hxxps://github[.]com/verity0001/NeuronX

Analysis

max time kernel
51s
max time network
276s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
19-11-2024 19:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/verity0001/NeuronX

Score

10^/10

discovery evasion execution exploit persistence privilege_escalation ransomware

Malware Config

Signatures

Disables service(s) 3 TTPs
evasion execution

Windows Service
T1543.003

Service Stop
T1489

Service Execution
T1569.002

Clears Windows event logs 1 TTPs 64 IoCs

evasion ransomware

Clear Windows Event Logs

T1070.001

Processes:

wevtutil.exewevtutil.exewevtutil.exewevtutil.exe

pid	process
3276
5384
4020
3252
1608
2548
3220	wevtutil.exe
5352	wevtutil.exe
5180
5740
1944
1724
668
4936
5836
1732
5884
1028
4852
3104
5332
1432
5048
5652
4544
3052
5316
5680	wevtutil.exe
5552
2860
5408
2056
4016
940
4556
4280
5008
5764
4888
4516
5656
116
4044
2884
4556
5016
5696
1868
1700
5644
4148
3184
4768
3160
4476
2812
5372
5560
4552	wevtutil.exe
5652
2956
1556
4644
5808

Modifies boot configuration data using bcdedit 28 IoCs

Processes:

bcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exe

pid	process
4780	bcdedit.exe
1108	bcdedit.exe
1392	bcdedit.exe
428	bcdedit.exe
3768	bcdedit.exe
6016	bcdedit.exe
1864	bcdedit.exe
4052	bcdedit.exe
5128	bcdedit.exe
5976	bcdedit.exe
1628	bcdedit.exe
3240	bcdedit.exe
5640	bcdedit.exe
5528	bcdedit.exe
5028	bcdedit.exe
4924	bcdedit.exe
4588	bcdedit.exe
5560	bcdedit.exe
5112	bcdedit.exe
4088	bcdedit.exe
1744	bcdedit.exe
1600	bcdedit.exe
1248	bcdedit.exe
3716	bcdedit.exe
4472	bcdedit.exe
4160	bcdedit.exe
6056	bcdedit.exe
5916	bcdedit.exe

Modifies Windows Firewall 2 TTPs 4 IoCs
evasion

Windows Service
T1543.003

Disable or Modify System Firewall
T1562.004

Processes:

netsh.exenetsh.exenetsh.exenetsh.exe

pid process

1768 netsh.exe
4488 netsh.exe
2724 netsh.exe
5504 netsh.exe
Possible privilege escalation attempt 10 IoCs
exploit

Processes:

icacls.exeicacls.exetakeown.exetakeown.exe

pid process

3484
5660
4844
5696 icacls.exe
1632 icacls.exe
5436
2576
1616
5684 takeown.exe
3208 takeown.exe

pid	process
1768	netsh.exe
4488	netsh.exe
2724	netsh.exe
5504	netsh.exe

pid	process
3484
5660
4844
5696	icacls.exe
1632	icacls.exe
5436
2576
1616
5684	takeown.exe
3208	takeown.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

regedit.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	regedit.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	regedit.exe

Modifies file permissions 1 TTPs 10 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

takeown.exetakeown.exeicacls.exeicacls.exe

pid process

5436
2576
5660
1616
5684 takeown.exe
3208 takeown.exe
3484
4844
5696 icacls.exe
1632 icacls.exe
Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs
Using powershell.exe command.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exe

pid process

2860 powershell.exe
5936 powershell.exe
3560 powershell.exe
5860 powershell.exe
312
Power Settings 1 TTPs 31 IoCs
powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.
persistence

Power Settings
T1653

Processes:

pid process

976
3680
3024
3268
2928
4968
5516
6036
3944
4572
4004
5328
3012
4640
5460
5864
5924
5764
1584
5068
6056
5944
5992
5680
2760
6060
5088
4952
3764
5968
5456

pid	process
5436
2576
5660
1616
5684	takeown.exe
3208	takeown.exe
3484
4844
5696	icacls.exe
1632	icacls.exe

pid	process
2860	powershell.exe
5936	powershell.exe
3560	powershell.exe
5860	powershell.exe
312

pid	process
976
3680
3024
3268
2928
4968
5516
6036
3944
4572
4004
5328
3012
4640
5460
5864
5924
5764
1584
5068
6056
5944
5992
5680
2760
6060
5088
4952
3764
5968
5456

Launches sc.exe 20 IoCs

Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exe

pid	process
2056
5160
5848	sc.exe
4280	sc.exe
5448
2480
5648
1456	sc.exe
1204	sc.exe
5836
4764
1032
2724
5452
1652	sc.exe
4516	sc.exe
3600	sc.exe
4468	sc.exe
2108	sc.exe
3772	sc.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Event Triggered Execution: Netsh Helper DLL 1 TTPs 2 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

Processes:

regedit.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	regedit.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	regedit.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs
Adversaries may check for Internet connectivity on compromised systems.
discovery

Internet Connection Discovery
T1016.001

Processes:

pid process

5936
System Time Discovery 1 TTPs 2 IoCs
Adversary may gather the system time and/or time zone settings from a local or remote system.
discovery

System Time Discovery
T1124

Processes:

netsh.exe

pid process

232 netsh.exe
5460

pid	process
5936

pid	process
232	netsh.exe
5460

Checks processor information in registry 2 TTPs 23 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

regedit.exe

description	ioc	process
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	regedit.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier	regedit.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	regedit.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data	regedit.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet	regedit.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	regedit.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Revision	regedit.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	regedit.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	regedit.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Configuration Data	regedit.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\VendorIdentifier	regedit.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	regedit.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	regedit.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	regedit.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	regedit.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	regedit.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	regedit.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	regedit.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet	regedit.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	regedit.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	regedit.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	regedit.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Component Information	regedit.exe

Delays execution with timeout.exe 17 IoCs

evasion

Processes:

timeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exe

pid	process
4304
5172
6020
1852
5916
5196	timeout.exe
6092
3684
3424	timeout.exe
5652	timeout.exe
3560	timeout.exe
5792	timeout.exe
1632	timeout.exe
980
5468
4156
4556	timeout.exe

Enumerates system info in registry 2 TTPs 64 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exeregedit.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Configuration Data	regedit.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor	regedit.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral	regedit.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0	regedit.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController	regedit.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral	regedit.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor\0\Identifier	regedit.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0	regedit.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor	regedit.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0	regedit.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\Component Information	regedit.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses\PCIBus	regedit.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses\PCIBus	regedit.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController	regedit.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	regedit.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses	regedit.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0\Configuration Data	regedit.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral	regedit.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses\PCIBus\	regedit.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses\PCIBus\0000\	regedit.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor\1\Configuration Data	regedit.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter	regedit.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0	regedit.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral\0	regedit.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\1\Component Information	regedit.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\2	regedit.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses\PCIBus\0000	regedit.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor\1	regedit.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter	regedit.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\Component Information	regedit.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController	regedit.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\Configuration Data	regedit.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral	regedit.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController	regedit.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BootArchitecture	regedit.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral\0\Configuration Data	regedit.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\2	regedit.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses\PCIBus	regedit.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses\PCIBus\0000	regedit.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\2\Configuration Data	regedit.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\PreferredProfile	regedit.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Capabilities	regedit.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor	regedit.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor\1\Component Information	regedit.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\Configuration Data	regedit.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\1\Identifier	regedit.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses	regedit.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	regedit.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor\0	regedit.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor\0\Configuration Data	regedit.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0	regedit.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0	regedit.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\Component Information	regedit.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0	regedit.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor\0	regedit.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\Identifier	regedit.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral	regedit.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0	regedit.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral\0	regedit.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses	regedit.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Component Information	regedit.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral\0\Component Information	regedit.exe

Gathers network information 2 TTPs 3 IoCs
Uses commandline utility to view network configuration.

System Information Discovery
T1082

Command and Scripting Interpreter
T1059

Processes:

ipconfig.exeipconfig.exeipconfig.exe

pid process

3844 ipconfig.exe
3108 ipconfig.exe
3312 ipconfig.exe
Modifies registry class 1 IoCs

Processes:

msedge.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings msedge.exe
Modifies registry key 1 TTPs 22 IoCs

Modify Registry
T1112

Processes:

reg.exereg.exereg.exereg.exereg.exereg.exe

pid process

1880
972
5376 reg.exe
4084
6056
1464
5180
5928
5760
5996 reg.exe
2188 reg.exe
980
4780
2416
2760
5256
6064 reg.exe
2936 reg.exe
1620 reg.exe
5668
3012
668
Runs .reg file with regedit 1 IoCs

Processes:

regedit.exe

pid process

5480 regedit.exe
Runs net.exe
Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

msedge.exemsedge.exeidentity_helper.exemsedge.exe

pid process

4572 msedge.exe
4572 msedge.exe
3096 msedge.exe
3096 msedge.exe
2940 identity_helper.exe
2940 identity_helper.exe
1112 msedge.exe
1112 msedge.exe

pid	process
3844	ipconfig.exe
3108	ipconfig.exe
3312	ipconfig.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings	msedge.exe

pid	process
1880
972
5376	reg.exe
4084
6056
1464
5180
5928
5760
5996	reg.exe
2188	reg.exe
980
4780
2416
2760
5256
6064	reg.exe
2936	reg.exe
1620	reg.exe
5668
3012
668

pid	process
5480	regedit.exe

pid	process
4572	msedge.exe
4572	msedge.exe
3096	msedge.exe
3096	msedge.exe
2940	identity_helper.exe
2940	identity_helper.exe
1112	msedge.exe
1112	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 10 IoCs

Processes:

msedge.exe

pid	process
3096	msedge.exe
3096	msedge.exe
3096	msedge.exe
3096	msedge.exe
3096	msedge.exe
3096	msedge.exe
3096	msedge.exe
3096	msedge.exe
3096	msedge.exe
3096	msedge.exe

Suspicious use of FindShellTrayWindow 39 IoCs

Processes:

msedge.exe

pid	process
3096	msedge.exe
3096	msedge.exe
3096	msedge.exe
3096	msedge.exe
3096	msedge.exe
3096	msedge.exe
3096	msedge.exe
3096	msedge.exe
3096	msedge.exe
3096	msedge.exe
3096	msedge.exe
3096	msedge.exe
3096	msedge.exe
3096	msedge.exe
3096	msedge.exe
3096	msedge.exe
3096	msedge.exe
3096	msedge.exe
3096	msedge.exe
3096	msedge.exe
3096	msedge.exe
3096	msedge.exe
3096	msedge.exe
3096	msedge.exe
3096	msedge.exe
3096	msedge.exe
3096	msedge.exe
3096	msedge.exe
3096	msedge.exe
3096	msedge.exe
3096	msedge.exe
3096	msedge.exe
3096	msedge.exe
3096	msedge.exe
3096	msedge.exe
3096	msedge.exe
3096	msedge.exe
3096	msedge.exe
3096	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

msedge.exe

pid	process
3096	msedge.exe
3096	msedge.exe
3096	msedge.exe
3096	msedge.exe
3096	msedge.exe
3096	msedge.exe
3096	msedge.exe
3096	msedge.exe
3096	msedge.exe
3096	msedge.exe
3096	msedge.exe
3096	msedge.exe
3096	msedge.exe
3096	msedge.exe
3096	msedge.exe
3096	msedge.exe
3096	msedge.exe
3096	msedge.exe
3096	msedge.exe
3096	msedge.exe
3096	msedge.exe
3096	msedge.exe
3096	msedge.exe
3096	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msedge.exe

description	pid	process	target process
PID 3096 wrote to memory of 2200	3096	msedge.exe	msedge.exe
PID 3096 wrote to memory of 2200	3096	msedge.exe	msedge.exe
PID 3096 wrote to memory of 5060	3096	msedge.exe	msedge.exe
PID 3096 wrote to memory of 5060	3096	msedge.exe	msedge.exe
PID 3096 wrote to memory of 5060	3096	msedge.exe	msedge.exe
PID 3096 wrote to memory of 5060	3096	msedge.exe	msedge.exe
PID 3096 wrote to memory of 5060	3096	msedge.exe	msedge.exe
PID 3096 wrote to memory of 5060	3096	msedge.exe	msedge.exe
PID 3096 wrote to memory of 5060	3096	msedge.exe	msedge.exe
PID 3096 wrote to memory of 5060	3096	msedge.exe	msedge.exe
PID 3096 wrote to memory of 5060	3096	msedge.exe	msedge.exe
PID 3096 wrote to memory of 5060	3096	msedge.exe	msedge.exe
PID 3096 wrote to memory of 5060	3096	msedge.exe	msedge.exe
PID 3096 wrote to memory of 5060	3096	msedge.exe	msedge.exe
PID 3096 wrote to memory of 5060	3096	msedge.exe	msedge.exe
PID 3096 wrote to memory of 5060	3096	msedge.exe	msedge.exe
PID 3096 wrote to memory of 5060	3096	msedge.exe	msedge.exe
PID 3096 wrote to memory of 5060	3096	msedge.exe	msedge.exe
PID 3096 wrote to memory of 5060	3096	msedge.exe	msedge.exe
PID 3096 wrote to memory of 5060	3096	msedge.exe	msedge.exe
PID 3096 wrote to memory of 5060	3096	msedge.exe	msedge.exe
PID 3096 wrote to memory of 5060	3096	msedge.exe	msedge.exe
PID 3096 wrote to memory of 5060	3096	msedge.exe	msedge.exe
PID 3096 wrote to memory of 5060	3096	msedge.exe	msedge.exe
PID 3096 wrote to memory of 5060	3096	msedge.exe	msedge.exe
PID 3096 wrote to memory of 5060	3096	msedge.exe	msedge.exe
PID 3096 wrote to memory of 5060	3096	msedge.exe	msedge.exe
PID 3096 wrote to memory of 5060	3096	msedge.exe	msedge.exe
PID 3096 wrote to memory of 5060	3096	msedge.exe	msedge.exe
PID 3096 wrote to memory of 5060	3096	msedge.exe	msedge.exe
PID 3096 wrote to memory of 5060	3096	msedge.exe	msedge.exe
PID 3096 wrote to memory of 5060	3096	msedge.exe	msedge.exe
PID 3096 wrote to memory of 5060	3096	msedge.exe	msedge.exe
PID 3096 wrote to memory of 5060	3096	msedge.exe	msedge.exe
PID 3096 wrote to memory of 5060	3096	msedge.exe	msedge.exe
PID 3096 wrote to memory of 5060	3096	msedge.exe	msedge.exe
PID 3096 wrote to memory of 5060	3096	msedge.exe	msedge.exe
PID 3096 wrote to memory of 5060	3096	msedge.exe	msedge.exe
PID 3096 wrote to memory of 5060	3096	msedge.exe	msedge.exe
PID 3096 wrote to memory of 5060	3096	msedge.exe	msedge.exe
PID 3096 wrote to memory of 5060	3096	msedge.exe	msedge.exe
PID 3096 wrote to memory of 5060	3096	msedge.exe	msedge.exe
PID 3096 wrote to memory of 4572	3096	msedge.exe	msedge.exe
PID 3096 wrote to memory of 4572	3096	msedge.exe	msedge.exe
PID 3096 wrote to memory of 4004	3096	msedge.exe	msedge.exe
PID 3096 wrote to memory of 4004	3096	msedge.exe	msedge.exe
PID 3096 wrote to memory of 4004	3096	msedge.exe	msedge.exe
PID 3096 wrote to memory of 4004	3096	msedge.exe	msedge.exe
PID 3096 wrote to memory of 4004	3096	msedge.exe	msedge.exe
PID 3096 wrote to memory of 4004	3096	msedge.exe	msedge.exe
PID 3096 wrote to memory of 4004	3096	msedge.exe	msedge.exe
PID 3096 wrote to memory of 4004	3096	msedge.exe	msedge.exe
PID 3096 wrote to memory of 4004	3096	msedge.exe	msedge.exe
PID 3096 wrote to memory of 4004	3096	msedge.exe	msedge.exe
PID 3096 wrote to memory of 4004	3096	msedge.exe	msedge.exe
PID 3096 wrote to memory of 4004	3096	msedge.exe	msedge.exe
PID 3096 wrote to memory of 4004	3096	msedge.exe	msedge.exe
PID 3096 wrote to memory of 4004	3096	msedge.exe	msedge.exe
PID 3096 wrote to memory of 4004	3096	msedge.exe	msedge.exe
PID 3096 wrote to memory of 4004	3096	msedge.exe	msedge.exe
PID 3096 wrote to memory of 4004	3096	msedge.exe	msedge.exe
PID 3096 wrote to memory of 4004	3096	msedge.exe	msedge.exe
PID 3096 wrote to memory of 4004	3096	msedge.exe	msedge.exe
PID 3096 wrote to memory of 4004	3096	msedge.exe	msedge.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://github.com/verity0001/NeuronX
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3096
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff90bc646f8,0x7ff90bc64708,0x7ff90bc64718
  2⤵
  PID:2200
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2056,17828660753189611452,9066388494204883878,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2064 /prefetch:2
  2⤵
  PID:5060
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2056,17828660753189611452,9066388494204883878,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2192 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4572
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2056,17828660753189611452,9066388494204883878,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2904 /prefetch:8
  2⤵
  PID:4004
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,17828660753189611452,9066388494204883878,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3272 /prefetch:1
  2⤵
  PID:2864
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,17828660753189611452,9066388494204883878,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3280 /prefetch:1
  2⤵
  PID:5100
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2056,17828660753189611452,9066388494204883878,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6012 /prefetch:8
  2⤵
  PID:4652
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2056,17828660753189611452,9066388494204883878,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6012 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2940
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,17828660753189611452,9066388494204883878,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5672 /prefetch:1
  2⤵
  PID:4016
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2056,17828660753189611452,9066388494204883878,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5472 /prefetch:8
  2⤵
  PID:4264
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,17828660753189611452,9066388494204883878,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4796 /prefetch:1
  2⤵
  PID:5064
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2056,17828660753189611452,9066388494204883878,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6160 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1112
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,17828660753189611452,9066388494204883878,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6188 /prefetch:1
  2⤵
  PID:5200
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,17828660753189611452,9066388494204883878,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6524 /prefetch:1
  2⤵
  PID:5260
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,17828660753189611452,9066388494204883878,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6744 /prefetch:1
  2⤵
  PID:3456
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,17828660753189611452,9066388494204883878,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6456 /prefetch:1
  2⤵
  PID:5516
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,17828660753189611452,9066388494204883878,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1784 /prefetch:1
  2⤵
  PID:5648
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,17828660753189611452,9066388494204883878,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6768 /prefetch:1
  2⤵
  PID:5660

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3024

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4488

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5456

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Downloads\NeuronX-main\NeuronX-main\download\NeuronF_V1.1.bat" "
1⤵
PID:5860
- C:\Windows\system32\mode.com
  mode 95,29
  2⤵
  PID:5992
- C:\Windows\system32\chcp.com
  chcp 65001
  2⤵
  PID:6012
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\System\CurrentControlSet\Control\CrashControl" /v "DisplayParameters" /t REG_DWORD /d "1" /f
  2⤵
  PID:6032
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "prompt #$H#$E# & echo on & for %b in (1) do rem"
  2⤵
  PID:6048
- C:\Windows\system32\reg.exe
  Reg.exe add HKCU\CONSOLE /v VirtualTerminalLevel /t REG_DWORD /d 1 /f
  2⤵
  - Modifies registry key
  PID:6064
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\System\CurrentControlSet\Control\CrashControl" /v "DisplayParameters" /t REG_DWORD /d "1" /f
  2⤵
  PID:6080
- C:\Windows\system32\reg.exe
  Reg.exe query "HKU\S-1-5-19\Environment"
  2⤵
  PID:6096
- C:\Windows\system32\reg.exe
  Reg.exe query "HKCU\Software\Neuron" /v "Disclaimer"
  2⤵
  PID:6112
- C:\Windows\system32\mode.com
  mode 95,29
  2⤵
  PID:6128
- C:\Windows\system32\reg.exe
  Reg.exe add "HKCU\Software\Neuron" /v "Disclaimer" /f
  2⤵
  PID:2040
- C:\Windows\system32\reg.exe
  Reg.exe query "HKCU\Software\Neuron" /v "Disclaimer"
  2⤵
  PID:4692
- C:\Windows\system32\mode.com
  mode 95,29
  2⤵
  PID:5452
- C:\Windows\regedit.exe
  Regedit /e "C:\Registrybackup.reg"
  2⤵
  - Checks BIOS information in registry
  - Event Triggered Execution: Netsh Helper DLL
  - Checks processor information in registry
  - Enumerates system info in registry
  - Runs .reg file with regedit
  PID:5480
- C:\Windows\system32\mode.com
  mode 95,29
  2⤵
  PID:3316

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /7
1⤵
PID:4632

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Downloads\NeuronX-main\NeuronX-main\download\NeuronF_V1.1.bat" "
1⤵
PID:4928
- C:\Windows\system32\mode.com
  mode 95,29
  2⤵
  PID:6096
- C:\Windows\system32\chcp.com
  chcp 65001
  2⤵
  PID:2900
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\System\CurrentControlSet\Control\CrashControl" /v "DisplayParameters" /t REG_DWORD /d "1" /f
  2⤵
  PID:1512
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "prompt #$H#$E# & echo on & for %b in (1) do rem"
  2⤵
  PID:4652
- C:\Windows\system32\reg.exe
  Reg.exe add HKCU\CONSOLE /v VirtualTerminalLevel /t REG_DWORD /d 1 /f
  2⤵
  - Modifies registry key
  PID:2936
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\System\CurrentControlSet\Control\CrashControl" /v "DisplayParameters" /t REG_DWORD /d "1" /f
  2⤵
  PID:3092
- C:\Windows\system32\reg.exe
  Reg.exe query "HKU\S-1-5-19\Environment"
  2⤵
  PID:2896
- C:\Windows\system32\reg.exe
  Reg.exe query "HKCU\Software\Neuron" /v "Disclaimer"
  2⤵
  PID:4668
- C:\Windows\system32\mode.com
  mode 95,29
  2⤵
  PID:3724
- C:\Windows\system32\bcdedit.exe
  bcdedit /export "C:\BCDEdit_Backup.bcd"
  2⤵
  - Modifies boot configuration data using bcdedit
  PID:4780
- C:\Windows\system32\mode.com
  mode 95,29
  2⤵
  PID:3764
- C:\Windows\system32\mode.com
  mode 95,29
  2⤵
  PID:4084
- C:\Windows\system32\mode.com
  mode 95,29
  2⤵
  PID:1544
- C:\Windows\system32\findstr.exe
  findstr /v /a:F /R "^$" " P" nul
  2⤵
  PID:3104
- C:\Windows\system32\findstr.exe
  findstr /v /a:F /R "^$" "l" nul
  2⤵
  PID:4452
- C:\Windows\system32\findstr.exe
  findstr /v /a:F /R "^$" "e" nul
  2⤵
  PID:3120
- C:\Windows\system32\findstr.exe
  findstr /v /a:F /R "^$" "a" nul
  2⤵
  PID:6016
- C:\Windows\system32\findstr.exe
  findstr /v /a:F /R "^$" "s" nul
  2⤵
  PID:3924
- C:\Windows\system32\findstr.exe
  findstr /v /a:F /R "^$" "e" nul
  2⤵
  PID:1784
- C:\Windows\system32\findstr.exe
  findstr /v /a:F /R "^$" " w" nul
  2⤵
  PID:5968
- C:\Windows\system32\findstr.exe
  findstr /v /a:F /R "^$" "a" nul
  2⤵
  PID:5532
- C:\Windows\system32\findstr.exe
  findstr /v /a:F /R "^$" "i" nul
  2⤵
  PID:2012
- C:\Windows\system32\findstr.exe
  findstr /v /a:F /R "^$" "t" nul
  2⤵
  PID:3916
- C:\Windows\system32\findstr.exe
  findstr /v /a:F /R "^$" " w" nul
  2⤵
  PID:5576
- C:\Windows\system32\findstr.exe
  findstr /v /a:F /R "^$" "h" nul
  2⤵
  PID:3568
- C:\Windows\system32\findstr.exe
  findstr /v /a:F /R "^$" "i" nul
  2⤵
  PID:4472
- C:\Windows\system32\findstr.exe
  findstr /v /a:F /R "^$" "l" nul
  2⤵
  PID:1528
- C:\Windows\system32\findstr.exe
  findstr /v /a:F /R "^$" "e" nul
  2⤵
  PID:6032
- C:\Windows\system32\findstr.exe
  findstr /v /a:F /R "^$" " w" nul
  2⤵
  PID:5916
- C:\Windows\system32\findstr.exe
  findstr /v /a:F /R "^$" "e" nul
  2⤵
  PID:6076
- C:\Windows\system32\findstr.exe
  findstr /v /a:F /R "^$" " a" nul
  2⤵
  PID:4320
- C:\Windows\system32\findstr.exe
  findstr /v /a:F /R "^$" "r" nul
  2⤵
  PID:1980
- C:\Windows\system32\findstr.exe
  findstr /v /a:F /R "^$" "e" nul
  2⤵
  PID:4196
- C:\Windows\system32\findstr.exe
  findstr /v /a:F /R "^$" " a" nul
  2⤵
  PID:2872
- C:\Windows\system32\findstr.exe
  findstr /v /a:F /R "^$" "p" nul
  2⤵
  PID:4700
- C:\Windows\system32\findstr.exe
  findstr /v /a:F /R "^$" "p" nul
  2⤵
  PID:1700
- C:\Windows\system32\findstr.exe
  findstr /v /a:F /R "^$" "l" nul
  2⤵
  PID:2740
- C:\Windows\system32\findstr.exe
  findstr /v /a:F /R "^$" "y" nul
  2⤵
  PID:5696
- C:\Windows\system32\findstr.exe
  findstr /v /a:F /R "^$" "i" nul
  2⤵
  PID:5664
- C:\Windows\system32\findstr.exe
  findstr /v /a:F /R "^$" "n" nul
  2⤵
  PID:2908
- C:\Windows\system32\findstr.exe
  findstr /v /a:F /R "^$" "g" nul
  2⤵
  PID:1788
- C:\Windows\system32\findstr.exe
  findstr /v /a:F /R "^$" " t" nul
  2⤵
  PID:5920
- C:\Windows\system32\findstr.exe
  findstr /v /a:F /R "^$" "h" nul
  2⤵
  PID:5772
- C:\Windows\system32\findstr.exe
  findstr /v /a:F /R "^$" "e" nul
  2⤵
  PID:5756
- C:\Windows\system32\findstr.exe
  findstr /v /a:F /R "^$" " t" nul
  2⤵
  PID:5252
- C:\Windows\system32\findstr.exe
  findstr /v /a:F /R "^$" "w" nul
  2⤵
  PID:5280
- C:\Windows\system32\findstr.exe
  findstr /v /a:F /R "^$" "e" nul
  2⤵
  PID:5304
- C:\Windows\system32\findstr.exe
  findstr /v /a:F /R "^$" "a" nul
  2⤵
  PID:5376
- C:\Windows\system32\findstr.exe
  findstr /v /a:F /R "^$" "k" nul
  2⤵
  PID:2388
- C:\Windows\system32\findstr.exe
  findstr /v /a:F /R "^$" "s" nul
  2⤵
  PID:3596
- C:\Windows\system32\timeout.exe
  timeout 2
  2⤵
  - Delays execution with timeout.exe
  PID:4556
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile" /v "NoLazyMode" /t REG_DWORD /d "1" /f
  2⤵
  PID:4316
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile" /v "AlwaysOn" /t REG_DWORD /d "1" /f
  2⤵
  PID:6004
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Games" /v "GPU Priority" /t REG_DWORD /d "8" /f
  2⤵
  PID:3876
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Games" /v "Priority" /t REG_DWORD /d "6" /f
  2⤵
  PID:828
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Games" /v "Scheduling Category" /t REG_SZ /d "High" /f
  2⤵
  PID:4560
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Games" /v "SFIO Priority" /t REG_SZ /d "High" /f
  2⤵
  PID:2528
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Games" /v "Latency Sensitive" /t REG_SZ /d "True" /f
  2⤵
  PID:2212
- C:\Windows\system32\mode.com
  mode 95,29
  2⤵
  PID:5996
- C:\Windows\system32\findstr.exe
  findstr /v /a:F /R "^$" " T" nul
  2⤵
  PID:6000
- C:\Windows\system32\findstr.exe
  findstr /v /a:F /R "^$" "w" nul
  2⤵
  PID:4840
- C:\Windows\system32\findstr.exe
  findstr /v /a:F /R "^$" "e" nul
  2⤵
  PID:5984
- C:\Windows\system32\findstr.exe
  findstr /v /a:F /R "^$" "a" nul
  2⤵
  PID:5800
- C:\Windows\system32\findstr.exe
  findstr /v /a:F /R "^$" "k" nul
  2⤵
  PID:3124
- C:\Windows\system32\findstr.exe
  findstr /v /a:F /R "^$" " a" nul
  2⤵
  PID:3252
- C:\Windows\system32\findstr.exe
  findstr /v /a:F /R "^$" "p" nul
  2⤵
  PID:1372
- C:\Windows\system32\findstr.exe
  findstr /v /a:F /R "^$" "p" nul
  2⤵
  PID:2320
- C:\Windows\system32\findstr.exe
  findstr /v /a:F /R "^$" "l" nul
  2⤵
  PID:3532
- C:\Windows\system32\findstr.exe
  findstr /v /a:F /R "^$" "i" nul
  2⤵
  PID:312
- C:\Windows\system32\findstr.exe
  findstr /v /a:F /R "^$" "e" nul
  2⤵
  PID:4764
- C:\Windows\system32\findstr.exe
  findstr /v /a:F /R "^$" "d" nul
  2⤵
  PID:4980
- C:\Windows\system32\findstr.exe
  findstr /v /a:F /R "^$" " s" nul
  2⤵
  PID:5452
- C:\Windows\system32\findstr.exe
  findstr /v /a:F /R "^$" "u" nul
  2⤵
  PID:984
- C:\Windows\system32\findstr.exe
  findstr /v /a:F /R "^$" "c" nul
  2⤵
  PID:5332
- C:\Windows\system32\findstr.exe
  findstr /v /a:F /R "^$" "c" nul
  2⤵
  PID:6112
- C:\Windows\system32\findstr.exe
  findstr /v /a:F /R "^$" "e" nul
  2⤵
  PID:4976
- C:\Windows\system32\findstr.exe
  findstr /v /a:F /R "^$" "s" nul
  2⤵
  PID:5596
- C:\Windows\system32\findstr.exe
  findstr /v /a:F /R "^$" "f" nul
  2⤵
  PID:5436
- C:\Windows\system32\findstr.exe
  findstr /v /a:F /R "^$" "u" nul
  2⤵
  PID:4672
- C:\Windows\system32\findstr.exe
  findstr /v /a:F /R "^$" "l" nul
  2⤵
  PID:720
- C:\Windows\system32\findstr.exe
  findstr /v /a:F /R "^$" "l" nul
  2⤵
  PID:1456
- C:\Windows\system32\findstr.exe
  findstr /v /a:F /R "^$" "y" nul
  2⤵
  PID:5848
- C:\Windows\system32\timeout.exe
  timeout 2
  2⤵
  - Delays execution with timeout.exe
  PID:3560
- C:\Windows\system32\mode.com
  mode 95,29
  2⤵
  PID:3184
- C:\Windows\system32\mode.com
  mode 95,29
  2⤵
  PID:528
- C:\Windows\system32\findstr.exe
  findstr /v /a:F /R "^$" " P" nul
  2⤵
  PID:2956
- C:\Windows\system32\findstr.exe
  findstr /v /a:F /R "^$" "l" nul
  2⤵
  PID:4616
- C:\Windows\system32\findstr.exe
  findstr /v /a:F /R "^$" "e" nul
  2⤵
  PID:5604
- C:\Windows\system32\findstr.exe
  findstr /v /a:F /R "^$" "a" nul
  2⤵
  PID:2900
- C:\Windows\system32\findstr.exe
  findstr /v /a:F /R "^$" "s" nul
  2⤵
  PID:2412
- C:\Windows\system32\findstr.exe
  findstr /v /a:F /R "^$" "e" nul
  2⤵
  PID:3552
- C:\Windows\system32\findstr.exe
  findstr /v /a:F /R "^$" " w" nul
  2⤵
  PID:2876
- C:\Windows\system32\findstr.exe
  findstr /v /a:F /R "^$" "a" nul
  2⤵
  PID:2704
- C:\Windows\system32\findstr.exe
  findstr /v /a:F /R "^$" "i" nul
  2⤵
  PID:4668
- C:\Windows\system32\findstr.exe
  findstr /v /a:F /R "^$" "t" nul
  2⤵
  PID:4828
- C:\Windows\system32\findstr.exe
  findstr /v /a:F /R "^$" " w" nul
  2⤵
  PID:5016
- C:\Windows\system32\findstr.exe
  findstr /v /a:F /R "^$" "h" nul
  2⤵
  PID:5444
- C:\Windows\system32\findstr.exe
  findstr /v /a:F /R "^$" "i" nul
  2⤵
  PID:3396
- C:\Windows\system32\findstr.exe
  findstr /v /a:F /R "^$" "l" nul
  2⤵
  PID:1404
- C:\Windows\system32\findstr.exe
  findstr /v /a:F /R "^$" "e" nul
  2⤵
  PID:5132
- C:\Windows\system32\findstr.exe
  findstr /v /a:F /R "^$" " w" nul
  2⤵
  PID:2628
- C:\Windows\system32\findstr.exe
  findstr /v /a:F /R "^$" "e" nul
  2⤵
  PID:428
- C:\Windows\system32\findstr.exe
  findstr /v /a:F /R "^$" " a" nul
  2⤵
  PID:4452
- C:\Windows\system32\findstr.exe
  findstr /v /a:F /R "^$" "r" nul
  2⤵
  PID:5208
- C:\Windows\system32\findstr.exe
  findstr /v /a:F /R "^$" "e" nul
  2⤵
  PID:5184
- C:\Windows\system32\findstr.exe
  findstr /v /a:F /R "^$" " a" nul
  2⤵
  PID:5000
- C:\Windows\system32\findstr.exe
  findstr /v /a:F /R "^$" "p" nul
  2⤵
  PID:5536
- C:\Windows\system32\findstr.exe
  findstr /v /a:F /R "^$" "p" nul
  2⤵
  PID:5540
- C:\Windows\system32\findstr.exe
  findstr /v /a:F /R "^$" "l" nul
  2⤵
  PID:5356
- C:\Windows\system32\findstr.exe
  findstr /v /a:F /R "^$" "y" nul
  2⤵
  PID:2012
- C:\Windows\system32\findstr.exe
  findstr /v /a:F /R "^$" "i" nul
  2⤵
  PID:4088
- C:\Windows\system32\findstr.exe
  findstr /v /a:F /R "^$" "n" nul
  2⤵
  PID:5644
- C:\Windows\system32\findstr.exe
  findstr /v /a:F /R "^$" "g" nul
  2⤵
  PID:3524
- C:\Windows\system32\findstr.exe
  findstr /v /a:F /R "^$" " t" nul
  2⤵
  PID:1768
- C:\Windows\system32\findstr.exe
  findstr /v /a:F /R "^$" "h" nul
  2⤵
  PID:4472
- C:\Windows\system32\findstr.exe
  findstr /v /a:F /R "^$" "e" nul
  2⤵
  PID:4488
- C:\Windows\system32\findstr.exe
  findstr /v /a:F /R "^$" " t" nul
  2⤵
  PID:6060
- C:\Windows\system32\findstr.exe
  findstr /v /a:F /R "^$" "w" nul
  2⤵
  PID:5940
- C:\Windows\system32\findstr.exe
  findstr /v /a:F /R "^$" "e" nul
  2⤵
  PID:4348
- C:\Windows\system32\findstr.exe
  findstr /v /a:F /R "^$" "a" nul
  2⤵
  PID:6072
- C:\Windows\system32\findstr.exe
  findstr /v /a:F /R "^$" "k" nul
  2⤵
  PID:6068
- C:\Windows\system32\findstr.exe
  findstr /v /a:F /R "^$" "s" nul
  2⤵
  PID:1980
- C:\Windows\system32\reg.exe
  Reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\VisualEffects" /v "VisualFXSetting" /t REG_DWORD /d "3" /f
  2⤵
  PID:3100
- C:\Windows\system32\reg.exe
  Reg.exe add "HKCU\Control Panel\Desktop" /f /v "UserPreferencesMask" /t REG_BINARY /d "9012078012000000"
  2⤵
  PID:4252
- C:\Windows\system32\reg.exe
  Reg.exe add "HKCU\Control Panel\Desktop" /v "DragFullWindows" /t REG_SZ /d "1" /f
  2⤵
  PID:1676
- C:\Windows\system32\reg.exe
  Reg.exe add "HKCU\Control Panel\Desktop" /v "FontSmoothing" /t REG_SZ /d "2" /f
  2⤵
  PID:1896
- C:\Windows\system32\reg.exe
  Reg.exe add "HKCU\Control Panel\Desktop\WindowMetrics" /v "MinAnimate" /t REG_SZ /d "0" /f
  2⤵
  PID:3492
- C:\Windows\system32\reg.exe
  Reg.exe add "HKCU\Software\Microsoft\Windows\DWM" /v "AlwaysHibernateThumbnails" /t REG_DWORD /d "0" /f
  2⤵
  PID:4700
- C:\Windows\system32\reg.exe
  Reg.exe add "HKCU\Software\Microsoft\Windows\DWM" /v "ListviewShadow" /t REG_DWORD /d "0" /f
  2⤵
  PID:5168
- C:\Windows\system32\reg.exe
  Reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "IconsOnly" /t REG_DWORD /d "0" /f
  2⤵
  PID:3204
- C:\Windows\system32\reg.exe
  Reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "ListviewAlphaSelect" /t REG_DWORD /d "0" /f
  2⤵
  PID:5796
- C:\Windows\system32\reg.exe
  Reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "TaskbarAnimations" /t REG_DWORD /d "0" /f
  2⤵
  PID:5684
- C:\Windows\system32\reg.exe
  Reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "ListviewShadow" /t REG_DWORD /d "0" /f
  2⤵
  PID:5696
- C:\Windows\system32\reg.exe
  Reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\Themes\Personalize" /v "EnableTransparency" /t REG_DWORD /d "0" /f
  2⤵
  PID:3324
- C:\Windows\system32\mode.com
  mode 95,29
  2⤵
  PID:3220
- C:\Windows\system32\findstr.exe
  findstr /v /a:F /R "^$" " T" nul
  2⤵
  PID:1788
- C:\Windows\system32\findstr.exe
  findstr /v /a:F /R "^$" "w" nul
  2⤵
  PID:5688
- C:\Windows\system32\findstr.exe
  findstr /v /a:F /R "^$" "e" nul
  2⤵
  PID:5548
- C:\Windows\system32\findstr.exe
  findstr /v /a:F /R "^$" "a" nul
  2⤵
  PID:5376
- C:\Windows\system32\findstr.exe
  findstr /v /a:F /R "^$" "k" nul
  2⤵
  PID:2760
- C:\Windows\system32\findstr.exe
  findstr /v /a:F /R "^$" " a" nul
  2⤵
  PID:2188
- C:\Windows\system32\findstr.exe
  findstr /v /a:F /R "^$" "p" nul
  2⤵
  PID:5360
- C:\Windows\system32\findstr.exe
  findstr /v /a:F /R "^$" "p" nul
  2⤵
  PID:1664
- C:\Windows\system32\findstr.exe
  findstr /v /a:F /R "^$" "l" nul
  2⤵
  PID:1532
- C:\Windows\system32\findstr.exe
  findstr /v /a:F /R "^$" "i" nul
  2⤵
  PID:4572
- C:\Windows\system32\findstr.exe
  findstr /v /a:F /R "^$" "e" nul
  2⤵
  PID:4900
- C:\Windows\system32\findstr.exe
  findstr /v /a:F /R "^$" "d" nul
  2⤵
  PID:4316
- C:\Windows\system32\findstr.exe
  findstr /v /a:F /R "^$" " s" nul
  2⤵
  PID:4556
- C:\Windows\system32\findstr.exe
  findstr /v /a:F /R "^$" "u" nul
  2⤵
  PID:2084
- C:\Windows\system32\findstr.exe
  findstr /v /a:F /R "^$" "c" nul
  2⤵
  PID:1156
- C:\Windows\system32\findstr.exe
  findstr /v /a:F /R "^$" "c" nul
  2⤵
  PID:1736
- C:\Windows\system32\findstr.exe
  findstr /v /a:F /R "^$" "e" nul
  2⤵
  PID:2212
- C:\Windows\system32\findstr.exe
  findstr /v /a:F /R "^$" "s" nul
  2⤵
  PID:1536
- C:\Windows\system32\findstr.exe
  findstr /v /a:F /R "^$" "f" nul
  2⤵
  PID:4872
- C:\Windows\system32\findstr.exe
  findstr /v /a:F /R "^$" "u" nul
  2⤵
  PID:924
- C:\Windows\system32\findstr.exe
  findstr /v /a:F /R "^$" "l" nul
  2⤵
  PID:4768
- C:\Windows\system32\findstr.exe
  findstr /v /a:F /R "^$" "l" nul
  2⤵
  PID:5964
- C:\Windows\system32\findstr.exe
  findstr /v /a:F /R "^$" "y" nul
  2⤵
  PID:5524
- C:\Windows\system32\timeout.exe
  timeout 2
  2⤵
  - Delays execution with timeout.exe
  PID:5792
- C:\Windows\system32\mode.com
  mode 95,29
  2⤵
  PID:1724
- C:\Windows\system32\mode.com
  mode 95,29
  2⤵
  PID:1432
- C:\Windows\system32\findstr.exe
  findstr /v /a:F /R "^$" " P" nul
  2⤵
  PID:5160
- C:\Windows\system32\findstr.exe
  findstr /v /a:F /R "^$" "l" nul
  2⤵
  PID:1520
- C:\Windows\system32\findstr.exe
  findstr /v /a:F /R "^$" "e" nul
  2⤵
  PID:1868
- C:\Windows\system32\findstr.exe
  findstr /v /a:F /R "^$" "a" nul
  2⤵
  PID:5544
- C:\Windows\system32\findstr.exe
  findstr /v /a:F /R "^$" "s" nul
  2⤵
  PID:4764
- C:\Windows\system32\findstr.exe
  findstr /v /a:F /R "^$" "e" nul
  2⤵
  PID:4980
- C:\Windows\system32\findstr.exe
  findstr /v /a:F /R "^$" " w" nul
  2⤵
  PID:5452
- C:\Windows\system32\findstr.exe
  findstr /v /a:F /R "^$" "a" nul
  2⤵
  PID:2024
- C:\Windows\system32\findstr.exe
  findstr /v /a:F /R "^$" "i" nul
  2⤵
  PID:5340
- C:\Windows\system32\findstr.exe
  findstr /v /a:F /R "^$" "t" nul
  2⤵
  PID:4220
- C:\Windows\system32\findstr.exe
  findstr /v /a:F /R "^$" " w" nul
  2⤵
  PID:2812
- C:\Windows\system32\findstr.exe
  findstr /v /a:F /R "^$" "h" nul
  2⤵
  PID:2128
- C:\Windows\system32\findstr.exe
  findstr /v /a:F /R "^$" "i" nul
  2⤵
  PID:544
- C:\Windows\system32\findstr.exe
  findstr /v /a:F /R "^$" "l" nul
  2⤵
  PID:5068
- C:\Windows\system32\findstr.exe
  findstr /v /a:F /R "^$" "e" nul
  2⤵
  PID:5116
- C:\Windows\system32\findstr.exe
  findstr /v /a:F /R "^$" " w" nul
  2⤵
  PID:3772
- C:\Windows\system32\findstr.exe
  findstr /v /a:F /R "^$" "e" nul
  2⤵
  PID:2356
- C:\Windows\system32\findstr.exe
  findstr /v /a:F /R "^$" " a" nul
  2⤵
  PID:2540
- C:\Windows\system32\findstr.exe
  findstr /v /a:F /R "^$" "r" nul
  2⤵
  PID:4468
- C:\Windows\system32\findstr.exe
  findstr /v /a:F /R "^$" "e" nul
  2⤵
  PID:5104
- C:\Windows\system32\findstr.exe
  findstr /v /a:F /R "^$" " a" nul
  2⤵
  PID:3560
- C:\Windows\system32\findstr.exe
  findstr /v /a:F /R "^$" "p" nul
  2⤵
  PID:4392
- C:\Windows\system32\findstr.exe
  findstr /v /a:F /R "^$" "p" nul
  2⤵
  PID:3608
- C:\Windows\system32\findstr.exe
  findstr /v /a:F /R "^$" "l" nul
  2⤵
  PID:6096
- C:\Windows\system32\findstr.exe
  findstr /v /a:F /R "^$" "y" nul
  2⤵
  PID:5172
- C:\Windows\system32\findstr.exe
  findstr /v /a:F /R "^$" "i" nul
  2⤵
  PID:4916
- C:\Windows\system32\findstr.exe
  findstr /v /a:F /R "^$" "n" nul
  2⤵
  PID:5496
- C:\Windows\system32\findstr.exe
  findstr /v /a:F /R "^$" "g" nul
  2⤵
  PID:3092
- C:\Windows\system32\findstr.exe
  findstr /v /a:F /R "^$" " t" nul
  2⤵
  PID:2896
- C:\Windows\system32\findstr.exe
  findstr /v /a:F /R "^$" "h" nul
  2⤵
  PID:2884
- C:\Windows\system32\findstr.exe
  findstr /v /a:F /R "^$" "e" nul
  2⤵
  PID:224
- C:\Windows\system32\findstr.exe
  findstr /v /a:F /R "^$" " t" nul
  2⤵
  PID:4148
- C:\Windows\system32\findstr.exe
  findstr /v /a:F /R "^$" "w" nul
  2⤵
  PID:3720
- C:\Windows\system32\findstr.exe
  findstr /v /a:F /R "^$" "e" nul
  2⤵
  PID:6120
- C:\Windows\system32\findstr.exe
  findstr /v /a:F /R "^$" "a" nul
  2⤵
  PID:4584
- C:\Windows\system32\findstr.exe
  findstr /v /a:F /R "^$" "k" nul
  2⤵
  PID:4552
- C:\Windows\system32\findstr.exe
  findstr /v /a:F /R "^$" "s" nul
  2⤵
  PID:3420
- C:\Windows\system32\bcdedit.exe
  bcdedit /set {globalsettings} custom:16000067 true
  2⤵
  - Modifies boot configuration data using bcdedit
  PID:1108
- C:\Windows\system32\bcdedit.exe
  bcdedit /set {globalsettings} custom:16000068 true
  2⤵
  - Modifies boot configuration data using bcdedit
  PID:1392
- C:\Windows\system32\bcdedit.exe
  bcdedit /set {globalsettings} custom:16000069 true
  2⤵
  - Modifies boot configuration data using bcdedit
  PID:428
- C:\Windows\system32\bcdedit.exe
  bcdedit /set allowedinmemorysettings 0x0
  2⤵
  - Modifies boot configuration data using bcdedit
  PID:3768
- C:\Windows\system32\bcdedit.exe
  bcdedit /set firstmegabytepolicy UseAll
  2⤵
  - Modifies boot configuration data using bcdedit
  PID:6016
- C:\Windows\system32\bcdedit.exe
  bcdedit /set configaccesspolicy Default
  2⤵
  - Modifies boot configuration data using bcdedit
  PID:1864
- C:\Windows\system32\bcdedit.exe
  bcdedit /set usephysicaldestination No
  2⤵
  - Modifies boot configuration data using bcdedit
  PID:4052
- C:\Windows\system32\bcdedit.exe
  bcdedit /set usefirmwarepcisettings No
  2⤵
  - Modifies boot configuration data using bcdedit
  PID:5128
- C:\Windows\system32\bcdedit.exe
  bcdedit /set hypervisorlaunchtype off
  2⤵
  - Modifies boot configuration data using bcdedit
  PID:5976
- C:\Windows\system32\bcdedit.exe
  bcdedit /set increaseuserva 268435328
  2⤵
  - Modifies boot configuration data using bcdedit
  PID:1628
- C:\Windows\system32\bcdedit.exe
  bcdedit /set avoidlowmemory 0x8000000
  2⤵
  - Modifies boot configuration data using bcdedit
  PID:3240
- C:\Windows\system32\bcdedit.exe
  bcdedit /set linearaddress57 OptOut
  2⤵
  - Modifies boot configuration data using bcdedit
  PID:5640
- C:\Windows\system32\bcdedit.exe
  bcdedit /set tscsyncpolicy Enhanced
  2⤵
  - Modifies boot configuration data using bcdedit
  PID:5528
- C:\Windows\system32\bcdedit.exe
  bcdedit /set disableelamdrivers Yes
  2⤵
  - Modifies boot configuration data using bcdedit
  PID:5028
- C:\Windows\system32\bcdedit.exe
  bcdedit /set bootmenupolicy Legacy
  2⤵
  - Modifies boot configuration data using bcdedit
  PID:4924
- C:\Windows\system32\bcdedit.exe
  bcdedit /set uselegacyapicmode No
  2⤵
  - Modifies boot configuration data using bcdedit
  PID:4588
- C:\Windows\system32\bcdedit.exe
  bcdedit /set x2apicpolicy Enable
  2⤵
  - Modifies boot configuration data using bcdedit
  PID:5560
- C:\Windows\system32\bcdedit.exe
  bcdedit /set isolatedcontext No
  2⤵
  - Modifies boot configuration data using bcdedit
  PID:5112
- C:\Windows\system32\bcdedit.exe
  bcdedit /set vsmlaunchtype Off
  2⤵
  - Modifies boot configuration data using bcdedit
  PID:4088
- C:\Windows\system32\bcdedit.exe
  bcdedit /set bootux disabled
  2⤵
  - Modifies boot configuration data using bcdedit
  PID:1744
- C:\Windows\system32\bcdedit.exe
  bcdedit /set quietboot yes
  2⤵
  - Modifies boot configuration data using bcdedit
  PID:1600
- C:\Windows\system32\bcdedit.exe
  bcdedit /set nolowmem Yes
  2⤵
  - Modifies boot configuration data using bcdedit
  PID:1248
- C:\Windows\system32\bcdedit.exe
  bcdedit /set MSI Default
  2⤵
  - Modifies boot configuration data using bcdedit
  PID:3716
- C:\Windows\system32\bcdedit.exe
  bcdedit /set vm No
  2⤵
  - Modifies boot configuration data using bcdedit
  PID:4472
- C:\Windows\system32\bcdedit.exe
  bcdedit /timeout 0
  2⤵
  - Modifies boot configuration data using bcdedit
  PID:4160
- C:\Windows\system32\bcdedit.exe
  bcdedit /set {current} numproc 2
  2⤵
  - Modifies boot configuration data using bcdedit
  PID:6056
- C:\Windows\system32\bcdedit.exe
  bcdedit /set nx optout
  2⤵
  - Modifies boot configuration data using bcdedit
  PID:5916
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\System\CurrentControlSet\Services\IntelPPM" /v Start /t REG_DWORD /d 3 /f
  2⤵
  PID:4540
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\System\CurrentControlSet\Services\AmdPPM" /v Start /t REG_DWORD /d 3 /f
  2⤵
  PID:4348
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\System\CurrentControlSet\Control\Session Manager\kernel" /v "DistributeTimers" /t REG_DWORD /d "1" /f
  2⤵
  PID:1376
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\Software\Microsoft\Windows\CurrentVersion\Reliability" /v "TimeStampInterval" /t REG_DWORD /d "1" /f
  2⤵
  PID:3980
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\Software\Microsoft\Windows\CurrentVersion\Reliability" /v "IoPriority" /t REG_DWORD /d "3" /f
  2⤵
  PID:5124
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\System\CurrentControlSet\Control\PriorityControl" /v "Win32PrioritySeparation" /t REG_DWORD /d "38" /f
  2⤵
  PID:3012
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ntoskrnl.exe\PerfOptions" /v "CpuPriorityClass" /t REG_DWORD /d "4" /f
  2⤵
  PID:2636
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ntoskrnl.exe\PerfOptions" /v "IoPriority" /t REG_DWORD /d "3" /f
  2⤵
  PID:6080
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SearchIndexer.exe\PerfOptions" /v "CpuPriorityClass" /t REG_DWORD /d "1" /f
  2⤵
  PID:3492
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SearchIndexer.exe\PerfOptions" /v "IoPriority" /t REG_DWORD /d "0" /f
  2⤵
  PID:4700
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\svchost.exe\PerfOptions" /v "CpuPriorityClass" /t REG_DWORD /d "1" /f
  2⤵
  PID:5168
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\TrustedInstaller.exe\PerfOptions" /v "CpuPriorityClass" /t REG_DWORD /d "1" /f
  2⤵
  PID:3204
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\TrustedInstaller.exe\PerfOptions" /v "IoPriority" /t REG_DWORD /d "0" /f
  2⤵
  PID:5936
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\dwm.exe\PerfOptions" /v "CpuPriorityClass" /t REG_DWORD /d "4" /f
  2⤵
  PID:5944
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\dwm.exe\PerfOptions" /v "IoPriority" /t REG_DWORD /d "3" /f
  2⤵
  PID:5664
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\lsass.exe\PerfOptions" /v "CpuPriorityClass" /t REG_DWORD /d "1" /f
  2⤵
  PID:5720
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\lsass.exe\PerfOptions" /v "IoPriority" /t REG_DWORD /d "0" /f
  2⤵
  PID:1028
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\lsass.exe\PerfOptions" /v "PagePriority" /t REG_DWORD /d "0" /f
  2⤵
  PID:1788
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wuauclt.exe\PerfOptions" /v "CpuPriorityClass" /t REG_DWORD /d "1" /f
  2⤵
  PID:4404
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wuauclt.exe\PerfOptions" /v "IoPriority" /t REG_DWORD /d "0" /f
  2⤵
  PID:4664
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\audiodg.exe\PerfOptions" /v "CpuPriorityClass" /t REG_DWORD /d "2" /f
  2⤵
  PID:5688
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ntoskrnl.exe\PerfOptions" /v "CpuPriorityClass" /t REG_DWORD /d "4" /f
  2⤵
  PID:4776
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ntoskrnl.exe\PerfOptions" /v "IoPriority" /t REG_DWORD /d "3" /f
  2⤵
  PID:2332
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SearchIndexer.exe\PerfOptions" /v "CpuPriorityClass" /t REG_DWORD /d "1" /f
  2⤵
  PID:2388
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\audiodg.exe\PerfOptions" /v "CpuPriorityClass" /t REG_DWORD /d "2" /f
  2⤵
  PID:1588
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\dwm.exe\PerfOptions" /v "CpuPriorityClass" /t REG_DWORD /d "4" /f
  2⤵
  PID:2188
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\dwm.exe\PerfOptions" /v "IoPriority" /t REG_DWORD /d "3" /f
  2⤵
  PID:4344
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\lsass.exe\PerfOptions" /v "CpuPriorityClass" /t REG_DWORD /d "1" /f
  2⤵
  PID:1292
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\lsass.exe\PerfOptions" /v "IoPriority" /t REG_DWORD /d "0" /f
  2⤵
  PID:1560
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\lsass.exe\PerfOptions" /v "PagePriority" /t REG_DWORD /d "0" /f
  2⤵
  PID:1328
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SearchIndexer.exe\PerfOptions" /v "IoPriority" /t REG_DWORD /d "0" /f
  2⤵
  PID:4572
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\svchost.exe\PerfOptions" /v "CpuPriorityClass" /t REG_DWORD /d "1" /f
  2⤵
  PID:2276
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\TrustedInstaller.exe\PerfOptions" /v "CpuPriorityClass" /t REG_DWORD /d "1" /f
  2⤵
  PID:2268
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\TrustedInstaller.exe\PerfOptions" /v "IoPriority" /t REG_DWORD /d "0" /f
  2⤵
  PID:4988
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wuauclt.exe\PerfOptions" /v "CpuPriorityClass" /t REG_DWORD /d "1" /f
  2⤵
  PID:3876
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wuauclt.exe\PerfOptions" /v "IoPriority" /t REG_DWORD /d "0" /f
  2⤵
  PID:2084
- C:\Windows\system32\mode.com
  mode 95,29
  2⤵
  PID:4496
- C:\Windows\system32\findstr.exe
  findstr /v /a:F /R "^$" " T" nul
  2⤵
  PID:1736
- C:\Windows\system32\findstr.exe
  findstr /v /a:F /R "^$" "w" nul
  2⤵
  PID:2212
- C:\Windows\system32\findstr.exe
  findstr /v /a:F /R "^$" "e" nul
  2⤵
  PID:1536
- C:\Windows\system32\findstr.exe
  findstr /v /a:F /R "^$" "a" nul
  2⤵
  PID:4872
- C:\Windows\system32\findstr.exe
  findstr /v /a:F /R "^$" "k" nul
  2⤵
  PID:924
- C:\Windows\system32\findstr.exe
  findstr /v /a:F /R "^$" " a" nul
  2⤵
  PID:4768
- C:\Windows\system32\findstr.exe
  findstr /v /a:F /R "^$" "p" nul
  2⤵
  PID:5964
- C:\Windows\system32\findstr.exe
  findstr /v /a:F /R "^$" "p" nul
  2⤵
  PID:5524
- C:\Windows\system32\findstr.exe
  findstr /v /a:F /R "^$" "l" nul
  2⤵
  PID:3564
- C:\Windows\system32\findstr.exe
  findstr /v /a:F /R "^$" "i" nul
  2⤵
  PID:2824
- C:\Windows\system32\findstr.exe
  findstr /v /a:F /R "^$" "e" nul
  2⤵
  PID:5580
- C:\Windows\system32\findstr.exe
  findstr /v /a:F /R "^$" "d" nul
  2⤵
  PID:1724
- C:\Windows\system32\findstr.exe
  findstr /v /a:F /R "^$" " s" nul
  2⤵
  PID:4364
- C:\Windows\system32\findstr.exe
  findstr /v /a:F /R "^$" "u" nul
  2⤵
  PID:5768
- C:\Windows\system32\findstr.exe
  findstr /v /a:F /R "^$" "c" nul
  2⤵
  PID:5804
- C:\Windows\system32\findstr.exe
  findstr /v /a:F /R "^$" "c" nul
  2⤵
  PID:232
- C:\Windows\system32\findstr.exe
  findstr /v /a:F /R "^$" "e" nul
  2⤵
  PID:4024
- C:\Windows\system32\findstr.exe
  findstr /v /a:F /R "^$" "s" nul
  2⤵
  PID:5504
- C:\Windows\system32\findstr.exe
  findstr /v /a:F /R "^$" "f" nul
  2⤵
  PID:396
- C:\Windows\system32\findstr.exe
  findstr /v /a:F /R "^$" "u" nul
  2⤵
  PID:5732
- C:\Windows\system32\findstr.exe
  findstr /v /a:F /R "^$" "l" nul
  2⤵
  PID:5448
- C:\Windows\system32\findstr.exe
  findstr /v /a:F /R "^$" "l" nul
  2⤵
  PID:5836
- C:\Windows\system32\findstr.exe
  findstr /v /a:F /R "^$" "y" nul
  2⤵
  PID:984
- C:\Windows\system32\timeout.exe
  timeout 2
  2⤵
  - Delays execution with timeout.exe
  PID:3424
- C:\Windows\system32\mode.com
  mode 95,29
  2⤵
  PID:5596
- C:\Windows\system32\mode.com
  mode 95,29
  2⤵
  PID:5116
- C:\Windows\system32\findstr.exe
  findstr /v /a:F /R "^$" " P" nul
  2⤵
  PID:3772
- C:\Windows\system32\findstr.exe
  findstr /v /a:F /R "^$" "l" nul
  2⤵
  PID:2356
- C:\Windows\system32\findstr.exe
  findstr /v /a:F /R "^$" "e" nul
  2⤵
  PID:2540
- C:\Windows\system32\findstr.exe
  findstr /v /a:F /R "^$" "a" nul
  2⤵
  PID:4468
- C:\Windows\system32\findstr.exe
  findstr /v /a:F /R "^$" "s" nul
  2⤵
  PID:3468
- C:\Windows\system32\findstr.exe
  findstr /v /a:F /R "^$" "e" nul
  2⤵
  PID:1388
- C:\Windows\system32\findstr.exe
  findstr /v /a:F /R "^$" " w" nul
  2⤵
  PID:528
- C:\Windows\system32\findstr.exe
  findstr /v /a:F /R "^$" "a" nul
  2⤵
  PID:4616
- C:\Windows\system32\findstr.exe
  findstr /v /a:F /R "^$" "i" nul
  2⤵
  PID:5140
- C:\Windows\system32\findstr.exe
  findstr /v /a:F /R "^$" "t" nul
  2⤵
  PID:2672
- C:\Windows\system32\findstr.exe
  findstr /v /a:F /R "^$" " w" nul
  2⤵
  PID:968
- C:\Windows\system32\findstr.exe
  findstr /v /a:F /R "^$" "h" nul
  2⤵
  PID:4640
- C:\Windows\system32\findstr.exe
  findstr /v /a:F /R "^$" "i" nul
  2⤵
  PID:5636
- C:\Windows\system32\findstr.exe
  findstr /v /a:F /R "^$" "l" nul
  2⤵
  PID:1932
- C:\Windows\system32\findstr.exe
  findstr /v /a:F /R "^$" "e" nul
  2⤵
  PID:4772
- C:\Windows\system32\findstr.exe
  findstr /v /a:F /R "^$" " w" nul
  2⤵
  PID:2704
- C:\Windows\system32\findstr.exe
  findstr /v /a:F /R "^$" "e" nul
  2⤵
  PID:4780
- C:\Windows\system32\findstr.exe
  findstr /v /a:F /R "^$" " a" nul
  2⤵
  PID:5044
- C:\Windows\system32\findstr.exe
  findstr /v /a:F /R "^$" "r" nul
  2⤵
  PID:2860
- C:\Windows\system32\findstr.exe
  findstr /v /a:F /R "^$" "e" nul
  2⤵
  PID:4584
- C:\Windows\system32\findstr.exe
  findstr /v /a:F /R "^$" " a" nul
  2⤵
  PID:4552
- C:\Windows\system32\findstr.exe
  findstr /v /a:F /R "^$" "p" nul
  2⤵
  PID:3420
- C:\Windows\system32\findstr.exe
  findstr /v /a:F /R "^$" "p" nul
  2⤵
  PID:1108
- C:\Windows\system32\findstr.exe
  findstr /v /a:F /R "^$" "l" nul
  2⤵
  PID:5388
- C:\Windows\system32\findstr.exe
  findstr /v /a:F /R "^$" "y" nul
  2⤵
  PID:3768
- C:\Windows\system32\findstr.exe
  findstr /v /a:F /R "^$" "i" nul
  2⤵
  PID:2008
- C:\Windows\system32\findstr.exe
  findstr /v /a:F /R "^$" "n" nul
  2⤵
  PID:3516
- C:\Windows\system32\findstr.exe
  findstr /v /a:F /R "^$" "g" nul
  2⤵
  PID:5992
- C:\Windows\system32\findstr.exe
  findstr /v /a:F /R "^$" " t" nul
  2⤵
  PID:5976
- C:\Windows\system32\findstr.exe
  findstr /v /a:F /R "^$" "h" nul
  2⤵
  PID:1984
- C:\Windows\system32\findstr.exe
  findstr /v /a:F /R "^$" "e" nul
  2⤵
  PID:3456
- C:\Windows\system32\findstr.exe
  findstr /v /a:F /R "^$" " t" nul
  2⤵
  PID:4108
- C:\Windows\system32\findstr.exe
  findstr /v /a:F /R "^$" "w" nul
  2⤵
  PID:5028
- C:\Windows\system32\findstr.exe
  findstr /v /a:F /R "^$" "e" nul
  2⤵
  PID:1848
- C:\Windows\system32\findstr.exe
  findstr /v /a:F /R "^$" "a" nul
  2⤵
  PID:2012
- C:\Windows\system32\findstr.exe
  findstr /v /a:F /R "^$" "k" nul
  2⤵
  PID:5112
- C:\Windows\system32\findstr.exe
  findstr /v /a:F /R "^$" "s" nul
  2⤵
  PID:5644
- C:\Windows\system32\chcp.com
  chcp 852
  2⤵
  PID:3548
- C:\Windows\system32\netsh.exe
  netsh advfirewall firewall add rule name="Block Windows Telemetry" dir=in action=block remoteip=134.170.30.202,137.116.81.24,157.56.106.189,184.86.53.99,2.22.61.43,2.22.61.66,204.79.197.200,23.218.212.69,65.39.117.23,65.55.108.23,64.4.54.254 enable=yes
  2⤵
  - Modifies Windows Firewall
  PID:1768
- C:\Windows\system32\netsh.exe
  netsh advfirewall firewall add rule name="Block NVIDIA Telemetry" dir=in action=block remoteip=8.36.80.197,8.36.80.224,8.36.80.252,8.36.113.118,8.36.113.141,8.36.80.230,8.36.80.231,8.36.113.126,8.36.80.195,8.36.80.217,8.36.80.237,8.36.80.246,8.36.113.116,8.36.113.139,8.36.80.244,216.228.121.209 enable=yes
  2⤵
  - Modifies Windows Firewall
  PID:4488
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\Software\Microsoft\Input\TIPC" /v "Enabled" /t REG_DWORD /d 0 /f
  2⤵
  PID:4348
- C:\Windows\system32\reg.exe
  Reg.exe add "HKCU\Software\Microsoft\Input\TIPC" /v "Enabled" /t REG_DWORD /d 0 /f
  2⤵
  PID:1376
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\Software\Policies\Microsoft\Windows\System" /v "EnableActivityFeed" /d "0" /t REG_DWORD /f
  2⤵
  PID:3980
- C:\Windows\system32\reg.exe
  Reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "SubscribedContent-338393Enabled" /t REG_DWORD /d "0" /f
  2⤵
  PID:4196
- C:\Windows\system32\reg.exe
  Reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "SubscribedContent-353694Enabled" /t REG_DWORD /d "0" /f
  2⤵
  PID:2404
- C:\Windows\system32\reg.exe
  Reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "SubscribedContent-353696Enabled" /t REG_DWORD /d "0" /f
  2⤵
  PID:3308
- C:\Windows\system32\reg.exe
  Reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "SubscribedContent-338387Enabled" /t REG_DWORD /d "0" /f
  2⤵
  PID:2636
- C:\Windows\system32\reg.exe
  Reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "SubscribedContent-338389Enabled" /t REG_DWORD /d "0" /f
  2⤵
  PID:6080
- C:\Windows\system32\reg.exe
  Reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "SubscribedContent-310093Enabled" /t REG_DWORD /d "0" /f
  2⤵
  PID:3492
- C:\Windows\system32\reg.exe
  Reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "SubscribedContent-338388Enabled" /t REG_DWORD /d "0" /f
  2⤵
  PID:4700
- C:\Windows\system32\reg.exe
  Reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "SubscribedContent-314563Enabled" /t REG_DWORD /d "0" /f
  2⤵
  PID:5168
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\Software\Policies\Microsoft\Windows\DataCollection" /v "AllowTelemetry" /t REG_DWORD /d "0" /f
  2⤵
  PID:3204
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\Software\Policies\Microsoft\Windows\DataCollection" /v "AllowDeviceNameInTelemetry" /t REG_DWORD /d "0" /f
  2⤵
  PID:5936
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\Software\Policies\Microsoft\Windows\AppCompat" /V AITEnable /T REG_DWORD /d 0 /f
  2⤵
  PID:5944
- C:\Windows\system32\reg.exe
  Reg.exe add "HKCU\Software\Microsoft\Speech_OneCore\Settings\OnlineSpeechPrivacy" /v "HasAccepted" /t REG_DWORD /d "0" /f
  2⤵
  PID:832
- C:\Windows\system32\reg.exe
  Reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\Search" /v "CortanaEnabled" /t REG_DWORD /d "0" /f
  2⤵
  PID:5784
- C:\Windows\system32\reg.exe
  Reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\Search" /v "BingSearchEnabled" /t REG_DWORD /d "0" /f
  2⤵
  PID:2740
- C:\Windows\system32\reg.exe
  Reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\Search" /v "CortanaConsent" /t REG_DWORD /d "0" /f
  2⤵
  PID:3160
- C:\Windows\system32\reg.exe
  Reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\Search" /v "BackgroundAppGlobalToggle" /t REG_DWORD /d "0" /f
  2⤵
  PID:5852
- C:\Windows\system32\reg.exe
  Reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\AdvertisingInfo" /v "Enabled" /t REG_DWORD /d "0" /f
  2⤵
  PID:5256
- C:\Windows\system32\reg.exe
  Reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "Start_TrackProgs" /t REG_DWORD /d "0" /f
  2⤵
  PID:5760
- C:\Windows\system32\reg.exe
  Reg.exe add "HKCU\Software\Microsoft\Personalization\Settings" /v "AcceptedPrivacyPolicy" /t REG_DWORD /d "0" /f
  2⤵
  PID:5704
- C:\Windows\system32\reg.exe
  Reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\SettingSync\Groups\Language" /v "SettingsVersion" /t REG_DWORD /d "3" /f
  2⤵
  PID:644
- C:\Windows\system32\reg.exe
  Reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\SettingSync\Groups\Language" /v "Enabled" /t REG_DWORD /d "0" /f
  2⤵
  PID:4836
- C:\Windows\system32\reg.exe
  Reg.exe add "HKCU\Software\Microsoft\InputPersonalization" /v "RestrictImplicitInkCollection" /t REG_DWORD /d "1" /f
  2⤵
  PID:4844
- C:\Windows\system32\reg.exe
  Reg.exe add "HKCU\Software\Microsoft\InputPersonalization" /v "RestrictImplicitTextCollection" /t REG_DWORD /d "1" /f
  2⤵
  PID:3596
- C:\Windows\system32\reg.exe
  Reg.exe add "HKCU\Software\Microsoft\InputPersonalization\TrainedDataStore" /v "HarvestContacts" /t REG_DWORD /d "0" /f
  2⤵
  PID:4648
- C:\Windows\system32\reg.exe
  Reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\Diagnostics\DiagTrack" /v "ShowedToastAtLevel" /t REG_DWORD /d "1" /f
  2⤵
  PID:6128
- C:\Windows\system32\reg.exe
  Reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\Privacy" /v "TailoredExperiencesWithDiagnosticDataEnabled" /t REG_DWORD /d "0" /f
  2⤵
  PID:1664
- C:\Windows\system32\reg.exe
  Reg.exe add "HKCU\Software\Microsoft\Siuf\Rules" /v "NumberOfSIUFInPeriod" /t REG_DWORD /d "0" /f
  2⤵
  PID:1532
- C:\Windows\system32\reg.exe
  Reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\radios" /v "Value" /t REG_SZ /d "Deny" /f
  2⤵
  PID:3652
- C:\Windows\system32\reg.exe
  Reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\webcam" /v "Value" /t REG_SZ /d "Deny" /f
  2⤵
  PID:4868
- C:\Windows\system32\reg.exe
  Reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\bluetoothSync" /v "Value" /t REG_SZ /d "Deny" /f
  2⤵
  PID:5196
- C:\Windows\system32\reg.exe
  Reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "HideFileExt" /t REG_DWORD /d "0" /f
  2⤵
  PID:4316
- C:\Windows\system32\reg.exe
  Reg.exe add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\AccessibilityTemp" /v "narrator" /t REG_DWORD /d "0" /f
  2⤵
  PID:4004
- C:\Windows\system32\reg.exe
  Reg.exe add "HKCU\Software\Microsoft\Narrator\NoRoam" /v "RunningState" /t REG_DWORD /d "0" /f
  2⤵
  PID:5100
- C:\Windows\system32\reg.exe
  Reg.exe add "HKCU\Software\Microsoft\TabletTip\1.7" /v "EnableAutocorrection" /t REG_DWORD /d "0" /f
  2⤵
  PID:4560
- C:\Windows\system32\reg.exe
  Reg.exe add "HKCU\Software\Microsoft\TabletTip\1.7" /v "EnableSpellchecking" /t REG_DWORD /d "0" /f
  2⤵
  PID:3036
- C:\Windows\system32\reg.exe
  Reg.exe add "HKCU\Software\Microsoft\TabletTip\1.7" /v "EnableTextPrediction" /t REG_DWORD /d "0" /f
  2⤵
  PID:2940
- C:\Windows\system32\reg.exe
  Reg.exe add "HKCU\Software\Microsoft\TabletTip\1.7" /v "EnablePredictionSpaceInsertion" /t REG_DWORD /d "0" /f
  2⤵
  PID:2296
- C:\Windows\system32\reg.exe
  Reg.exe add "HKCU\Software\Microsoft\TabletTip\1.7" /v "EnableDoubleTapSpace" /t REG_DWORD /d "0" /f
  2⤵
  PID:2212
- C:\Windows\system32\reg.exe
  Reg.exe add "HKCU\Software\Microsoft\TabletTip\1.7" /v "EnableInkingWithTouch" /t REG_DWORD /d "0" /f
  2⤵
  PID:5996
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\DataCollection" /V "AllowTelemetry" /T REG_DWORD /d 0 /f
  2⤵
  PID:5200
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\Software\Microsoft\Windows\CurrentVersion\Diagnostics\DiagTrack\TraceManager" /v "MiniTraceSlotEnabled" /t REG_DWORD /d "0" /f
  2⤵
  PID:5660
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\Software\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\userNotificationListener" /v "Value" /t REG_SZ /d "Deny" /f
  2⤵
  PID:3816
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\Software\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\userAccountInformation" /v "Value" /t REG_SZ /d "Deny" /f
  2⤵
  PID:4768
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\Software\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\contacts" /v "Value" /t REG_SZ /d "Deny" /f
  2⤵
  PID:4876
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\Software\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\phoneCall" /v "Value" /t REG_SZ /d "Deny" /f
  2⤵
  PID:5204
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\Software\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\appointments" /v "Value" /t REG_SZ /d "Deny" /f
  2⤵
  PID:4020
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\Software\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\phoneCallHistory" /v "Value" /t REG_SZ /d "Deny" /f
  2⤵
  PID:3564
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\Software\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\email" /v "Value" /t REG_SZ /d "Deny" /f
  2⤵
  PID:3124
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\Software\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\userDataTasks" /v "Value" /t REG_SZ /d "Deny" /f
  2⤵
  PID:760
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\Software\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\chat" /v "Value" /t REG_SZ /d "Deny" /f
  2⤵
  PID:2724
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\Software\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\radios" /v "Value" /t REG_SZ /d "Deny" /f
  2⤵
  PID:1372
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\Software\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\appDiagnostics" /v "Value" /t REG_SZ /d "Deny" /f
  2⤵
  PID:4364
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\Software\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\documentsLibrary" /v "Value" /t REG_SZ /d "Deny" /f
  2⤵
  PID:5808
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\Software\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\picturesLibrary" /v "Value" /t REG_SZ /d "Deny" /f
  2⤵
  PID:5216
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\Software\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\videosLibrary" /v "Value" /t REG_SZ /d "Deny" /f
  2⤵
  PID:1692
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\Software\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\broadFileSystemAccess" /v "Value" /t REG_SZ /d "Deny" /f
  2⤵
  PID:5160
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\Software\Policies\Microsoft\Windows\Windows Search" /v "AllowCortana" /t REG_DWORD /d "0" /f
  2⤵
  PID:4024
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\Software\Policies\Microsoft\Windows\Windows Search" /v "DisableWebSearch" /t REG_DWORD /d "1" /f
  2⤵
  PID:3224
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\Software\Policies\Microsoft\Windows\Windows Search" /v "AllowCloudSearch" /t REG_DWORD /d "0" /f
  2⤵
  PID:2384
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\AITEventLog" /V Start /T REG_DWORD /d 0 /f
  2⤵
  PID:4544
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\Autologger-Diagtrack-Listener" /V Start /T REG_DWORD /d 0 /f
  2⤵
  PID:4764
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\SQMLogger" /V Start /T REG_DWORD /d 0 /f
  2⤵
  PID:4980
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\SQMLogger" /V BufferSize /T REG_DWORD /d 0 /f
  2⤵
  PID:5452
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\SQMLogger" /V FileMax /T REG_DWORD /d 0 /f
  2⤵
  PID:5264
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\SQMLogger" /V FileName /T REG_SZ /d "C:\\Windows\\System32\\LogFiles\\SQM\\SQMLogger.etl" /f
  2⤵
  PID:4204
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\SQMLogger" /V GUID /T REG_SZ /d "{00000000-0000-0000-0000-000000000000}" /f
  2⤵
  PID:4692
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\SQMLogger" /V LogFileMode /T REG_DWORD /d 0 /f
  2⤵
  PID:6112
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\SQMLogger" /V MaxFileSize /T REG_DWORD /d 0 /f
  2⤵
  PID:4276
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\SQMLogger" /V MinimumBuffers /T REG_DWORD /d 0 /f
  2⤵
  PID:2476
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\SQMLogger" /V MaximumBuffers /T REG_DWORD /d 0 /f
  2⤵
  PID:2812
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\SQMLogger" /V Status /T REG_DWORD /d 0 /f
  2⤵
  PID:5068
- C:\Windows\system32\reg.exe
  Reg.exe add "HKCU\Control Panel\International\User Profile" /v "HttpAcceptLanguageOptOut" /t REG_DWORD /d "1" /f
  2⤵
  PID:4532
- C:\Windows\system32\sc.exe
  sc config "dmwappushservice" start=disabled
  2⤵
  - Launches sc.exe
  PID:1652
- C:\Windows\system32\sc.exe
  sc config "diagnosticshub.standardcollector.service" start=disabled
  2⤵
  - Launches sc.exe
  PID:1456
- C:\Windows\system32\sc.exe
  sc config "diagtrack" start=disabled
  2⤵
  - Launches sc.exe
  PID:3772
- C:\Windows\system32\sc.exe
  sc config "WMPNetworkSvc" start=disabled
  2⤵
  - Launches sc.exe
  PID:5848
- C:\Windows\system32\sc.exe
  sc config "RemoteRegistry" start=disabled
  2⤵
  - Launches sc.exe
  PID:4516
- C:\Windows\system32\sc.exe
  sc config "IEEtwCollectorService" start=disabled
  2⤵
  - Launches sc.exe
  PID:3600
- C:\Windows\system32\sc.exe
  sc config "wercplsupport" start=disabled
  2⤵
  - Launches sc.exe
  PID:4468
- C:\Windows\system32\sc.exe
  sc config "NvTelemetryContainer" start=disabled
  2⤵
  - Launches sc.exe
  PID:2108
- C:\Windows\system32\net.exe
  net stop "dmwappushservice"
  2⤵
  PID:4632
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "dmwappushservice"
    3⤵
    PID:3184
- C:\Windows\system32\net.exe
  net stop "diagnosticshub.standardcollector.service"
  2⤵
  PID:528
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "diagnosticshub.standardcollector.service"
    3⤵
    PID:2204
- C:\Windows\system32\net.exe
  net stop "diagtrack"
  2⤵
  PID:3108
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "diagtrack"
    3⤵
    PID:2900
- C:\Windows\system32\net.exe
  net stop "WMPNetworkSvc"
  2⤵
  PID:1512
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "WMPNetworkSvc"
    3⤵
    PID:968
- C:\Windows\system32\net.exe
  net stop "RemoteRegistry"
  2⤵
  PID:4808
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "RemoteRegistry"
    3⤵
    PID:3552
- C:\Windows\system32\net.exe
  net stop "IEEtwCollectorService"
  2⤵
  PID:5496
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "IEEtwCollectorService"
    3⤵
    PID:4428
- C:\Windows\system32\net.exe
  net stop "wercplsupport"
  2⤵
  PID:4772
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "wercplsupport"
    3⤵
    PID:728
- C:\Windows\system32\net.exe
  net stop "NvTelemetryContainer"
  2⤵
  PID:4888
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "NvTelemetryContainer"
    3⤵
    PID:3452
- C:\Windows\system32\setx.exe
  setx powershell_TELEMETRY_OPTOUT 1
  2⤵
  PID:5444
- C:\Windows\system32\setx.exe
  setx DOTNET_CLI_TELEMETRY_OPTOUT 1
  2⤵
  PID:4424
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\AppModel" /v "Start" /t REG_DWORD /d "0" /f
  2⤵
  PID:1404
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\Cellcore" /v "Start" /t REG_DWORD /d "0" /f
  2⤵
  PID:4148
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\Circular Kernel Context Logger" /v "Start" /t REG_DWORD /d "0" /f
  2⤵
  PID:5948
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\CloudExperienceHostOobe" /v "Start" /t REG_DWORD /d "0" /f
  2⤵
  PID:5180
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DataMarket" /v "Start" /t REG_DWORD /d "0" /f
  2⤵
  PID:5208
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f
  2⤵
  PID:3768
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "0" /f
  2⤵
  PID:2008
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DiagLog" /v "Start" /t REG_DWORD /d "1" /f
  2⤵
  PID:4052
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\HolographicDevice" /v "Start" /t REG_DWORD /d "0" /f
  2⤵
  PID:3924
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\iCLSClient" /v "Start" /t REG_DWORD /d "0" /f
  2⤵
  PID:4832
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\iCLSProxy" /v "Start" /t REG_DWORD /d "0" /f
  2⤵
  PID:4352
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\LwtNetLog" /v "Start" /t REG_DWORD /d "0" /f
  2⤵
  PID:4368
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\Mellanox-Kernel" /v "Start" /t REG_DWORD /d "0" /f
  2⤵
  PID:3456
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\Microsoft-Windows-AssignedAccess-Trace" /v "Start" /t REG_DWORD /d "0" /f
  2⤵
  PID:5968
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\Microsoft-Windows-Setup" /v "Start" /t REG_DWORD /d "0" /f
  2⤵
  PID:4104
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\NBSMBLOGGER" /v "Start" /t REG_DWORD /d "0" /f
  2⤵
  PID:5324
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\PEAuthLog" /v "Start" /t REG_DWORD /d "0" /f
  2⤵
  PID:1848
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\RdrLog" /v "Start" /t REG_DWORD /d "0" /f
  2⤵
  PID:5260
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\ReadyBoot" /v "Start" /t REG_DWORD /d "0" /f
  2⤵
  PID:5584
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\SetupPlatform" /v "Start" /t REG_DWORD /d "0" /f
  2⤵
  PID:1744
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\SetupPlatformTel" /v "Start" /t REG_DWORD /d "0" /f
  2⤵
  PID:4032
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\SocketHeciServer" /v "Start" /t REG_DWORD /d "0" /f
  2⤵
  PID:4244
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\SpoolerLogger" /v "Start" /t REG_DWORD /d "0" /f
  2⤵
  PID:6052
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\SQMLogger" /v "Start" /t REG_DWORD /d "0" /f
  2⤵
  PID:1248
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\TCPIPLOGGER" /v "Start" /t REG_DWORD /d "0" /f
  2⤵
  PID:5916
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\TileStore" /v "Start" /t REG_DWORD /d "0" /f
  2⤵
  PID:4540
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\Tpm" /v "Start" /t REG_DWORD /d "0" /f
  2⤵
  PID:6060
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\TPMProvisioningService" /v "Start" /t REG_DWORD /d "0" /f
  2⤵
  PID:6036
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\UBPM" /v "Start" /t REG_DWORD /d "0" /f
  2⤵
  PID:4320
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\WdiContextLog" /v "Start" /t REG_DWORD /d "1" /f
  2⤵
  PID:1768
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\WFP-IPsec Trace" /v "Start" /t REG_DWORD /d "0" /f
  2⤵
  PID:1376
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\WiFiDriverIHVSession" /v "Start" /t REG_DWORD /d "0" /f
  2⤵
  PID:3980
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\WiFiDriverIHVSessionRepro" /v "Start" /t REG_DWORD /d "0" /f
  2⤵
  PID:5124
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\WiFiSession" /v "Start" /t REG_DWORD /d "0" /f
  2⤵
  PID:4252
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\WinPhoneCritical" /v "Start" /t REG_DWORD /d "0" /f
  2⤵
  PID:2872
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\Software\Microsoft\Windows NT\CurrentVersion\WUDF" /v "LogEnable" /t REG_DWORD /d "0" /f
  2⤵
  PID:1380
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\Software\Microsoft\Windows NT\CurrentVersion\WUDF" /v "LogLevel" /t REG_DWORD /d "0" /f
  2⤵
  PID:3480
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\System\CurrentControlSet\Control\Lsa\Credssp" /v "DebugLogLevel" /t REG_DWORD /d "0" /f
  2⤵
  PID:1012
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\Software\Policies\Microsoft\Windows\CloudContent" /v "DisableThirdPartySuggestions" /t REG_DWORD /d "1" /f
  2⤵
  PID:1700
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\Software\Policies\Microsoft\Windows\CloudContent" /v "DisableWindowsConsumerFeatures" /t REG_DWORD /d "1" /f
  2⤵
  PID:5668
- C:\Windows\system32\takeown.exe
  takeown /f C:\Users\Admin\AppData\Local\NVIDIA\NvBackend\ApplicationOntology\OAWrapper.exe
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  PID:5684
- C:\Windows\system32\icacls.exe
  icacls C:\Users\Admin\AppData\Local\NVIDIA\NvBackend\ApplicationOntology\OAWrapper.exe /deny *S-1-1-0:F /T
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  PID:5696
- C:\Windows\system32\takeown.exe
  takeown /f C:\Windows\System32\CompatTelRunner.exe
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  PID:3208
- C:\Windows\system32\icacls.exe
  icacls C:\Windows\System32\CompatTelRunner.exe /deny *S-1-1-0:F /T
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  PID:1632
- C:\Windows\system32\timeout.exe
  timeout 1
  2⤵
  - Delays execution with timeout.exe
  PID:5652
- C:\Windows\system32\chcp.com
  chcp 65001
  2⤵
  PID:3588
- C:\Windows\system32\mode.com
  mode 95,29
  2⤵
  PID:5680

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Downloads\NeuronX-main\NeuronX-main\download\NeuronF_V1.1.bat" "
1⤵
PID:4820
- C:\Windows\system32\mode.com
  mode 95,29
  2⤵
  PID:4776
- C:\Windows\system32\chcp.com
  chcp 65001
  2⤵
  PID:5376
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\System\CurrentControlSet\Control\CrashControl" /v "DisplayParameters" /t REG_DWORD /d "1" /f
  2⤵
  PID:2388
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "prompt #$H#$E# & echo on & for %b in (1) do rem"
  2⤵
  PID:3104
- C:\Windows\system32\reg.exe
  Reg.exe add HKCU\CONSOLE /v VirtualTerminalLevel /t REG_DWORD /d 1 /f
  2⤵
  - Modifies registry key
  PID:2188
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\System\CurrentControlSet\Control\CrashControl" /v "DisplayParameters" /t REG_DWORD /d "1" /f
  2⤵
  PID:4344
- C:\Windows\system32\reg.exe
  Reg.exe query "HKU\S-1-5-19\Environment"
  2⤵
  PID:1292
- C:\Windows\system32\reg.exe
  Reg.exe query "HKCU\Software\Neuron" /v "Disclaimer"
  2⤵
  PID:1560
- C:\Windows\system32\mode.com
  mode 95,29
  2⤵
  PID:1328
- C:\Windows\system32\mode.com
  mode 95,29
  2⤵
  PID:4868
- C:\Windows\system32\mode.com
  mode 95,29
  2⤵
  PID:6004
- C:\Windows\system32\findstr.exe
  findstr /v /a:F /R "^$" " P" nul
  2⤵
  PID:4988
- C:\Windows\system32\findstr.exe
  findstr /v /a:F /R "^$" "l" nul
  2⤵
  PID:3876
- C:\Windows\system32\findstr.exe
  findstr /v /a:F /R "^$" "e" nul
  2⤵
  PID:4560
- C:\Windows\system32\findstr.exe
  findstr /v /a:F /R "^$" "a" nul
  2⤵
  PID:1116
- C:\Windows\system32\findstr.exe
  findstr /v /a:F /R "^$" "s" nul
  2⤵
  PID:5248
- C:\Windows\system32\findstr.exe
  findstr /v /a:F /R "^$" "e" nul
  2⤵
  PID:2380
- C:\Windows\system32\findstr.exe
  findstr /v /a:F /R "^$" " w" nul
  2⤵
  PID:5996
- C:\Windows\system32\findstr.exe
  findstr /v /a:F /R "^$" "a" nul
  2⤵
  PID:4796
- C:\Windows\system32\findstr.exe
  findstr /v /a:F /R "^$" "i" nul
  2⤵
  PID:5156
- C:\Windows\system32\findstr.exe
  findstr /v /a:F /R "^$" "t" nul
  2⤵
  PID:924
- C:\Windows\system32\findstr.exe
  findstr /v /a:F /R "^$" " w" nul
  2⤵
  PID:4876
- C:\Windows\system32\findstr.exe
  findstr /v /a:F /R "^$" "h" nul
  2⤵
  PID:3156
- C:\Windows\system32\findstr.exe
  findstr /v /a:F /R "^$" "i" nul
  2⤵
  PID:5556
- C:\Windows\system32\findstr.exe
  findstr /v /a:F /R "^$" "l" nul
  2⤵
  PID:2724
- C:\Windows\system32\findstr.exe
  findstr /v /a:F /R "^$" "e" nul
  2⤵
  PID:5812
- C:\Windows\system32\findstr.exe
  findstr /v /a:F /R "^$" " w" nul
  2⤵
  PID:1432
- C:\Windows\system32\findstr.exe
  findstr /v /a:F /R "^$" "e" nul
  2⤵
  PID:232
- C:\Windows\system32\findstr.exe
  findstr /v /a:F /R "^$" " a" nul
  2⤵
  PID:1608
- C:\Windows\system32\findstr.exe
  findstr /v /a:F /R "^$" "r" nul
  2⤵
  PID:396
- C:\Windows\system32\findstr.exe
  findstr /v /a:F /R "^$" "e" nul
  2⤵
  PID:5712
- C:\Windows\system32\findstr.exe
  findstr /v /a:F /R "^$" " a" nul
  2⤵
  PID:2728
- C:\Windows\system32\findstr.exe
  findstr /v /a:F /R "^$" "p" nul
  2⤵
  PID:3940
- C:\Windows\system32\findstr.exe
  findstr /v /a:F /R "^$" "p" nul
  2⤵
  PID:5332
- C:\Windows\system32\findstr.exe
  findstr /v /a:F /R "^$" "l" nul
  2⤵
  PID:2024
- C:\Windows\system32\findstr.exe
  findstr /v /a:F /R "^$" "y" nul
  2⤵
  PID:6112
- C:\Windows\system32\findstr.exe
  findstr /v /a:F /R "^$" "i" nul
  2⤵
  PID:2284
- C:\Windows\system32\findstr.exe
  findstr /v /a:F /R "^$" "n" nul
  2⤵
  PID:544
- C:\Windows\system32\findstr.exe
  findstr /v /a:F /R "^$" "g" nul
  2⤵
  PID:5500
- C:\Windows\system32\findstr.exe
  findstr /v /a:F /R "^$" " t" nul
  2⤵
  PID:4436
- C:\Windows\system32\findstr.exe
  findstr /v /a:F /R "^$" "h" nul
  2⤵
  PID:1652
- C:\Windows\system32\findstr.exe
  findstr /v /a:F /R "^$" "e" nul
  2⤵
  PID:4136
- C:\Windows\system32\findstr.exe
  findstr /v /a:F /R "^$" " t" nul
  2⤵
  PID:4676
- C:\Windows\system32\findstr.exe
  findstr /v /a:F /R "^$" "w" nul
  2⤵
  PID:4420
- C:\Windows\system32\findstr.exe
  findstr /v /a:F /R "^$" "e" nul
  2⤵
  PID:5364
- C:\Windows\system32\findstr.exe
  findstr /v /a:F /R "^$" "a" nul
  2⤵
  PID:2108
- C:\Windows\system32\findstr.exe
  findstr /v /a:F /R "^$" "k" nul
  2⤵
  PID:1388
- C:\Windows\system32\findstr.exe
  findstr /v /a:F /R "^$" "s" nul
  2⤵
  PID:4616
- C:\Windows\system32\chcp.com
  chcp 852
  2⤵
  PID:4280
- C:\Windows\system32\ipconfig.exe
  ipconfig /flushdns
  2⤵
  - Gathers network information
  PID:3844
- C:\Windows\system32\ipconfig.exe
  ipconfig /release
  2⤵
  - Gathers network information
  PID:3108
- C:\Windows\system32\ipconfig.exe
  ipconfig /renew
  2⤵
  - Gathers network information
  PID:3312
- C:\Windows\system32\netsh.exe
  netsh http flush logbuffer
  2⤵
  PID:3828
- C:\Windows\system32\netsh.exe
  netsh int httpstunnel reset all
  2⤵
  PID:3552
- C:\Windows\system32\netsh.exe
  netsh int ip reset all
  2⤵
  PID:4772
- C:\Windows\system32\netsh.exe
  netsh int tcp reset all
  2⤵
  PID:4888
- C:\Windows\system32\netsh.exe
  netsh interface IP delete arpcache
  2⤵
  PID:5444
- C:\Windows\system32\netsh.exe
  netsh winhttp reset proxy
  2⤵
  PID:2628
- C:\Windows\system32\netsh.exe
  netsh winsock reset
  2⤵
  PID:4424
- C:\Windows\system32\netsh.exe
  netsh wlan stop hostednetwork
  2⤵
  PID:1284
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile" /v "NetworkThrottlingIndex" /t REG_DWORD /d "10" /f
  2⤵
  PID:5208
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "LocalAccountTokenFilterPolicy" /t REG_DWORD /d "0" /f
  2⤵
  PID:3768
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\Software\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Settings" /v "DownloadMode" /t REG_DWORD /d "0" /f
  2⤵
  PID:2008
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\Software\Policies\Microsoft\Windows NT\DNSClient" /v "DisableSmartNameResolution" /t REG_DWORD /d "1" /f
  2⤵
  PID:4052
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\Software\Policies\Microsoft\Windows NT\DNSClient" /v "EnableMulticast" /t REG_DWORD /d "0" /f
  2⤵
  PID:3924
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\Software\Policies\Microsoft\Windows\Psched" /v "NonBestEffortLimit" /t REG_DWORD /d "0" /f
  2⤵
  PID:4832
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\Software\Policies\Microsoft\Windows\Psched" /v "TimerResolution" /t REG_DWORD /d "1" /f
  2⤵
  PID:6028
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\Software\Policies\Microsoft\Windows\OneDrive" /v "DisableFileSyncNGSC" /t REG_DWORD /d "1" /f
  2⤵
  PID:2032
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\System\CurrentControlSet\Services\Dnscache\Parameters" /v "DisableParallelAandAAAA" /t REG_DWORD /d "1" /f
  2⤵
  PID:5532
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\System\CurrentControlSet\Services\Dnscache\Parameters" /v "EnableAutoDoh" /t REG_DWORD /d "2" /f
  2⤵
  PID:5540
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\System\CurrentControlSet\Services\AFD\Parameters" /v "DoNotHoldNicBuffers" /t REG_DWORD /d "1" /f
  2⤵
  PID:4588
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\System\CurrentControlSet\Services\NDIS\Parameters" /v "TrackNblOwner" /t REG_DWORD /d "0" /f
  2⤵
  PID:5576
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\System\CurrentControlSet\Services\NetBT\Parameters" /v "EnableLMHOSTS" /t REG_DWORD /d "0" /f
  2⤵
  PID:2052
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\System\CurrentControlSet\Services\TCPIP\QoS" /v "Do not use NLA" /t REG_SZ /d "1" /f
  2⤵
  PID:5260
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\System\CurrentControlSet\Services\TCPIP\Parameters" /v "DefaultTTL" /t REG_DWORD /d "64" /f
  2⤵
  PID:1052
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\System\CurrentControlSet\Services\TCPIP\Parameters" /v "EnableICMPRedirect" /t REG_DWORD /d "0" /f
  2⤵
  PID:1600
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\System\CurrentControlSet\Services\TCPIP\Parameters" /v "IGMPLevel" /t REG_DWORD /d "0" /f
  2⤵
  PID:1796
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\System\CurrentControlSet\Services\TCPIP\Parameters" /v "MaxUserPort" /t REG_DWORD /d "65534" /f
  2⤵
  PID:5940
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\System\CurrentControlSet\Services\TCPIP\Parameters" /v "Tcp1323Opts" /t REG_DWORD /d "1" /f
  2⤵
  PID:5084
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\System\CurrentControlSet\Services\TCPIP\Parameters" /v "TcpTimedWaitDelay" /t REG_DWORD /d "30" /f
  2⤵
  PID:6040
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\System\CurrentControlSet\Services\TCPIP\Parameters" /v "UseDomainNameDevolution" /t REG_DWORD /d "0" /f
  2⤵
  PID:4488
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\System\CurrentControlSet\Services\TCPIP\Parameters" /v "EnableWsd" /t REG_DWORD /d "0" /f
  2⤵
  PID:4348
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\System\CurrentControlSet\Services\TCPIP\Parameters" /v "TCPCongestionControl" /t REG_DWORD /d "1" /f
  2⤵
  PID:6068
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\System\CurrentControlSet\Services\TCPIP\Parameters" /v "DisableTaskOffload" /t REG_DWORD /d "0" /f
  2⤵
  PID:4824
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\System\CurrentControlSet\Services\TCPIP\Parameters" /v "TcpMaxDupAcks" /t REG_DWORD /d "2" /f
  2⤵
  PID:3980
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\System\CurrentControlSet\Services\TCPIP\Parameters" /v "SackOpts" /t REG_DWORD /d "0" /f
  2⤵
  PID:5124
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\System\CurrentControlSet\Services\TCPIP\Parameters" /v " DisableDHCPMediaSense" /t REG_DWORD /d 1 /f
  2⤵
  PID:3308
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\System\CurrentControlSet\Services\TCPIP\ServiceProvider" /v "DnsPriority" /t REG_DWORD /d "6" /f
  2⤵
  PID:2636
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\System\CurrentControlSet\Services\TCPIP\ServiceProvider" /v "HostsPriority" /t REG_DWORD /d "5" /f
  2⤵
  PID:3660
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\System\CurrentControlSet\Services\TCPIP\ServiceProvider" /v "LocalPriority" /t REG_DWORD /d "4" /f
  2⤵
  PID:3492
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\System\CurrentControlSet\Services\TCPIP\ServiceProvider" /v "NetbtPriority" /t REG_DWORD /d "7" /f
  2⤵
  PID:4700
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\System\CurrentControlSet\Services\LanmanServer\Parameters" /v "IRPStackSize" /t REG_DWORD /d "32" /f
  2⤵
  PID:5796
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\System\CurrentControlSet\Services\LanmanServer\Parameters" /v "SizReqBuf" /t REG_DWORD /d "16384" /f
  2⤵
  PID:3204
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\System\CurrentControlSet\Services\LanmanServer\Parameters" /v "MaxWorkItems" /t REG_DWORD /d "8192" /f
  2⤵
  PID:5936
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\System\CurrentControlSet\Services\LanmanServer\Parameters" /v "MaxMpxCt" /t REG_DWORD /d "2048" /f
  2⤵
  PID:4336
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\System\CurrentControlSet\Services\LanmanServer\Parameters" /v "MaxCmds" /t REG_DWORD /d "2048" /f
  2⤵
  PID:3740
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\System\CurrentControlSet\Services\LanmanServer\Parameters" /v "DisableStrictNameChecking" /t REG_DWORD /d "1" /f
  2⤵
  PID:3324
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\System\CurrentControlSet\Services\LanmanServer\Parameters" /v "Size" /t REG_DWORD /d "3" /f
  2⤵
  PID:6064
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\System\CurrentControlSet\Services\LanmanServer\Parameters" /v "EnableOplocks" /t REG_DWORD /d "0" /f
  2⤵
  PID:3220
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\System\CurrentControlSet\Services\LanmanServer\Parameters" /v "SharingViolationDelay" /t REG_DWORD /d "0" /f
  2⤵
  PID:5652
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\System\CurrentControlSet\Services\LanmanServer\Parameters" /v "SharingViolationRetries" /t REG_DWORD /d "0" /f
  2⤵
  PID:3588
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v "MaxConnectionsPerServer" /t REG_DWORD /d "16" /f
  2⤵
  PID:5680
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v "MaxConnectionsPer1_0Server" /t REG_DWORD /d "16" /f
  2⤵
  PID:2416
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\System\CurrentControlSet\Control\Nsi\{eb004a03-9b1a-11d4-9123-0050047759bc}\0" /v "0200" /t REG_BINARY /d "0000000000000000000000000000000000000000000000000000000002000000000000000000000000000000000000000000ff000000000000000000000000000000000000000000ff000000000000000000000000000000" /f
  2⤵
  PID:5256
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\System\CurrentControlSet\Control\Nsi\{eb004a03-9b1a-11d4-9123-0050047759bc}\0" /v "1700" /t REG_BINARY /d "0000000000000000000000000000000000000000000000000000000002000000000000000000000000000000000000000000ff000000000000000000000000000000000000000000ff000000000000000000000000000000" /f
  2⤵
  PID:512
- C:\Windows\system32\netsh.exe
  netsh winsock set autotuning on
  2⤵
  PID:4776
- C:\Windows\system32\netsh.exe
  netsh int ip set global neighborcachelimit=4096
  2⤵
  PID:5360
- C:\Windows\system32\netsh.exe
  netsh int ip set global routecachelimit=4096
  2⤵
  PID:1412
- C:\Windows\system32\netsh.exe
  netsh int ip set global sourceroutingbehavior=drop
  2⤵
  PID:3836
- C:\Windows\system32\netsh.exe
  netsh int ip set global taskoffload=disabled
  2⤵
  PID:1180
- C:\Windows\system32\netsh.exe
  netsh int ip set interface ethernet currenthoplimit=64
  2⤵
  PID:4004
- C:\Windows\system32\netsh.exe
  netsh int tcp set global ecncapability=disabled
  2⤵
  PID:2084
- C:\Windows\system32\netsh.exe
  netsh int tcp set global congestionprovider=ctcp
  2⤵
  PID:5036
- C:\Windows\system32\netsh.exe
  netsh int tcp set global netdma=enabled
  2⤵
  PID:2380
- C:\Windows\system32\netsh.exe
  netsh int tcp set global dca=enabled
  2⤵
  PID:5960
- C:\Windows\system32\netsh.exe
  netsh int tcp set global rss=enabled
  2⤵
  PID:1908
- C:\Windows\system32\netsh.exe
  netsh int tcp set global rsc=disabled
  2⤵
  PID:4020
- C:\Windows\system32\netsh.exe
  netsh int tcp set global nonsackrttresiliency=disabled
  2⤵
  PID:2552
- C:\Windows\system32\netsh.exe
  netsh int tcp set global maxsynretransmissions=2
  2⤵
  PID:5812
- C:\Windows\system32\netsh.exe
  netsh int tcp set global fastopen=enabled
  2⤵
  PID:3904
- C:\Windows\system32\netsh.exe
  netsh int tcp set global timestamps=disabled
  2⤵
  - System Time Discovery
  PID:232
- C:\Windows\system32\netsh.exe
  netsh int tcp set global initialRto=3000
  2⤵
  PID:6008
- C:\Windows\system32\netsh.exe
  netsh int tcp set global MinRto=300
  2⤵
  PID:3688
- C:\Windows\system32\netsh.exe
  netsh int udp set global uro=enabled
  2⤵
  PID:2832
- C:\Windows\system32\netsh.exe
  netsh int ipv4 set global defaultcurhoplimit=64
  2⤵
  PID:5352
- C:\Windows\system32\netsh.exe
  netsh int isatap set state disable
  2⤵
  PID:5320
- C:\Windows\system32\netsh.exe
  netsh int tcp set security mpp=enabled
  2⤵
  PID:3424
- C:\Windows\system32\netsh.exe
  netsh int tcp set security profiles=disabled
  2⤵
  PID:5460
- C:\Windows\system32\netsh.exe
  netsh int tcp set global autotuninglevel=normal
  2⤵
  PID:720
- C:\Windows\system32\netsh.exe
  netsh int tcp set heuristics disabled
  2⤵
  PID:4456
- C:\Windows\system32\netsh.exe
  netsh int tcp set supplemental template=custom icw=10
  2⤵
  PID:4676
- C:\Windows\system32\netsh.exe
  netsh int teredo set state disabled
  2⤵
  PID:4468
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell Set-NetOffloadGlobalSetting -Chimney disabled
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:3560
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -ExecutionPolicy Unrestricted Set-NetOffloadGlobalSetting -PacketCoalescingFilter enabled
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:2860
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -ExecutionPolicy Unrestricted "Disable-NetAdapterBinding -Name "*" -ComponentID ms_tcpip6, ms_msclient, ms_server, ms_lldp, ms_lltdio, ms_rspndr"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:5860
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -NoProfile "$net=get-netconnectionprofile; Set-NetConnectionProfile -Name $net.Name -NetworkCategory Private"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:5936
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c netsh int ip show interfaces | findstr [0-9]
  2⤵
  PID:2276
- - C:\Windows\system32\netsh.exe
    netsh int ip show interfaces
    3⤵
    PID:5196
- - C:\Windows\system32\findstr.exe
    findstr [0-9]
    3⤵
    PID:4556
- C:\Windows\system32\netsh.exe
  netsh int ip set interface 6 basereachable=3600000 dadtransmits=0 otherstateful=disabled routerdiscovery=disabled store=persistent
  2⤵
  PID:6136
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c Reg.exe Query HKLM\System\CurrentControlSet\Services\NetBT\Parameters\Interfaces /f "NetbiosOptions" /v /s|Findstr HKEY_
  2⤵
  PID:2864
- - C:\Windows\system32\reg.exe
    Reg.exe Query HKLM\System\CurrentControlSet\Services\NetBT\Parameters\Interfaces /f "NetbiosOptions" /v /s
    3⤵
    - Modifies registry key
    PID:5996
- - C:\Windows\system32\findstr.exe
    Findstr HKEY_
    3⤵
    PID:5660
- C:\Windows\system32\reg.exe
  Reg.exe add HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NetBT\Parameters\Interfaces\Tcpip_{53879f23-9912-4397-bdf0-c16929c7129c} /v NetbiosOptions /t REG_DWORD /d 2 /f
  2⤵
  PID:4852
- C:\Windows\system32\reg.exe
  Reg.exe add HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NetBT\Parameters\Interfaces\Tcpip_{53879f23-9912-4397-bdf0-c16929c7129c} /v EnableNagling /t REG_DWORD /d 0 /f
  2⤵
  PID:804
- C:\Windows\system32\reg.exe
  Reg.exe add HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NetBT\Parameters\Interfaces\Tcpip_{de4728ed-71d3-42d8-81dd-403f0f3cbed6} /v NetbiosOptions /t REG_DWORD /d 2 /f
  2⤵
  PID:836
- C:\Windows\system32\reg.exe
  Reg.exe add HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NetBT\Parameters\Interfaces\Tcpip_{de4728ed-71d3-42d8-81dd-403f0f3cbed6} /v EnableNagling /t REG_DWORD /d 0 /f
  2⤵
  PID:5984
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c Reg.exe query "HKLM\System\ControlSet001\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}" /f "PCI\VEN_" /d /s|Findstr HKEY_
  2⤵
  PID:4796
- - C:\Windows\system32\reg.exe
    Reg.exe query "HKLM\System\ControlSet001\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}" /f "PCI\VEN_" /d /s
    3⤵
    PID:3044
- - C:\Windows\system32\findstr.exe
    Findstr HKEY_
    3⤵
    PID:5244
- C:\Windows\system32\reg.exe
  Reg.exe add HKEY_LOCAL_MACHINE\System\ControlSet001\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0001 /v "TxIntDelay" /t REG_SZ /d "5" /f
  2⤵
  PID:5556
- C:\Windows\system32\reg.exe
  Reg.exe add HKEY_LOCAL_MACHINE\System\ControlSet001\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0001 /v "ulpmode" /t REG_SZ /d "0" /f
  2⤵
  PID:5800
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c Reg.exe query HKLM\System\CurrentControlSet\Services\TCPIP\Parameters\Interfaces
  2⤵
  PID:4020
- - C:\Windows\system32\reg.exe
    Reg.exe query HKLM\System\CurrentControlSet\Services\TCPIP\Parameters\Interfaces
    3⤵
    - Modifies registry key
    PID:1620
- C:\Windows\system32\reg.exe
  Reg.exe add HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\TCPIP\Parameters\Interfaces\{53879f23-9912-4397-bdf0-c16929c7129c} /v "UseZeroBroadcast" /d "0" /t REG_DWORD /f
  2⤵
  PID:2096
- C:\Windows\system32\reg.exe
  Reg.exe add HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\TCPIP\Parameters\Interfaces\{53879f23-9912-4397-bdf0-c16929c7129c} /v "IPAutoconfigurationEnabled" /d "0" /t REG_DWORD /f
  2⤵
  PID:2552
- C:\Windows\system32\reg.exe
  Reg.exe add HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\TCPIP\Parameters\Interfaces\{a31980ab-84ce-11ef-af16-806e6f6e6963} /v "UseZeroBroadcast" /d "0" /t REG_DWORD /f
  2⤵
  PID:4448
- C:\Windows\system32\reg.exe
  Reg.exe add HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\TCPIP\Parameters\Interfaces\{a31980ab-84ce-11ef-af16-806e6f6e6963} /v "IPAutoconfigurationEnabled" /d "0" /t REG_DWORD /f
  2⤵
  PID:5812
- C:\Windows\system32\reg.exe
  Reg.exe add HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\TCPIP\Parameters\Interfaces\{de4728ed-71d3-42d8-81dd-403f0f3cbed6} /v "UseZeroBroadcast" /d "0" /t REG_DWORD /f
  2⤵
  PID:5804
- C:\Windows\system32\reg.exe
  Reg.exe add HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\TCPIP\Parameters\Interfaces\{de4728ed-71d3-42d8-81dd-403f0f3cbed6} /v "IPAutoconfigurationEnabled" /d "0" /t REG_DWORD /f
  2⤵
  PID:3904
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c Reg.exe query "HKLM\Software\Microsoft\Windows NT\CurrentVersion\NetworkCards" /f "ServiceName" /s|findstr /i /l "ServiceName"
  2⤵
  PID:312
- - C:\Windows\system32\reg.exe
    Reg.exe query "HKLM\Software\Microsoft\Windows NT\CurrentVersion\NetworkCards" /f "ServiceName" /s
    3⤵
    PID:232
- - C:\Windows\system32\findstr.exe
    findstr /i /l "ServiceName"
    3⤵
    PID:5468
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\System\CurrentControlSet\Services\TCPIP\Parameters\Interfaces\{DE4728ED-71D3-42D8-81DD-403F0F3CBED6}" /v "TcpAckFrequency" /t REG_DWORD /d "1" /f
  2⤵
  PID:6008
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\System\CurrentControlSet\Services\TCPIP\Parameters\Interfaces\{DE4728ED-71D3-42D8-81DD-403F0F3CBED6}" /v "TCPNoDelay" /t REG_DWORD /d "1" /f
  2⤵
  PID:5448
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\System\CurrentControlSet\Services\TCPIP\Parameters\Interfaces\{DE4728ED-71D3-42D8-81DD-403F0F3CBED6}" /v "TcpDelAckTicks" /t REG_DWORD /d "0" /f
  2⤵
  PID:5176
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\System\CurrentControlSet\Services\TCPIP\Parameters\Interfaces\{DE4728ED-71D3-42D8-81DD-403F0F3CBED6}" /v "TcpInitialRTT" /t REG_DWORD /d "0" /f
  2⤵
  PID:5264
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\System\CurrentControlSet\Services\TCPIP\Parameters\Interfaces\{DE4728ED-71D3-42D8-81DD-403F0F3CBED6}" /v "DeadGWDetectDefault" /t REG_DWORD /d "1" /f
  2⤵
  PID:2832
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\System\CurrentControlSet\Services\Psched\Parameters\Adapters\{DE4728ED-71D3-42D8-81DD-403F0F3CBED6}" /v "NonBestEffortLimit" /t REG_DWORD /d "0" /f
  2⤵
  PID:4220
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c Reg query "HKLM\Software\Microsoft\Windows NT\CurrentVersion\NetworkCards" /k /v /f "Description" /s /e | findstr /ri "REG_SZ"
  2⤵
  PID:5352
- - C:\Windows\system32\reg.exe
    Reg query "HKLM\Software\Microsoft\Windows NT\CurrentVersion\NetworkCards" /k /v /f "Description" /s /e
    3⤵
    PID:5348
- - C:\Windows\system32\findstr.exe
    findstr /ri "REG_SZ"
    3⤵
    PID:4692
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c Reg query "HKLM\System\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}" /s /f "RTL8139C+ Fast Ethernet NIC" /d | findstr /C:"HKEY"
  2⤵
  PID:948
- - C:\Windows\system32\reg.exe
    Reg query "HKLM\System\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}" /s /f "RTL8139C+ Fast Ethernet NIC" /d
    3⤵
    PID:2284
- - C:\Windows\system32\findstr.exe
    findstr /C:"HKEY"
    3⤵
    PID:3424
- C:\Windows\system32\reg.exe
  Reg.exe add "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}\0001" /v "*WakeOnMagicPacket" /t REG_SZ /d "0" /f
  2⤵
  PID:3040
- C:\Windows\system32\reg.exe
  Reg.exe add "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}\0001" /v "*WakeOnPattern" /t REG_SZ /d "0" /f
  2⤵
  PID:5460
- C:\Windows\system32\reg.exe
  Reg.exe add "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}\0001" /v "*FlowControl" /t REG_SZ /d "0" /f
  2⤵
  PID:2548
- C:\Windows\system32\reg.exe
  Reg.exe add "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}\0001" /v "*EEE" /t REG_SZ /d "0" /f
  2⤵
  PID:1652
- C:\Windows\system32\reg.exe
  Reg.exe add "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}\0001" /v "EnablePME" /t REG_SZ /d "0" /f
  2⤵
  PID:2356
- C:\Windows\system32\reg.exe
  Reg.exe add "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}\0001" /v "WakeOnLink" /t REG_SZ /d "0" /f
  2⤵
  PID:2540
- C:\Windows\system32\reg.exe
  Reg.exe add "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}\0001" /v "EEELinkAdvertisement" /t REG_SZ /d "0" /f
  2⤵
  PID:4420
- C:\Windows\system32\reg.exe
  Reg.exe add "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}\0001" /v "ReduceSpeedOnPowerDown" /t REG_SZ /d "0" /f
  2⤵
  PID:4516
- C:\Windows\system32\reg.exe
  Reg.exe add "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}\0001" /v "PowerSavingMode" /t REG_SZ /d "0" /f
  2⤵
  PID:1812
- C:\Windows\system32\reg.exe
  Reg.exe add "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}\0001" /v "EnableGreenEthernet" /t REG_SZ /d "0" /f
  2⤵
  PID:5104
- C:\Windows\system32\reg.exe
  Reg.exe add "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}\0001" /v "S5WakeOnLan" /t REG_SZ /d "0" /f
  2⤵
  PID:4468
- C:\Windows\system32\reg.exe
  Reg.exe add "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}\0001" /v "ULPMode" /t REG_SZ /d "0" /f
  2⤵
  PID:5592
- C:\Windows\system32\reg.exe
  Reg.exe add "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}\0001" /v "GigaLite" /t REG_SZ /d "0" /f
  2⤵
  PID:2956
- C:\Windows\system32\reg.exe
  Reg.exe add "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}\0001" /v "EnableSavePowerNow" /t REG_SZ /d "0" /f
  2⤵
  PID:4668
- C:\Windows\system32\reg.exe
  Reg.exe add "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}\0001" /v "EnablePowerManagement" /t REG_SZ /d "0" /f
  2⤵
  PID:3684
- C:\Windows\system32\reg.exe
  Reg.exe add "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}\0001" /v "EnableDynamicPowerGating" /t REG_SZ /d "0" /f
  2⤵
  PID:3608
- C:\Windows\system32\reg.exe
  Reg.exe add "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}\0001" /v "EnableConnectedPowerGating" /t REG_SZ /d "0" /f
  2⤵
  PID:3312
- C:\Windows\system32\reg.exe
  Reg.exe add "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}\0001" /v "AutoPowerSaveModeEnabled" /t REG_SZ /d "0" /f
  2⤵
  PID:4848
- C:\Windows\system32\reg.exe
  Reg.exe add "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}\0001" /v "AutoDisableGigabit" /t REG_SZ /d "0" /f
  2⤵
  PID:2204
- C:\Windows\system32\reg.exe
  Reg.exe add "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}\0001" /v "AdvancedEEE" /t REG_SZ /d "0" /f
  2⤵
  PID:3396
- C:\Windows\system32\reg.exe
  Reg.exe add "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}\0001" /v "PowerDownPll" /t REG_SZ /d "0" /f
  2⤵
  PID:4440
- C:\Windows\system32\reg.exe
  Reg.exe add "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}\0001" /v "S5NicKeepOverrideMacAddrV2" /t REG_SZ /d "0" /f
  2⤵
  PID:3560
- C:\Windows\system32\reg.exe
  Reg.exe add "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}\0001" /v "JumboPacket" /t REG_SZ /d "0" /f
  2⤵
  PID:3184
- C:\Windows\system32\reg.exe
  Reg.exe add "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}\0001" /v "ITR" /t REG_SZ /d "125" /f
  2⤵
  PID:5044
- C:\Windows\system32\reg.exe
  Reg.exe add "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}\0001" /v "ReceiveBuffers" /t REG_SZ /d "266" /f
  2⤵
  PID:632
- C:\Windows\system32\reg.exe
  Reg.exe add "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}\0001" /v "TransmitBuffers" /t REG_SZ /d "266" /f
  2⤵
  PID:1312
- C:\Windows\system32\reg.exe
  Reg.exe add "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}\0001" /v "WolShutdownLinkSpeed" /t REG_SZ /d "2" /f
  2⤵
  PID:5208
- C:\Windows\system32\reg.exe
  Reg.exe add "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}\0001" /v "LsoV2IPv4" /t REG_SZ /d "0" /f
  2⤵
  PID:6012
- C:\Windows\system32\reg.exe
  Reg.exe add "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}\0001" /v "LsoV2IPv6" /t REG_SZ /d "0" /f
  2⤵
  PID:4132
- C:\Windows\system32\reg.exe
  Reg.exe add "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}\0001" /v "PnPCapabilities" /t REG_DWORD /d "24" /f
  2⤵
  PID:3456
- C:\Windows\system32\reg.exe
  Reg.exe add "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}\0001" /v "UDPChecksumOffloadIPv6" /t REG_SZ /d "0" /f
  2⤵
  PID:4368
- C:\Windows\system32\reg.exe
  Reg.exe add "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}\0001" /v "IPChecksumOffloadIPv4" /t REG_SZ /d "0" /f
  2⤵
  PID:4968
- C:\Windows\system32\reg.exe
  Reg.exe add "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}\0001" /v "UDPChecksumOffloadIPv4" /t REG_SZ /d "0" /f
  2⤵
  PID:3724
- C:\Windows\system32\reg.exe
  Reg.exe add "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}\0001" /v "PMARPOffload" /t REG_SZ /d "0" /f
  2⤵
  PID:5576
- C:\Windows\system32\reg.exe
  Reg.exe add "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}\0001" /v "PMNSOffload" /t REG_SZ /d "0" /f
  2⤵
  PID:5516
- C:\Windows\system32\reg.exe
  Reg.exe add "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}\0001" /v "TCPChecksumOffloadIPv4" /t REG_SZ /d "0" /f
  2⤵
  PID:4636
- C:\Windows\system32\reg.exe
  Reg.exe add "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}\0001" /v "TCPChecksumOffloadIPv6" /t REG_SZ /d "0" /f
  2⤵
  PID:6060
- C:\Windows\system32\chcp.com
  chcp 65001
  2⤵
  PID:4196
- C:\Windows\system32\mode.com
  mode 95,29
  2⤵
  PID:940
- C:\Windows\system32\findstr.exe
  findstr /v /a:F /R "^$" " T" nul
  2⤵
  PID:3928
- C:\Windows\system32\findstr.exe
  findstr /v /a:F /R "^$" "w" nul
  2⤵
  PID:5884
- C:\Windows\system32\findstr.exe
  findstr /v /a:F /R "^$" "e" nul
  2⤵
  PID:5088
- C:\Windows\system32\findstr.exe
  findstr /v /a:F /R "^$" "a" nul
  2⤵
  PID:3516
- C:\Windows\system32\findstr.exe
  findstr /v /a:F /R "^$" "k" nul
  2⤵
  PID:5180
- C:\Windows\system32\findstr.exe
  findstr /v /a:F /R "^$" " a" nul
  2⤵
  PID:1632
- C:\Windows\system32\findstr.exe
  findstr /v /a:F /R "^$" "p" nul
  2⤵
  PID:2040
- C:\Windows\system32\findstr.exe
  findstr /v /a:F /R "^$" "p" nul
  2⤵
  PID:3204
- C:\Windows\system32\findstr.exe
  findstr /v /a:F /R "^$" "l" nul
  2⤵
  PID:3588
- C:\Windows\system32\findstr.exe
  findstr /v /a:F /R "^$" "i" nul
  2⤵
  PID:3680
- C:\Windows\system32\findstr.exe
  findstr /v /a:F /R "^$" "e" nul
  2⤵
  PID:3268
- C:\Windows\system32\findstr.exe
  findstr /v /a:F /R "^$" "d" nul
  2⤵
  PID:1700
- C:\Windows\system32\findstr.exe
  findstr /v /a:F /R "^$" " s" nul
  2⤵
  PID:4836
- C:\Windows\system32\findstr.exe
  findstr /v /a:F /R "^$" "u" nul
  2⤵
  PID:4776
- C:\Windows\system32\findstr.exe
  findstr /v /a:F /R "^$" "c" nul
  2⤵
  PID:5944
- C:\Windows\system32\findstr.exe
  findstr /v /a:F /R "^$" "c" nul
  2⤵
  PID:1676
- C:\Windows\system32\findstr.exe
  findstr /v /a:F /R "^$" "e" nul
  2⤵
  PID:2424
- C:\Windows\system32\findstr.exe
  findstr /v /a:F /R "^$" "s" nul
  2⤵
  PID:624
- C:\Windows\system32\findstr.exe
  findstr /v /a:F /R "^$" "f" nul
  2⤵
  PID:3648
- C:\Windows\system32\findstr.exe
  findstr /v /a:F /R "^$" "u" nul
  2⤵
  PID:216
- C:\Windows\system32\findstr.exe
  findstr /v /a:F /R "^$" "l" nul
  2⤵
  PID:1268
- C:\Windows\system32\findstr.exe
  findstr /v /a:F /R "^$" "l" nul
  2⤵
  PID:4000
- C:\Windows\system32\findstr.exe
  findstr /v /a:F /R "^$" "y" nul
  2⤵
  PID:3192
- C:\Windows\system32\timeout.exe
  timeout 2
  2⤵
  - Delays execution with timeout.exe
  PID:5196
- C:\Windows\system32\mode.com
  mode 95,29
  2⤵
  PID:3044
- C:\Windows\system32\mode.com
  mode 95,29
  2⤵
  PID:2728
- C:\Windows\system32\mode.com
  mode 95,29
  2⤵
  PID:2812
- C:\Windows\system32\mode.com
  mode 95,29
  2⤵
  PID:1968
- C:\Windows\system32\findstr.exe
  findstr /v /a:F /R "^$" " P" nul
  2⤵
  PID:3468
- C:\Windows\system32\findstr.exe
  findstr /v /a:F /R "^$" "l" nul
  2⤵
  PID:3920
- C:\Windows\system32\findstr.exe
  findstr /v /a:F /R "^$" "e" nul
  2⤵
  PID:4468
- C:\Windows\system32\findstr.exe
  findstr /v /a:F /R "^$" "a" nul
  2⤵
  PID:4828
- C:\Windows\system32\findstr.exe
  findstr /v /a:F /R "^$" "s" nul
  2⤵
  PID:4668
- C:\Windows\system32\findstr.exe
  findstr /v /a:F /R "^$" "e" nul
  2⤵
  PID:5820
- C:\Windows\system32\findstr.exe
  findstr /v /a:F /R "^$" " w" nul
  2⤵
  PID:3312
- C:\Windows\system32\findstr.exe
  findstr /v /a:F /R "^$" "a" nul
  2⤵
  PID:5172
- C:\Windows\system32\findstr.exe
  findstr /v /a:F /R "^$" "i" nul
  2⤵
  PID:5080
- C:\Windows\system32\findstr.exe
  findstr /v /a:F /R "^$" "t" nul
  2⤵
  PID:3260
- C:\Windows\system32\findstr.exe
  findstr /v /a:F /R "^$" " w" nul
  2⤵
  PID:4848
- C:\Windows\system32\findstr.exe
  findstr /v /a:F /R "^$" "h" nul
  2⤵
  PID:5552
- C:\Windows\system32\findstr.exe
  findstr /v /a:F /R "^$" "i" nul
  2⤵
  PID:5948
- C:\Windows\system32\findstr.exe
  findstr /v /a:F /R "^$" "l" nul
  2⤵
  PID:5536
- C:\Windows\system32\findstr.exe
  findstr /v /a:F /R "^$" "e" nul
  2⤵
  PID:2032
- C:\Windows\system32\findstr.exe
  findstr /v /a:F /R "^$" " w" nul
  2⤵
  PID:4696
- C:\Windows\system32\findstr.exe
  findstr /v /a:F /R "^$" "e" nul
  2⤵
  PID:3724
- C:\Windows\system32\findstr.exe
  findstr /v /a:F /R "^$" " a" nul
  2⤵
  PID:5112
- C:\Windows\system32\findstr.exe
  findstr /v /a:F /R "^$" "r" nul
  2⤵
  PID:6060
- C:\Windows\system32\findstr.exe
  findstr /v /a:F /R "^$" "e" nul
  2⤵
  PID:5796
- C:\Windows\system32\findstr.exe
  findstr /v /a:F /R "^$" " a" nul
  2⤵
  PID:5192
- C:\Windows\system32\findstr.exe
  findstr /v /a:F /R "^$" "p" nul
  2⤵
  PID:2644
- C:\Windows\system32\findstr.exe
  findstr /v /a:F /R "^$" "p" nul
  2⤵
  PID:1512
- C:\Windows\system32\findstr.exe
  findstr /v /a:F /R "^$" "l" nul
  2⤵
  PID:1880
- C:\Windows\system32\findstr.exe
  findstr /v /a:F /R "^$" "y" nul
  2⤵
  PID:5652
- C:\Windows\system32\findstr.exe
  findstr /v /a:F /R "^$" "i" nul
  2⤵
  PID:644
- C:\Windows\system32\findstr.exe
  findstr /v /a:F /R "^$" "n" nul
  2⤵
  PID:4776
- C:\Windows\system32\findstr.exe
  findstr /v /a:F /R "^$" "g" nul
  2⤵
  PID:1676
- C:\Windows\system32\findstr.exe
  findstr /v /a:F /R "^$" " t" nul
  2⤵
  PID:624
- C:\Windows\system32\findstr.exe
  findstr /v /a:F /R "^$" "h" nul
  2⤵
  PID:4316
- C:\Windows\system32\findstr.exe
  findstr /v /a:F /R "^$" "e" nul
  2⤵
  PID:1268
- C:\Windows\system32\findstr.exe
  findstr /v /a:F /R "^$" " t" nul
  2⤵
  PID:2576
- C:\Windows\system32\findstr.exe
  findstr /v /a:F /R "^$" "w" nul
  2⤵
  PID:2828
- C:\Windows\system32\findstr.exe
  findstr /v /a:F /R "^$" "e" nul
  2⤵
  PID:1556
- C:\Windows\system32\findstr.exe
  findstr /v /a:F /R "^$" "a" nul
  2⤵
  PID:2248
- C:\Windows\system32\findstr.exe
  findstr /v /a:F /R "^$" "k" nul
  2⤵
  PID:4556
- C:\Windows\system32\findstr.exe
  findstr /v /a:F /R "^$" "s" nul
  2⤵
  PID:3156
- C:\Windows\system32\chcp.com
  chcp 852
  2⤵
  PID:4040
- C:\Windows\system32\netsh.exe
  netsh advfirewall firewall add rule name="Block Windows Telemetry" dir=in action=block remoteip=134.170.30.202,137.116.81.24,157.56.106.189,184.86.53.99,2.22.61.43,2.22.61.66,204.79.197.200,23.218.212.69,65.39.117.23,65.55.108.23,64.4.54.254 enable=yes
  2⤵
  - Modifies Windows Firewall
  PID:2724
- C:\Windows\system32\netsh.exe
  netsh advfirewall firewall add rule name="Block NVIDIA Telemetry" dir=in action=block remoteip=8.36.80.197,8.36.80.224,8.36.80.252,8.36.113.118,8.36.113.141,8.36.80.230,8.36.80.231,8.36.113.126,8.36.80.195,8.36.80.217,8.36.80.237,8.36.80.246,8.36.113.116,8.36.113.139,8.36.80.244,216.228.121.209 enable=yes
  2⤵
  - Modifies Windows Firewall
  PID:5504
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\Software\Microsoft\Input\TIPC" /v "Enabled" /t REG_DWORD /d 0 /f
  2⤵
  PID:4156
- C:\Windows\system32\reg.exe
  Reg.exe add "HKCU\Software\Microsoft\Input\TIPC" /v "Enabled" /t REG_DWORD /d 0 /f
  2⤵
  PID:5072
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\Software\Policies\Microsoft\Windows\System" /v "EnableActivityFeed" /d "0" /t REG_DWORD /f
  2⤵
  PID:3004
- C:\Windows\system32\reg.exe
  Reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "SubscribedContent-338393Enabled" /t REG_DWORD /d "0" /f
  2⤵
  PID:4676
- C:\Windows\system32\reg.exe
  Reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "SubscribedContent-353694Enabled" /t REG_DWORD /d "0" /f
  2⤵
  PID:2460
- C:\Windows\system32\reg.exe
  Reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "SubscribedContent-353696Enabled" /t REG_DWORD /d "0" /f
  2⤵
  PID:4456
- C:\Windows\system32\reg.exe
  Reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "SubscribedContent-338387Enabled" /t REG_DWORD /d "0" /f
  2⤵
  PID:5364
- C:\Windows\system32\reg.exe
  Reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "SubscribedContent-338389Enabled" /t REG_DWORD /d "0" /f
  2⤵
  PID:3920
- C:\Windows\system32\reg.exe
  Reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "SubscribedContent-310093Enabled" /t REG_DWORD /d "0" /f
  2⤵
  PID:5592
- C:\Windows\system32\reg.exe
  Reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "SubscribedContent-338388Enabled" /t REG_DWORD /d "0" /f
  2⤵
  PID:4828
- C:\Windows\system32\reg.exe
  Reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "SubscribedContent-314563Enabled" /t REG_DWORD /d "0" /f
  2⤵
  PID:3684
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\Software\Policies\Microsoft\Windows\DataCollection" /v "AllowTelemetry" /t REG_DWORD /d "0" /f
  2⤵
  PID:5820
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\Software\Policies\Microsoft\Windows\DataCollection" /v "AllowDeviceNameInTelemetry" /t REG_DWORD /d "0" /f
  2⤵
  PID:3316
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\Software\Policies\Microsoft\Windows\AppCompat" /V AITEnable /T REG_DWORD /d 0 /f
  2⤵
  PID:4632
- C:\Windows\system32\reg.exe
  Reg.exe add "HKCU\Software\Microsoft\Speech_OneCore\Settings\OnlineSpeechPrivacy" /v "HasAccepted" /t REG_DWORD /d "0" /f
  2⤵
  PID:3604
- C:\Windows\system32\reg.exe
  Reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\Search" /v "CortanaEnabled" /t REG_DWORD /d "0" /f
  2⤵
  PID:4044
- C:\Windows\system32\reg.exe
  Reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\Search" /v "BingSearchEnabled" /t REG_DWORD /d "0" /f
  2⤵
  PID:3252
- C:\Windows\system32\reg.exe
  Reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\Search" /v "CortanaConsent" /t REG_DWORD /d "0" /f
  2⤵
  PID:768
- C:\Windows\system32\reg.exe
  Reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\Search" /v "BackgroundAppGlobalToggle" /t REG_DWORD /d "0" /f
  2⤵
  PID:3184
- C:\Windows\system32\reg.exe
  Reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\AdvertisingInfo" /v "Enabled" /t REG_DWORD /d "0" /f
  2⤵
  PID:5980
- C:\Windows\system32\reg.exe
  Reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "Start_TrackProgs" /t REG_DWORD /d "0" /f
  2⤵
  PID:3396
- C:\Windows\system32\reg.exe
  Reg.exe add "HKCU\Software\Microsoft\Personalization\Settings" /v "AcceptedPrivacyPolicy" /t REG_DWORD /d "0" /f
  2⤵
  PID:5424
- C:\Windows\system32\reg.exe
  Reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\SettingSync\Groups\Language" /v "SettingsVersion" /t REG_DWORD /d "3" /f
  2⤵
  PID:4084
- C:\Windows\system32\reg.exe
  Reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\SettingSync\Groups\Language" /v "Enabled" /t REG_DWORD /d "0" /f
  2⤵
  PID:5640
- C:\Windows\system32\reg.exe
  Reg.exe add "HKCU\Software\Microsoft\InputPersonalization" /v "RestrictImplicitInkCollection" /t REG_DWORD /d "1" /f
  2⤵
  PID:3868
- C:\Windows\system32\reg.exe
  Reg.exe add "HKCU\Software\Microsoft\InputPersonalization" /v "RestrictImplicitTextCollection" /t REG_DWORD /d "1" /f
  2⤵
  PID:4696
- C:\Windows\system32\reg.exe
  Reg.exe add "HKCU\Software\Microsoft\InputPersonalization\TrainedDataStore" /v "HarvestContacts" /t REG_DWORD /d "0" /f
  2⤵
  PID:5044
- C:\Windows\system32\reg.exe
  Reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\Diagnostics\DiagTrack" /v "ShowedToastAtLevel" /t REG_DWORD /d "1" /f
  2⤵
  PID:5644
- C:\Windows\system32\reg.exe
  Reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\Privacy" /v "TailoredExperiencesWithDiagnosticDataEnabled" /t REG_DWORD /d "0" /f
  2⤵
  PID:6056
- C:\Windows\system32\reg.exe
  Reg.exe add "HKCU\Software\Microsoft\Siuf\Rules" /v "NumberOfSIUFInPeriod" /t REG_DWORD /d "0" /f
  2⤵
  PID:6104
- C:\Windows\system32\reg.exe
  Reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\radios" /v "Value" /t REG_SZ /d "Deny" /f
  2⤵
  PID:3980
- C:\Windows\system32\reg.exe
  Reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\webcam" /v "Value" /t REG_SZ /d "Deny" /f
  2⤵
  PID:4196

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Downloads\NeuronX-main\NeuronX-main\download\NeuronF_V1.1.bat" "
1⤵
PID:1380
- C:\Windows\system32\mode.com
  mode 95,29
  2⤵
  PID:3204
- C:\Windows\system32\chcp.com
  chcp 65001
  2⤵
  PID:3588
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\System\CurrentControlSet\Control\CrashControl" /v "DisplayParameters" /t REG_DWORD /d "1" /f
  2⤵
  PID:3680
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "prompt #$H#$E# & echo on & for %b in (1) do rem"
  2⤵
  PID:2760
- C:\Windows\system32\reg.exe
  Reg.exe add HKCU\CONSOLE /v VirtualTerminalLevel /t REG_DWORD /d 1 /f
  2⤵
  - Modifies registry key
  PID:5376
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\System\CurrentControlSet\Control\CrashControl" /v "DisplayParameters" /t REG_DWORD /d "1" /f
  2⤵
  PID:1616
- C:\Windows\system32\reg.exe
  Reg.exe query "HKU\S-1-5-19\Environment"
  2⤵
  PID:1164
- C:\Windows\system32\reg.exe
  Reg.exe query "HKCU\Software\Neuron" /v "Disclaimer"
  2⤵
  PID:1292
- C:\Windows\system32\mode.com
  mode 95,29
  2⤵
  PID:5060
- C:\Windows\system32\mode.com
  mode 95,29
  2⤵
  PID:5420
- C:\Windows\system32\mode.com
  mode 95,29
  2⤵
  PID:3420
- C:\Windows\system32\mode.com
  mode 95,29
  2⤵
  PID:3932
- C:\Windows\system32\findstr.exe
  findstr /v /a:F /R "^$" " P" nul
  2⤵
  PID:5036
- C:\Windows\system32\findstr.exe
  findstr /v /a:F /R "^$" "l" nul
  2⤵
  PID:6136
- C:\Windows\system32\findstr.exe
  findstr /v /a:F /R "^$" "e" nul
  2⤵
  PID:2380
- C:\Windows\system32\findstr.exe
  findstr /v /a:F /R "^$" "a" nul
  2⤵
  PID:5660
- C:\Windows\system32\findstr.exe
  findstr /v /a:F /R "^$" "s" nul
  2⤵
  PID:6020
- C:\Windows\system32\findstr.exe
  findstr /v /a:F /R "^$" "e" nul
  2⤵
  PID:3816
- C:\Windows\system32\findstr.exe
  findstr /v /a:F /R "^$" " w" nul
  2⤵
  PID:4840
- C:\Windows\system32\findstr.exe
  findstr /v /a:F /R "^$" "a" nul
  2⤵
  PID:4876
- C:\Windows\system32\findstr.exe
  findstr /v /a:F /R "^$" "i" nul
  2⤵
  PID:2328
- C:\Windows\system32\findstr.exe
  findstr /v /a:F /R "^$" "t" nul
  2⤵
  PID:5708
- C:\Windows\system32\findstr.exe
  findstr /v /a:F /R "^$" " w" nul
  2⤵
  PID:5556
- C:\Windows\system32\findstr.exe
  findstr /v /a:F /R "^$" "h" nul
  2⤵
  PID:640
- C:\Windows\system32\findstr.exe
  findstr /v /a:F /R "^$" "i" nul
  2⤵
  PID:1620
- C:\Windows\system32\findstr.exe
  findstr /v /a:F /R "^$" "l" nul
  2⤵
  PID:2724
- C:\Windows\system32\findstr.exe
  findstr /v /a:F /R "^$" "e" nul
  2⤵
  PID:2552
- C:\Windows\system32\findstr.exe
  findstr /v /a:F /R "^$" " w" nul
  2⤵
  PID:3728
- C:\Windows\system32\findstr.exe
  findstr /v /a:F /R "^$" "e" nul
  2⤵
  PID:3532
- C:\Windows\system32\findstr.exe
  findstr /v /a:F /R "^$" " a" nul
  2⤵
  PID:4764
- C:\Windows\system32\findstr.exe
  findstr /v /a:F /R "^$" "r" nul
  2⤵
  PID:232
- C:\Windows\system32\findstr.exe
  findstr /v /a:F /R "^$" "e" nul
  2⤵
  PID:6008
- C:\Windows\system32\findstr.exe
  findstr /v /a:F /R "^$" " a" nul
  2⤵
  PID:5176
- C:\Windows\system32\findstr.exe
  findstr /v /a:F /R "^$" "p" nul
  2⤵
  PID:2056
- C:\Windows\system32\findstr.exe
  findstr /v /a:F /R "^$" "p" nul
  2⤵
  PID:3940
- C:\Windows\system32\findstr.exe
  findstr /v /a:F /R "^$" "l" nul
  2⤵
  PID:5320
- C:\Windows\system32\findstr.exe
  findstr /v /a:F /R "^$" "y" nul
  2⤵
  PID:4976
- C:\Windows\system32\findstr.exe
  findstr /v /a:F /R "^$" "i" nul
  2⤵
  PID:4276
- C:\Windows\system32\findstr.exe
  findstr /v /a:F /R "^$" "n" nul
  2⤵
  PID:2284
- C:\Windows\system32\findstr.exe
  findstr /v /a:F /R "^$" "g" nul
  2⤵
  PID:4880
- C:\Windows\system32\findstr.exe
  findstr /v /a:F /R "^$" " t" nul
  2⤵
  PID:3040
- C:\Windows\system32\findstr.exe
  findstr /v /a:F /R "^$" "h" nul
  2⤵
  PID:5116
- C:\Windows\system32\findstr.exe
  findstr /v /a:F /R "^$" "e" nul
  2⤵
  PID:5848
- C:\Windows\system32\findstr.exe
  findstr /v /a:F /R "^$" " t" nul
  2⤵
  PID:2288
- C:\Windows\system32\findstr.exe
  findstr /v /a:F /R "^$" "w" nul
  2⤵
  PID:2540
- C:\Windows\system32\findstr.exe
  findstr /v /a:F /R "^$" "e" nul
  2⤵
  PID:980
- C:\Windows\system32\findstr.exe
  findstr /v /a:F /R "^$" "a" nul
  2⤵
  PID:2108
- C:\Windows\system32\findstr.exe
  findstr /v /a:F /R "^$" "k" nul
  2⤵
  PID:5104
- C:\Windows\system32\findstr.exe
  findstr /v /a:F /R "^$" "s" nul
  2⤵
  PID:2900
- C:\Windows\system32\reg.exe
  Reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\BackgroundAccessApplications" /v "GlobalUserDisabled" /t REG_DWORD /d "1" /f
  2⤵
  PID:4652
- C:\Windows\system32\reg.exe
  Reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\Search" /v "BackgroundAppGlobalToggle" /t REG_DWORD /d "0" /f
  2⤵
  PID:224
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\Software\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsRunInBackground" /t REG_DWORD /d "2" /f
  2⤵
  PID:1388
- C:\Windows\system32\sc.exe
  sc config "AxInstSV RemoteRegistry lmhosts tzautoupdate WSearch LanmanWorkstation bthserv dmwappushservice MapsBroker lfsvc SharedAccess lltdsvc AppVClient NetTcpPortSharing CscService PhoneSvc Spooler PrintNotify QWAVE RmSvc RemoteAccess SensorDataService SensrSvc SensorService ShellHWDetection SCardSvr ScDeviceEnum SSDPSRV WiaRpc TabletInputService upnphost UevAgentService WalletService FrameServer stisvc wisvc icssvc WSearch XblAuthManager" start= disabled
  2⤵
  - Launches sc.exe
  PID:4280
- C:\Windows\system32\sc.exe
  sc config "AJRouter ALG AppIDSvc AppMgmt AppReadiness SCPolicySvc AppVClient XboxGipSvc AppXSvc Appinfo AssignedAccessManagerSvc wcncsvc BDESVC BFE BTAGService CertPropSvc FontCache3.0.0.0 p2psvc WaaSMedicSvc" start= demand
  2⤵
  - Launches sc.exe
  PID:1204
- C:\Windows\system32\mode.com
  mode 95,29
  2⤵
  PID:5172
- C:\Windows\system32\findstr.exe
  findstr /v /a:F /R "^$" " T" nul
  2⤵
  PID:4632
- C:\Windows\system32\findstr.exe
  findstr /v /a:F /R "^$" "w" nul
  2⤵
  PID:3092
- C:\Windows\system32\findstr.exe
  findstr /v /a:F /R "^$" "e" nul
  2⤵
  PID:5444
- C:\Windows\system32\findstr.exe
  findstr /v /a:F /R "^$" "a" nul
  2⤵
  PID:1404
- C:\Windows\system32\findstr.exe
  findstr /v /a:F /R "^$" "k" nul
  2⤵
  PID:3184
- C:\Windows\system32\findstr.exe
  findstr /v /a:F /R "^$" " a" nul
  2⤵
  PID:632
- C:\Windows\system32\findstr.exe
  findstr /v /a:F /R "^$" "p" nul
  2⤵
  PID:4888
- C:\Windows\system32\findstr.exe
  findstr /v /a:F /R "^$" "p" nul
  2⤵
  PID:5208
- C:\Windows\system32\findstr.exe
  findstr /v /a:F /R "^$" "l" nul
  2⤵
  PID:3768
- C:\Windows\system32\findstr.exe
  findstr /v /a:F /R "^$" "i" nul
  2⤵
  PID:3868
- C:\Windows\system32\findstr.exe
  findstr /v /a:F /R "^$" "e" nul
  2⤵
  PID:4832
- C:\Windows\system32\findstr.exe
  findstr /v /a:F /R "^$" "d" nul
  2⤵
  PID:4968
- C:\Windows\system32\findstr.exe
  findstr /v /a:F /R "^$" " s" nul
  2⤵
  PID:2052
- C:\Windows\system32\findstr.exe
  findstr /v /a:F /R "^$" "u" nul
  2⤵
  PID:6040
- C:\Windows\system32\findstr.exe
  findstr /v /a:F /R "^$" "c" nul
  2⤵
  PID:6036
- C:\Windows\system32\findstr.exe
  findstr /v /a:F /R "^$" "c" nul
  2⤵
  PID:5456
- C:\Windows\system32\findstr.exe
  findstr /v /a:F /R "^$" "e" nul
  2⤵
  PID:4196
- C:\Windows\system32\findstr.exe
  findstr /v /a:F /R "^$" "s" nul
  2⤵
  PID:4264
- C:\Windows\system32\findstr.exe
  findstr /v /a:F /R "^$" "f" nul
  2⤵
  PID:4424
- C:\Windows\system32\findstr.exe
  findstr /v /a:F /R "^$" "u" nul
  2⤵
  PID:5384
- C:\Windows\system32\findstr.exe
  findstr /v /a:F /R "^$" "l" nul
  2⤵
  PID:6016
- C:\Windows\system32\findstr.exe
  findstr /v /a:F /R "^$" "l" nul
  2⤵
  PID:2644
- C:\Windows\system32\findstr.exe
  findstr /v /a:F /R "^$" "y" nul
  2⤵
  PID:4396
- C:\Windows\system32\timeout.exe
  timeout 2
  2⤵
  - Delays execution with timeout.exe
  PID:1632
- C:\Windows\system32\mode.com
  mode 95,29
  2⤵
  PID:3588
- C:\Windows\system32\mode.com
  mode 95,29
  2⤵
  PID:5920
- C:\Windows\system32\mode.com
  mode 95,29
  2⤵
  PID:2416
- C:\Windows\system32\findstr.exe
  findstr /v /a:F /R "^$" " P" nul
  2⤵
  PID:1588
- C:\Windows\system32\findstr.exe
  findstr /v /a:F /R "^$" "l" nul
  2⤵
  PID:1492
- C:\Windows\system32\findstr.exe
  findstr /v /a:F /R "^$" "e" nul
  2⤵
  PID:1616
- C:\Windows\system32\findstr.exe
  findstr /v /a:F /R "^$" "a" nul
  2⤵
  PID:6084
- C:\Windows\system32\findstr.exe
  findstr /v /a:F /R "^$" "s" nul
  2⤵
  PID:3160
- C:\Windows\system32\findstr.exe
  findstr /v /a:F /R "^$" "e" nul
  2⤵
  PID:1876
- C:\Windows\system32\findstr.exe
  findstr /v /a:F /R "^$" " w" nul
  2⤵
  PID:4004
- C:\Windows\system32\findstr.exe
  findstr /v /a:F /R "^$" "a" nul
  2⤵
  PID:5060
- C:\Windows\system32\findstr.exe
  findstr /v /a:F /R "^$" "i" nul
  2⤵
  PID:5368
- C:\Windows\system32\findstr.exe
  findstr /v /a:F /R "^$" "t" nul
  2⤵
  PID:4000
- C:\Windows\system32\findstr.exe
  findstr /v /a:F /R "^$" " w" nul
  2⤵
  PID:3192
- C:\Windows\system32\findstr.exe
  findstr /v /a:F /R "^$" "h" nul
  2⤵
  PID:3836
- C:\Windows\system32\findstr.exe
  findstr /v /a:F /R "^$" "i" nul
  2⤵
  PID:4216
- C:\Windows\system32\findstr.exe
  findstr /v /a:F /R "^$" "l" nul
  2⤵
  PID:6136
- C:\Windows\system32\findstr.exe
  findstr /v /a:F /R "^$" "e" nul
  2⤵
  PID:5004
- C:\Windows\system32\findstr.exe
  findstr /v /a:F /R "^$" " w" nul
  2⤵
  PID:4308
- C:\Windows\system32\findstr.exe
  findstr /v /a:F /R "^$" "e" nul
  2⤵
  PID:2248
- C:\Windows\system32\findstr.exe
  findstr /v /a:F /R "^$" " a" nul
  2⤵
  PID:5984
- C:\Windows\system32\findstr.exe
  findstr /v /a:F /R "^$" "r" nul
  2⤵
  PID:6004
- C:\Windows\system32\findstr.exe
  findstr /v /a:F /R "^$" "e" nul
  2⤵
  PID:5960
- C:\Windows\system32\findstr.exe
  findstr /v /a:F /R "^$" " a" nul
  2⤵
  PID:4796
- C:\Windows\system32\findstr.exe
  findstr /v /a:F /R "^$" "p" nul
  2⤵
  PID:3156
- C:\Windows\system32\findstr.exe
  findstr /v /a:F /R "^$" "p" nul
  2⤵
  PID:5852
- C:\Windows\system32\findstr.exe
  findstr /v /a:F /R "^$" "l" nul
  2⤵
  PID:4040
- C:\Windows\system32\findstr.exe
  findstr /v /a:F /R "^$" "y" nul
  2⤵
  PID:1172
- C:\Windows\system32\findstr.exe
  findstr /v /a:F /R "^$" "i" nul
  2⤵
  PID:2096
- C:\Windows\system32\findstr.exe
  findstr /v /a:F /R "^$" "n" nul
  2⤵
  PID:5808
- C:\Windows\system32\findstr.exe
  findstr /v /a:F /R "^$" "g" nul
  2⤵
  PID:4412
- C:\Windows\system32\findstr.exe
  findstr /v /a:F /R "^$" " t" nul
  2⤵
  PID:5804
- C:\Windows\system32\findstr.exe
  findstr /v /a:F /R "^$" "h" nul
  2⤵
  PID:5732
- C:\Windows\system32\findstr.exe
  findstr /v /a:F /R "^$" "e" nul
  2⤵
  PID:3904
- C:\Windows\system32\findstr.exe
  findstr /v /a:F /R "^$" " t" nul
  2⤵
  PID:3548
- C:\Windows\system32\findstr.exe
  findstr /v /a:F /R "^$" "w" nul
  2⤵
  PID:6008
- C:\Windows\system32\findstr.exe
  findstr /v /a:F /R "^$" "e" nul
  2⤵
  PID:5176
- C:\Windows\system32\findstr.exe
  findstr /v /a:F /R "^$" "a" nul
  2⤵
  PID:5544
- C:\Windows\system32\findstr.exe
  findstr /v /a:F /R "^$" "k" nul
  2⤵
  PID:3276
- C:\Windows\system32\findstr.exe
  findstr /v /a:F /R "^$" "s" nul
  2⤵
  PID:4220
- C:\Windows\system32\net.exe
  net stop wuauserv
  2⤵
  PID:5596
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop wuauserv
    3⤵
    PID:2024
- C:\Windows\system32\net.exe
  net stop usoSvc
  2⤵
  PID:3696
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop usoSvc
    3⤵
    PID:2548
- C:\Windows\system32\net.exe
  net stop bit
  2⤵
  PID:3556
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop bit
    3⤵
    PID:5864
- C:\Windows\system32\net.exe
  net stop dosvc
  2⤵
  PID:5424
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop dosvc
    3⤵
    PID:976
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wevtutil.exe el
  2⤵
  PID:5516
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe el
    3⤵
    PID:5124
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "AMSI/Debug"
  2⤵
  PID:1768
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "AirSpaceChannel"
  2⤵
  PID:3928
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Analytic"
  2⤵
  PID:5884
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Application"
  2⤵
  PID:6016
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "DirectShowFilterGraph"
  2⤵
  PID:6064
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "DirectShowPluginControl"
  2⤵
  - Clears Windows event logs
  PID:3220
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Els_Hyphenation/Analytic"
  2⤵
  PID:972
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "EndpointMapper"
  2⤵
  - Clears Windows event logs
  PID:5680
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "FirstUXPerf-Analytic"
  2⤵
  PID:5304
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "ForwardedEvents"
  2⤵
  PID:3596
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "General Logging"
  2⤵
  PID:2416
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "HardwareEvents"
  2⤵
  PID:1700
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "IHM_DebugChannel"
  2⤵
  PID:4648
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Intel-iaLPSS-GPIO/Analytic"
  2⤵
  PID:1616
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Intel-iaLPSS-I2C/Analytic"
  2⤵
  PID:6084
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Intel-iaLPSS2-GPIO2/Debug"
  2⤵
  PID:5092
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Intel-iaLPSS2-GPIO2/Performance"
  2⤵
  PID:5916
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Intel-iaLPSS2-I2C/Debug"
  2⤵
  PID:216
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Intel-iaLPSS2-I2C/Performance"
  2⤵
  PID:4000
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Internet Explorer"
  2⤵
  PID:2480
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Key Management Service"
  2⤵
  PID:2216
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "MF_MediaFoundationDeviceMFT"
  2⤵
  PID:1536
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "MF_MediaFoundationDeviceProxy"
  2⤵
  PID:2380
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "MF_MediaFoundationFrameServer"
  2⤵
  PID:4304
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "MedaFoundationVideoProc"
  2⤵
  PID:6000
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "MedaFoundationVideoProcD3D"
  2⤵
  PID:3816
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "MediaFoundationAsyncWrapper"
  2⤵
  PID:4484
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "MediaFoundationContentProtection"
  2⤵
  PID:1908
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "MediaFoundationDS"
  2⤵
  PID:924
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "MediaFoundationDeviceProxy"
  2⤵
  PID:4796
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "MediaFoundationMP4"
  2⤵
  PID:5800
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "MediaFoundationMediaEngine"
  2⤵
  PID:640
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "MediaFoundationPerformance"
  2⤵
  PID:5580
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "MediaFoundationPerformanceCore"
  2⤵
  PID:5808
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "MediaFoundationPipeline"
  2⤵
  PID:1432
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "MediaFoundationPlatform"
  2⤵
  PID:5804
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "MediaFoundationSrcPrefetch"
  2⤵
  PID:4784
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-AppV-Client-Streamingux/Debug"
  2⤵
  PID:232
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-AppV-Client/Admin"
  2⤵
  PID:3548
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-AppV-Client/Debug"
  2⤵
  PID:5452
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-AppV-Client/Operational"
  2⤵
  PID:3992
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-AppV-Client/Virtual Applications"
  2⤵
  PID:2056
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-AppV-SharedPerformance/Analytic"
  2⤵
  PID:2728
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Client-Licensing-Platform/Admin"
  2⤵
  PID:5068
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Client-Licensing-Platform/Debug"
  2⤵
  PID:2812
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Client-Licensing-Platform/Diagnostic"
  2⤵
  PID:3888
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-IE/Diagnostic"
  2⤵
  - Clears Windows event logs
  PID:5352
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-IEFRAME/Diagnostic"
  2⤵
  PID:5048
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-JSDumpHeap/Diagnostic"
  2⤵
  PID:4976
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-OneCore-Setup/Analytic"
  2⤵
  PID:4376
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-PerfTrack-IEFRAME/Diagnostic"
  2⤵
  PID:1104
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-PerfTrack-MSHTML/Diagnostic"
  2⤵
  PID:2356
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-User Experience Virtualization-Admin/Debug"
  2⤵
  PID:3468
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-User Experience Virtualization-Agent Driver/Debug"
  2⤵
  PID:968
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-User Experience Virtualization-Agent Driver/Operational"
  2⤵
  PID:1204
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-User Experience Virtualization-App Agent/Analytic"
  2⤵
  PID:2204
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-User Experience Virtualization-App Agent/Debug"
  2⤵
  - Clears Windows event logs
  PID:4552
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-User Experience Virtualization-App Agent/Operational"
  2⤵
  PID:3764
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-User Experience Virtualization-IPC/Operational"
  2⤵
  PID:5016
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-User Experience Virtualization-SQM Uploader/Analytic"
  2⤵
  PID:1584
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-User Experience Virtualization-SQM Uploader/Debug"
  2⤵
  PID:5208
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-User Experience Virtualization-SQM Uploader/Operational"
  2⤵
  PID:5388

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s fdPHost
1⤵
PID:3652

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s FDResPub
1⤵
PID:1736

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

System Services

T1569

Service Execution

T1569.002

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Power Settings

T1653

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

File and Directory Permissions Modification

T1222

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Indicator Removal

T1070

Clear Windows Event Logs

T1070.001

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

System Time Discovery

T1124

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\8e68fc0d-cdea-4cf0-b3b5-b7216343f068.tmp

Filesize
10KB

MD5
8dc231ca280214e08a846c5ad5767a10

SHA1
70960404161075cf702ac6e49b48c79e9f285724

SHA256
5ef4a0149858e78ad6813ec818e8bae5c5db9547d009d15889e7a49a2c31545a

SHA512
ffc8dc2444901b0c2710d50b65535260db4c2cf22e84f0b901c2654dcce35a377abb0d8c33ba29ce98a2c4b052d9ddcd3dca51c37001c33331bc6418e30ece22

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
d7cb450b1315c63b1d5d89d98ba22da5

SHA1
694005cd9e1a4c54e0b83d0598a8a0c089df1556

SHA256
38355fd694faf1223518e40bac1996bdceaf44191214b0a23c4334d5fb07d031

SHA512
df04d4f4b77bae447a940b28aeac345b21b299d8d26e28ecbb3c1c9e9a0e07c551e412d545c7dbb147a92c12bad7ae49ac35af021c34b88e2c6c5f7a0b65f6a8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
37f660dd4b6ddf23bc37f5c823d1c33a

SHA1
1c35538aa307a3e09d15519df6ace99674ae428b

SHA256
4e2510a1d5a50a94fe4ce0f74932ab780758a8cbdc6d176a9ce8ab92309f26f8

SHA512
807b8b8dc9109b6f78fc63655450bf12b9a006ff63e8f29ade8899d45fdf4a6c068c5c46a3efbc4232b9e1e35d6494f00ded5cdb3e235c8a25023bfbd823992d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000014

Filesize
215KB

MD5
e579aca9a74ae76669750d8879e16bf3

SHA1
0b8f462b46ec2b2dbaa728bea79d611411bae752

SHA256
6e51c7866705bf0098febfaf05cf4652f96e69ac806c837bfb1199b6e21e6aaf

SHA512
df22f1dff74631bc14433499d1f61609de71e425410067fd08ec193d100b70d98672228906081c309a06bcba03c097ace885240a3ce71e0da4fdb8a022fc9640

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
7ee865ca4a0f0567cd90c1ac0aa02bef

SHA1
90582c3c2c2984c8e1b0dc6eb43660b165fd4e95

SHA256
91e617d23cc8b5e3814e25c3245db5f7c9f79995e943a757bf554f8aa33906c4

SHA512
39967bde95825c17f5ecfffe35b9b2fb387ee3056aea39252d791e39d9c247419ae61c2d5de20bc7468bf6da48694d9b847c2908d4bf619f396be28ce99fdffa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
31c9efd54a592fca654d5b3e724af7b6

SHA1
196099cabf7bdc32c016c8eff4cad22426e6954a

SHA256
e3701b95ab0daf8773d3ec07c648b0f10d1151bf898202031ec8ef79a510d9b8

SHA512
fe6b31b53cf98e8b62ee661fa759c985e8b4e10fd1981581be8020c54d564e1c57a550ba73282697d8f0e132b4e01c3d52205d69d7354abf7b98fcdc7406c484

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
2745bc618302ce15482c9fa5ac5e745c

SHA1
accc23436f8c9f197e152c67bdf15959390f823a

SHA256
da93bd14bd6c1853d44502abb3497e9a161104bf8c168713399a1cc65b743002

SHA512
b0082cab8ad2eb0e6155a0735ccc35b1dedb7526792fcf82ed7fcdf006c61e81735f78dbc7467be56ee217fdc9369a3d4bb53363486e20f2283c17b3c92980d4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
3afffc8f0574e6d4774931d69514cbe4

SHA1
cf7643c77ea759de995f3e79b8397f0ce2326af6

SHA256
9b5fa8a080daa77abb992daed3e3279bd86eed4f6d01e056944f2e967a68267c

SHA512
754b1405edd214800393eb96844e92c052799d4e364c8b4b5358a95ec404885ac926398c77ad9626b141774e9a041848f1ab8fc3d45dc2f99406e57c5a76027f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
a430ca8299db301389cc081dd7a99721

SHA1
78c37a1255ace1b8e9a63dfafd7810a22f9aa3bf

SHA256
6ff2a90ee69935e5d821889dc618977dac14002cdcc91511ff44c95d4755180d

SHA512
4a02366bf8965caf010a40457b614260349fecb870523d8110ab0d02d91fd9f2c7d9777a19b360bb378b9fa9b3d28d83c2767e676f33b0cb054d9f4a14ee6848

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
ede4e71f19284bcd0c03a6024e57e4a9

SHA1
5d02258d1107bac9053919079091ae54f428204d

SHA256
277780c82b192f12f824db5f4bb248e72dc5972d015f44f10df58c9ca703e9ff

SHA512
ca28dd23409df53c5b92d11f4e31e3ecd18ee7f04c26dc356b27d1d83a73947e53af6aa81e08ec27f7921375186d663aa91de84386fd682eab3625c6fe70f382

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
22e98e5afe0497a225877c8778dfccca

SHA1
ec08c8cc367d406207d34497ca73dd025a1b8315

SHA256
67876b41d36d05de99e0b9fd98b8e336556e131deace8f33bc8c55ccb6d95119

SHA512
7e495123104f6c68bc047f93d6dd5b334d776bd1ee50a1090b91d62cea0e23eaa2e7304b7ecf4a337d2627d2e7e571cfb483edd92eb28fd7b17d572df2a6d22a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
09e033cdbd23bd3b4442e6c8eec20d84

SHA1
4cef79f7f5500a880b50bb87733b86c8a7eb2735

SHA256
56fe8790b140370011575977b212885bc84b6e64f5805cf3140bf6728f967a65

SHA512
e5d4df83bcbf56956109f00e97f51f652c14292479cd5d10281576fcbd25ccf05dd30969337dd70982ca4db23c17be97f2d15a61d1fbe8e8e4802333148d52e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_mbukskyt.50z.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\Downloads\NeuronX-main\NeuronX-main\download\ P

Filesize
3B

MD5
df66fa563a2fafdb93cc559deb0a38c4

SHA1
e6666cf8574b0f7a9ae5bccee572f965c2aec9cb

SHA256
3e39ed22dc63246937c4dbbf34ce4fb1cfe6b00de7596b020cad49ae50031351

SHA512
34ea05ee75cd840a94526411777868edb293a69867e1fdc2c2e917d278a3d58fcb86afc65142f4b184ce6907f04fb254a86061cfb620f01874b0b454a6f01c18

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 913389.crdownload

Filesize
8.3MB

MD5
11d12f5775d6a1790fa933e7c3a1e5a0

SHA1
df91d70a7c9799732dc6a5cf08a320b9067494bd

SHA256
5c82e63ca28e4656507ef64c6491a21f946dba9fb3d064c9e459f34babd20d7b

SHA512
44a700a7ca0f461625ec269b833cb89823165a55cb14c992b0c59ac4849bb715ed686e6e44459bd4795c337cdbb65a9434f1cdffc23bbc14b24d115c99d77511

Download Submit
\??\pipe\LOCAL\crashpad_3096_AIJKQIAUQNYHFHFD

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/3560-702-0x000001FEBF0F0000-0x000001FEBF112000-memory.dmp

Filesize
136KB

Download
memory/4632-389-0x0000022C50F10000-0x0000022C50F11000-memory.dmp

Filesize
4KB

Download
memory/4632-388-0x0000022C50F10000-0x0000022C50F11000-memory.dmp

Filesize
4KB

Download
memory/4632-395-0x0000022C50F10000-0x0000022C50F11000-memory.dmp

Filesize
4KB

Download
memory/4632-399-0x0000022C50F10000-0x0000022C50F11000-memory.dmp

Filesize
4KB

Download
memory/4632-398-0x0000022C50F10000-0x0000022C50F11000-memory.dmp

Filesize
4KB

Download
memory/4632-397-0x0000022C50F10000-0x0000022C50F11000-memory.dmp

Filesize
4KB

Download
memory/4632-396-0x0000022C50F10000-0x0000022C50F11000-memory.dmp

Filesize
4KB

Download
memory/4632-394-0x0000022C50F10000-0x0000022C50F11000-memory.dmp

Filesize
4KB

Download
memory/4632-393-0x0000022C50F10000-0x0000022C50F11000-memory.dmp

Filesize
4KB

Download
memory/4632-387-0x0000022C50F10000-0x0000022C50F11000-memory.dmp

Filesize
4KB

Download