bd035666f01df67518bf6a7976e58d019fe4281b7cc959bc623b5bbc8cb6aa31

Resubmissions

21-11-2024 10:17

241121-mbp4ca1mft 10

21-11-2024 10:13

241121-l89ctawjak 10

Analysis

max time kernel
48s
max time network
145s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
21-11-2024 10:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Octo Free Tweaking Utility V1.0.bat
Size

32KB
MD5

8392add3fcbeded059c0788e13305148
SHA1

aabebd21818beb9d92354a26bff3b091f6d33070
SHA256

bd035666f01df67518bf6a7976e58d019fe4281b7cc959bc623b5bbc8cb6aa31
SHA512

454321ad19d4544632c51d02a2cd9adb48d856a982e45afdf2c2abd06412a212bb4ee60075ceee1f46370ecb722ed73d0749fd9cae1f627cfd3013d221728774
SSDEEP

384:5TFAFXvNHSuTB4VPVVpZzBYqvRBzalRL/TJ:5TqXDSPVVpZzclRL/TJ

Score

10^/10

discovery evasion execution persistence privilege_escalation ransomware

Malware Config

Signatures

Disables service(s) 3 TTPs
evasion execution

Windows Service
T1543.003

Service Stop
T1489

Service Execution
T1569.002
Modifies boot configuration data using bcdedit 1 TTPs 4 IoCs
ransomware evasion

Inhibit System Recovery
T1490

Processes:

bcdedit.exebcdedit.exebcdedit.exebcdedit.exe

pid process

4600 bcdedit.exe
4956 bcdedit.exe
1456 bcdedit.exe
888 bcdedit.exe
Modifies Windows Firewall 2 TTPs 5 IoCs
evasion

Windows Service
T1543.003

Disable or Modify System Firewall
T1562.004

Processes:

netsh.exenetsh.exenetsh.exenetsh.exenetsh.exe

pid process

796 netsh.exe
3240 netsh.exe
4316 netsh.exe
368 netsh.exe
3316 netsh.exe
Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

pid	process
4600	bcdedit.exe
4956	bcdedit.exe
1456	bcdedit.exe
888	bcdedit.exe

pid	process
796	netsh.exe
3240	netsh.exe
4316	netsh.exe
368	netsh.exe
3316	netsh.exe

Power Settings 1 TTPs 64 IoCs

powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.

persistence

Power Settings

T1653

Processes:

powercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exereg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exereg.exepowercfg.exepowercfg.exereg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exereg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exereg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exe

pid	process
2344	powercfg.exe
2652	powercfg.exe
4948	powercfg.exe
4504	powercfg.exe
1596	powercfg.exe
3120	powercfg.exe
4084	powercfg.exe
1532	powercfg.exe
4332	powercfg.exe
4604	reg.exe
544	powercfg.exe
4956	powercfg.exe
2880	powercfg.exe
1348	powercfg.exe
5096	powercfg.exe
4600	powercfg.exe
3608	powercfg.exe
2140	powercfg.exe
4340	powercfg.exe
1188	powercfg.exe
2060	powercfg.exe
3016	powercfg.exe
4444	powercfg.exe
4984	powercfg.exe
1284	reg.exe
4408	powercfg.exe
4292	powercfg.exe
3376	reg.exe
2084	powercfg.exe
4936	powercfg.exe
3924	powercfg.exe
4844	powercfg.exe
4108	powercfg.exe
4392	powercfg.exe
4488	powercfg.exe
4448	powercfg.exe
4416	powercfg.exe
4136	reg.exe
2240	powercfg.exe
4412	powercfg.exe
1500	powercfg.exe
2212	powercfg.exe
4740	powercfg.exe
1464	powercfg.exe
3292	powercfg.exe
1136	powercfg.exe
4776	powercfg.exe
3660	powercfg.exe
4316	powercfg.exe
2688	powercfg.exe
3444	powercfg.exe
4516	powercfg.exe
1496	powercfg.exe
4392	powercfg.exe
2840	powercfg.exe
2892	reg.exe
4452	powercfg.exe
1012	powercfg.exe
1956	powercfg.exe
4636	powercfg.exe
2940	powercfg.exe
3904	powercfg.exe
688	powercfg.exe
1696	powercfg.exe

Launches sc.exe 64 IoCs

Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exe

pid	process
3016	sc.exe
2880	sc.exe
3844	sc.exe
2004	sc.exe
3128	sc.exe
3976	sc.exe
2892	sc.exe
1652	sc.exe
4024	sc.exe
2520	sc.exe
4600	sc.exe
1196	sc.exe
5076	sc.exe
4628	sc.exe
4232	sc.exe
4864	sc.exe
4444	sc.exe
3596	sc.exe
4556	sc.exe
4864	sc.exe
4000	sc.exe
216	sc.exe
3608	sc.exe
3496	sc.exe
4792	sc.exe
3784	sc.exe
3856	sc.exe
2688	sc.exe
4860	sc.exe
4092	sc.exe
1988	sc.exe
3376	sc.exe
4308	sc.exe
2420	sc.exe
5072	sc.exe
5108	sc.exe
2668	sc.exe
3940	sc.exe
1904	sc.exe
4504	sc.exe
4508	sc.exe
2620	sc.exe
3144	sc.exe
4320	sc.exe
4316	sc.exe
3100	sc.exe
3952	sc.exe
368	sc.exe
4292	sc.exe
2660	sc.exe
1556	sc.exe
4292	sc.exe
2504	sc.exe
3304	sc.exe
216	sc.exe
2996	sc.exe
1888	sc.exe
3008	sc.exe
1208	sc.exe
4408	sc.exe
1484	sc.exe
4464	sc.exe
4668	sc.exe
2912	sc.exe

Event Triggered Execution: Netsh Helper DLL 1 TTPs 64 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

Processes:

netsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exe

description	ioc	process
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

System Time Discovery 1 TTPs 3 IoCs
Adversary may gather the system time and/or time zone settings from a local or remote system.
discovery

System Time Discovery
T1124

Processes:

reg.exereg.exereg.exe

pid process

2756 reg.exe
2500 reg.exe
4564 reg.exe

pid	process
2756	reg.exe
2500	reg.exe
4564	reg.exe

Gathers network information 2 TTPs 9 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

Processes:

ipconfig.exeipconfig.exeipconfig.exeipconfig.exeipconfig.exeipconfig.exeipconfig.exeipconfig.exeipconfig.exe

pid	process
4580	ipconfig.exe
1316	ipconfig.exe
748	ipconfig.exe
2388	ipconfig.exe
1624	ipconfig.exe
4828	ipconfig.exe
2004	ipconfig.exe
4516	ipconfig.exe
452	ipconfig.exe

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

T1112

Processes:

reg.exereg.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\Main	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\EnableEnhancedSecurity = "0"	reg.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\Main	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\EnableEnhancedSecurity = "0"	reg.exe

Runs net.exe
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence execution

Scheduled Task
T1053.005

Processes:

schtasks.exe

pid process

2156 schtasks.exe

pid	process
2156	schtasks.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

powercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exe

description	pid	process
Token: SeShutdownPrivilege	3244	powercfg.exe
Token: SeCreatePagefilePrivilege	3244	powercfg.exe
Token: SeShutdownPrivilege	3244	powercfg.exe
Token: SeCreatePagefilePrivilege	3244	powercfg.exe
Token: SeShutdownPrivilege	4636	powercfg.exe
Token: SeCreatePagefilePrivilege	4636	powercfg.exe
Token: SeShutdownPrivilege	4776	powercfg.exe
Token: SeCreatePagefilePrivilege	4776	powercfg.exe
Token: SeShutdownPrivilege	5096	powercfg.exe
Token: SeCreatePagefilePrivilege	5096	powercfg.exe
Token: SeShutdownPrivilege	3924	powercfg.exe
Token: SeCreatePagefilePrivilege	3924	powercfg.exe
Token: SeShutdownPrivilege	2840	powercfg.exe
Token: SeCreatePagefilePrivilege	2840	powercfg.exe
Token: SeShutdownPrivilege	4908	powercfg.exe
Token: SeCreatePagefilePrivilege	4908	powercfg.exe
Token: SeShutdownPrivilege	4864	powercfg.exe
Token: SeCreatePagefilePrivilege	4864	powercfg.exe
Token: SeShutdownPrivilege	2940	powercfg.exe
Token: SeCreatePagefilePrivilege	2940	powercfg.exe
Token: SeShutdownPrivilege	2200	powercfg.exe
Token: SeCreatePagefilePrivilege	2200	powercfg.exe
Token: SeShutdownPrivilege	1464	powercfg.exe
Token: SeCreatePagefilePrivilege	1464	powercfg.exe
Token: SeShutdownPrivilege	3760	powercfg.exe
Token: SeCreatePagefilePrivilege	3760	powercfg.exe
Token: SeShutdownPrivilege	4844	powercfg.exe
Token: SeCreatePagefilePrivilege	4844	powercfg.exe
Token: SeShutdownPrivilege	4316	powercfg.exe
Token: SeCreatePagefilePrivilege	4316	powercfg.exe
Token: SeShutdownPrivilege	1596	powercfg.exe
Token: SeCreatePagefilePrivilege	1596	powercfg.exe
Token: SeShutdownPrivilege	544	powercfg.exe
Token: SeCreatePagefilePrivilege	544	powercfg.exe
Token: SeShutdownPrivilege	3516	powercfg.exe
Token: SeCreatePagefilePrivilege	3516	powercfg.exe
Token: SeShutdownPrivilege	4292	powercfg.exe
Token: SeCreatePagefilePrivilege	4292	powercfg.exe
Token: SeShutdownPrivilege	4340	powercfg.exe
Token: SeCreatePagefilePrivilege	4340	powercfg.exe
Token: SeShutdownPrivilege	864	powercfg.exe
Token: SeCreatePagefilePrivilege	864	powercfg.exe
Token: SeShutdownPrivilege	2688	powercfg.exe
Token: SeCreatePagefilePrivilege	2688	powercfg.exe
Token: SeShutdownPrivilege	3120	powercfg.exe
Token: SeCreatePagefilePrivilege	3120	powercfg.exe
Token: SeShutdownPrivilege	3292	powercfg.exe
Token: SeCreatePagefilePrivilege	3292	powercfg.exe
Token: SeShutdownPrivilege	4084	powercfg.exe
Token: SeCreatePagefilePrivilege	4084	powercfg.exe
Token: SeShutdownPrivilege	4108	powercfg.exe
Token: SeCreatePagefilePrivilege	4108	powercfg.exe
Token: SeShutdownPrivilege	2240	powercfg.exe
Token: SeCreatePagefilePrivilege	2240	powercfg.exe
Token: SeShutdownPrivilege	4600	powercfg.exe
Token: SeCreatePagefilePrivilege	4600	powercfg.exe
Token: SeShutdownPrivilege	1532	powercfg.exe
Token: SeCreatePagefilePrivilege	1532	powercfg.exe
Token: SeShutdownPrivilege	4956	powercfg.exe
Token: SeCreatePagefilePrivilege	4956	powercfg.exe
Token: SeShutdownPrivilege	4392	powercfg.exe
Token: SeCreatePagefilePrivilege	4392	powercfg.exe
Token: SeShutdownPrivilege	4488	powercfg.exe
Token: SeCreatePagefilePrivilege	4488	powercfg.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

cmd.execmd.exe

description	pid	process	target process
PID 4188 wrote to memory of 4940	4188	cmd.exe	cmd.exe
PID 4188 wrote to memory of 4940	4188	cmd.exe	cmd.exe
PID 4940 wrote to memory of 2936	4940	cmd.exe	findstr.exe
PID 4940 wrote to memory of 2936	4940	cmd.exe	findstr.exe
PID 4188 wrote to memory of 1196	4188	cmd.exe	reg.exe
PID 4188 wrote to memory of 1196	4188	cmd.exe	reg.exe
PID 4188 wrote to memory of 2252	4188	cmd.exe	reg.exe
PID 4188 wrote to memory of 2252	4188	cmd.exe	reg.exe
PID 4188 wrote to memory of 4724	4188	cmd.exe	reg.exe
PID 4188 wrote to memory of 4724	4188	cmd.exe	reg.exe
PID 4188 wrote to memory of 3016	4188	cmd.exe	reg.exe
PID 4188 wrote to memory of 3016	4188	cmd.exe	reg.exe
PID 4188 wrote to memory of 3144	4188	cmd.exe	reg.exe
PID 4188 wrote to memory of 3144	4188	cmd.exe	reg.exe
PID 4188 wrote to memory of 2008	4188	cmd.exe	reg.exe
PID 4188 wrote to memory of 2008	4188	cmd.exe	reg.exe
PID 4188 wrote to memory of 3128	4188	cmd.exe	reg.exe
PID 4188 wrote to memory of 3128	4188	cmd.exe	reg.exe
PID 4188 wrote to memory of 1192	4188	cmd.exe	reg.exe
PID 4188 wrote to memory of 1192	4188	cmd.exe	reg.exe
PID 4188 wrote to memory of 560	4188	cmd.exe	reg.exe
PID 4188 wrote to memory of 560	4188	cmd.exe	reg.exe
PID 4188 wrote to memory of 1188	4188	cmd.exe	reg.exe
PID 4188 wrote to memory of 1188	4188	cmd.exe	reg.exe
PID 4188 wrote to memory of 4980	4188	cmd.exe	reg.exe
PID 4188 wrote to memory of 4980	4188	cmd.exe	reg.exe
PID 4188 wrote to memory of 3124	4188	cmd.exe	reg.exe
PID 4188 wrote to memory of 3124	4188	cmd.exe	reg.exe
PID 4188 wrote to memory of 1204	4188	cmd.exe	reg.exe
PID 4188 wrote to memory of 1204	4188	cmd.exe	reg.exe
PID 4188 wrote to memory of 3080	4188	cmd.exe	reg.exe
PID 4188 wrote to memory of 3080	4188	cmd.exe	reg.exe
PID 4188 wrote to memory of 884	4188	cmd.exe	reg.exe
PID 4188 wrote to memory of 884	4188	cmd.exe	reg.exe
PID 4188 wrote to memory of 4540	4188	cmd.exe	sc.exe
PID 4188 wrote to memory of 4540	4188	cmd.exe	sc.exe
PID 4188 wrote to memory of 5072	4188	cmd.exe	sc.exe
PID 4188 wrote to memory of 5072	4188	cmd.exe	sc.exe
PID 4188 wrote to memory of 3244	4188	cmd.exe	powercfg.exe
PID 4188 wrote to memory of 3244	4188	cmd.exe	powercfg.exe
PID 4188 wrote to memory of 3952	4188	cmd.exe	sc.exe
PID 4188 wrote to memory of 3952	4188	cmd.exe	sc.exe
PID 4188 wrote to memory of 2912	4188	cmd.exe	sc.exe
PID 4188 wrote to memory of 2912	4188	cmd.exe	sc.exe
PID 4188 wrote to memory of 2420	4188	cmd.exe	sc.exe
PID 4188 wrote to memory of 2420	4188	cmd.exe	sc.exe
PID 4188 wrote to memory of 3084	4188	cmd.exe	sc.exe
PID 4188 wrote to memory of 3084	4188	cmd.exe	sc.exe
PID 4188 wrote to memory of 4636	4188	cmd.exe	powercfg.exe
PID 4188 wrote to memory of 4636	4188	cmd.exe	powercfg.exe
PID 4188 wrote to memory of 2708	4188	cmd.exe	reg.exe
PID 4188 wrote to memory of 2708	4188	cmd.exe	reg.exe
PID 4188 wrote to memory of 3460	4188	cmd.exe	reg.exe
PID 4188 wrote to memory of 3460	4188	cmd.exe	reg.exe
PID 4188 wrote to memory of 680	4188	cmd.exe	sc.exe
PID 4188 wrote to memory of 680	4188	cmd.exe	sc.exe
PID 4188 wrote to memory of 4408	4188	cmd.exe	sc.exe
PID 4188 wrote to memory of 4408	4188	cmd.exe	sc.exe
PID 4188 wrote to memory of 4456	4188	cmd.exe	reg.exe
PID 4188 wrote to memory of 4456	4188	cmd.exe	reg.exe
PID 4188 wrote to memory of 2524	4188	cmd.exe	reg.exe
PID 4188 wrote to memory of 2524	4188	cmd.exe	reg.exe
PID 4188 wrote to memory of 2356	4188	cmd.exe	reg.exe
PID 4188 wrote to memory of 2356	4188	cmd.exe	reg.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Octo Free Tweaking Utility V1.0.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:4188
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c findstr /b ::: "C:\Users\Admin\AppData\Local\Temp\Octo Free Tweaking Utility V1.0.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4940
- - C:\Windows\system32\findstr.exe
    findstr /b ::: "C:\Users\Admin\AppData\Local\Temp\Octo Free Tweaking Utility V1.0.bat"
    3⤵
    PID:2936
- C:\Windows\system32\reg.exe
  reg add "HKCU\Software\Microsoft\GameBar" /v "GameModeEnabled" /t REG_DWORD /d 0 /f
  2⤵
  PID:1196
- C:\Windows\system32\reg.exe
  reg add "HKCU\System\GameConfigStore" /v "GameDVR_Enabled" /t REG_DWORD /d 0 /f
  2⤵
  PID:2252
- C:\Windows\system32\reg.exe
  reg add "HKCU\System\GameConfigStore" /v "GameDVR_FSEBehaviorMode" /t REG_DWORD /d 2 /f
  2⤵
  PID:4724
- C:\Windows\system32\reg.exe
  reg add "HKCU\System\GameConfigStore" /v "GameDVR_ScreenshotShortcutEnabled" /t REG_DWORD /d 0 /f
  2⤵
  PID:3016
- C:\Windows\system32\reg.exe
  reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\GameDVR" /v "AppCaptureEnabled" /t REG_DWORD /d 0 /f
  2⤵
  PID:3144
- C:\Windows\system32\reg.exe
  reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\GameDVR" /v "GameDVR_Enabled" /t REG_DWORD /d 0 /f
  2⤵
  PID:2008
- C:\Windows\system32\reg.exe
  reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v "TcpNoDelay" /t REG_DWORD /d 1 /f
  2⤵
  PID:3128
- C:\Windows\system32\reg.exe
  reg add "HKCU\Control Panel\Desktop" /v "LowLatencyMode" /t REG_DWORD /d 1 /f
  2⤵
  PID:1192
- C:\Windows\system32\reg.exe
  reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers" /v "C:\Path\To\Fortnite.exe" /t REG_SZ /d "~ DISABLEDXMAXIMIZEDWINDOWEDMODE" /f
  2⤵
  PID:560
- C:\Windows\system32\reg.exe
  reg add "HKCU\Control Panel\Desktop" /v "Priority" /t REG_DWORD /d 3 /f
  2⤵
  PID:1188
- C:\Windows\system32\reg.exe
  reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Search" /v "CortanaEnabled" /t REG_DWORD /d 0 /f
  2⤵
  PID:4980
- C:\Windows\system32\reg.exe
  reg add "HKCU\Control Panel\Sound" /v "Beep" /t REG_SZ /d "no" /f
  2⤵
  PID:3124
- C:\Windows\system32\reg.exe
  reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\BackgroundAccessApplications" /v "Enabled" /t REG_DWORD /d 0 /f
  2⤵
  PID:1204
- C:\Windows\system32\reg.exe
  reg add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "IdleDisableIdle" /t REG_DWORD /d 1 /f
  2⤵
  PID:3080
- C:\Windows\system32\reg.exe
  reg add "HKCU\Control Panel\Desktop" /v "UserPreferencesMask" /t REG_BINARY /d "90 12 03 80" /f
  2⤵
  PID:884
- C:\Windows\system32\sc.exe
  sc config "SysMain" start= disabled
  2⤵
  PID:4540
- C:\Windows\system32\sc.exe
  sc stop "SysMain"
  2⤵
  - Launches sc.exe
  PID:5072
- C:\Windows\system32\powercfg.exe
  powercfg -h off
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3244
- C:\Windows\system32\sc.exe
  sc config wuauserv start= disabled
  2⤵
  PID:3952
- C:\Windows\system32\sc.exe
  sc stop wuauserv
  2⤵
  - Launches sc.exe
  PID:2912
- C:\Windows\system32\sc.exe
  sc config "WSearch" start= disabled
  2⤵
  - Launches sc.exe
  PID:2420
- C:\Windows\system32\sc.exe
  sc stop "WSearch"
  2⤵
  PID:3084
- C:\Windows\system32\powercfg.exe
  powercfg -setactive SCHEME_MIN
  2⤵
  - Power Settings
  - Suspicious use of AdjustPrivilegeToken
  PID:4636
- C:\Windows\system32\reg.exe
  reg add "HKCU\Software\Microsoft\Windows\DWM" /v "Composition" /t REG_DWORD /d 0 /f
  2⤵
  PID:2708
- C:\Windows\system32\reg.exe
  reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\BackgroundAccessApplications" /v "Enabled" /t REG_DWORD /d 0 /f
  2⤵
  PID:3460
- C:\Windows\system32\sc.exe
  sc config w32time start= disabled
  2⤵
  PID:680
- C:\Windows\system32\sc.exe
  sc stop w32time
  2⤵
  - Launches sc.exe
  PID:4408
- C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Bluetooth" /v "DisableBluetooth" /t REG_DWORD /d 1 /f
  2⤵
  PID:4456
- C:\Windows\system32\reg.exe
  reg add "HKCU\Control Panel\Desktop" /v "ForegroundFlashCount" /t REG_DWORD /d 0 /f
  2⤵
  PID:2524
- C:\Windows\system32\reg.exe
  reg add "HKCU\Control Panel\Desktop" /v "ScreenSaveTimeOut" /t REG_DWORD /d 0 /f
  2⤵
  PID:2356
- C:\Windows\system32\reg.exe
  reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\PushNotifications" /v "Disabled" /t REG_DWORD /d 1 /f
  2⤵
  PID:3924
- C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore" /v "DisableSR" /t REG_DWORD /d 1 /f
  2⤵
  PID:2840
- C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization" /v "DODownloadMode" /t REG_DWORD /d 0 /f
  2⤵
  PID:4908
- C:\Windows\system32\reg.exe
  reg add "HKCU\Control Panel\Desktop" /v "UserPreferencesMask" /t REG_BINARY /d "90 12 03 80" /f
  2⤵
  PID:4864
- C:\Windows\system32\reg.exe
  reg add "HKCU\Control Panel\Desktop" /v "LowLatencyMode" /t REG_DWORD /d 1 /f
  2⤵
  PID:380
- C:\Windows\system32\reg.exe
  reg add "HKCU\Software\Microsoft\GameBar" /v "AllowAutoGameMode" /t REG_DWORD /d 0 /f
  2⤵
  PID:4844
- C:\Windows\system32\reg.exe
  reg add "HKCU\Control Panel\Desktop" /v "CursorBlinkRate" /t REG_DWORD /d 0 /f
  2⤵
  PID:2908
- C:\Windows\system32\reg.exe
  reg add "HKCU\Control Panel\Desktop" /v "VisualFXSetting" /t REG_DWORD /d 2 /f
  2⤵
  PID:1612
- C:\Windows\system32\sc.exe
  sc config defragsvc start= disabled
  2⤵
  PID:800
- C:\Windows\system32\sc.exe
  sc stop defragsvc
  2⤵
  PID:4268
- C:\Windows\system32\reg.exe
  reg add "HKCU\Control Panel\Desktop" /v "ForegroundLockTimeout" /t REG_DWORD /d 0 /f
  2⤵
  PID:1844
- C:\Windows\system32\reg.exe
  reg add "HKCU\Control Panel\PowerCfg" /v "USBSelectiveSuspendEnabled" /t REG_DWORD /d 0 /f
  2⤵
  - Power Settings
  PID:4604
- C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "EnablePrefetcher" /t REG_DWORD /d 0 /f
  2⤵
  PID:4000
- C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\Scan" /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /f
  2⤵
  PID:3436
- C:\Windows\system32\reg.exe
  reg add "HKLM\SYSTEM\CurrentControlSet\Services\WerSvc" /v "Start" /t REG_DWORD /d 4 /f
  2⤵
  PID:4056
- C:\Windows\system32\netsh.exe
  netsh interface tcp set global autotuninglevel=normal
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  PID:2240
- C:\Windows\system32\reg.exe
  reg add "HKLM\SYSTEM\CurrentControlSet\Services\CpuPower" /v "PerformanceMode" /t REG_DWORD /d 1 /f
  2⤵
  PID:4044
- C:\Windows\system32\bcdedit.exe
  bcdedit /set useplatformclock true
  2⤵
  - Modifies boot configuration data using bcdedit
  PID:4600
- C:\Windows\system32\bcdedit.exe
  bcdedit /set quietboot yes
  2⤵
  - Modifies boot configuration data using bcdedit
  PID:4956
- C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\DataCollection" /v "AllowTelemetry" /t REG_DWORD /d 0 /f
  2⤵
  PID:1416
- C:\Windows\system32\reg.exe
  reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v "LargeSystemCache" /t REG_DWORD /d 0 /f
  2⤵
  PID:4412
- C:\Windows\system32\netsh.exe
  netsh int tcp set global autotuninglevel=disabled
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  PID:4936
- C:\Windows\system32\netsh.exe
  netsh advfirewall set allprofiles state off
  2⤵
  - Modifies Windows Firewall
  - Event Triggered Execution: Netsh Helper DLL
  PID:796
- C:\Windows\system32\sc.exe
  sc config winmgmt start= disabled
  2⤵
  PID:4332
- C:\Windows\system32\sc.exe
  sc stop winmgmt
  2⤵
  PID:2204
- C:\Windows\system32\sc.exe
  sc config remoteregistry start= disabled
  2⤵
  - Launches sc.exe
  PID:5076
- C:\Windows\system32\sc.exe
  sc stop remoteregistry
  2⤵
  PID:720
- C:\Windows\system32\netsh.exe
  netsh interface tcp set global ecncapability=enabled
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  PID:384
- C:\Windows\system32\reg.exe
  reg add "HKCU\Control Panel\PowerCfg" /v "PowerThrottling" /t REG_DWORD /d 0 /f
  2⤵
  - Power Settings
  PID:2892
- C:\Windows\system32\reg.exe
  reg add "HKCU\Control Panel\PowerCfg" /v "BackgroundAccessApplications" /t REG_DWORD /d 0 /f
  2⤵
  - Power Settings
  PID:4136
- C:\Windows\system32\reg.exe
  reg add "HKLM\Software\Microsoft\Internet Explorer\Main" /v "EnableEnhancedSecurity" /t REG_DWORD /d 0 /f
  2⤵
  - Modifies Internet Explorer settings
  PID:2020
- C:\Windows\system32\powercfg.exe
  powercfg -setactive SCHEME_MIN
  2⤵
  - Power Settings
  - Suspicious use of AdjustPrivilegeToken
  PID:4776
- C:\Windows\system32\net.exe
  net config server /hidden:no
  2⤵
  PID:2168
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 config server /hidden:no
    3⤵
    PID:2728
- C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\DriverSearching" /v "SearchOrderConfig" /t REG_DWORD /d 0 /f
  2⤵
  PID:4660
- C:\Windows\system32\powercfg.exe
  powercfg -change standby-timeout-ac 0
  2⤵
  - Power Settings
  - Suspicious use of AdjustPrivilegeToken
  PID:5096
- C:\Windows\system32\sc.exe
  sc config Schedule start= disabled
  2⤵
  - Launches sc.exe
  PID:3856
- C:\Windows\system32\sc.exe
  sc stop Schedule
  2⤵
  - Launches sc.exe
  PID:1888
- C:\Windows\system32\reg.exe
  reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "UseOLEDTaskbarTransparency" /t REG_DWORD /d 0 /f
  2⤵
  PID:868
- C:\Windows\system32\reg.exe
  reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Search" /v "CortanaEnabled" /t REG_DWORD /d 0 /f
  2⤵
  PID:2384
- C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate" /v "SearchOrderConfig" /t REG_DWORD /d 0 /f
  2⤵
  PID:4860
- C:\Windows\system32\reg.exe
  reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v "TcpAckFrequency" /t REG_DWORD /d 1 /f
  2⤵
  PID:3036
- C:\Windows\system32\reg.exe
  reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v "TcpNoDelay" /t REG_DWORD /d 1 /f
  2⤵
  PID:732
- C:\Windows\system32\netsh.exe
  netsh interface tcp set global autotuninglevel=normal
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  PID:1196
- C:\Windows\system32\netsh.exe
  netsh interface tcp set global autotuninglevel=disabled
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  PID:5004
- C:\Windows\system32\reg.exe
  reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\BackgroundAccessApplications" /v "Enabled" /t REG_DWORD /d 0 /f
  2⤵
  PID:4184
- C:\Windows\system32\reg.exe
  reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "EnableActionCenter" /t REG_DWORD /d 0 /f
  2⤵
  PID:1620
- C:\Windows\system32\reg.exe
  reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v "NameServer" /t REG_SZ /d "1.1.1.1, 8.8.8.8" /f
  2⤵
  PID:3240
- C:\Windows\system32\netsh.exe
  netsh interface ipv4 set global taskoffload=enabled
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  PID:2564
- C:\Windows\system32\netsh.exe
  netsh interface ipv6 set global disabled
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  PID:2660
- C:\Windows\system32\reg.exe
  reg add "HKLM\System\CurrentControlSet\Services\Tcpip\Parameters" /v "MaxUserPort" /t REG_DWORD /d 65534 /f
  2⤵
  PID:5072
- C:\Windows\system32\reg.exe
  reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v "EnableTcpAcks" /t REG_DWORD /d 1 /f
  2⤵
  PID:3308
- C:\Windows\system32\netsh.exe
  netsh interface teredo set state disabled
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  PID:4480
- C:\Windows\system32\reg.exe
  reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v "MaxPacketSize" /t REG_DWORD /d 1460 /f
  2⤵
  PID:2800
- C:\Windows\system32\reg.exe
  reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v "DnsCacheTimeout" /t REG_DWORD /d 300 /f
  2⤵
  - System Time Discovery
  PID:2756
- C:\Windows\system32\ipconfig.exe
  ipconfig /flushdns
  2⤵
  - Gathers network information
  PID:4828
- C:\Windows\system32\sc.exe
  sc config lanmanworkstation start= disabled
  2⤵
  PID:4408
- C:\Windows\system32\reg.exe
  reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\DeliveryOptimization" /v "DODownloadMode" /t REG_DWORD /d 0 /f
  2⤵
  PID:4456
- C:\Windows\system32\netsh.exe
  netsh interface ipv6 set interface "Local Area Connection" routerdiscovery=disable
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  PID:2524
- C:\Windows\system32\powercfg.exe
  powercfg -change standby-timeout-ac 0
  2⤵
  - Power Settings
  - Suspicious use of AdjustPrivilegeToken
  PID:3924
- C:\Windows\system32\powercfg.exe
  powercfg -change monitor-timeout-ac 0
  2⤵
  - Power Settings
  - Suspicious use of AdjustPrivilegeToken
  PID:2840
- C:\Windows\system32\powercfg.exe
  powercfg -change monitor-timeout-dc 0
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4908
- C:\Windows\system32\powercfg.exe
  powercfg -change standby-timeout-dc 0
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4864
- C:\Windows\system32\netsh.exe
  netsh interface tcp set global rss=enabled
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  PID:380
- C:\Windows\system32\netsh.exe
  netsh interface ipv4 set subinterface "Ethernet" mtu=1500 store=persistent
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  PID:2908
- C:\Windows\system32\ipconfig.exe
  ipconfig /flushdns
  2⤵
  - Gathers network information
  PID:2004
- C:\Windows\system32\reg.exe
  reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\BackgroundAccessApplications" /v "Enabled" /t REG_DWORD /d 0 /f
  2⤵
  PID:3596
- C:\Windows\system32\sc.exe
  sc stop wuauserv
  2⤵
  PID:3872
- C:\Windows\system32\sc.exe
  sc config wuauserv start= disabled
  2⤵
  - Launches sc.exe
  PID:2520
- C:\Windows\system32\sc.exe
  sc config wuauserv start= disabled
  2⤵
  PID:3812
- C:\Windows\system32\sc.exe
  sc config Spooler start= disabled
  2⤵
  - Launches sc.exe
  PID:2688
- C:\Windows\system32\sc.exe
  sc config RemoteRegistry start= disabled
  2⤵
  PID:368
- C:\Windows\system32\sc.exe
  sc config "w32time" start= disabled
  2⤵
  PID:4056
- C:\Windows\system32\sc.exe
  sc config "wuauserv" start= disabled
  2⤵
  - Launches sc.exe
  PID:3496
- C:\Windows\system32\sc.exe
  sc config "Netlogon" start= disabled
  2⤵
  PID:4084
- C:\Windows\system32\reg.exe
  reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v "ProxyEnable" /t REG_DWORD /d 0 /f
  2⤵
  PID:4108
- C:\Windows\system32\reg.exe
  reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v "MaxConnectionsPerServer" /t REG_DWORD /d 10 /f
  2⤵
  PID:2240
- C:\Windows\system32\reg.exe
  reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v "MaxConnectionsPer1_0Server" /t REG_DWORD /d 10 /f
  2⤵
  PID:4600
- C:\Windows\system32\netsh.exe
  netsh interface ipv4 set global arp=disabled
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  PID:4956
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Maintenance\WinSAT" /Disable
  2⤵
  PID:4412
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\UpdateOrchestrator\USO_UxBroker_ReadyToReboot" /Disable
  2⤵
  PID:2516
- C:\Windows\system32\reg.exe
  reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v "AutoDetect" /t REG_DWORD /d 0 /f
  2⤵
  PID:1600
- C:\Windows\system32\netsh.exe
  netsh interface ipv4 set dnsservers "Ethernet" static 1.1.1.1
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  PID:2260
- C:\Windows\system32\netsh.exe
  netsh interface ipv4 add dnsservers "Ethernet" 8.8.8.8 index=2
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  PID:1956
- C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization" /v "DODownloadMode" /t REG_DWORD /d 0 /f
  2⤵
  PID:4948
- C:\Windows\system32\sc.exe
  sc config "SysMain" start= disabled
  2⤵
  PID:4332
- C:\Windows\system32\sc.exe
  sc stop "SysMain"
  2⤵
  - Launches sc.exe
  PID:3608
- C:\Windows\system32\sc.exe
  sc config Spooler start= disabled
  2⤵
  PID:4984
- C:\Windows\system32\sc.exe
  sc stop Spooler
  2⤵
  - Launches sc.exe
  PID:2880
- C:\Windows\system32\reg.exe
  reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "fDenyTSConnections" /t REG_DWORD /d 1 /f
  2⤵
  PID:1704
- C:\Windows\system32\reg.exe
  reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "DisableFileSharing" /t REG_DWORD /d 1 /f
  2⤵
  PID:4416
- C:\Windows\system32\ipconfig.exe
  ipconfig /flushdns
  2⤵
  - Gathers network information
  PID:4516
- C:\Windows\system32\netsh.exe
  netsh interface ipv4 set dnsservers "Ethernet" static 8.8.8.8
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  PID:2076
- C:\Windows\system32\netsh.exe
  netsh interface ipv4 set subinterface "Ethernet" mtu=1500 store=persistent
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  PID:720
- C:\Windows\system32\sc.exe
  sc stop werSvc
  2⤵
  PID:3468
- C:\Windows\system32\sc.exe
  sc config werSvc start= disabled
  2⤵
  - Launches sc.exe
  PID:4860
- C:\Windows\system32\netsh.exe
  netsh int ip reset
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  PID:4724
- C:\Windows\system32\reg.exe
  reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v "MaxConnectionsPerServer" /t REG_DWORD /d 10 /f
  2⤵
  PID:3128
- C:\Windows\system32\reg.exe
  reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Network\WiFi" /v "WiFiSense" /t REG_DWORD /d 0 /f
  2⤵
  PID:4892
- C:\Windows\system32\netsh.exe
  netsh interface ipv4 set global netsh=enabled
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  PID:4184
- C:\Windows\system32\netsh.exe
  netsh advfirewall set allprofiles state off
  2⤵
  - Modifies Windows Firewall
  - Event Triggered Execution: Netsh Helper DLL
  PID:3240
- C:\Windows\system32\netsh.exe
  netsh interface ip set global metrics=1
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  PID:1960
- C:\Windows\system32\sc.exe
  sc stop upnphost
  2⤵
  PID:5072
- C:\Windows\system32\sc.exe
  sc config upnphost start= disabled
  2⤵
  - Launches sc.exe
  PID:3952
- C:\Windows\system32\reg.exe
  reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer" /v "NoWinStore" /t REG_DWORD /d 1 /f
  2⤵
  PID:4884
- C:\Windows\system32\netsh.exe
  netsh interface tcp set global congestionprovider=ctcp
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  PID:4636
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c findstr /b ::: "C:\Users\Admin\AppData\Local\Temp\Octo Free Tweaking Utility V1.0.bat"
  2⤵
  PID:3012
- - C:\Windows\system32\findstr.exe
    findstr /b ::: "C:\Users\Admin\AppData\Local\Temp\Octo Free Tweaking Utility V1.0.bat"
    3⤵
    PID:2024
- C:\Windows\system32\powercfg.exe
  powercfg -change -monitor-timeout-ac 0
  2⤵
  - Power Settings
  - Suspicious use of AdjustPrivilegeToken
  PID:2940
- C:\Windows\system32\powercfg.exe
  powercfg -change -monitor-timeout-dc 0
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2200
- C:\Windows\system32\powercfg.exe
  powercfg -change -standby-timeout-ac 0
  2⤵
  - Power Settings
  - Suspicious use of AdjustPrivilegeToken
  PID:1464
- C:\Windows\system32\powercfg.exe
  powercfg -change -standby-timeout-dc 0
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3760
- C:\Windows\system32\powercfg.exe
  powercfg -setactive scheme_max
  2⤵
  - Power Settings
  - Suspicious use of AdjustPrivilegeToken
  PID:4844
- C:\Windows\system32\powercfg.exe
  powercfg /setacvalueindex scheme_max sub_processor PROCTHROTTLEMAX 100
  2⤵
  - Power Settings
  - Suspicious use of AdjustPrivilegeToken
  PID:4316
- C:\Windows\system32\powercfg.exe
  powercfg /setdcvalueindex scheme_max sub_processor PROCTHROTTLEMAX 100
  2⤵
  - Power Settings
  - Suspicious use of AdjustPrivilegeToken
  PID:1596
- C:\Windows\system32\powercfg.exe
  powercfg /setacvalueindex scheme_max sub_processor PROCTHROTTLEMIN 100
  2⤵
  - Power Settings
  - Suspicious use of AdjustPrivilegeToken
  PID:544
- C:\Windows\system32\powercfg.exe
  powercfg /setdcvalueindex scheme_max sub_processor PROCTHROTTLEMIN 100
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3516
- C:\Windows\system32\powercfg.exe
  powercfg /setacvalueindex scheme_max sub_display brightness 100
  2⤵
  - Power Settings
  - Suspicious use of AdjustPrivilegeToken
  PID:4292
- C:\Windows\system32\powercfg.exe
  powercfg /setdcvalueindex scheme_max sub_display brightness 100
  2⤵
  - Power Settings
  - Suspicious use of AdjustPrivilegeToken
  PID:4340
- C:\Windows\system32\powercfg.exe
  powercfg /setacvalueindex scheme_max sub_disk disk_idle 0
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:864
- C:\Windows\system32\powercfg.exe
  powercfg /setdcvalueindex scheme_max sub_disk disk_idle 0
  2⤵
  - Power Settings
  - Suspicious use of AdjustPrivilegeToken
  PID:2688
- C:\Windows\system32\powercfg.exe
  powercfg /setacvalueindex scheme_max sub_disk idle_time 0
  2⤵
  - Power Settings
  - Suspicious use of AdjustPrivilegeToken
  PID:3120
- C:\Windows\system32\powercfg.exe
  powercfg /setdcvalueindex scheme_max sub_disk idle_time 0
  2⤵
  - Power Settings
  - Suspicious use of AdjustPrivilegeToken
  PID:3292
- C:\Windows\system32\powercfg.exe
  powercfg /setacvalueindex scheme_max sub_usb selective_suspend 0
  2⤵
  - Power Settings
  - Suspicious use of AdjustPrivilegeToken
  PID:4084
- C:\Windows\system32\powercfg.exe
  powercfg /setdcvalueindex scheme_max sub_usb selective_suspend 0
  2⤵
  - Power Settings
  - Suspicious use of AdjustPrivilegeToken
  PID:4108
- C:\Windows\system32\powercfg.exe
  powercfg /setacvalueindex scheme_max sub_video adaptive_display 0
  2⤵
  - Power Settings
  - Suspicious use of AdjustPrivilegeToken
  PID:2240
- C:\Windows\system32\powercfg.exe
  powercfg /setdcvalueindex scheme_max sub_video adaptive_display 0
  2⤵
  - Power Settings
  - Suspicious use of AdjustPrivilegeToken
  PID:4600
- C:\Windows\system32\powercfg.exe
  powercfg /setacvalueindex scheme_max sub_display brightness 100
  2⤵
  - Power Settings
  - Suspicious use of AdjustPrivilegeToken
  PID:1532
- C:\Windows\system32\powercfg.exe
  powercfg /setdcvalueindex scheme_max sub_display brightness 100
  2⤵
  - Power Settings
  - Suspicious use of AdjustPrivilegeToken
  PID:4956
- C:\Windows\system32\powercfg.exe
  powercfg /setacvalueindex scheme_max sub_cpu idle_timeout 0
  2⤵
  - Power Settings
  - Suspicious use of AdjustPrivilegeToken
  PID:4392
- C:\Windows\system32\powercfg.exe
  powercfg /setdcvalueindex scheme_max sub_cpu idle_timeout 0
  2⤵
  - Power Settings
  - Suspicious use of AdjustPrivilegeToken
  PID:4488
- C:\Windows\system32\powercfg.exe
  powercfg /setacvalueindex scheme_max sub_hybrid sleep 0
  2⤵
  - Power Settings
  PID:4412
- C:\Windows\system32\powercfg.exe
  powercfg /setdcvalueindex scheme_max sub_hybrid sleep 0
  2⤵
  - Power Settings
  PID:4936
- C:\Windows\system32\powercfg.exe
  powercfg /setacvalueindex scheme_max sub_graphics adaptive_graphics 0
  2⤵
  - Power Settings
  PID:4444
- C:\Windows\system32\powercfg.exe
  powercfg /setdcvalueindex scheme_max sub_graphics adaptive_graphics 0
  2⤵
  - Power Settings
  PID:3904
- C:\Windows\system32\powercfg.exe
  powercfg /setacvalueindex scheme_max sub_processor PERFDISPLAY 0
  2⤵
  - Power Settings
  PID:2344
- C:\Windows\system32\powercfg.exe
  powercfg /setdcvalueindex scheme_max sub_processor PERFDISPLAY 0
  2⤵
  - Power Settings
  PID:2652
- C:\Windows\system32\powercfg.exe
  powercfg /setacvalueindex scheme_max sub_processor PROCFREQUENCY 100
  2⤵
  - Power Settings
  PID:688
- C:\Windows\system32\powercfg.exe
  powercfg /setdcvalueindex scheme_max sub_processor PROCFREQUENCY 100
  2⤵
  - Power Settings
  PID:4452
- C:\Windows\system32\powercfg.exe
  powercfg /setacvalueindex scheme_max sub_video dynamic_contrast 0
  2⤵
  - Power Settings
  PID:1500
- C:\Windows\system32\powercfg.exe
  powercfg /setdcvalueindex scheme_max sub_video dynamic_contrast 0
  2⤵
  - Power Settings
  PID:1696
- C:\Windows\system32\powercfg.exe
  powercfg /setacvalueindex scheme_max sub_dvd video_speed 100
  2⤵
  - Power Settings
  PID:4948
- C:\Windows\system32\powercfg.exe
  powercfg /setdcvalueindex scheme_max sub_dvd video_speed 100
  2⤵
  - Power Settings
  PID:4332
- C:\Windows\system32\powercfg.exe
  powercfg /setacvalueindex scheme_max sub_system cooling_policy 1
  2⤵
  - Power Settings
  PID:3608
- C:\Windows\system32\powercfg.exe
  powercfg /setdcvalueindex scheme_max sub_system cooling_policy 1
  2⤵
  - Power Settings
  PID:4984
- C:\Windows\system32\powercfg.exe
  powercfg /setacvalueindex scheme_max sub_system processor_power_policy 1
  2⤵
  - Power Settings
  PID:2880
- C:\Windows\system32\powercfg.exe
  powercfg /setdcvalueindex scheme_max sub_system processor_power_policy 1
  2⤵
  - Power Settings
  PID:2212
- C:\Windows\system32\powercfg.exe
  powercfg /setacvalueindex scheme_max sub_memory standby_policy 1
  2⤵
  - Power Settings
  PID:3444
- C:\Windows\system32\powercfg.exe
  powercfg /setdcvalueindex scheme_max sub_memory standby_policy 1
  2⤵
  - Power Settings
  PID:4740
- C:\Windows\system32\powercfg.exe
  powercfg /setacvalueindex scheme_max sub_system cpu_core 100
  2⤵
  - Power Settings
  PID:4448
- C:\Windows\system32\powercfg.exe
  powercfg /setdcvalueindex scheme_max sub_system cpu_core 100
  2⤵
  PID:1704
- C:\Windows\system32\powercfg.exe
  powercfg /setacvalueindex scheme_max sub_processor clock_speed 100
  2⤵
  - Power Settings
  PID:4416
- C:\Windows\system32\powercfg.exe
  powercfg /setdcvalueindex scheme_max sub_processor clock_speed 100
  2⤵
  - Power Settings
  PID:4516
- C:\Windows\system32\powercfg.exe
  powercfg -h off
  2⤵
  PID:2500
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c findstr /b ::: "C:\Users\Admin\AppData\Local\Temp\Octo Free Tweaking Utility V1.0.bat"
  2⤵
  PID:4092
- - C:\Windows\system32\findstr.exe
    findstr /b ::: "C:\Users\Admin\AppData\Local\Temp\Octo Free Tweaking Utility V1.0.bat"
    3⤵
    PID:5060
- C:\Windows\system32\reg.exe
  reg add "HKCU\Software\Microsoft\GameBar" /v "GameModeEnabled" /t REG_DWORD /d 0 /f
  2⤵
  PID:2496
- C:\Windows\system32\reg.exe
  reg add "HKCU\System\GameConfigStore" /v "GameDVR_Enabled" /t REG_DWORD /d 0 /f
  2⤵
  PID:2076
- C:\Windows\system32\reg.exe
  reg add "HKCU\System\GameConfigStore" /v "GameDVR_FSEBehaviorMode" /t REG_DWORD /d 2 /f
  2⤵
  PID:1892
- C:\Windows\system32\reg.exe
  reg add "HKCU\System\GameConfigStore" /v "GameDVR_ScreenshotShortcutEnabled" /t REG_DWORD /d 0 /f
  2⤵
  PID:580
- C:\Windows\system32\reg.exe
  reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\GameDVR" /v "AppCaptureEnabled" /t REG_DWORD /d 0 /f
  2⤵
  PID:2020
- C:\Windows\system32\reg.exe
  reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\GameDVR" /v "GameDVR_Enabled" /t REG_DWORD /d 0 /f
  2⤵
  PID:5104
- C:\Windows\system32\reg.exe
  reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v "TcpNoDelay" /t REG_DWORD /d 1 /f
  2⤵
  PID:2168
- C:\Windows\system32\reg.exe
  reg add "HKCU\Control Panel\Desktop" /v "LowLatencyMode" /t REG_DWORD /d 1 /f
  2⤵
  PID:1004
- C:\Windows\system32\reg.exe
  reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers" /v "C:\Path\To\Fortnite.exe" /t REG_SZ /d "~ DISABLEDXMAXIMIZEDWINDOWEDMODE" /f
  2⤵
  PID:3856
- C:\Windows\system32\reg.exe
  reg add "HKCU\Control Panel\Desktop" /v "Priority" /t REG_DWORD /d 3 /f
  2⤵
  PID:2164
- C:\Windows\system32\reg.exe
  reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Search" /v "CortanaEnabled" /t REG_DWORD /d 0 /f
  2⤵
  PID:4660
- C:\Windows\system32\reg.exe
  reg add "HKCU\Control Panel\Sound" /v "Beep" /t REG_SZ /d "no" /f
  2⤵
  PID:2252
- C:\Windows\system32\reg.exe
  reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\BackgroundAccessApplications" /v "Enabled" /t REG_DWORD /d 0 /f
  2⤵
  PID:4860
- C:\Windows\system32\reg.exe
  reg add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "IdleDisableIdle" /t REG_DWORD /d 1 /f
  2⤵
  PID:4440
- C:\Windows\system32\reg.exe
  reg add "HKCU\Control Panel\Desktop" /v "UserPreferencesMask" /t REG_BINARY /d "90 12 03 80" /f
  2⤵
  PID:4628
- C:\Windows\system32\sc.exe
  sc config "SysMain" start= disabled
  2⤵
  - Launches sc.exe
  PID:3144
- C:\Windows\system32\sc.exe
  sc stop "SysMain"
  2⤵
  PID:4220
- C:\Windows\system32\powercfg.exe
  powercfg -h off
  2⤵
  - Power Settings
  PID:3016
- C:\Windows\system32\sc.exe
  sc config wuauserv start= disabled
  2⤵
  PID:5108
- C:\Windows\system32\sc.exe
  sc stop wuauserv
  2⤵
  - Launches sc.exe
  PID:3128
- C:\Windows\system32\sc.exe
  sc config "WSearch" start= disabled
  2⤵
  PID:1556
- C:\Windows\system32\sc.exe
  sc stop "WSearch"
  2⤵
  PID:1620
- C:\Windows\system32\powercfg.exe
  powercfg -setactive SCHEME_MIN
  2⤵
  - Power Settings
  PID:1188
- C:\Windows\system32\reg.exe
  reg add "HKCU\Software\Microsoft\Windows\DWM" /v "Composition" /t REG_DWORD /d 0 /f
  2⤵
  PID:4232
- C:\Windows\system32\reg.exe
  reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\BackgroundAccessApplications" /v "Enabled" /t REG_DWORD /d 0 /f
  2⤵
  PID:4620
- C:\Windows\system32\sc.exe
  sc config w32time start= disabled
  2⤵
  - Launches sc.exe
  PID:3304
- C:\Windows\system32\sc.exe
  sc stop w32time
  2⤵
  - Launches sc.exe
  PID:2504
- C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Bluetooth" /v "DisableBluetooth" /t REG_DWORD /d 1 /f
  2⤵
  PID:3524
- C:\Windows\system32\reg.exe
  reg add "HKCU\Control Panel\Desktop" /v "ForegroundFlashCount" /t REG_DWORD /d 0 /f
  2⤵
  PID:5072
- C:\Windows\system32\reg.exe
  reg add "HKCU\Control Panel\Desktop" /v "ScreenSaveTimeOut" /t REG_DWORD /d 0 /f
  2⤵
  PID:3952
- C:\Windows\system32\reg.exe
  reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\PushNotifications" /v "Disabled" /t REG_DWORD /d 1 /f
  2⤵
  PID:4884
- C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore" /v "DisableSR" /t REG_DWORD /d 1 /f
  2⤵
  PID:1616
- C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization" /v "DODownloadMode" /t REG_DWORD /d 0 /f
  2⤵
  PID:4840
- C:\Windows\system32\reg.exe
  reg add "HKCU\Control Panel\Desktop" /v "UserPreferencesMask" /t REG_BINARY /d "90 12 03 80" /f
  2⤵
  PID:3936
- C:\Windows\system32\reg.exe
  reg add "HKCU\Control Panel\Desktop" /v "LowLatencyMode" /t REG_DWORD /d 1 /f
  2⤵
  PID:3012
- C:\Windows\system32\reg.exe
  reg add "HKCU\Software\Microsoft\GameBar" /v "AllowAutoGameMode" /t REG_DWORD /d 0 /f
  2⤵
  PID:2884
- C:\Windows\system32\reg.exe
  reg add "HKCU\Control Panel\Desktop" /v "CursorBlinkRate" /t REG_DWORD /d 0 /f
  2⤵
  PID:2072
- C:\Windows\system32\reg.exe
  reg add "HKCU\Control Panel\Desktop" /v "VisualFXSetting" /t REG_DWORD /d 2 /f
  2⤵
  PID:1840
- C:\Windows\system32\sc.exe
  sc config defragsvc start= disabled
  2⤵
  PID:3156
- C:\Windows\system32\sc.exe
  sc stop defragsvc
  2⤵
  - Launches sc.exe
  PID:3940
- C:\Windows\system32\reg.exe
  reg add "HKCU\Control Panel\Desktop" /v "ForegroundLockTimeout" /t REG_DWORD /d 0 /f
  2⤵
  PID:3460
- C:\Windows\system32\reg.exe
  reg add "HKCU\Control Panel\PowerCfg" /v "USBSelectiveSuspendEnabled" /t REG_DWORD /d 0 /f
  2⤵
  - Power Settings
  PID:1284
- C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "EnablePrefetcher" /t REG_DWORD /d 0 /f
  2⤵
  PID:4504
- C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\Scan" /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /f
  2⤵
  PID:2368
- C:\Windows\system32\reg.exe
  reg add "HKLM\SYSTEM\CurrentControlSet\Services\WerSvc" /v "Start" /t REG_DWORD /d 4 /f
  2⤵
  PID:764
- C:\Windows\system32\netsh.exe
  netsh interface tcp set global autotuninglevel=normal
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  PID:2568
- C:\Windows\system32\reg.exe
  reg add "HKLM\SYSTEM\CurrentControlSet\Services\CpuPower" /v "PerformanceMode" /t REG_DWORD /d 1 /f
  2⤵
  PID:2524
- C:\Windows\system32\bcdedit.exe
  bcdedit /set useplatformclock true
  2⤵
  - Modifies boot configuration data using bcdedit
  PID:1456
- C:\Windows\system32\bcdedit.exe
  bcdedit /set quietboot yes
  2⤵
  - Modifies boot configuration data using bcdedit
  PID:888
- C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\DataCollection" /v "AllowTelemetry" /t REG_DWORD /d 0 /f
  2⤵
  PID:3384
- C:\Windows\system32\reg.exe
  reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v "LargeSystemCache" /t REG_DWORD /d 0 /f
  2⤵
  PID:4864
- C:\Windows\system32\netsh.exe
  netsh int tcp set global autotuninglevel=disabled
  2⤵
  PID:1492
- C:\Windows\system32\netsh.exe
  netsh advfirewall set allprofiles state off
  2⤵
  - Modifies Windows Firewall
  PID:4316
- C:\Windows\system32\sc.exe
  sc config winmgmt start= disabled
  2⤵
  - Launches sc.exe
  PID:3596
- C:\Windows\system32\sc.exe
  sc stop winmgmt
  2⤵
  - Launches sc.exe
  PID:4556
- C:\Windows\system32\sc.exe
  sc config remoteregistry start= disabled
  2⤵
  PID:3784
- C:\Windows\system32\sc.exe
  sc stop remoteregistry
  2⤵
  - Launches sc.exe
  PID:2620
- C:\Windows\system32\netsh.exe
  netsh interface tcp set global ecncapability=enabled
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  PID:368
- C:\Windows\system32\reg.exe
  reg add "HKCU\Control Panel\PowerCfg" /v "PowerThrottling" /t REG_DWORD /d 0 /f
  2⤵
  - Power Settings
  PID:3376
- C:\Windows\system32\reg.exe
  reg add "HKCU\Control Panel\PowerCfg" /v "BackgroundAccessApplications" /t REG_DWORD /d 0 /f
  2⤵
  PID:4044
- C:\Windows\system32\reg.exe
  reg add "HKLM\Software\Microsoft\Internet Explorer\Main" /v "EnableEnhancedSecurity" /t REG_DWORD /d 0 /f
  2⤵
  - Modifies Internet Explorer settings
  PID:4108
- C:\Windows\system32\powercfg.exe
  powercfg -setactive SCHEME_MIN
  2⤵
  - Power Settings
  PID:1496
- C:\Windows\system32\net.exe
  net config server /hidden:no
  2⤵
  PID:1416
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 config server /hidden:no
    3⤵
    PID:388
- C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\DriverSearching" /v "SearchOrderConfig" /t REG_DWORD /d 0 /f
  2⤵
  PID:4956
- C:\Windows\system32\powercfg.exe
  powercfg -change standby-timeout-ac 0
  2⤵
  - Power Settings
  PID:4392
- C:\Windows\system32\sc.exe
  sc config Schedule start= disabled
  2⤵
  PID:1600
- C:\Windows\system32\sc.exe
  sc stop Schedule
  2⤵
  - Launches sc.exe
  PID:1904
- C:\Windows\system32\reg.exe
  reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "UseOLEDTaskbarTransparency" /t REG_DWORD /d 0 /f
  2⤵
  PID:4460
- C:\Windows\system32\reg.exe
  reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Search" /v "CortanaEnabled" /t REG_DWORD /d 0 /f
  2⤵
  PID:3408
- C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate" /v "SearchOrderConfig" /t REG_DWORD /d 0 /f
  2⤵
  PID:4104
- C:\Windows\system32\reg.exe
  reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v "TcpAckFrequency" /t REG_DWORD /d 1 /f
  2⤵
  PID:2260
- C:\Windows\system32\reg.exe
  reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v "TcpNoDelay" /t REG_DWORD /d 1 /f
  2⤵
  PID:1648
- C:\Windows\system32\netsh.exe
  netsh interface tcp set global autotuninglevel=normal
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  PID:3996
- C:\Windows\system32\netsh.exe
  netsh interface tcp set global autotuninglevel=disabled
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  PID:1628
- C:\Windows\system32\reg.exe
  reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\BackgroundAccessApplications" /v "Enabled" /t REG_DWORD /d 0 /f
  2⤵
  PID:1956
- C:\Windows\system32\reg.exe
  reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "EnableActionCenter" /t REG_DWORD /d 0 /f
  2⤵
  PID:2204
- C:\Windows\system32\reg.exe
  reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v "NameServer" /t REG_SZ /d "1.1.1.1, 8.8.8.8" /f
  2⤵
  PID:3608
- C:\Windows\system32\netsh.exe
  netsh interface ipv4 set global taskoffload=enabled
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  PID:5052
- C:\Windows\system32\netsh.exe
  netsh interface ipv6 set global disabled
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  PID:2372
- C:\Windows\system32\reg.exe
  reg add "HKLM\System\CurrentControlSet\Services\Tcpip\Parameters" /v "MaxUserPort" /t REG_DWORD /d 65534 /f
  2⤵
  PID:4740
- C:\Windows\system32\reg.exe
  reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v "EnableTcpAcks" /t REG_DWORD /d 1 /f
  2⤵
  PID:4448
- C:\Windows\system32\netsh.exe
  netsh interface teredo set state disabled
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  PID:1704
- C:\Windows\system32\reg.exe
  reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v "MaxPacketSize" /t REG_DWORD /d 1460 /f
  2⤵
  PID:4516
- C:\Windows\system32\reg.exe
  reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v "DnsCacheTimeout" /t REG_DWORD /d 300 /f
  2⤵
  - System Time Discovery
  PID:2500
- C:\Windows\system32\ipconfig.exe
  ipconfig /flushdns
  2⤵
  - Gathers network information
  PID:4580
- C:\Windows\system32\sc.exe
  sc config lanmanworkstation start= disabled
  2⤵
  - Launches sc.exe
  PID:4092
- C:\Windows\system32\reg.exe
  reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\DeliveryOptimization" /v "DODownloadMode" /t REG_DWORD /d 0 /f
  2⤵
  PID:3564
- C:\Windows\system32\netsh.exe
  netsh interface ipv6 set interface "Local Area Connection" routerdiscovery=disable
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  PID:2892
- C:\Windows\system32\powercfg.exe
  powercfg -change standby-timeout-ac 0
  2⤵
  PID:4260
- C:\Windows\system32\powercfg.exe
  powercfg -change monitor-timeout-ac 0
  2⤵
  - Power Settings
  PID:1136
- C:\Windows\system32\powercfg.exe
  powercfg -change monitor-timeout-dc 0
  2⤵
  PID:4536
- C:\Windows\system32\powercfg.exe
  powercfg -change standby-timeout-dc 0
  2⤵
  - Power Settings
  PID:1348
- C:\Windows\system32\netsh.exe
  netsh interface tcp set global rss=enabled
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  PID:1424
- C:\Windows\system32\netsh.exe
  netsh interface ipv4 set subinterface "Ethernet" mtu=1500 store=persistent
  2⤵
  PID:456
- C:\Windows\system32\ipconfig.exe
  ipconfig /flushdns
  2⤵
  - Gathers network information
  PID:1316
- C:\Windows\system32\reg.exe
  reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\BackgroundAccessApplications" /v "Enabled" /t REG_DWORD /d 0 /f
  2⤵
  PID:2124
- C:\Windows\system32\sc.exe
  sc stop wuauserv
  2⤵
  PID:32
- C:\Windows\system32\sc.exe
  sc config wuauserv start= disabled
  2⤵
  PID:4440
- C:\Windows\system32\sc.exe
  sc config wuauserv start= disabled
  2⤵
  - Launches sc.exe
  PID:3008
- C:\Windows\system32\sc.exe
  sc config Spooler start= disabled
  2⤵
  - Launches sc.exe
  PID:4628
- C:\Windows\system32\sc.exe
  sc config RemoteRegistry start= disabled
  2⤵
  PID:4220
- C:\Windows\system32\sc.exe
  sc config "w32time" start= disabled
  2⤵
  PID:4732
- C:\Windows\system32\sc.exe
  sc config "wuauserv" start= disabled
  2⤵
  PID:3360
- C:\Windows\system32\sc.exe
  sc config "Netlogon" start= disabled
  2⤵
  PID:3128
- C:\Windows\system32\reg.exe
  reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v "ProxyEnable" /t REG_DWORD /d 0 /f
  2⤵
  PID:1556
- C:\Windows\system32\reg.exe
  reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v "MaxConnectionsPerServer" /t REG_DWORD /d 10 /f
  2⤵
  PID:4184
- C:\Windows\system32\reg.exe
  reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v "MaxConnectionsPer1_0Server" /t REG_DWORD /d 10 /f
  2⤵
  PID:4644
- C:\Windows\system32\netsh.exe
  netsh interface ipv4 set global arp=disabled
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  PID:1204
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Maintenance\WinSAT" /Disable
  2⤵
  PID:4820
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\UpdateOrchestrator\USO_UxBroker_ReadyToReboot" /Disable
  2⤵
  PID:3244
- C:\Windows\system32\reg.exe
  reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v "AutoDetect" /t REG_DWORD /d 0 /f
  2⤵
  PID:2668
- C:\Windows\system32\netsh.exe
  netsh interface ipv4 set dnsservers "Ethernet" static 1.1.1.1
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  PID:4664
- C:\Windows\system32\netsh.exe
  netsh interface ipv4 add dnsservers "Ethernet" 8.8.8.8 index=2
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  PID:2024
- C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization" /v "DODownloadMode" /t REG_DWORD /d 0 /f
  2⤵
  PID:4480
- C:\Windows\system32\sc.exe
  sc config "SysMain" start= disabled
  2⤵
  PID:2756
- C:\Windows\system32\sc.exe
  sc stop "SysMain"
  2⤵
  PID:1484
- C:\Windows\system32\sc.exe
  sc config Spooler start= disabled
  2⤵
  - Launches sc.exe
  PID:4508
- C:\Windows\system32\sc.exe
  sc stop Spooler
  2⤵
  - Launches sc.exe
  PID:4504
- C:\Windows\system32\reg.exe
  reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "fDenyTSConnections" /t REG_DWORD /d 1 /f
  2⤵
  PID:4408
- C:\Windows\system32\reg.exe
  reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "DisableFileSharing" /t REG_DWORD /d 1 /f
  2⤵
  PID:1180
- C:\Windows\system32\ipconfig.exe
  ipconfig /flushdns
  2⤵
  - Gathers network information
  PID:748
- C:\Windows\system32\netsh.exe
  netsh interface ipv4 set dnsservers "Ethernet" static 8.8.8.8
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  PID:3084
- C:\Windows\system32\netsh.exe
  netsh interface ipv4 set subinterface "Ethernet" mtu=1500 store=persistent
  2⤵
  PID:4864
- C:\Windows\system32\sc.exe
  sc stop werSvc
  2⤵
  PID:1492
- C:\Windows\system32\sc.exe
  sc config werSvc start= disabled
  2⤵
  PID:1964
- C:\Windows\system32\netsh.exe
  netsh int ip reset
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  PID:1844
- C:\Windows\system32\reg.exe
  reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v "MaxConnectionsPerServer" /t REG_DWORD /d 10 /f
  2⤵
  PID:4000
- C:\Windows\system32\reg.exe
  reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Network\WiFi" /v "WiFiSense" /t REG_DWORD /d 0 /f
  2⤵
  PID:3784
- C:\Windows\system32\netsh.exe
  netsh interface ipv4 set global netsh=enabled
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  PID:2620
- C:\Windows\system32\netsh.exe
  netsh advfirewall set allprofiles state off
  2⤵
  - Modifies Windows Firewall
  PID:368
- C:\Windows\system32\netsh.exe
  netsh interface ip set global metrics=1
  2⤵
  PID:3292
- C:\Windows\system32\sc.exe
  sc stop upnphost
  2⤵
  PID:2296
- C:\Windows\system32\sc.exe
  sc config upnphost start= disabled
  2⤵
  - Launches sc.exe
  PID:1208
- C:\Windows\system32\reg.exe
  reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer" /v "NoWinStore" /t REG_DWORD /d 1 /f
  2⤵
  PID:2516
- C:\Windows\system32\netsh.exe
  netsh interface tcp set global congestionprovider=ctcp
  2⤵
  PID:1416
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c findstr /b ::: "C:\Users\Admin\AppData\Local\Temp\Octo Free Tweaking Utility V1.0.bat"
  2⤵
  PID:1600
- - C:\Windows\system32\findstr.exe
    findstr /b ::: "C:\Users\Admin\AppData\Local\Temp\Octo Free Tweaking Utility V1.0.bat"
    3⤵
    PID:1904
- C:\Windows\system32\reg.exe
  reg add "HKCU\Control Panel\Desktop" /v "Priority" /t REG_DWORD /d 3 /f
  2⤵
  PID:2936
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:2172
- C:\Windows\system32\powercfg.exe
  powercfg /change standby-timeout-ac 0
  2⤵
  - Power Settings
  PID:1956
- C:\Windows\system32\powercfg.exe
  powercfg /s SCHEME_MIN
  2⤵
  - Power Settings
  PID:2140
- C:\Windows\system32\sc.exe
  sc config "SysMain" start= disabled
  2⤵
  - Launches sc.exe
  PID:4308
- C:\Windows\system32\sc.exe
  sc stop "SysMain"
  2⤵
  - Launches sc.exe
  PID:4320
- C:\Windows\system32\reg.exe
  reg add "HKCU\Control Panel\Desktop" /v "MaxFrames" /t REG_DWORD /d 1 /f
  2⤵
  PID:4848
- C:\Windows\system32\reg.exe
  reg add "HKCU\Control Panel\Desktop" /v "Win32PrioritySeparation" /t REG_DWORD /d 2 /f
  2⤵
  PID:3404
- C:\Windows\system32\reg.exe
  reg add "HKCU\Control Panel\Desktop" /v "HungAppTimeout" /t REG_SZ /d "1000" /f
  2⤵
  PID:2924
- C:\Windows\system32\reg.exe
  reg add "HKCU\Control Panel\Desktop" /v "WaitToKillAppTimeout" /t REG_SZ /d "1000" /f
  2⤵
  PID:4416
- C:\Windows\system32\powercfg.exe
  powercfg -change -monitor-timeout-ac 0
  2⤵
  - Power Settings
  PID:2084
- C:\Windows\system32\powercfg.exe
  powercfg -change -standby-timeout-ac 0
  2⤵
  - Power Settings
  PID:2060
- C:\Windows\system32\reg.exe
  reg add "HKCU\Control Panel\Desktop" /v "ForegroundFlashCount" /t REG_SZ /d "0" /f
  2⤵
  PID:1216
- C:\Windows\system32\reg.exe
  reg add "HKCU\Control Panel\Desktop" /v "MenuShowDelay" /t REG_SZ /d "0" /f
  2⤵
  PID:2680
- C:\Windows\system32\powercfg.exe
  powercfg /change standby-timeout-dc 0
  2⤵
  - Power Settings
  PID:1012
- C:\Windows\system32\reg.exe
  reg add "HKCU\Control Panel\Desktop" /v "LFocus" /t REG_DWORD /d 0 /f
  2⤵
  PID:2120
- C:\Windows\system32\reg.exe
  reg add "HKCU\Control Panel\Desktop" /v "AutoEndTasks" /t REG_DWORD /d 1 /f
  2⤵
  PID:1892
- C:\Windows\system32\reg.exe
  reg add "HKCU\Control Panel\Desktop" /v "LowPowerMode" /t REG_DWORD /d 1 /f
  2⤵
  PID:1328
- C:\Windows\system32\reg.exe
  reg add "HKCU\Control Panel\Desktop" /v "DesktopBoost" /t REG_DWORD /d 1 /f
  2⤵
  PID:2892
- C:\Windows\system32\sc.exe
  sc config "wuauserv" start= disabled
  2⤵
  - Launches sc.exe
  PID:216
- C:\Windows\system32\sc.exe
  sc stop "wuauserv"
  2⤵
  PID:2996
- C:\Windows\system32\reg.exe
  reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "DisableThumbnailCache" /t REG_DWORD /d 1 /f
  2⤵
  PID:2044
- C:\Windows\system32\reg.exe
  reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "ExtendedUI" /t REG_DWORD /d 1 /f
  2⤵
  PID:5096
- C:\Windows\system32\reg.exe
  reg add "HKCU\Control Panel\Desktop" /v "MenuShowDelay" /t REG_DWORD /d 0 /f
  2⤵
  PID:1004
- C:\Windows\system32\reg.exe
  reg add "HKCU\Control Panel\Desktop" /v "SnapToDefaultButton" /t REG_DWORD /d 1 /f
  2⤵
  PID:720
- C:\Windows\system32\reg.exe
  reg add "HKCU\Control Panel\Desktop" /v "DontUseHardwareAcceleration" /t REG_DWORD /d 1 /f
  2⤵
  PID:2384
- C:\Windows\system32\reg.exe
  reg add "HKCU\Control Panel\Desktop" /v "DisableCursorBlinking" /t REG_DWORD /d 1 /f
  2⤵
  PID:2252
- C:\Windows\system32\reg.exe
  reg add "HKCU\Control Panel\Desktop" /v "LowPowerMode" /t REG_DWORD /d 1 /f
  2⤵
  PID:1200
- C:\Windows\system32\reg.exe
  reg add "HKCU\Control Panel\Desktop" /v "WaitToKillAppTimeout" /t REG_SZ /d "1000" /f
  2⤵
  PID:868
- C:\Windows\system32\reg.exe
  reg add "HKCU\Control Panel\Desktop" /v "HungAppTimeout" /t REG_SZ /d "1000" /f
  2⤵
  PID:2008
- C:\Windows\system32\reg.exe
  reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "TaskbarAnimations" /t REG_DWORD /d 0 /f
  2⤵
  PID:2648
- C:\Windows\system32\reg.exe
  reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "ListviewAlphaSelect" /t REG_DWORD /d 1 /f
  2⤵
  PID:4628
- C:\Windows\system32\sc.exe
  sc config "Print Spooler" start= disabled
  2⤵
  - Launches sc.exe
  PID:3016
- C:\Windows\system32\sc.exe
  sc stop "Print Spooler"
  2⤵
  - Launches sc.exe
  PID:5108
- C:\Windows\system32\sc.exe
  sc config "RemoteRegistry" start= disabled
  2⤵
  PID:4892
- C:\Windows\system32\sc.exe
  sc stop "RemoteRegistry"
  2⤵
  - Launches sc.exe
  PID:3976
- C:\Windows\system32\sc.exe
  sc config "Superfetch" start= disabled
  2⤵
  - Launches sc.exe
  PID:1556
- C:\Windows\system32\sc.exe
  sc stop "Superfetch"
  2⤵
  PID:4980
- C:\Windows\system32\sc.exe
  sc config "Windows Search" start= disabled
  2⤵
  - Launches sc.exe
  PID:4232
- C:\Windows\system32\sc.exe
  sc stop "Windows Search"
  2⤵
  - Launches sc.exe
  PID:2660
- C:\Windows\system32\reg.exe
  reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "DisableTaskbarTransparency" /t REG_DWORD /d 1 /f
  2⤵
  PID:4620
- C:\Windows\system32\reg.exe
  reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "NoAnimations" /t REG_DWORD /d 1 /f
  2⤵
  PID:1204
- C:\Windows\system32\reg.exe
  reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "NoLowDiskSpaceChecks" /t REG_DWORD /d 1 /f
  2⤵
  PID:4820
- C:\Windows\system32\sc.exe
  sc config "WMPNetworkSvc" start= disabled
  2⤵
  PID:3244
- C:\Windows\system32\sc.exe
  sc stop "WMPNetworkSvc"
  2⤵
  - Launches sc.exe
  PID:2668
- C:\Windows\system32\reg.exe
  reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "ShowSuperHidden" /t REG_DWORD /d 1 /f
  2⤵
  PID:2220
- C:\Windows\system32\reg.exe
  reg add "HKCU\Control Panel\Desktop" /v "DisableSleep" /t REG_DWORD /d 1 /f
  2⤵
  PID:5064
- C:\Windows\system32\reg.exe
  reg add "HKCU\Control Panel\Desktop" /v "NoLowDiskSpaceChecks" /t REG_DWORD /d 1 /f
  2⤵
  PID:4884
- C:\Windows\system32\reg.exe
  reg add "HKCU\Control Panel\Desktop" /v "WaitToKillAppTimeout" /t REG_SZ /d "1000" /f
  2⤵
  PID:4328
- C:\Windows\system32\reg.exe
  reg add "HKCU\Control Panel\Desktop" /v "HungAppTimeout" /t REG_SZ /d "1000" /f
  2⤵
  PID:4664
- C:\Windows\system32\reg.exe
  reg add "HKCU\Control Panel\Desktop" /v "MaxFrames" /t REG_DWORD /d 1 /f
  2⤵
  PID:1460
- C:\Windows\system32\reg.exe
  reg add "HKCU\Control Panel\Desktop" /v "Win32PrioritySeparation" /t REG_DWORD /d 2 /f
  2⤵
  PID:5068
- C:\Windows\system32\reg.exe
  reg add "HKCU\Control Panel\Desktop" /v "Background" /t REG_DWORD /d 1 /f
  2⤵
  PID:876
- C:\Windows\system32\reg.exe
  reg add "HKCU\Control Panel\Desktop" /v "DisableAero" /t REG_DWORD /d 1 /f
  2⤵
  PID:3648
- C:\Windows\system32\reg.exe
  reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "UseDWM" /t REG_DWORD /d 0 /f
  2⤵
  PID:2024
- C:\Windows\system32\reg.exe
  reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "DisableVisualStyles" /t REG_DWORD /d 1 /f
  2⤵
  PID:4480
- C:\Windows\system32\sc.exe
  sc config "BthServ" start= disabled
  2⤵
  PID:1284
- C:\Windows\system32\sc.exe
  sc stop "BthServ"
  2⤵
  - Launches sc.exe
  PID:1484
- C:\Windows\system32\reg.exe
  reg add "HKCU\Control Panel\Desktop" /v "DisableAeroPeek" /t REG_DWORD /d 1 /f
  2⤵
  PID:4508
- C:\Windows\system32\reg.exe
  reg add "HKCU\Control Panel\Desktop" /v "DisableHardwareAcceleration" /t REG_DWORD /d 1 /f
  2⤵
  PID:2368
- C:\Windows\system32\reg.exe
  reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "DisableContent" /t REG_DWORD /d 1 /f
  2⤵
  PID:764
- C:\Windows\system32\reg.exe
  reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "DisableThumbnailCache" /t REG_DWORD /d 1 /f
  2⤵
  PID:2912
- C:\Windows\system32\reg.exe
  reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "NoSaveSettings" /t REG_DWORD /d 1 /f
  2⤵
  PID:3416
- C:\Windows\system32\reg.exe
  reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "NoStartMenuPinning" /t REG_DWORD /d 1 /f
  2⤵
  PID:3384
- C:\Windows\system32\reg.exe
  reg add "HKCU\Control Panel\Desktop" /v "NoAnimate" /t REG_DWORD /d 1 /f
  2⤵
  PID:888
- C:\Windows\system32\reg.exe
  reg add "HKCU\Control Panel\Desktop" /v "DisableFontSmoothing" /t REG_DWORD /d 1 /f
  2⤵
  PID:1456
- C:\Windows\system32\sc.exe
  sc config "wscsvc" start= disabled
  2⤵
  PID:3924
- C:\Windows\system32\sc.exe
  sc stop "wscsvc"
  2⤵
  PID:2940
- C:\Windows\system32\sc.exe
  sc config "Winmgmt" start= disabled
  2⤵
  PID:3084
- C:\Windows\system32\sc.exe
  sc stop "Winmgmt"
  2⤵
  - Launches sc.exe
  PID:3844
- C:\Windows\system32\reg.exe
  reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "NoAnimations" /t REG_DWORD /d 1 /f
  2⤵
  PID:2284
- C:\Windows\system32\sc.exe
  sc config "Bluetooth" start= disabled
  2⤵
  PID:2004
- C:\Windows\system32\sc.exe
  sc stop "Bluetooth"
  2⤵
  - Launches sc.exe
  PID:4864
- C:\Windows\system32\sc.exe
  sc config "Bluetooth Support Service" start= disabled
  2⤵
  - Launches sc.exe
  PID:4292
- C:\Windows\system32\sc.exe
  sc stop "Bluetooth Support Service"
  2⤵
  PID:4316
- C:\Windows\system32\sc.exe
  sc config "Windows Defender" start= disabled
  2⤵
  PID:4556
- C:\Windows\system32\sc.exe
  sc stop "Windows Defender"
  2⤵
  - Launches sc.exe
  PID:4000
- C:\Windows\system32\sc.exe
  sc config "BthHfConfig" start= disabled
  2⤵
  PID:3812
- C:\Windows\system32\sc.exe
  sc stop "BthHfConfig"
  2⤵
  PID:864
- C:\Windows\system32\sc.exe
  sc config "WSearch" start= disabled
  2⤵
  PID:3496
- C:\Windows\system32\sc.exe
  sc stop "WSearch"
  2⤵
  PID:4056
- C:\Windows\system32\sc.exe
  sc config "Srv2" start= disabled
  2⤵
  - Launches sc.exe
  PID:3376
- C:\Windows\system32\sc.exe
  sc stop "Srv2"
  2⤵
  - Launches sc.exe
  PID:1988
- C:\Windows\system32\sc.exe
  sc config "SharedAccess" start= disabled
  2⤵
  - Launches sc.exe
  PID:368
- C:\Windows\system32\sc.exe
  sc stop "SharedAccess"
  2⤵
  PID:4108
- C:\Windows\system32\reg.exe
  reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "EnableBalloonTips" /t REG_DWORD /d 0 /f
  2⤵
  PID:1496
- C:\Windows\system32\reg.exe
  reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "EnableAutoTray" /t REG_DWORD /d 0 /f
  2⤵
  PID:2296
- C:\Windows\system32\sc.exe
  sc config "wuauserv" start= disabled
  2⤵
  PID:1708
- C:\Windows\system32\sc.exe
  sc stop "wuauserv"
  2⤵
  PID:2516
- C:\Windows\system32\sc.exe
  sc config "Windows Update" start= disabled
  2⤵
  - Launches sc.exe
  PID:4600
- C:\Windows\system32\sc.exe
  sc stop "Windows Update"
  2⤵
  PID:3644
- C:\Windows\system32\sc.exe
  sc config "Remote Desktop" start= disabled
  2⤵
  PID:1416
- C:\Windows\system32\sc.exe
  sc stop "Remote Desktop"
  2⤵
  - Launches sc.exe
  PID:4024
- C:\Windows\system32\sc.exe
  sc config "Sysmon" start= disabled
  2⤵
  PID:1904
- C:\Windows\system32\sc.exe
  sc stop "Sysmon"
  2⤵
  PID:1044
- C:\Windows\system32\reg.exe
  reg add "HKCU\Control Panel\Desktop" /v "DisableAppBackground" /t REG_DWORD /d 1 /f
  2⤵
  PID:2836
- C:\Windows\system32\reg.exe
  reg add "HKCU\Control Panel\Desktop" /v "NoShadow" /t REG_DWORD /d 1 /f
  2⤵
  PID:1436
- C:\Windows\system32\reg.exe
  reg add "HKCU\Control Panel\Desktop" /v "TaskbarAnimations" /t REG_DWORD /d 0 /f
  2⤵
  PID:512
- C:\Windows\system32\sc.exe
  sc config "dcomlaunch" start= disabled
  2⤵
  PID:3100
- C:\Windows\system32\sc.exe
  sc stop "dcomlaunch"
  2⤵
  PID:3500
- C:\Windows\system32\reg.exe
  reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "ShowShadow" /t REG_DWORD /d 0 /f
  2⤵
  PID:2288
- C:\Windows\system32\sc.exe
  sc config "SecurityCenter" start= disabled
  2⤵
  PID:4240
- C:\Windows\system32\sc.exe
  sc stop "SecurityCenter"
  2⤵
  PID:2796
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c findstr /b ::: "C:\Users\Admin\AppData\Local\Temp\Octo Free Tweaking Utility V1.0.bat"
  2⤵
  PID:2744
- - C:\Windows\system32\findstr.exe
    findstr /b ::: "C:\Users\Admin\AppData\Local\Temp\Octo Free Tweaking Utility V1.0.bat"
    3⤵
    PID:3964
- C:\Windows\system32\reg.exe
  reg add "HKLM\System\CurrentControlSet\Control\Session Manager\Memory Management" /v "CrashDumpEnabled" /t REG_DWORD /d 0 /f
  2⤵
  PID:4372
- C:\Windows\system32\reg.exe
  reg add "HKLM\System\CurrentControlSet\Control\Session Manager\Memory Management" /v "DumpFile" /t REG_SZ /d "" /f
  2⤵
  PID:688
- C:\Windows\system32\reg.exe
  reg add "HKCU\Control Panel\Desktop" /v "MenuShowDelay" /t REG_SZ /d "0" /f
  2⤵
  PID:4472
- C:\Windows\system32\reg.exe
  reg add "HKCU\Control Panel\Desktop" /v "AutoEndTasks" /t REG_SZ /d "1" /f
  2⤵
  PID:4880
- C:\Windows\system32\reg.exe
  reg add "HKCU\Control Panel\Desktop" /v "HungAppTimeout" /t REG_SZ /d "1000" /f
  2⤵
  PID:3484
- C:\Windows\system32\reg.exe
  reg add "HKCU\Control Panel\Desktop" /v "WaitToKillAppTimeout" /t REG_SZ /d "1000" /f
  2⤵
  PID:1956
- C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d 1 /f
  2⤵
  PID:2140
- C:\Windows\system32\reg.exe
  reg add "HKCU\Control Panel\Desktop" /v "UserPreferencesMask" /t REG_BINARY /d 9001000000000000 /f
  2⤵
  PID:2068
- C:\Windows\system32\reg.exe
  reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\VisualEffects" /v "VisualFXSetting" /t REG_DWORD /d 2 /f
  2⤵
  PID:2364
- C:\Windows\system32\reg.exe
  reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "OneDrive" /t REG_SZ /d "" /f
  2⤵
  PID:4740
- C:\Windows\system32\reg.exe
  reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "OneNote" /t REG_SZ /d "" /f
  2⤵
  PID:4088
- C:\Windows\system32\reg.exe
  reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\BackgroundAccessApplications" /v "Enabled" /t REG_DWORD /d 0 /f
  2⤵
  PID:4672
- C:\Windows\system32\reg.exe
  reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "SystemPaneSuggestionsEnabled" /t REG_DWORD /d 0 /f
  2⤵
  PID:4736
- C:\Windows\system32\reg.exe
  reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "SubscribedContent-338387Enabled" /t REG_DWORD /d 0 /f
  2⤵
  PID:1704
- C:\Windows\system32\reg.exe
  reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Search" /v "CortanaEnabled" /t REG_DWORD /d 0 /f
  2⤵
  PID:2144
- C:\Windows\system32\reg.exe
  reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Search" /v "AllowCortana" /t REG_DWORD /d 0 /f
  2⤵
  PID:2760
- C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\MemoryManagement" /v "PhysicalMemorySize" /t REG_DWORD /d 0xFFFFFFFF /f
  2⤵
  PID:2496
- C:\Windows\system32\reg.exe
  reg add "HKLM\System\CurrentControlSet\Control\Session Manager\Memory Management" /v "DumpFile" /t REG_SZ /d "" /f
  2⤵
  PID:384
- C:\Windows\system32\sc.exe
  sc stop "RemoteRegistry"
  2⤵
  PID:4144
- C:\Windows\system32\sc.exe
  sc config "RemoteRegistry" start= disabled
  2⤵
  - Launches sc.exe
  PID:1652
- C:\Windows\system32\sc.exe
  sc stop "Fax"
  2⤵
  PID:4260
- C:\Windows\system32\sc.exe
  sc config "Fax" start= disabled
  2⤵
  - Launches sc.exe
  PID:2892
- C:\Windows\system32\sc.exe
  sc stop "BluetoothSupportService"
  2⤵
  - Launches sc.exe
  PID:216
- C:\Windows\system32\sc.exe
  sc config "BluetoothSupportService" start= disabled
  2⤵
  - Launches sc.exe
  PID:2996
- C:\Windows\system32\reg.exe
  reg add "HKLM\System\CurrentControlSet\Control\PriorityControl" /v "Win32PrioritySeparation" /t REG_DWORD /d 26 /f
  2⤵
  PID:4020
- C:\Windows\system32\reg.exe
  reg add "HKLM\System\CurrentControlSet\Control\Session Manager\Memory Management" /v "DisablePagingExecutive" /t REG_DWORD /d 1 /f
  2⤵
  PID:3856
- C:\Windows\system32\reg.exe
  reg add "HKLM\System\CurrentControlSet\Control\Session Manager\Memory Management" /v "DisablePagingExecutive" /t REG_DWORD /d 1 /f
  2⤵
  PID:2804
- C:\Windows\system32\schtasks.exe
  schtasks /create /tn "RAMCleaner" /tr "cmd /c echo off > C:\Windows\System32\cleanmgr.exe" /sc once /st 00:00
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:2156
- C:\Windows\system32\reg.exe
  reg add "HKCU\Control Panel\Desktop" /v "MaxNumberOfTasks" /t REG_DWORD /d 25 /f
  2⤵
  PID:456
- C:\Windows\system32\reg.exe
  reg add "HKCU\Control Panel\Desktop" /v "FontSmoothing" /t REG_DWORD /d 0 /f
  2⤵
  PID:4860
- C:\Windows\system32\reg.exe
  reg add "HKLM\System\CurrentControlSet\Control\Session Manager\Memory Management" /v "LargeSystemCache" /t REG_DWORD /d 0 /f
  2⤵
  PID:732
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c findstr /b ::: "C:\Users\Admin\AppData\Local\Temp\Octo Free Tweaking Utility V1.0.bat"
  2⤵
  PID:4440
- - C:\Windows\system32\findstr.exe
    findstr /b ::: "C:\Users\Admin\AppData\Local\Temp\Octo Free Tweaking Utility V1.0.bat"
    3⤵
    PID:3008
- C:\Windows\system32\reg.exe
  reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v "TcpAckFrequency" /t REG_DWORD /d 1 /f
  2⤵
  PID:4628
- C:\Windows\system32\reg.exe
  reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v "TcpNoDelay" /t REG_DWORD /d 1 /f
  2⤵
  PID:3016
- C:\Windows\system32\netsh.exe
  netsh interface tcp set global autotuninglevel=normal
  2⤵
  PID:4720
- C:\Windows\system32\netsh.exe
  netsh interface tcp set global autotuninglevel=disabled
  2⤵
  PID:4184
- C:\Windows\system32\reg.exe
  reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\BackgroundAccessApplications" /v "Enabled" /t REG_DWORD /d 0 /f
  2⤵
  PID:2660
- C:\Windows\system32\reg.exe
  reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "EnableActionCenter" /t REG_DWORD /d 0 /f
  2⤵
  PID:4620
- C:\Windows\system32\reg.exe
  reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v "NameServer" /t REG_SZ /d "1.1.1.1, 8.8.8.8" /f
  2⤵
  PID:1204
- C:\Windows\system32\netsh.exe
  netsh interface ipv4 set global taskoffload=enabled
  2⤵
  PID:4820
- C:\Windows\system32\netsh.exe
  netsh interface ipv6 set global disabled
  2⤵
  PID:4752
- C:\Windows\system32\reg.exe
  reg add "HKLM\System\CurrentControlSet\Services\Tcpip\Parameters" /v "MaxUserPort" /t REG_DWORD /d 65534 /f
  2⤵
  PID:2824
- C:\Windows\system32\reg.exe
  reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v "EnableTcpAcks" /t REG_DWORD /d 1 /f
  2⤵
  PID:3952
- C:\Windows\system32\netsh.exe
  netsh interface teredo set state disabled
  2⤵
  PID:1916
- C:\Windows\system32\reg.exe
  reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v "MaxPacketSize" /t REG_DWORD /d 1460 /f
  2⤵
  PID:3868
- C:\Windows\system32\reg.exe
  reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v "DnsCacheTimeout" /t REG_DWORD /d 300 /f
  2⤵
  - System Time Discovery
  PID:4564
- C:\Windows\system32\ipconfig.exe
  ipconfig /flushdns
  2⤵
  - Gathers network information
  PID:2388
- C:\Windows\system32\sc.exe
  sc config lanmanworkstation start= disabled
  2⤵
  - Launches sc.exe
  PID:4792
- C:\Windows\system32\reg.exe
  reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\DeliveryOptimization" /v "DODownloadMode" /t REG_DWORD /d 0 /f
  2⤵
  PID:2024
- C:\Windows\system32\netsh.exe
  netsh interface ipv6 set interface "Local Area Connection" routerdiscovery=disable
  2⤵
  PID:4480
- C:\Windows\system32\powercfg.exe
  powercfg -change standby-timeout-ac 0
  2⤵
  - Power Settings
  PID:4504
- C:\Windows\system32\powercfg.exe
  powercfg -change monitor-timeout-ac 0
  2⤵
  - Power Settings
  PID:4408
- C:\Windows\system32\powercfg.exe
  powercfg -change monitor-timeout-dc 0
  2⤵
  PID:1180
- C:\Windows\system32\powercfg.exe
  powercfg -change standby-timeout-dc 0
  2⤵
  - Power Settings
  PID:3660
- C:\Windows\system32\netsh.exe
  netsh interface tcp set global rss=enabled
  2⤵
  PID:1464
- C:\Windows\system32\netsh.exe
  netsh interface ipv4 set subinterface "Ethernet" mtu=1500 store=persistent
  2⤵
  PID:888
- C:\Windows\system32\ipconfig.exe
  ipconfig /flushdns
  2⤵
  - Gathers network information
  PID:452
- C:\Windows\system32\reg.exe
  reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\BackgroundAccessApplications" /v "Enabled" /t REG_DWORD /d 0 /f
  2⤵
  PID:3084
- C:\Windows\system32\sc.exe
  sc stop wuauserv
  2⤵
  PID:544
- C:\Windows\system32\sc.exe
  sc config wuauserv start= disabled
  2⤵
  PID:2284
- C:\Windows\system32\sc.exe
  sc config wuauserv start= disabled
  2⤵
  - Launches sc.exe
  PID:2004
- C:\Windows\system32\sc.exe
  sc config Spooler start= disabled
  2⤵
  - Launches sc.exe
  PID:4864
- C:\Windows\system32\sc.exe
  sc config RemoteRegistry start= disabled
  2⤵
  - Launches sc.exe
  PID:4292
- C:\Windows\system32\sc.exe
  sc config "w32time" start= disabled
  2⤵
  - Launches sc.exe
  PID:4316
- C:\Windows\system32\sc.exe
  sc config "wuauserv" start= disabled
  2⤵
  - Launches sc.exe
  PID:4464
- C:\Windows\system32\sc.exe
  sc config "Netlogon" start= disabled
  2⤵
  - Launches sc.exe
  PID:3784
- C:\Windows\system32\reg.exe
  reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v "ProxyEnable" /t REG_DWORD /d 0 /f
  2⤵
  PID:2688
- C:\Windows\system32\reg.exe
  reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v "MaxConnectionsPerServer" /t REG_DWORD /d 10 /f
  2⤵
  PID:3120
- C:\Windows\system32\reg.exe
  reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v "MaxConnectionsPer1_0Server" /t REG_DWORD /d 10 /f
  2⤵
  PID:4056
- C:\Windows\system32\netsh.exe
  netsh interface ipv4 set global arp=disabled
  2⤵
  PID:1116
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Maintenance\WinSAT" /Disable
  2⤵
  PID:3860
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\UpdateOrchestrator\USO_UxBroker_ReadyToReboot" /Disable
  2⤵
  PID:3616
- C:\Windows\system32\reg.exe
  reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v "AutoDetect" /t REG_DWORD /d 0 /f
  2⤵
  PID:2296
- C:\Windows\system32\netsh.exe
  netsh interface ipv4 set dnsservers "Ethernet" static 1.1.1.1
  2⤵
  PID:3292
- C:\Windows\system32\netsh.exe
  netsh interface ipv4 add dnsservers "Ethernet" 8.8.8.8 index=2
  2⤵
  PID:3160
- C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization" /v "DODownloadMode" /t REG_DWORD /d 0 /f
  2⤵
  PID:2096
- C:\Windows\system32\sc.exe
  sc config "SysMain" start= disabled
  2⤵
  PID:3164
- C:\Windows\system32\sc.exe
  sc stop "SysMain"
  2⤵
  - Launches sc.exe
  PID:4444
- C:\Windows\system32\sc.exe
  sc config Spooler start= disabled
  2⤵
  PID:3984
- C:\Windows\system32\sc.exe
  sc stop Spooler
  2⤵
  - Launches sc.exe
  PID:3100
- C:\Windows\system32\reg.exe
  reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "fDenyTSConnections" /t REG_DWORD /d 1 /f
  2⤵
  PID:3500
- C:\Windows\system32\reg.exe
  reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "DisableFileSharing" /t REG_DWORD /d 1 /f
  2⤵
  PID:2288
- C:\Windows\system32\ipconfig.exe
  ipconfig /flushdns
  2⤵
  - Gathers network information
  PID:1624
- C:\Windows\system32\netsh.exe
  netsh interface ipv4 set dnsservers "Ethernet" static 8.8.8.8
  2⤵
  PID:4836
- C:\Windows\system32\netsh.exe
  netsh interface ipv4 set subinterface "Ethernet" mtu=1500 store=persistent
  2⤵
  PID:1124
- C:\Windows\system32\sc.exe
  sc stop werSvc
  2⤵
  - Launches sc.exe
  PID:4668
- C:\Windows\system32\sc.exe
  sc config werSvc start= disabled
  2⤵
  - Launches sc.exe
  PID:1196
- C:\Windows\system32\netsh.exe
  netsh int ip reset
  2⤵
  PID:4648
- C:\Windows\system32\reg.exe
  reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v "MaxConnectionsPerServer" /t REG_DWORD /d 10 /f
  2⤵
  PID:3932
- C:\Windows\system32\reg.exe
  reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Network\WiFi" /v "WiFiSense" /t REG_DWORD /d 0 /f
  2⤵
  PID:4816
- C:\Windows\system32\netsh.exe
  netsh interface ipv4 set global netsh=enabled
  2⤵
  PID:2632
- C:\Windows\system32\netsh.exe
  netsh advfirewall set allprofiles state off
  2⤵
  - Modifies Windows Firewall
  PID:3316
- C:\Windows\system32\netsh.exe
  netsh interface ip set global metrics=1
  2⤵
  PID:3996
- C:\Windows\system32\sc.exe
  sc stop upnphost
  2⤵
  PID:2356
- C:\Windows\system32\sc.exe
  sc config upnphost start= disabled
  2⤵
  PID:1220
- C:\Windows\system32\reg.exe
  reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer" /v "NoWinStore" /t REG_DWORD /d 1 /f
  2⤵
  PID:2936
- C:\Windows\system32\netsh.exe
  netsh interface tcp set global congestionprovider=ctcp
  2⤵
  PID:2700
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c findstr /b ::: "C:\Users\Admin\AppData\Local\Temp\Octo Free Tweaking Utility V1.0.bat"
  2⤵
  PID:2140
- - C:\Windows\system32\findstr.exe
    findstr /b ::: "C:\Users\Admin\AppData\Local\Temp\Octo Free Tweaking Utility V1.0.bat"
    3⤵
    PID:4320