hxxps://cdn[.]discordapp[.]com/attachments/1248284920476991563/1275734074249711679/Velocity_Tweaking_Utility_deleted_viurs_by_idankalol[.]7z?ex=66c6f771&is=66c5a5f1&hm=25826612028ad1b39f9561a580ce721c55fff796983e748d44f7e15f4df5a09c&

Analysis

max time kernel
295s
max time network
292s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
21/08/2024, 12:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://cdn.discordapp.com/attachments/1248284920476991563/1275734074249711679/Velocity_Tweaking_Utility_deleted_viurs_by_idankalol.7z?ex=66c6f771&is=66c5a5f1&hm=25826612028ad1b39f9561a580ce721c55fff796983e748d44f7e15f4df5a09c&

Score

8^/10

discovery execution persistence

Malware Config

Signatures

Blocklisted process makes network request 63 IoCs

flow	pid	Process
57	5656	powershell.exe
60	5656	powershell.exe
77	5556	powershell.exe
79	5556	powershell.exe
81	5816	powershell.exe
83	5816	powershell.exe
84	5744	powershell.exe
86	5744	powershell.exe
87	5100	powershell.exe
89	5100	powershell.exe
97	5868	powershell.exe
99	5868	powershell.exe
100	6104	powershell.exe
102	6104	powershell.exe
103	4608	powershell.exe
105	4608	powershell.exe
107	4168	powershell.exe
109	4168	powershell.exe
110	3312	powershell.exe
112	3312	powershell.exe
116	3944	powershell.exe
117	704	powershell.exe
119	704	powershell.exe
120	1752	powershell.exe
122	1752	powershell.exe
123	5276	powershell.exe
125	5276	powershell.exe
128	5868	powershell.exe
130	5868	powershell.exe
131	2072	powershell.exe
133	2072	powershell.exe
134	6096	powershell.exe
136	6096	powershell.exe
137	2204	powershell.exe
139	2204	powershell.exe
141	3312	powershell.exe
143	3312	powershell.exe
144	2408	powershell.exe
146	2408	powershell.exe
147	5272	powershell.exe
149	5272	powershell.exe
150	2648	powershell.exe
152	2648	powershell.exe
153	180	powershell.exe
155	180	powershell.exe
156	3064	powershell.exe
158	3064	powershell.exe
159	1272	powershell.exe
161	1272	powershell.exe
163	6088	powershell.exe
165	6088	powershell.exe
166	5304	powershell.exe
168	5304	powershell.exe
169	4168	powershell.exe
171	4168	powershell.exe
174	2008	powershell.exe
176	2008	powershell.exe
177	3428	powershell.exe
179	3428	powershell.exe
180	1016	powershell.exe
182	1016	powershell.exe
184	3896	Process not Found
186	3896	Process not Found

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
5568	powershell.exe
2072	powershell.exe
6096	powershell.exe
2008	powershell.exe

Downloads MZ/PE file

Executes dropped EXE 1 IoCs

pid	Process
1400	Velocity Tweaking Utility.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	reg.exe

Power Settings 1 TTPs 64 IoCs

powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.

persistence

Power Settings

T1653

pid	Process
4828	powercfg.exe
3048	Process not Found
2304	powercfg.exe
5764	powercfg.exe
2280	Process not Found
5272	Process not Found
5764	Process not Found
4532	Process not Found
3196	powercfg.exe
1916	Process not Found
4992	Process not Found
2024	Process not Found
5092	Process not Found
1544	Process not Found
5904	powercfg.exe
5768	Process not Found
1828	powercfg.exe
3124	powercfg.exe
64	powercfg.exe
3484	Process not Found
1016	Process not Found
5964	powercfg.exe
1148	powercfg.exe
4988	Process not Found
4640	powercfg.exe
3540	powercfg.exe
6068	Process not Found
968	Process not Found
6032	Process not Found
740	powercfg.exe
1156	powercfg.exe
1512	Process not Found
5800	Process not Found
3216	powercfg.exe
2692	powercfg.exe
5740	powercfg.exe
5700	powercfg.exe
3128	Process not Found
6028	Process not Found
5076	powercfg.exe
1516	powercfg.exe
4472	powercfg.exe
1480	powercfg.exe
4828	Process not Found
4612	Process not Found
964	Process not Found
4484	Process not Found
1492	powercfg.exe
5688	powercfg.exe
672	powercfg.exe
716	Process not Found
5168	Process not Found
5316	powercfg.exe
4560	powercfg.exe
2192	powercfg.exe
4108	Process not Found
380	Process not Found
5700	Process not Found
5980	powercfg.exe
3724	Process not Found
2540	Process not Found
5756	powercfg.exe
1664	Process not Found
4940	Process not Found

Drops file in Windows directory 40 IoCs

description	ioc	Process
File opened for modification	C:\Windows\OldFlyout.bat	powershell.exe
File created	C:\Windows\BloatwareReg.bat	powershell.exe
File created	C:\Windows\DWM.bat	powershell.exe
File created	C:\Windows\All.bat	powershell.exe
File opened for modification	C:\Windows\All.bat	powershell.exe
File opened for modification	C:\Windows\Win32.bat	powershell.exe
File created	C:\Windows\MMCSS.bat	powershell.exe
File created	C:\Windows\Background.bat	powershell.exe
File created	C:\Windows\8GB.bat	powershell.exe
File created	C:\Windows\DisableMemoryCompression.bat	powershell.exe
File opened for modification	C:\Windows\Background.bat	powershell.exe
File opened for modification	C:\Windows\Privacy.bat	powershell.exe
File created	C:\Windows\DisableCortana.bat	powershell.exe
File created	C:\Windows\ExFullScreen.bat	powershell.exe
File created	C:\Windows\BloatwareReg.bat	powershell.exe
File created	C:\Windows\Spectre.bat	powershell.exe
File created	C:\Windows\Services.bat	powershell.exe
File created	C:\Windows\Win32.bat	powershell.exe
File created	C:\Windows\VelocityIntelPCPowerPlan.pow	powershell.exe
File created	C:\Windows\MouseDataQueue.bat	powershell.exe
File created	C:\Windows\Superfetch.bat	powershell.exe
File created	C:\Windows\Maintanence.bat	powershell.exe
File created	C:\Windows\SystemResponsiveness.bat	powershell.exe
File created	C:\Windows\Microcode.bat	powershell.exe
File created	C:\Windows\Mitigations.bat	powershell.exe
File opened for modification	C:\Windows\Logs\DISM\dism.log	Dism.exe
File created	C:\Windows\KeyboardDataQueue.bat	powershell.exe
File opened for modification	C:\Windows\GameBar.bat	powershell.exe
File created	C:\Windows\DisableS.bat	powershell.exe
File created	C:\Windows\del.bat	powershell.exe
File opened for modification	C:\Windows\DisableS.bat	powershell.exe
File created	C:\Windows\GameBar.bat	powershell.exe
File created	C:\Windows\Startup.bat	powershell.exe
File created	C:\Windows\NvidiaVelocity.bat	powershell.exe
File opened for modification	C:\Windows\NvidiaVelocity.bat	powershell.exe
File created	C:\Windows\All.bat	Process not Found
File created	C:\Windows\OldFlyout.bat	powershell.exe
File created	C:\Windows\Notifications.bat	powershell.exe
File created	C:\Windows\SD.bat	powershell.exe
File created	C:\Windows\Privacy.bat	powershell.exe

Launches sc.exe 42 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
4592	sc.exe
3028	sc.exe
4472	sc.exe
2304	sc.exe
3440	sc.exe
6056	sc.exe
5988	sc.exe
1456	sc.exe
5748	sc.exe
6008	sc.exe
5532	sc.exe
968	sc.exe
4444	sc.exe
4548	sc.exe
5072	sc.exe
5528	sc.exe
5588	sc.exe
4992	sc.exe
5756	sc.exe
6116	sc.exe
1916	sc.exe
5972	sc.exe
2616	sc.exe
5300	sc.exe
5220	sc.exe
2356	sc.exe
5676	sc.exe
5568	sc.exe
6044	sc.exe
6012	sc.exe
4760	sc.exe
880	sc.exe
5248	sc.exe
1720	sc.exe
5444	sc.exe
5980	sc.exe
5636	sc.exe
1352	sc.exe
1148	sc.exe
920	sc.exe
4152	sc.exe
3276	sc.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
6096	timeout.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings	msedge.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4812	msedge.exe
4812	msedge.exe
5028	msedge.exe
5028	msedge.exe
2916	identity_helper.exe
2916	identity_helper.exe
1396	msedge.exe
1396	msedge.exe
5656	powershell.exe
5656	powershell.exe
5656	powershell.exe
5556	powershell.exe
5556	powershell.exe
5556	powershell.exe
5816	powershell.exe
5816	powershell.exe
5816	powershell.exe
5744	powershell.exe
5744	powershell.exe
5744	powershell.exe
5100	powershell.exe
5100	powershell.exe
5100	powershell.exe
5868	powershell.exe
5868	powershell.exe
5868	powershell.exe
6104	powershell.exe
6104	powershell.exe
6104	powershell.exe
4608	powershell.exe
4608	powershell.exe
4608	powershell.exe
4168	powershell.exe
4168	powershell.exe
4168	powershell.exe
3312	powershell.exe
3312	powershell.exe
3312	powershell.exe
3944	powershell.exe
3944	powershell.exe
3944	powershell.exe
704	powershell.exe
704	powershell.exe
704	powershell.exe
1752	powershell.exe
1752	powershell.exe
1752	powershell.exe
5276	powershell.exe
5276	powershell.exe
5276	powershell.exe
3236	msedge.exe
3236	msedge.exe
3236	msedge.exe
3236	msedge.exe
5868	powershell.exe
5868	powershell.exe
5868	powershell.exe
2072	powershell.exe
2072	powershell.exe
2072	powershell.exe
6096	powershell.exe
6096	powershell.exe
6096	powershell.exe
2204	powershell.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
5028	msedge.exe
5028	msedge.exe
5028	msedge.exe
5028	msedge.exe
5028	msedge.exe
5028	msedge.exe
5028	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeRestorePrivilege	4692	7zG.exe
Token: 35	4692	7zG.exe
Token: SeSecurityPrivilege	4692	7zG.exe
Token: SeSecurityPrivilege	4692	7zG.exe
Token: SeDebugPrivilege	1400	Velocity Tweaking Utility.exe
Token: SeDebugPrivilege	5656	powershell.exe
Token: SeDebugPrivilege	5556	powershell.exe
Token: SeDebugPrivilege	5816	powershell.exe
Token: SeDebugPrivilege	5744	powershell.exe
Token: SeDebugPrivilege	5100	powershell.exe
Token: SeDebugPrivilege	5868	powershell.exe
Token: SeDebugPrivilege	6104	powershell.exe
Token: SeDebugPrivilege	4608	powershell.exe
Token: SeDebugPrivilege	4168	powershell.exe
Token: SeDebugPrivilege	3312	powershell.exe
Token: SeDebugPrivilege	3944	powershell.exe
Token: SeDebugPrivilege	704	powershell.exe
Token: SeDebugPrivilege	1752	powershell.exe
Token: SeDebugPrivilege	5276	powershell.exe
Token: SeDebugPrivilege	5868	powershell.exe
Token: SeDebugPrivilege	2072	powershell.exe
Token: SeDebugPrivilege	6096	powershell.exe
Token: SeDebugPrivilege	2204	powershell.exe
Token: SeDebugPrivilege	3312	powershell.exe
Token: SeDebugPrivilege	5568	powershell.exe
Token: SeDebugPrivilege	2408	powershell.exe
Token: SeDebugPrivilege	5272	powershell.exe
Token: SeDebugPrivilege	2648	powershell.exe
Token: SeDebugPrivilege	540	powershell.exe
Token: SeIncreaseQuotaPrivilege	540	powershell.exe
Token: SeSecurityPrivilege	540	powershell.exe
Token: SeTakeOwnershipPrivilege	540	powershell.exe
Token: SeLoadDriverPrivilege	540	powershell.exe
Token: SeSystemProfilePrivilege	540	powershell.exe
Token: SeSystemtimePrivilege	540	powershell.exe
Token: SeProfSingleProcessPrivilege	540	powershell.exe
Token: SeIncBasePriorityPrivilege	540	powershell.exe
Token: SeCreatePagefilePrivilege	540	powershell.exe
Token: SeBackupPrivilege	540	powershell.exe
Token: SeRestorePrivilege	540	powershell.exe
Token: SeShutdownPrivilege	540	powershell.exe
Token: SeDebugPrivilege	540	powershell.exe
Token: SeSystemEnvironmentPrivilege	540	powershell.exe
Token: SeRemoteShutdownPrivilege	540	powershell.exe
Token: SeUndockPrivilege	540	powershell.exe
Token: SeManageVolumePrivilege	540	powershell.exe
Token: 33	540	powershell.exe
Token: 34	540	powershell.exe
Token: 35	540	powershell.exe
Token: 36	540	powershell.exe
Token: SeDebugPrivilege	180	powershell.exe
Token: SeIncreaseQuotaPrivilege	6132	WMIC.exe
Token: SeSecurityPrivilege	6132	WMIC.exe
Token: SeTakeOwnershipPrivilege	6132	WMIC.exe
Token: SeLoadDriverPrivilege	6132	WMIC.exe
Token: SeSystemProfilePrivilege	6132	WMIC.exe
Token: SeSystemtimePrivilege	6132	WMIC.exe
Token: SeProfSingleProcessPrivilege	6132	WMIC.exe
Token: SeIncBasePriorityPrivilege	6132	WMIC.exe
Token: SeCreatePagefilePrivilege	6132	WMIC.exe
Token: SeBackupPrivilege	6132	WMIC.exe
Token: SeRestorePrivilege	6132	WMIC.exe
Token: SeShutdownPrivilege	6132	WMIC.exe
Token: SeDebugPrivilege	6132	WMIC.exe

Suspicious use of FindShellTrayWindow 34 IoCs

pid	Process
5028	msedge.exe
5028	msedge.exe
5028	msedge.exe
5028	msedge.exe
5028	msedge.exe
5028	msedge.exe
5028	msedge.exe
5028	msedge.exe
5028	msedge.exe
5028	msedge.exe
5028	msedge.exe
5028	msedge.exe
5028	msedge.exe
5028	msedge.exe
5028	msedge.exe
5028	msedge.exe
5028	msedge.exe
5028	msedge.exe
5028	msedge.exe
5028	msedge.exe
5028	msedge.exe
5028	msedge.exe
5028	msedge.exe
5028	msedge.exe
5028	msedge.exe
5028	msedge.exe
5028	msedge.exe
5028	msedge.exe
5028	msedge.exe
5028	msedge.exe
5028	msedge.exe
5028	msedge.exe
5028	msedge.exe
4692	7zG.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
5028	msedge.exe
5028	msedge.exe
5028	msedge.exe
5028	msedge.exe
5028	msedge.exe
5028	msedge.exe
5028	msedge.exe
5028	msedge.exe
5028	msedge.exe
5028	msedge.exe
5028	msedge.exe
5028	msedge.exe
5028	msedge.exe
5028	msedge.exe
5028	msedge.exe
5028	msedge.exe
5028	msedge.exe
5028	msedge.exe
5028	msedge.exe
5028	msedge.exe
5028	msedge.exe
5028	msedge.exe
5028	msedge.exe
5028	msedge.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1400	Velocity Tweaking Utility.exe
1400	Velocity Tweaking Utility.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5028 wrote to memory of 1312	5028	msedge.exe	84
PID 5028 wrote to memory of 1312	5028	msedge.exe	84
PID 5028 wrote to memory of 1872	5028	msedge.exe	86
PID 5028 wrote to memory of 1872	5028	msedge.exe	86
PID 5028 wrote to memory of 1872	5028	msedge.exe	86
PID 5028 wrote to memory of 1872	5028	msedge.exe	86
PID 5028 wrote to memory of 1872	5028	msedge.exe	86
PID 5028 wrote to memory of 1872	5028	msedge.exe	86
PID 5028 wrote to memory of 1872	5028	msedge.exe	86
PID 5028 wrote to memory of 1872	5028	msedge.exe	86
PID 5028 wrote to memory of 1872	5028	msedge.exe	86
PID 5028 wrote to memory of 1872	5028	msedge.exe	86
PID 5028 wrote to memory of 1872	5028	msedge.exe	86
PID 5028 wrote to memory of 1872	5028	msedge.exe	86
PID 5028 wrote to memory of 1872	5028	msedge.exe	86
PID 5028 wrote to memory of 1872	5028	msedge.exe	86
PID 5028 wrote to memory of 1872	5028	msedge.exe	86
PID 5028 wrote to memory of 1872	5028	msedge.exe	86
PID 5028 wrote to memory of 1872	5028	msedge.exe	86
PID 5028 wrote to memory of 1872	5028	msedge.exe	86
PID 5028 wrote to memory of 1872	5028	msedge.exe	86
PID 5028 wrote to memory of 1872	5028	msedge.exe	86
PID 5028 wrote to memory of 1872	5028	msedge.exe	86
PID 5028 wrote to memory of 1872	5028	msedge.exe	86
PID 5028 wrote to memory of 1872	5028	msedge.exe	86
PID 5028 wrote to memory of 1872	5028	msedge.exe	86
PID 5028 wrote to memory of 1872	5028	msedge.exe	86
PID 5028 wrote to memory of 1872	5028	msedge.exe	86
PID 5028 wrote to memory of 1872	5028	msedge.exe	86
PID 5028 wrote to memory of 1872	5028	msedge.exe	86
PID 5028 wrote to memory of 1872	5028	msedge.exe	86
PID 5028 wrote to memory of 1872	5028	msedge.exe	86
PID 5028 wrote to memory of 1872	5028	msedge.exe	86
PID 5028 wrote to memory of 1872	5028	msedge.exe	86
PID 5028 wrote to memory of 1872	5028	msedge.exe	86
PID 5028 wrote to memory of 1872	5028	msedge.exe	86
PID 5028 wrote to memory of 1872	5028	msedge.exe	86
PID 5028 wrote to memory of 1872	5028	msedge.exe	86
PID 5028 wrote to memory of 1872	5028	msedge.exe	86
PID 5028 wrote to memory of 1872	5028	msedge.exe	86
PID 5028 wrote to memory of 1872	5028	msedge.exe	86
PID 5028 wrote to memory of 1872	5028	msedge.exe	86
PID 5028 wrote to memory of 4812	5028	msedge.exe	87
PID 5028 wrote to memory of 4812	5028	msedge.exe	87
PID 5028 wrote to memory of 1252	5028	msedge.exe	88
PID 5028 wrote to memory of 1252	5028	msedge.exe	88
PID 5028 wrote to memory of 1252	5028	msedge.exe	88
PID 5028 wrote to memory of 1252	5028	msedge.exe	88
PID 5028 wrote to memory of 1252	5028	msedge.exe	88
PID 5028 wrote to memory of 1252	5028	msedge.exe	88
PID 5028 wrote to memory of 1252	5028	msedge.exe	88
PID 5028 wrote to memory of 1252	5028	msedge.exe	88
PID 5028 wrote to memory of 1252	5028	msedge.exe	88
PID 5028 wrote to memory of 1252	5028	msedge.exe	88
PID 5028 wrote to memory of 1252	5028	msedge.exe	88
PID 5028 wrote to memory of 1252	5028	msedge.exe	88
PID 5028 wrote to memory of 1252	5028	msedge.exe	88
PID 5028 wrote to memory of 1252	5028	msedge.exe	88
PID 5028 wrote to memory of 1252	5028	msedge.exe	88
PID 5028 wrote to memory of 1252	5028	msedge.exe	88
PID 5028 wrote to memory of 1252	5028	msedge.exe	88
PID 5028 wrote to memory of 1252	5028	msedge.exe	88
PID 5028 wrote to memory of 1252	5028	msedge.exe	88
PID 5028 wrote to memory of 1252	5028	msedge.exe	88

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://cdn.discordapp.com/attachments/1248284920476991563/1275734074249711679/Velocity_Tweaking_Utility_deleted_viurs_by_idankalol.7z?ex=66c6f771&is=66c5a5f1&hm=25826612028ad1b39f9561a580ce721c55fff796983e748d44f7e15f4df5a09c&
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:5028
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff8c31d46f8,0x7ff8c31d4708,0x7ff8c31d4718
  2⤵
  PID:1312
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2168,3644763837961751763,3480393169289701788,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2180 /prefetch:2
  2⤵
  PID:1872
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2168,3644763837961751763,3480393169289701788,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2104 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4812
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2168,3644763837961751763,3480393169289701788,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2876 /prefetch:8
  2⤵
  PID:1252
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,3644763837961751763,3480393169289701788,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3340 /prefetch:1
  2⤵
  PID:2372
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,3644763837961751763,3480393169289701788,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3352 /prefetch:1
  2⤵
  PID:4956
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2168,3644763837961751763,3480393169289701788,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5364 /prefetch:8
  2⤵
  PID:5044
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2168,3644763837961751763,3480393169289701788,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5364 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2916
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2168,3644763837961751763,3480393169289701788,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5392 /prefetch:8
  2⤵
  PID:1964
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,3644763837961751763,3480393169289701788,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4720 /prefetch:1
  2⤵
  PID:3232
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2168,3644763837961751763,3480393169289701788,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5456 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1396
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,3644763837961751763,3480393169289701788,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6152 /prefetch:1
  2⤵
  PID:5192
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,3644763837961751763,3480393169289701788,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6120 /prefetch:1
  2⤵
  PID:5200
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,3644763837961751763,3480393169289701788,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6292 /prefetch:1
  2⤵
  PID:5352
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,3644763837961751763,3480393169289701788,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5956 /prefetch:1
  2⤵
  PID:5360
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2168,3644763837961751763,3480393169289701788,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3540 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3236

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1916

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4040

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4304

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\Velocity_Tweaking_Utility_deleted_viurs_by_idankalol\" -spe -an -ai#7zMap10031:164:7zEvent20043
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4692

C:\Users\Admin\Downloads\Velocity_Tweaking_Utility_deleted_viurs_by_idankalol\Velocity Tweaking Utility.exe
"C:\Users\Admin\Downloads\Velocity_Tweaking_Utility_deleted_viurs_by_idankalol\Velocity Tweaking Utility.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1400
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe"
  2⤵
  - Blocklisted process makes network request
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5656
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Windows\Win32.bat" "
    3⤵
    PID:5868
  - - C:\Windows\system32\reg.exe
      Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\PriorityControl" /v "Win32PrioritySeparation" /t REG_DWORD /d "40" /f
      4⤵
      PID:5916
  - - C:\Windows\system32\reg.exe
      Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\PriorityControl" /v "IRQ8Priority" /t REG_DWORD /d "1" /f
      4⤵
      PID:5932
  - - C:\Windows\system32\reg.exe
      Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\PriorityControl" /v "IRQ16Priority" /t REG_DWORD /d "2" /f
      4⤵
      PID:5948
  - - C:\Windows\system32\reg.exe
      Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\PriorityControl" /v "ConvertibleSlateMode" /t REG_DWORD /d "0" /f
      4⤵
      PID:5964
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe"
  2⤵
  - Blocklisted process makes network request
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5556
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Windows\OldFlyout.bat" "
    3⤵
    PID:1532
  - - C:\Windows\system32\reg.exe
      Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ImmersiveShell" /v "UseWin32BatteryFlyout" /t REG_DWORD /d "1" /f
      4⤵
      PID:2432
  - - C:\Windows\system32\reg.exe
      Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Control Panel\Settings\Network" /v "ReplaceVan" /t REG_DWORD /d "2" /f
      4⤵
      PID:3636
  - - C:\Windows\system32\reg.exe
      Reg.exe add "HKLM\Software\Microsoft\Windows NT\CurrentVersion\MTCUVC" /v "EnableMtcUvc" /t REG_DWORD /d "0" /f
      4⤵
      PID:1984
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe"
  2⤵
  - Blocklisted process makes network request
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5816
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Windows\Background.bat" "
    3⤵
    PID:6080
  - - C:\Windows\system32\reg.exe
      Reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\BackgroundAccessApplications" /v "GlobalUserDisabled" /t REG_DWORD /d "1" /f
      4⤵
      PID:6056
  - - C:\Windows\system32\reg.exe
      Reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\Search" /v "BackgroundAppGlobalToggle" /t REG_DWORD /d "0" /f
      4⤵
      PID:6060
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe"
  2⤵
  - Blocklisted process makes network request
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5744
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Windows\GameBar.bat" "
    3⤵
    PID:528
  - - C:\Windows\system32\reg.exe
      Reg.exe add "HKLM\SOFTWARE\Microsoft\PolicyManager\default\ApplicationManagement\AllowGameDVR" /v "value" /t REG_DWORD /d "0" /f
      4⤵
      PID:1476
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe"
  2⤵
  - Blocklisted process makes network request
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5100
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Windows\Privacy.bat" "
    3⤵
    PID:2356
  - - C:\Windows\system32\reg.exe
      Reg.exe add "HKCU\Control Panel\International\User Profile" /v "HttpAcceptLanguageOptOut" /t REG_DWORD /d "1" /f
      4⤵
      PID:5956
  - - C:\Windows\system32\reg.exe
      Reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "Start_TrackProgs" /t REG_DWORD /d "0" /f
      4⤵
      PID:5572
  - - C:\Windows\system32\reg.exe
      Reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage" /v "StartMenu_Start_Time" /t REG_BINARY /d "0DB474C61FFDD601" /f
      4⤵
      PID:6016
  - - C:\Windows\system32\reg.exe
      Reg.exe add "HKCU\Software\Microsoft\Personalization\Settings" /v "AcceptedPrivacyPolicy" /t REG_DWORD /d "0" /f
      4⤵
      PID:4252
  - - C:\Windows\system32\reg.exe
      Reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\SettingSync\Groups\Language" /v "Enabled" /t REG_DWORD /d "0" /f
      4⤵
      PID:6008
  - - C:\Windows\system32\reg.exe
      Reg.exe add "HKCU\Software\Microsoft\InputPersonalization\TrainedDataStore" /v "HarvestContacts" /t REG_DWORD /d "0" /f
      4⤵
      PID:4644
  - - C:\Windows\system32\reg.exe
      Reg.exe add "HKCU\Software\Microsoft\IME\15.0\IMETC" /v "Enable Punctuation Input" /t REG_SZ /d "0x00000001" /f
      4⤵
      PID:5868
  - - C:\Windows\system32\reg.exe
      Reg.exe add "HKCU\Software\Microsoft\IME\15.0\IMETC" /v "Enable Inline Candidate Swtch" /t REG_SZ /d "0x00000001" /f
      4⤵
      PID:5736
  - - C:\Windows\system32\reg.exe
      Reg.exe add "HKCU\Software\Microsoft\IME\15.0\IMETC" /v "Enable Warning Beep Feedback" /t REG_SZ /d "0x00000001" /f
      4⤵
      PID:5792
  - - C:\Windows\system32\reg.exe
      Reg.exe add "HKCU\Software\Microsoft\IME\15.0\IMETC" /v "Left Shift Usage" /t REG_SZ /d "0x00000000" /f
      4⤵
      PID:5680
  - - C:\Windows\system32\reg.exe
      Reg.exe add "HKCU\Software\Microsoft\IME\15.0\IMETC" /v "Right Shift Usage" /t REG_SZ /d "0x00000001" /f
      4⤵
      PID:5828
  - - C:\Windows\system32\reg.exe
      Reg.exe add "HKCU\Software\Microsoft\IME\15.0\IMETC" /v "Default Input Mode" /t REG_SZ /d "0x00000000" /f
      4⤵
      PID:5688
  - - C:\Windows\system32\reg.exe
      Reg.exe add "HKCU\Software\Microsoft\IME\15.0\IMETC" /v "UI Font Setting" /t REG_SZ /d "0x00000000" /f
      4⤵
      PID:4928
  - - C:\Windows\system32\reg.exe
      Reg.exe add "HKCU\Software\Microsoft\IME\15.0\IMETC" /v "Output Big5 Only" /t REG_SZ /d "0x00000000" /f
      4⤵
      PID:5504
  - - C:\Windows\system32\reg.exe
      Reg.exe add "HKCU\Software\Microsoft\IME\15.0\IMETC" /v "Include Extension A Characters" /t REG_SZ /d "0x00000000" /f
      4⤵
      PID:1484
  - - C:\Windows\system32\reg.exe
      Reg.exe add "HKCU\Software\Microsoft\IME\15.0\IMETC" /v "Include Extension B Characters" /t REG_SZ /d "0x00000000" /f
      4⤵
      PID:5920
  - - C:\Windows\system32\reg.exe
      Reg.exe add "HKCU\Software\Microsoft\IME\15.0\IMETC" /v "Allow CNS Input Sequence" /t REG_SZ /d "0x00000000" /f
      4⤵
      PID:5800
  - - C:\Windows\system32\reg.exe
      Reg.exe add "HKCU\Software\Microsoft\IME\15.0\IMETC" /v "Include HKSCS Characters" /t REG_SZ /d "0x00000000" /f
      4⤵
      PID:5580
  - - C:\Windows\system32\reg.exe
      Reg.exe add "HKCU\Software\Microsoft\IME\15.0\IMETC" /v "Show Ballon UI" /t REG_SZ /d "0x00000001" /f
      4⤵
      PID:1072
  - - C:\Windows\system32\reg.exe
      Reg.exe add "HKCU\Software\Microsoft\IME\15.0\IMETC" /v "Show Phrase Input Ballon UI" /t REG_SZ /d "0x00000001" /f
      4⤵
      PID:4640
  - - C:\Windows\system32\reg.exe
      Reg.exe add "HKCU\Software\Microsoft\IME\15.0\IMETC" /v "Phrase Editor Main Sort Type" /t REG_SZ /d "0x00000000" /f
      4⤵
      PID:5608
  - - C:\Windows\system32\reg.exe
      Reg.exe add "HKCU\Software\Microsoft\IME\15.0\IMETC" /v "Phrase Editor Self Learn Sort Type" /t REG_SZ /d "0x00000000" /f
      4⤵
      PID:6100
  - - C:\Windows\system32\reg.exe
      Reg.exe add "HKCU\Software\Microsoft\IME\15.0\IMETC" /v "UI language" /t REG_SZ /d "0xffffffff" /f
      4⤵
      PID:5164
  - - C:\Windows\system32\reg.exe
      Reg.exe add "HKCU\Software\Microsoft\IME\15.0\IMETC" /v "Custom Keyboard Layout" /t REG_BINARY /d "00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000" /f
      4⤵
      PID:884
  - - C:\Windows\system32\reg.exe
      Reg.exe add "HKCU\Software\Microsoft\IME\15.0\IMETC" /v "Fuzzy Pairs" /t REG_BINARY /d "000000001002000005310000000000000000000000000000000000000000000000000000000000000000063100000000000000000000000000000000000000000000000000000000000000000F310000000000000000000000000000000000000000000000000000000000000000083100000000000000000000000000000000000000000000000000000000000000000F312831000000000000000000000000000000000000000000000000000000000000083100300000000000000000000000000000000000000000000000000000000000000F3128310000000000000000000000000000000000000000000000000000000000000F3100300000000000000000000000000000000000000000000000000000000000000D3100000000000000000000000000000000000000000000000000000000000000000E3100000000000000000000000000000000000000000000000000000000000000000B3100000000000000000000000000000000000000000000000000000000000000000C3100000000000000000000000000000000000000000000000000000000000000000C31000000000000000000000000000000000000000000000000000000000000000016310000000000000000000000000000000000000000000000000000000000000000163100000000000000000000000000000000000000000000000000000000000000000B31000000000000000000000000000000000000000000000000000000000000000013310000000000000000000000000000000000000000000000000000000000000000173100000000000000000000000000000000000000000000000000000000000000001431000000000000000000000000000000000000000000000000000000000000000018310000000000000000000000000000000000000000000000000000000000000000153100000000000000000000000000000000000000000000000000000000000000001931000000000000000000000000000000000000000000000000000000000000000027310000000000000000000000000000000000000000000000000000000000000000293100000000000000000000000000000000000000000000000000000000000000001B3100000000000000000000000000000000000000000000000000000000000000001C3100000000000000000000000000000000000000000000000000000000000000001D3100000000000000000000000000000000000000000000000000000000000000001F310000000000000000000000000000000000000000000000000000000000000000233100000000000000000000000000000000000000000000000000000000000000002531000000000000000000000000000000000000000000000000000000000000000022310000000000000000000000000000000000000000000000000000000000000000243100000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000" /f
      4⤵
      PID:6116
  - - C:\Windows\system32\reg.exe
      Reg.exe add "HKCU\Software\Microsoft\IME\15.0\IMETC" /v "Reserved Words" /t REG_BINARY /d "0700000001000000010000000100000001000000010000002F002F0000000000000000000000000000000000000000000000660069006C00650000000000000000000000000000000000000068007400740070000000000000000000000000000000000000006D00610069006C0074006F0000000000000000000000000000006E00650077007300000000000000000000000000000000000000770069006E0064006F0077007300000000000000000000000000770077007700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000100000001000000010000000100000001000000010000000100000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000" /f
      4⤵
      PID:6108
  - - C:\Windows\system32\reg.exe
      Reg.exe add "HKCU\Software\Microsoft\IME\15.0\IMETC" /v "Plugin Lexicon" /t REG_BINARY /d "00000000000000000000000000000000" /f
      4⤵
      PID:6080
  - - C:\Windows\system32\reg.exe
      Reg.exe add "HKCU\Software\Microsoft\IME\15.0\IMETC" /v "Enable Intelligent Auto Input Switch" /t REG_SZ /d "0x00000000" /f
      4⤵
      PID:6088
  - - C:\Windows\system32\reg.exe
      Reg.exe add "HKCU\Software\Microsoft\IME\15.0\IMETC" /v "Enable Auto Input Switch" /t REG_SZ /d "0x00000000" /f
      4⤵
      PID:1588
  - - C:\Windows\system32\reg.exe
      Reg.exe add "HKCU\Software\Microsoft\IME\15.0\IMETC" /v "Enable Sentence-Final Conversion" /t REG_SZ /d "0x00000001" /f
      4⤵
      PID:5692
  - - C:\Windows\system32\reg.exe
      Reg.exe add "HKCU\Software\Microsoft\IME\15.0\IMETC" /v "Enable Punctuation Auto Finalize" /t REG_SZ /d "0x00000000" /f
      4⤵
      PID:2312
  - - C:\Windows\system32\reg.exe
      Reg.exe add "HKCU\Software\Microsoft\IME\15.0\IMETC" /v "Enable Input Status Feedback" /t REG_SZ /d "0x00000001" /f
      4⤵
      PID:6044
  - - C:\Windows\system32\reg.exe
      Reg.exe add "HKCU\Software\Microsoft\IME\15.0\IMETC" /v "Leading Key Setting" /t REG_SZ /d "0x00000000" /f
      4⤵
      PID:6076
  - - C:\Windows\system32\reg.exe
      Reg.exe add "HKCU\Software\Microsoft\IME\15.0\IMETC" /v "Enable Fuzzy Input" /t REG_SZ /d "0x00000000" /f
      4⤵
      PID:5856
  - - C:\Windows\system32\reg.exe
      Reg.exe add "HKCU\Software\Microsoft\IME\15.0\IMETC" /v "Enable Z Key as Wildcard" /t REG_SZ /d "0x00000001" /f
      4⤵
      PID:5308
  - - C:\Windows\system32\reg.exe
      Reg.exe add "HKCU\Software\Microsoft\IME\15.0\IMETC" /v "Use ESC to Finalize" /t REG_SZ /d "0x00000000" /f
      4⤵
      PID:2516
  - - C:\Windows\system32\reg.exe
      Reg.exe add "HKCU\Software\Microsoft\IME\15.0\IMETC" /v "Enable New Phrase Learning" /t REG_SZ /d "0x00000001" /f
      4⤵
      PID:5764
  - - C:\Windows\system32\reg.exe
      Reg.exe add "HKCU\Software\Microsoft\IME\15.0\IMETC" /v "Enable Personal Regulating" /t REG_SZ /d "0x00000001" /f
      4⤵
      PID:5004
  - - C:\Windows\system32\reg.exe
      Reg.exe add "HKCU\Software\Microsoft\IME\15.0\IMETC" /v "Fixed Candidate Order.New Phonetic" /t REG_SZ /d "0x00000000" /f
      4⤵
      PID:3236
  - - C:\Windows\system32\reg.exe
      Reg.exe add "HKCU\Software\Microsoft\IME\15.0\IMETC" /v "Fixed Candidate Order.New Changjie" /t REG_SZ /d "0x00000000" /f
      4⤵
      PID:5840
  - - C:\Windows\system32\reg.exe
      Reg.exe add "HKCU\Software\Microsoft\IME\15.0\IMETC" /v "Fixed Candidate Order.New Quick" /t REG_SZ /d "0x00000000" /f
      4⤵
      PID:2072
  - - C:\Windows\system32\reg.exe
      Reg.exe add "HKCU\Software\Microsoft\IME\15.0\IMETC" /v "Fixed Candidate Order.Cantonese" /t REG_SZ /d "0x00000000" /f
      4⤵
      PID:1752
  - - C:\Windows\system32\reg.exe
      Reg.exe add "HKCU\Software\Microsoft\IME\15.0\IMETC" /v "Enable User Defined Phrases" /t REG_SZ /d "0x00000001" /f
      4⤵
      PID:5676
  - - C:\Windows\system32\reg.exe
      Reg.exe add "HKCU\Software\Microsoft\IME\15.0\IMETC" /v "Prompt Associate Phrase.Phonetic" /t REG_SZ /d "0x00000001" /f
      4⤵
      PID:1532
  - - C:\Windows\system32\reg.exe
      Reg.exe add "HKCU\Software\Microsoft\IME\15.0\IMETC" /v "Prompt Associate Phrase.Changjie" /t REG_SZ /d "0x00000001" /f
      4⤵
      PID:1828
  - - C:\Windows\system32\reg.exe
      Reg.exe add "HKCU\Software\Microsoft\IME\15.0\IMETC" /v "Prompt Associate Phrase.Quick" /t REG_SZ /d "0x00000001" /f
      4⤵
      PID:5444
  - - C:\Windows\system32\reg.exe
      Reg.exe add "HKCU\Software\Microsoft\IME\15.0\IMETC" /v "Prompt Associate Phrase.Intelligent" /t REG_SZ /d "0x00000000" /f
      4⤵
      PID:528
  - - C:\Windows\system32\reg.exe
      Reg.exe add "HKCU\Software\Microsoft\IME\15.0\IMETC" /v "Enable Simplified Chinese Output" /t REG_SZ /d "0x00000000" /f
      4⤵
      PID:5652
  - - C:\Windows\system32\reg.exe
      Reg.exe add "HKCU\Software\Microsoft\IME\15.0\IMETC" /v "Enable Toneless Input" /t REG_SZ /d "0x00000000" /f
      4⤵
      PID:392
  - - C:\Windows\system32\reg.exe
      Reg.exe add "HKCU\Software\Microsoft\IME\15.0\IMETC" /v "Enable Toneless Key" /t REG_SZ /d "0x00000000" /f
      4⤵
      PID:3480
  - - C:\Windows\system32\reg.exe
      Reg.exe add "HKCU\Software\Microsoft\IME\15.0\IMETC" /v "Enable PhraseInput Key" /t REG_SZ /d "0x00000001" /f
      4⤵
      PID:1868
  - - C:\Windows\system32\reg.exe
      Reg.exe add "HKCU\Software\Microsoft\IME\15.0\IMETC" /v "SIP Prediction" /t REG_SZ /d "0x00000001" /f
      4⤵
      PID:4852
  - - C:\Windows\system32\reg.exe
      Reg.exe add "HKCU\Software\Microsoft\IME\15.0\IMETC" /v "Toneless Key Setting" /t REG_SZ /d "0x00000000" /f
      4⤵
      PID:1888
  - - C:\Windows\system32\reg.exe
      Reg.exe add "HKCU\Software\Microsoft\IME\15.0\IMETC" /v "Inline Candidate Switch Key Setting" /t REG_SZ /d "0x00000001" /f
      4⤵
      PID:5776
  - - C:\Windows\system32\reg.exe
      Reg.exe add "HKCU\Software\Microsoft\IME\15.0\IMETC" /v "PhraseInput Key Setting" /t REG_SZ /d "0x00000001" /f
      4⤵
      PID:440
  - - C:\Windows\system32\reg.exe
      Reg.exe add "HKCU\Software\Microsoft\IME\15.0\IMETC" /v "Keyboard Layout Setting.New Phonetic" /t REG_SZ /d "0x00020010" /f
      4⤵
      PID:5288
  - - C:\Windows\system32\reg.exe
      Reg.exe add "HKCU\Software\Microsoft\IME\15.0\IMETC" /v "Keyboard Layout Setting.Phonetic" /t REG_SZ /d "0x00020010" /f
      4⤵
      PID:5192
  - - C:\Windows\system32\reg.exe
      Reg.exe add "HKCU\Software\Microsoft\IME\15.0\IMETC" /v "Reading Indication Setting.New Phonetic" /t REG_SZ /d "0x00000000" /f
      4⤵
      PID:5324
  - - C:\Windows\system32\reg.exe
      Reg.exe add "HKCU\Software\Microsoft\IME\15.0\IMETC" /v "ConfigMigrated.New Phonetic" /t REG_SZ /d "0x00000001" /f
      4⤵
      PID:1596
  - - C:\Windows\system32\reg.exe
      Reg.exe add "HKCU\Software\Microsoft\IME\15.0\IMETC" /v "EUDC Filename.Phonetic" /t REG_SZ /d "TCEUDCPH.TBL" /f
      4⤵
      PID:5328
  - - C:\Windows\system32\reg.exe
      Reg.exe add "HKCU\Software\Microsoft\IME\15.0\IMETC" /v "EUDC Filename.ChangJie" /t REG_SZ /d "TCEUDCCJ.TBL" /f
      4⤵
      PID:5260
  - - C:\Windows\system32\reg.exe
      Reg.exe add "HKCU\Software\Microsoft\IME\15.0\IMETC" /v "EUDC Filename.Quick" /t REG_SZ /d "TCEUDCCJ.TBL" /f
      4⤵
      PID:5552
  - - C:\Windows\system32\reg.exe
      Reg.exe add "HKCU\Software\Microsoft\IME\15.0\IMETC" /v "EUDC Filename.Cantonese" /t REG_SZ /d "TCEUDCCT.TBL" /f
      4⤵
      PID:5584
  - - C:\Windows\system32\reg.exe
      Reg.exe add "HKCU\Software\Microsoft\IME\15.0\IMETC" /v "EUDR Filename.Phonetic" /t REG_SZ /d "TCEUDRPH.TBL" /f
      4⤵
      PID:5576
  - - C:\Windows\system32\reg.exe
      Reg.exe add "HKCU\Software\Microsoft\IME\15.0\IMETC" /v "EUDR Filename.ChangJie" /t REG_SZ /d "TCEUDRCJ.TBL" /f
      4⤵
      PID:6012
  - - C:\Windows\system32\reg.exe
      Reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\Diagnostics\DiagTrack" /v "ShowedToastAtLevel" /t REG_DWORD /d "1" /f
      4⤵
      PID:5852
  - - C:\Windows\system32\reg.exe
      Reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows\System" /v "PublishUserActivities" /t REG_DWORD /d "0" /f
      4⤵
      PID:5088
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe"
  2⤵
  - Blocklisted process makes network request
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5868
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Windows\Notifications.bat" "
    3⤵
    PID:6072
  - - C:\Windows\system32\reg.exe
      Reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\Notifications\Settings" /v "NOC_GLOBAL_SETTING_ALLOW_CRITICAL_TOASTS_ABOVE_LOCK" /t REG_DWORD /d "0" /f
      4⤵
      PID:5128
  - - C:\Windows\system32\reg.exe
      Reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\Notifications\Settings" /v "NOC_GLOBAL_SETTING_ALLOW_TOASTS_ABOVE_LOCK" /t REG_DWORD /d "0" /f
      4⤵
      PID:5156
  - - C:\Windows\system32\reg.exe
      Reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\PushNotifications" /v "LockScreenToastEnabled" /t REG_DWORD /d "0" /f
      4⤵
      PID:1148
  - - C:\Windows\system32\reg.exe
      Reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\PushNotifications" /v "ToastEnabled" /t REG_DWORD /d "0" /f
      4⤵
      PID:6112
  - - C:\Windows\system32\reg.exe
      Reg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\UserProfileEngagement" /v "ScoobeSystemSettingEnabled" /t REG_DWORD /d "0" /f
      4⤵
      PID:6064
  - - C:\Windows\system32\reg.exe
      Reg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Notifications\Settings" /v "NOC_GLOBAL_SETTING_ALLOW_NOTIFICATION_SOUND" /t REG_DWORD /d "0" /f
      4⤵
      PID:5932
  - - C:\Windows\system32\reg.exe
      Reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\Notifications\Settings\windows.immersivecontrolpanel_cw5n1h2txyewy!microsoft.windows.immersivecontrolpanel" /v "Enabled" /t REG_DWORD /d "0" /f
      4⤵
      PID:6080
  - - C:\Windows\system32\reg.exe
      Reg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Notifications\Settings\Microsoft.WindowsStore_8wekyb3d8bbwe!App" /v "Enabled" /t REG_DWORD /d "0" /f
      4⤵
      PID:6088
  - - C:\Windows\system32\reg.exe
      Reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\Notifications\Settings\Windows.SystemToast.AutoPlay" /v "Enabled" /t REG_DWORD /d "0" /f
      4⤵
      PID:1588
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe"
  2⤵
  - Blocklisted process makes network request
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:6104
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Windows\SD.bat" "
    3⤵
    PID:4152
  - - C:\Windows\system32\reg.exe
      Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control" /v "WaitToKillServiceTimeout" /t REG_SZ /d "1500" /f
      4⤵
      PID:5780
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe"
  2⤵
  - Blocklisted process makes network request
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4608
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Windows\Startup.bat" "
    3⤵
    PID:2616
  - - C:\Windows\system32\reg.exe
      Reg.exe delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /f
      4⤵
      Adds Run key to start application
      PID:3928
  - - C:\Windows\system32\reg.exe
      Reg.exe delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f
      4⤵
      Adds Run key to start application
      PID:6008
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe"
  2⤵
  - Blocklisted process makes network request
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4168
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Windows\Superfetch.bat" "
    3⤵
    PID:5704
  - - C:\Windows\system32\reg.exe
      Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-Superfetch/Main" /v "Enabled" /t REG_DWORD /d "0" /f
      4⤵
      PID:3724
  - - C:\Windows\system32\reg.exe
      Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-Superfetch/PfApLog" /v "Enabled" /t REG_DWORD /d "0" /f
      4⤵
      PID:1988
  - - C:\Windows\system32\reg.exe
      Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-Superfetch/StoreLog" /v "Enabled" /t REG_DWORD /d "0" /f
      4⤵
      PID:3440
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe"
  2⤵
  - Blocklisted process makes network request
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3312
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Windows\Maintanence.bat" "
    3⤵
    PID:3540
  - - C:\Windows\system32\reg.exe
      Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\Maintenance" /v "MaintenanceDisabled" /t REG_DWORD /d "1" /f
      4⤵
      PID:408
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe"
  2⤵
  - Blocklisted process makes network request
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3944
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Windows\DisableCortana.bat" "
    3⤵
    PID:5820
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe"
  2⤵
  - Blocklisted process makes network request
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:704
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Windows\SystemResponsiveness.bat" "
    3⤵
    PID:2392
  - - C:\Windows\system32\reg.exe
      Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile" /v "NetworkThrottlingIndex" /t REG_DWORD /d "4294967295" /f
      4⤵
      PID:5844
  - - C:\Windows\system32\reg.exe
      Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile" /v "SystemResponsiveness" /t REG_DWORD /d "0" /f
      4⤵
      PID:2516
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe"
  2⤵
  - Blocklisted process makes network request
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1752
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Windows\ExFullScreen.bat" "
    3⤵
    PID:5088
  - - C:\Windows\system32\reg.exe
      Reg.exe add "HKEY_CURRENT_USER\Software\Microsoft\GameBar" /v "ShowStartupPanel" /t REG_DWORD /d "0" /f
      4⤵
      PID:3576
  - - C:\Windows\system32\reg.exe
      Reg.exe add "HKEY_CURRENT_USER\Software\Microsoft\GameBar" /v "GamePanelStartupTipIndex" /t REG_DWORD /d "3" /f
      4⤵
      PID:5512
  - - C:\Windows\system32\reg.exe
      Reg.exe add "HKEY_CURRENT_USER\Software\Microsoft\GameBar" /v "AllowAutoGameMode" /t REG_DWORD /d "0" /f
      4⤵
      PID:400
  - - C:\Windows\system32\reg.exe
      Reg.exe add "HKEY_CURRENT_USER\Software\Microsoft\GameBar" /v "AutoGameModeEnabled" /t REG_DWORD /d "0" /f
      4⤵
      PID:5584
  - - C:\Windows\system32\reg.exe
      Reg.exe add "HKEY_CURRENT_USER\Software\Microsoft\GameBar" /v "UseNexusForGameBarEnabled" /t REG_DWORD /d "0" /f
      4⤵
      PID:5528
  - - C:\Windows\system32\reg.exe
      Reg.exe add "HKEY_CURRENT_USER\System\GameConfigStore" /v "GameDVR_Enabled" /t REG_DWORD /d "0" /f
      4⤵
      PID:5960
  - - C:\Windows\system32\reg.exe
      Reg.exe add "HKEY_CURRENT_USER\System\GameConfigStore" /v "GameDVR_FSEBehaviorMode" /t REG_DWORD /d "2" /f
      4⤵
      PID:1772
  - - C:\Windows\system32\reg.exe
      Reg.exe add "HKEY_CURRENT_USER\System\GameConfigStore" /v "GameDVR_FSEBehavior" /t REG_DWORD /d "2" /f
      4⤵
      PID:5836
  - - C:\Windows\system32\reg.exe
      Reg.exe add "HKEY_CURRENT_USER\System\GameConfigStore" /v "GameDVR_HonorUserFSEBehaviorMode" /t REG_DWORD /d "1" /f
      4⤵
      PID:5868
  - - C:\Windows\system32\reg.exe
      Reg.exe add "HKEY_CURRENT_USER\System\GameConfigStore" /v "GameDVR_DXGIHonorFSEWindowsCompatible" /t REG_DWORD /d "1" /f
      4⤵
      PID:3028
  - - C:\Windows\system32\reg.exe
      Reg.exe add "HKEY_CURRENT_USER\System\GameConfigStore" /v "GameDVR_EFSEFeatureFlags" /t REG_DWORD /d "0" /f
      4⤵
      PID:1936
  - - C:\Windows\system32\reg.exe
      Reg.exe add "HKEY_CURRENT_USER\System\GameConfigStore" /v "GameDVR_DSEBehavior" /t REG_DWORD /d "2" /f
      4⤵
      PID:3732
  - - C:\Windows\system32\reg.exe
      Reg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\GameDVR" /v "AllowGameDVR" /t REG_DWORD /d "0" /f
      4⤵
      PID:5200
  - - C:\Windows\system32\reg.exe
      Reg.exe add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\GameDVR" /v "AppCaptureEnabled" /t REG_DWORD /d "0" /f
      4⤵
      PID:1352
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe"
  2⤵
  - Blocklisted process makes network request
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5276
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Windows\MMCSS.bat" "
    3⤵
    PID:4444
  - - C:\Windows\system32\reg.exe
      Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile" /v "NetworkThrottlingIndex" /t REG_DWORD /d "4294967295" /f
      4⤵
      PID:5228
  - - C:\Windows\system32\reg.exe
      Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile" /v "SystemResponsiveness" /t REG_DWORD /d "0" /f
      4⤵
      PID:4480
  - - C:\Windows\system32\reg.exe
      Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Audio" /v "Affinity" /t REG_DWORD /d "0" /f
      4⤵
      PID:6136
  - - C:\Windows\system32\reg.exe
      Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Audio" /v "Background Only" /t REG_SZ /d "True" /f
      4⤵
      PID:6100
  - - C:\Windows\system32\reg.exe
      Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Audio" /v "Clock Rate" /t REG_DWORD /d "10000" /f
      4⤵
      PID:1588
  - - C:\Windows\system32\reg.exe
      Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Audio" /v "GPU Priority" /t REG_DWORD /d "8" /f
      4⤵
      PID:4552
  - - C:\Windows\system32\reg.exe
      Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Audio" /v "Priority" /t REG_DWORD /d "6" /f
      4⤵
      PID:3900
  - - C:\Windows\system32\reg.exe
      Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Audio" /v "Scheduling Category" /t REG_SZ /d "Medium" /f
      4⤵
      PID:5784
  - - C:\Windows\system32\reg.exe
      Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Audio" /v "SFIO Priority" /t REG_SZ /d "Normal" /f
      4⤵
      PID:5128
  - - C:\Windows\system32\reg.exe
      Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Capture" /v "Affinity" /t REG_DWORD /d "0" /f
      4⤵
      PID:6108
  - - C:\Windows\system32\reg.exe
      Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Capture" /v "Background Only" /t REG_SZ /d "True" /f
      4⤵
      PID:6028
  - - C:\Windows\system32\reg.exe
      Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Capture" /v "Clock Rate" /t REG_DWORD /d "10000" /f
      4⤵
      PID:5932
  - - C:\Windows\system32\reg.exe
      Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Capture" /v "GPU Priority" /t REG_DWORD /d "8" /f
      4⤵
      PID:6080
  - - C:\Windows\system32\reg.exe
      Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Capture" /v "Priority" /t REG_DWORD /d "5" /f
      4⤵
      PID:1008
  - - C:\Windows\system32\reg.exe
      Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Capture" /v "Scheduling Category" /t REG_SZ /d "Medium" /f
      4⤵
      PID:3312
  - - C:\Windows\system32\reg.exe
      Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Capture" /v "SFIO Priority" /t REG_SZ /d "Normal" /f
      4⤵
      PID:5716
  - - C:\Windows\system32\reg.exe
      Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\DisplayPostProcessing" /v "Affinity" /t REG_DWORD /d "0" /f
      4⤵
      PID:5656
  - - C:\Windows\system32\reg.exe
      Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\DisplayPostProcessing" /v "Background Only" /t REG_SZ /d "True" /f
      4⤵
      PID:5724
  - - C:\Windows\system32\reg.exe
      Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\DisplayPostProcessing" /v "BackgroundPriority" /t REG_DWORD /d "8" /f
      4⤵
      PID:2664
  - - C:\Windows\system32\reg.exe
      Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\DisplayPostProcessing" /v "Clock Rate" /t REG_DWORD /d "10000" /f
      4⤵
      PID:2676
  - - C:\Windows\system32\reg.exe
      Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\DisplayPostProcessing" /v "GPU Priority" /t REG_DWORD /d "8" /f
      4⤵
      PID:4976
  - - C:\Windows\system32\reg.exe
      Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\DisplayPostProcessing" /v "Priority" /t REG_DWORD /d "8" /f
      4⤵
      PID:6032
  - - C:\Windows\system32\reg.exe
      Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\DisplayPostProcessing" /v "Scheduling Category" /t REG_SZ /d "High" /f
      4⤵
      PID:5848
  - - C:\Windows\system32\reg.exe
      Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\DisplayPostProcessing" /v "SFIO Priority" /t REG_SZ /d "Normal" /f
      4⤵
      PID:5684
  - - C:\Windows\system32\reg.exe
      Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Distribution" /v "Affinity" /t REG_DWORD /d "0" /f
      4⤵
      PID:5840
  - - C:\Windows\system32\reg.exe
      Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Distribution" /v "Background Only" /t REG_SZ /d "True" /f
      4⤵
      PID:5912
  - - C:\Windows\system32\reg.exe
      Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Distribution" /v "Clock Rate" /t REG_DWORD /d "10000" /f
      4⤵
      PID:4368
  - - C:\Windows\system32\reg.exe
      Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Distribution" /v "GPU Priority" /t REG_DWORD /d "8" /f
      4⤵
      PID:5936
  - - C:\Windows\system32\reg.exe
      Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Distribution" /v "Priority" /t REG_DWORD /d "4" /f
      4⤵
      PID:4848
  - - C:\Windows\system32\reg.exe
      Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Distribution" /v "Scheduling Category" /t REG_SZ /d "Medium" /f
      4⤵
      PID:2984
  - - C:\Windows\system32\reg.exe
      Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Distribution" /v "SFIO Priority" /t REG_SZ /d "Normal" /f
      4⤵
      PID:5556
  - - C:\Windows\system32\reg.exe
      Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Games" /v "Affinity" /t REG_DWORD /d "0" /f
      4⤵
      PID:4548
  - - C:\Windows\system32\reg.exe
      Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Games" /v "Background Only" /t REG_SZ /d "False" /f
      4⤵
      PID:1576
  - - C:\Windows\system32\reg.exe
      Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Games" /v "Clock Rate" /t REG_DWORD /d "10000" /f
      4⤵
      PID:5760
  - - C:\Windows\system32\reg.exe
      Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Games" /v "GPU Priority" /t REG_DWORD /d "8" /f
      4⤵
      PID:1984
  - - C:\Windows\system32\reg.exe
      Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Games" /v "Priority" /t REG_DWORD /d "6" /f
      4⤵
      PID:776
  - - C:\Windows\system32\reg.exe
      Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Games" /v "Scheduling Category" /t REG_SZ /d "High" /f
      4⤵
      PID:4472
  - - C:\Windows\system32\reg.exe
      Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Games" /v "SFIO Priority" /t REG_SZ /d "High" /f
      4⤵
      PID:3216
  - - C:\Windows\system32\reg.exe
      Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Playback" /v "Affinity" /t REG_DWORD /d "0" /f
      4⤵
      PID:5668
  - - C:\Windows\system32\reg.exe
      Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Playback" /v "Background Only" /t REG_SZ /d "False" /f
      4⤵
      PID:4992
  - - C:\Windows\system32\reg.exe
      Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Playback" /v "BackgroundPriority" /t REG_DWORD /d "4" /f
      4⤵
      PID:2528
  - - C:\Windows\system32\reg.exe
      Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Playback" /v "Clock Rate" /t REG_DWORD /d "10000" /f
      4⤵
      PID:4816
  - - C:\Windows\system32\reg.exe
      Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Playback" /v "GPU Priority" /t REG_DWORD /d "8" /f
      4⤵
      PID:5496
  - - C:\Windows\system32\reg.exe
      Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Playback" /v "Priority" /t REG_DWORD /d "3" /f
      4⤵
      PID:5652
  - - C:\Windows\system32\reg.exe
      Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Playback" /v "Scheduling Category" /t REG_SZ /d "Medium" /f
      4⤵
      PID:5796
  - - C:\Windows\system32\reg.exe
      Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Playback" /v "SFIO Priority" /t REG_SZ /d "Normal" /f
      4⤵
      PID:4108
  - - C:\Windows\system32\reg.exe
      Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Pro Audio" /v "Affinity" /t REG_DWORD /d "0" /f
      4⤵
      PID:4420
  - - C:\Windows\system32\reg.exe
      Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Pro Audio" /v "Background Only" /t REG_SZ /d "False" /f
      4⤵
      PID:3660
  - - C:\Windows\system32\reg.exe
      Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Pro Audio" /v "Clock Rate" /t REG_DWORD /d "10000" /f
      4⤵
      PID:1664
  - - C:\Windows\system32\reg.exe
      Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Pro Audio" /v "GPU Priority" /t REG_DWORD /d "8" /f
      4⤵
      PID:4808
  - - C:\Windows\system32\reg.exe
      Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Pro Audio" /v "Priority" /t REG_DWORD /d "1" /f
      4⤵
      PID:440
  - - C:\Windows\system32\reg.exe
      Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Pro Audio" /v "Scheduling Category" /t REG_SZ /d "High" /f
      4⤵
      PID:2744
  - - C:\Windows\system32\reg.exe
      Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Pro Audio" /v "SFIO Priority" /t REG_SZ /d "Normal" /f
      4⤵
      PID:6128
  - - C:\Windows\system32\reg.exe
      Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Window Manager" /v "Affinity" /t REG_DWORD /d "0" /f
      4⤵
      PID:4828
  - - C:\Windows\system32\reg.exe
      Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Window Manager" /v "Background Only" /t REG_SZ /d "True" /f
      4⤵
      PID:3576
  - - C:\Windows\system32\reg.exe
      Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Window Manager" /v "Clock Rate" /t REG_DWORD /d "10000" /f
      4⤵
      PID:5512
  - - C:\Windows\system32\reg.exe
      Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Window Manager" /v "GPU Priority" /t REG_DWORD /d "8" /f
      4⤵
      PID:400
  - - C:\Windows\system32\reg.exe
      Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Window Manager" /v "Priority" /t REG_DWORD /d "5" /f
      4⤵
      PID:5584
  - - C:\Windows\system32\reg.exe
      Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Window Manager" /v "Scheduling Category" /t REG_SZ /d "Medium" /f
      4⤵
      PID:5572
  - - C:\Windows\system32\reg.exe
      Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Window Manager" /v "SFIO Priority" /t REG_SZ /d "Normal" /f
      4⤵
      PID:5852
  - - C:\Windows\system32\reg.exe
      Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\MMCSS" /v "Start" /t REG_DWORD /d "4" /f
      4⤵
      PID:5288
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe"
  2⤵
  - Blocklisted process makes network request
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5868
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Windows\Microcode.bat" "
    3⤵
    PID:3428
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -c "Invoke-WebRequest -Uri 'https://www.dropbox.com/scl/fi/sk72w4b2jy1ske5uxqlvv/NSudoLG.exe?rlkey=y0dmx30mk160imc68pxdi1gi3&dl=1' -OutFile C:\NSudoLG.exe
      4⤵
      Blocklisted process makes network request
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2072
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -c "Invoke-WebRequest -Uri 'https://www.dropbox.com/scl/fi/8en9vj2u6hicbkaie5gu2/Del.bat?rlkey=bl2w1wo7398g4q1s36qe8jvoe&dl=1' -OutFile C:\Windows\del.bat
      4⤵
      Blocklisted process makes network request
      Command and Scripting Interpreter: PowerShell
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:6096
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe"
  2⤵
  - Blocklisted process makes network request
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2204
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Windows\BloatwareReg.bat" "
    3⤵
    PID:3128
  - - C:\Windows\system32\reg.exe
      reg delete HKCR\Extensions\ContractId\Windows.BackgroundTasks\PackageId\46928bounde.EclipseManager_2.2.4.51_neutral__a5h4egax66k6y /f
      4⤵
      PID:5748
  - - C:\Windows\system32\reg.exe
      reg delete HKCR\Extensions\ContractId\Windows.BackgroundTasks\PackageId\ActiproSoftwareLLC.562882FEEB491_2.6.18.18_neutral__24pqs290vpjk0 /f
      4⤵
      PID:5844
  - - C:\Windows\system32\reg.exe
      reg delete HKCR\Extensions\ContractId\Windows.BackgroundTasks\PackageId\Microsoft.Windows.Search_1.14.0.19041_neutral_neutral_cw5n1h2txyewy /f
      4⤵
      PID:2516
  - - C:\Windows\system32\reg.exe
      reg delete HKCR\Extensions\ContractId\Windows.BackgroundTasks\PackageId\Microsoft.Windows.ShellExperienceHost_10.0.19041.423_neutral_neutral_cw5n1h2txyewy /f
      4⤵
      PID:4152
  - - C:\Windows\system32\reg.exe
      reg delete HKCR\Extensions\ContractId\Windows.BackgroundTasks\PackageId\Microsoft.Windows.StartMenuExperienceHost_10.0.19041.423_neutral_neutral_cw5n1h2txyewy /f
      4⤵
      PID:2276
  - - C:\Windows\system32\reg.exe
      reg delete HKCR\Extensions\ContractId\Windows.BackgroundTasks\PackageId\MicrosoftWindows.UndockedDevKit_10.0.19041.423_neutral_neutral_cw5n1h2txyewy /f
      4⤵
      PID:1480
  - - C:\Windows\system32\reg.exe
      reg delete HKCR\Extensions\ContractId\Windows.BackgroundTasks\PackageId\Microsoft.MicrosoftOfficeHub_17.7909.7600.0_x64__8wekyb3d8bbwe /f
      4⤵
      PID:4736
  - - C:\Windows\system32\reg.exe
      reg delete HKCR\Extensions\ContractId\Windows.BackgroundTasks\PackageId\Microsoft.PPIProjection_10.0.15063.0_neutral_neutral_cw5n1h2txyewy /f
      4⤵
      PID:4732
  - - C:\Windows\system32\reg.exe
      reg delete HKCR\Extensions\ContractId\Windows.BackgroundTasks\PackageId\Microsoft.XboxGameCallableUI_1000.15063.0.0_neutral_neutral_cw5n1h2txyewy /f
      4⤵
      PID:5728
  - - C:\Windows\system32\reg.exe
      reg delete HKCR\Extensions\ContractId\Windows.BackgroundTasks\PackageId\Microsoft.XboxGameCallableUI_1000.16299.15.0_neutral_neutral_cw5n1h2txyewy /f
      4⤵
      PID:5672
  - - C:\Windows\system32\reg.exe
      reg delete HKCR\Extensions\ContractId\Windows.File\PackageId\ActiproSoftwareLLC.562882FEEB491_2.6.18.18_neutral__24pqs290vpjk0 /f
      4⤵
      PID:3480
  - - C:\Windows\system32\reg.exe
      reg delete HKCR\Extensions\ContractId\Windows.Launch\PackageId\46928bounde.EclipseManager_2.2.4.51_neutral__a5h4egax66k6y /f
      4⤵
      PID:516
  - - C:\Windows\system32\reg.exe
      reg delete HKCR\Extensions\ContractId\Windows.Launch\PackageId\Microsoft.Windows.Search_1.14.0.19041_neutral_neutral_cw5n1h2txyewy /f
      4⤵
      PID:5864
  - - C:\Windows\system32\reg.exe
      reg delete HKCR\Extensions\ContractId\Windows.Launch\PackageId\Microsoft.Windows.ShellExperienceHost_10.0.19041.423_neutral_neutral_cw5n1h2txyewy /f
      4⤵
      PID:5676
  - - C:\Windows\system32\reg.exe
      reg delete HKCR\Extensions\ContractId\Windows.Launch\PackageId\Microsoft.Windows.StartMenuExperienceHost_10.0.19041.423_neutral_neutral_cw5n1h2txyewy /f
      4⤵
      PID:5264
  - - C:\Windows\system32\reg.exe
      reg delete HKCR\Extensions\ContractId\Windows.Launch\PackageId\MicrosoftWindows.UndockedDevKit_10.0.19041.423_neutral_neutral_cw5n1h2txyewy /f
      4⤵
      PID:5260
  - - C:\Windows\system32\reg.exe
      reg delete HKCR\Extensions\ContractId\Windows.Launch\PackageId\ActiproSoftwareLLC.562882FEEB491_2.6.18.18_neutral__24pqs290vpjk0 /f
      4⤵
      PID:5588
  - - C:\Windows\system32\reg.exe
      reg delete HKCR\Extensions\ContractId\Windows.Launch\PackageId\Microsoft.PPIProjection_10.0.15063.0_neutral_neutral_cw5n1h2txyewy /f
      4⤵
      PID:6008
  - - C:\Windows\system32\reg.exe
      reg delete HKCR\Extensions\ContractId\Windows.Launch\PackageId\Microsoft.XboxGameCallableUI_1000.15063.0.0_neutral_neutral_cw5n1h2txyewy /f
      4⤵
      PID:5192
  - - C:\Windows\system32\reg.exe
      reg delete HKCR\Extensions\ContractId\Windows.Launch\PackageId\Microsoft.XboxGameCallableUI_1000.16299.15.0_neutral_neutral_cw5n1h2txyewy /f
      4⤵
      PID:1272
  - - C:\Windows\system32\reg.exe
      reg delete HKCR\Extensions\ContractId\Windows.PreInstalledConfigTask\PackageId\Microsoft.MicrosoftOfficeHub_17.7909.7600.0_x64__8wekyb3d8bbwe /f
      4⤵
      PID:5208
  - - C:\Windows\system32\reg.exe
      reg delete HKCR\Extensions\ContractId\Windows.Protocol\PackageId\ActiproSoftwareLLC.562882FEEB491_2.6.18.18_neutral__24pqs290vpjk0 /f
      4⤵
      PID:5956
  - - C:\Windows\system32\reg.exe
      reg delete HKCR\Extensions\ContractId\Windows.Protocol\PackageId\Microsoft.PPIProjection_10.0.15063.0_neutral_neutral_cw5n1h2txyewy /f
      4⤵
      PID:5908
  - - C:\Windows\system32\reg.exe
      reg delete HKCR\Extensions\ContractId\Windows.Protocol\PackageId\Microsoft.XboxGameCallableUI_1000.15063.0.0_neutral_neutral_cw5n1h2txyewy /f
      4⤵
      PID:5576
  - - C:\Windows\system32\reg.exe
      reg delete HKCR\Extensions\ContractId\Windows.Protocol\PackageId\Microsoft.XboxGameCallableUI_1000.16299.15.0_neutral_neutral_cw5n1h2txyewy /f
      4⤵
      PID:4624
  - - C:\Windows\system32\reg.exe
      reg delete HKCR\Extensions\ContractId\Windows.Protocol\PackageId\Microsoft.Windows.Search_1.14.0.19041_neutral_neutral_cw5n1h2txyewy /f
      4⤵
      PID:5320
  - - C:\Windows\system32\reg.exe
      reg delete HKCR\Extensions\ContractId\Windows.Protocol\PackageId\Microsoft.Windows.ShellExperienceHost_10.0.19041.423_neutral_neutral_cw5n1h2txyewy /f
      4⤵
      PID:3772
  - - C:\Windows\system32\reg.exe
      reg delete HKCR\Extensions\ContractId\Windows.ShareTarget\PackageId\ActiproSoftwareLLC.562882FEEB491_2.6.18.18_neutral__24pqs290vpjk0 /f
      4⤵
      PID:6120
  - - C:\Windows\system32\reg.exe
      reg delete HKCR\Extensions\ContractId\Windows.BackgroundTasks\PackageId\46928bounde.EclipseManager_2.2.4.51_neutral__a5h4egax66k6y /f
      4⤵
      PID:6116
  - - C:\Windows\system32\reg.exe
      reg delete HKCR\Extensions\ContractId\Windows.BackgroundTasks\PackageId\ActiproSoftwareLLC.562882FEEB491_2.6.18.18_neutral__24pqs290vpjk0 /f
      4⤵
      PID:5112
  - - C:\Windows\system32\reg.exe
      reg delete HKCR\Extensions\ContractId\Windows.BackgroundTasks\PackageId\Microsoft.MicrosoftOfficeHub_17.7909.7600.0_x64__8wekyb3d8bbwe /f
      4⤵
      PID:4940
  - - C:\Windows\system32\reg.exe
      reg delete HKCR\Extensions\ContractId\Windows.BackgroundTasks\PackageId\Microsoft.PPIProjection_10.0.15063.0_neutral_neutral_cw5n1h2txyewy /f
      4⤵
      PID:5304
  - - C:\Windows\system32\reg.exe
      reg delete HKCR\Extensions\ContractId\Windows.BackgroundTasks\PackageId\Microsoft.XboxGameCallableUI_1000.15063.0.0_neutral_neutral_cw5n1h2txyewy /f
      4⤵
      PID:5876
  - - C:\Windows\system32\reg.exe
      reg delete HKCR\Extensions\ContractId\Windows.BackgroundTasks\PackageId\Microsoft.XboxGameCallableUI_1000.16299.15.0_neutral_neutral_cw5n1h2txyewy /f
      4⤵
      PID:5312
  - - C:\Windows\system32\reg.exe
      reg delete HKCR\Extensions\ContractId\Windows.BackgroundTasks\PackageId\Microsoft.Windows.Search_1.14.0.19041_neutral_neutral_cw5n1h2txyewy /f
      4⤵
      PID:1684
  - - C:\Windows\system32\reg.exe
      reg delete HKCR\Extensions\ContractId\Windows.BackgroundTasks\PackageId\Microsoft.Windows.ShellExperienceHost_10.0.19041.423_neutral_neutral_cw5n1h2txyewy /f
      4⤵
      PID:3840
  - - C:\Windows\system32\reg.exe
      reg delete HKCR\Extensions\ContractId\Windows.BackgroundTasks\PackageId\Microsoft.Windows.StartMenuExperienceHost_10.0.19041.423_neutral_neutral_cw5n1h2txyewy /f
      4⤵
      PID:5788
  - - C:\Windows\system32\reg.exe
      reg delete HKCR\Extensions\ContractId\Windows.BackgroundTasks\PackageId\MicrosoftWindows.UndockedDevKit_10.0.19041.423_neutral_neutral_cw5n1h2txyewy /f
      4⤵
      PID:3068
  - - C:\Windows\system32\reg.exe
      reg delete HKCR\Extensions\ContractId\Windows.File\PackageId\ActiproSoftwareLLC.562882FEEB491_2.6.18.18_neutral__24pqs290vpjk0 /f
      4⤵
      PID:672
  - - C:\Windows\system32\reg.exe
      reg delete HKCR\Extensions\ContractId\Windows.Launch\PackageId\46928bounde.EclipseManager_2.2.4.51_neutral__a5h4egax66k6y /f
      4⤵
      PID:3124
  - - C:\Windows\system32\reg.exe
      reg delete HKCR\Extensions\ContractId\Windows.Launch\PackageId\ActiproSoftwareLLC.562882FEEB491_2.6.18.18_neutral__24pqs290vpjk0 /f
      4⤵
      PID:4856
  - - C:\Windows\system32\reg.exe
      reg delete HKCR\Extensions\ContractId\Windows.Launch\PackageId\Microsoft.PPIProjection_10.0.15063.0_neutral_neutral_cw5n1h2txyewy /f
      4⤵
      PID:4024
  - - C:\Windows\system32\reg.exe
      reg delete HKCR\Extensions\ContractId\Windows.Launch\PackageId\Microsoft.XboxGameCallableUI_1000.15063.0.0_neutral_neutral_cw5n1h2txyewy /f
      4⤵
      PID:5972
  - - C:\Windows\system32\reg.exe
      reg delete HKCR\Extensions\ContractId\Windows.Launch\PackageId\Microsoft.XboxGameCallableUI_1000.16299.15.0_neutral_neutral_cw5n1h2txyewy /f
      4⤵
      PID:5088
  - - C:\Windows\system32\reg.exe
      reg delete HKCR\Extensions\ContractId\Windows.Launch\PackageId\Microsoft.Windows.Search_1.14.0.19041_neutral_neutral_cw5n1h2txyewy /f
      4⤵
      PID:976
  - - C:\Windows\system32\reg.exe
      reg delete HKCR\Extensions\ContractId\Windows.Launch\PackageId\Microsoft.Windows.ShellExperienceHost_10.0.19041.423_neutral_neutral_cw5n1h2txyewy /f
      4⤵
      PID:4760
  - - C:\Windows\system32\reg.exe
      reg delete HKCR\Extensions\ContractId\Windows.Launch\PackageId\Microsoft.Windows.StartMenuExperienceHost_10.0.19041.423_neutral_neutral_cw5n1h2txyewy /f
      4⤵
      PID:5988
  - - C:\Windows\system32\reg.exe
      reg delete HKCR\Extensions\ContractId\Windows.Launch\PackageId\MicrosoftWindows.UndockedDevKit_10.0.19041.423_neutral_neutral_cw5n1h2txyewy /f
      4⤵
      PID:5156
  - - C:\Windows\system32\reg.exe
      reg delete HKCR\Extensions\ContractId\Windows.PreInstalledConfigTask\PackageId\Microsoft.MicrosoftOfficeHub_17.7909.7600.0_x64__8wekyb3d8bbwe /f
      4⤵
      PID:6048
  - - C:\Windows\system32\reg.exe
      reg delete HKCR\Extensions\ContractId\Windows.Protocol\PackageId\ActiproSoftwareLLC.562882FEEB491_2.6.18.18_neutral__24pqs290vpjk0 /f
      4⤵
      PID:1328
  - - C:\Windows\system32\reg.exe
      reg delete HKCR\Extensions\ContractId\Windows.Protocol\PackageId\Microsoft.PPIProjection_10.0.15063.0_neutral_neutral_cw5n1h2txyewy /f
      4⤵
      PID:4428
  - - C:\Windows\system32\reg.exe
      reg delete HKCR\Extensions\ContractId\Windows.Protocol\PackageId\Microsoft.XboxGameCallableUI_1000.15063.0.0_neutral_neutral_cw5n1h2txyewy /f
      4⤵
      PID:4388
  - - C:\Windows\system32\reg.exe
      reg delete HKCR\Extensions\ContractId\Windows.Protocol\PackageId\Microsoft.XboxGameCallableUI_1000.16299.15.0_neutral_neutral_cw5n1h2txyewy /f
      4⤵
      PID:6060
  - - C:\Windows\system32\reg.exe
      reg delete HKCR\Extensions\ContractId\Windows.Protocol\PackageId\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe /f
      4⤵
      PID:704
  - - C:\Windows\system32\reg.exe
      reg delete HKCR\Extensions\ContractId\Windows.Protocol\PackageId\Microsoft.GetHelp_10.1706.13331.0_x64__8wekyb3d8bbwe /f
      4⤵
      PID:6004
  - - C:\Windows\system32\reg.exe
      reg delete HKCR\Extensions\ContractId\Windows.Protocol\PackageId\Microsoft.Getstarted_8.2.22942.0_x64__8wekyb3d8bbwe /f
      4⤵
      PID:4072
  - - C:\Windows\system32\reg.exe
      reg delete HKCR\Extensions\ContractId\Windows.Protocol\PackageId\Microsoft.MicrosoftEdge_44.19041.423.0_neutral__8wekyb3d8bbwe /f
      4⤵
      PID:3552
  - - C:\Windows\system32\reg.exe
      reg delete HKCR\Extensions\ContractId\Windows.Protocol\PackageId\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_x64__8wekyb3d8bbwe /f
      4⤵
      PID:4824
  - - C:\Windows\system32\reg.exe
      reg delete HKCR\Extensions\ContractId\Windows.Protocol\PackageId\Microsoft.MixedReality.Portal_2000.19081.1301.0_x64__8wekyb3d8bbwe /f
      4⤵
      PID:232
  - - C:\Windows\system32\reg.exe
      reg delete HKCR\Extensions\ContractId\Windows.Protocol\PackageId\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe /f
      4⤵
      PID:4296
  - - C:\Windows\system32\reg.exe
      reg delete HKCR\Extensions\ContractId\Windows.Protocol\PackageId\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe /f
      4⤵
      PID:6080
  - - C:\Windows\system32\reg.exe
      reg delete HKCR\Extensions\ContractId\Windows.Protocol\PackageId\Microsoft.People_10.1902.633.0_x64__8wekyb3d8bbwe /f
      4⤵
      PID:4168
  - - C:\Windows\system32\reg.exe
      reg delete HKCR\Extensions\ContractId\Windows.Protocol\PackageId\Microsoft.WindowsAlarms_10.1906.2182.0_x64__8wekyb3d8bbwe /f
      4⤵
      PID:3416
  - - C:\Windows\system32\reg.exe
      reg delete HKCR\Extensions\ContractId\Windows.Protocol\PackageId\Microsoft.WindowsCamera_2018.826.98.0_x64__8wekyb3d8bbwe /f
      4⤵
      PID:5616
  - - C:\Windows\system32\reg.exe
      reg delete HKCR\Extensions\ContractId\Windows.Protocol\PackageId\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe /f
      4⤵
      PID:388
  - - C:\Windows\system32\reg.exe
      reg delete HKCR\Extensions\ContractId\Windows.Protocol\PackageId\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe /f
      4⤵
      PID:964
  - - C:\Windows\system32\reg.exe
      reg delete HKCR\Extensions\ContractId\Windows.Protocol\PackageId\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe /f
      4⤵
      PID:5952
  - - C:\Windows\system32\reg.exe
      reg delete HKCR\Extensions\ContractId\Windows.Protocol\PackageId\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe /f
      4⤵
      PID:5392
  - - C:\Windows\system32\reg.exe
      reg delete HKCR\Extensions\ContractId\Windows.Protocol\PackageId\Microsoft.Xbox.TCUI_1.23.28002.0_x64__8wekyb3d8bbwe /f
      4⤵
      PID:2444
  - - C:\Windows\system32\reg.exe
      reg delete HKCR\Extensions\ContractId\Windows.Protocol\PackageId\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe /f
      4⤵
      PID:5432
  - - C:\Windows\system32\reg.exe
      reg delete HKCR\Extensions\ContractId\Windows.Protocol\PackageId\Microsoft.XboxGameCallableUI_1000.19041.423.0_neutral_neutral_cw5n1h2txyewy /f
      4⤵
      PID:2536
  - - C:\Windows\system32\reg.exe
      reg delete HKCR\Extensions\ContractId\Windows.Protocol\PackageId\Microsoft.XboxGameOverlay_1.46.11001.0_x64__8wekyb3d8bbwe /f
      4⤵
      PID:692
  - - C:\Windows\system32\reg.exe
      reg delete HKCR\Extensions\ContractId\Windows.Protocol\PackageId\Microsoft.XboxGamingOverlay_2.34.28001.0_x64__8wekyb3d8bbwe /f
      4⤵
      PID:3908
  - - C:\Windows\system32\reg.exe
      reg delete HKCR\Extensions\ContractId\Windows.Protocol\PackageId\Microsoft.XboxSpeechToTextOverlay_1.17.29001.0_x64__8wekyb3d8bbwe /f
      4⤵
      PID:4976
  - - C:\Windows\system32\reg.exe
      reg delete HKCR\Extensions\ContractId\Windows.Protocol\PackageId\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe /f
      4⤵
      PID:2360
  - - C:\Windows\system32\reg.exe
      reg delete HKCR\Extensions\ContractId\Windows.Protocol\PackageId\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe /f
      4⤵
      PID:6064
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe"
  2⤵
  - Blocklisted process makes network request
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID:3312
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Windows\Mitigations.bat" "
    3⤵
    PID:3948
  - - C:\Windows\system32\Dism.exe
      DISM
      4⤵
      Drops file in Windows directory
      PID:216
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      PowerShell Set-ProcessMitigation -System -Disable CFG
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious use of AdjustPrivilegeToken
      PID:5568
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c reg query "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\kernel" /v "MitigationAuditOptions"
      4⤵
      PID:5776
    - - C:\Windows\system32\reg.exe
        
        reg query "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\kernel" /v "MitigationAuditOptions"
        5⤵
        
        PID:2896
  - - C:\Windows\system32\reg.exe
      reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\kernel" /v "MitigationOptions" /t REG_BINARY /d "222222222222222222222222222222222222222222222222" /f
      4⤵
      PID:1120
  - - C:\Windows\system32\reg.exe
      reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\kernel" /v "MitigationAuditOptions" /t REG_BINARY /d "222222222222222222222222222222222222222222222222" /f
      4⤵
      PID:3256
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe"
  2⤵
  - Blocklisted process makes network request
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID:2408
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Windows\BloatwareReg.bat" "
    3⤵
    PID:4828
  - - C:\Windows\system32\reg.exe
      reg delete HKCR\Extensions\ContractId\Windows.BackgroundTasks\PackageId\46928bounde.EclipseManager_2.2.4.51_neutral__a5h4egax66k6y /f
      4⤵
      PID:1460
  - - C:\Windows\system32\reg.exe
      reg delete HKCR\Extensions\ContractId\Windows.BackgroundTasks\PackageId\ActiproSoftwareLLC.562882FEEB491_2.6.18.18_neutral__24pqs290vpjk0 /f
      4⤵
      PID:2648
  - - C:\Windows\system32\reg.exe
      reg delete HKCR\Extensions\ContractId\Windows.BackgroundTasks\PackageId\Microsoft.Windows.Search_1.14.0.19041_neutral_neutral_cw5n1h2txyewy /f
      4⤵
      PID:5528
  - - C:\Windows\system32\reg.exe
      reg delete HKCR\Extensions\ContractId\Windows.BackgroundTasks\PackageId\Microsoft.Windows.ShellExperienceHost_10.0.19041.423_neutral_neutral_cw5n1h2txyewy /f
      4⤵
      PID:5960
  - - C:\Windows\system32\reg.exe
      reg delete HKCR\Extensions\ContractId\Windows.BackgroundTasks\PackageId\Microsoft.Windows.StartMenuExperienceHost_10.0.19041.423_neutral_neutral_cw5n1h2txyewy /f
      4⤵
      PID:5544
  - - C:\Windows\system32\reg.exe
      reg delete HKCR\Extensions\ContractId\Windows.BackgroundTasks\PackageId\MicrosoftWindows.UndockedDevKit_10.0.19041.423_neutral_neutral_cw5n1h2txyewy /f
      4⤵
      PID:6112
  - - C:\Windows\system32\reg.exe
      reg delete HKCR\Extensions\ContractId\Windows.BackgroundTasks\PackageId\Microsoft.MicrosoftOfficeHub_17.7909.7600.0_x64__8wekyb3d8bbwe /f
      4⤵
      PID:5904
  - - C:\Windows\system32\reg.exe
      reg delete HKCR\Extensions\ContractId\Windows.BackgroundTasks\PackageId\Microsoft.PPIProjection_10.0.15063.0_neutral_neutral_cw5n1h2txyewy /f
      4⤵
      PID:4444
  - - C:\Windows\system32\reg.exe
      reg delete HKCR\Extensions\ContractId\Windows.BackgroundTasks\PackageId\Microsoft.XboxGameCallableUI_1000.15063.0.0_neutral_neutral_cw5n1h2txyewy /f
      4⤵
      PID:5532
  - - C:\Windows\system32\reg.exe
      reg delete HKCR\Extensions\ContractId\Windows.BackgroundTasks\PackageId\Microsoft.XboxGameCallableUI_1000.16299.15.0_neutral_neutral_cw5n1h2txyewy /f
      4⤵
      PID:4940
  - - C:\Windows\system32\reg.exe
      reg delete HKCR\Extensions\ContractId\Windows.File\PackageId\ActiproSoftwareLLC.562882FEEB491_2.6.18.18_neutral__24pqs290vpjk0 /f
      4⤵
      PID:5516
  - - C:\Windows\system32\reg.exe
      reg delete HKCR\Extensions\ContractId\Windows.Launch\PackageId\46928bounde.EclipseManager_2.2.4.51_neutral__a5h4egax66k6y /f
      4⤵
      PID:5252
  - - C:\Windows\system32\reg.exe
      reg delete HKCR\Extensions\ContractId\Windows.Launch\PackageId\Microsoft.Windows.Search_1.14.0.19041_neutral_neutral_cw5n1h2txyewy /f
      4⤵
      PID:968
  - - C:\Windows\system32\reg.exe
      reg delete HKCR\Extensions\ContractId\Windows.Launch\PackageId\Microsoft.Windows.ShellExperienceHost_10.0.19041.423_neutral_neutral_cw5n1h2txyewy /f
      4⤵
      PID:3932
  - - C:\Windows\system32\reg.exe
      reg delete HKCR\Extensions\ContractId\Windows.Launch\PackageId\Microsoft.Windows.StartMenuExperienceHost_10.0.19041.423_neutral_neutral_cw5n1h2txyewy /f
      4⤵
      PID:5704
  - - C:\Windows\system32\reg.exe
      reg delete HKCR\Extensions\ContractId\Windows.Launch\PackageId\MicrosoftWindows.UndockedDevKit_10.0.19041.423_neutral_neutral_cw5n1h2txyewy /f
      4⤵
      PID:3736
  - - C:\Windows\system32\reg.exe
      reg delete HKCR\Extensions\ContractId\Windows.Launch\PackageId\ActiproSoftwareLLC.562882FEEB491_2.6.18.18_neutral__24pqs290vpjk0 /f
      4⤵
      PID:3068
  - - C:\Windows\system32\reg.exe
      reg delete HKCR\Extensions\ContractId\Windows.Launch\PackageId\Microsoft.PPIProjection_10.0.15063.0_neutral_neutral_cw5n1h2txyewy /f
      4⤵
      PID:1916
  - - C:\Windows\system32\reg.exe
      reg delete HKCR\Extensions\ContractId\Windows.Launch\PackageId\Microsoft.XboxGameCallableUI_1000.15063.0.0_neutral_neutral_cw5n1h2txyewy /f
      4⤵
      PID:4592
  - - C:\Windows\system32\reg.exe
      reg delete HKCR\Extensions\ContractId\Windows.Launch\PackageId\Microsoft.XboxGameCallableUI_1000.16299.15.0_neutral_neutral_cw5n1h2txyewy /f
      4⤵
      PID:3688
  - - C:\Windows\system32\reg.exe
      reg delete HKCR\Extensions\ContractId\Windows.PreInstalledConfigTask\PackageId\Microsoft.MicrosoftOfficeHub_17.7909.7600.0_x64__8wekyb3d8bbwe /f
      4⤵
      PID:6012
  - - C:\Windows\system32\reg.exe
      reg delete HKCR\Extensions\ContractId\Windows.Protocol\PackageId\ActiproSoftwareLLC.562882FEEB491_2.6.18.18_neutral__24pqs290vpjk0 /f
      4⤵
      PID:5596
  - - C:\Windows\system32\reg.exe
      reg delete HKCR\Extensions\ContractId\Windows.Protocol\PackageId\Microsoft.PPIProjection_10.0.15063.0_neutral_neutral_cw5n1h2txyewy /f
      4⤵
      PID:3440
  - - C:\Windows\system32\reg.exe
      reg delete HKCR\Extensions\ContractId\Windows.Protocol\PackageId\Microsoft.XboxGameCallableUI_1000.15063.0.0_neutral_neutral_cw5n1h2txyewy /f
      4⤵
      PID:1596
  - - C:\Windows\system32\reg.exe
      reg delete HKCR\Extensions\ContractId\Windows.Protocol\PackageId\Microsoft.XboxGameCallableUI_1000.16299.15.0_neutral_neutral_cw5n1h2txyewy /f
      4⤵
      PID:3264
  - - C:\Windows\system32\reg.exe
      reg delete HKCR\Extensions\ContractId\Windows.Protocol\PackageId\Microsoft.Windows.Search_1.14.0.19041_neutral_neutral_cw5n1h2txyewy /f
      4⤵
      PID:612
  - - C:\Windows\system32\reg.exe
      reg delete HKCR\Extensions\ContractId\Windows.Protocol\PackageId\Microsoft.Windows.ShellExperienceHost_10.0.19041.423_neutral_neutral_cw5n1h2txyewy /f
      4⤵
      PID:1388
  - - C:\Windows\system32\reg.exe
      reg delete HKCR\Extensions\ContractId\Windows.ShareTarget\PackageId\ActiproSoftwareLLC.562882FEEB491_2.6.18.18_neutral__24pqs290vpjk0 /f
      4⤵
      PID:4600
  - - C:\Windows\system32\reg.exe
      reg delete HKCR\Extensions\ContractId\Windows.BackgroundTasks\PackageId\46928bounde.EclipseManager_2.2.4.51_neutral__a5h4egax66k6y /f
      4⤵
      PID:4404
  - - C:\Windows\system32\reg.exe
      reg delete HKCR\Extensions\ContractId\Windows.BackgroundTasks\PackageId\ActiproSoftwareLLC.562882FEEB491_2.6.18.18_neutral__24pqs290vpjk0 /f
      4⤵
      PID:4060
  - - C:\Windows\system32\reg.exe
      reg delete HKCR\Extensions\ContractId\Windows.BackgroundTasks\PackageId\Microsoft.MicrosoftOfficeHub_17.7909.7600.0_x64__8wekyb3d8bbwe /f
      4⤵
      PID:5612
  - - C:\Windows\system32\reg.exe
      reg delete HKCR\Extensions\ContractId\Windows.BackgroundTasks\PackageId\Microsoft.PPIProjection_10.0.15063.0_neutral_neutral_cw5n1h2txyewy /f
      4⤵
      PID:5520
  - - C:\Windows\system32\reg.exe
      reg delete HKCR\Extensions\ContractId\Windows.BackgroundTasks\PackageId\Microsoft.XboxGameCallableUI_1000.15063.0.0_neutral_neutral_cw5n1h2txyewy /f
      4⤵
      PID:704
  - - C:\Windows\system32\reg.exe
      reg delete HKCR\Extensions\ContractId\Windows.BackgroundTasks\PackageId\Microsoft.XboxGameCallableUI_1000.16299.15.0_neutral_neutral_cw5n1h2txyewy /f
      4⤵
      PID:6004
  - - C:\Windows\system32\reg.exe
      reg delete HKCR\Extensions\ContractId\Windows.BackgroundTasks\PackageId\Microsoft.Windows.Search_1.14.0.19041_neutral_neutral_cw5n1h2txyewy /f
      4⤵
      PID:6024
  - - C:\Windows\system32\reg.exe
      reg delete HKCR\Extensions\ContractId\Windows.BackgroundTasks\PackageId\Microsoft.Windows.ShellExperienceHost_10.0.19041.423_neutral_neutral_cw5n1h2txyewy /f
      4⤵
      PID:4480
  - - C:\Windows\system32\reg.exe
      reg delete HKCR\Extensions\ContractId\Windows.BackgroundTasks\PackageId\Microsoft.Windows.StartMenuExperienceHost_10.0.19041.423_neutral_neutral_cw5n1h2txyewy /f
      4⤵
      PID:6136
  - - C:\Windows\system32\reg.exe
      reg delete HKCR\Extensions\ContractId\Windows.BackgroundTasks\PackageId\MicrosoftWindows.UndockedDevKit_10.0.19041.423_neutral_neutral_cw5n1h2txyewy /f
      4⤵
      PID:232
  - - C:\Windows\system32\reg.exe
      reg delete HKCR\Extensions\ContractId\Windows.File\PackageId\ActiproSoftwareLLC.562882FEEB491_2.6.18.18_neutral__24pqs290vpjk0 /f
      4⤵
      PID:4296
  - - C:\Windows\system32\reg.exe
      reg delete HKCR\Extensions\ContractId\Windows.Launch\PackageId\46928bounde.EclipseManager_2.2.4.51_neutral__a5h4egax66k6y /f
      4⤵
      PID:4916
  - - C:\Windows\system32\reg.exe
      reg delete HKCR\Extensions\ContractId\Windows.Launch\PackageId\ActiproSoftwareLLC.562882FEEB491_2.6.18.18_neutral__24pqs290vpjk0 /f
      4⤵
      PID:6068
  - - C:\Windows\system32\reg.exe
      reg delete HKCR\Extensions\ContractId\Windows.Launch\PackageId\Microsoft.PPIProjection_10.0.15063.0_neutral_neutral_cw5n1h2txyewy /f
      4⤵
      PID:4628
  - - C:\Windows\system32\reg.exe
      reg delete HKCR\Extensions\ContractId\Windows.Launch\PackageId\Microsoft.XboxGameCallableUI_1000.15063.0.0_neutral_neutral_cw5n1h2txyewy /f
      4⤵
      PID:2888
  - - C:\Windows\system32\reg.exe
      reg delete HKCR\Extensions\ContractId\Windows.Launch\PackageId\Microsoft.XboxGameCallableUI_1000.16299.15.0_neutral_neutral_cw5n1h2txyewy /f
      4⤵
      PID:388
  - - C:\Windows\system32\reg.exe
      reg delete HKCR\Extensions\ContractId\Windows.Launch\PackageId\Microsoft.Windows.Search_1.14.0.19041_neutral_neutral_cw5n1h2txyewy /f
      4⤵
      PID:3964
  - - C:\Windows\system32\reg.exe
      reg delete HKCR\Extensions\ContractId\Windows.Launch\PackageId\Microsoft.Windows.ShellExperienceHost_10.0.19041.423_neutral_neutral_cw5n1h2txyewy /f
      4⤵
      PID:964
  - - C:\Windows\system32\reg.exe
      reg delete HKCR\Extensions\ContractId\Windows.Launch\PackageId\Microsoft.Windows.StartMenuExperienceHost_10.0.19041.423_neutral_neutral_cw5n1h2txyewy /f
      4⤵
      PID:5392
  - - C:\Windows\system32\reg.exe
      reg delete HKCR\Extensions\ContractId\Windows.Launch\PackageId\MicrosoftWindows.UndockedDevKit_10.0.19041.423_neutral_neutral_cw5n1h2txyewy /f
      4⤵
      PID:2444
  - - C:\Windows\system32\reg.exe
      reg delete HKCR\Extensions\ContractId\Windows.PreInstalledConfigTask\PackageId\Microsoft.MicrosoftOfficeHub_17.7909.7600.0_x64__8wekyb3d8bbwe /f
      4⤵
      PID:2680
  - - C:\Windows\system32\reg.exe
      reg delete HKCR\Extensions\ContractId\Windows.Protocol\PackageId\ActiproSoftwareLLC.562882FEEB491_2.6.18.18_neutral__24pqs290vpjk0 /f
      4⤵
      PID:2536
  - - C:\Windows\system32\reg.exe
      reg delete HKCR\Extensions\ContractId\Windows.Protocol\PackageId\Microsoft.PPIProjection_10.0.15063.0_neutral_neutral_cw5n1h2txyewy /f
      4⤵
      PID:1744
  - - C:\Windows\system32\reg.exe
      reg delete HKCR\Extensions\ContractId\Windows.Protocol\PackageId\Microsoft.XboxGameCallableUI_1000.15063.0.0_neutral_neutral_cw5n1h2txyewy /f
      4⤵
      PID:5276
  - - C:\Windows\system32\reg.exe
      reg delete HKCR\Extensions\ContractId\Windows.Protocol\PackageId\Microsoft.XboxGameCallableUI_1000.16299.15.0_neutral_neutral_cw5n1h2txyewy /f
      4⤵
      PID:4796
  - - C:\Windows\system32\reg.exe
      reg delete HKCR\Extensions\ContractId\Windows.Protocol\PackageId\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe /f
      4⤵
      PID:5268
  - - C:\Windows\system32\reg.exe
      reg delete HKCR\Extensions\ContractId\Windows.Protocol\PackageId\Microsoft.GetHelp_10.1706.13331.0_x64__8wekyb3d8bbwe /f
      4⤵
      PID:1440
  - - C:\Windows\system32\reg.exe
      reg delete HKCR\Extensions\ContractId\Windows.Protocol\PackageId\Microsoft.Getstarted_8.2.22942.0_x64__8wekyb3d8bbwe /f
      4⤵
      PID:4260
  - - C:\Windows\system32\reg.exe
      reg delete HKCR\Extensions\ContractId\Windows.Protocol\PackageId\Microsoft.MicrosoftEdge_44.19041.423.0_neutral__8wekyb3d8bbwe /f
      4⤵
      PID:5128
  - - C:\Windows\system32\reg.exe
      reg delete HKCR\Extensions\ContractId\Windows.Protocol\PackageId\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_x64__8wekyb3d8bbwe /f
      4⤵
      PID:528
  - - C:\Windows\system32\reg.exe
      reg delete HKCR\Extensions\ContractId\Windows.Protocol\PackageId\Microsoft.MixedReality.Portal_2000.19081.1301.0_x64__8wekyb3d8bbwe /f
      4⤵
      PID:1552
  - - C:\Windows\system32\reg.exe
      reg delete HKCR\Extensions\ContractId\Windows.Protocol\PackageId\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe /f
      4⤵
      PID:3268
  - - C:\Windows\system32\reg.exe
      reg delete HKCR\Extensions\ContractId\Windows.Protocol\PackageId\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe /f
      4⤵
      PID:3132
  - - C:\Windows\system32\reg.exe
      reg delete HKCR\Extensions\ContractId\Windows.Protocol\PackageId\Microsoft.People_10.1902.633.0_x64__8wekyb3d8bbwe /f
      4⤵
      PID:5132
  - - C:\Windows\system32\reg.exe
      reg delete HKCR\Extensions\ContractId\Windows.Protocol\PackageId\Microsoft.WindowsAlarms_10.1906.2182.0_x64__8wekyb3d8bbwe /f
      4⤵
      PID:5920
  - - C:\Windows\system32\reg.exe
      reg delete HKCR\Extensions\ContractId\Windows.Protocol\PackageId\Microsoft.WindowsCamera_2018.826.98.0_x64__8wekyb3d8bbwe /f
      4⤵
      PID:5820
  - - C:\Windows\system32\reg.exe
      reg delete HKCR\Extensions\ContractId\Windows.Protocol\PackageId\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe /f
      4⤵
      PID:4368
  - - C:\Windows\system32\reg.exe
      reg delete HKCR\Extensions\ContractId\Windows.Protocol\PackageId\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe /f
      4⤵
      PID:2216
  - - C:\Windows\system32\reg.exe
      reg delete HKCR\Extensions\ContractId\Windows.Protocol\PackageId\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe /f
      4⤵
      PID:3544
  - - C:\Windows\system32\reg.exe
      reg delete HKCR\Extensions\ContractId\Windows.Protocol\PackageId\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe /f
      4⤵
      PID:4520
  - - C:\Windows\system32\reg.exe
      reg delete HKCR\Extensions\ContractId\Windows.Protocol\PackageId\Microsoft.Xbox.TCUI_1.23.28002.0_x64__8wekyb3d8bbwe /f
      4⤵
      PID:6032
  - - C:\Windows\system32\reg.exe
      reg delete HKCR\Extensions\ContractId\Windows.Protocol\PackageId\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe /f
      4⤵
      PID:3760
  - - C:\Windows\system32\reg.exe
      reg delete HKCR\Extensions\ContractId\Windows.Protocol\PackageId\Microsoft.XboxGameCallableUI_1000.19041.423.0_neutral_neutral_cw5n1h2txyewy /f
      4⤵
      PID:4244
  - - C:\Windows\system32\reg.exe
      reg delete HKCR\Extensions\ContractId\Windows.Protocol\PackageId\Microsoft.XboxGameOverlay_1.46.11001.0_x64__8wekyb3d8bbwe /f
      4⤵
      PID:2540
  - - C:\Windows\system32\reg.exe
      reg delete HKCR\Extensions\ContractId\Windows.Protocol\PackageId\Microsoft.XboxGamingOverlay_2.34.28001.0_x64__8wekyb3d8bbwe /f
      4⤵
      PID:1924
  - - C:\Windows\system32\reg.exe
      reg delete HKCR\Extensions\ContractId\Windows.Protocol\PackageId\Microsoft.XboxSpeechToTextOverlay_1.17.29001.0_x64__8wekyb3d8bbwe /f
      4⤵
      PID:5580
  - - C:\Windows\system32\reg.exe
      reg delete HKCR\Extensions\ContractId\Windows.Protocol\PackageId\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe /f
      4⤵
      PID:5296
  - - C:\Windows\system32\reg.exe
      reg delete HKCR\Extensions\ContractId\Windows.Protocol\PackageId\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe /f
      4⤵
      PID:2756
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe"
  2⤵
  - Blocklisted process makes network request
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID:5272
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Windows\Spectre.bat" "
    3⤵
    PID:2920
  - - C:\Windows\system32\reg.exe
      Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v "FeatureSettings" /t REG_DWORD /d "1" /f
      4⤵
      PID:3136
  - - C:\Windows\system32\reg.exe
      Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v "FeatureSettingsOverride" /t REG_DWORD /d "3" /f
      4⤵
      PID:4376
  - - C:\Windows\system32\reg.exe
      Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v "FeatureSettingsOverrideMask" /t REG_DWORD /d "3" /f
      4⤵
      PID:2272
  - - C:\Windows\system32\reg.exe
      Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v "EnableCfg" /t REG_DWORD /d "0" /f
      4⤵
      PID:5784
  - - C:\Windows\system32\reg.exe
      Reg.exe add "HKLM\SYSTEM\ControlSet001\Control\Session Manager\Memory Management" /v "FeatureSettings" /t REG_DWORD /d "1" /f
      4⤵
      PID:2312
  - - C:\Windows\system32\reg.exe
      Reg.exe add "HKLM\SYSTEM\ControlSet001\Control\Session Manager\Memory Management" /v "FeatureSettingsOverride" /t REG_DWORD /d "3" /f
      4⤵
      PID:4052
  - - C:\Windows\system32\reg.exe
      Reg.exe add "HKLM\SYSTEM\ControlSet001\Control\Session Manager\Memory Management" /v "FeatureSettingsOverrideMask" /t REG_DWORD /d "3" /f
      4⤵
      PID:3428
  - - C:\Windows\system32\reg.exe
      Reg.exe add "HKLM\SYSTEM\ControlSet001\Control\Session Manager\Memory Management" /v "EnableCfg" /t REG_DWORD /d "0" /f
      4⤵
      PID:5912
  - - C:\Windows\system32\reg.exe
      Reg.exe add "HKLM\SYSTEM\ControlSet002\Control\Session Manager\Memory Management" /v "FeatureSettings" /t REG_DWORD /d "1" /f
      4⤵
      PID:5700
  - - C:\Windows\system32\reg.exe
      Reg.exe add "HKLM\SYSTEM\ControlSet002\Control\Session Manager\Memory Management" /v "FeatureSettingsOverride" /t REG_DWORD /d "3" /f
      4⤵
      PID:5712
  - - C:\Windows\system32\reg.exe
      Reg.exe add "HKLM\SYSTEM\ControlSet002\Control\Session Manager\Memory Management" /v "FeatureSettingsOverrideMask" /t REG_DWORD /d "3" /f
      4⤵
      PID:2352
  - - C:\Windows\system32\reg.exe
      Reg.exe add "HKLM\SYSTEM\ControlSet002\Control\Session Manager\Memory Management" /v "EnableCfg" /t REG_DWORD /d "0" /f
      4⤵
      PID:4008
  - - C:\Windows\system32\reg.exe
      Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\kernel" /v "DisableExceptionChainValidation" /t REG_DWORD /d "1" /f
      4⤵
      PID:3636
  - - C:\Windows\system32\reg.exe
      Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\kernel" /v "KernelSEHOPEnabled" /t REG_DWORD /d "0" /f
      4⤵
      PID:5224
  - - C:\Windows\system32\reg.exe
      Reg.exe add "HKLM\SYSTEM\ControlSet001\Control\Session Manager\kernel" /v "DisableExceptionChainValidation" /t REG_DWORD /d "1" /f
      4⤵
      PID:432
  - - C:\Windows\system32\reg.exe
      Reg.exe add "HKLM\SYSTEM\ControlSet001\Control\Session Manager\kernel" /v "KernelSEHOPEnabled" /t REG_DWORD /d "0" /f
      4⤵
      PID:5264
  - - C:\Windows\system32\reg.exe
      Reg.exe add "HKLM\SYSTEM\ControlSet002\Control\Session Manager\kernel" /v "DisableExceptionChainValidation" /t REG_DWORD /d "1" /f
      4⤵
      PID:5324
  - - C:\Windows\system32\reg.exe
      Reg.exe add "HKLM\SYSTEM\ControlSet002\Control\Session Manager\kernel" /v "KernelSEHOPEnabled" /t REG_DWORD /d "0" /f
      4⤵
      PID:400
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe"
  2⤵
  - Blocklisted process makes network request
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID:2648
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Windows\DisableMemoryCompression.bat" "
    3⤵
    PID:3840
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      PowerShell "Disable-MMAgent -MemoryCompression"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:540
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe"
  2⤵
  - Blocklisted process makes network request
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID:180
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Windows\DWM.bat" "
    3⤵
    PID:5872
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic process where name="dwm.exe" call setpriority "idle"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:6132
  - - C:\Windows\system32\reg.exe
      REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows" /v DesktopHeapLogging /t REG_DWORD /d 0 /f
      4⤵
      PID:1544
  - - C:\Windows\system32\reg.exe
      REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows" /v DwmInputUsesIoCompletionPort /t REG_DWORD /d 0 /f
      4⤵
      PID:5392
  - - C:\Windows\system32\reg.exe
      REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows" /v EnableDwmInputProcessing /t REG_DWORD /d 0 /f
      4⤵
      PID:2536
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe"
  2⤵
  - Blocklisted process makes network request
  - Drops file in Windows directory
  PID:3064
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Windows\Services.bat" "
    3⤵
    PID:5648
  - - C:\Windows\system32\reg.exe
      Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\GoogleChromeElevationService" /v "Start" /t REG_DWORD /d "4" /f
      4⤵
      PID:5684
  - - C:\Windows\system32\reg.exe
      Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\gupdate" /v "Start" /t REG_DWORD /d "4" /f
      4⤵
      PID:2476
  - - C:\Windows\system32\reg.exe
      Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\gupdatem" /v "Start" /t REG_DWORD /d "4" /f
      4⤵
      PID:856
  - - C:\Windows\system32\reg.exe
      Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\MicrosoftEdgeElevationService" /v "Start" /t REG_DWORD /d "4" /f
      4⤵
      PID:3168
  - - C:\Windows\system32\reg.exe
      Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\edgeupdate" /v "Start" /t REG_DWORD /d "4" /f
      4⤵
      PID:5848
  - - C:\Windows\system32\reg.exe
      Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\edgeupdatem" /v "Start" /t REG_DWORD /d "4" /f
      4⤵
      PID:5720
  - - C:\Windows\system32\reg.exe
      Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\MozillaMaintenance" /v "Start" /t REG_DWORD /d "4" /f
      4⤵
      PID:5828
  - - C:\Windows\system32\reg.exe
      Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\Origin Client Service" /v "Start" /t REG_DWORD /d "3" /f
      4⤵
      PID:5856
  - - C:\Windows\system32\reg.exe
      Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\Origin Web Helper Service" /v "Start" /t REG_DWORD /d "3" /f
      4⤵
      PID:4888
  - - C:\Windows\system32\reg.exe
      Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\Steam Client Service" /v "Start" /t REG_DWORD /d "3" /f
      4⤵
      PID:1964
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe"
  2⤵
  - Blocklisted process makes network request
  - Drops file in Windows directory
  PID:1272
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Windows\MouseDataQueue.bat" "
    3⤵
    PID:4276
  - - C:\Windows\system32\reg.exe
      REG ADD "HKEY_CURRENT_USER\Control Panel\Mouse" /v MouseSensitivity /t REG_SZ /d 10 /f
      4⤵
      PID:1572
  - - C:\Windows\system32\reg.exe
      REG ADD "HKEY_CURRENT_USER\Control Panel\Mouse" /v MouseSpeed /t REG_SZ /d 0 /f
      4⤵
      PID:3712
  - - C:\Windows\system32\reg.exe
      REG ADD "HKEY_CURRENT_USER\Control Panel\Mouse" /v MouseThreshold1 /t REG_SZ /d 0 /f
      4⤵
      PID:5056
  - - C:\Windows\system32\reg.exe
      REG ADD "HKEY_CURRENT_USER\Control Panel\Mouse" /v MouseThreshold2 /t REG_SZ /d 0 /f
      4⤵
      PID:3216
  - - C:\Windows\system32\reg.exe
      REG ADD "HKEY_CURRENT_USER\Control Panel\Mouse" /v MouseHoverTime /t REG_SZ /d 100 /f
      4⤵
      PID:5144
  - - C:\Windows\system32\reg.exe
      REG ADD "HKEY_CURRENT_USER\Control Panel\Mouse" /v MouseTrails /t REG_SZ /d 0 /f
      4⤵
      PID:3524
  - - C:\Windows\system32\reg.exe
      REG ADD "HKEY_CURRENT_USER\Control Panel\Mouse" /v MouseDelay /t REG_SZ /d 0 /f
      4⤵
      PID:6096
  - - C:\Windows\system32\reg.exe
      REG ADD "HKEY_CURRENT_USER\Control Panel\Mouse" /v MouseAccel /t REG_SZ /d 0 /f
      4⤵
      PID:4384
  - - C:\Windows\system32\reg.exe
      REG ADD "HKEY_CURRENT_USER\Control Panel\Mouse" /v DoubleClickSpeed /t REG_SZ /d 200 /f
      4⤵
      PID:4460
  - - C:\Windows\system32\reg.exe
      REG ADD "HKEY_CURRENT_USER\Control Panel\Mouse" /v SwapMouseButtons /t REG_SZ /d 0 /f
      4⤵
      PID:5784
  - - C:\Windows\system32\reg.exe
      REG ADD "HKEY_CURRENT_USER\Control Panel\Mouse" /v RawInput /t REG_SZ /d 1 /f
      4⤵
      PID:2404
  - - C:\Windows\system32\reg.exe
      REG ADD "HKEY_CURRENT_USER\Control Panel\Mouse" /v SnapToDefaultButton /t REG_SZ /d 0 /f
      4⤵
      PID:1364
  - - C:\Windows\system32\reg.exe
      REG ADD "HKEY_CURRENT_USER\Control Panel\Mouse" /v ActiveWindowTracking /t REG_DWORD /d 0 /f
      4⤵
      PID:2236
  - - C:\Windows\system32\reg.exe
      REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Input\Settings\ControllerProcessor\CursorSpeed" /v CursorSensitivity /t REG_DWORD /d 2710 /f
      4⤵
      PID:5216
  - - C:\Windows\system32\reg.exe
      REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Input\Settings\ControllerProcessor\CursorSpeed" /v CursorUpdateInterval /t REG_DWORD /d 1 /f
      4⤵
      PID:3972
  - - C:\Windows\system32\reg.exe
      REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Input\Settings\ControllerProcessor\CursorSpeed" /v IRRemoteNavigationDelta /t REG_DWORD /d 1 /f
      4⤵
      PID:5880
  - - C:\Windows\system32\reg.exe
      REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mouclass\Parameters" /v MouseSynchIn100ns /t REG_DWORD /d 10000000 /f
      4⤵
      PID:4732
  - - C:\Windows\system32\reg.exe
      REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mouclass\Parameters" /v MouseResolution /t REG_DWORD /d 5 /f
      4⤵
      PID:1664
  - - C:\Windows\system32\reg.exe
      REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mouclass\Parameters" /v SampleRate /t REG_DWORD /d 400 /f
      4⤵
      PID:5052
  - - C:\Windows\system32\reg.exe
      REG DELETE "HKEY_CURRENT_USER\Control Panel\Mouse" /v SmoothMouseXCurve /f
      4⤵
      PID:4420
  - - C:\Windows\system32\reg.exe
      REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mouclass\Parameters" /v MouseDataQueueSize /t REG_DWORD /d 40 /f
      4⤵
      PID:5248
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe"
  2⤵
  - Blocklisted process makes network request
  - Drops file in Windows directory
  PID:6088
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Windows\KeyboardDataQueue.bat" "
    3⤵
    PID:4444
  - - C:\Windows\system32\reg.exe
      REG ADD "HKEY_CURRENT_USER\Control Panel\Keyboard" /v KeyboardDelay /t REG_SZ /d 0 /f
      4⤵
      PID:5816
  - - C:\Windows\system32\reg.exe
      REG ADD "HKEY_CURRENT_USER\Control Panel\Keyboard" /v KeyboardSpeed /t REG_SZ /d 0 /f
      4⤵
      PID:672
  - - C:\Windows\system32\reg.exe
      REG ADD "HKEY_CURRENT_USER\Control Panel\Keyboard" /v InitialKeyboardIndicators /t REG_SZ /d 0 /f
      4⤵
      PID:5972
  - - C:\Windows\system32\reg.exe
      REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\kbdclass\Parameters" /v KeyboardDataQueueSize /t REG_DWORD /d 40 /f
      4⤵
      PID:976
  - - C:\Windows\system32\reg.exe
      REG ADD "HKEY_CURRENT_USER\Control Panel\Accessibility\Keyboard Response" /v Flags /t REG_SZ /d 27 /f
      4⤵
      PID:4404
  - - C:\Windows\system32\reg.exe
      REG ADD "HKEY_CURRENT_USER\Control Panel\Accessibility\Keyboard Response" /v DelayBeforeAcceptance /t REG_SZ /d 0 /f
      4⤵
      PID:3124
  - - C:\Windows\system32\reg.exe
      REG ADD "HKEY_CURRENT_USER\Control Panel\Accessibility\Keyboard Response" /v BounceTime /t REG_SZ /d 0 /f
      4⤵
      PID:2616
  - - C:\Windows\system32\reg.exe
      REG ADD "HKEY_CURRENT_USER\Control Panel\Accessibility\Keyboard Response" /v "Last BounceKey Setting" /t REG_DWORD /d 0 /f
      4⤵
      PID:1596
  - - C:\Windows\system32\reg.exe
      REG ADD "HKEY_CURRENT_USER\Control Panel\Accessibility\Keyboard Response" /v "Last Valid Delay" /t REG_DWORD /d 0 /f
      4⤵
      PID:3688
  - - C:\Windows\system32\reg.exe
      REG ADD "HKEY_CURRENT_USER\Control Panel\Accessibility\Keyboard Response" /v "Last Valid Repeat" /t REG_DWORD /d 0 /f
      4⤵
      PID:4392
  - - C:\Windows\system32\reg.exe
      REG ADD "HKEY_CURRENT_USER\Control Panel\Accessibility\Keyboard Response" /v "Last Valid Wait" /t REG_DWORD /d 0 /f
      4⤵
      PID:540
  - - C:\Windows\system32\reg.exe
      REG ADD "HKEY_CURRENT_USER\Control Panel\Accessibility\Keyboard Response" /v KeyboardDelay /t REG_DWORD /d 0 /f
      4⤵
      PID:1148
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe"
  2⤵
  - Blocklisted process makes network request
  - Drops file in Windows directory
  PID:5304
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Windows\8GB.bat" "
    3⤵
    PID:6132
  - - C:\Windows\system32\reg.exe
      Reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control" /v "SvcHostSplitThresholdInKB" /t REG_DWORD /d "8388608" /f
      4⤵
      PID:692
  - - C:\Windows\system32\reg.exe
      Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v "IOPageLockLimit" /t REG_DWORD /d "8388608" /f
      4⤵
      PID:5200
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe"
  2⤵
  - Blocklisted process makes network request
  - Drops file in Windows directory
  PID:4168
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Windows\NvidiaVelocity.bat" "
    3⤵
    PID:5004
  - - C:\Windows\system32\schtasks.exe
      schtasks /Change /Disable /TN "NvDriverUpdateCheckDaily_{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}"
      4⤵
      PID:2720
  - - C:\Windows\system32\schtasks.exe
      schtasks /Change /Disable /TN "NVIDIA GeForce Experience SelfUpdate_{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}"
      4⤵
      PID:856
  - - C:\Windows\system32\schtasks.exe
      schtasks /Change /Disable /TN "NvTmRep_CrashReport1_{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}"
      4⤵
      PID:3168
  - - C:\Windows\system32\schtasks.exe
      schtasks /Change /Disable /TN "NvTmRep_CrashReport2_{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}"
      4⤵
      PID:5848
  - - C:\Windows\system32\schtasks.exe
      schtasks /Change /Disable /TN "NvTmRep_CrashReport3_{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}"
      4⤵
      PID:5720
  - - C:\Windows\system32\schtasks.exe
      schtasks /Change /Disable /TN "NvTmRep_CrashReport4_{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}"
      4⤵
      PID:5828
  - - C:\Windows\system32\schtasks.exe
      schtasks /Change /Disable /TN "NvTmMon_{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}"
      4⤵
      PID:5856
  - - C:\Windows\system32\schtasks.exe
      schtasks /Change /Disable /TN "NvTmRep_{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}"
      4⤵
      PID:4888
  - - C:\Windows\system32\schtasks.exe
      schtasks /Change /Disable /TN "NvTmRepOnLogon_{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}"
      4⤵
      PID:1964
  - - C:\Windows\system32\reg.exe
      reg add "hklm\system\currentcontrolset\control\class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000" /v "perflevelsrc" /t reg_dword /d "0x00002222" /f
      4⤵
      PID:5808
  - - C:\Windows\system32\reg.exe
      reg add "hklm\system\currentcontrolset\control\class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000" /v "powermizerenable" /t reg_dword /d "00000001" /f
      4⤵
      PID:3848
  - - C:\Windows\system32\reg.exe
      reg add "hklm\system\currentcontrolset\control\class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000" /v "powermizerlevel" /t reg_dword /d "00000001" /f
      4⤵
      PID:5236
  - - C:\Windows\system32\reg.exe
      reg add "hklm\system\currentcontrolset\control\class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000" /v "powermizerlevelac" /t reg_dword /d "00000001" /f
      4⤵
      PID:4648
  - - C:\Windows\system32\reg.exe
      reg add "hklm\system\currentcontrolset\control\class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000" /v "enablecoreslowdown" /t reg_dword /d "00000000" /f
      4⤵
      PID:4260
  - - C:\Windows\system32\reg.exe
      reg add "hklm\system\currentcontrolset\control\class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000" /v "enablemclkslowdown" /t reg_dword /d "00000000" /f
      4⤵
      PID:3528
  - - C:\Windows\system32\reg.exe
      reg add "hklm\system\currentcontrolset\control\class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000" /v "enablenvclkslowdown" /t reg_dword /d "00000000" /f
      4⤵
      PID:3132
  - - C:\Windows\system32\reg.exe
      Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\nvlddmkm" /v "DisableCudaContextPreemption" /t REG_DWORD /d "1" /f
      4⤵
      PID:392
  - - C:\Windows\system32\reg.exe
      Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\nvlddmkm" /v "DisablePreemption" /t REG_DWORD /d "1" /f
      4⤵
      PID:1440
  - - C:\Windows\system32\reg.exe
      Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\nvlddmkm" /v "DisableWriteCombining" /t REG_DWORD /d "1" /f
      4⤵
      PID:5124
  - - C:\Windows\system32\reg.exe
      Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\nvlddmkm" /v "RMPcieLinkSpeed" /t REG_DWORD /d "4" /f
      4⤵
      PID:5992
  - - C:\Windows\system32\reg.exe
      Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\nvlddmkm\FTS" /v "EnableRID61684" /t REG_DWORD /d "1" /f
      4⤵
      PID:4632
  - - C:\Windows\system32\reg.exe
      Reg add "HKLM\SYSTEM\CurrentControlSet\Services\nvlddmkm\FTS" /v "EnableGR535" /t REG_DWORD /d "0" /f
      4⤵
      PID:3976
  - - C:\Windows\system32\reg.exe
      REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\NVIDIA Corporation\NvTray" /v StartOnLogin /t REG_DWORD /d 0 /f
      4⤵
      PID:440
  - - C:\Windows\system32\reg.exe
      REG ADD "HKEY_CURRENT_USER\Software\NVIDIA Corporation\Global\NVTweak" /v HideXGpuTrayIcon /t REG_DWORD /d 1 /f
      4⤵
      PID:2664
  - - C:\Windows\system32\reg.exe
      REG ADD "HKEY_CURRENT_USER\Software\NVIDIA Corporation\Global\NVTweak" /v Gestalt /t REG_DWORD /d 2 /f
      4⤵
      PID:5608
  - - C:\Windows\system32\reg.exe
      REG ADD "HKEY_CURRENT_USER\Software\NVIDIA Corporation\Global\NVTweak" /v DisplayPowerSaving /t REG_DWORD /d 0 /f
      4⤵
      PID:6040
  - - C:\Windows\system32\reg.exe
      REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\" /v RMHdcpKeyglobZero /t REG_DWORD /d 1 /f
      4⤵
      PID:2104
  - - C:\Windows\system32\reg.exe
      REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Direct3D" /v DisableVidMemVBs /t REG_DWORD /d 0 /f
      4⤵
      PID:3472
  - - C:\Windows\system32\reg.exe
      REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Direct3D\Drivers" /v SoftwareOnly /t REG_DWORD /d 0 /f
      4⤵
      PID:4484
  - - C:\Windows\system32\reg.exe
      REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Direct3D\ReferenceDevice" /v AllowAsync /t REG_DWORD /d 1 /f
      4⤵
      PID:5776
  - - C:\Windows\system32\reg.exe
      REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\DirectDraw" /v EmulationOnly /t REG_DWORD /d 0 /f
      4⤵
      PID:4104
  - - C:\Windows\system32\reg.exe
      REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\nvlddmkm\Global\NVTweak" /v DisplayPowerSaving /t REG_DWORD /d 0 /f
      4⤵
      PID:5188
  - - C:\Windows\system32\reg.exe
      REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\nvlddmkm\FTS" /v EnableGR535 /t REG_DWORD /d 0 /f
      4⤵
      PID:5884
  - - C:\Windows\system32\reg.exe
      REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\Scheduler" /v VsyncIdleTimeout /t REG_DWORD /d 0 /f
      4⤵
      PID:4252
  - - C:\Windows\system32\reg.exe
      REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\Scheduler" /v EnablePreemption /t REG_DWORD /d 0 /f
      4⤵
      PID:2312
  - - C:\Windows\system32\reg.exe
      REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\Power" /v DefaultD3TransitionLatencyActivelyUsed /t REG_DWORD /d 1 /f
      4⤵
      PID:716
  - - C:\Windows\system32\reg.exe
      REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\Power" /v DefaultD3TransitionLatencyIdleLongTime /t REG_DWORD /d 1 /f
      4⤵
      PID:1104
  - - C:\Windows\system32\reg.exe
      REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\Power" /v DefaultD3TransitionLatencyIdleMonitorOff /t REG_DWORD /d 1 /f
      4⤵
      PID:380
  - - C:\Windows\system32\reg.exe
      REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\Power" /v DefaultD3TransitionLatencyIdleShortTime /t REG_DWORD /d 1 /f
      4⤵
      PID:5740
  - - C:\Windows\system32\reg.exe
      REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\Power" /v DefaultD3TransitionLatencyIdleVeryLongTime /t REG_DWORD /d 1 /f
      4⤵
      PID:1772
  - - C:\Windows\system32\reg.exe
      REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\Power" /v DefaultD3TransitionLatencyIdleNoContext /t REG_DWORD /d 1 /f
      4⤵
      PID:3972
  - - C:\Windows\system32\reg.exe
      REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\Power" /v DefaultLatencyToleranceIdle0 /t REG_DWORD /d 1 /f
      4⤵
      PID:5880
  - - C:\Windows\system32\reg.exe
      REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\Power" /v DefaultLatencyToleranceIdle0MonitorOff /t REG_DWORD /d 1 /f
      4⤵
      PID:3660
  - - C:\Windows\system32\reg.exe
      REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\Power" /v DefaultLatencyToleranceIdle1 /t REG_DWORD /d 1 /f
      4⤵
      PID:5224
  - - C:\Windows\system32\reg.exe
      REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\Power" /v DefaultLatencyToleranceIdle1MonitorOff /t REG_DWORD /d 1 /f
      4⤵
      PID:5328
  - - C:\Windows\system32\reg.exe
      REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\Power" /v DefaultLatencyToleranceMemory /t REG_DWORD /d 1 /f
      4⤵
      PID:384
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c wmic path Win32_VideoController get PNPDeviceID| findstr /L "PCI\VEN_"
      4⤵
      PID:3576
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic path Win32_VideoController get PNPDeviceID
        5⤵
        
        PID:5072
    - - C:\Windows\system32\findstr.exe
        
        findstr /L "PCI\VEN_"
        5⤵
        
        PID:3604
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c reg query "HKLM\SYSTEM\ControlSet001\Enum\PCI\VEN_1234&DEV_1111&SUBSYS_11001AF4&REV_02\3&11583659&0&08" /v "Driver"
      4⤵
      PID:4828
    - - C:\Windows\system32\reg.exe
        
        reg query "HKLM\SYSTEM\ControlSet001\Enum\PCI\VEN_1234&DEV_1111&SUBSYS_11001AF4&REV_02\3&11583659&0&08" /v "Driver"
        5⤵
        
        PID:5980
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c echo {4d36e968-e325-11ce-bfc1-08002be10318}\0000 | findstr "{"
      4⤵
      PID:3928
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo {4d36e968-e325-11ce-bfc1-08002be10318}\0000 "
        5⤵
        
        PID:5676
    - - C:\Windows\system32\findstr.exe
        
        findstr "{"
        5⤵
        
        PID:6008
  - - C:\Windows\system32\reg.exe
      Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000" /v "RMHdcpKeyglobZero" /t REG_DWORD /d "1" /f
      4⤵
      PID:5976
  - - C:\Windows\system32\reg.exe
      REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\Power" /v DefaultLatencyToleranceNoContext /t REG_DWORD /d 1 /f
      4⤵
      PID:2500
  - - C:\Windows\system32\reg.exe
      REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\Power" /v DefaultLatencyToleranceNoContextMonitorOff /t REG_DWORD /d 1 /f
      4⤵
      PID:4348
  - - C:\Windows\system32\reg.exe
      REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\Power" /v DefaultLatencyToleranceMemoryNoContext /t REG_DWORD /d 1 /f
      4⤵
      PID:5748
  - - C:\Windows\system32\reg.exe
      REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\Power" /v DefaultLatencyToleranceOther /t REG_DWORD /d 1 /f
      4⤵
      PID:5564
  - - C:\Windows\system32\reg.exe
      REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\Power" /v DefaultLatencyToleranceTimerPeriod /t REG_DWORD /d 1 /f
      4⤵
      PID:5524
  - - C:\Windows\system32\reg.exe
      REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\Power" /v DefaultMemoryRefreshLatencyToleranceActivelyUsed /t REG_DWORD /d 1 /f
      4⤵
      PID:5704
  - - C:\Windows\system32\reg.exe
      REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\Power" /v DefaultMemoryRefreshLatencyToleranceMonitorOff /t REG_DWORD /d 1 /f
      4⤵
      PID:4592
  - - C:\Windows\system32\reg.exe
      REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\Power" /v DefaultMemoryRefreshLatencyToleranceNoContext /t REG_DWORD /d 1 /f
      4⤵
      PID:5444
  - - C:\Windows\system32\reg.exe
      REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\Power" /v Latency /t REG_DWORD /d 1 /f
      4⤵
      PID:672
  - - C:\Windows\system32\reg.exe
      REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\Power" /v MaxIAverageGraphicsLatencyInOneBucket /t REG_DWORD /d 1 /f
      4⤵
      PID:5968
  - - C:\Windows\system32\reg.exe
      REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\Power" /v MiracastPerfTrackGraphicsLatency /t REG_DWORD /d 1 /f
      4⤵
      PID:3028
  - - C:\Windows\system32\reg.exe
      REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\Power" /v MonitorLatencyTolerance /t REG_DWORD /d 1 /f
      4⤵
      PID:5964
  - - C:\Windows\system32\reg.exe
      REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\Power" /v MonitorRefreshLatencyTolerance /t REG_DWORD /d 1 /f
      4⤵
      PID:3440
  - - C:\Windows\system32\reg.exe
      REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\Power" /v TransitionLatency /t REG_DWORD /d 1 /f
      4⤵
      PID:5644
  - - C:\Windows\system32\reg.exe
      REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\Power" /v UseGpuTimer /t REG_DWORD /d 1 /f
      4⤵
      PID:5988
  - - C:\Windows\system32\reg.exe
      REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\Power" /v RmGpsPsEnablePerCpuCoreDpc /t REG_DWORD /d 1 /f
      4⤵
      PID:5252
  - - C:\Windows\system32\reg.exe
      REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\Power" /v PowerSavingTweaks /t REG_DWORD /d 0 /f
      4⤵
      PID:5320
  - - C:\Windows\system32\reg.exe
      REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\Power" /v DisableWriteCombining /t REG_DWORD /d 1 /f
      4⤵
      PID:6120
  - - C:\Windows\system32\reg.exe
      REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\Power" /v EnableRuntimePowerManagement /t REG_DWORD /d 0 /f
      4⤵
      PID:5112
  - - C:\Windows\system32\reg.exe
      REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\Power" /v PrimaryPushBufferSize /t REG_DWORD /d 1 /f
      4⤵
      PID:3996
  - - C:\Windows\system32\reg.exe
      REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\Power" /v F1TransitionLatency /t REG_DWORD /d 1 /f
      4⤵
      PID:5300
  - - C:\Windows\system32\reg.exe
      REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\Power" /v FlTransitionLatency /t REG_DWORD /d 0 /f
      4⤵
      PID:2920
  - - C:\Windows\system32\reg.exe
      REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\Power" /v D3PCLatency /t REG_DWORD /d 0 /f
      4⤵
      PID:5756
  - - C:\Windows\system32\reg.exe
      REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\Power" /v RMDeepLlEntryLatencyUsec /t REG_DWORD /d 1 /f
      4⤵
      PID:4472
  - - C:\Windows\system32\reg.exe
      REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\Power" /v RMDeepL1EntryLatencyUsec /t REG_DWORD /d 1 /f
      4⤵
      PID:5572
  - - C:\Windows\system32\reg.exe
      REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\Power" /v PciLatencyTimerControl /t REG_DWORD /d 20 /f
      4⤵
      PID:3924
  - - C:\Windows\system32\reg.exe
      REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\Power" /v Node3DLowLatency /t REG_DWORD /d 1 /f
      4⤵
      PID:6116
  - - C:\Windows\system32\reg.exe
      REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\Power" /v LOWLATENCY /t REG_DWORD /d 1 /f
      4⤵
      PID:1480
  - - C:\Windows\system32\reg.exe
      REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\Power" /v RmDisableRegistryCaching /t REG_DWORD /d 1 /f
      4⤵
      PID:1520
  - - C:\Windows\system32\reg.exe
      REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\Power" /v RMDisablePostL2Compression /t REG_DWORD /d 1 /f
      4⤵
      PID:2388
  - - C:\Windows\system32\reg.exe
      REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\MemoryManager" /v DirectFlipMemoryRequirement /t REG_DWORD /d 0 /f
      4⤵
      PID:4612
  - - C:\Windows\system32\reg.exe
      Reg add "HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000" /v "DisableDynamicPstate" /t REG_DWORD /d "1" /f
      4⤵
      PID:1016
  - - C:\Windows\system32\reg.exe
      Reg add "HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0001" /v "DisableDynamicPstate" /t REG_DWORD /d "1" /f
      4⤵
      PID:1884
  - - C:\Windows\system32\reg.exe
      Reg add "HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0002" /v "DisableDynamicPstate" /t REG_DWORD /d "1" /f
      4⤵
      PID:2168
  - - C:\Windows\system32\reg.exe
      Reg add "HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0003" /v "DisableDynamicPstate" /t REG_DWORD /d "1" /f
      4⤵
      PID:1636
  - - C:\Windows\system32\reg.exe
      Reg add "HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0004" /v "DisableDynamicPstate" /t REG_DWORD /d "1" /f
      4⤵
      PID:1500
  - - C:\Windows\system32\reg.exe
      Reg add "HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0005" /v "DisableDynamicPstate" /t REG_DWORD /d "1" /f
      4⤵
      PID:3548
  - - C:\Windows\system32\reg.exe
      Reg add "HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0006" /v "DisableDynamicPstate" /t REG_DWORD /d "1" /f
      4⤵
      PID:4400
  - - C:\Windows\system32\reg.exe
      Reg add "HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0007" /v "DisableDynamicPstate" /t REG_DWORD /d "1" /f
      4⤵
      PID:1724
  - - C:\Windows\system32\reg.exe
      Reg add "HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0008" /v "DisableDynamicPstate" /t REG_DWORD /d "1" /f
      4⤵
      PID:4016
  - - C:\Windows\system32\reg.exe
      Reg add "HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0009" /v "DisableDynamicPstate" /t REG_DWORD /d "1" /f
      4⤵
      PID:4772
  - - C:\Windows\system32\reg.exe
      REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\" /v PerfLevelSrc /t REG_DWORD /d 8738 /f
      4⤵
      PID:5876
  - - C:\Windows\system32\reg.exe
      REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\" /v PowerMizerEnable /t REG_DWORD /d 0 /f
      4⤵
      PID:3552
  - - C:\Windows\system32\reg.exe
      REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\" /v PowerMizerLevel /t REG_DWORD /d 1 /f
      4⤵
      PID:4480
  - - C:\Windows\system32\reg.exe
      REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\" /v PowerMizerLevelAC /t REG_DWORD /d 1 /f
      4⤵
      PID:5916
  - - C:\Windows\system32\reg.exe
      REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\" /v TCCSupported /t REG_DWORD /d 0 /f
      4⤵
      PID:2512
  - - C:\Windows\system32\reg.exe
      REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\nvlddmkm" /v DisableWriteCombining /t REG_DWORD /d 1 /f
      4⤵
      PID:2648
  - - C:\Windows\system32\reg.exe
      REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Avalon.Graphics" /v DisableHWAcceleration /t REG_DWORD /d 1 /f
      4⤵
      PID:5336
  - - C:\Windows\system32\reg.exe
      REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\" /v PreferSystemMemoryContiguous /t REG_DWORD /d 1 /f
      4⤵
      PID:692
  - - C:\Windows\system32\reg.exe
      REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\" /v D3PCLatency /t REG_DWORD /d 1 /f
      4⤵
      PID:5200
  - - C:\Windows\system32\reg.exe
      REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\" /v F1TransitionLatency /t REG_DWORD /d 1 /f
      4⤵
      PID:2444
  - - C:\Windows\system32\reg.exe
      REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\" /v LOWLATENCY /t REG_DWORD /d 1 /f
      4⤵
      PID:5392
  - - C:\Windows\system32\reg.exe
      REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\" /v Node3DLowLatency /t REG_DWORD /d 1 /f
      4⤵
      PID:4604
  - - C:\Windows\system32\reg.exe
      REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\" /v PciLatencyTimerControl /t REG_BINARY /d 20 /f
      4⤵
      PID:3964
  - - C:\Windows\system32\reg.exe
      REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\" /v RMDeepL1EntryLatencyUsec /t REG_DWORD /d 1 /f
      4⤵
      PID:6104
  - - C:\Windows\system32\reg.exe
      REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\" /v RmGspcMaxFtuS /t REG_DWORD /d 1 /f
      4⤵
      PID:5576
  - - C:\Windows\system32\reg.exe
      REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\" /v RmGspcMinFtuS /t REG_DWORD /d 1 /f
      4⤵
      PID:3788
  - - C:\Windows\system32\reg.exe
      REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\" /v RmGspcPerioduS /t REG_DWORD /d 1 /f
      4⤵
      PID:6068
  - - C:\Windows\system32\reg.exe
      REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\" /v RMLpwrEiIdleThresholdUs /t REG_DWORD /d 1 /f
      4⤵
      PID:1936
  - - C:\Windows\system32\reg.exe
      REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\" /v RMLpwrGrIdleThresholdUs /t REG_DWORD /d 1 /f
      4⤵
      PID:5540
  - - C:\Windows\system32\reg.exe
      REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\" /v RMLpwrGrRgIdleThresholdUs /t REG_DWORD /d 1 /f
      4⤵
      PID:2376
  - - C:\Windows\system32\reg.exe
      REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\" /v RMLpwrMsIdleThresholdUs /t REG_DWORD /d 1 /f
      4⤵
      PID:4988
  - - C:\Windows\system32\reg.exe
      REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\" /v VRDirectFlipDPCDelayUs /t REG_DWORD /d 1 /f
      4⤵
      PID:1892
  - - C:\Windows\system32\reg.exe
      REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\" /v VRDirectFlipTimingMarginUs /t REG_DWORD /d 1 /f
      4⤵
      PID:3732
  - - C:\Windows\system32\reg.exe
      REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\" /v VRDirectJITFlipMsHybridFlipDelayUs /t REG_DWORD /d 1 /f
      4⤵
      PID:4288
  - - C:\Windows\system32\reg.exe
      REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\" /v vrrCursorMarginUs /t REG_DWORD /d 1 /f
      4⤵
      PID:1716
  - - C:\Windows\system32\reg.exe
      REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\" /v vrrDeflickerMarginUs /t REG_DWORD /d 1 /f
      4⤵
      PID:5036
  - - C:\Windows\system32\reg.exe
      REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\" /v vrrDeflickerMaxUs /t REG_DWORD /d 1 /f
      4⤵
      PID:2720
  - - C:\Windows\system32\reg.exe
      REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\" /v NoFastLinkTrainingForeDP /t REG_DWORD /d 0 /f
      4⤵
      PID:5008
  - - C:\Windows\system32\reg.exe
      REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\" /v DisablePFonDP /t REG_DWORD /d 1 /f
      4⤵
      PID:1924
  - - C:\Windows\system32\reg.exe
      REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\" /v AdaptiveVsyncEnable /t REG_DWORD /d 0 /f
      4⤵
      PID:2060
  - - C:\Windows\system32\reg.exe
      REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\" /v AllowDeepCStates /t REG_DWORD /d 0 /f
      4⤵
      PID:5296
  - - C:\Windows\system32\reg.exe
      REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\" /v BuffersInFlight /t REG_DWORD /d 4096 /f
      4⤵
      PID:2756
  - - C:\Windows\system32\reg.exe
      REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\" /v ComputePreemption /t REG_DWORD /d 0 /f
      4⤵
      PID:5192
  - - C:\Windows\system32\reg.exe
      REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\" /v ComputePreemptionLevel /t REG_DWORD /d 0 /f
      4⤵
      PID:5832
  - - C:\Windows\system32\reg.exe
      REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\" /v DisableAcpPowerGating /t REG_DWORD /d 1 /f
      4⤵
      PID:2216
  - - C:\Windows\system32\reg.exe
      REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\" /v DisableAllClockGating /t REG_DWORD /d 1 /f
      4⤵
      PID:644
  - - C:\Windows\system32\reg.exe
      REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\" /v DisableAsyncPstates /t REG_DWORD /d 1 /f
      4⤵
      PID:5232
  - - C:\Windows\system32\reg.exe
      REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\" /v DisableBlockWrite /t REG_DWORD /d 0 /f
      4⤵
      PID:3096
  - - C:\Windows\system32\reg.exe
      REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\" /v DisableCpPowerGating /t REG_DWORD /d 1 /f
      4⤵
      PID:5780
  - - C:\Windows\system32\reg.exe
      REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\" /v DisableCudaContextPreemption /t REG_DWORD /d 1 /f
      4⤵
      PID:1536
  - - C:\Windows\system32\reg.exe
      REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\" /v DisableDMACopy /t REG_DWORD /d 1 /f
      4⤵
      PID:5688
  - - C:\Windows\system32\reg.exe
      REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\" /v DisableDrmdmaPowerGating /t REG_DWORD /d 1 /f
      4⤵
      PID:2008
  - - C:\Windows\system32\reg.exe
      REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\" /v DisableDynamicPstate /t REG_DWORD /d 1 /f
      4⤵
      PID:5268
  - - C:\Windows\system32\reg.exe
      REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\" /v DisableGDIAcceleration /t REG_DWORD /d 0 /f
      4⤵
      PID:180
  - - C:\Windows\system32\reg.exe
      REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\" /v DisableGDSPowerGating /t REG_DWORD /d 1 /f
      4⤵
      PID:5900
  - - C:\Windows\system32\reg.exe
      REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\" /v DisableGfxCGPowerGating /t REG_DWORD /d 1 /f
      4⤵
      PID:4184
  - - C:\Windows\system32\reg.exe
      REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\" /v DisableGfxClockGating /t REG_DWORD /d 1 /f
      4⤵
      PID:5896
  - - C:\Windows\system32\reg.exe
      REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\" /v DisableGFXPipelinePowerGating /t REG_DWORD /d 1 /f
      4⤵
      PID:1868
  - - C:\Windows\system32\reg.exe
      REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\" /v DisableGmcPowerGating /t REG_DWORD /d 1 /f
      4⤵
      PID:3004
  - - C:\Windows\system32\reg.exe
      REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\" /v DisableHdpClockPowerGating /t REG_DWORD /d 1 /f
      4⤵
      PID:1564
  - - C:\Windows\system32\reg.exe
      REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\" /v DisableHdpMGClockGating /t REG_DWORD /d 1 /f
      4⤵
      PID:1644
  - - C:\Windows\system32\reg.exe
      REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\" /v DisableKmRender /t REG_DWORD /d 0 /f
      4⤵
      PID:3668
  - - C:\Windows\system32\reg.exe
      REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\" /v DisableKmRenderBoost /t REG_DWORD /d 0 /f
      4⤵
      PID:2516
  - - C:\Windows\system32\reg.exe
      REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\" /v DisableOverclockedPstates /t REG_DWORD /d 1 /f
      4⤵
      PID:1492
  - - C:\Windows\system32\reg.exe
      REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\" /v DisablePowerGating /t REG_DWORD /d 1 /f
      4⤵
      PID:3136
  - - C:\Windows\system32\reg.exe
      REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\" /v DisablePreemption /t REG_DWORD /d 1 /f
      4⤵
      PID:740
  - - C:\Windows\system32\reg.exe
      REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\" /v DisablePreemptionOnS3S4 /t REG_DWORD /d 1 /f
      4⤵
      PID:5080
  - - C:\Windows\system32\reg.exe
      REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\" /v DisableSamuClockGating /t REG_DWORD /d 1 /f
      4⤵
      PID:6100
  - - C:\Windows\system32\reg.exe
      REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\" /v DisableSysClockGating /t REG_DWORD /d 1 /f
      4⤵
      PID:5792
  - - C:\Windows\system32\reg.exe
      REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\" /v DisableUVDPowerGating /t REG_DWORD /d 1 /f
      4⤵
      PID:4052
  - - C:\Windows\system32\reg.exe
      REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\" /v DisableVceClockGating /t REG_DWORD /d 1 /f
      4⤵
      PID:3768
  - - C:\Windows\system32\reg.exe
      REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\" /v DisableWriteCombining /t REG_DWORD /d 1 /f
      4⤵
      PID:1360
  - - C:\Windows\system32\reg.exe
      REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\" /v DisableXdmaPowerGating /t REG_DWORD /d 1 /f
      4⤵
      PID:3684
  - - C:\Windows\system32\reg.exe
      REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\" /v DisableXdmaSclkGating /t REG_DWORD /d 1 /f
      4⤵
      PID:3144
  - - C:\Windows\system32\reg.exe
      REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\" /v Disable_OverlayDSQualityEnhancement /t REG_DWORD /d 1 /f
      4⤵
      PID:5712
  - - C:\Windows\system32\reg.exe
      REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\" /v DpiMapIommuContiguous /t REG_DWORD /d 1 /f
      4⤵
      PID:4008
  - - C:\Windows\system32\reg.exe
      REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\" /v EnableAggressivePStateBoost /t REG_DWORD /d 1 /f
      4⤵
      PID:4900
  - - C:\Windows\system32\reg.exe
      REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\" /v EnableAggressivePStateOnly /t REG_DWORD /d 1 /f
      4⤵
      PID:5500
  - - C:\Windows\system32\reg.exe
      REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\" /v EnableAsyncMidBufferPreemption /t REG_DWORD /d 0 /f
      4⤵
      PID:4808
  - - C:\Windows\system32\reg.exe
      REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\" /v EnableCEPreemption /t REG_DWORD /d 0 /f
      4⤵
      PID:4608
  - - C:\Windows\system32\reg.exe
      REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\" /v EnableDirectFlip /t REG_DWORD /d 1 /f
      4⤵
      PID:5324
  - - C:\Windows\system32\reg.exe
      REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\" /v EnableIndependentFlip /t REG_DWORD /d 1 /f
      4⤵
      PID:4468
  - - C:\Windows\system32\reg.exe
      REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\" /v EnableMidBufferPreemption /t REG_DWORD /d 0 /f
      4⤵
      PID:1308
  - - C:\Windows\system32\reg.exe
      REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\" /v EnableMidBufferPreemptionForHighTdrTimeout /t REG_DWORD /d 0 /f
      4⤵
      PID:2608
  - - C:\Windows\system32\reg.exe
      REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\" /v EnableMidGfxPreemption /t REG_DWORD /d 0 /f
      4⤵
      PID:5556
  - - C:\Windows\system32\reg.exe
      REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\" /v EnableMidGfxPreemptionVGPU /t REG_DWORD /d 0 /f
      4⤵
      PID:3200
  - - C:\Windows\system32\reg.exe
      REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\" /v EnablePerformanceMode /t REG_DWORD /d 1 /f
      4⤵
      PID:5672
  - - C:\Windows\system32\reg.exe
      REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\" /v EnablePreemption /t REG_DWORD /d 0 /f
      4⤵
      PID:1080
  - - C:\Windows\system32\reg.exe
      REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\" /v EnableRuntimePowerManagement /t REG_DWORD /d 0 /f
      4⤵
      PID:812
  - - C:\Windows\system32\reg.exe
      REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\" /v EnableSCGMidBufferPreemption /t REG_DWORD /d 0 /f
      4⤵
      PID:5308
  - - C:\Windows\system32\reg.exe
      REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\" /v EnableUlps /t REG_DWORD /d 0 /f
      4⤵
      PID:6128
  - - C:\Windows\system32\reg.exe
      REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\" /v EnableVCNPreemption /t REG_DWORD /d 0 /f
      4⤵
      PID:3276
  - - C:\Windows\system32\reg.exe
      REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\" /v FlTransitionLatency /t REG_DWORD /d 0 /f
      4⤵
      PID:1156
  - - C:\Windows\system32\reg.exe
      REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\" /v GPUPreemptionLevel /t REG_DWORD /d 0 /f
      4⤵
      PID:4720
  - - C:\Windows\system32\reg.exe
      REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\" /v KMD_EnableComputePreemption /t REG_DWORD /d 0 /f
      4⤵
      PID:5636
  - - C:\Windows\system32\reg.exe
      REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\" /v KMD_EnableGfxMidCmdPreemption /t REG_DWORD /d 0 /f
      4⤵
      PID:5532
  - - C:\Windows\system32\reg.exe
      REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\" /v KMD_EnablePreemptionLogging /t REG_DWORD /d 0 /f
      4⤵
      PID:5816
  - - C:\Windows\system32\reg.exe
      REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\" /v KMD_EnableSDMAPreemption /t REG_DWORD /d 0 /f
      4⤵
      PID:3992
  - - C:\Windows\system32\reg.exe
      REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\" /v KMD_PreemptionLevelLimit /t REG_DWORD /d 0 /f
      4⤵
      PID:1484
  - - C:\Windows\system32\reg.exe
      REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\" /v MonitorLatencyTolerance /t REG_DWORD /d 1000 /f
      4⤵
      PID:5972
  - - C:\Windows\system32\reg.exe
      REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\" /v MonitorRefreshLatencyTolerance /t REG_DWORD /d 2710 /f
      4⤵
      PID:4404
  - - C:\Windows\system32\reg.exe
      REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\" /v PerfAnalyzeMidBufferPreemption /t REG_DWORD /d 0 /f
      4⤵
      PID:3124
  - - C:\Windows\system32\reg.exe
      REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\" /v PowerSavingTweaks /t REG_DWORD /d 0 /f
      4⤵
      PID:2616
  - - C:\Windows\system32\reg.exe
      REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\" /v PP_SclkDeepSleepDisable /t REG_DWORD /d 1 /f
      4⤵
      PID:1596
  - - C:\Windows\system32\reg.exe
      REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\" /v PP_ThermalAutoThrottlingEnable /t REG_DWORD /d 0 /f
      4⤵
      PID:3688
  - - C:\Windows\system32\reg.exe
      REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\" /v PrimaryPushBufferSize /t REG_DWORD /d 1 /f
      4⤵
      PID:4392
  - - C:\Windows\system32\reg.exe
      REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\" /v RmClkPowerOffDramPllWhenUnused /t REG_DWORD /d 0 /f
      4⤵
      PID:540
  - - C:\Windows\system32\reg.exe
      REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\" /v RMDeepLlEntryLatencyUsec /t REG_DWORD /d 0 /f
      4⤵
      PID:1148
  - - C:\Windows\system32\reg.exe
      REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\" /v RMDisablePostL2Compression /t REG_DWORD /d 1 /f
      4⤵
      PID:5240
  - - C:\Windows\system32\reg.exe
      REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\" /v RmDisableRegistryCaching /t REG_DWORD /d 1 /f
      4⤵
      PID:3884
  - - C:\Windows\system32\reg.exe
      REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\" /v RmFbsrPagedDMA /t REG_DWORD /d 0 /f
      4⤵
      PID:1460
  - - C:\Windows\system32\reg.exe
      REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\" /v RmGpsPsEnablePerCpuCoreDpc /t REG_DWORD /d 1 /f
      4⤵
      PID:5020
  - - C:\Windows\system32\reg.exe
      REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\" /v StutterMode /t REG_DWORD /d 0 /f
      4⤵
      PID:5668
  - - C:\Windows\system32\reg.exe
      REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\" /v UseGpuTimer /t REG_DWORD /d 1 /f
      4⤵
      PID:5072
  - - C:\Windows\system32\reg.exe
      REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\" /v DisableOverlay /t REG_DWORD /d 1 /f
      4⤵
      PID:5756
  - - C:\Windows\system32\reg.exe
      REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\" /v ENABLE_OCA_LOGGING /t REG_DWORD /d 0 /f
      4⤵
      PID:4472
  - - C:\Windows\system32\reg.exe
      REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\" /v PCIEPowerControl /t REG_DWORD /d 0 /f
      4⤵
      PID:5572
  - - C:\Windows\system32\reg.exe
      REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\" /v PCIEPowerControl_8086191f50001458 /t REG_DWORD /d 0 /f
      4⤵
      PID:3924
  - - C:\Windows\system32\reg.exe
      REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\" /v RMClkSlowDown /t REG_DWORD /d 0 /f
      4⤵
      PID:6116
  - - C:\Windows\system32\reg.exe
      REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\" /v RMDisableGpuASPMFlags /t REG_DWORD /d 1 /f
      4⤵
      PID:1480
  - - C:\Windows\system32\reg.exe
      REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\" /v RmDisableHdcp22 /t REG_DWORD /d 1 /f
      4⤵
      PID:1520
  - - C:\Windows\system32\reg.exe
      REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\" /v RMEnableASPMAtLoad /t REG_DWORD /d 0 /f
      4⤵
      PID:2388
  - - C:\Windows\system32\reg.exe
      REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\" /v RMEnableASPMDT /t REG_DWORD /d 0 /f
      4⤵
      PID:4612
  - - C:\Windows\system32\reg.exe
      REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\" /v RmMIONoPowerOff /t REG_DWORD /d 1 /f
      4⤵
      PID:1016
  - - C:\Windows\system32\reg.exe
      REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\" /v RmPerfRatedTdpLimit /t REG_DWORD /d 0 /f
      4⤵
      PID:1884
  - - C:\Windows\system32\reg.exe
      REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\" /v RMSkipHdcp22Init /t REG_DWORD /d 1 /f
      4⤵
      PID:2168
  - - C:\Windows\system32\reg.exe
      REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\" /v RmWotHdcpEnable /t REG_DWORD /d 0 /f
      4⤵
      PID:5508
  - - C:\Windows\system32\reg.exe
      REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\" /v F1TransitionLatency /t REG_DWORD /d 0 /f
      4⤵
      PID:4924
  - - C:\Windows\system32\reg.exe
      REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\" /v RMDeepL1EntryLatencyUsec /t REG_DWORD /d 0 /f
      4⤵
      PID:1636
  - - C:\Windows\system32\reg.exe
      REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\" /v EnableCoreSlowdown /t REG_DWORD /d 0 /f
      4⤵
      PID:4400
  - - C:\Windows\system32\reg.exe
      REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\" /v EnableMClkSlowdown /t REG_DWORD /d 0 /f
      4⤵
      PID:1724
  - - C:\Windows\system32\reg.exe
      REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\" /v EnableNVClkSlowdown /t REG_DWORD /d 0 /f
      4⤵
      PID:4016
  - - C:\Windows\system32\reg.exe
      REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\" /v RmDisableHwFaultBuffer /t REG_DWORD /d 1 /f
      4⤵
      PID:4772
  - - C:\Windows\system32\reg.exe
      REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\" /v KMD_EnableGDIAcceleration /t REG_DWORD /d 1 /f
      4⤵
      PID:5876
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000" /v "Acceleration.Level" /t reg_dword /d "00000000" /f
      4⤵
      PID:3552
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000" /v "DesktopStereoShortcuts" /t reg_dword /d "00000000" /f
      4⤵
      PID:4480
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000" /v "EnableCoprocPowerControl" /t reg_dword /d "00000000" /f
      4⤵
      PID:5916
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000" /v "EnableRuntimePowerManagement" /t reg_dword /d "00000000" /f
      4⤵
      PID:964
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000" /v "EnableTiledDisplay" /t reg_dword /d "00000000" /f
      4⤵
      PID:2648
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000" /v "FeatureControl" /t reg_dword /d "4" /f
      4⤵
      PID:5336
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000" /v "NVDeviceSupportKFilter" /t reg_dword /d "00000000" /f
      4⤵
      PID:692
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000" /v "PCIEPowerControl" /t reg_dword /d "00000000" /f
      4⤵
      PID:5200
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000" /v "PCIEPowerControl_8086590f79961462" /t reg_dword /d "00000000" /f
      4⤵
      PID:2680
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000" /v "PCIEPowerControl_8086590f79961462_10de1c828c961462" /t reg_dword /d "00000000" /f
      4⤵
      PID:3724
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000" /v "RmCacheLoc" /t reg_dword /d "00000000" /f
      4⤵
      PID:4604
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000" /v "RmClkPowerOffDramPllWhenUnused" /t reg_dword /d "00000000" /f
      4⤵
      PID:3964
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000" /v "RmDisableHwFaultBuffer" /t reg_dword /d "00000000" /f
      4⤵
      PID:5660
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000" /v "RmDisableInst2Sys" /t reg_dword /d "00000000" /f
      4⤵
      PID:4616
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000" /v "RmFbsrPagedDMA" /t reg_dword /d "1" /f
      4⤵
      PID:6104
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000" /v "RMGpuId" /t reg_dword /d "100" /f
      4⤵
      PID:6068
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000" /v "RmProfilingAdminOnly" /t reg_dword /d "00000000" /f
      4⤵
      PID:1936
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000" /v "TCCSupported" /t reg_dword /d "00000000" /f
      4⤵
      PID:5540
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000" /v "TrackResetEngine" /t reg_dword /d "00000000" /f
      4⤵
      PID:2376
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000" /v "UseBestResolution" /t reg_dword /d "00000000" /f
      4⤵
      PID:4988
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000" /v "ValidateBlitSubRects" /t reg_dword /d "1" /f
      4⤵
      PID:1892
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000" /v "VgaCompatible" /t reg_dword /d "00000000" /f
      4⤵
      PID:3732
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000" /v "RmFbsrPagedDMA" /t reg_dword /d "00000000" /f
      4⤵
      PID:5680
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000" /v "RmFbsrPagedDMA" /t reg_dword /d "00000000" /f
      4⤵
      PID:1716
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000" /v "RmFbsrPagedDMA" /t reg_dword /d "00000000" /f
      4⤵
      PID:5036
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000" /v "RMElcg" /t reg_dword /d "55555555" /f
      4⤵
      PID:2540
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000" /v "RMBlcg" /t reg_dword /d "11111111" /f
      4⤵
      PID:4048
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000" /v "RMElpg" /t reg_dword /d "FFF" /f
      4⤵
      PID:2720
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000" /v "RMSlcg" /t reg_dword /d "3FFFF" /f
      4⤵
      PID:2060
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000" /v "RMFspg" /t reg_dword /d "F" /f
      4⤵
      PID:5296
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\nvlddmkm" /v "AllowdGPUPassthrough" /t reg_dword /d "000000000"
      4⤵
      PID:2756
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\nvlddmkm" /v "DisableCudaContextPreemption" /t reg_dword /d "1"
      4⤵
      PID:116
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe"
  2⤵
  PID:5780
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -c "Invoke-WebRequest -Uri 'https://www.dropbox.com/scl/fi/rqcwfwopqo7hun96iqhbt/VelocityIntelPCPowerPlan.pow?rlkey=0np02hxajgrvd8g78gu48hb21&dl=1' -OutFile C:\Windows\VelocityIntelPCPowerPlan.pow"
    3⤵
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    - Drops file in Windows directory
    PID:2008
- - C:\Windows\system32\powercfg.exe
    powercfg -import "C:\Windows\VelocityIntelPCPowerPlan.pow" 99999999-9999-9999-9999-999999999999
    3⤵
    - Power Settings
    PID:3216
- - C:\Windows\system32\powercfg.exe
    powercfg -setactive 99999999-9999-9999-9999-999999999999
    3⤵
    PID:5144
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    - Delays execution with timeout.exe
    PID:6096
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe"
  2⤵
  - Blocklisted process makes network request
  - Drops file in Windows directory
  PID:3428
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Windows\DisableS.bat" "
    3⤵
    PID:5956
  - - C:\Windows\system32\sc.exe
      sc.exe config WerSvc start=disabled
      4⤵
      Launches sc.exe
      PID:5248
  - - C:\Windows\system32\sc.exe
      sc.exe config MapsBroker start=disabled
      4⤵
      Launches sc.exe
      PID:5588
  - - C:\Windows\system32\sc.exe
      sc.exe config PcaSvc start=disabled
      4⤵
      Launches sc.exe
      PID:5980
  - - C:\Windows\system32\sc.exe
      sc.exe config Spooler start=disabled
      4⤵
      Launches sc.exe
      PID:2356
  - - C:\Windows\system32\sc.exe
      sc.exe config RemoteRegistry start=disabled
      4⤵
      Launches sc.exe
      PID:5676
  - - C:\Windows\system32\sc.exe
      sc.exe config lmhosts start=disabled
      4⤵
      Launches sc.exe
      PID:6008
  - - C:\Windows\system32\sc.exe
      sc.exe config WerSvc start=disabled
      4⤵
      Launches sc.exe
      PID:2304
  - - C:\Windows\system32\sc.exe
      sc.exe config stisvc start=disabled
      4⤵
      Launches sc.exe
      PID:5568
  - - C:\Windows\system32\sc.exe
      sc.exe config lfsvc start=disabled
      4⤵
      Launches sc.exe
      PID:3276
  - - C:\Windows\system32\sc.exe
      sc.exe config WbioSrvc start=disabled
      4⤵
      Launches sc.exe
      PID:6044
  - - C:\Windows\system32\sc.exe
      sc.exe config WMPNetworkSvc start=disabled
      4⤵
      Launches sc.exe
      PID:5748
  - - C:\Windows\system32\sc.exe
      sc.exe config HvHost start=disabled
      4⤵
      Launches sc.exe
      PID:5220
  - - C:\Windows\system32\sc.exe
      sc.exe config vmickvpexchange start=disabled
      4⤵
      Launches sc.exe
      PID:5636
  - - C:\Windows\system32\sc.exe
      sc.exe config vmicguestinterface start=disabled
      4⤵
      Launches sc.exe
      PID:5532
  - - C:\Windows\system32\sc.exe
      sc.exe config vmicshutdown start=disabled
      4⤵
      Launches sc.exe
      PID:6012
  - - C:\Windows\system32\sc.exe
      sc.exe config vmicheartbeat start=disabled
      4⤵
      Launches sc.exe
      PID:4592
  - - C:\Windows\system32\sc.exe
      sc.exe config vmicvmsession start=disabled
      4⤵
      Launches sc.exe
      PID:5444
  - - C:\Windows\system32\sc.exe
      sc.exe config vmicrdv start=disabled
      4⤵
      Launches sc.exe
      PID:1352
  - - C:\Windows\system32\sc.exe
      sc.exe config vmictimesync start=disabled
      4⤵
      Launches sc.exe
      PID:5972
  - - C:\Windows\system32\sc.exe
      sc.exe config vmicvss start=disabled
      4⤵
      Launches sc.exe
      PID:1916
  - - C:\Windows\system32\sc.exe
      sc.exe config AppVClient start=disabled
      4⤵
      Launches sc.exe
      PID:3028
  - - C:\Windows\system32\sc.exe
      sc.exe config RemoteAccess start=disabled
      4⤵
      Launches sc.exe
      PID:4760
  - - C:\Windows\system32\sc.exe
      sc.exe config SCardSvr start=disabled
      4⤵
      Launches sc.exe
      PID:3440
  - - C:\Windows\system32\sc.exe
      sc.exe config UevAgentService start=disabled
      4⤵
      Launches sc.exe
      PID:2616
  - - C:\Windows\system32\sc.exe
      sc.exe config ALG start=disabled
      4⤵
      Launches sc.exe
      PID:6056
  - - C:\Windows\system32\sc.exe
      sc.exe config PeerDistSvc start=disabled
      4⤵
      Launches sc.exe
      PID:5988
  - - C:\Windows\system32\sc.exe
      sc.exe config WpcMonSvc start=disabled
      4⤵
      Launches sc.exe
      PID:880
  - - C:\Windows\system32\sc.exe
      sc.exe config RpcLocator start=disabled
      4⤵
      Launches sc.exe
      PID:968
  - - C:\Windows\system32\sc.exe
      sc.exe config RetailDemo start=disabled
      4⤵
      Launches sc.exe
      PID:1148
  - - C:\Windows\system32\sc.exe
      sc.exe config ScDeviceEnum start=disabled
      4⤵
      Launches sc.exe
      PID:920
  - - C:\Windows\system32\sc.exe
      sc.exe config SCPolicySvc start=disabled
      4⤵
      Launches sc.exe
      PID:1720
  - - C:\Windows\system32\sc.exe
      sc.exe config FrameServer start=disabled
      4⤵
      Launches sc.exe
      PID:4444
  - - C:\Windows\system32\sc.exe
      sc.exe config SNMPTRAP start=disabled
      4⤵
      Launches sc.exe
      PID:5300
  - - C:\Windows\system32\sc.exe
      sc.exe config wisvc start=disabled
      4⤵
      Launches sc.exe
      PID:4548
  - - C:\Windows\system32\sc.exe
      sc.exe config WinRM start=disabled
      4⤵
      Launches sc.exe
      PID:1456
  - - C:\Windows\system32\sc.exe
      sc.exe config fhsvc start=disabled
      4⤵
      Launches sc.exe
      PID:5072
  - - C:\Windows\system32\sc.exe
      sc.exe config NaturalAuthentication start=disabled
      4⤵
      Launches sc.exe
      PID:5756
  - - C:\Windows\system32\sc.exe
      sc.exe config SessionEnv start=disabled
      4⤵
      Launches sc.exe
      PID:4472
  - - C:\Windows\system32\sc.exe
      sc.exe config TermService start=disabled
      4⤵
      Launches sc.exe
      PID:5528
  - - C:\Windows\system32\sc.exe
      sc.exe config VSS start=disabled
      4⤵
      Launches sc.exe
      PID:4152
  - - C:\Windows\system32\sc.exe
      sc.exe config Wecsvc start=disabled
      4⤵
      Launches sc.exe
      PID:4992
  - - C:\Windows\system32\sc.exe
      sc.exe config spectrum start=disabled
      4⤵
      Launches sc.exe
      PID:6116
  - - C:\Windows\system32\reg.exe
      reg add "HKLM\SYSTEM\CurrentControlSet\Services\XtaCache" /v start /t REG_DWORD /d 2 /f
      4⤵
      PID:1396
  - - C:\Windows\system32\reg.exe
      reg add "HKLM\SOFTWARE\Microsoft\Windows\Windows Error Reporting" /v disabledd /t REG_DWORD /d 1 /f
      4⤵
      PID:1520
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe"
  2⤵
  - Blocklisted process makes network request
  - Drops file in Windows directory
  PID:1016
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Windows\All.bat" "
    3⤵
    PID:964
  - - C:\Windows\system32\reg.exe
      REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Processor" /v CPPCEnable /t REG_DWORD /d 0 /f
      4⤵
      PID:4876
  - - C:\Windows\system32\reg.exe
      REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Processor" /v AllowPepPerfStates /t REG_DWORD /d 0 /f
      4⤵
      PID:1544
  - - C:\Windows\system32\reg.exe
      REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Processor" /v Capabilities /t REG_DWORD /d 0x0007e066 /f
      4⤵
      PID:404
  - - C:\Windows\system32\reg.exe
      REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Processor" /v Cstates /t REG_DWORD /d 0 /f
      4⤵
      PID:5768
  - - C:\Windows\system32\reg.exe
      REG ADD "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Power\ModernSleep" /v CoalescingTimerInterval /t REG_DWORD /d 0 /f
      4⤵
      PID:5544
  - - C:\Windows\system32\reg.exe
      REG ADD "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Power" /v CoalescingTimerInterval /t REG_DWORD /d 0 /f
      4⤵
      PID:5812
  - - C:\Windows\system32\reg.exe
      REG ADD "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Power" /v CoalescingTimerInterval /t REG_DWORD /d 0 /f
      4⤵
      PID:2408
  - - C:\Windows\system32\reg.exe
      REG ADD "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Memory Management" /v CoalescingTimerInterval /t REG_DWORD /d 0 /f
      4⤵
      PID:5852
  - - C:\Windows\system32\reg.exe
      REG ADD "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\kernel" /v CoalescingTimerInterval /t REG_DWORD /d 0 /f
      4⤵
      PID:5952
  - - C:\Windows\system32\reg.exe
      REG ADD "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Executive" /v CoalescingTimerInterval /t REG_DWORD /d 0 /f
      4⤵
      PID:6068
  - - C:\Windows\system32\reg.exe
      REG ADD "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager" /v CoalescingTimerInterval /t REG_DWORD /d 0 /f
      4⤵
      PID:2764
  - - C:\Windows\system32\reg.exe
      REG ADD "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control" /v CoalescingTimerInterval /t REG_DWORD /d 0 /f
      4⤵
      PID:3908
  - - C:\Windows\system32\powercfg.exe
      powercfg -h off
      4⤵
      PID:4916
  - - C:\Windows\system32\reg.exe
      REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Power" /v ExitLatency /t REG_DWORD /d 1 /f
      4⤵
      PID:5244
  - - C:\Windows\system32\reg.exe
      REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Power" /v ExitLatencyCheckEnabled /t REG_DWORD /d 1 /f
      4⤵
      PID:1788
  - - C:\Windows\system32\reg.exe
      REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Power" /v Latency /t REG_DWORD /d 1 /f
      4⤵
      PID:3732
  - - C:\Windows\system32\reg.exe
      REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Power" /v LatencyToleranceDefault /t REG_DWORD /d 1 /f
      4⤵
      PID:4368
  - - C:\Windows\system32\reg.exe
      REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Power" /v LatencyToleranceFSVP /t REG_DWORD /d 1 /f
      4⤵
      PID:4244
  - - C:\Windows\system32\reg.exe
      REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Power" /v LatencyTolerancePerfOverride /t REG_DWORD /d 1 /f
      4⤵
      PID:3896
  - - C:\Windows\system32\reg.exe
      REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Power" /v LatencyToleranceScreenOffIR /t REG_DWORD /d 1 /f
      4⤵
      PID:2540
  - - C:\Windows\system32\reg.exe
      REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Power" /v LatencyToleranceVSyncEnabled /t REG_DWORD /d 1 /f
      4⤵
      PID:4048
  - - C:\Windows\system32\reg.exe
      REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Power" /v RtlCapabilityCheckLatency /t REG_DWORD /d 1 /f
      4⤵
      PID:2720
  - - C:\Windows\system32\reg.exe
      REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Power" /v PlatformAoAcOverride /t REG_DWORD /d 0 /f
      4⤵
      PID:2060
  - - C:\Windows\system32\powercfg.exe
      powercfg -delete 381b4222-f694-41f0-9685-ff5bb260df2e
      4⤵
      PID:5296
  - - C:\Windows\system32\powercfg.exe
      powercfg -delete 8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c
      4⤵
      PID:2756
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Power\PowerSettings /s /v "Attributes"|findstr HKEY_
      4⤵
      PID:3232
    - - C:\Windows\system32\reg.exe
        
        REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Power\PowerSettings /s /v "Attributes"
        5⤵
        
        PID:3572
    - - C:\Windows\system32\findstr.exe
        
        findstr HKEY_
        5⤵
        
        PID:5232
  - - C:\Windows\system32\reg.exe
      REG ADD HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Power\PowerSettings\0012ee47-9041-4b5d-9b77-535fba8b1442\0b2d69d7-a2a1-449c-9680-f91c70521c60 /v Attributes /t REG_DWORD /d 0 /f
      4⤵
      PID:6060
  - - C:\Windows\system32\reg.exe
      REG ADD HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Power\PowerSettings\0012ee47-9041-4b5d-9b77-535fba8b1442\51dea550-bb38-4bc4-991b-eacf37be5ec8 /v Attributes /t REG_DWORD /d 0 /f
      4⤵
      PID:408
  - - C:\Windows\system32\reg.exe
      REG ADD HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Power\PowerSettings\0012ee47-9041-4b5d-9b77-535fba8b1442\80e3c60e-bb94-4ad8-bbe0-0d3195efc663 /v Attributes /t REG_DWORD /d 0 /f
      4⤵
      PID:5836
  - - C:\Windows\system32\reg.exe
      REG ADD HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Power\PowerSettings\0012ee47-9041-4b5d-9b77-535fba8b1442\d3d55efd-c1ff-424e-9dc3-441be7833010 /v Attributes /t REG_DWORD /d 0 /f
      4⤵
      PID:5228
  - - C:\Windows\system32\reg.exe
      REG ADD HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Power\PowerSettings\0012ee47-9041-4b5d-9b77-535fba8b1442\d639518a-e56d-4345-8af2-b9f32fb26109 /v Attributes /t REG_DWORD /d 0 /f
      4⤵
      PID:1552
  - - C:\Windows\system32\reg.exe
      REG ADD HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Power\PowerSettings\0012ee47-9041-4b5d-9b77-535fba8b1442\dab60367-53fe-4fbc-825e-521d069d2456 /v Attributes /t REG_DWORD /d 0 /f
      4⤵
      PID:5612
  - - C:\Windows\system32\reg.exe
      REG ADD HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Power\PowerSettings\0012ee47-9041-4b5d-9b77-535fba8b1442\dbc9e238-6de9-49e3-92cd-8c2b4946b472 /v Attributes /t REG_DWORD /d 0 /f
      4⤵
      PID:412
  - - C:\Windows\system32\reg.exe
      REG ADD HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Power\PowerSettings\0012ee47-9041-4b5d-9b77-535fba8b1442\fc7372b6-ab2d-43ee-8797-15e9841f2cca /v Attributes /t REG_DWORD /d 0 /f
      4⤵
      PID:3068
  - - C:\Windows\system32\reg.exe
      REG ADD HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Power\PowerSettings\0012ee47-9041-4b5d-9b77-535fba8b1442\fc95af4d-40e7-4b6d-835a-56d131dbc80e /v Attributes /t REG_DWORD /d 0 /f
      4⤵
      PID:4820
  - - C:\Windows\system32\reg.exe
      REG ADD HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Power\PowerSettings\0d7dbae2-4294-402a-ba8e-26777e8488cd\309dce9b-bef4-4119-9921-a851fb12f0f4 /v Attributes /t REG_DWORD /d 0 /f
      4⤵
      PID:1752
  - - C:\Windows\system32\reg.exe
      REG ADD HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Power\PowerSettings\0E796BDB-100D-47D6-A2D5-F7D2DAA51F51 /v Attributes /t REG_DWORD /d 0 /f
      4⤵
      PID:5708
  - - C:\Windows\system32\reg.exe
      REG ADD HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Power\PowerSettings\238C9FA8-0AAD-41ED-83F4-97BE242C8F20\1A34BDC3-7E6B-442E-A9D0-64B6EF378E84 /v Attributes /t REG_DWORD /d 0 /f
      4⤵
      PID:5652
  - - C:\Windows\system32\reg.exe
      REG ADD HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Power\PowerSettings\238C9FA8-0AAD-41ED-83F4-97BE242C8F20\25DFA149-5DD1-4736-B5AB-E8A37B5B8187 /v Attributes /t REG_DWORD /d 0 /f
      4⤵
      PID:5896
  - - C:\Windows\system32\reg.exe
      REG ADD HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Power\PowerSettings\238C9FA8-0AAD-41ED-83F4-97BE242C8F20\29f6c1db-86da-48c5-9fdb-f2b67b1f44da /v Attributes /t REG_DWORD /d 0 /f
      4⤵
      PID:5140
  - - C:\Windows\system32\reg.exe
      REG ADD HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Power\PowerSettings\238C9FA8-0AAD-41ED-83F4-97BE242C8F20\7bc4a2f9-d8fc-4469-b07b-33eb785aaca0 /v Attributes /t REG_DWORD /d 0 /f
      4⤵
      PID:516
  - - C:\Windows\system32\reg.exe
      REG ADD HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Power\PowerSettings\238C9FA8-0AAD-41ED-83F4-97BE242C8F20\9d7815a6-7ee4-497e-8888-515a05f02364 /v Attributes /t REG_DWORD /d 0 /f
      4⤵
      PID:5124
  - - C:\Windows\system32\reg.exe
      REG ADD HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Power\PowerSettings\238C9FA8-0AAD-41ED-83F4-97BE242C8F20\A4B195F5-8225-47D8-8012-9D41369786E2 /v Attributes /t REG_DWORD /d 0 /f
      4⤵
      PID:440
  - - C:\Windows\system32\reg.exe
      REG ADD HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Power\PowerSettings\238C9FA8-0AAD-41ED-83F4-97BE242C8F20\abfc2519-3608-4c2a-94ea-171b0ed546ab /v Attributes /t REG_DWORD /d 0 /f
      4⤵
      PID:2664
  - - C:\Windows\system32\reg.exe
      REG ADD HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Power\PowerSettings\238C9FA8-0AAD-41ED-83F4-97BE242C8F20\d4c1d4c8-d5cc-43d3-b83e-fc51215cb04d /v Attributes /t REG_DWORD /d 0 /f
      4⤵
      PID:5276
  - - C:\Windows\system32\reg.exe
      REG ADD HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Power\PowerSettings\245d8541-3943-4422-b025-13a784f679b7 /v Attributes /t REG_DWORD /d 0 /f
      4⤵
      PID:2084
  - - C:\Windows\system32\reg.exe
      REG ADD HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Power\PowerSettings\2a737441-1930-4402-8d77-b2bebba308a3\0853a681-27c8-4100-a2fd-82013e970683 /v Attributes /t REG_DWORD /d 0 /f
      4⤵
      PID:3136
  - - C:\Windows\system32\reg.exe
      REG ADD HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Power\PowerSettings\2a737441-1930-4402-8d77-b2bebba308a3\498c044a-201b-4631-a522-5c744ed4e678 /v Attributes /t REG_DWORD /d 0 /f
      4⤵
      PID:4104
  - - C:\Windows\system32\reg.exe
      REG ADD HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Power\PowerSettings\2a737441-1930-4402-8d77-b2bebba308a3\d4e98f31-5ffe-4ce1-be31-1b38b384c009 /v Attributes /t REG_DWORD /d 0 /f
      4⤵
      PID:5080
  - - C:\Windows\system32\reg.exe
      REG ADD HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Power\PowerSettings\2E601130-5351-4d9d-8E04-252966BAD054\3166BC41-7E98-4e03-B34E-EC0F5F2B218E /v Attributes /t REG_DWORD /d 0 /f
      4⤵
      PID:5820
  - - C:\Windows\system32\reg.exe
      REG ADD HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Power\PowerSettings\2E601130-5351-4d9d-8E04-252966BAD054\C36F0EB4-2988-4a70-8EEE-0884FC2C2433 /v Attributes /t REG_DWORD /d 0 /f
      4⤵
      PID:3268
  - - C:\Windows\system32\reg.exe
      REG ADD HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Power\PowerSettings\2E601130-5351-4d9d-8E04-252966BAD054\C42B79AA-AA3A-484b-A98F-2CF32AA90A28 /v Attributes /t REG_DWORD /d 0 /f
      4⤵
      PID:5908
  - - C:\Windows\system32\reg.exe
      REG ADD HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Power\PowerSettings\2E601130-5351-4d9d-8E04-252966BAD054\D502F7EE-1DC7-4EFD-A55D-F04B6F5C0545 /v Attributes /t REG_DWORD /d 0 /f
      4⤵
      PID:1900
  - - C:\Windows\system32\reg.exe
      REG ADD HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Power\PowerSettings\48672F38-7A9A-4bb2-8BF8-3D85BE19DE4E\2BFC24F9-5EA2-4801-8213-3DBAE01AA39D /v Attributes /t REG_DWORD /d 0 /f
      4⤵
      PID:4252
  - - C:\Windows\system32\reg.exe
      REG ADD HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Power\PowerSettings\48672F38-7A9A-4bb2-8BF8-3D85BE19DE4E\73CDE64D-D720-4bb2-A860-C755AFE77EF2 /v Attributes /t REG_DWORD /d 0 /f
      4⤵
      PID:5780
  - - C:\Windows\system32\reg.exe
      REG ADD HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Power\PowerSettings\48672F38-7A9A-4bb2-8BF8-3D85BE19DE4E\D6BA4903-386F-4c2c-8ADB-5C21B3328D25 /v Attributes /t REG_DWORD /d 0 /f
      4⤵
      PID:5784
  - - C:\Windows\system32\reg.exe
      REG ADD HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Power\PowerSettings\4f971e89-eebd-4455-a8de-9e59040e7347\5ca83367-6e45-459f-a27b-476b1d01c936 /v Attributes /t REG_DWORD /d 0 /f
      4⤵
      PID:5216
  - - C:\Windows\system32\reg.exe
      REG ADD HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Power\PowerSettings\4f971e89-eebd-4455-a8de-9e59040e7347\7648efa3-dd9c-4e3e-b566-50f929386280 /v Attributes /t REG_DWORD /d 0 /f
      4⤵
      PID:4900
  - - C:\Windows\system32\reg.exe
      REG ADD HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Power\PowerSettings\4f971e89-eebd-4455-a8de-9e59040e7347\833a6b62-dfa4-46d1-82f8-e09e34d029d6 /v Attributes /t REG_DWORD /d 0 /f
      4⤵
      PID:3876
  - - C:\Windows\system32\reg.exe
      REG ADD HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Power\PowerSettings\4f971e89-eebd-4455-a8de-9e59040e7347\96996bc0-ad50-47ec-923b-6f41874dd9eb /v Attributes /t REG_DWORD /d 0 /f
      4⤵
      PID:4536
  - - C:\Windows\system32\reg.exe
      REG ADD HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Power\PowerSettings\4f971e89-eebd-4455-a8de-9e59040e7347\99ff10e7-23b1-4c07-a9d1-5c3206d741b4 /v Attributes /t REG_DWORD /d 0 /f
      4⤵
      PID:5552
  - - C:\Windows\system32\reg.exe
      REG ADD HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Power\PowerSettings\4faab71a-92e5-4726-b531-224559672d19 /v Attributes /t REG_DWORD /d 0 /f
      4⤵
      PID:3480
  - - C:\Windows\system32\reg.exe
      REG ADD HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Power\PowerSettings\54533251-82be-4824-96c1-47b60b740d00\06cadf0e-64ed-448a-8927-ce7bf90eb35d /v Attributes /t REG_DWORD /d 0 /f
      4⤵
      PID:4164
  - - C:\Windows\system32\reg.exe
      REG ADD HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Power\PowerSettings\54533251-82be-4824-96c1-47b60b740d00\06cadf0e-64ed-448a-8927-ce7bf90eb35e /v Attributes /t REG_DWORD /d 0 /f
      4⤵
      PID:5260
  - - C:\Windows\system32\reg.exe
      REG ADD HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Power\PowerSettings\54533251-82be-4824-96c1-47b60b740d00\0cc5b647-c1df-4637-891a-dec35c318583 /v Attributes /t REG_DWORD /d 0 /f
      4⤵
      PID:4744
  - - C:\Windows\system32\reg.exe
      REG ADD HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Power\PowerSettings\54533251-82be-4824-96c1-47b60b740d00\0cc5b647-c1df-4637-891a-dec35c318584 /v Attributes /t REG_DWORD /d 0 /f
      4⤵
      PID:2744
  - - C:\Windows\system32\reg.exe
      REG ADD HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Power\PowerSettings\54533251-82be-4824-96c1-47b60b740d00\12a0ab44-fe28-4fa9-b3bd-4b64f44960a6 /v Attributes /t REG_DWORD /d 0 /f
      4⤵
      PID:5348
  - - C:\Windows\system32\reg.exe
      REG ADD HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Power\PowerSettings\54533251-82be-4824-96c1-47b60b740d00\12a0ab44-fe28-4fa9-b3bd-4b64f44960a7 /v Attributes /t REG_DWORD /d 0 /f
      4⤵
      PID:5568
  - - C:\Windows\system32\reg.exe
      REG ADD HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Power\PowerSettings\54533251-82be-4824-96c1-47b60b740d00\1facfc65-a930-4bc5-9f38-504ec097bbc0 /v Attributes /t REG_DWORD /d 0 /f
      4⤵
      PID:1000
  - - C:\Windows\system32\reg.exe
      REG ADD HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Power\PowerSettings\54533251-82be-4824-96c1-47b60b740d00\2430ab6f-a520-44a2-9601-f7f23b5134b1 /v Attributes /t REG_DWORD /d 0 /f
      4⤵
      PID:4720
  - - C:\Windows\system32\reg.exe
      REG ADD HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Power\PowerSettings\54533251-82be-4824-96c1-47b60b740d00\2ddd5a84-5a71-437e-912a-db0b8c788732 /v Attributes /t REG_DWORD /d 0 /f
      4⤵
      PID:5220
  - - C:\Windows\system32\reg.exe
      REG ADD HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Power\PowerSettings\54533251-82be-4824-96c1-47b60b740d00\36687f9e-e3a5-4dbf-b1dc-15eb381c6863 /v Attributes /t REG_DWORD /d 0 /f
      4⤵
      PID:5636
  - - C:\Windows\system32\reg.exe
      REG ADD HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Power\PowerSettings\54533251-82be-4824-96c1-47b60b740d00\36687f9e-e3a5-4dbf-b1dc-15eb381c6864 /v Attributes /t REG_DWORD /d 0 /f
      4⤵
      PID:5816
  - - C:\Windows\system32\reg.exe
      REG ADD HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Power\PowerSettings\54533251-82be-4824-96c1-47b60b740d00\3b04d4fd-1cc7-4f23-ab1c-d1337819c4bb /v Attributes /t REG_DWORD /d 0 /f
      4⤵
      PID:5984
  - - C:\Windows\system32\reg.exe
      REG ADD HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Power\PowerSettings\54533251-82be-4824-96c1-47b60b740d00\4009efa7-e72d-4cba-9edf-91084ea8cbc3 /v Attributes /t REG_DWORD /d 0 /f
      4⤵
      PID:1484
  - - C:\Windows\system32\reg.exe
      REG ADD HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Power\PowerSettings\54533251-82be-4824-96c1-47b60b740d00\40fbefc7-2e9d-4d25-a185-0cfd8574bac6 /v Attributes /t REG_DWORD /d 0 /f
      4⤵
      PID:1352
  - - C:\Windows\system32\reg.exe
      REG ADD HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Power\PowerSettings\54533251-82be-4824-96c1-47b60b740d00\40fbefc7-2e9d-4d25-a185-0cfd8574bac7 /v Attributes /t REG_DWORD /d 0 /f
      4⤵
      PID:5596
  - - C:\Windows\system32\reg.exe
      REG ADD HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Power\PowerSettings\54533251-82be-4824-96c1-47b60b740d00\447235c7-6a8d-4cc0-8e24-9eaf70b96e2b /v Attributes /t REG_DWORD /d 0 /f
      4⤵
      PID:5088
  - - C:\Windows\system32\reg.exe
      REG ADD HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Power\PowerSettings\54533251-82be-4824-96c1-47b60b740d00\447235c7-6a8d-4cc0-8e24-9eaf70b96e2c /v Attributes /t REG_DWORD /d 0 /f
      4⤵
      PID:4024
  - - C:\Windows\system32\reg.exe
      REG ADD HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Power\PowerSettings\54533251-82be-4824-96c1-47b60b740d00\45bcc044-d885-43e2-8605-ee0ec6e96b59 /v Attributes /t REG_DWORD /d 0 /f
      4⤵
      PID:3440
  - - C:\Windows\system32\reg.exe
      REG ADD HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Power\PowerSettings\54533251-82be-4824-96c1-47b60b740d00\465e1f50-b610-473a-ab58-00d1077dc418 /v Attributes /t REG_DWORD /d 0 /f
      4⤵
      PID:4428
  - - C:\Windows\system32\reg.exe
      REG ADD HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Power\PowerSettings\54533251-82be-4824-96c1-47b60b740d00\465e1f50-b610-473a-ab58-00d1077dc419 /v Attributes /t REG_DWORD /d 0 /f
      4⤵
      PID:5604
  - - C:\Windows\system32\reg.exe
      REG ADD HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Power\PowerSettings\54533251-82be-4824-96c1-47b60b740d00\4b92d758-5a24-4851-a470-815d78aee119 /v Attributes /t REG_DWORD /d 0 /f
      4⤵
      PID:6092
  - - C:\Windows\system32\reg.exe
      REG ADD HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Power\PowerSettings\54533251-82be-4824-96c1-47b60b740d00\4bdaf4e9-d103-46d7-a5f0-6280121616ef /v Attributes /t REG_DWORD /d 0 /f
      4⤵
      PID:968
  - - C:\Windows\system32\reg.exe
      REG ADD HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Power\PowerSettings\54533251-82be-4824-96c1-47b60b740d00\4d2b0152-7d5c-498b-88e2-34345392a2c5 /v Attributes /t REG_DWORD /d 0 /f
      4⤵
      PID:5112
  - - C:\Windows\system32\reg.exe
      REG ADD HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Power\PowerSettings\54533251-82be-4824-96c1-47b60b740d00\4e4450b3-6179-4e91-b8f1-5bb9938f81a1 /v Attributes /t REG_DWORD /d 0 /f
      4⤵
      PID:3884
  - - C:\Windows\system32\reg.exe
      REG ADD HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Power\PowerSettings\54533251-82be-4824-96c1-47b60b740d00\5d76a2ca-e8c0-402f-a133-2158492d58ad /v Attributes /t REG_DWORD /d 0 /f
      4⤵
      PID:1460
  - - C:\Windows\system32\reg.exe
      REG ADD HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Power\PowerSettings\54533251-82be-4824-96c1-47b60b740d00\616cdaa5-695e-4545-97ad-97dc2d1bdd88 /v Attributes /t REG_DWORD /d 0 /f
      4⤵
      PID:5020
  - - C:\Windows\system32\reg.exe
      REG ADD HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Power\PowerSettings\54533251-82be-4824-96c1-47b60b740d00\616cdaa5-695e-4545-97ad-97dc2d1bdd89 /v Attributes /t REG_DWORD /d 0 /f
      4⤵
      PID:3256
  - - C:\Windows\system32\reg.exe
      REG ADD HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Power\PowerSettings\54533251-82be-4824-96c1-47b60b740d00\619b7505-003b-4e82-b7a6-4dd29c300971 /v Attributes /t REG_DWORD /d 0 /f
      4⤵
      PID:1456
  - - C:\Windows\system32\reg.exe
      REG ADD HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Power\PowerSettings\54533251-82be-4824-96c1-47b60b740d00\619b7505-003b-4e82-b7a6-4dd29c300972 /v Attributes /t REG_DWORD /d 0 /f
      4⤵
      PID:5072
  - - C:\Windows\system32\reg.exe
      REG ADD HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Power\PowerSettings\54533251-82be-4824-96c1-47b60b740d00\6c2993b0-8f48-481f-bcc6-00dd2742aa06 /v Attributes /t REG_DWORD /d 0 /f
      4⤵
      PID:452
  - - C:\Windows\system32\reg.exe
      REG ADD HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Power\PowerSettings\54533251-82be-4824-96c1-47b60b740d00\71021b41-c749-4d21-be74-a00f335d582b /v Attributes /t REG_DWORD /d 0 /f
      4⤵
      PID:2528
  - - C:\Windows\system32\reg.exe
      REG ADD HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Power\PowerSettings\54533251-82be-4824-96c1-47b60b740d00\75b0ae3f-bce0-45a7-8c89-c9611c25e100 /v Attributes /t REG_DWORD /d 0 /f
      4⤵
      PID:4152
  - - C:\Windows\system32\reg.exe
      REG ADD HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Power\PowerSettings\54533251-82be-4824-96c1-47b60b740d00\75b0ae3f-bce0-45a7-8c89-c9611c25e101 /v Attributes /t REG_DWORD /d 0 /f
      4⤵
      PID:2556
  - - C:\Windows\system32\reg.exe
      REG ADD HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Power\PowerSettings\54533251-82be-4824-96c1-47b60b740d00\7b224883-b3cc-4d79-819f-8374152cbe7c /v Attributes /t REG_DWORD /d 0 /f
      4⤵
      PID:5152
  - - C:\Windows\system32\reg.exe
      REG ADD HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Power\PowerSettings\54533251-82be-4824-96c1-47b60b740d00\7d24baa7-0b84-480f-840c-1b0743c00f5f /v Attributes /t REG_DWORD /d 0 /f
      4⤵
      PID:5292
  - - C:\Windows\system32\reg.exe
      REG ADD HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Power\PowerSettings\54533251-82be-4824-96c1-47b60b740d00\7d24baa7-0b84-480f-840c-1b0743c00f60 /v Attributes /t REG_DWORD /d 0 /f
      4⤵
      PID:3604
  - - C:\Windows\system32\reg.exe
      REG ADD HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Power\PowerSettings\54533251-82be-4824-96c1-47b60b740d00\7f2492b6-60b1-45e5-ae55-773f8cd5caec /v Attributes /t REG_DWORD /d 0 /f
      4⤵
      PID:3248
  - - C:\Windows\system32\reg.exe
      REG ADD HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Power\PowerSettings\54533251-82be-4824-96c1-47b60b740d00\7f2f5cfa-f10c-4823-b5e1-e93ae85f46b5 /v Attributes /t REG_DWORD /d 0 /f
      4⤵
      PID:4608
  - - C:\Windows\system32\reg.exe
      REG ADD HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Power\PowerSettings\54533251-82be-4824-96c1-47b60b740d00\893dee8e-2bef-41e0-89c6-b55d0929964d /v Attributes /t REG_DWORD /d 0 /f
      4⤵
      PID:5904
  - - C:\Windows\system32\reg.exe
      REG ADD HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Power\PowerSettings\54533251-82be-4824-96c1-47b60b740d00\8baa4a8a-14c6-4451-8e8b-14bdbd197537 /v Attributes /t REG_DWORD /d 0 /f
      4⤵
      PID:5076
  - - C:\Windows\system32\reg.exe
      REG ADD HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Power\PowerSettings\54533251-82be-4824-96c1-47b60b740d00\93b8b6dc-0698-4d1c-9ee4-0644e900c85d /v Attributes /t REG_DWORD /d 0 /f
      4⤵
      PID:1516
  - - C:\Windows\system32\reg.exe
      REG ADD HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Power\PowerSettings\54533251-82be-4824-96c1-47b60b740d00\943c8cb6-6f93-4227-ad87-e9a3feec08d1 /v Attributes /t REG_DWORD /d 0 /f
      4⤵
      PID:3540
  - - C:\Windows\system32\reg.exe
      REG ADD HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Power\PowerSettings\54533251-82be-4824-96c1-47b60b740d00\97cfac41-2217-47eb-992d-618b1977c907 /v Attributes /t REG_DWORD /d 0 /f
      4⤵
      PID:3096
  - - C:\Windows\system32\reg.exe
      REG ADD HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Power\PowerSettings\54533251-82be-4824-96c1-47b60b740d00\984cf492-3bed-4488-a8f9-4286c97bf5aa /v Attributes /t REG_DWORD /d 0 /f
      4⤵
      PID:1300
  - - C:\Windows\system32\reg.exe
      REG ADD HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Power\PowerSettings\54533251-82be-4824-96c1-47b60b740d00\984cf492-3bed-4488-a8f9-4286c97bf5ab /v Attributes /t REG_DWORD /d 0 /f
      4⤵
      PID:3592
  - - C:\Windows\system32\reg.exe
      REG ADD HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Power\PowerSettings\54533251-82be-4824-96c1-47b60b740d00\9943e905-9a30-4ec1-9b99-44dd3b76f7a2 /v Attributes /t REG_DWORD /d 0 /f
      4⤵
      PID:4248
  - - C:\Windows\system32\reg.exe
      REG ADD HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Power\PowerSettings\54533251-82be-4824-96c1-47b60b740d00\b000397d-9b0b-483d-98c9-692a6060cfbf /v Attributes /t REG_DWORD /d 0 /f
      4⤵
      PID:6084
  - - C:\Windows\system32\reg.exe
      REG ADD HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Power\PowerSettings\54533251-82be-4824-96c1-47b60b740d00\bae08b81-2d5e-4688-ad6a-13243356654b /v Attributes /t REG_DWORD /d 0 /f
      4⤵
      PID:1088
  - - C:\Windows\system32\reg.exe
      REG ADD HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Power\PowerSettings\54533251-82be-4824-96c1-47b60b740d00\bc5038f7-23e0-4960-96da-33abaf5935ed /v Attributes /t REG_DWORD /d 0 /f
      4⤵
      PID:5328
  - - C:\Windows\system32\reg.exe
      REG ADD HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Power\PowerSettings\54533251-82be-4824-96c1-47b60b740d00\be337238-0d82-4146-a960-4f3749d470c7 /v Attributes /t REG_DWORD /d 0 /f
      4⤵
      PID:1360
  - - C:\Windows\system32\reg.exe
      REG ADD HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Power\PowerSettings\54533251-82be-4824-96c1-47b60b740d00\c4581c31-89ab-4597-8e2b-9c9cab440e6b /v Attributes /t REG_DWORD /d 0 /f
      4⤵
      PID:4008
  - - C:\Windows\system32\reg.exe
      REG ADD HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Power\PowerSettings\54533251-82be-4824-96c1-47b60b740d00\c7be0679-2817-4d69-9d02-519a537ed0c6 /v Attributes /t REG_DWORD /d 0 /f
      4⤵
      PID:5740
  - - C:\Windows\system32\reg.exe
      REG ADD HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Power\PowerSettings\54533251-82be-4824-96c1-47b60b740d00\cfeda3d0-7697-4566-a922-a9086cd49dfa /v Attributes /t REG_DWORD /d 0 /f
      4⤵
      PID:5264
  - - C:\Windows\system32\reg.exe
      REG ADD HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Power\PowerSettings\54533251-82be-4824-96c1-47b60b740d00\d8edeb9b-95cf-4f95-a73c-b061973693c8 /v Attributes /t REG_DWORD /d 0 /f
      4⤵
      PID:432
  - - C:\Windows\system32\reg.exe
      REG ADD HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Power\PowerSettings\54533251-82be-4824-96c1-47b60b740d00\d8edeb9b-95cf-4f95-a73c-b061973693c9 /v Attributes /t REG_DWORD /d 0 /f
      4⤵
      PID:5700
  - - C:\Windows\system32\reg.exe
      REG ADD HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Power\PowerSettings\54533251-82be-4824-96c1-47b60b740d00\dfd10d17-d5eb-45dd-877a-9a34ddd15c82 /v Attributes /t REG_DWORD /d 0 /f
      4⤵
      PID:2312
  - - C:\Windows\system32\reg.exe
      REG ADD HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Power\PowerSettings\54533251-82be-4824-96c1-47b60b740d00\e0007330-f589-42ed-a401-5ddb10e785d3 /v Attributes /t REG_DWORD /d 0 /f
      4⤵
      PID:512
  - - C:\Windows\system32\reg.exe
      REG ADD HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Power\PowerSettings\54533251-82be-4824-96c1-47b60b740d00\ea062031-0e34-4ff1-9b6d-eb1059334028 /v Attributes /t REG_DWORD /d 0 /f
      4⤵
      PID:6088
  - - C:\Windows\system32\reg.exe
      REG ADD HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Power\PowerSettings\54533251-82be-4824-96c1-47b60b740d00\ea062031-0e34-4ff1-9b6d-eb1059334029 /v Attributes /t REG_DWORD /d 0 /f
      4⤵
      PID:3476
  - - C:\Windows\system32\reg.exe
      REG ADD HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Power\PowerSettings\54533251-82be-4824-96c1-47b60b740d00\f735a673-2066-4f80-a0c5-ddee0cf1bf5d /v Attributes /t REG_DWORD /d 0 /f
      4⤵
      PID:1564
  - - C:\Windows\system32\reg.exe
      REG ADD HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Power\PowerSettings\54533251-82be-4824-96c1-47b60b740d00\f8861c27-95e7-475c-865b-13c0cb3f9d6b /v Attributes /t REG_DWORD /d 0 /f
      4⤵
      PID:4180
  - - C:\Windows\system32\reg.exe
      REG ADD HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Power\PowerSettings\54533251-82be-4824-96c1-47b60b740d00\fddc842b-8364-4edc-94cf-c17f60de1c80 /v Attributes /t REG_DWORD /d 0 /f
      4⤵
      PID:2104
  - - C:\Windows\system32\reg.exe
      REG ADD HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Power\PowerSettings\5FB4938D-1EE8-4b0f-9A3C-5036B0AB995C\DD848B2A-8A5D-4451-9AE2-39CD41658F6C /v Attributes /t REG_DWORD /d 0 /f
      4⤵
      PID:5916
  - - C:\Windows\system32\reg.exe
      REG ADD HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Power\PowerSettings\68AFB2D9-EE95-47A8-8F50-4115088073B1 /v Attributes /t REG_DWORD /d 0 /f
      4⤵
      PID:5536
  - - C:\Windows\system32\reg.exe
      REG ADD HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Power\PowerSettings\7516b95f-f776-4464-8c53-06167f40cc99\17aaa29b-8b43-4b94-aafe-35f64daaf1ee /v Attributes /t REG_DWORD /d 0 /f
      4⤵
      PID:5200
  - - C:\Windows\system32\reg.exe
      REG ADD HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Power\PowerSettings\7516b95f-f776-4464-8c53-06167f40cc99\3c0bc021-c8a8-4e07-a973-6b14cbcb2b7e /v Attributes /t REG_DWORD /d 0 /f
      4⤵
      PID:2444
  - - C:\Windows\system32\reg.exe
      REG ADD HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Power\PowerSettings\7516b95f-f776-4464-8c53-06167f40cc99\684C3E69-A4F7-4014-8754-D45179A56167 /v Attributes /t REG_DWORD /d 0 /f
      4⤵
      PID:5100
  - - C:\Windows\system32\reg.exe
      REG ADD HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Power\PowerSettings\7516b95f-f776-4464-8c53-06167f40cc99\8EC4B3A5-6868-48c2-BE75-4F3044BE88A7 /v Attributes /t REG_DWORD /d 0 /f
      4⤵
      PID:1304
  - - C:\Windows\system32\reg.exe
      REG ADD HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Power\PowerSettings\7516b95f-f776-4464-8c53-06167f40cc99\90959d22-d6a1-49b9-af93-bce885ad335b /v Attributes /t REG_DWORD /d 0 /f
      4⤵
      PID:5576
  - - C:\Windows\system32\reg.exe
      REG ADD HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Power\PowerSettings\7516b95f-f776-4464-8c53-06167f40cc99\A9CEB8DA-CD46-44FB-A98B-02AF69DE4623 /v Attributes /t REG_DWORD /d 0 /f
      4⤵
      PID:3788
  - - C:\Windows\system32\reg.exe
      REG ADD HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Power\PowerSettings\7516b95f-f776-4464-8c53-06167f40cc99\aded5e82-b909-4619-9949-f5d71dac0bcb /v Attributes /t REG_DWORD /d 0 /f
      4⤵
      PID:4616
  - - C:\Windows\system32\reg.exe
      REG ADD HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Power\PowerSettings\7516b95f-f776-4464-8c53-06167f40cc99\f1fbfde2-a960-4165-9f88-50667911ce96 /v Attributes /t REG_DWORD /d 0 /f
      4⤵
      PID:4624
  - - C:\Windows\system32\reg.exe
      REG ADD HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Power\PowerSettings\7516b95f-f776-4464-8c53-06167f40cc99\FBD9AA66-9553-4097-BA44-ED6E9D65EAB8 /v Attributes /t REG_DWORD /d 0 /f
      4⤵
      PID:6104
  - - C:\Windows\system32\reg.exe
      REG ADD HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Power\PowerSettings\8619B916-E004-4dd8-9B66-DAE86F806698\468FE7E5-1158-46EC-88BC-5B96C9E44FD0 /v Attributes /t REG_DWORD /d 0 /f
      4⤵
      PID:2024
  - - C:\Windows\system32\reg.exe
      REG ADD HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Power\PowerSettings\8619B916-E004-4dd8-9B66-DAE86F806698\49CB11A5-56E2-4AFB-9D38-3DF47872E21B /v Attributes /t REG_DWORD /d 0 /f
      4⤵
      PID:6080
  - - C:\Windows\system32\reg.exe
      REG ADD HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Power\PowerSettings\8619B916-E004-4dd8-9B66-DAE86F806698\5ADBBFBC-074E-4da1-BA38-DB8B36B2C8F3 /v Attributes /t REG_DWORD /d 0 /f
      4⤵
      PID:4928
  - - C:\Windows\system32\reg.exe
      REG ADD HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Power\PowerSettings\8619B916-E004-4dd8-9B66-DAE86F806698\60C07FE1-0556-45CF-9903-D56E32210242 /v Attributes /t REG_DWORD /d 0 /f
      4⤵
      PID:4088
  - - C:\Windows\system32\reg.exe
      REG ADD HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Power\PowerSettings\8619B916-E004-4dd8-9B66-DAE86F806698\82011705-FB95-4D46-8D35-4042B1D20DEF /v Attributes /t REG_DWORD /d 0 /f
      4⤵
      PID:528
  - - C:\Windows\system32\reg.exe
      REG ADD HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Power\PowerSettings\8619B916-E004-4dd8-9B66-DAE86F806698\9FE527BE-1B70-48DA-930D-7BCF17B44990 /v Attributes /t REG_DWORD /d 0 /f
      4⤵
      PID:4288
  - - C:\Windows\system32\reg.exe
      REG ADD HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Power\PowerSettings\8619B916-E004-4dd8-9B66-DAE86F806698\C763EE92-71E8-4127-84EB-F6ED043A3E3D /v Attributes /t REG_DWORD /d 0 /f
      4⤵
      PID:5680
  - - C:\Windows\system32\reg.exe
      REG ADD HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Power\PowerSettings\DE830923-A562-41AF-A086-E3A2C6BAD2DA /v Attributes /t REG_DWORD /d 0 /f
      4⤵
      PID:1716
  - - C:\Windows\system32\reg.exe
      REG ADD HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Power\PowerSettings\DE830923-A562-41AF-A086-E3A2C6BAD2DA\13D09884-F74E-474A-A852-B6BDE8AD03A8 /v Attributes /t REG_DWORD /d 0 /f
      4⤵
      PID:5008
  - - C:\Windows\system32\reg.exe
      REG ADD HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Power\PowerSettings\DE830923-A562-41AF-A086-E3A2C6BAD2DA\5C5BB349-AD29-4ee2-9D0B-2B25270F7A81 /v Attributes /t REG_DWORD /d 0 /f
      4⤵
      PID:5944
  - - C:\Windows\system32\reg.exe
      REG ADD HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Power\PowerSettings\DE830923-A562-41AF-A086-E3A2C6BAD2DA\E69653CA-CF7F-4F05-AA73-CB833FA90AD4 /v Attributes /t REG_DWORD /d 0 /f
      4⤵
      PID:4696
  - - C:\Windows\system32\reg.exe
      REG ADD HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Power\PowerSettings\e73a048d-bf27-4f12-9731-8b2076e8891f\5dbb7c9f-38e9-40d2-9749-4f8a0e9f640f /v Attributes /t REG_DWORD /d 0 /f
      4⤵
      PID:3692
  - - C:\Windows\system32\reg.exe
      REG ADD HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Power\PowerSettings\e73a048d-bf27-4f12-9731-8b2076e8891f\637ea02f-bbcb-4015-8e2c-a1c7b9c0b546 /v Attributes /t REG_DWORD /d 0 /f
      4⤵
      PID:632
  - - C:\Windows\system32\reg.exe
      REG ADD HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Power\PowerSettings\e73a048d-bf27-4f12-9731-8b2076e8891f\8183ba9a-e910-48da-8769-14ae6dc1170a /v Attributes /t REG_DWORD /d 0 /f
      4⤵
      PID:4580
  - - C:\Windows\system32\reg.exe
      REG ADD HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Power\PowerSettings\e73a048d-bf27-4f12-9731-8b2076e8891f\9a66d8d7-4ff7-4ef9-b5a2-5a326ca2a469 /v Attributes /t REG_DWORD /d 0 /f
      4⤵
      PID:884
  - - C:\Windows\system32\reg.exe
      REG ADD HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Power\PowerSettings\e73a048d-bf27-4f12-9731-8b2076e8891f\bcded951-187b-4d05-bccc-f7e51960c258 /v Attributes /t REG_DWORD /d 0 /f
      4⤵
      PID:5584
  - - C:\Windows\system32\reg.exe
      REG ADD HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Power\PowerSettings\e73a048d-bf27-4f12-9731-8b2076e8891f\d8742dcb-3e6a-4b3c-b3fe-374623cdcf06 /v Attributes /t REG_DWORD /d 0 /f
      4⤵
      PID:3572
  - - C:\Windows\system32\reg.exe
      REG ADD HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Power\PowerSettings\e73a048d-bf27-4f12-9731-8b2076e8891f\F3C5027D-CD16-4930-AA6B-90DB844A8F00 /v Attributes /t REG_DWORD /d 0 /f
      4⤵
      PID:644
  - - C:\Windows\system32\reg.exe
      REG ADD HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Power\PowerSettings\F15576E8-98B7-4186-B944-EAFA664402D9 /v Attributes /t REG_DWORD /d 0 /f
      4⤵
      PID:5928
  - - C:\Windows\system32\powercfg.exe
      powercfg /setacvalueindex SCHEME_CURRENT 2a737441-1930-4402-8d77-b2bebba308a3 48e6b7a6-50f5-4782-a5d4-53bb8f07e226 0
      4⤵
      PID:4296
  - - C:\Windows\system32\powercfg.exe
      powercfg /setacvalueindex SCHEME_CURRENT 54533251-82BE-4824-96C1-47B60B740D00 4B92D758-5A24-4851-A470-815D78AEE119 100
      4⤵
      Power Settings
      PID:5316
  - - C:\Windows\system32\powercfg.exe
      powercfg /setacvalueindex SCHEME_CURRENT 54533251-82BE-4824-96C1-47B60B740D00 7B224883-B3CC-4D79-819F-8374152CBE7C 100
      4⤵
      PID:4852
  - - C:\Windows\system32\powercfg.exe
      powercfg /setacvalueindex SCHEME_CURRENT 501a4d13-42af-4429-9fd1-a8218c268e20 ee12f906-d277-404b-b6da-e5fa1a576df5 0
      4⤵
      PID:4060
  - - C:\Windows\system32\powercfg.exe
      powercfg /setacvalueindex SCHEME_CURRENT 2a737441-1930-4402-8d77-b2bebba308a3 d4e98f31-5ffe-4ce1-be31-1b38b384c009 0
      4⤵
      Power Settings
      PID:4560
  - - C:\Windows\system32\powercfg.exe
      powercfg /setacvalueindex SCHEME_CURRENT 238c9fa8-0aad-41ed-83f4-97be242c8f20 94ac6d29-73ce-41a6-809f-6363ba21b47e 0
      4⤵
      PID:4168
  - - C:\Windows\system32\powercfg.exe
      powercfg /setacvalueindex SCHEME_CURRENT 238c9fa8-0aad-41ed-83f4-97be242c8f20 bd3b718a-0680-4d9d-8ab2-e1d2b4ac806d 0
      4⤵
      Power Settings
      PID:2692
  - - C:\Windows\system32\powercfg.exe
      powercfg /setacvalueindex SCHEME_CURRENT 238c9fa8-0aad-41ed-83f4-97be242c8f20 7bc4a2f9-d8fc-4469-b07b-33eb785aaca0 0
      4⤵
      PID:5340
  - - C:\Windows\system32\powercfg.exe
      powercfg /setacvalueindex SCHEME_CURRENT 238c9fa8-0aad-41ed-83f4-97be242c8f20 abfc2519-3608-4c2a-94ea-171b0ed546ab 0
      4⤵
      PID:5832
  - - C:\Windows\system32\powercfg.exe
      powercfg /setacvalueindex SCHEME_CURRENT 2e601130-5351-4d9d-8e04-252966bad054 d502f7ee-1dc7-4efd-a55d-f04b6f5c0545 0
      4⤵
      Power Settings
      PID:1828
  - - C:\Windows\system32\powercfg.exe
      powercfg /setacvalueindex SCHEME_CURRENT 54533251-82be-4824-96c1-47b60b740d00 06cadf0e-64ed-448a-8927-ce7bf90eb35d 0
      4⤵
      PID:4632
  - - C:\Windows\system32\powercfg.exe
      powercfg /setacvalueindex SCHEME_CURRENT 54533251-82be-4824-96c1-47b60b740d00 06cadf0e-64ed-448a-8927-ce7bf90eb35e 0
      4⤵
      Power Settings
      PID:3196
  - - C:\Windows\system32\powercfg.exe
      powercfg /setacvalueindex SCHEME_CURRENT 54533251-82be-4824-96c1-47b60b740d00 3b04d4fd-1cc7-4f23-ab1c-d1337819c4bb 0
      4⤵
      Power Settings
      PID:1492
  - - C:\Windows\system32\powercfg.exe
      powercfg /setacvalueindex SCHEME_CURRENT 54533251-82be-4824-96c1-47b60b740d00 619b7505-003b-4e82-b7a6-4dd29c300971 0
      4⤵
      PID:5268
  - - C:\Windows\system32\powercfg.exe
      powercfg /setacvalueindex SCHEME_CURRENT 54533251-82be-4824-96c1-47b60b740d00 619b7505-003b-4e82-b7a6-4dd29c300972 0
      4⤵
      PID:5992
  - - C:\Windows\system32\powercfg.exe
      powercfg /setacvalueindex SCHEME_CURRENT 7516b95f-f776-4464-8c53-06167f40cc99 17aaa29b-8b43-4b94-aafe-35f64daaf1ee 0
      4⤵
      PID:3844
  - - C:\Windows\system32\powercfg.exe
      powercfg /setacvalueindex SCHEME_CURRENT 7516b95f-f776-4464-8c53-06167f40cc99 3c0bc021-c8a8-4e07-a973-6b14cbcb2b7e 0
      4⤵
      PID:3004
  - - C:\Windows\system32\powercfg.exe
      powercfg /setacvalueindex SCHEME_CURRENT e73a048d-bf27-4f12-9731-8b2076e8891f 637ea02f-bbcb-4015-8e2c-a1c7b9c0b546 0
      4⤵
      PID:1868
  - - C:\Windows\system32\powercfg.exe
      powercfg /setacvalueindex SCHEME_CURRENT fea3413e-7e05-4911-9a71-700331f1c294 68afb2d9-ee95-47a8-8f50-4115088073b1 0
      4⤵
      PID:2008
  - - C:\Windows\system32\powercfg.exe
      powercfg /setacvalueindex SCHEME_CURRENT 0012ee47-9041-4b5d-9b77-535fba8b1442 6738e2c4-e8a5-4a42-b16a-e040e769756e 0
      4⤵
      Power Settings
      PID:740
  - - C:\Windows\system32\powercfg.exe
      powercfg /setacvalueindex SCHEME_CURRENT 0012ee47-9041-4b5d-9b77-535fba8b1442 fc95af4d-40e7-4b6d-835a-56d131dbc80e 0
      4⤵
      PID:2272
  - - C:\Windows\system32\powercfg.exe
      powercfg /setacvalueindex SCHEME_CURRENT 54533251-82be-4824-96c1-47b60b740d00 bc5038f7-23e0-4960-96da-33abaf5935ed 100
      4⤵
      Power Settings
      PID:4640
  - - C:\Windows\system32\powercfg.exe
      powercfg /setacvalueindex SCHEME_CURRENT 9596fb26-9850-41fd-ac3e-f7c3c00afd4b 34c7b99f-9a6d-4b3c-8dc7-b6693b78cef4 0
      4⤵
      Power Settings
      PID:5688
  - - C:\Windows\system32\powercfg.exe
      powercfg /setacvalueindex SCHEME_CURRENT 54533251-82be-4824-96c1-47b60b740d00 a55612aa-f624-42c6-a443-7397d064c04f 0
      4⤵
      PID:3132
  - - C:\Windows\system32\powercfg.exe
      powercfg /setacvalueindex SCHEME_CURRENT 54533251-82be-4824-96c1-47b60b740d00 ea062031-0e34-4ff1-9b6d-eb1059334028 100
      4⤵
      PID:3060
  - - C:\Windows\system32\powercfg.exe
      powercfg /setacvalueindex SCHEME_CURRENT 54533251-82be-4824-96c1-47b60b740d00 be337238-0d82-4146-a960-4f3749d470c7 2
      4⤵
      PID:400
  - - C:\Windows\system32\powercfg.exe
      powercfg /setacvalueindex SCHEME_CURRENT 0012ee47-9041-4b5d-9b77-535fba8b1442 d639518a-e56d-4345-8af2-b9f32fb26109 0
      4⤵
      PID:4896
  - - C:\Windows\system32\powercfg.exe
      powercfg /setacvalueindex SCHEME_CURRENT 0012ee47-9041-4b5d-9b77-535fba8b1442 d3d55efd-c1ff-424e-9dc3-441be7833010 0
      4⤵
      PID:4568
  - - C:\Windows\system32\powercfg.exe
      powercfg /setacvalueindex SCHEME_CURRENT 0012ee47-9041-4b5d-9b77-535fba8b1442 fc7372b6-ab2d-43ee-8797-15e9841f2cca 0
      4⤵
      PID:1772
  - - C:\Windows\system32\powercfg.exe
      powercfg /setacvalueindex SCHEME_CURRENT 0d7dbae2-4294-402a-ba8e-26777e8488cd 309dce9b-bef4-4119-9921-a851fb12f0f4 1
      4⤵
      PID:3972
  - - C:\Windows\system32\powercfg.exe
      powercfg /setacvalueindex SCHEME_CURRENT 2a737441-1930-4402-8d77-b2bebba308a3 0853a681-27c8-4100-a2fd-82013e970683 0
      4⤵
      PID:3636
  - - C:\Windows\system32\powercfg.exe
      powercfg /setacvalueindex SCHEME_CURRENT e73a048d-bf27-4f12-9731-8b2076e8891f 5dbb7c9f-38e9-40d2-9749-4f8a0e9f640f 0
      4⤵
      Power Settings
      PID:2192
  - - C:\Windows\system32\powercfg.exe
      powercfg /setacvalueindex SCHEME_CURRENT 54533251-82be-4824-96c1-47b60b740d00 36687f9e-e3a5-4dbf-b1dc-15eb381c6863 0
      4⤵
      PID:5496
  - - C:\Windows\system32\powercfg.exe
      powercfg /setacvalueindex SCHEME_CURRENT 54533251-82be-4824-96c1-47b60b740d00 40fbefc7-2e9d-4d25-a185-0cfd8574bac6 2
      4⤵
      PID:3200
  - - C:\Windows\system32\powercfg.exe
      powercfg /setacvalueindex SCHEME_CURRENT 54533251-82be-4824-96c1-47b60b740d00 40fbefc7-2e9d-4d25-a185-0cfd8574bac 2
      4⤵
      Power Settings
      PID:4828
  - - C:\Windows\system32\powercfg.exe
      powercfg /setacvalueindex SCHEME_CURRENT 54533251-82be-4824-96c1-47b60b740d00 465e1f50-b610-473a-ab58-00d1077dc418 2
      4⤵
      Power Settings
      PID:5980
  - - C:\Windows\system32\powercfg.exe
      powercfg /setacvalueindex SCHEME_CURRENT 54533251-82be-4824-96c1-47b60b740d00 465e1f50-b610-473a-ab58-00d1077dc419 2
      4⤵
      PID:2356
  - - C:\Windows\system32\powercfg.exe
      powercfg /setacvalueindex SCHEME_CURRENT 54533251-82be-4824-96c1-47b60b740d00 8baa4a8a-14c6-4451-8e8b-14bdbd197537 0
      4⤵
      PID:5676
  - - C:\Windows\system32\powercfg.exe
      powercfg /setacvalueindex SCHEME_CURRENT 54533251-82be-4824-96c1-47b60b740d00 cfeda3d0-7697-4566-a922-a9086cd49dfa 0
      4⤵
      PID:6008
  - - C:\Windows\system32\powercfg.exe
      powercfg /setacvalueindex SCHEME_CURRENT 54533251-82be-4824-96c1-47b60b740d00 4e4450b3-6179-4e91-b8f1-5bb9938f81a1 0
      4⤵
      Power Settings
      PID:2304
  - - C:\Windows\system32\powercfg.exe
      powercfg /setacvalueindex SCHEME_CURRENT 4f971e89-eebd-4455-a8de-9e59040e7347 96996bc0-ad50-47ec-923b-6f41874dd9eb 0
      4⤵
      PID:4348
  - - C:\Windows\system32\powercfg.exe
      powercfg /setacvalueindex SCHEME_CURRENT 238c9fa8-0aad-41ed-83f4-97be242c8f20 25dfa149-5dd1-4736-b5ab-e8a37b5b8187 0
      4⤵
      Power Settings
      PID:1156
  - - C:\Windows\system32\powercfg.exe
      powercfg /setacvalueindex SCHEME_CURRENT 238c9fa8-0aad-41ed-83f4-97be242c8f20 94d3a615-a899-4ac5-ae2b-e4d8f634367f 1
      4⤵
      PID:5748
  - - C:\Windows\system32\powercfg.exe
      powercfg /setacvalueindex SCHEME_CURRENT 4f971e89-eebd-4455-a8de-9e59040e7347 5ca83367-6e45-459f-a27b-476b1d01c936 0
      4⤵
      PID:3932
  - - C:\Windows\system32\powercfg.exe
      powercfg /setacvalueindex SCHEME_CURRENT 19cbb8fa-5279-450e-9fac-8a3d5fedd0c1 12bbebe6-58d6-4636-95bb-3217ef867c1a 0
      4⤵
      PID:2220
  - - C:\Windows\system32\powercfg.exe
      powercfg /setacvalueindex SCHEME_CURRENT 238c9fa8-0aad-41ed-83f4-97be242c8f20 29f6c1db-86da-48c5-9fdb-f2b67b1f44da 0
      4⤵
      PID:5816
  - - C:\Windows\system32\powercfg.exe
      powercfg /setacvalueindex SCHEME_CURRENT 238c9fa8-0aad-41ed-83f4-97be242c8f20 9d7815a6-7ee4-497e-8888-515a05f02364 0
      4⤵
      Power Settings
      PID:5764
  - - C:\Windows\system32\powercfg.exe
      powercfg /setacvalueindex SCHEME_CURRENT 54533251-82be-4824-96c1-47b60b740d00 893dee8e-2bef-41e0-89c6-b55d0929964c 100
      4⤵
      Power Settings
      PID:672
  - - C:\Windows\system32\powercfg.exe
      powercfg /setacvalueindex SCHEME_CURRENT 54533251-82be-4824-96c1-47b60b740d00 bc5038f7-23e0-4960-96da-33abaf5935ec 100
      4⤵
      PID:5972
  - - C:\Windows\system32\powercfg.exe
      powercfg /setacvalueindex SCHEME_CURRENT 9596fb26-9850-41fd-ac3e-f7c3c00afd4b 03680956-93bc-4294-bba6-4e0f09bb717f 1
      4⤵
      Power Settings
      PID:3124
  - - C:\Windows\system32\powercfg.exe
      powercfg /setacvalueindex SCHEME_CURRENT 54533251-82be-4824-96c1-47b60b740d00 12a0ab44-fe28-4fa9-b3bd-4b64f44960a6 10
      4⤵
      Power Settings
      PID:5964
  - - C:\Windows\system32\powercfg.exe
      powercfg /setacvalueindex SCHEME_CURRENT 54533251-82be-4824-96c1-47b60b740d00 45bcc044-d885-43e2-8605-ee0ec6e96b59 100
      4⤵
      PID:744
  - - C:\Windows\system32\powercfg.exe
      powercfg /setacvalueindex SCHEME_CURRENT 54533251-82be-4824-96c1-47b60b740d00 4d2b0152-7d5c-498b-88e2-34345392a2c5 15
      4⤵
      PID:2616
  - - C:\Windows\system32\powercfg.exe
      powercfg /setacvalueindex SCHEME_CURRENT 54533251-82be-4824-96c1-47b60b740d00 c7be0679-2817-4d69-9d02-519a537ed0c6 0
      4⤵
      PID:3688
  - - C:\Windows\system32\powercfg.exe
      powercfg /setacvalueindex SCHEME_CURRENT 54533251-82be-4824-96c1-47b60b740d00 12a0ab44-fe28-4fa9-b3bd-4b64f44960a7 10
      4⤵
      PID:5252
  - - C:\Windows\system32\powercfg.exe
      powercfg /setacvalueindex SCHEME_CURRENT fea3413e-7e05-4911-9a71-700331f1c294 4faab71a-92e5-4726-b531-224559672d19 0
      4⤵
      Power Settings
      PID:64
  - - C:\Windows\system32\powercfg.exe
      powercfg /setacvalueindex SCHEME_CURRENT fea3413e-7e05-4911-9a71-700331f1c294 f15576e8-98b7-4186-b944-eafa664402d9 1
      4⤵
      Power Settings
      PID:1148
  - - C:\Windows\system32\powercfg.exe
      powercfg /setacvalueindex SCHEME_CURRENT 0012ee47-9041-4b5d-9b77-535fba8b1442 0b2d69d7-a2a1-449c-9680-f91c70521c60 0
      4⤵
      PID:1320
  - - C:\Windows\system32\powercfg.exe
      powercfg /setacvalueindex SCHEME_CURRENT 0012ee47-9041-4b5d-9b77-535fba8b1442 51dea550-bb38-4bc4-991b-eacf37be5ec8 100
      4⤵
      PID:1720
  - - C:\Windows\system32\powercfg.exe
      powercfg /setacvalueindex SCHEME_CURRENT 0012ee47-9041-4b5d-9b77-535fba8b1442 80e3c60e-bb94-4ad8-bbe0-0d3195efc663 0
      4⤵
      PID:3148
  - - C:\Windows\system32\powercfg.exe
      powercfg /setacvalueindex SCHEME_CURRENT 0012ee47-9041-4b5d-9b77-535fba8b1442 dab60367-53fe-4fbc-825e-521d069d2456 0
      4⤵
      PID:2920
  - - C:\Windows\system32\powercfg.exe
      powercfg /setacvalueindex SCHEME_CURRENT 0012ee47-9041-4b5d-9b77-535fba8b1442 dbc9e238-6de9-49e3-92cd-8c2b4946b472 0
      4⤵
      PID:5844
  - - C:\Windows\system32\powercfg.exe
      powercfg /setacvalueindex SCHEME_CURRENT 02f815b5-a5cf-4c84-bf20-649d1f75d3d8 4c793e7d-a264-42e1-87d3-7a0d2f523ccd 1
      4⤵
      PID:2896
  - - C:\Windows\system32\powercfg.exe
      powercfg /setacvalueindex SCHEME_CURRENT 238c9fa8-0aad-41ed-83f4-97be242c8f20 1a34bdc3-7e6b-442e-a9d0-64b6ef378e84 0
      4⤵
      Power Settings
      PID:5756
  - - C:\Windows\system32\powercfg.exe
      powercfg /setacvalueindex SCHEME_CURRENT 238c9fa8-0aad-41ed-83f4-97be242c8f20 a4b195f5-8225-47d8-8012-9d41369786e2 1
      4⤵
      Power Settings
      PID:4472
  - - C:\Windows\system32\powercfg.exe
      powercfg /setacvalueindex SCHEME_CURRENT 238c9fa8-0aad-41ed-83f4-97be242c8f20 d4c1d4c8-d5cc-43d3-b83e-fc51215cb04d 0
      4⤵
      PID:3924
  - - C:\Windows\system32\powercfg.exe
      powercfg /setacvalueindex SCHEME_CURRENT 2e601130-5351-4d9d-8e04-252966bad054 c36f0eb4-2988-4a70-8eee-0884fc2c2433 0
      4⤵
      PID:4152
  - - C:\Windows\system32\powercfg.exe
      powercfg /setacvalueindex SCHEME_CURRENT 2e601130-5351-4d9d-8e04-252966bad054 c42b79aa-aa3a-484b-a98f-2cf32aa90a28 0
      4⤵
      PID:4360
  - - C:\Windows\system32\powercfg.exe
      powercfg /setacvalueindex SCHEME_CURRENT 54533251-82be-4824-96c1-47b60b740d00 0cc5b647-c1df-4637-891a-dec35c318583 100
      4⤵
      Power Settings
      PID:1480
  - - C:\Windows\system32\powercfg.exe
      powercfg /setacvalueindex SCHEME_CURRENT 54533251-82be-4824-96c1-47b60b740d00 0cc5b647-c1df-4637-891a-dec35c318584 100
      4⤵
      PID:3576
  - - C:\Windows\system32\powercfg.exe
      powercfg /setacvalueindex SCHEME_CURRENT 54533251-82be-4824-96c1-47b60b740d00 36687f9e-e3a5-4dbf-b1dc-15eb381c6864 0
      4⤵
      PID:2860
  - - C:\Windows\system32\powercfg.exe
      powercfg /setacvalueindex SCHEME_CURRENT 54533251-82be-4824-96c1-47b60b740d00 465e1f50-b610-473a-ab58-00d1077dc419 3
      4⤵
      PID:3248
  - - C:\Windows\system32\powercfg.exe
      powercfg /setacvalueindex SCHEME_CURRENT 54533251-82be-4824-96c1-47b60b740d00 6c2993b0-8f48-481f-bcc6-00dd2742aa06 0
      4⤵
      PID:4608
  - - C:\Windows\system32\powercfg.exe
      powercfg /setacvalueindex SCHEME_CURRENT 54533251-82be-4824-96c1-47b60b740d00 75b0ae3f-bce0-45a7-8c89-c9611c25e100 0
      4⤵
      Power Settings
      PID:5904
  - - C:\Windows\system32\powercfg.exe
      powercfg /setacvalueindex SCHEME_CURRENT 54533251-82be-4824-96c1-47b60b740d00 75b0ae3f-bce0-45a7-8c89-c9611c25e101 0
      4⤵
      Power Settings
      PID:5076
  - - C:\Windows\system32\powercfg.exe
      powercfg /setacvalueindex SCHEME_CURRENT 54533251-82be-4824-96c1-47b60b740d00 893dee8e-2bef-41e0-89c6-b55d0929964d 100
      4⤵
      Power Settings
      PID:1516
  - - C:\Windows\system32\powercfg.exe
      powercfg /setacvalueindex SCHEME_CURRENT 54533251-82be-4824-96c1-47b60b740d00 97cfac41-2217-47eb-992d-618b1977c907 0
      4⤵
      Power Settings
      PID:3540
  - - C:\Windows\system32\powercfg.exe
      powercfg /setacvalueindex SCHEME_CURRENT 54533251-82be-4824-96c1-47b60b740d00 ea062031-0e34-4ff1-9b6d-eb1059334029 100
      4⤵
      PID:3096
  - - C:\Windows\system32\powercfg.exe
      powercfg /setacvalueindex SCHEME_CURRENT 5fb4938d-1ee8-4b0f-9a3c-5036b0ab995c dd848b2a-8a5d-4451-9ae2-39cd41658f6c 0
      4⤵
      PID:1300
  - - C:\Windows\system32\powercfg.exe
      powercfg /setacvalueindex SCHEME_CURRENT 7516b95f-f776-4464-8c53-06167f40cc99 684c3e69-a4f7-4014-8754-d45179a56167 1
      4⤵
      PID:3592
  - - C:\Windows\system32\powercfg.exe
      powercfg /setacvalueindex SCHEME_CURRENT 8619b916-e004-4dd8-9b66-dae86f806698 468fe7e5-1158-46ec-88bc-5b96c9e44fd0 0
      4⤵
      PID:4248
  - - C:\Windows\system32\powercfg.exe
      powercfg /setacvalueindex SCHEME_CURRENT 8619b916-e004-4dd8-9b66-dae86f806698 49cb11a5-56e2-4afb-9d38-3df47872e21b 0
      4⤵
      PID:6084
  - - C:\Windows\system32\powercfg.exe
      powercfg /setacvalueindex SCHEME_CURRENT 8619b916-e004-4dd8-9b66-dae86f806698 60c07fe1-0556-45cf-9903-d56e32210242 0
      4⤵
      PID:1088
  - - C:\Windows\system32\powercfg.exe
      powercfg /setacvalueindex SCHEME_CURRENT 8619b916-e004-4dd8-9b66-dae86f806698 82011705-fb95-4d46-8d35-4042b1d20def 0
      4⤵
      PID:5328
  - - C:\Windows\system32\powercfg.exe
      powercfg /setacvalueindex SCHEME_CURRENT 8619b916-e004-4dd8-9b66-dae86f806698 9fe527be-1b70-48da-930d-7bcf17b44990 0
      4⤵
      PID:3144
  - - C:\Windows\system32\powercfg.exe
      powercfg /setacvalueindex SCHEME_CURRENT 8619b916-e004-4dd8-9b66-dae86f806698 c763ee92-71e8-4127-84eb-f6ed043a3e3d 0
      4⤵
      PID:5500
  - - C:\Windows\system32\powercfg.exe
      powercfg /setacvalueindex SCHEME_CURRENT 8619b916-e004-4dd8-9b66-dae86f806698 10778347-1370-4ee0-8bbd-33bdacaade49 1
      4⤵
      Power Settings
      PID:5740
  - - C:\Windows\system32\powercfg.exe
      powercfg /setacvalueindex SCHEME_CURRENT de830923-a562-41af-a086-e3a2c6bad2da 5c5bb349-ad29-4ee2-9d0b-2b25270f7a81 0
      4⤵
      PID:5264
  - - C:\Windows\system32\powercfg.exe
      powercfg /setacvalueindex SCHEME_CURRENT 54533251-82be-4824-96c1-47b60b740d00 943c8cb6-6f93-4227-ad87-e9a3feec08d1 60
      4⤵
      PID:432
  - - C:\Windows\system32\powercfg.exe
      powercfg /setacvalueindex SCHEME_CURRENT 54533251-82be-4824-96c1-47b60b740d00 e0007330-f589-42ed-a401-5ddb10e785d3 0
      4⤵
      Power Settings
      PID:5700
  - - C:\Windows\system32\powercfg.exe
      powercfg /setacvalueindex SCHEME_CURRENT 54533251-82be-4824-96c1-47b60b740d00 4bdaf4e9-d103-46d7-a5f0-6280121616ef 0
      4⤵
      PID:2312

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Power Settings

T1653

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
06d16fea6ab505097d16fcaa32949d47

SHA1
0c1c719831fa41cd102d0d72d61c0f46ec5b8de8

SHA256
54e15de2bef9f651d7717e2a336ac6b2ea2b723e6f29d2b153d8fbbc89aef723

SHA512
03c00f1eebb51cec11703141ae9d9c3ac589f5495bc04d8a4b043714089a9d50bd3a520e4d72b4a4c99f5b9bf5f689bf2585fa5c7d4ddbe6f71cbba0172f593a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
ab8ce148cb7d44f709fb1c460d03e1b0

SHA1
44d15744015155f3e74580c93317e12d2cc0f859

SHA256
014006a90e43ea9a1903b08b843a5aab8ad3823d22e26e5b113fad5f9fa620ff

SHA512
f685423b1eaee18a2a06030b4b2977335f62499c0041c142a92f6e6f846c2b9ce54324b6ae94efbbb303282dcda70e2b1597c748fddc251c0b3122a412c2d7c4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
38f59a47b777f2fc52088e96ffb2baaf

SHA1
267224482588b41a96d813f6d9e9d924867062db

SHA256
13569c5681c71dc42ab57d34879f5a567d7b94afe0e8f6d7c6f6c1314fb0087b

SHA512
4657d13e1bb7cdd7e83f5f2562f5598cca12edf839626ae96da43e943b5550fab46a14b9018f1bec90de88cc714f637605531ccda99deb9e537908ddb826113b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
186B

MD5
094ab275342c45551894b7940ae9ad0d

SHA1
2e7ce26fe2eb9be641ae929d0c9cc0dfa26c018e

SHA256
ef1739b833a1048ee1bd55dcbac5b1397396faca1ad771f4d6c2fe58899495a3

SHA512
19d0c688dc1121569247111e45de732b2ab86c71aecdde34b157cfd1b25c53473ed3ade49a97f8cb2ddc4711be78fa26c9330887094e031e9a71bb5c29080b0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
449af23fe66310e9c565ef232ea80a1f

SHA1
9557ab10f0214b390e8a66cffcc939b9aaf861ca

SHA256
1f29a089c9121f6ddfb9c2cea4676562eac4767cea5e0a826a78d4205ff5ba16

SHA512
a00e07835e35535c425771f39d4a31b333f99c959a2eea35b67099899f0da105e6ae779a5a6882f796a5cb882b99ed79298b981fcb068cd8db14d3ec34eebeb2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
e9d8702b2366c3936eec94283bd771b4

SHA1
c8208a0724612e5eba021a91a82af0bbf4835120

SHA256
217d6895578f02e56f3a3b8bf9d51830a81eb755d76dc39f08d14fa56e68f91a

SHA512
13ed11cdee3b834a6ef8a420c6f59bd64f830b0482453d0752427d2a78826fdbb80de3dcc6ecc5b5ca8d8c69dd6ad1c9685177d53edd950709ddf19097a9e9ca

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
47d2208fc9a015641efa64e13d7a478b

SHA1
649c537f1031ed19088cd24c04114e60e632cc1a

SHA256
d850cce469f27415807e05608b9806d31c6ba297ffd25520c218df68b0515745

SHA512
d6599ef15cc979f540ad7affb046e1717d2b4087c040e0b757d0ac28083576ac6b5fe072eee40f37a1412e612d864d946c28352a229a499a2284e54b8f9d09c7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
2KB

MD5
5926b1d750c36dca2d8dd59cc74186bf

SHA1
c3293cd99782bafa00f5bf6e7f102ccc4d86f466

SHA256
94468b1ca60ab4e9505144f6751e4561331ac2fea2a9812e7890d61920cae61a

SHA512
8036defc7450e808d541cc5995546b865ef496a9cfc3a994058953f2a5dc759de70eb3ae9fbe2032265a141c4503e6fa663ea2854825a578982ea775bfb37aba

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
2KB

MD5
005f05ec5e6a586e98a0327fcd5631e6

SHA1
9064b348816713c4b1704ab568e97bd869797c97

SHA256
e295433f27fa52d84de1a8b42510bf55749be355f2c88d435e31e853831e0a80

SHA512
cf0a4fbfc0b94f0ca78d3986839b7d406e2f2059faf48468c2288458677289fc9b1c7de05e5d8316b7ce055f54509ee0e339bed54605989b0b7e890ad44126d7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
2KB

MD5
a7482c3149f18b3cd2a1be6a41ab85d1

SHA1
a5d280fa1a7b5ef9d19bd15e579714fb7dba65a5

SHA256
2cc2bb4bfee2089f6bf308e0e51dd943a18e793695eba3cad93bec361edff358

SHA512
56866112c3da16f58b0bda0392ecae64993fba5175f271fccf9263ff0e254c1db2e3497aec4a4d67a4827caff03fbc0f03d5744ca6a433518551f361fd6ce86c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
2KB

MD5
2f54150b0cc75795cf724b884308a0fd

SHA1
7e5f94a7d833c525505c4d47bf34c32d75e69242

SHA256
05363ada9b2c19d9ccfa2a20bce07463b02754c5a727e4a088c583bb6be3dcbf

SHA512
8d164e2d07b460f443cc6acfcb5188ef1dafe3ba4751c1975abf43f609ae88a51f91240a9d6b42e91cdb53a587c073cc4850d14c2f00a1968ed3ad520e9f47ce

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
2KB

MD5
ec0b02bdb52916036a61870d96791609

SHA1
dfd1efb8117923469b028b3f1da6acbf9afd0b91

SHA256
be52786d43184a10fff98b25e68996c29e78bd8aa31ac4c1317a52c1085fade7

SHA512
e890429c32d31494b9ebc9e8268885684a59959826df8a5fdd3dfedba792b2c6d8edd5cd1528deffcd2a6110eb9515ce0f8fdea530d755c236f79bd9da6e3e83

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
2KB

MD5
7aeac4deab26a34bcc19470d93a5cbec

SHA1
7d35bac731152d3a62dd1d5ffd8964f81df1e2be

SHA256
f6d45c38b185ad0fd1bd0fddf4451a8d0b0f46d8799cfe433af336a3a3d5ffa4

SHA512
3ca0afd22386cf2bfb19e01aea356ab28ac130813e2fbfa5b5cc833a5675ddc88bdbd95950a4a7d6df4e8f5da27caf57adef11b1ebd8a0f68a0912e302438b6b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
2KB

MD5
fabd31b87306cb6de85995083aa2f70c

SHA1
b9252d1ee1e45125079e0bb884eea11578bba5a3

SHA256
c1bb8895b6489886e93b52c2efec318b078f8add9981d6bf21dba9ef563c7e8f

SHA512
7095734e335e2c91eb44f3b736bbb58431be9cdc35ec5e9caf702a9638ce3813acd9f478a2efdbfb10986d6bf328172cb28e3411425ae2f82bb74e121459135f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
2KB

MD5
d22d10cbccc980b7d0fd8ec85f62ee96

SHA1
da3e8f20d725c4a23c4fafafe7778996471bb9c6

SHA256
b891f8e034757de0e48f7cc587ef54ee048735d4021833b2c9500253fecce050

SHA512
37ccdf4d47b96a2b47eef346b617fca60b00f89cbf032efa8670a75222c2c4eab736cfa0fdaf71053c32cffa730876d3eb06abe0d0d9416409a54a7c167510f1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
2KB

MD5
d7efea5c925d0e7c01abcbd96d364db6

SHA1
27493afb6448703f2fe1d26c96c24e13a98461bf

SHA256
654bce46404e194b639bdd83be587ea4cd5a707a49090bb6670227c3c11f931e

SHA512
0ef41872f0ef28ee8c2d370c6450fca41aaa2443690f116ad889daf19adbbc85309a8fdc8f5212c3abd740734fec4b7dc94441584b790c8533c471cd3fd4d721

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
2KB

MD5
7a98b082d1dc41afca1c8c6a121fd5b9

SHA1
fcf73c6c2cb9ad1af231717970e3b2d59af21d66

SHA256
1db43e99fd157c3692ce52df90b90a9d0844c4acf1d3d35e462ad7c333c08b33

SHA512
57b12cb55e6e74066eb4d0e45fb84fc83236056685aef59810e4b5c4c97bd670a217fdb64386623c8f0e980271c7afb9439afc4edccbebee166e57bd72257654

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
2KB

MD5
be44ced5925e5be36d128c0346881e96

SHA1
a01bbf0477e489ec8583d04ebdb318865a33b838

SHA256
3f3b3224d2d5d1a58e322a1edf2448090f5f09fd36837afdbe38d742a18388a2

SHA512
c75edef077a54812fc56bdd0e7cbdda526d0f349772d3868cd0d8df19a126c8798f739eeddf8560cfec9abbc8040d743b533908f36ff802f9f8a095161084dc6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
2KB

MD5
8369e3ae0d3192b0dc571792857041dc

SHA1
caf0ee92dda3396b2352005337234f8dab61c00d

SHA256
31ff5f460fdda153148674f927e3894f033c54f3a21a531e1440436a1ba8f4bc

SHA512
9778913716ab0a2da7e02c76b815d7962f98afa5c400df5689501ea09f3202a4b29bb6df87a9153d1e7e51eab62d5126a94132c22b605c02e332f8329a03148d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
2KB

MD5
80463f21e5b7290b5f984fcdd7905a90

SHA1
bb324db9f0a3f6df5977737d897f00897745a7f6

SHA256
054de1aaeb272b179747c334c935d5b7011f0a105d35d70aefd1f1ccb4f38cb8

SHA512
13ce3b801d492649806689610e759c12c60b5150a508b7d6d8145c570ba958584e4611793ab9821f57b538f69ab8db0977cb7641a77fba76252db9572d96e1f7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
2KB

MD5
fbacaaca25e025b7d433a4ecef9f9cde

SHA1
7f61a6abe8f2796af65a3e0c5c24dc04c21d47e2

SHA256
9419c1caa73c60b251e611f95ae124073aae816ff7e111d329a81fab4c4fc92b

SHA512
b8113de8e792addd0cd3f4f25a383f5f5c3a1cf23727cccb50ccd77b909c1dbf525177dffbc2fd4051ed96f6bc9df7738300b13c3159d24d0c9a1215aa404468

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
2KB

MD5
0a014ee1eae7142857581da032c963cc

SHA1
89a3ff865e3c0162f34cf6288142f037f2c7de99

SHA256
2d73a1346fe6f7d4ec33c4f5f6281fc001e7aa9014ca6a5b6dea8c9dcad8de24

SHA512
2aaba24f458fda0aa0f703552caa4fcf139c173e55e2577f14c01294a8f0332e8b8dc57b2f9af1c94acca59b63dee078710dcc79f6a045822c7c0f4504c30e22

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
2KB

MD5
09fc8a7fa38cf13a9ba19e33119b028f

SHA1
4d684ad0630d83154ffdd6d97a2458ef8be639c0

SHA256
8aa39c558893cf41350d2f1dd51aed4700698244b257e1fe39299db8484973a6

SHA512
b2301624abceac7515b12a5866b9cdd618117a452d3ccec566b2d4485827ea65a8066d57b8dba855b74b511ef93a5dcfe60f21b277a8c5624c221316fc1cacf7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
2KB

MD5
d9d2f8f0b0f67c25a64a36e235dfd722

SHA1
63c5d10b26e78acd986993d81445aab027f08337

SHA256
1a068119639fd3567f5f4304ffb781258c3d940ea3bdbd77cb5438f16ecd583f

SHA512
0f5faa04ee7972b76834369f7b0a76298e8915c10831822ed5fd591b219ba8a3d3efbe9bde5f92237e8535e12f841c6f58c04c63de4ee825047153fa68e15960

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
2KB

MD5
124240acbad680681f315acc6e1404dd

SHA1
b562ec89022a660faa07c05fc6ace89ee1eec3cf

SHA256
4fef239b565e882718be5d6688c83870e2d5654b15df69583b634f219ac36145

SHA512
1c87c3374599396cdbf7b2609e743351569cd37c0b6db0a33bf5f2cd479fe80e890d422894d275840ef164f48fb3dfbc307b1b63e1fca190bef7645fb371cc1b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
2KB

MD5
84a5c01027b1c67f35834bd960fa9cea

SHA1
803c81df67747693220a08b09d11f7eac6817729

SHA256
c033f191b5dd3f17cc768f96a9876ed8a1e1519fef34da7c132307c23a082505

SHA512
2a43b0d3028126ca1c64b7441dad1ff8ec5f5a5c1ab4b64d3c343d7bc7eda6bf79ed8ca8c45f64c2ad9c2250f653c906f617f8df414b9e0570ac4e2b8950383c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
2KB

MD5
8c68cc381663b0b19fce687a6a5c1c98

SHA1
cba35e1031ca4fa00a388f43777e2b684921dcae

SHA256
6ad4a72bec64f13a35f43d24263c24f3ce23c47ef1c2a6878e2cc2fcf6514b56

SHA512
8f71c50eca0693314d9d72d7db9904d6b694f61e0ae55e7bf670fd4c4ae6fc0ea68da145cfa8a3106794efdc03193e2e39342d19eb30c09ee3270cb0843f68a2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
2KB

MD5
e632a81a337736aedda9daf464f8ed5e

SHA1
4fc968387b134d430a472e256c4b0d9695409175

SHA256
86e2243318ae7376a77e694bb8685bad8bdbcc8cdbc56802a81d1cc167d3b21f

SHA512
7e6646ac6cab17324527c876afd5a4941e17fc4f80665d19fcbc57db02a372eace70f0766bb4ace5ee5cd94d651847744f65143a8be542e5edfbed0e4e81730c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
08f9f3eb63ff567d1ee2a25e9bbf18f0

SHA1
6bf06056d1bb14c183490caf950e29ac9d73643a

SHA256
82147660dc8d3259f87906470e055ae572c1681201f74989b08789298511e5f0

SHA512
425a4a8babbc11664d9bac3232b42c45ce8430b3f0b2ae3d9c8e12ad665cd4b4cbae98280084ee77cf463b852309d02ca43e5742a46c842c6b00431fc047d512

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
a2d3f5dca9ee38af972bc570713bfc35

SHA1
349e71baedc05f0dcd67d445bbac333ea0e57777

SHA256
51d53bd755432a0e1c36c2e04332738fc2847392285b050f99f0e4cd02470063

SHA512
7575b6a663a533492cb771e942d3a8791f83467172a379cbd604266cfb0d2b2b68c57d0b62dc1ee98d83056b97247773f98b5bce872685ea55af662ca20f390e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
65cb87a103807e4b0cccedd1ca50f826

SHA1
5ba66d21771004886783b44b7dd3abf8c93dcf96

SHA256
ac56770919546ab3241dde67fc049fe1f3f876788f7464fa28ba59f5f7cd7ebd

SHA512
0de7e807c10a9e7fa1172ea7ead236c36cf40842f32fec31e1e3c07da40cf11a9c7a01505824c530ea1b557cd8ba94c5c9d98911f6fd3b10003b7eafa189ba02

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_sb5k41vt.20z.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\Downloads\Velocity_Tweaking_Utility_deleted_viurs_by_idankalol.7z

Filesize
1.3MB

MD5
0f8f2b130c553d9fa8504503e9e4cd8f

SHA1
029fe71cc2c86c606c51e52c57fe7cca65ec4bca

SHA256
006fe8dbbc15d7d83b91027aaf71f51dd57419de70c1097296c4f1a3644a7d57

SHA512
e1dbf1365294f55267760ded3b9e0b8991f18826a217cef414215dd69756ef46ab485e35886626bedd95a369831d5aaf5b63381840a243e82e5f2aa45600e9fa

Download Submit
C:\Users\Admin\Downloads\Velocity_Tweaking_Utility_deleted_viurs_by_idankalol\Siticone.Desktop.UI.dll

Filesize
4.0MB

MD5
1582aa45d981e0e569c6e05698642b30

SHA1
763506f312a186c55a04ef6a16ad7e867c394097

SHA256
21eecaf504b7fe787a45f4aa8f8f36dacfc3ab1d75624dfb41827cdef2a9a589

SHA512
278a7a4e2b9d82528200b9f92244db3f228187d15c36fd169deb927e343bc4d0bb29c9dba496f86558aea4f4deb44d1e47a41d5598c0b375d99ad9fbe99cec34

Download Submit
C:\Users\Admin\Downloads\Velocity_Tweaking_Utility_deleted_viurs_by_idankalol\Velocity Tweaking Utility.exe

Filesize
1.1MB

MD5
a96a1fce1a1c82a5d42c3a38f289e41e

SHA1
3737e3a8ac233572f23227e2cbdf66fc8e0847d1

SHA256
20ae966b644d6ad6241458d1670bbff4d04a73dd8ccf9071cb8766acc98bba6f

SHA512
e80ae2fe4e8f5545e97121e90e259aca723e40a7d3b92a368638dfdb0ba9ea80890fcbdd8a6b65ae5201e97c58abf7b05f4cd42fa5051551aef36926d03dc8fa

Download Submit
C:\Windows\All.bat

Filesize
20KB

MD5
4c50fdc2fc883247ae4af41bc424db21

SHA1
bd58c31decf3e586520b0ff142c5d7f263447aa6

SHA256
b276991ece4fafdc2cd37c7c195b72a0ef6b96e3478f134a7edd52b7f90b561f

SHA512
3d4ef301de3df6864bd00102a08aa9638381534e75bd1281ea14e9d5dcf71295fc65e6722f94e8d7e2a1e24e7dc06055003f564383c097d41e6862d32d8a3969

Download Submit
C:\Windows\Background.bat

Filesize
276B

MD5
9277a1cfa29b7eb2bb1aa00b88acd5e6

SHA1
87cf219aacc97e58d629d77b5193c7da4c38ab30

SHA256
cf83ae9ac4d8913ebeb063513cdbd166de4cc88f1156a71f929c14144fe7025f

SHA512
2c4398769aeb35c091f76f3b5ac379af6524274f22f7c1a20d0e80a507b60e761d2bb343522ae44aacf26981410e9a1f846a8b8ca58dfbdb12e847492c34c3e8

Download Submit
C:\Windows\BloatwareReg.bat

Filesize
10KB

MD5
614b568b3167e6bf33c16ab82a87097b

SHA1
d1037853c6501e2ba5cc7d04ac548d2c85e82a73

SHA256
c358b9bc018035782eeed812642ae596d42011fe847d48c6e2eda874163f4354

SHA512
ecb3725e6331b75d3c5bc5721d0bb038f802e8b471665067c07747c95f835420123bc267ac310b1db4a6ade6054bd8adf4361938db7bc31810c0d682bbee19e1

Download Submit
C:\Windows\DWM.bat

Filesize
481B

MD5
1d17729fd5c6d7618994a6afd3bc2f02

SHA1
cee5c17c850cf2a3f2b1aa3fa87b5216055b4cb2

SHA256
5f5b3d99b9245bbff132cf66c3818f10454bd80d74943c82cfaf9acb8c5c6226

SHA512
422b074b821c759b4ab44fa696a2063853c416e95760c9b18f5561a476b1ec311fa96172b817181a2287fdce29dfd53bd607e69437d47170c69777db5302b347

Download Submit
C:\Windows\DisableCortana.bat

Filesize
177KB

MD5
200a6992371dcacfb27a3fd638345df4

SHA1
0b0b5302a589c9e9a6b78e7d81367201f24833fa

SHA256
d932cd8a8dee0a478ed5944535229e5893d5a121af3142c2eb54aa25b8d86e4e

SHA512
caebc01b0ce3171fdf69193f551ddb0ce0fb9ad96732811feadcdd4fd222110d61d58e6ae78f7ce1b609706ab9c9d7277fdda7cf1b1dafdaa02c9ac1d3031c07

Download Submit
C:\Windows\DisableMemoryCompression.bat

Filesize
65B

MD5
a64d3a4c1d61344273de4e3f2dd3b652

SHA1
245859a286db226f15a0c8c51c9b71f31ea1b79a

SHA256
6f4b8912c0f77f2e589e8fed98246680bdd01a442f91729ce15ee812b8f4d50e

SHA512
e564799596d11b71590569f8c7b31fe7446cabc2dc6bc423308edf7ad2fcb74cbc621891cc594a6b2ebc8320600d0ca2530e92042477246914c55f369d2856cb

Download Submit
C:\Windows\ExFullScreen.bat

Filesize
1KB

MD5
d638b06670849a0936cc2c6549765ed7

SHA1
29f3e74445ea63ff941f89ddb484fce27ec588ca

SHA256
e2775ce1dd6773d2b8d405bebba92f17d24796a2f0ea956a95542d5d5fa3cdd4

SHA512
efa8a8aebdee0094f17ebecfa0f6c1e92f02428b18703732609a387ea03e0dc9fa9ad4870b5173364bfcb7a5293a05a1d903aaf5a9cecc940779ddf18fd88ba9

Download Submit
C:\Windows\GameBar.bat

Filesize
150B

MD5
81ddc2ec871bdaa67fa4779935de029e

SHA1
9f58aafed3728704d63704e4c0297707afa7710a

SHA256
3f372ef86452209d3126085b20ad542d50c10dea75413d36dda919f9f4e16206

SHA512
bf76889e1a4fd1683b21ce8576524a93de842d5ac5790fa12f1b34f50f5cf801379dd920ed402db9e5b5b3a389c5cebc1e7be448b040378cfc4f3dc64c81915c

Download Submit
C:\Windows\Logs\DISM\dism.log

Filesize
227KB

MD5
ee2928192230a5621b38269ae40c9e6b

SHA1
91afd18c4e95f096639145e491c15344df18a6d4

SHA256
6e5bf2e2dcdb1adb875a9129a289addd937a4fc9c25ca3ba69fa42e63b143e6f

SHA512
e5999aa61dffe357bd88938e1083f7173b55f67c808428a0a432eb3c7a72121f27998a84893318e93c2bdd01fe129e168b7285fd7d6ae970fdcb759059f21e41

Download Submit
C:\Windows\MMCSS.bat

Filesize
8KB

MD5
8ce4eb2c9ec9ca40d78e987f0c311520

SHA1
621c553cd7511b1a15024593c46651cf475d2874

SHA256
c9fa7bbea01466868646959dacfe2e0150b1c740a643704e47562af869195272

SHA512
1c8b843cb85c88ae629900c2a528f211e87edac19f715ef52b8eaf8dff6045bbaad7759b3fac4822e7cbd0a4fa1813471ac14d0caf919d63b819aa608ede346d

Download Submit
C:\Windows\Maintanence.bat

Filesize
149B

MD5
96ad2d5a699c92200fe5f2dac7d5eb53

SHA1
c9f17f12ec7a67d4f72576326b13169a514cd770

SHA256
465f0b196cc44be9b623590c4b28c7c6b73b0192bc0627fc74b1cc7320086862

SHA512
d48d0eae05986b619d91a02ae2591345f26fa0a7cf062cf17ae80d09344392918f439d95c27120e273e3d9e07aa40a6b6a5698bed77b707769570a94c0971607

Download Submit
C:\Windows\Microcode.bat

Filesize
429B

MD5
0666ffb6b36399d28aa68692ce36f813

SHA1
2bc9f1275b60dfa5201b2ae45f513d6950db38c1

SHA256
9c6d89c8bc4ce18fe4ddfdc31470ebf6971b3a5940ce98956e0ff707ff1c87d9

SHA512
0649b5d778bcaad4cb251139ca36802977268f45cd2b3758ca3b1e9cffd49c525faad028c2ca9451cc0d43fb72cb2a49b761b296961ba67446e9f1bc042256d5

Download Submit
C:\Windows\Mitigations.bat

Filesize
1KB

MD5
76a02e1b2e5426d35bdeefb6620b5f50

SHA1
cd4ca3855822985605b257495e452d15d2705ae4

SHA256
934075cf83c4ba18766c950754714f60bfd06ef4e03801e18ae5474c5de6607f

SHA512
743aefe529c9198bb8ed7cd1b4c1ccbb2acf04787e981ea401147472c2d0b2a082d258acb998c55819dfddeb2241d290400ec439183f6de83232b4c227a2c0ab

Download Submit
C:\Windows\Notifications.bat

Filesize
1KB

MD5
43974d5a2fe446d21d6e570f12d4b7af

SHA1
bda717c27eedaacb8d0ebbab79e55d1fff835fd9

SHA256
270a02dd123a540b62ed199b3641d00c9e37943dd37c9056607b48af6b3cbe48

SHA512
ac9540047edc3b66265331d92ec9b8294105b1f62868a9bd9a9a669c30439b797396e0e52f6502975c75809a204d9986d04a30aece0c099f1381da22ac2e59a8

Download Submit
C:\Windows\OldFlyout.bat

Filesize
477B

MD5
bfa4745d69e777c82bc45dc46abebc47

SHA1
d68d6f68d96de33bbe1b7ec9449ab616733e8982

SHA256
88ee50ca1faee6c324645e99bc251009583d444201b7def75675b8413c9052c9

SHA512
3ea28530cfa7fa4a8e1222afb016ecf6a0ca8266226f3c19d36d218daa54492482700a93619284f967dd3b5b09472192b1627ee855614b37a503d8710550cc9b

Download Submit
C:\Windows\Privacy.bat

Filesize
29KB

MD5
7c6378fa77d73f3a086629c81f9d4063

SHA1
722833faf942826bfec3d28811c28c5ba189f381

SHA256
27a191094745a5cc8140c3f4e0482b25d724e9242d612205693e0b7f9ed29812

SHA512
6132e2e9cf4d0271a2039b0c9f7edd6e1bce883f9e2a9caa4af1c137bfe701f116d661825229032173b5ad6a06c165b8319e694ef6641b0416eeadbbd8799306

Download Submit
C:\Windows\SD.bat

Filesize
121B

MD5
82169c6e04c4a76b771032d631491e52

SHA1
e6b689c14ef0a6e7351f872b4eda64fe2acc41ad

SHA256
30dd1eba70acad3ca60e33c34e6497b2f44d66b42c696b94f7664ada9faa5b6f

SHA512
58eb8089a700fdc2aea25289f23a29ba0af263516f207c7ecc2739add921785ac046633004c75a7a273a4eab983aa7ca8446479e618988e2ead87eafc25e1729

Download Submit
C:\Windows\Services.bat

Filesize
1KB

MD5
3be622ab6a682835f00f3680f5166295

SHA1
0191b365896d11719c77e780db44e5369011e548

SHA256
e546ee95cd2674f95c229282d64576a23184d23008b219019dfa2f056e614882

SHA512
c514ce7b965f82dd3b01abc2031f638e719f0720c075dd2a303f0ffcbd79c73e1168bfea0a91cdefb8dc649d9f1c5cfe8154e5ac27f871472ff588b1ebaae07a

Download Submit
C:\Windows\Spectre.bat

Filesize
2KB

MD5
aae9259d8e23f14736e895832faca805

SHA1
9bef60eb0d8bb089c87302fa2ff05d785462bf8e

SHA256
d892a75f362354ffdce6ab734522549ce6e4b9d5651a1f04731d4c98e9107d96

SHA512
8a4419bd307e45c861d7ce54a23d0727c48af8b9b5fd208f7ae0d2ee964ca73f6ff556860345c260d5b3c1d0cbe5245c3afa6f153d4f4dee1499cc535cd9d272

Download Submit
C:\Windows\Startup.bat

Filesize
199B

MD5
2921f2b284dee08740442442ac91560e

SHA1
57ecbe55657b2d4b10ab8e44c34c33c722a97a47

SHA256
0e3bce7e9d32fb833aa39f81ed953e67e1f09ab49e717fbe8e7f68ba07fe0108

SHA512
f1cd9e4d7179e2464ed81fb09cae89c45e05a8525d77ed5129e9c79b4827d19cd620e471c96118d8d9e3ba5f55226b3aee87a4300d452fd0495ef851cf90b776

Download Submit
C:\Windows\Superfetch.bat

Filesize
466B

MD5
242bdfdb15058d44d41919dd0c0857b1

SHA1
4b4a316950f3b2c56c368992ee3f5f0804e738ce

SHA256
13d445be10a734fa63fc65e9e17fe55a82bc37a605e91eacd95f0cb4c19d63f6

SHA512
30782192a57f9a4708416030c31e60a2cf544ef0587efbe600850c659775a227a25c76d2177181eefb2b9a30bf4757a8cfe8e018e3e0e3f83dc43d85ed1e0215

Download Submit
C:\Windows\SystemResponsiveness.bat

Filesize
322B

MD5
227bd247ff2349685f7ed58758eb62d7

SHA1
0f26305cae35b35cd582ec677cbaf0c0fdac900d

SHA256
25588a1c0b0741c326b2146e433701beda5603505b63736ca70d7b309d4871e0

SHA512
e2ed6075f878706874d8a1c84022dc38b7144435cdb536a8714e7a5b42a6753d270d510546b9df8958b49b964ac16d9d9fa824a7ea1d529632c0e1bac8618a65

Download Submit
C:\Windows\Win32.bat

Filesize
489B

MD5
cb1454d6077db8c128a0f4a69effebe6

SHA1
0febbf87931d3a63bf9506ccd5987a6b3841fd9b

SHA256
aad644908caa1a26e5020ab91e01aafa00dcf23ff5f8d410825bb02d415e1809

SHA512
2ac319e92ed16722f52f395ac45d841d089c956254168190c1a058fe1edcfb44ec692780bffae0c59bbc21a0dc969f21c15384beb18e1498f898e1fcbd6dd662

Download Submit
memory/1400-65-0x0000021566900000-0x000002156691C000-memory.dmp

Filesize
112KB

Download
memory/1400-64-0x0000021566D90000-0x0000021567196000-memory.dmp

Filesize
4.0MB

Download
memory/1400-62-0x000002154C340000-0x000002154C46C000-memory.dmp

Filesize
1.2MB

Download
memory/5568-433-0x00000230FD6D0000-0x00000230FD6EE000-memory.dmp

Filesize
120KB

Download
memory/5656-90-0x0000019EE8560000-0x0000019EE8582000-memory.dmp

Filesize
136KB

Download
memory/5656-91-0x0000019EE8960000-0x0000019EE89A4000-memory.dmp

Filesize
272KB

Download
memory/5656-92-0x0000019EE8A30000-0x0000019EE8AA6000-memory.dmp

Filesize
472KB

Download