Analysis

  • max time kernel
    120s
  • max time network
    95s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    12-11-2024 12:02

General

  • Target

    https://github.com/ancel1x/Ancels-Performance-Batch

Malware Config

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 8 IoCs
  • Modifies security service 2 TTPs 2 IoCs
  • UAC bypass 3 TTPs 1 IoCs
  • Modifies boot configuration data using bcdedit 1 TTPs 3 IoCs
  • Event Triggered Execution: Image File Execution Options Injection 1 TTPs 64 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

    Using powershell.exe command.

  • Indicator Removal: Clear Persistence 1 TTPs 46 IoCs

    remove IFEO.

  • Indicator Removal: File Deletion 1 TTPs

    Adversaries may delete files left behind by the actions of their intrusion activity.

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs
  • Modifies Security services 2 TTPs 2 IoCs

    Modifies the startup behavior of a security service.

  • Power Settings 1 TTPs 1 IoCs

    powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.

  • Hide Artifacts: Ignore Process Interrupts 1 TTPs 2 IoCs

    Command interpreters often include specific commands/flags that ignore errors and other hangups.

  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

  • Delays execution with timeout.exe 54 IoCs
  • Disables Windows logging functionality 2 TTPs

    Changes registry settings to disable Windows Event logging.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies registry class 1 IoCs
  • NTFS ADS 1 IoCs
  • Opens file in notepad (likely ransom note) 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 24 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 36 IoCs
  • Suspicious use of SendNotifyMessage 24 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://github.com/ancel1x/Ancels-Performance-Batch
    1⤵
    • Enumerates system info in registry
    • Modifies registry class
    • NTFS ADS
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:1380
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fff571f46f8,0x7fff571f4708,0x7fff571f4718
      2⤵
        PID:2208
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2052,14348028062421536454,4892777636931418873,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2124 /prefetch:2
        2⤵
          PID:4808
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2052,14348028062421536454,4892777636931418873,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2176 /prefetch:3
          2⤵
          • Suspicious behavior: EnumeratesProcesses
          PID:1472
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2052,14348028062421536454,4892777636931418873,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2620 /prefetch:8
          2⤵
            PID:3756
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,14348028062421536454,4892777636931418873,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3304 /prefetch:1
            2⤵
              PID:3744
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,14348028062421536454,4892777636931418873,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3312 /prefetch:1
              2⤵
                PID:640
              • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
                "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2052,14348028062421536454,4892777636931418873,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5556 /prefetch:8
                2⤵
                  PID:1428
                • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
                  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2052,14348028062421536454,4892777636931418873,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5556 /prefetch:8
                  2⤵
                  • Suspicious behavior: EnumeratesProcesses
                  PID:1436
                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2052,14348028062421536454,4892777636931418873,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5236 /prefetch:8
                  2⤵
                    PID:1232
                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,14348028062421536454,4892777636931418873,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4748 /prefetch:1
                    2⤵
                      PID:4564
                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,14348028062421536454,4892777636931418873,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6068 /prefetch:1
                      2⤵
                        PID:3304
                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,14348028062421536454,4892777636931418873,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5188 /prefetch:1
                        2⤵
                          PID:2364
                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,14348028062421536454,4892777636931418873,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6020 /prefetch:1
                          2⤵
                            PID:112
                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,14348028062421536454,4892777636931418873,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4772 /prefetch:1
                            2⤵
                              PID:2652
                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2052,14348028062421536454,4892777636931418873,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5892 /prefetch:8
                              2⤵
                              • Suspicious behavior: EnumeratesProcesses
                              PID:5192
                          • C:\Windows\System32\CompPkgSrv.exe
                            C:\Windows\System32\CompPkgSrv.exe -Embedding
                            1⤵
                              PID:2760
                            • C:\Windows\System32\CompPkgSrv.exe
                              C:\Windows\System32\CompPkgSrv.exe -Embedding
                              1⤵
                                PID:1604
                              • C:\Windows\System32\rundll32.exe
                                C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
                                1⤵
                                  PID:5312
                                • C:\Windows\System32\NOTEPAD.EXE
                                  "C:\Windows\System32\NOTEPAD.EXE" C:\Users\Admin\Downloads\AncelsPerformanceBatch.bat
                                  1⤵
                                  • Opens file in notepad (likely ransom note)
                                  PID:5840
                                • C:\Windows\System32\cmd.exe
                                  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\Downloads\AncelsPerformanceBatch.bat"
                                  1⤵
                                    PID:5884
                                    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                      powershell "Set-ExecutionPolicy Unrestricted"
                                      2⤵
                                      • Command and Scripting Interpreter: PowerShell
                                      • Suspicious behavior: EnumeratesProcesses
                                      • Suspicious use of AdjustPrivilegeToken
                                      PID:5936
                                    • C:\Windows\system32\reg.exe
                                      reg add "HKCU\CONSOLE" /v "VirtualTerminalLevel" /t REG_DWORD /d "1" /f
                                      2⤵
                                        PID:6064
                                      • C:\Windows\system32\reg.exe
                                        reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "EnableLUA" /t REG_DWORD /d "0" /f
                                        2⤵
                                        • UAC bypass
                                        PID:6088
                                      • C:\Windows\system32\timeout.exe
                                        timeout /t 3 /nobreak
                                        2⤵
                                        • Delays execution with timeout.exe
                                        PID:6108
                                      • C:\Windows\system32\cacls.exe
                                        "C:\Windows\system32\cacls.exe" "C:\Windows\system32\config\system"
                                        2⤵
                                          PID:3304
                                        • C:\Windows\system32\chcp.com
                                          chcp 65001
                                          2⤵
                                            PID:3392
                                          • C:\Windows\system32\bcdedit.exe
                                            bcdedit /set useplatformclock No
                                            2⤵
                                            • Modifies boot configuration data using bcdedit
                                            PID:3212
                                          • C:\Windows\system32\bcdedit.exe
                                            bcdedit /seplatformtick No
                                            2⤵
                                            • Modifies boot configuration data using bcdedit
                                            PID:2992
                                          • C:\Windows\system32\bcdedit.exe
                                            bcdedit /set disabledynamictick Yes
                                            2⤵
                                            • Modifies boot configuration data using bcdedit
                                            PID:5200
                                          • C:\Windows\system32\timeout.exe
                                            timeout /t 1 /nobreak
                                            2⤵
                                            • Delays execution with timeout.exe
                                            PID:5272
                                          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                            powershell "ForEach($v in (Get-Command -Name \"Set-ProcessMitigation\").Parameters[\"Disable\"].Attributes.ValidValues){Set-ProcessMitigation -System -Disable $v.ToString() -ErrorAction SilentlyContinue}"
                                            2⤵
                                            • Command and Scripting Interpreter: PowerShell
                                            • Hide Artifacts: Ignore Process Interrupts
                                            • Suspicious behavior: EnumeratesProcesses
                                            • Suspicious use of AdjustPrivilegeToken
                                            PID:5256
                                          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                            powershell "Remove-Item -Path \"HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\*\" -Recurse -ErrorAction SilentlyContinue"
                                            2⤵
                                            • Event Triggered Execution: Image File Execution Options Injection
                                            • Indicator Removal: Clear Persistence
                                            • Hide Artifacts: Ignore Process Interrupts
                                            • Suspicious behavior: EnumeratesProcesses
                                            • Suspicious use of AdjustPrivilegeToken
                                            PID:5136
                                          • C:\Windows\system32\reg.exe
                                            reg add "HKLM\SOFTWARE\Policies\Microsoft\FVE" /v "DisableExternalDMAUnderLock" /t REG_DWORD /d "0" /f
                                            2⤵
                                              PID:4944
                                            • C:\Windows\system32\reg.exe
                                              reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard" /v "EnableVirtualizationBasedSecurity" /t REG_DWORD /d "0" /f
                                              2⤵
                                                PID:4600
                                              • C:\Windows\system32\reg.exe
                                                reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard" /v "HVCIMATRequired" /t REG_DWORD /d "0" /f
                                                2⤵
                                                  PID:5420
                                                • C:\Windows\system32\reg.exe
                                                  reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\kernel" /v "DisableExceptionChainValidation" /t REG_DWORD /d "1" /f
                                                  2⤵
                                                    PID:5396
                                                  • C:\Windows\system32\reg.exe
                                                    reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\kernel" /v "KernelSEHOPEnabled" /t REG_DWORD /d "0" /f
                                                    2⤵
                                                      PID:5440
                                                    • C:\Windows\system32\reg.exe
                                                      reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v "EnableCfg" /t REG_DWORD /d "0" /f
                                                      2⤵
                                                        PID:5416
                                                      • C:\Windows\system32\reg.exe
                                                        reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager" /v "ProtectionMode" /t REG_DWORD /d "0" /f
                                                        2⤵
                                                          PID:5476
                                                        • C:\Windows\system32\reg.exe
                                                          reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v "FeatureSettings" /t REG_DWORD /d "1" /f
                                                          2⤵
                                                            PID:5496
                                                          • C:\Windows\system32\reg.exe
                                                            reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v "FeatureSettingsOverride" /t REG_DWORD /d "3" /f
                                                            2⤵
                                                              PID:5532
                                                            • C:\Windows\system32\reg.exe
                                                              reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v "FeatureSettingsOverrideMask" /t REG_DWORD /d "3" /f
                                                              2⤵
                                                                PID:3548
                                                              • C:\Windows\system32\reg.exe
                                                                reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\kernel" /v "MitigationOptions" /t REG_BINARY /d "222222222222222222222222222222222222222222222222" /f
                                                                2⤵
                                                                  PID:4476
                                                                • C:\Windows\system32\timeout.exe
                                                                  timeout /t 1 /nobreak
                                                                  2⤵
                                                                  • Delays execution with timeout.exe
                                                                  PID:5552
                                                                • C:\Windows\system32\fsutil.exe
                                                                  fsutil behavior set memoryusage 2
                                                                  2⤵
                                                                    PID:5572
                                                                  • C:\Windows\system32\fsutil.exe
                                                                    fsutil behavior set mftzone 4
                                                                    2⤵
                                                                      PID:5588
                                                                    • C:\Windows\system32\fsutil.exe
                                                                      fsutil behavior set disablelastaccess 1
                                                                      2⤵
                                                                        PID:5608
                                                                      • C:\Windows\system32\fsutil.exe
                                                                        fsutil behavior set disabledeletenotify 0
                                                                        2⤵
                                                                          PID:5536
                                                                        • C:\Windows\system32\fsutil.exe
                                                                          fsutil behavior set encryptpagingfile 0
                                                                          2⤵
                                                                            PID:5632
                                                                          • C:\Windows\system32\timeout.exe
                                                                            timeout /t 1 /nobreak
                                                                            2⤵
                                                                            • Delays execution with timeout.exe
                                                                            PID:5688
                                                                          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                            PowerShell -Command "Disable-MMAgent -MemoryCompression"
                                                                            2⤵
                                                                            • Command and Scripting Interpreter: PowerShell
                                                                            • Suspicious behavior: EnumeratesProcesses
                                                                            • Suspicious use of AdjustPrivilegeToken
                                                                            PID:5672
                                                                          • C:\Windows\system32\timeout.exe
                                                                            timeout /t 1 /nobreak
                                                                            2⤵
                                                                            • Delays execution with timeout.exe
                                                                            PID:2788
                                                                          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                            PowerShell -Command "Disable-MMAgent -PageCombining"
                                                                            2⤵
                                                                            • Command and Scripting Interpreter: PowerShell
                                                                            • Suspicious behavior: EnumeratesProcesses
                                                                            • Suspicious use of AdjustPrivilegeToken
                                                                            PID:1064
                                                                          • C:\Windows\system32\timeout.exe
                                                                            timeout /t 1 /nobreak
                                                                            2⤵
                                                                            • Delays execution with timeout.exe
                                                                            PID:5796
                                                                          • C:\Windows\system32\reg.exe
                                                                            reg add "HKLM\SYSTEM\CurrentControlSet\Control\PriorityControl" /v "Win32PrioritySeparation" /t REG_DWORD /d "38" /f
                                                                            2⤵
                                                                              PID:2752
                                                                            • C:\Windows\system32\timeout.exe
                                                                              timeout /t 1 /nobreak
                                                                              2⤵
                                                                              • Delays execution with timeout.exe
                                                                              PID:4788
                                                                            • C:\Windows\system32\reg.exe
                                                                              reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v "LargeSystemCache" /t REG_DWORD /d "1" /f
                                                                              2⤵
                                                                                PID:5108
                                                                              • C:\Windows\system32\timeout.exe
                                                                                timeout /t 1 /nobreak
                                                                                2⤵
                                                                                • Delays execution with timeout.exe
                                                                                PID:1228
                                                                              • C:\Windows\system32\reg.exe
                                                                                reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power" /v "HiberbootEnabled" /t REG_DWORD /d "0" /f
                                                                                2⤵
                                                                                  PID:4920
                                                                                • C:\Windows\system32\timeout.exe
                                                                                  timeout /t 1 /nobreak
                                                                                  2⤵
                                                                                  • Delays execution with timeout.exe
                                                                                  PID:4932
                                                                                • C:\Windows\system32\powercfg.exe
                                                                                  powercfg /h off
                                                                                  2⤵
                                                                                  • Power Settings
                                                                                  • Suspicious use of AdjustPrivilegeToken
                                                                                  PID:5184
                                                                                • C:\Windows\system32\reg.exe
                                                                                  reg add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "HibernateEnabled" /t REG_DWORD /d "0" /f
                                                                                  2⤵
                                                                                    PID:2360
                                                                                  • C:\Windows\system32\reg.exe
                                                                                    reg add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "SleepReliabilityDetailedDiagnostics" /t REG_DWORD /d "0" /f
                                                                                    2⤵
                                                                                      PID:1492
                                                                                    • C:\Windows\system32\timeout.exe
                                                                                      timeout /t 1 /nobreak
                                                                                      2⤵
                                                                                      • Delays execution with timeout.exe
                                                                                      PID:3164
                                                                                    • C:\Windows\system32\reg.exe
                                                                                      reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power" /v "SleepStudyDisabled" /t REG_DWORD /d "1" /f
                                                                                      2⤵
                                                                                        PID:5288
                                                                                      • C:\Windows\system32\timeout.exe
                                                                                        timeout /t 1 /nobreak
                                                                                        2⤵
                                                                                        • Delays execution with timeout.exe
                                                                                        PID:4840
                                                                                      • C:\Windows\system32\reg.exe
                                                                                        reg add "HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer\Main" /v "DEPOff" /t REG_DWORD /d "1" /f
                                                                                        2⤵
                                                                                          PID:212
                                                                                        • C:\Windows\system32\timeout.exe
                                                                                          timeout /t 1 /nobreak
                                                                                          2⤵
                                                                                          • Delays execution with timeout.exe
                                                                                          PID:5040
                                                                                        • C:\Windows\system32\reg.exe
                                                                                          reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\Maintenance" /v "MaintenanceDisabled" /t REG_DWORD /d "1" /f
                                                                                          2⤵
                                                                                            PID:1828
                                                                                          • C:\Windows\system32\timeout.exe
                                                                                            timeout /t 1 /nobreak
                                                                                            2⤵
                                                                                            • Delays execution with timeout.exe
                                                                                            PID:468
                                                                                          • C:\Windows\system32\reg.exe
                                                                                            reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v "DisablePagingExecutive" /t REG_DWORD /d "1" /f
                                                                                            2⤵
                                                                                              PID:1008
                                                                                            • C:\Windows\system32\timeout.exe
                                                                                              timeout /t 1 /nobreak
                                                                                              2⤵
                                                                                              • Delays execution with timeout.exe
                                                                                              PID:3620
                                                                                            • C:\Windows\system32\reg.exe
                                                                                              reg add "HKLM\SYSTEM\CurrentControlSet\Control\GraphicsDrivers" /v "DpiMapIommuContiguous" /t REG_DWORD /d "1" /f
                                                                                              2⤵
                                                                                                PID:4200
                                                                                              • C:\Windows\system32\timeout.exe
                                                                                                timeout /t 1 /nobreak
                                                                                                2⤵
                                                                                                • Delays execution with timeout.exe
                                                                                                PID:4972
                                                                                              • C:\Windows\system32\reg.exe
                                                                                                reg add "HKLM\SOFTWARE\Microsoft\FTH" /v "Enabled" /t REG_DWORD /d "0" /f
                                                                                                2⤵
                                                                                                  PID:4808
                                                                                                • C:\Windows\system32\timeout.exe
                                                                                                  timeout /t 1 /nobreak
                                                                                                  2⤵
                                                                                                  • Delays execution with timeout.exe
                                                                                                  PID:2488
                                                                                                • C:\Windows\system32\reg.exe
                                                                                                  reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v "MoveImages" /t REG_DWORD /d "0" /f
                                                                                                  2⤵
                                                                                                    PID:2932
                                                                                                  • C:\Windows\system32\timeout.exe
                                                                                                    timeout /t 1 /nobreak
                                                                                                    2⤵
                                                                                                    • Delays execution with timeout.exe
                                                                                                    PID:1436
                                                                                                  • C:\Windows\system32\reg.exe
                                                                                                    reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager" /v "CoalescingTimerInterval" /t REG_DWORD /d "0" /f
                                                                                                    2⤵
                                                                                                      PID:4172
                                                                                                    • C:\Windows\system32\reg.exe
                                                                                                      reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power" /v "CoalescingTimerInterval" /t REG_DWORD /d "0" /f
                                                                                                      2⤵
                                                                                                        PID:3052
                                                                                                      • C:\Windows\system32\reg.exe
                                                                                                        reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v "CoalescingTimerInterval" /t REG_DWORD /d "0" /f
                                                                                                        2⤵
                                                                                                          PID:1472
                                                                                                        • C:\Windows\system32\reg.exe
                                                                                                          reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\kernel" /v "CoalescingTimerInterval" /t REG_DWORD /d "0" /f
                                                                                                          2⤵
                                                                                                            PID:5820
                                                                                                          • C:\Windows\system32\reg.exe
                                                                                                            reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Executive" /v "CoalescingTimerInterval" /t REG_DWORD /d "0" /f
                                                                                                            2⤵
                                                                                                              PID:5068
                                                                                                            • C:\Windows\system32\reg.exe
                                                                                                              reg add "HKLM\SYSTEM\CurrentControlSet\Control\Power\ModernSleep" /v "CoalescingTimerInterval" /t REG_DWORD /d "0" /f
                                                                                                              2⤵
                                                                                                                PID:5860
                                                                                                              • C:\Windows\system32\reg.exe
                                                                                                                reg add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "CoalescingTimerInterval" /t REG_DWORD /d "0" /f
                                                                                                                2⤵
                                                                                                                  PID:5900
                                                                                                                • C:\Windows\system32\reg.exe
                                                                                                                  reg add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "PlatformAoAcOverride" /t REG_DWORD /d "0" /f
                                                                                                                  2⤵
                                                                                                                    PID:6004
                                                                                                                  • C:\Windows\system32\reg.exe
                                                                                                                    reg add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "EnergyEstimationEnabled" /t REG_DWORD /d "0" /f
                                                                                                                    2⤵
                                                                                                                      PID:6008
                                                                                                                    • C:\Windows\system32\reg.exe
                                                                                                                      reg add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "EventProcessorEnabled" /t REG_DWORD /d "0" /f
                                                                                                                      2⤵
                                                                                                                        PID:5968
                                                                                                                      • C:\Windows\system32\reg.exe
                                                                                                                        reg add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "CsEnabled" /t REG_DWORD /d "0" /f
                                                                                                                        2⤵
                                                                                                                          PID:5940
                                                                                                                        • C:\Windows\system32\reg.exe
                                                                                                                          reg add "HKLM\SYSTEM\CurrentControlSet\Control\Power\PowerThrottling" /v "PowerThrottlingOff" /t REG_DWORD /d "1" /f
                                                                                                                          2⤵
                                                                                                                            PID:6036
                                                                                                                          • C:\Windows\system32\timeout.exe
                                                                                                                            timeout /t 1 /nobreak
                                                                                                                            2⤵
                                                                                                                            • Delays execution with timeout.exe
                                                                                                                            PID:6056
                                                                                                                          • C:\Windows\system32\reg.exe
                                                                                                                            reg add "HKLM\SYSTEM\CurrentControlSet\Control\GraphicsDrivers" /v "HwSchMode" /t REG_DWORD /d "2" /f
                                                                                                                            2⤵
                                                                                                                              PID:6068
                                                                                                                            • C:\Windows\system32\timeout.exe
                                                                                                                              timeout /t 1 /nobreak
                                                                                                                              2⤵
                                                                                                                              • Delays execution with timeout.exe
                                                                                                                              PID:6092
                                                                                                                            • C:\Windows\system32\reg.exe
                                                                                                                              reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\kernel" /v "DistributeTimers" /t REG_DWORD /d "1" /f
                                                                                                                              2⤵
                                                                                                                                PID:6104
                                                                                                                              • C:\Windows\system32\timeout.exe
                                                                                                                                timeout /t 1 /nobreak
                                                                                                                                2⤵
                                                                                                                                • Delays execution with timeout.exe
                                                                                                                                PID:3972
                                                                                                                              • C:\Windows\system32\reg.exe
                                                                                                                                reg add "HKCU\SOFTWARE\Microsoft\GameBar" /v "AllowAutoGameMode" /t REG_DWORD /d "1" /f
                                                                                                                                2⤵
                                                                                                                                  PID:2796
                                                                                                                                • C:\Windows\system32\reg.exe
                                                                                                                                  reg add "HKCU\SOFTWARE\Microsoft\GameBar" /v "AutoGameModeEnabled" /t REG_DWORD /d "1" /f
                                                                                                                                  2⤵
                                                                                                                                    PID:2884
                                                                                                                                  • C:\Windows\system32\timeout.exe
                                                                                                                                    timeout /t 1 /nobreak
                                                                                                                                    2⤵
                                                                                                                                    • Delays execution with timeout.exe
                                                                                                                                    PID:6136
                                                                                                                                  • C:\Windows\system32\reg.exe
                                                                                                                                    reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\GameDVR" /v "AppCaptureEnabled" /t REG_DWORD /d "0" /f
                                                                                                                                    2⤵
                                                                                                                                      PID:5164
                                                                                                                                    • C:\Windows\system32\reg.exe
                                                                                                                                      reg add "HKLM\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.Gaming.GameBar.PresenceServer.Internal.PresenceWriter" /v "ActivationType" /t REG_DWORD /d "0" /f
                                                                                                                                      2⤵
                                                                                                                                        PID:6116
                                                                                                                                      • C:\Windows\system32\timeout.exe
                                                                                                                                        timeout /t 1 /nobreak
                                                                                                                                        2⤵
                                                                                                                                        • Delays execution with timeout.exe
                                                                                                                                        PID:4252
                                                                                                                                      • C:\Windows\system32\reg.exe
                                                                                                                                        reg add "HKCU\Control Panel\Desktop" /v "MenuShowDelay" /t REG_DWORD /d "0" /f
                                                                                                                                        2⤵
                                                                                                                                          PID:3392
                                                                                                                                        • C:\Windows\system32\timeout.exe
                                                                                                                                          timeout /t 1 /nobreak
                                                                                                                                          2⤵
                                                                                                                                          • Delays execution with timeout.exe
                                                                                                                                          PID:4688
                                                                                                                                        • C:\Windows\system32\reg.exe
                                                                                                                                          reg add "HKLM\SYSTEM\CurrentControlSet\Services\GpuEnergyDrv" /v "Start" /t REG_DWORD /d "4" /f
                                                                                                                                          2⤵
                                                                                                                                            PID:4380
                                                                                                                                          • C:\Windows\system32\reg.exe
                                                                                                                                            reg add "HKLM\SYSTEM\CurrentControlSet\Services\GpuEnergyDr" /v "Start" /t REG_DWORD /d "4" /f
                                                                                                                                            2⤵
                                                                                                                                              PID:2484
                                                                                                                                            • C:\Windows\system32\timeout.exe
                                                                                                                                              timeout /t 1 /nobreak
                                                                                                                                              2⤵
                                                                                                                                              • Delays execution with timeout.exe
                                                                                                                                              PID:2988
                                                                                                                                            • C:\Windows\system32\reg.exe
                                                                                                                                              reg add "HKLM\SYSTEM\CurrentControlSet\Control\Power\EnergyEstimation\TaggedEnergy" /v "DisableTaggedEnergyLogging" /t REG_DWORD /d "1" /f
                                                                                                                                              2⤵
                                                                                                                                                PID:4008
                                                                                                                                              • C:\Windows\system32\reg.exe
                                                                                                                                                reg add "HKLM\SYSTEM\CurrentControlSet\Control\Power\EnergyEstimation\TaggedEnergy" /v "TelemetryMaxApplication" /t REG_DWORD /d "0" /f
                                                                                                                                                2⤵
                                                                                                                                                  PID:5208
                                                                                                                                                • C:\Windows\system32\reg.exe
                                                                                                                                                  reg add "HKLM\SYSTEM\CurrentControlSet\Control\Power\EnergyEstimation\TaggedEnergy" /v "TelemetryMaxTagPerApplication" /t REG_DWORD /d "0" /f
                                                                                                                                                  2⤵
                                                                                                                                                    PID:5316
                                                                                                                                                  • C:\Windows\system32\timeout.exe
                                                                                                                                                    timeout /t 1 /nobreak
                                                                                                                                                    2⤵
                                                                                                                                                    • Delays execution with timeout.exe
                                                                                                                                                    PID:3480
                                                                                                                                                  • C:\Windows\system32\reg.exe
                                                                                                                                                    reg add "HKLM\SOFTWARE\Microsoft\PolicyManager\current\device\System" /v "AllowExperimentation" /t REG_DWORD /d "0" /f
                                                                                                                                                    2⤵
                                                                                                                                                      PID:5252
                                                                                                                                                    • C:\Windows\system32\reg.exe
                                                                                                                                                      reg add "HKLM\SOFTWARE\Microsoft\PolicyManager\default\System\AllowExperimentation" /v "value" /t REG_DWORD /d "0" /f
                                                                                                                                                      2⤵
                                                                                                                                                        PID:760
                                                                                                                                                      • C:\Windows\system32\timeout.exe
                                                                                                                                                        timeout /t 1 /nobreak
                                                                                                                                                        2⤵
                                                                                                                                                        • Delays execution with timeout.exe
                                                                                                                                                        PID:4244
                                                                                                                                                      • C:\Windows\system32\reg.exe
                                                                                                                                                        reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile" /v "NoLazyMode" /t REG_DWORD /d "1" /f
                                                                                                                                                        2⤵
                                                                                                                                                          PID:5256
                                                                                                                                                        • C:\Windows\system32\reg.exe
                                                                                                                                                          reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile" /v "AlwaysOn" /t REG_DWORD /d "1" /f
                                                                                                                                                          2⤵
                                                                                                                                                            PID:1652
                                                                                                                                                          • C:\Windows\system32\reg.exe
                                                                                                                                                            reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Games" /v "GPU Priority" /t REG_DWORD /d "8" /f
                                                                                                                                                            2⤵
                                                                                                                                                              PID:4284
                                                                                                                                                            • C:\Windows\system32\reg.exe
                                                                                                                                                              reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Games" /v "Priority" /t REG_DWORD /d "6" /f
                                                                                                                                                              2⤵
                                                                                                                                                                PID:232
                                                                                                                                                              • C:\Windows\system32\reg.exe
                                                                                                                                                                reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Games" /v "Scheduling Category" /t REG_SZ /d "High" /f
                                                                                                                                                                2⤵
                                                                                                                                                                  PID:5160
                                                                                                                                                                • C:\Windows\system32\reg.exe
                                                                                                                                                                  reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Games" /v "SFIO Priority" /t REG_SZ /d "High" /f
                                                                                                                                                                  2⤵
                                                                                                                                                                    PID:5364
                                                                                                                                                                  • C:\Windows\system32\reg.exe
                                                                                                                                                                    reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Games" /v "Latency Sensitive" /t REG_SZ /d "True" /f
                                                                                                                                                                    2⤵
                                                                                                                                                                      PID:552
                                                                                                                                                                    • C:\Windows\system32\timeout.exe
                                                                                                                                                                      timeout /t 1 /nobreak
                                                                                                                                                                      2⤵
                                                                                                                                                                      • Delays execution with timeout.exe
                                                                                                                                                                      PID:4944
                                                                                                                                                                    • C:\Windows\system32\reg.exe
                                                                                                                                                                      reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Reliability" /v "TimeStampInterval" /t REG_DWORD /d "1" /f
                                                                                                                                                                      2⤵
                                                                                                                                                                        PID:3280
                                                                                                                                                                      • C:\Windows\system32\reg.exe
                                                                                                                                                                        reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Reliability" /v "IoPriority" /t REG_DWORD /d "3" /f
                                                                                                                                                                        2⤵
                                                                                                                                                                          PID:5388
                                                                                                                                                                        • C:\Windows\system32\timeout.exe
                                                                                                                                                                          timeout /t 1 /nobreak
                                                                                                                                                                          2⤵
                                                                                                                                                                          • Delays execution with timeout.exe
                                                                                                                                                                          PID:5432
                                                                                                                                                                        • C:\Windows\system32\reg.exe
                                                                                                                                                                          reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\csrss.exe\PerfOptions" /v "CpuPriorityClass" /t REG_DWORD /d "4" /f
                                                                                                                                                                          2⤵
                                                                                                                                                                          • Event Triggered Execution: Image File Execution Options Injection
                                                                                                                                                                          PID:5452
                                                                                                                                                                        • C:\Windows\system32\reg.exe
                                                                                                                                                                          reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\csrss.exe\PerfOptions" /v "IoPriority" /t REG_DWORD /d "3" /f
                                                                                                                                                                          2⤵
                                                                                                                                                                          • Event Triggered Execution: Image File Execution Options Injection
                                                                                                                                                                          PID:5412
                                                                                                                                                                        • C:\Windows\system32\timeout.exe
                                                                                                                                                                          timeout /t 1 /nobreak
                                                                                                                                                                          2⤵
                                                                                                                                                                          • Delays execution with timeout.exe
                                                                                                                                                                          PID:5488
                                                                                                                                                                        • C:\Windows\system32\reg.exe
                                                                                                                                                                          reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile" /v "SystemResponsiveness" /t REG_DWORD /d "10" /f
                                                                                                                                                                          2⤵
                                                                                                                                                                            PID:5492
                                                                                                                                                                          • C:\Windows\system32\timeout.exe
                                                                                                                                                                            timeout /t 1 /nobreak
                                                                                                                                                                            2⤵
                                                                                                                                                                            • Delays execution with timeout.exe
                                                                                                                                                                            PID:5520
                                                                                                                                                                          • C:\Windows\system32\reg.exe
                                                                                                                                                                            reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "RemediationRequired" /t REG_DWORD /d "0" /f
                                                                                                                                                                            2⤵
                                                                                                                                                                              PID:5528
                                                                                                                                                                            • C:\Windows\system32\timeout.exe
                                                                                                                                                                              timeout /t 1 /nobreak
                                                                                                                                                                              2⤵
                                                                                                                                                                              • Delays execution with timeout.exe
                                                                                                                                                                              PID:5564
                                                                                                                                                                            • C:\Windows\system32\reg.exe
                                                                                                                                                                              reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "SoftLandingEnabled" /t REG_DWORD /d "0" /f
                                                                                                                                                                              2⤵
                                                                                                                                                                                PID:5548
                                                                                                                                                                              • C:\Windows\system32\timeout.exe
                                                                                                                                                                                timeout /t 1 /nobreak
                                                                                                                                                                                2⤵
                                                                                                                                                                                • Delays execution with timeout.exe
                                                                                                                                                                                PID:5580
                                                                                                                                                                              • C:\Windows\system32\reg.exe
                                                                                                                                                                                reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "RotatingLockScreenOverlayEnabled" /t REG_DWORD /d "0" /f
                                                                                                                                                                                2⤵
                                                                                                                                                                                  PID:5600
                                                                                                                                                                                • C:\Windows\system32\timeout.exe
                                                                                                                                                                                  timeout /t 1 /nobreak
                                                                                                                                                                                  2⤵
                                                                                                                                                                                  • Delays execution with timeout.exe
                                                                                                                                                                                  PID:5572
                                                                                                                                                                                • C:\Windows\system32\reg.exe
                                                                                                                                                                                  reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\CDP" /v "CdpSessionUserAuthzPolicy" /t REG_DWORD /d "0" /f
                                                                                                                                                                                  2⤵
                                                                                                                                                                                    PID:3744
                                                                                                                                                                                  • C:\Windows\system32\reg.exe
                                                                                                                                                                                    reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\CDP" /v "NearShareChannelUserAuthzPolicy" /t REG_DWORD /d "0" /f
                                                                                                                                                                                    2⤵
                                                                                                                                                                                      PID:5100
                                                                                                                                                                                    • C:\Windows\system32\timeout.exe
                                                                                                                                                                                      timeout /t 1 /nobreak
                                                                                                                                                                                      2⤵
                                                                                                                                                                                      • Delays execution with timeout.exe
                                                                                                                                                                                      PID:1764
                                                                                                                                                                                    • C:\Windows\system32\reg.exe
                                                                                                                                                                                      reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer" /v "ShowFrequent" /t REG_DWORD /d "0" /f
                                                                                                                                                                                      2⤵
                                                                                                                                                                                        PID:1936
                                                                                                                                                                                      • C:\Windows\system32\reg.exe
                                                                                                                                                                                        reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer" /v "ShowRecent" /t REG_DWORD /d "0" /f
                                                                                                                                                                                        2⤵
                                                                                                                                                                                          PID:1748
                                                                                                                                                                                        • C:\Windows\system32\reg.exe
                                                                                                                                                                                          reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer" /v "TelemetrySalt" /t REG_DWORD /d "0" /f
                                                                                                                                                                                          2⤵
                                                                                                                                                                                            PID:5664
                                                                                                                                                                                          • C:\Windows\system32\reg.exe
                                                                                                                                                                                            reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoRecentDocsHistory" /t REG_DWORD /d "1" /f
                                                                                                                                                                                            2⤵
                                                                                                                                                                                              PID:5708
                                                                                                                                                                                            • C:\Windows\system32\timeout.exe
                                                                                                                                                                                              timeout /t 1 /nobreak
                                                                                                                                                                                              2⤵
                                                                                                                                                                                              • Delays execution with timeout.exe
                                                                                                                                                                                              PID:3556
                                                                                                                                                                                            • C:\Windows\system32\reg.exe
                                                                                                                                                                                              reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Privacy" /v "TailoredExperiencesWithDiagnosticDataEnabled" /t REG_DWORD /d "0" /f
                                                                                                                                                                                              2⤵
                                                                                                                                                                                                PID:5700
                                                                                                                                                                                              • C:\Windows\system32\timeout.exe
                                                                                                                                                                                                timeout /t 1 /nobreak
                                                                                                                                                                                                2⤵
                                                                                                                                                                                                • Delays execution with timeout.exe
                                                                                                                                                                                                PID:2088
                                                                                                                                                                                              • C:\Windows\system32\reg.exe
                                                                                                                                                                                                reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Search" /v "HistoryViewEnabled" /t REG_DWORD /d "0" /f
                                                                                                                                                                                                2⤵
                                                                                                                                                                                                  PID:5744
                                                                                                                                                                                                • C:\Windows\system32\timeout.exe
                                                                                                                                                                                                  timeout /t 1 /nobreak
                                                                                                                                                                                                  2⤵
                                                                                                                                                                                                  • Delays execution with timeout.exe
                                                                                                                                                                                                  PID:5752
                                                                                                                                                                                                • C:\Windows\system32\reg.exe
                                                                                                                                                                                                  reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Search" /v "DeviceHistoryEnabled" /t REG_DWORD /d "0" /f
                                                                                                                                                                                                  2⤵
                                                                                                                                                                                                    PID:5740
                                                                                                                                                                                                  • C:\Windows\system32\timeout.exe
                                                                                                                                                                                                    timeout /t 1 /nobreak
                                                                                                                                                                                                    2⤵
                                                                                                                                                                                                    • Delays execution with timeout.exe
                                                                                                                                                                                                    PID:2628
                                                                                                                                                                                                  • C:\Windows\system32\reg.exe
                                                                                                                                                                                                    reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Search" /v "BingSearchEnabled" /t REG_DWORD /d "0" /f
                                                                                                                                                                                                    2⤵
                                                                                                                                                                                                      PID:5748
                                                                                                                                                                                                    • C:\Windows\system32\timeout.exe
                                                                                                                                                                                                      timeout /t 1 /nobreak
                                                                                                                                                                                                      2⤵
                                                                                                                                                                                                      • Delays execution with timeout.exe
                                                                                                                                                                                                      PID:5784
                                                                                                                                                                                                    • C:\Windows\system32\reg.exe
                                                                                                                                                                                                      reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\PushNotifications" /v "ToastEnabled" /t REG_DWORD /d "0" /f
                                                                                                                                                                                                      2⤵
                                                                                                                                                                                                        PID:5772
                                                                                                                                                                                                      • C:\Windows\system32\reg.exe
                                                                                                                                                                                                        reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Notifications\Settings" /v "NOC_GLOBAL_SETTING_ALLOW_NOTIFICATION_SOUND" /t REG_DWORD /d "0" /f
                                                                                                                                                                                                        2⤵
                                                                                                                                                                                                          PID:1064
                                                                                                                                                                                                        • C:\Windows\system32\reg.exe
                                                                                                                                                                                                          reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Notifications\Settings" /v "NOC_GLOBAL_SETTING_ALLOW_CRITICAL_TOASTS_ABOVE_LOCK" /t REG_DWORD /d "0" /f
                                                                                                                                                                                                          2⤵
                                                                                                                                                                                                            PID:3472
                                                                                                                                                                                                          • C:\Windows\system32\reg.exe
                                                                                                                                                                                                            reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Notifications\Settings\QuietHours" /v "Enabled" /t REG_DWORD /d "0" /f
                                                                                                                                                                                                            2⤵
                                                                                                                                                                                                              PID:4220
                                                                                                                                                                                                            • C:\Windows\system32\reg.exe
                                                                                                                                                                                                              reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Notifications\Settings\windows.immersivecontrolpanel_cw5n1h2txyewymicrosoft.windows.immersivecontrolpanel" /v "Enabled" /t REG_DWORD /d "0" /f
                                                                                                                                                                                                              2⤵
                                                                                                                                                                                                                PID:1608
                                                                                                                                                                                                              • C:\Windows\system32\reg.exe
                                                                                                                                                                                                                reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Notifications\Settings\Windows.SystemToast.AutoPlay" /v "Enabled" /t REG_DWORD /d "0" /f
                                                                                                                                                                                                                2⤵
                                                                                                                                                                                                                  PID:4956
                                                                                                                                                                                                                • C:\Windows\system32\reg.exe
                                                                                                                                                                                                                  reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Notifications\Settings\Windows.SystemToast.LowDisk" /v "Enabled" /t REG_DWORD /d "0" /f
                                                                                                                                                                                                                  2⤵
                                                                                                                                                                                                                    PID:5384
                                                                                                                                                                                                                  • C:\Windows\system32\reg.exe
                                                                                                                                                                                                                    reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Notifications\Settings\Windows.SystemToast.Print.Notification" /v "Enabled" /t REG_DWORD /d "0" /f
                                                                                                                                                                                                                    2⤵
                                                                                                                                                                                                                      PID:4092
                                                                                                                                                                                                                    • C:\Windows\system32\reg.exe
                                                                                                                                                                                                                      reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Notifications\Settings\Windows.SystemToast.SecurityAndMaintenance" /v "Enabled" /t REG_DWORD /d "0" /f
                                                                                                                                                                                                                      2⤵
                                                                                                                                                                                                                        PID:3704
                                                                                                                                                                                                                      • C:\Windows\system32\reg.exe
                                                                                                                                                                                                                        reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Notifications\Settings\Windows.SystemToast.WiFiNetworkManager" /v "Enabled" /t REG_DWORD /d "0" /f
                                                                                                                                                                                                                        2⤵
                                                                                                                                                                                                                          PID:2632
                                                                                                                                                                                                                        • C:\Windows\system32\timeout.exe
                                                                                                                                                                                                                          timeout /t 1 /nobreak
                                                                                                                                                                                                                          2⤵
                                                                                                                                                                                                                          • Delays execution with timeout.exe
                                                                                                                                                                                                                          PID:3572
                                                                                                                                                                                                                        • C:\Windows\system32\reg.exe
                                                                                                                                                                                                                          reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\activity" /v "Value" /t REG_SZ /d "Deny" /f
                                                                                                                                                                                                                          2⤵
                                                                                                                                                                                                                            PID:2736
                                                                                                                                                                                                                          • C:\Windows\system32\reg.exe
                                                                                                                                                                                                                            reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\appDiagnostics" /v "Value" /t REG_SZ /d "Deny" /f
                                                                                                                                                                                                                            2⤵
                                                                                                                                                                                                                              PID:4272
                                                                                                                                                                                                                            • C:\Windows\system32\reg.exe
                                                                                                                                                                                                                              reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\appointments" /v "Value" /t REG_SZ /d "Deny" /f
                                                                                                                                                                                                                              2⤵
                                                                                                                                                                                                                                PID:1228
                                                                                                                                                                                                                              • C:\Windows\system32\reg.exe
                                                                                                                                                                                                                                reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\bluetoothSync" /v "Value" /t REG_SZ /d "Deny" /f
                                                                                                                                                                                                                                2⤵
                                                                                                                                                                                                                                  PID:4624
                                                                                                                                                                                                                                • C:\Windows\system32\reg.exe
                                                                                                                                                                                                                                  reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\broadFileSystemAccess" /v "Value" /t REG_SZ /d "Deny" /f
                                                                                                                                                                                                                                  2⤵
                                                                                                                                                                                                                                    PID:3660
                                                                                                                                                                                                                                  • C:\Windows\system32\reg.exe
                                                                                                                                                                                                                                    reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\cellularData" /v "Value" /t REG_SZ /d "Deny" /f
                                                                                                                                                                                                                                    2⤵
                                                                                                                                                                                                                                      PID:4836
                                                                                                                                                                                                                                    • C:\Windows\system32\reg.exe
                                                                                                                                                                                                                                      reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\cellularData\Microsoft.Win32WebViewHost_cw5n1h2txyewy" /v "Value" /t REG_SZ /d "Allow" /f
                                                                                                                                                                                                                                      2⤵
                                                                                                                                                                                                                                        PID:1224
                                                                                                                                                                                                                                      • C:\Windows\system32\reg.exe
                                                                                                                                                                                                                                        reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\chat" /v "Value" /t REG_SZ /d "Deny" /f
                                                                                                                                                                                                                                        2⤵
                                                                                                                                                                                                                                          PID:3856
                                                                                                                                                                                                                                        • C:\Windows\system32\reg.exe
                                                                                                                                                                                                                                          reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\contacts" /v "Value" /t REG_SZ /d "Deny" /f
                                                                                                                                                                                                                                          2⤵
                                                                                                                                                                                                                                            PID:3164
                                                                                                                                                                                                                                          • C:\Windows\system32\reg.exe
                                                                                                                                                                                                                                            reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\documentsLibrary" /v "Value" /t REG_SZ /d "Deny" /f
                                                                                                                                                                                                                                            2⤵
                                                                                                                                                                                                                                              PID:5116
                                                                                                                                                                                                                                            • C:\Windows\system32\reg.exe
                                                                                                                                                                                                                                              reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\email" /v "Value" /t REG_SZ /d "Deny" /f
                                                                                                                                                                                                                                              2⤵
                                                                                                                                                                                                                                                PID:4840
                                                                                                                                                                                                                                              • C:\Windows\system32\reg.exe
                                                                                                                                                                                                                                                reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\gazeInput" /v "Value" /t REG_SZ /d "Deny" /f
                                                                                                                                                                                                                                                2⤵
                                                                                                                                                                                                                                                  PID:212
                                                                                                                                                                                                                                                • C:\Windows\system32\reg.exe
                                                                                                                                                                                                                                                  reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\location" /v "Value" /t REG_SZ /d "Deny" /f
                                                                                                                                                                                                                                                  2⤵
                                                                                                                                                                                                                                                    PID:5180
                                                                                                                                                                                                                                                  • C:\Windows\system32\reg.exe
                                                                                                                                                                                                                                                    reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\location\Microsoft.Win32WebViewHost_cw5n1h2txyewy" /v "Value" /t REG_SZ /d "Prompt" /f
                                                                                                                                                                                                                                                    2⤵
                                                                                                                                                                                                                                                      PID:1736
                                                                                                                                                                                                                                                    • C:\Windows\system32\reg.exe
                                                                                                                                                                                                                                                      reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\microphone" /v "Value" /t REG_SZ /d "Allow" /f
                                                                                                                                                                                                                                                      2⤵
                                                                                                                                                                                                                                                        PID:468
                                                                                                                                                                                                                                                      • C:\Windows\system32\reg.exe
                                                                                                                                                                                                                                                        reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\microphone\Microsoft.Win32WebViewHost_cw5n1h2txyewy" /v "Value" /t REG_SZ /d "Prompt" /f
                                                                                                                                                                                                                                                        2⤵
                                                                                                                                                                                                                                                          PID:3528
                                                                                                                                                                                                                                                        • C:\Windows\system32\reg.exe
                                                                                                                                                                                                                                                          reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\phoneCall" /v "Value" /t REG_SZ /d "Deny" /f
                                                                                                                                                                                                                                                          2⤵
                                                                                                                                                                                                                                                            PID:3056
                                                                                                                                                                                                                                                          • C:\Windows\system32\reg.exe
                                                                                                                                                                                                                                                            reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\phoneCallHistory" /v "Value" /t REG_SZ /d "Deny" /f
                                                                                                                                                                                                                                                            2⤵
                                                                                                                                                                                                                                                              PID:1644
                                                                                                                                                                                                                                                            • C:\Windows\system32\reg.exe
                                                                                                                                                                                                                                                              reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\picturesLibrary" /v "Value" /t REG_SZ /d "Deny" /f
                                                                                                                                                                                                                                                              2⤵
                                                                                                                                                                                                                                                                PID:2816
                                                                                                                                                                                                                                                              • C:\Windows\system32\reg.exe
                                                                                                                                                                                                                                                                reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\radios" /v "Value" /t REG_SZ /d "Deny" /f
                                                                                                                                                                                                                                                                2⤵
                                                                                                                                                                                                                                                                  PID:4928
                                                                                                                                                                                                                                                                • C:\Windows\system32\reg.exe
                                                                                                                                                                                                                                                                  reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\userAccountInformation" /v "Value" /t REG_SZ /d "Deny" /f
                                                                                                                                                                                                                                                                  2⤵
                                                                                                                                                                                                                                                                    PID:3288
                                                                                                                                                                                                                                                                  • C:\Windows\system32\reg.exe
                                                                                                                                                                                                                                                                    reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\userAccountInformation\Microsoft.AccountsControl_cw5n1h2txyewy" /v "Value" /t REG_SZ /d "Prompt" /f
                                                                                                                                                                                                                                                                    2⤵
                                                                                                                                                                                                                                                                      PID:4516
                                                                                                                                                                                                                                                                    • C:\Windows\system32\reg.exe
                                                                                                                                                                                                                                                                      reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\userDataTasks" /v "Value" /t REG_SZ /d "Deny" /f
                                                                                                                                                                                                                                                                      2⤵
                                                                                                                                                                                                                                                                        PID:2092
                                                                                                                                                                                                                                                                      • C:\Windows\system32\reg.exe
                                                                                                                                                                                                                                                                        reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\userNotificationListener" /v "Value" /t REG_SZ /d "Deny" /f
                                                                                                                                                                                                                                                                        2⤵
                                                                                                                                                                                                                                                                          PID:4172
                                                                                                                                                                                                                                                                        • C:\Windows\system32\reg.exe
                                                                                                                                                                                                                                                                          reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\videosLibrary" /v "Value" /t REG_SZ /d "Deny" /f
                                                                                                                                                                                                                                                                          2⤵
                                                                                                                                                                                                                                                                            PID:3052
                                                                                                                                                                                                                                                                          • C:\Windows\system32\reg.exe
                                                                                                                                                                                                                                                                            reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\webcam" /v "Value" /t REG_SZ /d "Allow" /f
                                                                                                                                                                                                                                                                            2⤵
                                                                                                                                                                                                                                                                              PID:1472
                                                                                                                                                                                                                                                                            • C:\Windows\system32\reg.exe
                                                                                                                                                                                                                                                                              reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\webcam\Microsoft.Win32WebViewHost_cw5n1h2txyewy" /v "Value" /t REG_SZ /d "Allow" /f
                                                                                                                                                                                                                                                                              2⤵
                                                                                                                                                                                                                                                                                PID:5820
                                                                                                                                                                                                                                                                              • C:\Windows\system32\timeout.exe
                                                                                                                                                                                                                                                                                timeout /t 1 /nobreak
                                                                                                                                                                                                                                                                                2⤵
                                                                                                                                                                                                                                                                                • Delays execution with timeout.exe
                                                                                                                                                                                                                                                                                PID:5068
                                                                                                                                                                                                                                                                              • C:\Windows\system32\reg.exe
                                                                                                                                                                                                                                                                                reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "PreInstalledAppsEnabled" /t REG_DWORD /d "0" /f
                                                                                                                                                                                                                                                                                2⤵
                                                                                                                                                                                                                                                                                  PID:5840
                                                                                                                                                                                                                                                                                • C:\Windows\system32\reg.exe
                                                                                                                                                                                                                                                                                  reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "SilentInstalledAppsEnabled" /t REG_DWORD /d "0" /f
                                                                                                                                                                                                                                                                                  2⤵
                                                                                                                                                                                                                                                                                    PID:5992
                                                                                                                                                                                                                                                                                  • C:\Windows\system32\reg.exe
                                                                                                                                                                                                                                                                                    reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "OemPreInstalledAppsEnabled" /t REG_DWORD /d "0" /f
                                                                                                                                                                                                                                                                                    2⤵
                                                                                                                                                                                                                                                                                      PID:6016
                                                                                                                                                                                                                                                                                    • C:\Windows\system32\reg.exe
                                                                                                                                                                                                                                                                                      reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "ContentDeliveryAllowed" /t REG_DWORD /d "0" /f
                                                                                                                                                                                                                                                                                      2⤵
                                                                                                                                                                                                                                                                                        PID:6032
                                                                                                                                                                                                                                                                                      • C:\Windows\system32\reg.exe
                                                                                                                                                                                                                                                                                        reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "SubscribedContentEnabled" /t REG_DWORD /d "0" /f
                                                                                                                                                                                                                                                                                        2⤵
                                                                                                                                                                                                                                                                                          PID:6052
                                                                                                                                                                                                                                                                                        • C:\Windows\system32\reg.exe
                                                                                                                                                                                                                                                                                          reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "PreInstalledAppsEverEnabled" /t REG_DWORD /d "0" /f
                                                                                                                                                                                                                                                                                          2⤵
                                                                                                                                                                                                                                                                                            PID:5984
                                                                                                                                                                                                                                                                                          • C:\Windows\system32\timeout.exe
                                                                                                                                                                                                                                                                                            timeout /t 1 /nobreak
                                                                                                                                                                                                                                                                                            2⤵
                                                                                                                                                                                                                                                                                            • Delays execution with timeout.exe
                                                                                                                                                                                                                                                                                            PID:5980
                                                                                                                                                                                                                                                                                          • C:\Windows\system32\reg.exe
                                                                                                                                                                                                                                                                                            reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "SystemPaneSuggestionsEnabled" /t REG_DWORD /d "0" /f
                                                                                                                                                                                                                                                                                            2⤵
                                                                                                                                                                                                                                                                                              PID:5936
                                                                                                                                                                                                                                                                                            • C:\Windows\system32\reg.exe
                                                                                                                                                                                                                                                                                              reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "SubscribedContent-338388Enabled" /t REG_DWORD /d "0" /f
                                                                                                                                                                                                                                                                                              2⤵
                                                                                                                                                                                                                                                                                                PID:6080
                                                                                                                                                                                                                                                                                              • C:\Windows\system32\reg.exe
                                                                                                                                                                                                                                                                                                reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "SubscribedContent-314559Enabled" /t REG_DWORD /d "0" /f
                                                                                                                                                                                                                                                                                                2⤵
                                                                                                                                                                                                                                                                                                  PID:6100
                                                                                                                                                                                                                                                                                                • C:\Windows\system32\reg.exe
                                                                                                                                                                                                                                                                                                  reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "SubscribedContent-280815Enabled" /t REG_DWORD /d "0" /f
                                                                                                                                                                                                                                                                                                  2⤵
                                                                                                                                                                                                                                                                                                    PID:4892
                                                                                                                                                                                                                                                                                                  • C:\Windows\system32\reg.exe
                                                                                                                                                                                                                                                                                                    reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "SubscribedContent-314563Enabled" /t REG_DWORD /d "0" /f
                                                                                                                                                                                                                                                                                                    2⤵
                                                                                                                                                                                                                                                                                                      PID:2996
                                                                                                                                                                                                                                                                                                    • C:\Windows\system32\reg.exe
                                                                                                                                                                                                                                                                                                      reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "SubscribedContent-338393Enabled" /t REG_DWORD /d "0" /f
                                                                                                                                                                                                                                                                                                      2⤵
                                                                                                                                                                                                                                                                                                        PID:3664
                                                                                                                                                                                                                                                                                                      • C:\Windows\system32\reg.exe
                                                                                                                                                                                                                                                                                                        reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "SubscribedContent-353694Enabled" /t REG_DWORD /d "0" /f
                                                                                                                                                                                                                                                                                                        2⤵
                                                                                                                                                                                                                                                                                                          PID:2796
                                                                                                                                                                                                                                                                                                        • C:\Windows\system32\reg.exe
                                                                                                                                                                                                                                                                                                          reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "SubscribedContent-353696Enabled" /t REG_DWORD /d "0" /f
                                                                                                                                                                                                                                                                                                          2⤵
                                                                                                                                                                                                                                                                                                            PID:2884
                                                                                                                                                                                                                                                                                                          • C:\Windows\system32\reg.exe
                                                                                                                                                                                                                                                                                                            reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "SubscribedContent-310093Enabled" /t REG_DWORD /d "0" /f
                                                                                                                                                                                                                                                                                                            2⤵
                                                                                                                                                                                                                                                                                                              PID:1428
                                                                                                                                                                                                                                                                                                            • C:\Windows\system32\reg.exe
                                                                                                                                                                                                                                                                                                              reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "SubscribedContent-202914Enabled" /t REG_DWORD /d "0" /f
                                                                                                                                                                                                                                                                                                              2⤵
                                                                                                                                                                                                                                                                                                                PID:6124
                                                                                                                                                                                                                                                                                                              • C:\Windows\system32\reg.exe
                                                                                                                                                                                                                                                                                                                reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "SubscribedContent-338387Enabled" /t REG_DWORD /d "0" /f
                                                                                                                                                                                                                                                                                                                2⤵
                                                                                                                                                                                                                                                                                                                  PID:392
                                                                                                                                                                                                                                                                                                                • C:\Windows\system32\reg.exe
                                                                                                                                                                                                                                                                                                                  reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "SubscribedContent-338389Enabled" /t REG_DWORD /d "0" /f
                                                                                                                                                                                                                                                                                                                  2⤵
                                                                                                                                                                                                                                                                                                                    PID:896
                                                                                                                                                                                                                                                                                                                  • C:\Windows\system32\reg.exe
                                                                                                                                                                                                                                                                                                                    reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "SubscribedContent-353698Enabled" /t REG_DWORD /d "0" /f
                                                                                                                                                                                                                                                                                                                    2⤵
                                                                                                                                                                                                                                                                                                                      PID:1704
                                                                                                                                                                                                                                                                                                                    • C:\Windows\system32\timeout.exe
                                                                                                                                                                                                                                                                                                                      timeout /t 1 /nobreak
                                                                                                                                                                                                                                                                                                                      2⤵
                                                                                                                                                                                                                                                                                                                      • Delays execution with timeout.exe
                                                                                                                                                                                                                                                                                                                      PID:908
                                                                                                                                                                                                                                                                                                                    • C:\Windows\system32\reg.exe
                                                                                                                                                                                                                                                                                                                      reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "Discord" /t REG_BINARY /d "0300000066AF9C7C5A46D901" /f
                                                                                                                                                                                                                                                                                                                      2⤵
                                                                                                                                                                                                                                                                                                                        PID:2464
                                                                                                                                                                                                                                                                                                                      • C:\Windows\system32\reg.exe
                                                                                                                                                                                                                                                                                                                        reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "Synapse3" /t REG_BINARY /d "030000007DC437B0EA9FD901" /f
                                                                                                                                                                                                                                                                                                                        2⤵
                                                                                                                                                                                                                                                                                                                          PID:3956
                                                                                                                                                                                                                                                                                                                        • C:\Windows\system32\reg.exe
                                                                                                                                                                                                                                                                                                                          reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "Spotify" /t REG_BINARY /d "0300000070E93D7B5A46D901" /f
                                                                                                                                                                                                                                                                                                                          2⤵
                                                                                                                                                                                                                                                                                                                            PID:3212
                                                                                                                                                                                                                                                                                                                          • C:\Windows\system32\reg.exe
                                                                                                                                                                                                                                                                                                                            reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "EpicGamesLauncher" /t REG_BINARY /d "03000000F51C70A77A48D901" /f
                                                                                                                                                                                                                                                                                                                            2⤵
                                                                                                                                                                                                                                                                                                                              PID:5228
                                                                                                                                                                                                                                                                                                                            • C:\Windows\system32\reg.exe
                                                                                                                                                                                                                                                                                                                              reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "RiotClient" /t REG_BINARY /d "03000000A0EA598A88B2D901" /f
                                                                                                                                                                                                                                                                                                                              2⤵
                                                                                                                                                                                                                                                                                                                                PID:5176
                                                                                                                                                                                                                                                                                                                              • C:\Windows\system32\reg.exe
                                                                                                                                                                                                                                                                                                                                reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "Steam" /t REG_BINARY /d "03000000E7766B83316FD901" /f
                                                                                                                                                                                                                                                                                                                                2⤵
                                                                                                                                                                                                                                                                                                                                  PID:3132
                                                                                                                                                                                                                                                                                                                                • C:\Windows\system32\timeout.exe
                                                                                                                                                                                                                                                                                                                                  timeout /t 1 /nobreak
                                                                                                                                                                                                                                                                                                                                  2⤵
                                                                                                                                                                                                                                                                                                                                  • Delays execution with timeout.exe
                                                                                                                                                                                                                                                                                                                                  PID:4620
                                                                                                                                                                                                                                                                                                                                • C:\Windows\system32\reg.exe
                                                                                                                                                                                                                                                                                                                                  reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\SettingSync\Groups\Accessibility" /v "Enabled" /t REG_DWORD /d "0" /f
                                                                                                                                                                                                                                                                                                                                  2⤵
                                                                                                                                                                                                                                                                                                                                    PID:2896
                                                                                                                                                                                                                                                                                                                                  • C:\Windows\system32\reg.exe
                                                                                                                                                                                                                                                                                                                                    reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\SettingSync\Groups\AppSync" /v "Enabled" /t REG_DWORD /d "0" /f
                                                                                                                                                                                                                                                                                                                                    2⤵
                                                                                                                                                                                                                                                                                                                                      PID:2300
                                                                                                                                                                                                                                                                                                                                    • C:\Windows\system32\reg.exe
                                                                                                                                                                                                                                                                                                                                      reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\SettingSync\Groups\BrowserSettings" /v "Enabled" /t REG_DWORD /d "0" /f
                                                                                                                                                                                                                                                                                                                                      2⤵
                                                                                                                                                                                                                                                                                                                                        PID:5204
                                                                                                                                                                                                                                                                                                                                      • C:\Windows\system32\reg.exe
                                                                                                                                                                                                                                                                                                                                        reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\SettingSync\Groups\Credentials" /v "Enabled" /t REG_DWORD /d "0" /f
                                                                                                                                                                                                                                                                                                                                        2⤵
                                                                                                                                                                                                                                                                                                                                          PID:5328
                                                                                                                                                                                                                                                                                                                                        • C:\Windows\system32\reg.exe
                                                                                                                                                                                                                                                                                                                                          reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\SettingSync\Groups\DesktopTheme" /v "Enabled" /t REG_DWORD /d "0" /f
                                                                                                                                                                                                                                                                                                                                          2⤵
                                                                                                                                                                                                                                                                                                                                            PID:5316
                                                                                                                                                                                                                                                                                                                                          • C:\Windows\system32\reg.exe
                                                                                                                                                                                                                                                                                                                                            reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\SettingSync\Groups\Language" /v "Enabled" /t REG_DWORD /d "0" /f
                                                                                                                                                                                                                                                                                                                                            2⤵
                                                                                                                                                                                                                                                                                                                                              PID:64
                                                                                                                                                                                                                                                                                                                                            • C:\Windows\system32\reg.exe
                                                                                                                                                                                                                                                                                                                                              reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\SettingSync\Groups\PackageState" /v "Enabled" /t REG_DWORD /d "0" /f
                                                                                                                                                                                                                                                                                                                                              2⤵
                                                                                                                                                                                                                                                                                                                                                PID:5276
                                                                                                                                                                                                                                                                                                                                              • C:\Windows\system32\reg.exe
                                                                                                                                                                                                                                                                                                                                                reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\SettingSync\Groups\Personalization" /v "Enabled" /t REG_DWORD /d "0" /f
                                                                                                                                                                                                                                                                                                                                                2⤵
                                                                                                                                                                                                                                                                                                                                                  PID:5300
                                                                                                                                                                                                                                                                                                                                                • C:\Windows\system32\reg.exe
                                                                                                                                                                                                                                                                                                                                                  reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\SettingSync\Groups\StartLayout" /v "Enabled" /t REG_DWORD /d "0" /f
                                                                                                                                                                                                                                                                                                                                                  2⤵
                                                                                                                                                                                                                                                                                                                                                    PID:2832
                                                                                                                                                                                                                                                                                                                                                  • C:\Windows\system32\reg.exe
                                                                                                                                                                                                                                                                                                                                                    reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\SettingSync\Groups\Windows" /v "Enabled" /t REG_DWORD /d "0" /f
                                                                                                                                                                                                                                                                                                                                                    2⤵
                                                                                                                                                                                                                                                                                                                                                      PID:5256
                                                                                                                                                                                                                                                                                                                                                    • C:\Windows\system32\timeout.exe
                                                                                                                                                                                                                                                                                                                                                      timeout /t 1 /nobreak
                                                                                                                                                                                                                                                                                                                                                      2⤵
                                                                                                                                                                                                                                                                                                                                                      • Delays execution with timeout.exe
                                                                                                                                                                                                                                                                                                                                                      PID:1652
                                                                                                                                                                                                                                                                                                                                                    • C:\Windows\system32\reg.exe
                                                                                                                                                                                                                                                                                                                                                      reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting" /v "Disabled" /t REG_DWORD /d "1" /f
                                                                                                                                                                                                                                                                                                                                                      2⤵
                                                                                                                                                                                                                                                                                                                                                        PID:5368
                                                                                                                                                                                                                                                                                                                                                      • C:\Windows\system32\reg.exe
                                                                                                                                                                                                                                                                                                                                                        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting" /v "DoReport" /t REG_DWORD /d "0" /f
                                                                                                                                                                                                                                                                                                                                                        2⤵
                                                                                                                                                                                                                                                                                                                                                          PID:5148
                                                                                                                                                                                                                                                                                                                                                        • C:\Windows\system32\reg.exe
                                                                                                                                                                                                                                                                                                                                                          reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting" /v "LoggingDisabled" /t REG_DWORD /d "1" /f
                                                                                                                                                                                                                                                                                                                                                          2⤵
                                                                                                                                                                                                                                                                                                                                                            PID:4780
                                                                                                                                                                                                                                                                                                                                                          • C:\Windows\system32\reg.exe
                                                                                                                                                                                                                                                                                                                                                            reg add "HKLM\SOFTWARE\Policies\Microsoft\PCHealth\ErrorReporting" /v "DoReport" /t REG_DWORD /d "0" /f
                                                                                                                                                                                                                                                                                                                                                            2⤵
                                                                                                                                                                                                                                                                                                                                                              PID:1700
                                                                                                                                                                                                                                                                                                                                                            • C:\Windows\system32\reg.exe
                                                                                                                                                                                                                                                                                                                                                              reg add "HKLM\SOFTWARE\Microsoft\Windows\Windows Error Reporting" /v "Disabled" /t REG_DWORD /d "1" /f
                                                                                                                                                                                                                                                                                                                                                              2⤵
                                                                                                                                                                                                                                                                                                                                                                PID:5140
                                                                                                                                                                                                                                                                                                                                                              • C:\Windows\system32\timeout.exe
                                                                                                                                                                                                                                                                                                                                                                timeout /t 1 /nobreak
                                                                                                                                                                                                                                                                                                                                                                2⤵
                                                                                                                                                                                                                                                                                                                                                                • Delays execution with timeout.exe
                                                                                                                                                                                                                                                                                                                                                                PID:4208
                                                                                                                                                                                                                                                                                                                                                              • C:\Windows\system32\reg.exe
                                                                                                                                                                                                                                                                                                                                                                reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\I/O System" /v "PassiveIntRealTimeWorkerPriority" /t REG_DWORD /d "18" /f
                                                                                                                                                                                                                                                                                                                                                                2⤵
                                                                                                                                                                                                                                                                                                                                                                  PID:5380
                                                                                                                                                                                                                                                                                                                                                                • C:\Windows\system32\reg.exe
                                                                                                                                                                                                                                                                                                                                                                  reg add "HKLM\SYSTEM\CurrentControlSet\Control\KernelVelocity" /v "DisableFGBoostDecay" /t REG_DWORD /d "1" /f
                                                                                                                                                                                                                                                                                                                                                                  2⤵
                                                                                                                                                                                                                                                                                                                                                                    PID:5428
                                                                                                                                                                                                                                                                                                                                                                  • C:\Windows\system32\reg.exe
                                                                                                                                                                                                                                                                                                                                                                    reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\dwm.exe\PerfOptions" /v "CpuPriorityClass" /t REG_DWORD /d "4" /f
                                                                                                                                                                                                                                                                                                                                                                    2⤵
                                                                                                                                                                                                                                                                                                                                                                    • Event Triggered Execution: Image File Execution Options Injection
                                                                                                                                                                                                                                                                                                                                                                    PID:3668
                                                                                                                                                                                                                                                                                                                                                                  • C:\Windows\system32\reg.exe
                                                                                                                                                                                                                                                                                                                                                                    reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\dwm.exe\PerfOptions" /v "IoPriority" /t REG_DWORD /d "3" /f
                                                                                                                                                                                                                                                                                                                                                                    2⤵
                                                                                                                                                                                                                                                                                                                                                                    • Event Triggered Execution: Image File Execution Options Injection
                                                                                                                                                                                                                                                                                                                                                                    PID:5436
                                                                                                                                                                                                                                                                                                                                                                  • C:\Windows\system32\reg.exe
                                                                                                                                                                                                                                                                                                                                                                    reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\lsass.exe\PerfOptions" /v "CpuPriorityClass" /t REG_DWORD /d "1" /f
                                                                                                                                                                                                                                                                                                                                                                    2⤵
                                                                                                                                                                                                                                                                                                                                                                    • Event Triggered Execution: Image File Execution Options Injection
                                                                                                                                                                                                                                                                                                                                                                    PID:5440
                                                                                                                                                                                                                                                                                                                                                                  • C:\Windows\system32\reg.exe
                                                                                                                                                                                                                                                                                                                                                                    reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\lsass.exe\PerfOptions" /v "IoPriority" /t REG_DWORD /d "0" /f
                                                                                                                                                                                                                                                                                                                                                                    2⤵
                                                                                                                                                                                                                                                                                                                                                                    • Event Triggered Execution: Image File Execution Options Injection
                                                                                                                                                                                                                                                                                                                                                                    PID:5416
                                                                                                                                                                                                                                                                                                                                                                  • C:\Windows\system32\reg.exe
                                                                                                                                                                                                                                                                                                                                                                    reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\lsass.exe\PerfOptions" /v "PagePriority" /t REG_DWORD /d "0" /f
                                                                                                                                                                                                                                                                                                                                                                    2⤵
                                                                                                                                                                                                                                                                                                                                                                      PID:4728
                                                                                                                                                                                                                                                                                                                                                                    • C:\Windows\system32\reg.exe
                                                                                                                                                                                                                                                                                                                                                                      reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ntoskrnl.exe\PerfOptions" /v "CpuPriorityClass" /t REG_DWORD /d "4" /f
                                                                                                                                                                                                                                                                                                                                                                      2⤵
                                                                                                                                                                                                                                                                                                                                                                      • Event Triggered Execution: Image File Execution Options Injection
                                                                                                                                                                                                                                                                                                                                                                      PID:4860
                                                                                                                                                                                                                                                                                                                                                                    • C:\Windows\system32\reg.exe
                                                                                                                                                                                                                                                                                                                                                                      reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ntoskrnl.exe\PerfOptions" /v "IoPriority" /t REG_DWORD /d "3" /f
                                                                                                                                                                                                                                                                                                                                                                      2⤵
                                                                                                                                                                                                                                                                                                                                                                        PID:2292
                                                                                                                                                                                                                                                                                                                                                                      • C:\Windows\system32\reg.exe
                                                                                                                                                                                                                                                                                                                                                                        reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SearchIndexer.exe\PerfOptions" /v "CpuPriorityClass" /t REG_DWORD /d "1" /f
                                                                                                                                                                                                                                                                                                                                                                        2⤵
                                                                                                                                                                                                                                                                                                                                                                        • Event Triggered Execution: Image File Execution Options Injection
                                                                                                                                                                                                                                                                                                                                                                        PID:5480
                                                                                                                                                                                                                                                                                                                                                                      • C:\Windows\system32\reg.exe
                                                                                                                                                                                                                                                                                                                                                                        reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SearchIndexer.exe\PerfOptions" /v "IoPriority" /t REG_DWORD /d "0" /f
                                                                                                                                                                                                                                                                                                                                                                        2⤵
                                                                                                                                                                                                                                                                                                                                                                        • Event Triggered Execution: Image File Execution Options Injection
                                                                                                                                                                                                                                                                                                                                                                        PID:5512
                                                                                                                                                                                                                                                                                                                                                                      • C:\Windows\system32\reg.exe
                                                                                                                                                                                                                                                                                                                                                                        reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\svchost.exe\PerfOptions" /v "CpuPriorityClass" /t REG_DWORD /d "1" /f
                                                                                                                                                                                                                                                                                                                                                                        2⤵
                                                                                                                                                                                                                                                                                                                                                                        • Event Triggered Execution: Image File Execution Options Injection
                                                                                                                                                                                                                                                                                                                                                                        PID:4124
                                                                                                                                                                                                                                                                                                                                                                      • C:\Windows\system32\reg.exe
                                                                                                                                                                                                                                                                                                                                                                        reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\TrustedInstaller.exe\PerfOptions" /v "CpuPriorityClass" /t REG_DWORD /d "1" /f
                                                                                                                                                                                                                                                                                                                                                                        2⤵
                                                                                                                                                                                                                                                                                                                                                                        • Event Triggered Execution: Image File Execution Options Injection
                                                                                                                                                                                                                                                                                                                                                                        PID:5516
                                                                                                                                                                                                                                                                                                                                                                      • C:\Windows\system32\reg.exe
                                                                                                                                                                                                                                                                                                                                                                        reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\TrustedInstaller.exe\PerfOptions" /v "IoPriority" /t REG_DWORD /d "0" /f
                                                                                                                                                                                                                                                                                                                                                                        2⤵
                                                                                                                                                                                                                                                                                                                                                                        • Event Triggered Execution: Image File Execution Options Injection
                                                                                                                                                                                                                                                                                                                                                                        PID:2684
                                                                                                                                                                                                                                                                                                                                                                      • C:\Windows\system32\reg.exe
                                                                                                                                                                                                                                                                                                                                                                        reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wuauclt.exe\PerfOptions" /v "CpuPriorityClass" /t REG_DWORD /d "1" /f
                                                                                                                                                                                                                                                                                                                                                                        2⤵
                                                                                                                                                                                                                                                                                                                                                                        • Event Triggered Execution: Image File Execution Options Injection
                                                                                                                                                                                                                                                                                                                                                                        PID:4336
                                                                                                                                                                                                                                                                                                                                                                      • C:\Windows\system32\reg.exe
                                                                                                                                                                                                                                                                                                                                                                        reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wuauclt.exe\PerfOptions" /v "IoPriority" /t REG_DWORD /d "0" /f
                                                                                                                                                                                                                                                                                                                                                                        2⤵
                                                                                                                                                                                                                                                                                                                                                                        • Event Triggered Execution: Image File Execution Options Injection
                                                                                                                                                                                                                                                                                                                                                                        PID:3036
                                                                                                                                                                                                                                                                                                                                                                      • C:\Windows\system32\reg.exe
                                                                                                                                                                                                                                                                                                                                                                        reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\audiodg.exe\PerfOptions" /v "CpuPriorityClass" /t REG_DWORD /d "2" /f
                                                                                                                                                                                                                                                                                                                                                                        2⤵
                                                                                                                                                                                                                                                                                                                                                                          PID:2772
                                                                                                                                                                                                                                                                                                                                                                        • C:\Windows\system32\reg.exe
                                                                                                                                                                                                                                                                                                                                                                          reg add "HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\audiodg.exe\PerfOptions" /v "CpuPriorityClass" /t REG_DWORD /d "2" /f
                                                                                                                                                                                                                                                                                                                                                                          2⤵
                                                                                                                                                                                                                                                                                                                                                                          • Event Triggered Execution: Image File Execution Options Injection
                                                                                                                                                                                                                                                                                                                                                                          PID:5568
                                                                                                                                                                                                                                                                                                                                                                        • C:\Windows\system32\reg.exe
                                                                                                                                                                                                                                                                                                                                                                          reg add "HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\dwm.exe\PerfOptions" /v "CpuPriorityClass" /t REG_DWORD /d "4" /f
                                                                                                                                                                                                                                                                                                                                                                          2⤵
                                                                                                                                                                                                                                                                                                                                                                            PID:3400
                                                                                                                                                                                                                                                                                                                                                                          • C:\Windows\system32\reg.exe
                                                                                                                                                                                                                                                                                                                                                                            reg add "HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\dwm.exe\PerfOptions" /v "IoPriority" /t REG_DWORD /d "3" /f
                                                                                                                                                                                                                                                                                                                                                                            2⤵
                                                                                                                                                                                                                                                                                                                                                                            • Event Triggered Execution: Image File Execution Options Injection
                                                                                                                                                                                                                                                                                                                                                                            PID:3128
                                                                                                                                                                                                                                                                                                                                                                          • C:\Windows\system32\reg.exe
                                                                                                                                                                                                                                                                                                                                                                            reg add "HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\lsass.exe\PerfOptions" /v "CpuPriorityClass" /t REG_DWORD /d "1" /f
                                                                                                                                                                                                                                                                                                                                                                            2⤵
                                                                                                                                                                                                                                                                                                                                                                              PID:5600
                                                                                                                                                                                                                                                                                                                                                                            • C:\Windows\system32\reg.exe
                                                                                                                                                                                                                                                                                                                                                                              reg add "HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\lsass.exe\PerfOptions" /v "IoPriority" /t REG_DWORD /d "0" /f
                                                                                                                                                                                                                                                                                                                                                                              2⤵
                                                                                                                                                                                                                                                                                                                                                                                PID:3468
                                                                                                                                                                                                                                                                                                                                                                              • C:\Windows\system32\reg.exe
                                                                                                                                                                                                                                                                                                                                                                                reg add "HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\lsass.exe\PerfOptions" /v "PagePriority" /t REG_DWORD /d "0" /f
                                                                                                                                                                                                                                                                                                                                                                                2⤵
                                                                                                                                                                                                                                                                                                                                                                                • Event Triggered Execution: Image File Execution Options Injection
                                                                                                                                                                                                                                                                                                                                                                                PID:4456
                                                                                                                                                                                                                                                                                                                                                                              • C:\Windows\system32\reg.exe
                                                                                                                                                                                                                                                                                                                                                                                reg add "HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ntoskrnl.exe\PerfOptions" /v "CpuPriorityClass" /t REG_DWORD /d "4" /f
                                                                                                                                                                                                                                                                                                                                                                                2⤵
                                                                                                                                                                                                                                                                                                                                                                                • Event Triggered Execution: Image File Execution Options Injection
                                                                                                                                                                                                                                                                                                                                                                                PID:2880
                                                                                                                                                                                                                                                                                                                                                                              • C:\Windows\system32\reg.exe
                                                                                                                                                                                                                                                                                                                                                                                reg add "HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ntoskrnl.exe\PerfOptions" /v "IoPriority" /t REG_DWORD /d "3" /f
                                                                                                                                                                                                                                                                                                                                                                                2⤵
                                                                                                                                                                                                                                                                                                                                                                                • Event Triggered Execution: Image File Execution Options Injection
                                                                                                                                                                                                                                                                                                                                                                                PID:5612
                                                                                                                                                                                                                                                                                                                                                                              • C:\Windows\system32\reg.exe
                                                                                                                                                                                                                                                                                                                                                                                reg add "HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SearchIndexer.exe\PerfOptions" /v "CpuPriorityClass" /t REG_DWORD /d "1" /f
                                                                                                                                                                                                                                                                                                                                                                                2⤵
                                                                                                                                                                                                                                                                                                                                                                                • Event Triggered Execution: Image File Execution Options Injection
                                                                                                                                                                                                                                                                                                                                                                                PID:5620
                                                                                                                                                                                                                                                                                                                                                                              • C:\Windows\system32\reg.exe
                                                                                                                                                                                                                                                                                                                                                                                reg add "HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SearchIndexer.exe\PerfOptions" /v "IoPriority" /t REG_DWORD /d "0" /f
                                                                                                                                                                                                                                                                                                                                                                                2⤵
                                                                                                                                                                                                                                                                                                                                                                                • Event Triggered Execution: Image File Execution Options Injection
                                                                                                                                                                                                                                                                                                                                                                                PID:3364
                                                                                                                                                                                                                                                                                                                                                                              • C:\Windows\system32\reg.exe
                                                                                                                                                                                                                                                                                                                                                                                reg add "HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\svchost.exe\PerfOptions" /v "CpuPriorityClass" /t REG_DWORD /d "1" /f
                                                                                                                                                                                                                                                                                                                                                                                2⤵
                                                                                                                                                                                                                                                                                                                                                                                • Event Triggered Execution: Image File Execution Options Injection
                                                                                                                                                                                                                                                                                                                                                                                PID:4316
                                                                                                                                                                                                                                                                                                                                                                              • C:\Windows\system32\reg.exe
                                                                                                                                                                                                                                                                                                                                                                                reg add "HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\TrustedInstaller.exe\PerfOptions" /v "CpuPriorityClass" /t REG_DWORD /d "1" /f
                                                                                                                                                                                                                                                                                                                                                                                2⤵
                                                                                                                                                                                                                                                                                                                                                                                • Event Triggered Execution: Image File Execution Options Injection
                                                                                                                                                                                                                                                                                                                                                                                PID:968
                                                                                                                                                                                                                                                                                                                                                                              • C:\Windows\system32\reg.exe
                                                                                                                                                                                                                                                                                                                                                                                reg add "HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\TrustedInstaller.exe\PerfOptions" /v "IoPriority" /t REG_DWORD /d "0" /f
                                                                                                                                                                                                                                                                                                                                                                                2⤵
                                                                                                                                                                                                                                                                                                                                                                                • Event Triggered Execution: Image File Execution Options Injection
                                                                                                                                                                                                                                                                                                                                                                                PID:2220
                                                                                                                                                                                                                                                                                                                                                                              • C:\Windows\system32\reg.exe
                                                                                                                                                                                                                                                                                                                                                                                reg add "HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wuauclt.exe\PerfOptions" /v "CpuPriorityClass" /t REG_DWORD /d "1" /f
                                                                                                                                                                                                                                                                                                                                                                                2⤵
                                                                                                                                                                                                                                                                                                                                                                                  PID:1408
                                                                                                                                                                                                                                                                                                                                                                                • C:\Windows\system32\reg.exe
                                                                                                                                                                                                                                                                                                                                                                                  reg add "HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wuauclt.exe\PerfOptions" /v "IoPriority" /t REG_DWORD /d "0" /f
                                                                                                                                                                                                                                                                                                                                                                                  2⤵
                                                                                                                                                                                                                                                                                                                                                                                  • Event Triggered Execution: Image File Execution Options Injection
                                                                                                                                                                                                                                                                                                                                                                                  PID:5692
                                                                                                                                                                                                                                                                                                                                                                                • C:\Windows\system32\timeout.exe
                                                                                                                                                                                                                                                                                                                                                                                  timeout /t 1 /nobreak
                                                                                                                                                                                                                                                                                                                                                                                  2⤵
                                                                                                                                                                                                                                                                                                                                                                                  • Delays execution with timeout.exe
                                                                                                                                                                                                                                                                                                                                                                                  PID:2032
                                                                                                                                                                                                                                                                                                                                                                                • C:\Windows\system32\reg.exe
                                                                                                                                                                                                                                                                                                                                                                                  reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting" /v "DisableGenericReports" /t REG_DWORD /d "1" /f
                                                                                                                                                                                                                                                                                                                                                                                  2⤵
                                                                                                                                                                                                                                                                                                                                                                                    PID:1220
                                                                                                                                                                                                                                                                                                                                                                                  • C:\Windows\system32\reg.exe
                                                                                                                                                                                                                                                                                                                                                                                    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "LocalSettingOverrideSpynetReporting" /t REG_DWORD /d "0" /f
                                                                                                                                                                                                                                                                                                                                                                                    2⤵
                                                                                                                                                                                                                                                                                                                                                                                      PID:2524
                                                                                                                                                                                                                                                                                                                                                                                    • C:\Windows\system32\reg.exe
                                                                                                                                                                                                                                                                                                                                                                                      reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpynetReporting" /t REG_DWORD /d "0" /f
                                                                                                                                                                                                                                                                                                                                                                                      2⤵
                                                                                                                                                                                                                                                                                                                                                                                        PID:2088
                                                                                                                                                                                                                                                                                                                                                                                      • C:\Windows\system32\reg.exe
                                                                                                                                                                                                                                                                                                                                                                                        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SubmitSamplesConsent" /t REG_DWORD /d "2" /f
                                                                                                                                                                                                                                                                                                                                                                                        2⤵
                                                                                                                                                                                                                                                                                                                                                                                          PID:5728
                                                                                                                                                                                                                                                                                                                                                                                        • C:\Windows\system32\reg.exe
                                                                                                                                                                                                                                                                                                                                                                                          reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\SmartScreen" /v "ConfigureAppInstallControlEnabled" /t REG_DWORD /d "0" /f
                                                                                                                                                                                                                                                                                                                                                                                          2⤵
                                                                                                                                                                                                                                                                                                                                                                                            PID:5716
                                                                                                                                                                                                                                                                                                                                                                                          • C:\Windows\system32\reg.exe
                                                                                                                                                                                                                                                                                                                                                                                            reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats" /v "Threats_ThreatSeverityDefaultAction" /t REG_DWORD /d "1" /f
                                                                                                                                                                                                                                                                                                                                                                                            2⤵
                                                                                                                                                                                                                                                                                                                                                                                              PID:1272
                                                                                                                                                                                                                                                                                                                                                                                            • C:\Windows\system32\reg.exe
                                                                                                                                                                                                                                                                                                                                                                                              reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction" /v "1" /t REG_SZ /d "6" /f
                                                                                                                                                                                                                                                                                                                                                                                              2⤵
                                                                                                                                                                                                                                                                                                                                                                                                PID:5756
                                                                                                                                                                                                                                                                                                                                                                                              • C:\Windows\system32\reg.exe
                                                                                                                                                                                                                                                                                                                                                                                                reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction" /v "2" /t REG_SZ /d "6" /f
                                                                                                                                                                                                                                                                                                                                                                                                2⤵
                                                                                                                                                                                                                                                                                                                                                                                                  PID:5720
                                                                                                                                                                                                                                                                                                                                                                                                • C:\Windows\system32\reg.exe
                                                                                                                                                                                                                                                                                                                                                                                                  reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction" /v "4" /t REG_SZ /d "6" /f
                                                                                                                                                                                                                                                                                                                                                                                                  2⤵
                                                                                                                                                                                                                                                                                                                                                                                                    PID:5768
                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Windows\system32\reg.exe
                                                                                                                                                                                                                                                                                                                                                                                                    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction" /v "5" /t REG_SZ /d "6" /f
                                                                                                                                                                                                                                                                                                                                                                                                    2⤵
                                                                                                                                                                                                                                                                                                                                                                                                      PID:5672
                                                                                                                                                                                                                                                                                                                                                                                                    • C:\Windows\system32\reg.exe
                                                                                                                                                                                                                                                                                                                                                                                                      reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\UX Configuration" /v "Notification_Suppress" /t REG_DWORD /d "1" /f
                                                                                                                                                                                                                                                                                                                                                                                                      2⤵
                                                                                                                                                                                                                                                                                                                                                                                                        PID:1776
                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Windows\system32\reg.exe
                                                                                                                                                                                                                                                                                                                                                                                                        reg add "HKLM\SYSTEM\CurrentControlSet\Services\Sense" /v "Start" /t REG_DWORD /d "4" /f
                                                                                                                                                                                                                                                                                                                                                                                                        2⤵
                                                                                                                                                                                                                                                                                                                                                                                                          PID:2600
                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Windows\system32\reg.exe
                                                                                                                                                                                                                                                                                                                                                                                                          reg add "HKLM\SYSTEM\CurrentControlSet\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "4" /f
                                                                                                                                                                                                                                                                                                                                                                                                          2⤵
                                                                                                                                                                                                                                                                                                                                                                                                          • Modifies Security services
                                                                                                                                                                                                                                                                                                                                                                                                          PID:400
                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Windows\system32\reg.exe
                                                                                                                                                                                                                                                                                                                                                                                                          reg add "HKLM\SYSTEM\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f
                                                                                                                                                                                                                                                                                                                                                                                                          2⤵
                                                                                                                                                                                                                                                                                                                                                                                                          • Modifies security service
                                                                                                                                                                                                                                                                                                                                                                                                          PID:4472
                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Windows\system32\reg.exe
                                                                                                                                                                                                                                                                                                                                                                                                          reg add "HKLM\SYSTEM\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f
                                                                                                                                                                                                                                                                                                                                                                                                          2⤵
                                                                                                                                                                                                                                                                                                                                                                                                          • Modifies Security services
                                                                                                                                                                                                                                                                                                                                                                                                          PID:5384
                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Windows\system32\reg.exe
                                                                                                                                                                                                                                                                                                                                                                                                          reg add "HKLM\SYSTEM\CurrentControlSet\Services\wscsvc" /v "Start" /t REG_DWORD /d "4" /f
                                                                                                                                                                                                                                                                                                                                                                                                          2⤵
                                                                                                                                                                                                                                                                                                                                                                                                          • Modifies security service
                                                                                                                                                                                                                                                                                                                                                                                                          PID:1232
                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Windows\system32\reg.exe
                                                                                                                                                                                                                                                                                                                                                                                                          reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f
                                                                                                                                                                                                                                                                                                                                                                                                          2⤵
                                                                                                                                                                                                                                                                                                                                                                                                            PID:3636
                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Windows\system32\reg.exe
                                                                                                                                                                                                                                                                                                                                                                                                            reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v "DisableRoutinelyTakingAction" /t REG_DWORD /d "1" /f
                                                                                                                                                                                                                                                                                                                                                                                                            2⤵
                                                                                                                                                                                                                                                                                                                                                                                                              PID:636
                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Windows\system32\reg.exe
                                                                                                                                                                                                                                                                                                                                                                                                              reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v "ServiceKeepAlive" /t REG_DWORD /d "0" /f
                                                                                                                                                                                                                                                                                                                                                                                                              2⤵
                                                                                                                                                                                                                                                                                                                                                                                                                PID:2556
                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Windows\system32\reg.exe
                                                                                                                                                                                                                                                                                                                                                                                                                reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f
                                                                                                                                                                                                                                                                                                                                                                                                                2⤵
                                                                                                                                                                                                                                                                                                                                                                                                                • Modifies Windows Defender Real-time Protection settings
                                                                                                                                                                                                                                                                                                                                                                                                                PID:2736
                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Windows\system32\reg.exe
                                                                                                                                                                                                                                                                                                                                                                                                                reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /f
                                                                                                                                                                                                                                                                                                                                                                                                                2⤵
                                                                                                                                                                                                                                                                                                                                                                                                                • Modifies Windows Defender Real-time Protection settings
                                                                                                                                                                                                                                                                                                                                                                                                                PID:4272
                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Windows\system32\reg.exe
                                                                                                                                                                                                                                                                                                                                                                                                                reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f
                                                                                                                                                                                                                                                                                                                                                                                                                2⤵
                                                                                                                                                                                                                                                                                                                                                                                                                • Modifies Windows Defender Real-time Protection settings
                                                                                                                                                                                                                                                                                                                                                                                                                PID:1228
                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Windows\system32\reg.exe
                                                                                                                                                                                                                                                                                                                                                                                                                reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f
                                                                                                                                                                                                                                                                                                                                                                                                                2⤵
                                                                                                                                                                                                                                                                                                                                                                                                                • Modifies Windows Defender Real-time Protection settings
                                                                                                                                                                                                                                                                                                                                                                                                                PID:4624
                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Windows\system32\reg.exe
                                                                                                                                                                                                                                                                                                                                                                                                                reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f
                                                                                                                                                                                                                                                                                                                                                                                                                2⤵
                                                                                                                                                                                                                                                                                                                                                                                                                  PID:3660
                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Windows\system32\reg.exe
                                                                                                                                                                                                                                                                                                                                                                                                                  reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications" /v "DisableNotifications" /t REG_DWORD /d "1" /f
                                                                                                                                                                                                                                                                                                                                                                                                                  2⤵
                                                                                                                                                                                                                                                                                                                                                                                                                    PID:4836
                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Windows\system32\reg.exe
                                                                                                                                                                                                                                                                                                                                                                                                                    reg add "HKCU\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\PushNotifications" /v "NoToastApplicationNotification" /t REG_DWORD /d "1" /f
                                                                                                                                                                                                                                                                                                                                                                                                                    2⤵
                                                                                                                                                                                                                                                                                                                                                                                                                      PID:3092
                                                                                                                                                                                                                                                                                                                                                                                                                    • C:\Windows\system32\reg.exe
                                                                                                                                                                                                                                                                                                                                                                                                                      reg add "HKCU\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\PushNotifications" /v "NoToastApplicationNotificationOnLockScreen" /t REG_DWORD /d "1" /f
                                                                                                                                                                                                                                                                                                                                                                                                                      2⤵
                                                                                                                                                                                                                                                                                                                                                                                                                        PID:1928
                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Windows\system32\reg.exe
                                                                                                                                                                                                                                                                                                                                                                                                                        reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MsMpEng.exe\PerfOptions" /v "CpuPriorityClass" /t REG_DWORD /d "1" /f
                                                                                                                                                                                                                                                                                                                                                                                                                        2⤵
                                                                                                                                                                                                                                                                                                                                                                                                                        • Event Triggered Execution: Image File Execution Options Injection
                                                                                                                                                                                                                                                                                                                                                                                                                        PID:5288
                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Windows\system32\reg.exe
                                                                                                                                                                                                                                                                                                                                                                                                                        reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MsMpEngCP.exe\PerfOptions" /v "CpuPriorityClass" /t REG_DWORD /d "1" /f
                                                                                                                                                                                                                                                                                                                                                                                                                        2⤵
                                                                                                                                                                                                                                                                                                                                                                                                                        • Event Triggered Execution: Image File Execution Options Injection
                                                                                                                                                                                                                                                                                                                                                                                                                        PID:4292
                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Windows\system32\reg.exe
                                                                                                                                                                                                                                                                                                                                                                                                                        reg add "HKLM\SOFTWARE\Policies\Microsoft\MRT" /v "DontReportInfectionInformation" /t REG_DWORD /d "1" /f
                                                                                                                                                                                                                                                                                                                                                                                                                        2⤵
                                                                                                                                                                                                                                                                                                                                                                                                                          PID:4864
                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Windows\system32\reg.exe
                                                                                                                                                                                                                                                                                                                                                                                                                          reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\System" /v "EnableSmartScreen" /t REG_DWORD /d "0" /f
                                                                                                                                                                                                                                                                                                                                                                                                                          2⤵
                                                                                                                                                                                                                                                                                                                                                                                                                            PID:5040
                                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Windows\system32\reg.exe
                                                                                                                                                                                                                                                                                                                                                                                                                            reg add "HKLM\SOFTWARE\Policies\Microsoft\MicrosoftEdge\PhishingFilter" /v "EnabledV9" /t REG_DWORD /d "0" /f
                                                                                                                                                                                                                                                                                                                                                                                                                            2⤵
                                                                                                                                                                                                                                                                                                                                                                                                                              PID:2596
                                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Windows\system32\timeout.exe
                                                                                                                                                                                                                                                                                                                                                                                                                              timeout /t 1 /nobreak
                                                                                                                                                                                                                                                                                                                                                                                                                              2⤵
                                                                                                                                                                                                                                                                                                                                                                                                                              • Delays execution with timeout.exe
                                                                                                                                                                                                                                                                                                                                                                                                                              PID:2276
                                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Windows\system32\reg.exe
                                                                                                                                                                                                                                                                                                                                                                                                                              reg add "HKCU\SYSTEM\GameConfigStore" /v "GameDVR_DSEBehavior" /t REG_DWORD /d "0" /f
                                                                                                                                                                                                                                                                                                                                                                                                                              2⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                PID:1008
                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Windows\system32\reg.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                reg add "HKCU\SYSTEM\GameConfigStore" /v "GameDVR_FSEBehaviorMode" /t REG_DWORD /d "0" /f
                                                                                                                                                                                                                                                                                                                                                                                                                                2⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                  PID:2564
                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Windows\system32\reg.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                  reg add "HKCU\SYSTEM\GameConfigStore" /v "GameDVR_EFSEFeatureFlags" /t REG_DWORD /d "0" /f
                                                                                                                                                                                                                                                                                                                                                                                                                                  2⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                    PID:3528
                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Windows\system32\reg.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                    reg add "HKCU\SYSTEM\GameConfigStore" /v "GameDVR_DXGIHonorFSEWindowsCompatible" /t REG_DWORD /d "0" /f
                                                                                                                                                                                                                                                                                                                                                                                                                                    2⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                      PID:4340
                                                                                                                                                                                                                                                                                                                                                                                                                                    • C:\Windows\system32\reg.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                      reg add "HKCU\SYSTEM\GameConfigStore" /v "GameDVR_HonorUserFSEBehaviorMode" /t REG_DWORD /d "1" /f
                                                                                                                                                                                                                                                                                                                                                                                                                                      2⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                        PID:5836
                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Windows\system32\timeout.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                        timeout /t 1 /nobreak
                                                                                                                                                                                                                                                                                                                                                                                                                                        2⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                        • Delays execution with timeout.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                        PID:4296
                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Windows\system32\reg.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                        reg add "HKLM\SYSTEM\CurrentControlSet\Services\DXGKrnl" /v "MonitorLatencyTolerance" /t REG_DWORD /d "1" /f
                                                                                                                                                                                                                                                                                                                                                                                                                                        2⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                          PID:3288
                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Windows\system32\reg.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                          reg add "HKLM\SYSTEM\CurrentControlSet\Services\DXGKrnl" /v "MonitorRefreshLatencyTolerance" /t REG_DWORD /d "1" /f
                                                                                                                                                                                                                                                                                                                                                                                                                                          2⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                            PID:4516
                                                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Windows\system32\reg.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                            reg add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "ExitLatency" /t REG_DWORD /d "1" /f
                                                                                                                                                                                                                                                                                                                                                                                                                                            2⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                              PID:2092
                                                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Windows\system32\reg.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                              reg add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "ExitLatencyCheckEnabled" /t REG_DWORD /d "1" /f
                                                                                                                                                                                                                                                                                                                                                                                                                                              2⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                PID:4172
                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Windows\system32\reg.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                reg add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "Latency" /t REG_DWORD /d "1" /f
                                                                                                                                                                                                                                                                                                                                                                                                                                                2⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                  PID:3052
                                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Windows\system32\reg.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                  reg add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "LatencyToleranceDefault" /t REG_DWORD /d "1" /f
                                                                                                                                                                                                                                                                                                                                                                                                                                                  2⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                    PID:1472
                                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Windows\system32\reg.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                    reg add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "LatencyToleranceFSVP" /t REG_DWORD /d "1" /f
                                                                                                                                                                                                                                                                                                                                                                                                                                                    2⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                      PID:5820
                                                                                                                                                                                                                                                                                                                                                                                                                                                    • C:\Windows\system32\reg.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                      reg add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "LatencyTolerancePerfOverride" /t REG_DWORD /d "1" /f
                                                                                                                                                                                                                                                                                                                                                                                                                                                      2⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                        PID:5068
                                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Windows\system32\reg.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                        reg add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "LatencyToleranceScreenOffIR" /t REG_DWORD /d "1" /f
                                                                                                                                                                                                                                                                                                                                                                                                                                                        2⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                          PID:5840
                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Windows\system32\reg.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                          reg add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "LatencyToleranceVSyncEnabled" /t REG_DWORD /d "1" /f
                                                                                                                                                                                                                                                                                                                                                                                                                                                          2⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                            PID:5992
                                                                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Windows\system32\reg.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                            reg add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "RtlCapabilityCheckLatency" /t REG_DWORD /d "1" /f
                                                                                                                                                                                                                                                                                                                                                                                                                                                            2⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                              PID:6016
                                                                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Windows\system32\reg.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                              reg add "HKLM\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\Power" /v "DefaultD3TransitionLatencyActivelyUsed" /t REG_DWORD /d "1" /f
                                                                                                                                                                                                                                                                                                                                                                                                                                                              2⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                PID:6032
                                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Windows\system32\reg.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                reg add "HKLM\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\Power" /v "DefaultD3TransitionLatencyIdleLongTime" /t REG_DWORD /d "1" /f
                                                                                                                                                                                                                                                                                                                                                                                                                                                                2⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                  PID:5988
                                                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Windows\system32\reg.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                  reg add "HKLM\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\Power" /v "DefaultD3TransitionLatencyIdleMonitorOff" /t REG_DWORD /d "1" /f
                                                                                                                                                                                                                                                                                                                                                                                                                                                                  2⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                    PID:6044
                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Windows\system32\reg.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                    reg add "HKLM\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\Power" /v "DefaultD3TransitionLatencyIdleNoContext" /t REG_DWORD /d "1" /f
                                                                                                                                                                                                                                                                                                                                                                                                                                                                    2⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                      PID:5980
                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • C:\Windows\system32\reg.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                      reg add "HKLM\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\Power" /v "DefaultD3TransitionLatencyIdleShortTime" /t REG_DWORD /d "1" /f
                                                                                                                                                                                                                                                                                                                                                                                                                                                                      2⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                        PID:6076
                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Windows\system32\reg.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                        reg add "HKLM\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\Power" /v "DefaultD3TransitionLatencyIdleVeryLongTime" /t REG_DWORD /d "1" /f
                                                                                                                                                                                                                                                                                                                                                                                                                                                                        2⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                          PID:6088
                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Windows\system32\reg.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                          reg add "HKLM\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\Power" /v "DefaultLatencyToleranceIdle0" /t REG_DWORD /d "1" /f
                                                                                                                                                                                                                                                                                                                                                                                                                                                                          2⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                            PID:2476
                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Windows\system32\reg.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                            reg add "HKLM\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\Power" /v "DefaultLatencyToleranceIdle0MonitorOff" /t REG_DWORD /d "1" /f
                                                                                                                                                                                                                                                                                                                                                                                                                                                                            2⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                              PID:6100
                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Windows\system32\reg.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                              reg add "HKLM\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\Power" /v "DefaultLatencyToleranceIdle1" /t REG_DWORD /d "1" /f
                                                                                                                                                                                                                                                                                                                                                                                                                                                                              2⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                PID:4796
                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Windows\system32\reg.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                reg add "HKLM\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\Power" /v "DefaultLatencyToleranceIdle1MonitorOff" /t REG_DWORD /d "1" /f
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                2⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  PID:1264
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Windows\system32\reg.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  reg add "HKLM\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\Power" /v "DefaultLatencyToleranceMemory" /t REG_DWORD /d "1" /f
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  2⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    PID:6140
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Windows\system32\reg.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    reg add "HKLM\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\Power" /v "DefaultLatencyToleranceNoContext" /t REG_DWORD /d "1" /f
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    2⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      PID:3896
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • C:\Windows\system32\reg.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      reg add "HKLM\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\Power" /v "DefaultLatencyToleranceNoContextMonitorOff" /t REG_DWORD /d "1" /f
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      2⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        PID:3380
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Windows\system32\reg.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        reg add "HKLM\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\Power" /v "DefaultLatencyToleranceOther" /t REG_DWORD /d "1" /f
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        2⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          PID:6112
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Windows\system32\reg.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          reg add "HKLM\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\Power" /v "DefaultLatencyToleranceTimerPeriod" /t REG_DWORD /d "1" /f
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          2⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            PID:3304
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Windows\system32\reg.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            reg add "HKLM\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\Power" /v "DefaultMemoryRefreshLatencyToleranceActivelyUsed" /t REG_DWORD /d "1" /f
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            2⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              PID:4440
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Windows\system32\reg.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              reg add "HKLM\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\Power" /v "DefaultMemoryRefreshLatencyToleranceMonitorOff" /t REG_DWORD /d "1" /f
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              2⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                PID:2784
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Windows\system32\reg.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                reg add "HKLM\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\Power" /v "DefaultMemoryRefreshLatencyToleranceNoContext" /t REG_DWORD /d "1" /f
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                2⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  PID:4948
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Windows\system32\reg.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  reg add "HKLM\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\Power" /v "Latency" /t REG_DWORD /d "1" /f
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  2⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    PID:1120
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Windows\system32\reg.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    reg add "HKLM\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\Power" /v "MaxIAverageGraphicsLatencyInOneBucket" /t REG_DWORD /d "1" /f
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    2⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      PID:1692
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • C:\Windows\system32\reg.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      reg add "HKLM\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\Power" /v "MiracastPerfTrackGraphicsLatency" /t REG_DWORD /d "1" /f
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      2⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        PID:3212
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Windows\system32\reg.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        reg add "HKLM\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\Power" /v "MonitorLatencyTolerance" /t REG_DWORD /d "1" /f
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        2⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          PID:1884
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Windows\system32\reg.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          reg add "HKLM\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\Power" /v "MonitorRefreshLatencyTolerance" /t REG_DWORD /d "1" /f
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          2⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            PID:1588
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Windows\system32\reg.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            reg add "HKLM\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\Power" /v "TransitionLatency" /t REG_DWORD /d "1" /f
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            2⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              PID:4364
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Windows\system32\timeout.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              timeout /t 1 /nobreak
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              2⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • Delays execution with timeout.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              PID:1600
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Windows\system32\reg.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              reg add "HKLM\SYSTEM\ResourcePolicyStore\ResourceSets\Policies\CPU\HardCap0" /v "CapPercentage" /t REG_DWORD /d "0" /f
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              2⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                PID:2876
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Windows\system32\reg.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                reg add "HKLM\SYSTEM\ResourcePolicyStore\ResourceSets\Policies\CPU\HardCap0" /v "SchedulingType" /t REG_DWORD /d "0" /f
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                2⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  PID:5272
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Windows\system32\reg.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  reg add "HKLM\SYSTEM\ResourcePolicyStore\ResourceSets\Policies\CPU\Paused" /v "CapPercentage" /t REG_DWORD /d "0" /f
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  2⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    PID:4008
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Windows\system32\reg.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    reg add "HKLM\SYSTEM\ResourcePolicyStore\ResourceSets\Policies\CPU\Paused" /v "SchedulingType" /t REG_DWORD /d "0" /f
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    2⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      PID:4352
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • C:\Windows\system32\reg.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      reg add "HKLM\SYSTEM\ResourcePolicyStore\ResourceSets\Policies\CPU\SoftCapFull" /v "CapPercentage" /t REG_DWORD /d "0" /f
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      2⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        PID:5356
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Windows\system32\reg.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        reg add "HKLM\SYSTEM\ResourcePolicyStore\ResourceSets\Policies\CPU\SoftCapFull" /v "SchedulingType" /t REG_DWORD /d "0" /f
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        2⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          PID:2824
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Windows\system32\reg.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          reg add "HKLM\SYSTEM\ResourcePolicyStore\ResourceSets\Policies\CPU\SoftCapLow" /v "CapPercentage" /t REG_DWORD /d "0" /f
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          2⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            PID:5264
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Windows\system32\reg.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            reg add "HKLM\SYSTEM\ResourcePolicyStore\ResourceSets\Policies\CPU\SoftCapLow" /v "SchedulingType" /t REG_DWORD /d "0" /f
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            2⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              PID:4244
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Windows\system32\reg.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              reg add "HKLM\SYSTEM\ResourcePolicyStore\ResourceSets\Policies\Flags\BackgroundDefault" /v "IsLowPriority" /t REG_DWORD /d "0" /f
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              2⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                PID:3000
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Windows\system32\reg.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                reg add "HKLM\SYSTEM\ResourcePolicyStore\ResourceSets\Policies\Flags\Frozen" /v "IsLowPriority" /t REG_DWORD /d "0" /f
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                2⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  PID:4960
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Windows\system32\reg.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  reg add "HKLM\SYSTEM\ResourcePolicyStore\ResourceSets\Policies\Flags\FrozenDNCS" /v "IsLowPriority" /t REG_DWORD /d "0" /f
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  2⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    PID:3632
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Windows\system32\reg.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    reg add "HKLM\SYSTEM\ResourcePolicyStore\ResourceSets\Policies\Flags\FrozenDNK" /v "IsLowPriority" /t REG_DWORD /d "0" /f
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    2⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      PID:5360
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • C:\Windows\system32\reg.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      reg add "HKLM\SYSTEM\ResourcePolicyStore\ResourceSets\Policies\Flags\FrozenPPLE" /v "IsLowPriority" /t REG_DWORD /d "0" /f
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      2⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        PID:3084
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Windows\system32\reg.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        reg add "HKLM\SYSTEM\ResourcePolicyStore\ResourceSets\Policies\Flags\Paused" /v "IsLowPriority" /t REG_DWORD /d "0" /f
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        2⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          PID:5372
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Windows\system32\reg.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          reg add "HKLM\SYSTEM\ResourcePolicyStore\ResourceSets\Policies\Flags\PausedDNK" /v "IsLowPriority" /t REG_DWORD /d "0" /f
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          2⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            PID:4132
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Windows\system32\reg.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            reg add "HKLM\SYSTEM\ResourcePolicyStore\ResourceSets\Policies\Flags\Pausing" /v "IsLowPriority" /t REG_DWORD /d "0" /f
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            2⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              PID:4600
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Windows\system32\reg.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              reg add "HKLM\SYSTEM\ResourcePolicyStore\ResourceSets\Policies\Flags\PrelaunchForeground" /v "IsLowPriority" /t REG_DWORD /d "0" /f
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              2⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                PID:3280
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Windows\system32\reg.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                reg add "HKLM\SYSTEM\ResourcePolicyStore\ResourceSets\Policies\Flags\ThrottleGPUInterference" /v "IsLowPriority" /t REG_DWORD /d "0" /f
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                2⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  PID:5404
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Windows\system32\reg.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  reg add "HKLM\SYSTEM\ResourcePolicyStore\ResourceSets\Policies\Importance\Critical" /v "BasePriority" /t REG_DWORD /d "82" /f
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  2⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    PID:4036
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Windows\system32\reg.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    reg add "HKLM\SYSTEM\ResourcePolicyStore\ResourceSets\Policies\Importance\Critical" /v "OverTargetPriority" /t REG_DWORD /d "50" /f
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    2⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      PID:5400
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • C:\Windows\system32\reg.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      reg add "HKLM\SYSTEM\ResourcePolicyStore\ResourceSets\Policies\Importance\CriticalNoUi" /v "BasePriority" /t REG_DWORD /d "82" /f
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      2⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        PID:5456
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Windows\system32\reg.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        reg add "HKLM\SYSTEM\ResourcePolicyStore\ResourceSets\Policies\Importance\CriticalNoUi" /v "OverTargetPriority" /t REG_DWORD /d "50" /f
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        2⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          PID:5416
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Windows\system32\reg.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          reg add "HKLM\SYSTEM\ResourcePolicyStore\ResourceSets\Policies\Importance\EmptyHostPPLE" /v "BasePriority" /t REG_DWORD /d "82" /f
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          2⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            PID:4728
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Windows\system32\reg.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            reg add "HKLM\SYSTEM\ResourcePolicyStore\ResourceSets\Policies\Importance\EmptyHostPPLE" /v "OverTargetPriority" /t REG_DWORD /d "50" /f
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            2⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              PID:4860
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Windows\system32\reg.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              reg add "HKLM\SYSTEM\ResourcePolicyStore\ResourceSets\Policies\Importance\High" /v "BasePriority" /t REG_DWORD /d "82" /f
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              2⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                PID:2292
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Windows\system32\reg.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                reg add "HKLM\SYSTEM\ResourcePolicyStore\ResourceSets\Policies\Importance\High" /v "OverTargetPriority" /t REG_DWORD /d "50" /f
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                2⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  PID:5500
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Windows\system32\reg.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  reg add "HKLM\SYSTEM\ResourcePolicyStore\ResourceSets\Policies\Importance\Low" /v "BasePriority" /t REG_DWORD /d "82" /f
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  2⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    PID:5512
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Windows\system32\reg.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    reg add "HKLM\SYSTEM\ResourcePolicyStore\ResourceSets\Policies\Importance\Low" /v "OverTargetPriority" /t REG_DWORD /d "50" /f
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    2⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      PID:5524
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • C:\Windows\system32\reg.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      reg add "HKLM\SYSTEM\ResourcePolicyStore\ResourceSets\Policies\Importance\Lowest" /v "BasePriority" /t REG_DWORD /d "82" /f
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      2⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        PID:5540
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Windows\system32\reg.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        reg add "HKLM\SYSTEM\ResourcePolicyStore\ResourceSets\Policies\Importance\Lowest" /v "OverTargetPriority" /t REG_DWORD /d "50" /f
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        2⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          PID:2684
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Windows\system32\reg.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          reg add "HKLM\SYSTEM\ResourcePolicyStore\ResourceSets\Policies\Importance\Medium" /v "BasePriority" /t REG_DWORD /d "82" /f
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          2⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            PID:4336
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Windows\system32\reg.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            reg add "HKLM\SYSTEM\ResourcePolicyStore\ResourceSets\Policies\Importance\Medium" /v "OverTargetPriority" /t REG_DWORD /d "50" /f
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            2⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              PID:3036
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Windows\system32\reg.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              reg add "HKLM\SYSTEM\ResourcePolicyStore\ResourceSets\Policies\Importance\MediumHigh" /v "BasePriority" /t REG_DWORD /d "82" /f
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              2⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                PID:2772
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Windows\system32\reg.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                reg add "HKLM\SYSTEM\ResourcePolicyStore\ResourceSets\Policies\Importance\MediumHigh" /v "OverTargetPriority" /t REG_DWORD /d "50" /f
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                2⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  PID:5568
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Windows\system32\reg.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  reg add "HKLM\SYSTEM\ResourcePolicyStore\ResourceSets\Policies\Importance\StartHost" /v "BasePriority" /t REG_DWORD /d "82" /f
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  2⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    PID:3400
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Windows\system32\reg.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    reg add "HKLM\SYSTEM\ResourcePolicyStore\ResourceSets\Policies\Importance\StartHost" /v "OverTargetPriority" /t REG_DWORD /d "50" /f
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    2⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      PID:3128
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • C:\Windows\system32\reg.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      reg add "HKLM\SYSTEM\ResourcePolicyStore\ResourceSets\Policies\Importance\VeryHigh" /v "BasePriority" /t REG_DWORD /d "82" /f
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      2⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        PID:4716
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Windows\system32\reg.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        reg add "HKLM\SYSTEM\ResourcePolicyStore\ResourceSets\Policies\Importance\VeryHigh" /v "OverTargetPriority" /t REG_DWORD /d "50" /f
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        2⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          PID:3468
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Windows\system32\reg.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          reg add "HKLM\SYSTEM\ResourcePolicyStore\ResourceSets\Policies\Importance\VeryLow" /v "BasePriority" /t REG_DWORD /d "82" /f
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          2⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            PID:4456
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Windows\system32\reg.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            reg add "HKLM\SYSTEM\ResourcePolicyStore\ResourceSets\Policies\Importance\VeryLow" /v "OverTargetPriority" /t REG_DWORD /d "50" /f
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            2⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              PID:2880
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Windows\system32\reg.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              reg add "HKLM\SYSTEM\ResourcePolicyStore\ResourceSets\Policies\IO\NoCap" /v "IOBandwidth" /t REG_DWORD /d "0" /f
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              2⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                PID:5612
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Windows\system32\reg.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                reg add "HKLM\SYSTEM\ResourcePolicyStore\ResourceSets\Policies\Memory\NoCap" /v "CommitLimit" /t REG_DWORD /d "4294967295" /f
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                2⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  PID:5620
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Windows\system32\reg.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  reg add "HKLM\SYSTEM\ResourcePolicyStore\ResourceSets\Policies\Memory\NoCap" /v "CommitTarget" /t REG_DWORD /d "4294967295" /f
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  2⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    PID:3364
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Windows\system32\timeout.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    timeout /t 1 /nobreak
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    2⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • Delays execution with timeout.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    PID:4316
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Windows\system32\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    C:\Windows\system32\cmd.exe /c wmic path Win32_VideoController get PNPDeviceID| findstr /L "PCI\VEN_"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    2⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      PID:968
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Windows\System32\Wbem\WMIC.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        wmic path Win32_VideoController get PNPDeviceID
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        PID:2008
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Windows\system32\findstr.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        findstr /L "PCI\VEN_"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          PID:5660
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Windows\system32\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        C:\Windows\system32\cmd.exe /c reg query "HKLM\SYSTEM\ControlSet001\Enum\PCI\VEN_1234&DEV_1111&SUBSYS_11001AF4&REV_02\3&11583659&0&08" /v "Driver"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        2⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          PID:3240
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Windows\system32\reg.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            reg query "HKLM\SYSTEM\ControlSet001\Enum\PCI\VEN_1234&DEV_1111&SUBSYS_11001AF4&REV_02\3&11583659&0&08" /v "Driver"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              PID:2032
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Windows\system32\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            C:\Windows\system32\cmd.exe /c echo {4d36e968-e325-11ce-bfc1-08002be10318}\0000 | findstr "{"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            2⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              PID:664
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Windows\system32\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                C:\Windows\system32\cmd.exe /S /D /c" echo {4d36e968-e325-11ce-bfc1-08002be10318}\0000 "
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  PID:2524
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Windows\system32\findstr.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  findstr "{"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    PID:1220
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Windows\system32\reg.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  reg add "HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000" /v "DisableDynamicPstate" /t REG_DWORD /d "1" /f
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  2⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    PID:4136
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Windows\system32\timeout.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    timeout /t 3 /nobreak
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    2⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • Delays execution with timeout.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    PID:5740
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Windows\system32\reg.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    reg add "HKLM\SOFTWARE\Intel\GMM" /v "DedicatedSegmentSize" /t REG_DWORD /d "512" /f
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    2⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      PID:5748
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • C:\Windows\system32\timeout.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      timeout /t 5 /nobreak
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      2⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • Delays execution with timeout.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      PID:624
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • C:\Windows\system32\timeout.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      timeout /t 3 /nobreak
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      2⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • Delays execution with timeout.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      PID:5772

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Network

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  MITRE ATT&CK Enterprise v15

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Replay Monitor

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Loading Replay Monitor...

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Downloads

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    2KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    d136d3411d4aa688242c53cafb993aa6

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    1a81cc78e3ca445d5a5193e49ddce26d5e25179f

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    00ae5433c0107cc164516c7849b4cff7b6faeb52e5afa65c01dbd8c7a5efe397

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    282ea53f8093c00e8c64d253782068211f8c4187391d5078755f55dedb8825c0042173d82f489d7b6c06e88184b70e83c1e92dadb80f57bd96c95855ac6b3da1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    152B

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    6960857d16aadfa79d36df8ebbf0e423

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    e1db43bd478274366621a8c6497e270d46c6ed4f

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    f40b812ce44e391423eb66602ac0af138a1e948aa8c4116045fef671ef21cd32

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    6deb2a63055a643759dd0ae125fb2f68ec04a443dbf8b066a812b42352bbcfa4517382ed0910c190c986a864559c3453c772e153ee2e9432fb2de2e1e49ca7fe

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    152B

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    f426165d1e5f7df1b7a3758c306cd4ae

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    59ef728fbbb5c4197600f61daec48556fec651c1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    b68dfc21866d0abe5c75d70acc54670421fa9b26baf98af852768676a901b841

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    8d437fcb85acb0705bf080141e7a021740901248985a76299ea8c43e46ad78fb88c738322cf302f6a550caa5e79d85b36827e9b329b1094521b17cf638c015b6

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    1KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    0e4f225b0e7c9fa121e11fe5eed5719e

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    c188cb65a2b169814781a51a03f5ed7521059174

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    4a142170781831ea55b3f8c42fae7db07af6cb5a5f06825a9bc5f359212d8845

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    6977b7d9220b2fabd144d5fc0e39aaaec934e09e76e8675c846099a22e0970b625a2bc00ec4b2f62d494a08c0c9ee2a55b2f3776e22860b371b5717855c8fa74

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    579B

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    ed5f4213c17629776cd75510648fc019

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    ebfa685dca9b7c920cd5ad521c03e4ad0ce435b9

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    e969795f0e63ec8a35cdf34d5bc43867ca0825bebfed9734943e69b34ed2ad87

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    71bcc166ae5a48f7a79aa5de7ecc7e10dce22c39240ca9ffe9d0f9340f40fc2a2429529cfee8b2b5d7082efe94921fa7df3454852d5313ff4093bfdffc189627

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    6KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    393fa0eb9802933b868501db73682fc4

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    7eff816b632c61a389571cccde1180f7ac6c9960

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    f5a6e1eadd7f29a6d270bbcaab1bb90932b2eded2d153d38c285e2956a4ffef1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    cf75ffd0144dc76d0f91b6b906d51b9b282dc9011da356e1d6c02472e3f951bb281537da1d388c93cf1a75c92840cec6a72e6815574227a8b63dd3e870f36069

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    6KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    0cb6f3c040da3014d82e8654b92841a9

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    c04da46859753a39a3505bf1a72438f9bd33f308

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    317b91b037504f03e813fe2ac95df877726c93f172acaa13e68648d5f5c38aad

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    9f4ad2ad3ee9b9d9de9cd150a7926d673f53483d884fcdeb5e8b7c9757cab09692975886f1adcf631c4a552512fadf805d1a08f0efc76c8b439131b07be758f1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    5KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    b9cb1c3dfcb6ef9b11205a6fddf92df8

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    54d03cf8d8e2d7cc06dcd8477dcd1653a1fb38d8

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    4e30bc72397c94739596840fcfdb3b7ec3d0cd2a0f0ad3e52233cc2eeecb81d1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    435d6a06cd8e09818dfba8b84ea3a2497cfd0145478c9baa421c4c4039e805043c17b76646a9323009695f7a1807673c8238a9ac2b61f81bf61a6e2399dc48b3

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    16B

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    6752a1d65b201c13b62ea44016eb221f

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    58ecf154d01a62233ed7fb494ace3c3d4ffce08b

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    10KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    20a38f615adbedeef4aae82d2751b1f6

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    cc5b39b69c5bd7e82b98451b16d219ee42ca1195

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    fa6a29fa2a77bfd94f032a895c9bfcb6460e379c5665d67af601071938b6ca6f

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    9b413791708a4368de14de738b48190e059f38a453c48f530dfe5d7c3dd29d2cea307c51159e7d91646972f0439fbd14a213f073a48d7da844d3de5c88a6b103

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    10KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    c93d4081fea418dd2f4241924b3b7bd9

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    1a99b3973fa380906d6ca7ed6489dec38555db4e

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    431731162a42cd7ad4e89293dec3faa43edcb4a67cf37537d039718000ca7aa0

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    df56145ad77615d732373a3749f4b1ab71c392642447e2a489110719576c1db54a673b5963505ccaf9217997e7576743a65c531549ff84829895e8d2b8e5fcd8

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    64B

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    1a11402783a8686e08f8fa987dd07bca

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    580df3865059f4e2d8be10644590317336d146ce

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    9b1d1b468932a2d88548dc18504ac3066f8248079ecb083e919460bdb88398c0

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    5f7f9f76d9d12a25fdc5b8d193391fb42c37515c657250fe01a9bfd9fe4cc4eab9d5ec254b2596ac1b9005f12511905f19fdae41f057062261d75bd83254b510

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    1KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    7384b6ae47e4ca2a582c03c7d6958c2e

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    3d9e6cfe9a7075d6b477b15ada1c948096deb7d6

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    bdd6d96166d00cf038f776c43446a3750c82db810239873df96e00e4a581a1ec

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    ae0e79aa60a5c1aa743ec23cd8912daeec739bd3c2eff6427f9298dac692d60025e177b4655eea359d1b0f054e02005df7c8b5bb777b9ba6f474f38fbf4272ca

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    64B

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    93d770c3682118712d8c293263ad211d

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    23e67c9e26e29c0d0c5b962c09183e69120b5230

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    54cd6322303f2a38b1e9d1e09205cfb8e12ac71d6423c90da33d41528d0c55ab

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    d8d5719ee319e42bbcd2fcbcb4a8539bae641874592ad8adf906c0ec568183b58d9a0e97fd2b0b97e8f7ea2ce6bb166b3a53c7ca1d480266f4aabef1ce31b1d8

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    1KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    561ad4794e22ab68a6811d88e43d6c06

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    3dcd045d3e0fb917c67ec36cfe102e50a9b3c41c

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    250e7bac495dbd6e656b75106b03b7e741c7508097fbd32cf78627061b7ceade

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    00273fa6bf017c674a48e3b9b4757f083540846de66abf8c2b8fc878d38475cf284f3ebefc597600a393ec18c8027a6628e6698ab5a3086fe60e1aa6ef733c96

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_jratjbut.e2s.ps1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    60B

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    d17fe0a3f47be24a6453e9ef58c94641

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    6ab83620379fc69f80c0242105ddffd7d98d5d9d

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Users\Admin\Downloads\APB_Log.txt

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    4KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    7497891526756f46a7d5ed0841f37115

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    6c649f3671be1fa2f8e2c33a9ba7f704d5c73f60

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    4e197eadf7ce63ae9c028ca753b2a2152e5fa0bbe12cc75290d0b4be051dca69

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    c34fcd6c7ed946bba7bd7088cebf54bfb79692c08f3239972d071bb6a686a07bc7e97dc0427bae74960486547ce3dc3fa8338b6e1f1e101db42c7c6bf7e4a7fd

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Users\Admin\Downloads\Unconfirmed 899640.crdownload

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    165KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    95e5072c5582d546e2bd42eee4642376

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    e920b5930456311885ed1506d2b6eee76d745bf1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    a1af1cebcb9b024f05690fd07e65a7363e3bc0395cfc788102e9a907e76dda03

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    597caafd90f4ac9177bd9de3fe3523b2a8711596b93d9eb1e0a97efc08dad8033772040c35471b6ebd74d992676da485c7542776c2f062a2bdbad234aea2ee7d

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • \??\pipe\LOCAL\crashpad_1380_LKXKEJTZJDEMBFXP

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    d41d8cd98f00b204e9800998ecf8427e

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    da39a3ee5e6b4b0d3255bfef95601890afd80709

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • memory/5256-360-0x000002535B680000-0x000002535B69E000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    120KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • memory/5936-340-0x00000262437F0000-0x0000026243812000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    136KB