Scheduler" /v "DisablePreemption" /t REG_DWORD /d "1" /f2⤵PID:540
-
C:\Windows\system32\timeout.exetimeout /t 1 /nobreak2⤵
- Delays execution with timeout.exe
PID:3656 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wmic path win32_videocontroller get PNPDeviceID | findstr /L "VEN_"2⤵PID:1120
-
C:\Windows\System32\Wbem\WMIC.exewmic path win32_videocontroller get PNPDeviceID3⤵PID:2532
-
C:\Windows\system32\findstr.exefindstr /L "VEN_"3⤵PID:2132
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\CurrentControlSet\Enum\PCI\VEN_1234&DEV_1111&SUBSYS_11001AF4&REV_02\3&11583659&0&08\Device Parameters\Interrupt Management\MessageSignaledInterruptProperties" /v "MSISupported" /t REG_DWORD /d "1" /f2⤵PID:2192
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\CurrentControlSet\Enum\PCI\VEN_1234&DEV_1111&SUBSYS_11001AF4&REV_02\3&11583659&0&08\Device Parameters\Interrupt Management\Affinity Policy" /v "DevicePriority" /t REG_DWORD /d "0" /f2⤵PID:216
-
C:\Windows\system32\timeout.exetimeout /t 1 /nobreak2⤵
- Delays execution with timeout.exe
PID:1328 -
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\GpuEnergyDrv" /v "Start" /t REG_DWORD /d "4" /f2⤵PID:924
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\GpuEnergyDr" /v "Start" /t REG_DWORD /d "4" /f2⤵PID:4960
-
C:\Windows\system32\timeout.exetimeout /t 1 /nobreak2⤵
- Delays execution with timeout.exe
PID:3724 -
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "ExitLatency" /t REG_DWORD /d "1" /f2⤵PID:2564
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "ExitLatencyCheckEnabled" /t REG_DWORD /d "1" /f2⤵PID:2096
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "Latency" /t REG_DWORD /d "1" /f2⤵PID:4640
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "LatencyToleranceDefault" /t REG_DWORD /d "1" /f2⤵PID:384
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "LatencyToleranceFSVP" /t REG_DWORD /d "1" /f2⤵PID:2072
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "LatencyTolerancePerfOverride" /t REG_DWORD /d "1" /f2⤵PID:4620
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "LatencyToleranceScreenOffIR" /t REG_DWORD /d "1" /f2⤵PID:1920
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "LatencyToleranceVSyncEnabled" /t REG_DWORD /d "1" /f2⤵PID:3692
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "RtlCapabilityCheckLatency" /t REG_DWORD /d "1" /f2⤵PID:4936
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "QosManagesIdleProcessors" /t REG_DWORD /d "0" /f2⤵PID:2520
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "DisableVsyncLatencyUpdate" /t REG_DWORD /d "0" /f2⤵PID:4508
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "DisableSensorWatchdog" /t REG_DWORD /d "1" /f2⤵PID:1464
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "CoalescingTimerInterval" /t REG_DWORD /d "0" /f2⤵PID:1832
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "InterruptSteeringDisabled" /t REG_DWORD /d "1" /f2⤵PID:1916
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "LowLatencyScalingPercentage" /t REG_DWORD /d "100" /f2⤵PID:2908
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "HighPerformance" /t REG_DWORD /d "1" /f2⤵PID:1852
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "HighestPerformance" /t REG_DWORD /d "1" /f2⤵PID:768
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "MinimumThrottlePercent" /t REG_DWORD /d "0" /f2⤵PID:1628
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "MaximumThrottlePercent" /t REG_DWORD /d "0" /f2⤵PID:1880
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "MaximumPerformancePercent" /t REG_DWORD /d "100" /f2⤵PID:3832
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "InitialUnparkCount" /t REG_DWORD /d "100" /f2⤵PID:1600
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "DefaultD3TransitionLatencyActivelyUsed" /t REG_DWORD /d "0" /f2⤵PID:4432
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "DefaultD3TransitionLatencyIdleLongTime" /t REG_DWORD /d "1" /f2⤵PID:460
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "DefaultD3TransitionLatencyIdleMonitorOff" /t REG_DWORD /d "1" /f2⤵PID:3348
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "DefaultD3TransitionLatencyIdleNoContext" /t REG_DWORD /d "1" /f2⤵PID:2792
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "DefaultD3TransitionLatencyIdleShortTime" /t REG_DWORD /d "1" /f2⤵PID:3336
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "DefaultD3TransitionLatencyIdleVeryLongTime" /t REG_DWORD /d "1" /f2⤵PID:1788
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "DefaultLatencyToleranceIdle0" /t REG_DWORD /d "1" /f2⤵PID:3600
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "DefaultLatencyToleranceIdle0MonitorOff" /t REG_DWORD /d "1" /f2⤵PID:3676
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "DefaultLatencyToleranceIdle1" /t REG_DWORD /d "1" /f2⤵PID:2052
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "DefaultLatencyToleranceIdle1MonitorOff" /t REG_DWORD /d "1" /f2⤵PID:772
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "DefaultLatencyToleranceMemory" /t REG_DWORD /d "1" /f2⤵PID:3428
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "DefaultLatencyToleranceNoContext" /t REG_DWORD /d "1" /f2⤵PID:4832
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "DefaultLatencyToleranceNoContextMonitorOff" /t REG_DWORD /d "1" /f2⤵PID:4256
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "DefaultLatencyToleranceOther" /t REG_DWORD /d "1" /f2⤵PID:1020
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "DefaultLatencyToleranceTimerPeriod" /t REG_DWORD /d "1" /f2⤵PID:4520
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "DefaultMemoryRefreshLatencyToleranceActivelyUsed" /t REG_DWORD /d "1" /f2⤵PID:1220
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "DefaultMemoryRefreshLatencyToleranceMonitorOff" /t REG_DWORD /d "1" /f2⤵PID:1964
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "DefaultMemoryRefreshLatencyToleranceNoContext" /t REG_DWORD /d "1" /f2⤵PID:824
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "Latency" /t REG_DWORD /d "1" /f2⤵PID:4512
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "MiracastPerfTrackGraphicsLatency" /t REG_DWORD /d "1" /f2⤵PID:3268
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "MonitorLatencyTolerance" /t REG_DWORD /d "1" /f2⤵PID:4080
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "MonitorRefreshLatencyTolerance" /t REG_DWORD /d "1" /f2⤵PID:2456
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "TransitionLatency" /t REG_DWORD /d "1" /f2⤵PID:2764
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "DisableVsyncLatencyUpdate" /t REG_DWORD /d "0" /f2⤵PID:4216
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "DisableSensorWatchdog" /t REG_DWORD /d "1" /f2⤵PID:4688
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "InterruptSteeringDisabled" /t REG_DWORD /d "1" /f2⤵PID:4344
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "ExitLatency" /t REG_DWORD /d "1" /f2⤵PID:1392
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "ExitLatencyCheckEnabled" /t REG_DWORD /d "1" /f2⤵PID:2784
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "Latency" /t REG_DWORD /d "1" /f2⤵PID:2500
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "LatencyToleranceDefault" /t REG_DWORD /d "1" /f2⤵PID:2940
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "LatencyToleranceFSVP" /t REG_DWORD /d "1" /f2⤵PID:3636
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "LatencyTolerancePerfOverride" /t REG_DWORD /d "1" /f2⤵PID:4468
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "LatencyToleranceScreenOffIR" /t REG_DWORD /d "1" /f2⤵PID:4056
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "LatencyToleranceVSyncEnabled" /t REG_DWORD /d "1" /f2⤵PID:1124
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "RtlCapabilityCheckLatency" /t REG_DWORD /d "1" /f2⤵PID:4172
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "LowLatencyScalingPercentage" /t REG_DWORD /d "100" /f2⤵PID:1908
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "MaxIAverageGraphicsLatencyInOneBucket" /t REG_DWORD /d "1" /f2⤵PID:3040
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "DefaultD3TransitionLatencyActivelyUsed" /t REG_DWORD /d "0" /f2⤵PID:5068
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "DefaultD3TransitionLatencyIdleLongTime" /t REG_DWORD /d "1" /f2⤵PID:1804
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "DefaultD3TransitionLatencyIdleMonitorOff" /t REG_DWORD /d "1" /f2⤵PID:2540
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "DefaultD3TransitionLatencyIdleNoContext" /t REG_DWORD /d "1" /f2⤵PID:4576
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "DefaultD3TransitionLatencyIdleShortTime" /t REG_DWORD /d "1" /f2⤵PID:5012
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "DefaultD3TransitionLatencyIdleVeryLongTime" /t REG_DWORD /d "1" /f2⤵PID:60
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "DefaultLatencyToleranceIdle0" /t REG_DWORD /d "1" /f2⤵PID:436
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "DefaultLatencyToleranceIdle0MonitorOff" /t REG_DWORD /d "1" /f2⤵PID:1580
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "DefaultLatencyToleranceIdle1" /t REG_DWORD /d "1" /f2⤵PID:4388
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "DefaultLatencyToleranceIdle1MonitorOff" /t REG_DWORD /d "1" /f2⤵PID:5096
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "DefaultLatencyToleranceMemory" /t REG_DWORD /d "1" /f2⤵PID:4072
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "DefaultLatencyToleranceNoContext" /t REG_DWORD /d "1" /f2⤵PID:4716
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "DefaultLatencyToleranceNoContextMonitorOff" /t REG_DWORD /d "1" /f2⤵PID:4264
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "DefaultLatencyToleranceOther" /t REG_DWORD /d "1" /f2⤵PID:1224
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "DefaultLatencyToleranceTimerPeriod" /t REG_DWORD /d "1" /f2⤵PID:4360
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "DefaultMemoryRefreshLatencyToleranceActivelyUsed" /t REG_DWORD /d "1" /f2⤵PID:992
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "DefaultMemoryRefreshLatencyToleranceMonitorOff" /t REG_DWORD /d "1" /f2⤵PID:3436
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "DefaultMemoryRefreshLatencyToleranceNoContext" /t REG_DWORD /d "1" /f2⤵PID:2404
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "MaxIAverageGraphicsLatencyInOneBucket" /t REG_DWORD /d "1" /f2⤵PID:2152
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "Latency" /t REG_DWORD /d "1" /f2⤵PID:3644
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "MiracastPerfTrackGraphicsLatency" /t REG_DWORD /d "1" /f2⤵PID:5032
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "MonitorLatencyTolerance" /t REG_DWORD /d "1" /f2⤵PID:4472
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "MonitorRefreshLatencyTolerance" /t REG_DWORD /d "1" /f2⤵PID:2948
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "TransitionLatency" /t REG_DWORD /d "1" /f2⤵PID:1448
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\GraphicsDrivers" /v "MonitorLatencyTolerance" /t REG_DWORD /d "0" /f2⤵PID:2992
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\GraphicsDrivers" /v "MonitorRefreshLatencyTolerance" /t REG_DWORD /d "0" /f2⤵PID:2276
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\Power" /v "MonitorLatencyTolerance" /t REG_DWORD /d "0" /f2⤵PID:656
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\Power" /v "MonitorRefreshLatencyTolerance" /t REG_DWORD /d "0" /f2⤵PID:3932
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\GraphicsDrivers" /v "RMDisablePostL2Compression" /t REG_DWORD /d "1" /f2⤵PID:540
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\GraphicsDrivers" /v "RmDisableRegistryCaching" /t REG_DWORD /d "1" /f2⤵PID:3656
-
C:\Windows\system32\timeout.exetimeout /t 1 /nobreak2⤵
- Delays execution with timeout.exe
PID:3460 -
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "QosManagesIdleProcessors" /t REG_DWORD /d "0" /f2⤵PID:3768
-
C:\Windows\system32\reg.exe
Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "InitialUnparkCount" /t REG_DWORD /d "100" /f
2⤵
PID:2620
-
C:\Windows\system32\reg.exe
Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "HighPerformance" /t REG_DWORD /d "1" /f
2⤵
PID:1120
-
C:\Windows\system32\reg.exe
Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "HighestPerformance" /t REG_DWORD /d "1" /f
2⤵
PID:2192
-
C:\Windows\system32\reg.exe
Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "MinimumThrottlePercent" /t REG_DWORD /d "0" /f
2⤵
PID:216
-
C:\Windows\system32\reg.exe
Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "MaximumThrottlePercent" /t REG_DWORD /d "0" /f
2⤵
PID:1328
-
C:\Windows\system32\reg.exe
Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "MaximumPerformancePercent" /t REG_DWORD /d "100" /f
2⤵
PID:924
-
C:\Windows\system32\reg.exe
Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\nvlddmkm\Global\NVTweak" /v "DisplayPowerSaving" /t Reg_DWORD /d "0" /f
2⤵
PID:4960
-
C:\Windows\system32\reg.exe
Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "EnergyEstimationEnabled" /t REG_DWORD /d "0" /f
2⤵
PID:2808
-
C:\Windows\system32\reg.exe
Reg.exe add "HKLM\SYSTEM\ControlSet001\Services\nvlddmkm\Global\NVTweak" /v "DisplayPowerSaving" /t REG_DWORD /d "0" /f
2⤵
PID:1496
-
C:\Windows\system32\reg.exe
Reg.exe add "HKLM\SOFTWARE\NVIDIA Corporation\Global\NVTweak" /v "DisplayPowerSaving" /t REG_DWORD /d "0" /f
2⤵
PID:4972
-
C:\Windows\system32\reg.exe
Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000" /v "TCCSupported" /t REG_DWORD /d "0" /f
2⤵
PID:3784
-
C:\Windows\system32\reg.exe
Reg.exe add "HKCU\SOFTWARE\NVIDIA Corporation\Global\NVTweak\Devices\509901423-0\Color" /v "NvCplUseColorCorrection" /t REG_DWORD /d "0" /f
2⤵
PID:2464
-
C:\Windows\system32\reg.exe
Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\GraphicsDrivers" /v "PlatformSupportMiracast" /t REG_DWORD /d "0" /f
2⤵
PID:1136
-
C:\Windows\system32\reg.exe
Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\nvlddmkm\FTS" /v EnableRID73779 /t REG_DWORD /d 1 /f
2⤵
PID:4652
-
C:\Windows\system32\reg.exe
Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\nvlddmkm\FTS" /v EnableRID73780 /t REG_DWORD /d 1 /f
2⤵
PID:4752
-
C:\Windows\system32\reg.exe
Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\nvlddmkm\FTS" /v EnableRID74361 /t REG_DWORD /d 1 /f
2⤵
PID:1980
-
C:\Windows\system32\reg.exe
Reg.exe add "HKLM\SOFTWARE\NVIDIA Corporation\Global\FTS" /v EnableRID44231 /t REG_DWORD /d 0 /f
2⤵
PID:4836
-
C:\Windows\system32\reg.exe
Reg.exe add "HKLM\SOFTWARE\NVIDIA Corporation\Global\FTS" /v EnableRID64640 /t REG_DWORD /d 0 /f
2⤵
PID:2520
-
C:\Windows\system32\reg.exe
Reg.exe add "HKLM\SOFTWARE\NVIDIA Corporation\Global\FTS" /v EnableRID66610 /t REG_DWORD /d 0 /f
2⤵
PID:3664
-
C:\Windows\system32\reg.exe
Reg.exe add "HKLM\SOFTWARE\NVIDIA Corporation\NvControlPanel2\Client" /v OptInOrOutPreference /t REG_DWORD /d 0 /f
2⤵
PID:1080
-
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -s w32time
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2492
-
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.4467_none_7e0f83e07c8c1985\TiWorker.exe
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.4467_none_7e0f83e07c8c1985\TiWorker.exe -Embedding
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:4636
Network
MITRE ATT&CK Enterprise v15
Execution
- Command and Scripting Interpreter: 1
  - PowerShell: 1
- System Services: 2
  - Service Execution: 2
Persistence
- Boot or Logon Autostart Execution: 2
  - Registry Run Keys / Startup Folder: 1
  - Time Providers: 1
- Create or Modify System Process: 2
  - Windows Service: 2
- Event Triggered Execution: 1
  - Change Default File Association: 1
- Hijack Execution Flow: 1
  - Executable Installer File Permissions Weakness: 1
- Power Settings: 1
- Server Software Component: 1
  - Terminal Services DLL: 1
Privilege Escalation
- Abuse Elevation Control Mechanism: 1
  - Bypass User Account Control: 1
- Boot or Logon Autostart Execution: 2
  - Registry Run Keys / Startup Folder: 1
  - Time Providers: 1
- Create or Modify System Process: 2
  - Windows Service: 2
- Event Triggered Execution: 1
  - Change Default File Association: 1
- Hijack Execution Flow: 1
  - Executable Installer File Permissions Weakness: 1
Defense Evasion
- Abuse Elevation Control Mechanism: 1
  - Bypass User Account Control: 1
- File and Directory Permissions Modification: 1
- Hide Artifacts: 3
  - Hidden Files and Directories: 3
- Hijack Execution Flow: 1
  - Executable Installer File Permissions Weakness: 1
- Impair Defenses: 3
  - Disable or Modify Tools: 2
- Modify Registry: 6
Downloads