a5a0b353ba2e76e46e3566329f212aaf71c7acc7d0dd4c2689dad5d543effa13

Analysis

max time kernel
744s
max time network
320s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20241023-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20241023-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
29-11-2024 20:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

WINCL 1.8.0.bat
Size

1.3MB
MD5

3de7393999fb7fa0931e95a0ecc28064
SHA1

a26172904b514a1d0b96f671af9cf57c0433a69f
SHA256

a5a0b353ba2e76e46e3566329f212aaf71c7acc7d0dd4c2689dad5d543effa13
SHA512

e6ea002fde658e4e4efc4986b19745374af5555c623f2674030e46a279f5d6fd26a7660e208899a0a41acdc99925771ea972ef54939d4c6bc716612b7f4d3f13
SSDEEP

12288:RBCF22juRhMkbZubgbab/b+BV0L6clOXs1w:RXMkk82zwb

Score

10^/10

defense_evasion discovery evasion execution lateral_movement persistence privilege_escalation ransomware trojan

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 8 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "0"	reg.exe

Modifies boot configuration data using bcdedit 1 TTPs 3 IoCs

ransomware evasion

Inhibit System Recovery

T1490

pid	Process
4348	bcdedit.exe
4956	bcdedit.exe
4780	bcdedit.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 64 IoCs

Run Powershell to get system information.

execution

PowerShell

T1059.001

pid	Process
3776	powershell.exe
64	powershell.exe
1256	Process not Found
2536	Process not Found
1564	powershell.exe
912	powershell.exe
4352	Process not Found
4956	Process not Found
2364	Process not Found
1420	powershell.exe
4060	powershell.exe
3676	powershell.exe
868	powershell.exe
2600	Process not Found
5096	Process not Found
4256	Process not Found
2624	powershell.exe
1340	powershell.exe
964	powershell.exe
3288	powershell.exe
1328	Process not Found
2572	Process not Found
356	powershell.exe
2132	Process not Found
5016	powershell.exe
1292	powershell.exe
3924	Process not Found
1020	Process not Found
4408	Process not Found
1828	Process not Found
2080	powershell.exe
4620	Process not Found
3836	Process not Found
3276	Process not Found
5092	Process not Found
1328	powershell.exe
2536	Process not Found
3452	Process not Found
1516	Process not Found
2696	powershell.exe
864	powershell.exe
1860	powershell.exe
5072	powershell.exe
3204	powershell.exe
3400	powershell.exe
3584	Process not Found
1140	Process not Found
4888	Process not Found
1432	powershell.exe
4052	Process not Found
3684	Process not Found
4356	Process not Found
3108	powershell.exe
2108	powershell.exe
3776	Process not Found
2132	powershell.exe
1572	powershell.exe
3804	Process not Found
564	powershell.exe
2028	powershell.exe
3640	Process not Found
4196	powershell.exe
4692	powershell.exe
2800	powershell.exe

Maps connected drives based on registry 3 TTPs 30 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\NextInstance	Process not Found
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\NextInstance	Process not Found
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\NextInstance	Process not Found
Key value enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum	Process not Found
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	Process not Found
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\Count	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum	Process not Found
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	Process not Found
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum	Process not Found
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum	Process not Found
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum	Process not Found
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\Count	Process not Found
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\Count	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum	Process not Found
Key value enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum	Process not Found
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	Process not Found
Key value enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum	Process not Found
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\NextInstance	Process not Found
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\Count	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum	Process not Found
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum	Process not Found
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum	Process not Found
Key value enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum	Process not Found
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	Process not Found
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\NextInstance	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum	Process not Found
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum	Process not Found
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\Count	Process not Found
Key value enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum	Process not Found

Network Share Discovery 1 TTPs
Attempt to gather information on host network.
discovery

Network Share Discovery
T1135

Power Settings 1 TTPs 64 IoCs

powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.

persistence

Power Settings

T1653

pid	Process
2456	Process not Found
2908	powercfg.exe
1468	powercfg.exe
3836	Process not Found
2588	Process not Found
952	Process not Found
4692	cmd.exe
2600	Process not Found
2500	Process not Found
2492	powercfg.exe
5092	Process not Found
4276	powercfg.exe
2960	Process not Found
4812	Process not Found
3836	powercfg.exe
1900	powercfg.exe
3432	Process not Found
188	powercfg.exe
4980	powercfg.exe
3652	Process not Found
964	powercfg.exe
4952	powercfg.exe
4496	Process not Found
1012	powercfg.exe
2216	Process not Found
1764	powercfg.exe
1112	powercfg.exe
1564	Process not Found
2260	powercfg.exe
4576	Process not Found
3496	Process not Found
4940	Process not Found
2852	powercfg.exe
5108	Process not Found
3660	Process not Found
2620	Process not Found
1600	Process not Found
4524	Process not Found
1404	Process not Found
1796	powercfg.exe
4120	Process not Found
3988	Process not Found
4784	Process not Found
704	Process not Found
1100	powercfg.exe
2444	Process not Found
4572	Process not Found
4272	Process not Found
2060	Process not Found
4344	Process not Found
556	Process not Found
1420	Process not Found
2624	Process not Found
3868	Process not Found
3720	powercfg.exe
2568	powercfg.exe
3736	Process not Found
3260	Process not Found
3444	Process not Found
3124	powercfg.exe
3996	Process not Found
4676	Process not Found
2304	Process not Found
1992	powercfg.exe

Remote Services: SMB/Windows Admin Shares 1 TTPs 5 IoCs

Adversaries may use Valid Accounts to interact with a remote network share using Server Message Block (SMB).

lateral_movement

SMB/Windows Admin Shares

T1021.002

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\LanmanServer\Parameters\NullSessionPipes	Process not Found
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\LanmanServer\Parameters\NullSessionPipes	Process not Found
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\LanmanServer\Parameters\NullSessionPipes	Process not Found
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\LanmanServer\Parameters\NullSessionPipes	Process not Found
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\LanmanServer\Parameters\NullSessionPipes	Process not Found

Drops file in Windows directory 46 IoCs

description	ioc	Process
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\PeerDistRepub\edb.chk	svchost.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\PeerDistRepub\edbres00001.jrs	svchost.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\PeerDistRepub\PeerDistRepubStoreCatalog.pds	svchost.exe
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\PeerDistPub\edb.log	svchost.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\PeerDistPub\edbres00002.jrs	svchost.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\PeerDistRepub\edbres00002.jrs	Process not Found
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\PeerDistPub\edbtmp.log	Process not Found
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\PeerDistRepub\edb.jtx	svchost.exe
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\PeerDistPub\edb.jcp	svchost.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\PeerDistRepub\PeerDistRepubStoreCatalog.jfm	Process not Found
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\PeerDistPub\PeerDistPubCatalog.pds	svchost.exe
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\PeerDistRepub\edb.chk	Process not Found
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\PeerDistRepub\edbtmp.log	Process not Found
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\PeerDistRepub\edb.jcp	svchost.exe
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\PeerDistPub\edb.chk	svchost.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\PeerDistPub\PeerDistPubCatalog.jfm	svchost.exe
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\PeerDistRepub\edb.jcp	Process not Found
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\PeerDistRepub\PeerDistRepubStoreCatalog.pds	Process not Found
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\PeerDistPub\PeerDistPubCatalog.pds	Process not Found
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\PeerDistRepub\edbtmp.log	svchost.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\PeerDistRepub\PeerDistRepubStoreCatalog.jfm	svchost.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\PeerDistPub\edbres00001.jrs	svchost.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\PeerDistPub\edb.chk	svchost.exe
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\PeerDistRepub\edb.jtx	Process not Found
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\PeerDistPub\edb.log	Process not Found
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\PeerDistPub\edbres00001.jrs	Process not Found
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\PeerDistRepub\edbres00002.jrs	svchost.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\PeerDistRepub\Store\GUID.dat	svchost.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\PeerDistPub\PeerDistPubCatalog.pds	svchost.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\PeerDistRepub\edb.chk	Process not Found
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\PeerDistPub\edb.chk	Process not Found
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\PeerDistPub\edbres00002.jrs	Process not Found
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\PeerDistPub\PeerDistPubCatalog.pds	Process not Found
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\PeerDistRepub\edb.log	svchost.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\PeerDistRepub\edb.chk	svchost.exe
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\PeerDistPub\edb.jtx	svchost.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\PeerDistRepub\edbres00001.jrs	Process not Found
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\PeerDistRepub\PeerDistRepubStoreCatalog.pds	Process not Found
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\PeerDistPub\edb.jcp	Process not Found
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\PeerDistPub\edb.jtx	Process not Found
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\PeerDistPub\edb.chk	Process not Found
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\PeerDistRepub\PeerDistRepubStoreCatalog.pds	svchost.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\PeerDistPub\edbtmp.log	svchost.exe
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\PeerDistRepub\edb.log	Process not Found
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\PeerDistRepub\Store\GUID.dat	Process not Found
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\PeerDistPub\PeerDistPubCatalog.jfm	Process not Found

Hide Artifacts: Ignore Process Interrupts 1 TTPs 44 IoCs

Command interpreters often include specific commands/flags that ignore errors and other hangups.

defense_evasion

Ignore Process Interrupts

T1564.011

pid	Process
1968	powershell.exe
4024	powershell.exe
4152	powershell.exe
2680	Process not Found
760	Process not Found
1252	Process not Found
1012	Process not Found
3220	powershell.exe
3516	Process not Found
3596	powershell.exe
2624	Process not Found
2136	Process not Found
1796	Process not Found
4308	Process not Found
4124	Process not Found
1620	Process not Found
2880	powershell.exe
2016	powershell.exe
4348	Process not Found
2288	powershell.exe
1832	powershell.exe
3108	powershell.exe
3288	powershell.exe
4228	Process not Found
4812	powershell.exe
4272	Process not Found
2496	Process not Found
240	powershell.exe
1112	powershell.exe
856	powershell.exe
4508	powershell.exe
2660	Process not Found
2628	Process not Found
4884	Process not Found
4976	powershell.exe
2764	powershell.exe
2568	powershell.exe
1408	Process not Found
3956	Process not Found
2624	powershell.exe
328	powershell.exe
1340	Process not Found
4596	Process not Found
2060	powershell.exe

Event Triggered Execution: Netsh Helper DLL 1 TTPs 64 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	Process not Found
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	Process not Found
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	Process not Found
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	Process not Found
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	Process not Found
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	Process not Found
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	Process not Found
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	Process not Found
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	Process not Found
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	Process not Found
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	Process not Found
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	Process not Found
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	Process not Found
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	Process not Found
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	Process not Found
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	Process not Found
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	Process not Found
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	Process not Found
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	Process not Found
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	Process not Found
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	Process not Found
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	Process not Found
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	Process not Found
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	Process not Found
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	Process not Found
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	Process not Found
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	Process not Found
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	Process not Found
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	Process not Found
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	Process not Found
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	Process not Found

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
3096	PING.EXE

System Time Discovery 1 TTPs 6 IoCs

Adversary may gather the system time and/or time zone settings from a local or remote system.

discovery

System Time Discovery

T1124

pid	Process
3296	netsh.exe
1268	reg.exe
4592	reg.exe
1120	Process not Found
4820	Process not Found
1764	Process not Found

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	Process not Found
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	Process not Found
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	Process not Found
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Service	Process not Found
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	Process not Found
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Device Parameters	Process not Found
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\ContainerID	Process not Found
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\ContainerID	Process not Found
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Device Parameters\DefaultRequestFlags	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties	Process not Found
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Storport\InitialTimestamp	Process not Found
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Service	Process not Found
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\CompatibleIDs	Process not Found
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	Process not Found
Key value enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	Process not Found
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Capabilities	Process not Found
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Capabilities	Process not Found
Key value enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Device Parameters	Process not Found
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Address	Process not Found
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\LocationInformation	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Device Parameters	Process not Found
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Device Parameters	Process not Found
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Driver	Process not Found
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	Process not Found
Key value enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	Process not Found
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Service	Process not Found
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	Process not Found
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Mfg	Process not Found
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties	Process not Found
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	Process not Found
Key value enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Device Parameters\Storport	Process not Found
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Device Parameters\Storport\InitialTimestamp	Process not Found
Key value enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	Process not Found
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	Process not Found
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Device Parameters	Process not Found
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ContainerID	Process not Found
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Driver	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM	Process not Found
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	Process not Found
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\AttributesTableCache	Process not Found
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\AttributesTableCache	Process not Found
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	Process not Found
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Device Parameters\Storport\InitialTimestamp	Process not Found
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	Process not Found
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Device Parameters\DefaultRequestFlags	Process not Found
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\DeviceDesc	Process not Found
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\DeviceDesc	Process not Found
Key value enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Device Parameters\Storport	Process not Found
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Service	Process not Found
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Service	Process not Found
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\DeviceDesc	Process not Found
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Mfg	Process not Found
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	Process not Found
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Device Parameters\DefaultRequestFlags	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM	Process not Found
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	Process not Found
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Device Parameters\Storport\InitialTimestamp	Process not Found
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\ClassGUID	Process not Found
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Device Parameters\Storport\InitialTimestamp	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties	Process not Found

Gathers network information 2 TTPs 6 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
4156	Process not Found
460	Process not Found
5100	Process not Found
3988	ipconfig.exe
2360	ipconfig.exe
4156	ipconfig.exe

Modifies data under HKEY_USERS 4 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-20\Software\Classes\Local Settings\MuiCache\25\52C64B7E	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Classes\Local Settings\MuiCache	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Classes\Local Settings\MuiCache\25\52C64B7E	Process not Found
Key created	\REGISTRY\USER\S-1-5-20\Software\Classes\Local Settings\MuiCache	Process not Found

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
3096	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3132	WMIC.exe
3132	WMIC.exe
3132	WMIC.exe
3132	WMIC.exe
3440	WMIC.exe
3440	WMIC.exe
3440	WMIC.exe
3440	WMIC.exe
3020	WMIC.exe
3020	WMIC.exe
3020	WMIC.exe
3020	WMIC.exe
2948	WMIC.exe
2948	WMIC.exe
2948	WMIC.exe
2948	WMIC.exe
2304	WMIC.exe
2304	WMIC.exe
2304	WMIC.exe
2304	WMIC.exe
356	powershell.exe
356	powershell.exe
4196	powershell.exe
4196	powershell.exe
5016	powershell.exe
5016	powershell.exe
3220	powershell.exe
3220	powershell.exe
2624	powershell.exe
2624	powershell.exe
2288	powershell.exe
2288	powershell.exe
4812	powershell.exe
4812	powershell.exe
2060	powershell.exe
2060	powershell.exe
2880	powershell.exe
2880	powershell.exe
1832	powershell.exe
1832	powershell.exe
240	powershell.exe
240	powershell.exe
564	powershell.exe
564	powershell.exe
912	powershell.exe
912	powershell.exe
1420	powershell.exe
1420	powershell.exe
2696	powershell.exe
2696	powershell.exe
2624	powershell.exe
2624	powershell.exe
1340	powershell.exe
1340	powershell.exe
4692	powershell.exe
4692	powershell.exe
2132	powershell.exe
2132	powershell.exe
4060	powershell.exe
4060	powershell.exe
3676	powershell.exe
3676	powershell.exe
864	powershell.exe
864	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	3132	WMIC.exe
Token: SeSecurityPrivilege	3132	WMIC.exe
Token: SeTakeOwnershipPrivilege	3132	WMIC.exe
Token: SeLoadDriverPrivilege	3132	WMIC.exe
Token: SeSystemProfilePrivilege	3132	WMIC.exe
Token: SeSystemtimePrivilege	3132	WMIC.exe
Token: SeProfSingleProcessPrivilege	3132	WMIC.exe
Token: SeIncBasePriorityPrivilege	3132	WMIC.exe
Token: SeCreatePagefilePrivilege	3132	WMIC.exe
Token: SeBackupPrivilege	3132	WMIC.exe
Token: SeRestorePrivilege	3132	WMIC.exe
Token: SeShutdownPrivilege	3132	WMIC.exe
Token: SeDebugPrivilege	3132	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3132	WMIC.exe
Token: SeRemoteShutdownPrivilege	3132	WMIC.exe
Token: SeUndockPrivilege	3132	WMIC.exe
Token: SeManageVolumePrivilege	3132	WMIC.exe
Token: 33	3132	WMIC.exe
Token: 34	3132	WMIC.exe
Token: 35	3132	WMIC.exe
Token: 36	3132	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3132	WMIC.exe
Token: SeSecurityPrivilege	3132	WMIC.exe
Token: SeTakeOwnershipPrivilege	3132	WMIC.exe
Token: SeLoadDriverPrivilege	3132	WMIC.exe
Token: SeSystemProfilePrivilege	3132	WMIC.exe
Token: SeSystemtimePrivilege	3132	WMIC.exe
Token: SeProfSingleProcessPrivilege	3132	WMIC.exe
Token: SeIncBasePriorityPrivilege	3132	WMIC.exe
Token: SeCreatePagefilePrivilege	3132	WMIC.exe
Token: SeBackupPrivilege	3132	WMIC.exe
Token: SeRestorePrivilege	3132	WMIC.exe
Token: SeShutdownPrivilege	3132	WMIC.exe
Token: SeDebugPrivilege	3132	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3132	WMIC.exe
Token: SeRemoteShutdownPrivilege	3132	WMIC.exe
Token: SeUndockPrivilege	3132	WMIC.exe
Token: SeManageVolumePrivilege	3132	WMIC.exe
Token: 33	3132	WMIC.exe
Token: 34	3132	WMIC.exe
Token: 35	3132	WMIC.exe
Token: 36	3132	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3440	WMIC.exe
Token: SeSecurityPrivilege	3440	WMIC.exe
Token: SeTakeOwnershipPrivilege	3440	WMIC.exe
Token: SeLoadDriverPrivilege	3440	WMIC.exe
Token: SeSystemProfilePrivilege	3440	WMIC.exe
Token: SeSystemtimePrivilege	3440	WMIC.exe
Token: SeProfSingleProcessPrivilege	3440	WMIC.exe
Token: SeIncBasePriorityPrivilege	3440	WMIC.exe
Token: SeCreatePagefilePrivilege	3440	WMIC.exe
Token: SeBackupPrivilege	3440	WMIC.exe
Token: SeRestorePrivilege	3440	WMIC.exe
Token: SeShutdownPrivilege	3440	WMIC.exe
Token: SeDebugPrivilege	3440	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3440	WMIC.exe
Token: SeRemoteShutdownPrivilege	3440	WMIC.exe
Token: SeUndockPrivilege	3440	WMIC.exe
Token: SeManageVolumePrivilege	3440	WMIC.exe
Token: 33	3440	WMIC.exe
Token: 34	3440	WMIC.exe
Token: 35	3440	WMIC.exe
Token: 36	3440	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3440	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4224 wrote to memory of 5072	4224	cmd.exe	82
PID 4224 wrote to memory of 5072	4224	cmd.exe	82
PID 4224 wrote to memory of 5096	4224	cmd.exe	90
PID 4224 wrote to memory of 5096	4224	cmd.exe	90
PID 4224 wrote to memory of 3948	4224	cmd.exe	91
PID 4224 wrote to memory of 3948	4224	cmd.exe	91
PID 4224 wrote to memory of 4348	4224	cmd.exe	93
PID 4224 wrote to memory of 4348	4224	cmd.exe	93
PID 4224 wrote to memory of 4956	4224	cmd.exe	94
PID 4224 wrote to memory of 4956	4224	cmd.exe	94
PID 4224 wrote to memory of 4780	4224	cmd.exe	95
PID 4224 wrote to memory of 4780	4224	cmd.exe	95
PID 4224 wrote to memory of 4580	4224	cmd.exe	96
PID 4224 wrote to memory of 4580	4224	cmd.exe	96
PID 4224 wrote to memory of 948	4224	cmd.exe	97
PID 4224 wrote to memory of 948	4224	cmd.exe	97
PID 4224 wrote to memory of 2860	4224	cmd.exe	98
PID 4224 wrote to memory of 2860	4224	cmd.exe	98
PID 4224 wrote to memory of 5016	4224	cmd.exe	99
PID 4224 wrote to memory of 5016	4224	cmd.exe	99
PID 4224 wrote to memory of 3536	4224	cmd.exe	100
PID 4224 wrote to memory of 3536	4224	cmd.exe	100
PID 4224 wrote to memory of 4372	4224	cmd.exe	101
PID 4224 wrote to memory of 4372	4224	cmd.exe	101
PID 4224 wrote to memory of 2888	4224	cmd.exe	102
PID 4224 wrote to memory of 2888	4224	cmd.exe	102
PID 4224 wrote to memory of 2068	4224	cmd.exe	103
PID 4224 wrote to memory of 2068	4224	cmd.exe	103
PID 4224 wrote to memory of 3156	4224	cmd.exe	104
PID 4224 wrote to memory of 3156	4224	cmd.exe	104
PID 4224 wrote to memory of 1912	4224	cmd.exe	105
PID 4224 wrote to memory of 1912	4224	cmd.exe	105
PID 4224 wrote to memory of 1468	4224	cmd.exe	106
PID 4224 wrote to memory of 1468	4224	cmd.exe	106
PID 4224 wrote to memory of 3220	4224	cmd.exe	107
PID 4224 wrote to memory of 3220	4224	cmd.exe	107
PID 4224 wrote to memory of 3660	4224	cmd.exe	108
PID 4224 wrote to memory of 3660	4224	cmd.exe	108
PID 4224 wrote to memory of 3640	4224	cmd.exe	109
PID 4224 wrote to memory of 3640	4224	cmd.exe	109
PID 4224 wrote to memory of 1420	4224	cmd.exe	110
PID 4224 wrote to memory of 1420	4224	cmd.exe	110
PID 4224 wrote to memory of 3996	4224	cmd.exe	111
PID 4224 wrote to memory of 3996	4224	cmd.exe	111
PID 4224 wrote to memory of 2108	4224	cmd.exe	112
PID 4224 wrote to memory of 2108	4224	cmd.exe	112
PID 4224 wrote to memory of 3216	4224	cmd.exe	113
PID 4224 wrote to memory of 3216	4224	cmd.exe	113
PID 4224 wrote to memory of 4628	4224	cmd.exe	114
PID 4224 wrote to memory of 4628	4224	cmd.exe	114
PID 4224 wrote to memory of 2464	4224	cmd.exe	115
PID 4224 wrote to memory of 2464	4224	cmd.exe	115
PID 4224 wrote to memory of 2704	4224	cmd.exe	116
PID 4224 wrote to memory of 2704	4224	cmd.exe	116
PID 4224 wrote to memory of 3476	4224	cmd.exe	117
PID 4224 wrote to memory of 3476	4224	cmd.exe	117
PID 4224 wrote to memory of 4300	4224	cmd.exe	118
PID 4224 wrote to memory of 4300	4224	cmd.exe	118
PID 4224 wrote to memory of 4524	4224	cmd.exe	119
PID 4224 wrote to memory of 4524	4224	cmd.exe	119
PID 4224 wrote to memory of 3412	4224	cmd.exe	120
PID 4224 wrote to memory of 3412	4224	cmd.exe	120
PID 4224 wrote to memory of 1032	4224	cmd.exe	121
PID 4224 wrote to memory of 1032	4224	cmd.exe	121

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\WINCL 1.8.0.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:4224
- C:\Windows\system32\cacls.exe
  "C:\Windows\system32\cacls.exe" "C:\Windows\system32\config\system"
  2⤵
  PID:5072
- C:\Windows\system32\reg.exe
  Reg.exe add "HKCU\CONSOLE" /v "VirtualTerminalLevel" /t REG_DWORD /d "1" /f
  2⤵
  PID:5096
- C:\Windows\system32\chcp.com
  chcp 65001
  2⤵
  PID:3948
- C:\Windows\system32\bcdedit.exe
  bcdedit /set disableelamdrivers No
  2⤵
  - Modifies boot configuration data using bcdedit
  PID:4348
- C:\Windows\system32\bcdedit.exe
  bcdedit /set vsmlaunchtype On
  2⤵
  - Modifies boot configuration data using bcdedit
  PID:4956
- C:\Windows\system32\bcdedit.exe
  bcdedit /set vm Yes
  2⤵
  - Modifies boot configuration data using bcdedit
  PID:4780
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 0 /f
  2⤵
  PID:4580
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableRoutinelyTakingAction /t REG_DWORD /d 0 /f
  2⤵
  PID:948
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v ServiceKeepAlive /t REG_DWORD /d 1 /f
  2⤵
  PID:2860
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v DisableBehaviorMonitoring /t REG_DWORD /d 0 /f
  2⤵
  - Modifies Windows Defender Real-time Protection settings
  PID:5016
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v DisableOnAccessProtection /t REG_DWORD /d 0 /f
  2⤵
  - Modifies Windows Defender Real-time Protection settings
  PID:3536
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v DisableScanOnRealtimeEnable /t REG_DWORD /d 0 /f
  2⤵
  - Modifies Windows Defender Real-time Protection settings
  PID:4372
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v DisableRealtimeMonitoring /t REG_DWORD /d 0 /f
  2⤵
  - Modifies Windows Defender Real-time Protection settings
  PID:2888
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting" /v DisableEnhancedNotifications /t REG_DWORD /d 0 /f
  2⤵
  PID:2068
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v SpyNetReporting /t REG_DWORD /d 1 /f
  2⤵
  PID:3156
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v DontReportInfectionInformation /t REG_DWORD /d 0 /f
  2⤵
  PID:1912
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MRT" /v DontReportInfectionInformation /t REG_DWORD /d 0 /f
  2⤵
  PID:1468
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager" /v CWDIllegalInDllSearch /t REG_DWORD /d 0x2 /f
  2⤵
  PID:3220
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager" /v SafeDLLSearchMode /t REG_DWORD /d 1 /f
  2⤵
  PID:3660
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Rpc" /v RestrictRemoteClients /t REG_DWORD /d 1 /f
  2⤵
  PID:3640
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa" /v RestrictAnonymousSAM /t REG_DWORD /d 1 /f
  2⤵
  PID:1420
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa" /v RestrictAnonymous /t REG_DWORD /d 1 /f
  2⤵
  PID:3996
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Network\NewNetworkWindowOff" /f
  2⤵
  PID:2108
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SoftwareProtectionPlatform" /v Activation /t REG_DWORD /d 0 /f
  2⤵
  PID:3216
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoRecentDocsNetHood /t REG_DWORD /d 1 /f
  2⤵
  PID:4628
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\AdvertisingInfo" /v Enabled /t REG_DWORD /d 0 /f
  2⤵
  PID:2464
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\AdvertisingInfo" /v Enabled /t REG_DWORD /d 0 /f
  2⤵
  PID:2704
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\AdvertisingInfo" /v DisabledByGroupPolicy /t REG_DWORD /d 1 /f
  2⤵
  PID:3476
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System" /v AllowCrossDeviceClipboard /t REG_DWORD /d 0 /f
  2⤵
  PID:4300
- C:\Windows\system32\reg.exe
  REG DELETE "HKEY_CURRENT_USER\Software\Microsoft\Clipboard" /v CloudClipboardAutomaticUpload /f
  2⤵
  PID:4524
- C:\Windows\system32\reg.exe
  REG DELETE "HKEY_CURRENT_USER\Software\Microsoft\Clipboard" /v EnableCloudClipboard /f
  2⤵
  PID:3412
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\TabletPC" /v TurnOffPenFeedback /t REG_DWORD /d 1 /f
  2⤵
  PID:1032
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\PenWorkspace" /v PenWorkspaceAppSuggestionsEnabled /t REG_DWORD /d 0 /f
  2⤵
  PID:2616
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\current\device\Bluetooth" /v AllowAdvertising /t REG_DWORD /d 0 /f
  2⤵
  PID:2256
- C:\Windows\system32\reg.exe
  Reg.exe add "HKCU\CONSOLE" /v "VirtualTerminalLevel" /t REG_DWORD /d "1" /f
  2⤵
  PID:4080
- C:\Windows\system32\chcp.com
  chcp 65001
  2⤵
  PID:2172
- C:\Windows\system32\netsh.exe
  netsh int teredo set state disabled
  2⤵
  PID:4136
- C:\Windows\system32\netsh.exe
  netsh int tcp set heuristics Disabled
  2⤵
  PID:2156
- C:\Windows\system32\netsh.exe
  netsh int ip set global taskoffload=Disabled
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  PID:3068
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces" /v "DisablingTaskOffload" /t REG_DWORD /d "0" /f
  2⤵
  PID:2552
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters" /v "DisablingTaskOffload" /t REG_DWORD /d "0" /f
  2⤵
  PID:4360
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile" /v "NetworkThrottlingIndex" /t REG_DWORD /d "4294967295" /f
  2⤵
  PID:4816
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic path win32_NetworkAdapter get PNPDeviceID
  2⤵
  PID:4940
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic path win32_NetworkAdapter get PNPDeviceID
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3132
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\System\CurrentControlSet\Enum\PNPDeviceID\Device Parameters\Interrupt Management\Affinity Policy" /v "DevicePriority" /f
  2⤵
  PID:392
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\System\CurrentControlSet\Enum\PNPDeviceID\Device Parameters\Interrupt Management\MessageSignaledInterruptProperties" /v "MSISupported" /t REG_DWORD /d "1" /f
  2⤵
  PID:4960
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\System\CurrentControlSet\Enum\ROOT\KDNIC\0000\Device Parameters\Interrupt Management\Affinity Policy" /v "DevicePriority" /f
  2⤵
  PID:3064
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\System\CurrentControlSet\Enum\ROOT\KDNIC\0000\Device Parameters\Interrupt Management\MessageSignaledInterruptProperties" /v "MSISupported" /t REG_DWORD /d "1" /f
  2⤵
  PID:4572
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\System\CurrentControlSet\Enum\PCI\VEN_10EC&DEV_8139&SUBSYS_11001AF4&REV_20\3&11583659&0&18\Device Parameters\Interrupt Management\Affinity Policy" /v "DevicePriority" /f
  2⤵
  PID:4692
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\System\CurrentControlSet\Enum\PCI\VEN_10EC&DEV_8139&SUBSYS_11001AF4&REV_20\3&11583659&0&18\Device Parameters\Interrupt Management\MessageSignaledInterruptProperties" /v "MSISupported" /t REG_DWORD /d "1" /f
  2⤵
  PID:2096
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\System\CurrentControlSet\Enum\ \Device Parameters\Interrupt Management\Affinity Policy" /v "DevicePriority" /f
  2⤵
  PID:3768
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\System\CurrentControlSet\Enum\ \Device Parameters\Interrupt Management\MessageSignaledInterruptProperties" /v "MSISupported" /t REG_DWORD /d "1" /f
  2⤵
  PID:4428
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic path win32_networkadapter get GUID | findstr "{"
  2⤵
  PID:1484
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic path win32_networkadapter get GUID
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3440
- - C:\Windows\system32\findstr.exe
    findstr "{"
    3⤵
    PID:5024
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{26199A05-54A8-4F9E-A5EB-D5AFDD54C21D}" /v InterfaceMetric /t REG_DWORD /d "55" /f
  2⤵
  PID:1168
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic path win32_networkadapter get GUID | findstr "{"
  2⤵
  PID:3288
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic path win32_networkadapter get GUID
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:3020
- - C:\Windows\system32\findstr.exe
    findstr "{"
    3⤵
    PID:4872
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{26199A05-54A8-4F9E-A5EB-D5AFDD54C21D}" /v TCPNoDelay /t REG_DWORD /d "1" /f
  2⤵
  PID:1440
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic path win32_networkadapter get GUID | findstr "{"
  2⤵
  PID:1824
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic path win32_networkadapter get GUID
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2948
- - C:\Windows\system32\findstr.exe
    findstr "{"
    3⤵
    PID:4884
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{26199A05-54A8-4F9E-A5EB-D5AFDD54C21D}" /v TcpAckFrequency /t REG_DWORD /d "1" /f
  2⤵
  PID:1016
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic path win32_networkadapter get GUID | findstr "{"
  2⤵
  PID:2104
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic path win32_networkadapter get GUID
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2304
- - C:\Windows\system32\findstr.exe
    findstr "{"
    3⤵
    PID:3584
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{26199A05-54A8-4F9E-A5EB-D5AFDD54C21D}" /v TcpDelAckTicks /t REG_DWORD /d "0" /f
  2⤵
  PID:1116
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\ServiceProvider" /v "LocalPriority" /t REG_DWORD /d "4" /f
  2⤵
  PID:820
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\ServiceProvider" /v "HostsPriority" /t REG_DWORD /d "5" /f
  2⤵
  PID:4944
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\ServiceProvider" /v "DnsPriority" /t REG_DWORD /d "6" /f
  2⤵
  PID:3800
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\ServiceProvider" /v "NetbtPriority" /t REG_DWORD /d "7" /f
  2⤵
  PID:3652
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell Set-NetOffloadGlobalSetting -ReceiveSegmentCoalescing Disabled -PacketCoalescingFilter Disabled -Chimney Disabled -ReceiveSideScaling Enabled -TaskOffload Enabled -ScalingHeuristics Disabled
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:356
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell Set-NetTCPSetting -SettingName "*" -InitialCongestionWindow 10 -MinRto 300
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:4196
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell Set-NetIPv4Protocol -MulticastForwarding Disabled -MediaSenseEventLog Disabled
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:5016
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell Disable-NetAdapterChecksumOffload -Name "*" -ErrorAction SilentlyContinue
  2⤵
  - Hide Artifacts: Ignore Process Interrupts
  - Suspicious behavior: EnumeratesProcesses
  PID:3220
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell Disable-NetAdapterLso -Name "*" -ErrorAction SilentlyContinue
  2⤵
  - Hide Artifacts: Ignore Process Interrupts
  - Suspicious behavior: EnumeratesProcesses
  PID:2624
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell Disable-NetAdapterRsc -Name "*" -ErrorAction SilentlyContinue
  2⤵
  - Hide Artifacts: Ignore Process Interrupts
  - Suspicious behavior: EnumeratesProcesses
  PID:2288
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell Disable-NetAdapterIPsecOffload -Name "*" -ErrorAction SilentlyContinue
  2⤵
  - Hide Artifacts: Ignore Process Interrupts
  - Suspicious behavior: EnumeratesProcesses
  PID:4812
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell Disable-NetAdapterPowerManagement -Name "*" -ErrorAction SilentlyContinue
  2⤵
  - Hide Artifacts: Ignore Process Interrupts
  - Suspicious behavior: EnumeratesProcesses
  PID:2060
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell Disable-NetAdapterQos -Name "*" -ErrorAction SilentlyContinue
  2⤵
  - Hide Artifacts: Ignore Process Interrupts
  - Suspicious behavior: EnumeratesProcesses
  PID:2880
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell Disable-NetAdapterEncapsulatedPacketTaskOffload -Name "*" -ErrorAction SilentlyContinue
  2⤵
  - Hide Artifacts: Ignore Process Interrupts
  - Suspicious behavior: EnumeratesProcesses
  PID:1832
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell Disable-NetAdapterUso -Name "*" -ErrorAction SilentlyContinue
  2⤵
  - Hide Artifacts: Ignore Process Interrupts
  - Suspicious behavior: EnumeratesProcesses
  PID:240
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell Set-NetAdapterAdvancedProperty -Name "*" -RegistryKeyword *FlowControl -RegistryValue 0
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:564
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell Set-NetAdapterAdvancedProperty -Name "*" -RegistryKeyword *InterruptModeration -RegistryValue 0
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:912
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell Set-NetAdapterAdvancedProperty -Name "*" -RegistryKeyword ULPMode -RegistryValue 0
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:1420
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell Set-NetAdapterAdvancedProperty -Name "*" -RegistryKeyword ITR -RegistryValue 0
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:2696
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell Set-NetAdapterAdvancedProperty -Name "*" -RegistryKeyword *LsoV2IPv4 -RegistryValue 0
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:2624
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell Set-NetAdapterAdvancedProperty -Name "*" -RegistryKeyword *LsoV2IPv6 -RegistryValue 0
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:1340
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell Set-NetAdapterAdvancedProperty -Name "*" -RegistryKeyword *PriorityVLANTag -RegistryValue 0
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:4692
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell Set-NetAdapterAdvancedProperty -Name "*" -RegistryKeyword AdaptiveIFS -RegistryValue 0
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:2132
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell Set-NetAdapterAdvancedProperty -Name "*" -RegistryKeyword *IPChecksumOffloadIPv4 -RegistryValue 3
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:4060
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell Set-NetAdapterAdvancedProperty -Name "*" -RegistryKeyword *TCPChecksumOffloadIPv4 -RegistryValue 3
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:3676
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell Set-NetAdapterAdvancedProperty -Name "*" -RegistryKeyword *TCPChecksumOffloadIPv6 -RegistryValue 3
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:864
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell Set-NetAdapterAdvancedProperty -Name "*" -RegistryKeyword *UDPChecksumOffloadIPv4 -RegistryValue 3
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:1292
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell Set-NetAdapterAdvancedProperty -Name "*" -RegistryKeyword *UDPChecksumOffloadIPv6 -RegistryValue 3
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:1860
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell Set-NetAdapterAdvancedProperty -Name "*" -RegistryKeyword *PMARPOffload -RegistryValue 0
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:2800
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell Set-NetAdapterAdvancedProperty -Name "*" -RegistryKeyword *PMNSOffload -RegistryValue 0
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:2080
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell Set-NetAdapterAdvancedProperty -Name "*" -RegistryKeyword *RSS -RegistryValue 1
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:964
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell Set-NetAdapterAdvancedProperty -Name "*" -RegistryKeyword *NumRssQueues -RegistryValue 2
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:1328
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell Set-NetAdapterAdvancedProperty -Name "*" -RegistryKeyword *WakeOnMagicPacket -RegistryValue 0
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:868
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell Set-NetAdapterAdvancedProperty -Name "*" -RegistryKeyword *WakeOnPattern -RegistryValue 0
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:5072
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell Set-NetAdapterAdvancedProperty -Name "*" -RegistryKeyword EEELinkAdvertisement -RegistryValue 0
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:3108
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell Set-NetAdapterAdvancedProperty -Name "*" -RegistryKeyword EnablePME -RegistryValue 0
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:3288
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell Set-NetAdapterAdvancedProperty -Name "*" -RegistryKeyword ReduceSpeedOnPowerDown -RegistryValue 0
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:1432
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell Set-NetAdapterAdvancedProperty -Name "*" -RegistryKeyword EnableWakeOnManagmentOnTCO -RegistryValue 0
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:3204
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell Set-NetAdapterAdvancedProperty -Name "*" -RegistryKeyword ULPMode -RegistryValue 0
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:2028
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell Set-NetAdapterAdvancedProperty -Name "*" -RegistryKeyword LogLinkStateEvent -RegistryValue 16
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:3400
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell Set-NetAdapterAdvancedProperty -Name "*" -RegistryKeyword *JumboPacket -RegistryValue 1514
  2⤵
  PID:4204
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell Set-NetAdapterRss -Name "*" -BaseProcessorNumber 2
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:2108
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell Set-NetAdapterRss -Name "*" -MaxProcessorNumber 2
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:1572
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell Disable-NetAdapterBinding -Name "*" -ComponentID ms_lldp -ErrorAction SilentlyContinue
  2⤵
  - Hide Artifacts: Ignore Process Interrupts
  PID:2016
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell Disable-NetAdapterBinding -Name "*" -ComponentID ms_lltdio -ErrorAction SilentlyContinue
  2⤵
  - Hide Artifacts: Ignore Process Interrupts
  PID:2764
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell Disable-NetAdapterBinding -Name "*" -ComponentID ms_msclient -ErrorAction SilentlyContinue
  2⤵
  - Hide Artifacts: Ignore Process Interrupts
  PID:328
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell Disable-NetAdapterBinding -Name "*" -ComponentID ms_rspndr -ErrorAction SilentlyContinue
  2⤵
  - Hide Artifacts: Ignore Process Interrupts
  PID:4976
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell Disable-NetAdapterBinding -Name "*" -ComponentID ms_server -ErrorAction SilentlyContinue
  2⤵
  - Hide Artifacts: Ignore Process Interrupts
  PID:3108
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell Disable-NetAdapterBinding -Name "*" -ComponentID ms_implat -ErrorAction SilentlyContinue
  2⤵
  - Hide Artifacts: Ignore Process Interrupts
  PID:3288
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell Disable-NetAdapterBinding -Name "*" -ComponentID ms_pacer -ErrorAction SilentlyContinue
  2⤵
  - Hide Artifacts: Ignore Process Interrupts
  PID:1112
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell Disable-NetAdapterBinding -Name "*" -ComponentID ms_pppoe -ErrorAction SilentlyContinue
  2⤵
  - Hide Artifacts: Ignore Process Interrupts
  PID:3596
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell Disable-NetAdapterBinding -Name "*" -ComponentID ms_rdma_ndk -ErrorAction SilentlyContinue
  2⤵
  - Hide Artifacts: Ignore Process Interrupts
  PID:2568
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell Disable-NetAdapterBinding -Name "*" -ComponentID ms_ndisuio -ErrorAction SilentlyContinue
  2⤵
  - Hide Artifacts: Ignore Process Interrupts
  PID:1968
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell Disable-NetAdapterBinding -Name "*" -ComponentID ms_wfplwf_upper -ErrorAction SilentlyContinue
  2⤵
  - Hide Artifacts: Ignore Process Interrupts
  PID:4024
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell Disable-NetAdapterBinding -Name "*" -ComponentID ms_wfplwf_lower -ErrorAction SilentlyContinue
  2⤵
  - Hide Artifacts: Ignore Process Interrupts
  PID:4152
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell Disable-NetAdapterBinding -Name "*" -ComponentID ms_netbt -ErrorAction SilentlyContinue
  2⤵
  - Hide Artifacts: Ignore Process Interrupts
  PID:856
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell Disable-NetAdapterBinding -Name "*" -ComponentID ms_netbios -ErrorAction SilentlyContinue
  2⤵
  - Hide Artifacts: Ignore Process Interrupts
  PID:4508
- C:\Windows\system32\netsh.exe
  netsh winsock reset
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  PID:5000
- C:\Windows\system32\netsh.exe
  netsh winsock set autotuning on
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  PID:2400
- C:\Windows\system32\netsh.exe
  netsh interface teredo set state disabled
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  PID:3520
- C:\Windows\system32\netsh.exe
  netsh interface 6to4 set state disabled
  2⤵
  PID:2264
- C:\Windows\system32\netsh.exe
  netsh interface isatap set state disable
  2⤵
  PID:2168
- C:\Windows\system32\netsh.exe
  netsh int tcp set heuristics wsh=disabled forcews=enabled
  2⤵
  PID:1104
- C:\Windows\system32\netsh.exe
  netsh int ip set global taskoffload=disabled
  2⤵
  PID:2456
- C:\Windows\system32\netsh.exe
  netsh int ip set global neighborcachelimit=4096
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  PID:4780
- C:\Windows\system32\netsh.exe
  netsh int tcp set heuristics disabled
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  PID:2932
- C:\Windows\system32\netsh.exe
  netsh int tcp set global autotuninglevel=disabled
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  PID:3116
- C:\Windows\system32\netsh.exe
  netsh int tcp set supplemental Internet congestionprovider=newreno
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  PID:1220
- C:\Windows\system32\netsh.exe
  netsh int tcp set supplemental Internet congestionprovider=bbr2
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  PID:3444
- C:\Windows\system32\netsh.exe
  netsh int tcp set supplemental InternetCustom congestionprovider=newreno
  2⤵
  PID:3340
- C:\Windows\system32\netsh.exe
  netsh int tcp set supplemental InternetCustom congestionprovider=bbr2
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  PID:1552
- C:\Windows\system32\netsh.exe
  netsh int tcp set global chimney=disabled
  2⤵
  PID:1796
- C:\Windows\system32\netsh.exe
  netsh int tcp set global ecncapability=disabled
  2⤵
  PID:3888
- C:\Windows\system32\netsh.exe
  netsh int tcp set global rss=enabled
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  PID:3364
- C:\Windows\system32\netsh.exe
  netsh int tcp set global rsc=disabled
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  PID:2880
- C:\Windows\system32\netsh.exe
  netsh int tcp set global dca=enabled
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  PID:5096
- C:\Windows\system32\netsh.exe
  netsh int tcp set global netdma=enabled
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  PID:1964
- C:\Windows\system32\netsh.exe
  netsh int tcp set global nonsackrttresiliency=disabled
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  PID:2192
- C:\Windows\system32\netsh.exe
  netsh int tcp set global timestamps=disabled
  2⤵
  - System Time Discovery
  PID:3296
- C:\Windows\system32\netsh.exe
  netsh int tcp set global fastopen=enabled
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  PID:3536
- C:\Windows\system32\netsh.exe
  netsh int tcp set global fastopenfallback=disabled
  2⤵
  PID:3716
- C:\Windows\system32\netsh.exe
  netsh int tcp set global initialRto=2000
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  PID:1900
- C:\Windows\system32\netsh.exe
  netsh int tcp set global maxsynretransmissions=2
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  PID:4308
- C:\Windows\system32\netsh.exe
  netsh int tcp set global pacingprofile=off
  2⤵
  PID:2176
- C:\Windows\system32\netsh.exe
  netsh int tcp set global hystart=disabled
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  PID:4372
- C:\Windows\system32\netsh.exe
  netsh int tcp set security profiles=disabled
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  PID:4856
- C:\Windows\system32\netsh.exe
  netsh int tcp set security mpp=disable
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  PID:4120
- C:\Windows\system32\netsh.exe
  netsh int udp set global uro=enabled
  2⤵
  PID:4196
- C:\Windows\system32\netsh.exe
  netsh interface ip set interface ethernet currenthoplimit=64
  2⤵
  PID:3936
- C:\Windows\system32\netsh.exe
  netsh interface ip set interface ethernet weakhostsend=enabled
  2⤵
  PID:1956
- C:\Windows\system32\netsh.exe
  netsh interface ip set interface ethernet weakhostreceive=enabled
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  PID:1124
- C:\Windows\system32\netsh.exe
  netsh interface ipv4 set subinterface "Ethernet" mtu=1400 store=persistent
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  PID:4648
- C:\Windows\system32\ipconfig.exe
  ipconfig /flushdns
  2⤵
  - Gathers network information
  PID:3988
- C:\Windows\system32\ipconfig.exe
  ipconfig /release
  2⤵
  - Gathers network information
  PID:2360
- C:\Windows\system32\ipconfig.exe
  ipconfig /renew
  2⤵
  - Gathers network information
  PID:4156
- C:\Windows\system32\ARP.EXE
  arp -d *
  2⤵
  PID:4080
- C:\Windows\system32\netsh.exe
  netsh interface ip delete arpcache
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  PID:2800
- C:\Windows\system32\netsh.exe
  netsh branchcache reset
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  PID:704
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c powershell -noprofile -c "Get-CimInstance -ClassName Win32_PnPEntity | where-object {($_.PNPClass -match 'Net') -and ($_.Status -match 'OK') -and ($_.Name -like '*Connection*')} | ForEach-Object { ($_ | Invoke-CimMethod -MethodName GetDeviceProperties).deviceProperties.where({$_.KeyName -EQ 'DEVPKEY_Device_Driver'}).data }"
  2⤵
  PID:3012
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -noprofile -c "Get-CimInstance -ClassName Win32_PnPEntity | where-object {($_.PNPClass -match 'Net') -and ($_.Status -match 'OK') -and ($_.Name -like '*Connection*')} | ForEach-Object { ($_ | Invoke-CimMethod -MethodName GetDeviceProperties).deviceProperties.where({$_.KeyName -EQ 'DEVPKEY_Device_Driver'}).data }"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:3776
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG QUERY "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\NetworkCards" /F "ServiceName" /S| FINDSTR /I /L "ServiceName"
  2⤵
  PID:3796
- - C:\Windows\system32\reg.exe
    REG QUERY "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\NetworkCards" /F "ServiceName" /S
    3⤵
    PID:4596
- - C:\Windows\system32\findstr.exe
    FINDSTR /I /L "ServiceName"
    3⤵
    PID:3652
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG QUERY "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318}" /F "{26199A05-54A8-4F9E-A5EB-D5AFDD54C21D}" /D /E /S| FINDSTR /I /L "\\Class\\"
  2⤵
  PID:1116
- - C:\Windows\system32\reg.exe
    REG QUERY "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318}" /F "{26199A05-54A8-4F9E-A5EB-D5AFDD54C21D}" /D /E /S
    3⤵
    PID:5100
- - C:\Windows\system32\findstr.exe
    FINDSTR /I /L "\\Class\\"
    3⤵
    PID:4108
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG QUERY "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318}\0001\Linkage" /V "FilterList"
  2⤵
  PID:1264
- - C:\Windows\system32\reg.exe
    REG QUERY "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318}\0001\Linkage" /V "FilterList"
    3⤵
    PID:1440
- C:\Windows\system32\reg.exe
  REG QUERY HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318}\0001\Linkage /V "FilterList"
  2⤵
  PID:3980
- C:\Windows\system32\findstr.exe
  FINDSTR /I "{B5F4D659-7DAA-4565-8E41-BE220ED60542} {430BDADD-BAB0-41AB-A369-94B67FA5BE0A}"
  2⤵
  PID:1516
- C:\Windows\system32\reg.exe
  REG ADD HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318}\0001\Linkage /F /V "FilterList" /T REG_MULTI_SZ /d "{26199A05-54A8-4F9E-A5EB-D5AFDD54C21D}-0000\0{26199A05-54A8-4F9E-A5EB-D5AFDD54C21D}-{3BFD7820-D65C-4C1B-9FEA-983A019639EA}-0000\0{26199A05-54A8-4F9E-A5EB-D5AFDD54C21D}-0001\0{26199A05-54A8-4F9E-A5EB-D5AFDD54C21D}-{B70D6460-3635-4D42-B866-B8AB1A24454C}-0000\0{26199A05-54A8-4F9E-A5EB-D5AFDD54C21D}-0003"
  2⤵
  PID:3948
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG QUERY "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Psched\Parameters\Adapters"
  2⤵
  PID:3096
- - C:\Windows\system32\reg.exe
    REG QUERY "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Psched\Parameters\Adapters"
    3⤵
    PID:2448
- C:\Windows\system32\reg.exe
  REG DELETE HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Psched\Parameters\Adapters\{AD6FD847-81D5-4BCA-BB46-A1A26A5245CD} /F
  2⤵
  PID:3752
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSMQ\Parameters" /v TCPNoDelay /t REG_DWORD /d 1 /f
  2⤵
  PID:1948
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG QUERY "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces" /f 1 /d /s|Findstr HKEY_
  2⤵
  PID:4208
- - C:\Windows\system32\reg.exe
    REG QUERY "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces" /f 1 /d /s
    3⤵
    PID:4188
- - C:\Windows\system32\findstr.exe
    Findstr HKEY_
    3⤵
    PID:1352
- C:\Windows\system32\reg.exe
  REG ADD HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{26199a05-54a8-4f9e-a5eb-d5afdd54c21d} /v NonBestEffortLimit /t Reg_DWORD /d 0 /f
  2⤵
  PID:3984
- C:\Windows\system32\reg.exe
  REG ADD HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{26199a05-54a8-4f9e-a5eb-d5afdd54c21d} /v DeadGWDetectDefault /t Reg_DWORD /d 1 /f
  2⤵
  PID:2480
- C:\Windows\system32\reg.exe
  REG ADD HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{26199a05-54a8-4f9e-a5eb-d5afdd54c21d} /v PerformRouterDiscovery /t Reg_DWORD /d 1"/f
  2⤵
  PID:4520
- C:\Windows\system32\reg.exe
  REG ADD HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{26199a05-54a8-4f9e-a5eb-d5afdd54c21d} /v TCPNoDelay /t Reg_DWORD /d 1 /f
  2⤵
  PID:4332
- C:\Windows\system32\reg.exe
  REG ADD HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{26199a05-54a8-4f9e-a5eb-d5afdd54c21d} /v TcpAckFrequency /t Reg_DWORD /d 1 /f
  2⤵
  PID:1064
- C:\Windows\system32\reg.exe
  REG ADD HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{26199a05-54a8-4f9e-a5eb-d5afdd54c21d} /v TcpInitialRTT /t Reg_DWORD /d 2 /f
  2⤵
  PID:2420
- C:\Windows\system32\reg.exe
  REG ADD HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{26199a05-54a8-4f9e-a5eb-d5afdd54c21d} /v TcpDelAckTicks /t Reg_DWORD /d 0 /f
  2⤵
  PID:1068
- C:\Windows\system32\reg.exe
  REG ADD HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{26199a05-54a8-4f9e-a5eb-d5afdd54c21d} /v UseZeroBroadcast /t Reg_DWORD /d 0 /f
  2⤵
  PID:2844
- C:\Windows\system32\reg.exe
  REG ADD HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{26199a05-54a8-4f9e-a5eb-d5afdd54c21d} /v InterfaceMetric /t Reg_DWORD /d 55 /f
  2⤵
  PID:2584
- C:\Windows\system32\reg.exe
  REG ADD HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{ad6fd847-81d5-4bca-bb46-a1a26a5245cd} /v NonBestEffortLimit /t Reg_DWORD /d 0 /f
  2⤵
  PID:3676
- C:\Windows\system32\reg.exe
  REG ADD HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{ad6fd847-81d5-4bca-bb46-a1a26a5245cd} /v DeadGWDetectDefault /t Reg_DWORD /d 1 /f
  2⤵
  PID:4288
- C:\Windows\system32\reg.exe
  REG ADD HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{ad6fd847-81d5-4bca-bb46-a1a26a5245cd} /v PerformRouterDiscovery /t Reg_DWORD /d 1"/f
  2⤵
  PID:564
- C:\Windows\system32\reg.exe
  REG ADD HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{ad6fd847-81d5-4bca-bb46-a1a26a5245cd} /v TCPNoDelay /t Reg_DWORD /d 1 /f
  2⤵
  PID:2312
- C:\Windows\system32\reg.exe
  REG ADD HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{ad6fd847-81d5-4bca-bb46-a1a26a5245cd} /v TcpAckFrequency /t Reg_DWORD /d 1 /f
  2⤵
  PID:240
- C:\Windows\system32\reg.exe
  REG ADD HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{ad6fd847-81d5-4bca-bb46-a1a26a5245cd} /v TcpInitialRTT /t Reg_DWORD /d 2 /f
  2⤵
  PID:1192
- C:\Windows\system32\reg.exe
  REG ADD HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{ad6fd847-81d5-4bca-bb46-a1a26a5245cd} /v TcpDelAckTicks /t Reg_DWORD /d 0 /f
  2⤵
  PID:2160
- C:\Windows\system32\reg.exe
  REG ADD HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{ad6fd847-81d5-4bca-bb46-a1a26a5245cd} /v UseZeroBroadcast /t Reg_DWORD /d 0 /f
  2⤵
  PID:3028
- C:\Windows\system32\reg.exe
  REG ADD HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{ad6fd847-81d5-4bca-bb46-a1a26a5245cd} /v InterfaceMetric /t Reg_DWORD /d 55 /f
  2⤵
  PID:2772
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\System\CurrentControlSet\services\Tcpip6\Parameters" /v EnableICSIPv6 /t REG_DWORD /d 0 /f
  2⤵
  PID:2708
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip6\Parameters" /v DisabledComponents /t REG_DWORD /d 255 /f
  2⤵
  PID:2244
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Psched" /v NonBestEffortLimit /t REG_DWORD /d 0 /f
  2⤵
  PID:2852
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Psched" /v TimerResolution /t REG_DWORD /d 1 /f
  2⤵
  PID:4580
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile" /v NetworkThrottlingIndex /t REG_DWORD /d 0xffffffff /f
  2⤵
  PID:1468
- C:\Windows\system32\reg.exe
  REG DELETE "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters" /v DefaultTTL /f
  2⤵
  PID:3400
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters" /v TcpTimedWaitDelay /t REG_DWORD /d 30 /f
  2⤵
  PID:2568
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters" /v EnablePMTUBHDetect /t REG_DWORD /d 0 /f
  2⤵
  PID:2592
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters" /v KeepAliveTime /t REG_DWORD /d 0x006ddd00 /f
  2⤵
  PID:444
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters" /v QualifyingDestinationThreshold /t REG_DWORD /d 3 /f
  2⤵
  PID:2712
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters" /v TcpCreateAndConnectTcbRateLimitDepth /t REG_DWORD /d 0 /f
  2⤵
  PID:3768
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters" /v DelayedAckFrequency /t REG_DWORD /d 1 /f
  2⤵
  PID:1676
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters" /v DelayedAckTicks /t REG_DWORD /d 1 /f
  2⤵
  PID:4196
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters" /v CongestionAlgorithm /t REG_DWORD /d 1 /f
  2⤵
  PID:3428
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters" /v MultihopSets /t REG_DWORD /d 0x0000000f /f
  2⤵
  PID:4272
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters" /v EnableDCA /t REG_DWORD /d 1 /f
  2⤵
  PID:2072
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters" /v EnableWsd /t REG_DWORD /d 0 /f
  2⤵
  PID:1968
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters" /v EnableTCPA /t REG_DWORD /d 1 /f
  2⤵
  PID:4540
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters" /v EnableConnectionRateLimiting /t REG_DWORD /d 0 /f
  2⤵
  PID:716
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters" /v DeadGWDetectDefault /t REG_DWORD /d 1 /f
  2⤵
  PID:1124
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters" /v GlobalMaxTcpWindowSize /t REG_DWORD /d 65535 /f
  2⤵
  PID:2756
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters" /v TcpWindowSize /t REG_DWORD /d 65535 /f
  2⤵
  PID:3640
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters" /v MaxUserPort /t REG_DWORD /d 65534 /f
  2⤵
  PID:1136
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters" /v MaxFreeTcbs /t REG_DWORD /d 65536 /f
  2⤵
  PID:2796
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters" /v Tcp1323Opts /t REG_DWORD /d 1 /f
  2⤵
  PID:4820
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters" /v DisableTaskOffload /t REG_DWORD /d 0 /f
  2⤵
  PID:1420
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters" /v NameSrvQueryTimeout /t REG_DWORD /d 3000 /f
  2⤵
  - System Time Discovery
  PID:1268
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NetBT\Parameters" /v EnableLMHOSTS /t REG_DWORD /d 0 /f
  2⤵
  PID:1144
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NetBT\Parameters" /v NodeType /t REG_DWORD /d 2 /f
  2⤵
  PID:4524
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NetBT\Parameters" /v EnablePMTUDiscovery /t REG_DWORD /d 1 /f
  2⤵
  PID:2444
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NetBT\Parameters" /v SackOpts /t REG_DWORD /d 0 /f
  2⤵
  PID:856
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NetBT\Parameters" /v TCPCongestionControl /t REG_DWORD /d 1 /f
  2⤵
  PID:4756
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Winsock" /v UseDelayedAcceptance /t REG_DWORD /d 0 /f
  2⤵
  PID:1328
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Winsock" /v MaxSockAddrLength /t REG_DWORD /d 16 /f
  2⤵
  PID:2552
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Winsock" /v MinSockAddrLength /t REG_DWORD /d 16 /f
  2⤵
  PID:232
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\QoS" /v "Do not use NLA" /t REG_SZ /d 1 /f
  2⤵
  PID:4864
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\QoS" /v EnableRSVP /t REG_DWORD /d 0 /f
  2⤵
  PID:2500
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\QoS" /v EnablePriorityBoost /t REG_DWORD /d 0 /f
  2⤵
  PID:972
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\ServiceProvider" /v LocalPriority /t REG_DWORD /d 3 /f
  2⤵
  PID:3044
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\ServiceProvider" /v HostsPriority /t REG_DWORD /d 3 /f
  2⤵
  PID:3924
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\ServiceProvider" /v DnsPriority /t REG_DWORD /d 6 /f
  2⤵
  PID:1544
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\ServiceProvider" /v NetbtPriority /t REG_DWORD /d 7 /f
  2⤵
  PID:3060
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters" /v ServiceDllUnloadOnStop /t REG_DWORD /d 1 /f
  2⤵
  PID:5116
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters" /v MaxCacheTtl /t REG_DWORD /d 13824 /f
  2⤵
  PID:3440
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters" /v MaxNegativeCacheTtl /t REG_DWORD /d 0 /f
  2⤵
  PID:4644
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters" /v NetFailureCacheTime /t REG_DWORD /d 0 /f
  2⤵
  - System Time Discovery
  PID:4592
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters" /v NegativeSOACacheTime /t REG_DWORD /d 0 /f
  2⤵
  PID:1504
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters" /v NegativeCacheTime /t REG_DWORD /d 0 /f
  2⤵
  PID:4784
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters" /v CacheHashTableBucketSize /t REG_DWORD /d 1 /f
  2⤵
  PID:4960
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters" /v MaxCacheEntryTtlLimit /t REG_DWORD /d 86400 /f
  2⤵
  PID:2556
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters" /v MaxSOACacheEntryTtlLimit /t REG_DWORD /d 300 /f
  2⤵
  PID:456
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters" /v CacheHashTableSize /t REG_DWORD /d 384 /f
  2⤵
  PID:4872
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters" /v MaximumUdpPacketSize /t REG_DWORD /d 1300 /f
  2⤵
  PID:4564
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters" /v RegistrationRefreshInterval /t REG_DWORD /d 1 /f
  2⤵
  PID:4384
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters" /v EnableAutoDoh /t REG_DWORD /d 2 /f
  2⤵
  PID:964
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\DnsClient" /v EnableMulticast /t REG_DWORD /d 0 /f
  2⤵
  PID:2000
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\" /v "*FlowControl" /t REG_SZ /d 0 /f
  2⤵
  PID:2560
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\" /v "*TransmitBuffers" /t REG_SZ /d 1024 /f
  2⤵
  PID:1940
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\" /v "*ReceiveBuffers" /t REG_SZ /d 1024 /f
  2⤵
  PID:1752
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\" /v "*TCPChecksumOffloadIPv4" /t REG_SZ /d 3 /f
  2⤵
  PID:4356
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\" /v "*TCPChecksumOffloadIPv6" /t REG_SZ /d 3 /f
  2⤵
  PID:1196
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\" /v "*UDPChecksumOffloadIPv4" /t REG_SZ /d 3 /f
  2⤵
  PID:3724
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\" /v "*UDPChecksumOffloadIPv6" /t REG_SZ /d 3 /f
  2⤵
  PID:2528
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\" /v "*IPChecksumOffloadIPv4" /t REG_SZ /d 3 /f
  2⤵
  PID:4972
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\" /v "ITR" /t REG_SZ /d 0 /f
  2⤵
  PID:2208
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\" /v "*InterruptModeration" /t REG_SZ /d 0 /f
  2⤵
  PID:4772
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\" /v "*PriorityVLANTag" /t REG_SZ /d 0 /f
  2⤵
  PID:4964
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\" /v "*LsoV2IPv4" /t REG_SZ /d 0 /f
  2⤵
  PID:3684
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\" /v "*LsoV2IPv6" /t REG_SZ /d 0 /f
  2⤵
  PID:4688
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\" /v "AdaptiveIFS" /t REG_SZ /d 0 /f
  2⤵
  PID:3652
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\" /v "*PMARPOffload" /t REG_SZ /d 0 /f
  2⤵
  PID:1376
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\" /v "*PMNSOffload" /t REG_SZ /d 0 /f
  2⤵
  PID:3584
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\" /v "*LsoV1IPv4" /t REG_SZ /d 0 /f
  2⤵
  PID:3860
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\" /v "WakeOnSlot" /t REG_SZ /d 0 /f
  2⤵
  PID:4816
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\" /v "*DeviceSleepOnDisconnect" /t REG_SZ /d 0 /f
  2⤵
  PID:1796
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\" /v "ReceiveScalingMode" /t REG_SZ /d 1 /f
  2⤵
  PID:4060
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\" /v "EnableTss" /t REG_SZ /d 0 /f
  2⤵
  PID:696
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\" /v "ReduceSpeedOnPowerDown" /t REG_SZ /d 0 /f
  2⤵
  PID:3500
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\" /v "*WakeOnPattern" /t REG_SZ /d 0 /f
  2⤵
  PID:2140
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\" /v "*WakeOnMagicPacket" /t REG_SZ /d 0 /f
  2⤵
  PID:1016
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\" /v "WakeOnLink" /t REG_SZ /d 0 /f
  2⤵
  PID:1668
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\" /v "*NumRssQueues" /t REG_SZ /d 2 /f
  2⤵
  PID:1792
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\" /v "*RSS" /t REG_SZ /d 1 /f
  2⤵
  PID:4612
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\" /v "ULPMode" /t REG_SZ /d 0 /f
  2⤵
  PID:4188
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\" /v "AllowAllSpeedsLPLU" /t REG_SZ /d 1 /f
  2⤵
  PID:4712
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\" /v "WakeOnFastStartup" /t REG_SZ /d 1 /f
  2⤵
  PID:1432
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\" /v "RxIntModerationProfile" /t REG_SZ /d 0 /f
  2⤵
  PID:4124
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\" /v "TxIntModerationProfile" /t REG_SZ /d 0 /f
  2⤵
  PID:2432
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\" /v "AsyncReceiveIndicate" /t REG_SZ /d 1 /f
  2⤵
  PID:2476
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\" /v TxIntDelay /t REG_SZ /d 5 /f
  2⤵
  PID:2492
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\" /v PacketDirect /t REG_SZ /d 1 /f
  2⤵
  PID:2148
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\" /v DisableDelayedPowerUp /t REG_SZ /d 1 /f
  2⤵
  PID:4256
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\" /v EnableCoalesce /t REG_SZ /d 1 /f
  2⤵
  PID:2840
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\" /v EnableUdpTxScaling /t REG_SZ /d 1 /f
  2⤵
  PID:4020
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\" /v AlternateSemaphoreDelay /t REG_SZ /d 0 /f
  2⤵
  PID:2584
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\\Ndi\Params\*NumRssQueues\Enum" /v 1 /t REG_SZ /d "1 Queue" /f
  2⤵
  PID:3676
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\\Ndi\Params\*NumRssQueues\Enum" /v 2 /t REG_SZ /d "2 Queues" /f
  2⤵
  PID:4288
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\\Ndi\Params\*ReceiveBuffers" /v ParamDesc /t REG_SZ /d "Receive Buffers" /f
  2⤵
  PID:564
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\\Ndi\Params\*ReceiveBuffers" /v default /t REG_SZ /d 256 /f
  2⤵
  PID:1060
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\\Ndi\Params\*ReceiveBuffers" /v min /t REG_SZ /d 32 /f
  2⤵
  PID:240
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\\Ndi\Params\*ReceiveBuffers" /v max /t REG_SZ /d 1024 /f
  2⤵
  PID:1192
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\\Ndi\Params\*ReceiveBuffers" /v step /t REG_SZ /d 8 /f
  2⤵
  PID:1488
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\\Ndi\Params\*ReceiveBuffers" /v Base /t REG_SZ /d 10 /f
  2⤵
  PID:3524
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\\Ndi\Params\*ReceiveBuffers" /v type /t REG_SZ /d int /f
  2⤵
  PID:2772
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\\Ndi\Params\*TransmitBuffers" /v ParamDesc /t REG_SZ /d "Transmit Buffers" /f
  2⤵
  PID:1020
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\\Ndi\Params\*TransmitBuffers" /v default /t REG_SZ /d 512 /f
  2⤵
  PID:412
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\\Ndi\Params\*TransmitBuffers" /v min /t REG_SZ /d 32 /f
  2⤵
  PID:4672
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\\Ndi\Params\*TransmitBuffers" /v max /t REG_SZ /d 1024 /f
  2⤵
  PID:1248
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\\Ndi\Params\*TransmitBuffers" /v step /t REG_SZ /d 8 /f
  2⤵
  PID:404
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\\Ndi\Params\*TransmitBuffers" /v Base /t REG_SZ /d 10 /f
  2⤵
  PID:3756
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\\Ndi\Params\*TransmitBuffers" /v type /t REG_SZ /d int /f
  2⤵
  PID:1872
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\" /v "*RSSProfile" /t REG_SZ /d 3 /f
  2⤵
  PID:60
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\\Ndi\Params\*RSSProfile" /v ParamDesc /t REG_SZ /d "RSS load balancing profile" /f
  2⤵
  PID:1836
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\\Ndi\Params\*RSSProfile" /v default /t REG_SZ /d 1 /f
  2⤵
  PID:1860
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\\Ndi\Params\*RSSProfile" /v type /t REG_SZ /d enum /f
  2⤵
  PID:1180
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\\Ndi\Params\*RSSProfile\Enum" /v 1 /t REG_SZ /d ClosestProcessor /f
  2⤵
  PID:1716
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\\Ndi\Params\*RSSProfile\Enum" /v 2 /t REG_SZ /d ClosestProcessorStatic /f
  2⤵
  PID:64
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\\Ndi\Params\*RSSProfile\Enum" /v 3 /t REG_SZ /d NUMAScaling /f
  2⤵
  PID:4228
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\\Ndi\Params\*RSSProfile\Enum" /v 4 /t REG_SZ /d NUMAScalingStatic /f
  2⤵
  PID:1256
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\\Ndi\Params\*RSSProfile\Enum" /v 5 /t REG_SZ /d ConservativeScaling /f
  2⤵
  PID:2616
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NDIS\Parameters" /v ProcessorAffinityMask /t REG_DWORD /d 55 /f
  2⤵
  PID:1592
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NDIS\Parameters" /v RssBaseCpu /t REG_DWORD /d 1 /f
  2⤵
  PID:3996
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NDIS\Parameters" /v smpAffinitized /t REG_DWORD /d 1 /f
  2⤵
  PID:4204
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NDIS\Parameters" /v smpProcessorAffinityMask /t REG_DWORD /d 55 /f
  2⤵
  PID:3876
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NDIS\Parameters" /v smpProcessorAffinityMask2 /t REG_DWORD /d 55 /f
  2⤵
  PID:4400
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NDIS\Parameters" /v ThreadPoolUseIdealCpu /t REG_DWORD /d 0 /f
  2⤵
  PID:4648
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v NoNetCrawling /t REG_DWORD /d 1 /f
  2⤵
  PID:3988
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic cpu get NumberOfCores /value
  2⤵
  PID:2360
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get NumberOfCores /value
    3⤵
    PID:4156
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NDIS\Parameters" /v MaxNumRssCpus /t REG_DWORD /d 2 /f
  2⤵
  PID:2680
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic cpu get NumberOfLogicalProcessors /value
  2⤵
  PID:1052
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get NumberOfLogicalProcessors /value
    3⤵
    PID:4628
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NDIS\Parameters" /v MaxNumRssThreads /t REG_DWORD /d 2 /f
  2⤵
  PID:544
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic cpu get NumberOfCores /value
  2⤵
  PID:3180
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get NumberOfCores /value
    3⤵
    PID:1556
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameterss" /v MaxNumRssCpus /t REG_DWORD /d 2 /f
  2⤵
  PID:2600
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic cpu get NumberOfLogicalProcessors /value
  2⤵
  PID:3068
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get NumberOfLogicalProcessors /value
    3⤵
    PID:2112
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters" /v MaxNumRssThreads /t REG_DWORD /d 2 /f
  2⤵
  PID:4572
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AFD\Parameters" /v DynamicSendBufferDisable /t REG_DWORD /d 0 /f
  2⤵
  PID:2960
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AFD\Parameters" /v IgnorePushBitOnReceives /t REG_DWORD /d 1 /f
  2⤵
  PID:1416
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AFD\Parameters" /v NonBlockingSendSpecialBuffering /t REG_DWORD /d 1 /f
  2⤵
  PID:4568
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AFD\Parameters" /v DisableRawSecurity /t REG_DWORD /d 1 /f
  2⤵
  PID:1688
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AFD\Parameters" /v DefaultReceiveWindow /t REG_DWORD /d 4000 /f
  2⤵
  PID:4680
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AFD\Parameters" /v DefaultSendWindow /t REG_DWORD /d 4000 /f
  2⤵
  PID:2588
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AFD\Parameters" /v EnableDynamicBacklog /t REG_DWORD /d 1 /f
  2⤵
  PID:2216
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AFD\Parameters" /v MinimumDynamicBacklog /t REG_DWORD /d 20 /f
  2⤵
  PID:3312
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AFD\Parameters" /v MaximumDynamicBacklog /t REG_DWORD /d 20000 /f
  2⤵
  PID:4744
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AFD\Parameters" /v DynamicBacklogGrowthDelta /t REG_DWORD /d 10 /f
  2⤵
  PID:4960
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AFD\Parameters" /v PriorityBoost /t REG_DWORD /d 8 /f
  2⤵
  PID:2168
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AFD\Parameters" /v IRPStackSize /t REG_DWORD /d 50 /f
  2⤵
  PID:1108
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AFD\Parameters" /v LargeBufferSize /t REG_DWORD /d 32768 /f
  2⤵
  PID:3868
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AFD\Parameters" /v MediumBufferSize /t REG_DWORD /d 12032 /f
  2⤵
  PID:4872
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AFD\Parameters" /v SmallBufferSize /t REG_DWORD /d 1024 /f
  2⤵
  PID:3124
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AFD\Parameters" /v TransmitWorker /t REG_DWORD /d 32 /f
  2⤵
  PID:1972
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AFD\Parameters" /v MaxFastTransmit /t REG_DWORD /d 64 /f
  2⤵
  PID:3496
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AFD\Parameters" /v MaxFastCopyTransmit /t REG_DWORD /d 128 /f
  2⤵
  PID:796
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AFD\Parameters" /v DisableAddressSharing /t REG_DWORD /d 1 /f
  2⤵
  PID:3116
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AFD\Parameters" /v StandardAddressLength /t REG_DWORD /d 1024 /f
  2⤵
  PID:2876
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AFD\Parameters" /v transmitIoLength /t REG_DWORD /d 4294967295 /f
  2⤵
  PID:1220
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AFD\Parameters" /v DoNotHoldNicBuffers /t REG_DWORD /d 1 /f
  2⤵
  PID:400
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AFD\Parameters" /v FastSendDatagramThreshold /t REG_DWORD /d 1400 /f
  2⤵
  PID:4664
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AFD\Parameters" /v FastCopyReceiveThreshold /t REG_DWORD /d 1400 /f
  2⤵
  PID:5040
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG QUERY "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\NetBT\Parameters\Interfaces" /s /f "NetbiosOptions"| findstr "HKEY"
  2⤵
  PID:2540
- - C:\Windows\system32\reg.exe
    REG QUERY "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\NetBT\Parameters\Interfaces" /s /f "NetbiosOptions"
    3⤵
    PID:2304
- - C:\Windows\system32\findstr.exe
    findstr "HKEY"
    3⤵
    PID:2208
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\NetBT\Parameters\Interfaces\Tcpip_{26199a05-54a8-4f9e-a5eb-d5afdd54c21d}" /v NetbiosOptions /t REG_DWORD /d 2 /f
  2⤵
  PID:2456
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\NetBT\Parameters\Interfaces\Tcpip_{ad6fd847-81d5-4bca-bb46-a1a26a5245cd}" /v NetbiosOptions /t REG_DWORD /d 2 /f
  2⤵
  PID:3340
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad" /v WpadOverride /t REG_DWORD /d 1 /f
  2⤵
  PID:4040
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters" /v DisableParallelAandAAAA /t REG_DWORD /d 1 /f
  2⤵
  PID:1552
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient" /v DisableSmartNameResolution /t REG_DWORD /d 1 /f
  2⤵
  PID:3408
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\wcmsvc\wifinetworkmanager\config" /v AutoConnectAllowedOEM /t REG_DWORD /d 0 /f
  2⤵
  PID:4108
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\wcmsvc\wifinetworkmanager" /v WifiSenseCredShared /t REG_DWORD /d 0 /f
  2⤵
  PID:640
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\wcmsvc\wifinetworkmanager" /v WifiSenseOpen /t REG_DWORD /d 0 /f
  2⤵
  PID:4816
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WlanSvc\AnqpCache" /v OsuRegistrationStatus /t REG_DWORD /d 0 /f
  2⤵
  PID:1796
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG QUERY "HKLM\SYSTEM\CurrentControlSet\Control\Class" /v "*WakeOnMagicPacket" /s | findstr "HKEY"
  2⤵
  PID:4060
- - C:\Windows\system32\reg.exe
    REG QUERY "HKLM\SYSTEM\CurrentControlSet\Control\Class" /v "*WakeOnMagicPacket" /s
    3⤵
    PID:696
- - C:\Windows\system32\findstr.exe
    findstr "HKEY"
    3⤵
    PID:3948
- C:\Windows\system32\PING.EXE
  ping www.google.com
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:3096
- C:\Windows\system32\reg.exe
  Reg.exe add "HKCU\CONSOLE" /v "VirtualTerminalLevel" /t REG_DWORD /d "1" /f
  2⤵
  PID:3740
- C:\Windows\system32\chcp.com
  chcp 65001
  2⤵
  PID:4208
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Audio" /v Affinity /t REG_DWORD /d 0 /f
  2⤵
  PID:1432
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Audio" /v BackgroundPriority /t REG_DWORD /d 8 /f
  2⤵
  PID:4124
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Audio" /v "Background Only" /t REG_SZ /d True /f
  2⤵
  PID:2432
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Audio" /v "Clock Rate" /t REG_DWORD /d 10000 /f
  2⤵
  PID:2476
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Audio" /v "GPU Priority" /t REG_DWORD /d 31 /f
  2⤵
  PID:2492
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Audio" /v Priority /t REG_DWORD /d 8 /f
  2⤵
  PID:2148
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Audio" /v "Scheduling Category" /t REG_SZ /d High /f
  2⤵
  PID:4256
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Audio" /v "SFIO Priority" /t REG_SZ /d High /f
  2⤵
  PID:2840
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Audio" /v "Latency Sensitive" /t REG_SZ /d True /f
  2⤵
  PID:4020
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Pro Audio" /v Affinity /t REG_DWORD /d 0 /f
  2⤵
  PID:2584
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Pro Audio" /v BackgroundPriority /t REG_DWORD /d 8 /f
  2⤵
  PID:3676
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Pro Audio" /v "Background Only" /t REG_SZ /d True /f
  2⤵
  PID:4288
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Pro Audio" /v "Clock Rate" /t REG_DWORD /d 10000 /f
  2⤵
  PID:564
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Pro Audio" /v "GPU Priority" /t REG_DWORD /d 31 /f
  2⤵
  PID:1060
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Pro Audio" /v Priority /t REG_DWORD /d 8 /f
  2⤵
  PID:240
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Pro Audio" /v "Scheduling Category" /t REG_SZ /d High /f
  2⤵
  PID:1192
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Pro Audio" /v "SFIO Priority" /t REG_SZ /d High /f
  2⤵
  PID:1488
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Pro Audio" /v "Latency Sensitive" /t REG_SZ /d True /f
  2⤵
  PID:3524
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\BackgroundModel\BackgroundAudioPolicy" /v AllowHeadlessExecution /t REG_DWORD /d 1 /f
  2⤵
  PID:2772
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\BackgroundModel\BackgroundAudioPolicy" /v AllowMultipleBackgroundTasks /t REG_DWORD /d 1 /f
  2⤵
  PID:1020
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\BackgroundModel\BackgroundAudioPolicy" /v InactivityTimeoutMs /t REG_DWORD /d FFFFFFFF /f
  2⤵
  PID:412
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Multimedia\Audio" /v UserDuckingPreference /t REG_DWORD /d 3 /f
  2⤵
  PID:4672
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG QUERY "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\MMDevices\Audio\Capture"
  2⤵
  PID:1248
- - C:\Windows\system32\reg.exe
    REG QUERY "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\MMDevices\Audio\Capture"
    3⤵
    PID:404
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\MMDevices\Audio\Capture\{7ffc4522-9d8f-45bb-9d4a-589a9b0d86a3}\Properties" /v "{b3f8fa53-0004-438e-9003-51a46e139bfc},3" /t REG_DWORD /d 0 /f
  2⤵
  PID:3756
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\MMDevices\Audio\Capture\{7ffc4522-9d8f-45bb-9d4a-589a9b0d86a3}\Properties" /v "{b3f8fa53-0004-438e-9003-51a46e139bfc},4" /t REG_DWORD /d 0 /f
  2⤵
  PID:1872
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG QUERY "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\MMDevices\Audio\Render"
  2⤵
  PID:60
- - C:\Windows\system32\reg.exe
    REG QUERY "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\MMDevices\Audio\Render"
    3⤵
    PID:1836
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\MMDevices\Audio\Render\{a68b07f6-3361-44cf-8a65-afe286e5c12b}\Properties" /v "{b3f8fa53-0004-438e-9003-51a46e139bfc},3" /t REG_DWORD /d 0 /f
  2⤵
  PID:1860
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\MMDevices\Audio\Render\{a68b07f6-3361-44cf-8a65-afe286e5c12b}\Properties" /v "{b3f8fa53-0004-438e-9003-51a46e139bfc},4" /t REG_DWORD /d 0 /f
  2⤵
  PID:1180
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c powershell -noprofile -c "Get-CimInstance -ClassName Win32_PnPEntity | where-object {$_.PNPClass -match 'Display'} | ForEach-Object { ($_ | Invoke-CimMethod -MethodName GetDeviceProperties).deviceProperties.where({$_.KeyName -EQ 'DEVPKEY_Device_Driver'}).data }"
  2⤵
  PID:1716
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -noprofile -c "Get-CimInstance -ClassName Win32_PnPEntity | where-object {$_.PNPClass -match 'Display'} | ForEach-Object { ($_ | Invoke-CimMethod -MethodName GetDeviceProperties).deviceProperties.where({$_.KeyName -EQ 'DEVPKEY_Device_Driver'}).data }"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:64
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\DisplayPostProcessing" /v Affinity /t REG_DWORD /d 0 /f
  2⤵
  PID:4648
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\DisplayPostProcessing" /v "Background Only" /t REG_SZ /d True /f
  2⤵
  PID:3988
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\DisplayPostProcessing" /v BackgroundPriority /t REG_DWORD /d 18 /f
  2⤵
  PID:2088
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\DisplayPostProcessing" /v "Clock Rate" /t REG_DWORD /d 10000 /f
  2⤵
  PID:2796
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\DisplayPostProcessing" /v "GPU Priority" /t REG_DWORD /d 12 /f
  2⤵
  PID:4080
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\DisplayPostProcessing" /v Priority /t REG_DWORD /d 8 /f
  2⤵
  PID:2444
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\DisplayPostProcessing" /v "Scheduling Category" /t REG_SZ /d High /f
  2⤵
  PID:2080
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\DisplayPostProcessing" /v "SFIO Priority" /t REG_SZ /d High /f
  2⤵
  PID:4708
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\DisplayPostProcessing" /v "Latency Sensitive" /t REG_SZ /d True /f
  2⤵
  PID:4584
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Games" /v Affinity /t REG_DWORD /d 0 /f
  2⤵
  PID:3828
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Games" /v "Background Only" /t REG_SZ /d False /f
  2⤵
  PID:4528
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Games" /v "Clock Rate" /t REG_DWORD /d 10000 /f
  2⤵
  PID:4756
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Games" /v "GPU Priority" /t REG_DWORD /d 12 /f
  2⤵
  PID:3180
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Games" /v Priority /t REG_DWORD /d 6 /f
  2⤵
  PID:2600
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Games" /v "Scheduling Category" /t REG_SZ /d High /f
  2⤵
  PID:676
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Games" /v "SFIO Priority" /t REG_SZ /d High /f
  2⤵
  PID:688
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Games" /v "Latency Sensitive" /t REG_SZ /d True /f
  2⤵
  PID:4360
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Low Latency" /v Affinity /t REG_DWORD /d 0 /f
  2⤵
  PID:5000
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Low Latency" /v "Background Only" /t REG_SZ /d False /f
  2⤵
  PID:392
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Low Latency" /v "Clock Rate" /t REG_DWORD /d 10000 /f
  2⤵
  PID:1340
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Low Latency" /v "GPU Priority" /t REG_DWORD /d 12 /f
  2⤵
  PID:4056
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Low Latency" /v Priority /t REG_DWORD /d 1 /f
  2⤵
  PID:3520
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Low Latency" /v "Scheduling Category" /t REG_SZ /d High /f
  2⤵
  PID:4760
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Low Latency" /v "SFIO Priority" /t REG_SZ /d High /f
  2⤵
  PID:1252
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Low Latency" /v "Latency Sensitive" /t REG_SZ /d True /f
  2⤵
  PID:4576
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\NVIDIA Corporation\NvTray" /v StartOnLogin /t REG_DWORD /d 0 /f
  2⤵
  PID:2252
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_CURRENT_USER\Software\NVIDIA Corporation\Global\NVTweak" /v Gestalt /t REG_DWORD /d 2 /f
  2⤵
  PID:3836
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_CURRENT_USER\Software\NVIDIA Corporation\Global\NVTweak" /v DisplayPowerSaving /t REG_DWORD /d 0 /f
  2⤵
  PID:3792
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000" /v RMHdcpKeyglobZero /t "REG_DWORD" /d 1 /f
  2⤵
  PID:1012
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Direct3D" /v DisableVidMemVBs /t REG_DWORD /d 0 /f
  2⤵
  PID:4516
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Direct3D\Drivers" /v SoftwareOnly /t REG_DWORD /d 0 /f
  2⤵
  PID:1104
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Direct3D\ReferenceDevice" /v AllowAsync /t REG_DWORD /d 1 /f
  2⤵
  PID:328
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\DirectDraw" /v EmulationOnly /t REG_DWORD /d 0 /f
  2⤵
  PID:4880
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Avalon.Graphics" /v DisableHWAcceleration /t REG_DWORD /d 1 /f
  2⤵
  PID:704
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\GraphicsDrivers" /v HwSchMode /t REG_DWORD /d 2 /f
  2⤵
  PID:1824
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\nvlddmkm" /v DisableWriteCombining /t REG_DWORD /d 1 /f
  2⤵
  PID:1272
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\nvlddmkm\FTS" /v EnableRID73779 /t REG_DWORD /d 1 /f
  2⤵
  PID:2044
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\nvlddmkm\FTS" /v EnableRID73780 /t REG_DWORD /d 1 /f
  2⤵
  PID:2232
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\nvlddmkm\FTS" /v EnableRID74361 /t REG_DWORD /d 1 /f
  2⤵
  PID:5024
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\nvlddmkm\Global\NVTweak" /v DisplayPowerSaving /t REG_DWORD /d 0 /f
  2⤵
  PID:952
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\nvlddmkm\FTS" /v EnableGR535 /t REG_DWORD /d 0 /f
  2⤵
  PID:4780
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\nvlddmkm\FTS" /v EnableRID61684 /t REG_DWORD /d 1 /f
  2⤵
  PID:3492
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\Scheduler" /v VsyncIdleTimeout /t REG_DWORD /d 0 /f
  2⤵
  PID:4132
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\Scheduler" /v EnablePreemption /t REG_DWORD /d 0 /f
  2⤵
  PID:2528
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\Scheduler" /v ForceFlipTrueImmediateMode /t REG_DWORD /d 1 /f
  2⤵
  PID:2540
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\GraphicsDrivers" /v DpiMapIommuContiguous /t REG_DWORD /d 1 /f
  2⤵
  PID:2456
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\GraphicsDrivers" /v TdrLevel /t REG_DWORD /d 0 /f
  2⤵
  PID:3340
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\GraphicsDrivers" /v TdrDelay /t REG_DWORD /d 0 /f
  2⤵
  PID:4688
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\GraphicsDrivers" /v TdrDebugMode /t REG_DWORD /d 0 /f
  2⤵
  PID:332
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\GraphicsDrivers" /v TdrDdiDelay /t REG_DWORD /d 0 /f
  2⤵
  PID:1184
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\GraphicsDrivers" /v TdrDodPresentDelay /t REG_DWORD /d 0 /f
  2⤵
  PID:1116
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\GraphicsDrivers" /v TdrDodVSyncDelay /t REG_DWORD /d 0 /f
  2⤵
  PID:820
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\GraphicsDrivers" /v TdrLimitCount /t REG_DWORD /d 0 /f
  2⤵
  PID:1264
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\GraphicsDrivers" /v TdrLimitTime /t REG_DWORD /d 0 /f
  2⤵
  PID:1748
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\GraphicsDrivers" /v UseGpuTimer /t REG_DWORD /d 1 /f
  2⤵
  PID:2504
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\GraphicsDrivers" /v RmGpsPsEnablePerCpuCoreDpc /t REG_DWORD /d 1 /f
  2⤵
  PID:2140
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\GraphicsDrivers" /v PowerSavingTweaks /t REG_DWORD /d 0 /f
  2⤵
  PID:1516
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\GraphicsDrivers" /v DisableWriteCombining /t REG_DWORD /d 1 /f
  2⤵
  PID:4496
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\GraphicsDrivers" /v EnableRuntimePowerManagement /t REG_DWORD /d 0 /f
  2⤵
  PID:460
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\GraphicsDrivers" /v PrimaryPushBufferSize /t REG_DWORD /d 1 /f
  2⤵
  PID:5088
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\GraphicsDrivers" /v F1TransitionLatency /t REG_DWORD /d 1 /f
  2⤵
  PID:4952
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\GraphicsDrivers" /v D3PCLatency /t REG_DWORD /d 0 /f
  2⤵
  PID:4848
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\GraphicsDrivers" /v RMDeepL1EntryLatencyUsec /t REG_DWORD /d 1 /f
  2⤵
  PID:2452
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\GraphicsDrivers" /v PciLatencyTimerControl /t REG_DWORD /d 20 /f
  2⤵
  PID:1792
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\GraphicsDrivers" /v Node3DLowLatency /t REG_DWORD /d 1 /f
  2⤵
  PID:3368
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\GraphicsDrivers" /v LOWLATENCY /t REG_DWORD /d 1 /f
  2⤵
  PID:4188
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\GraphicsDrivers" /v RmDisableRegistryCaching /t REG_DWORD /d 1 /f
  2⤵
  PID:4712
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\GraphicsDrivers" /v RMDisablePostL2Compression /t REG_DWORD /d 1 /f
  2⤵
  PID:2264
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\GraphicsDrivers" /v AdaptiveVsyncEnable /t REG_DWORD /d 0 /f
  2⤵
  PID:2468
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\GraphicsDrivers" /v AllowDeepCStates /t REG_DWORD /d 0 /f
  2⤵
  PID:3984
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\GraphicsDrivers" /v BuffersInFlight /t REG_DWORD /d 4096 /f
  2⤵
  PID:4332
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\GraphicsDrivers" /v ComputePreemption /t REG_DWORD /d 0 /f
  2⤵
  PID:1064
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\GraphicsDrivers" /v ComputePreemptionLevel /t REG_DWORD /d 0 /f
  2⤵
  PID:2420
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\GraphicsDrivers" /v Disable_OverlayDSQualityEnhancement /t REG_DWORD /d 1 /f
  2⤵
  PID:1068
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\GraphicsDrivers" /v DisableAsyncPstates /t REG_DWORD /d 1 /f
  2⤵
  PID:2844
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\GraphicsDrivers" /v DisableCudaContextPreemption /t REG_DWORD /d 1 /f
  2⤵
  PID:2840
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\GraphicsDrivers" /v DisableDynamicPstate /t REG_DWORD /d 1 /f
  2⤵
  PID:4492
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\GraphicsDrivers" /v DisableGDIAcceleration /t REG_DWORD /d 0 /f
  2⤵
  PID:1788
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\GraphicsDrivers" /v DisableKmRender /t REG_DWORD /d 0 /f
  2⤵
  PID:3536
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\GraphicsDrivers" /v DisableKmRenderBoost /t REG_DWORD /d 0 /f
  2⤵
  PID:1844
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\GraphicsDrivers" /v DisableOverclockedPstates /t REG_DWORD /d 1 /f
  2⤵
  PID:564
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\GraphicsDrivers" /v DisablePFonDP /t REG_DWORD /d 1 /f
  2⤵
  PID:1060
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\GraphicsDrivers" /v DisablePreemption /t REG_DWORD /d 1 /f
  2⤵
  PID:3136
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\GraphicsDrivers" /v DisablePreemptionOnS3S4 /t REG_DWORD /d 1 /f
  2⤵
  PID:1900
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\GraphicsDrivers" /v EnableAggressivePStateBoost /t REG_DWORD /d 1 /f
  2⤵
  PID:1292
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\GraphicsDrivers" /v EnableAggressivePStateOnly /t REG_DWORD /d 1 /f
  2⤵
  PID:4308
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\GraphicsDrivers" /v EnableAsyncMidBufferPreemption /t REG_DWORD /d 0 /f
  2⤵
  PID:2280
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\GraphicsDrivers" /v EnableCEPreemption /t REG_DWORD /d 0 /f
  2⤵
  PID:2176
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\GraphicsDrivers" /v EnableDirectFlip /t REG_DWORD /d 1 /f
  2⤵
  PID:3720
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\GraphicsDrivers" /v EnableIndependentFlip /t REG_DWORD /d 1 /f
  2⤵
  PID:4580
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\GraphicsDrivers" /v EnableMidBufferPreemption /t REG_DWORD /d 0 /f
  2⤵
  PID:3400
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\GraphicsDrivers" /v EnableMidBufferPreemptionForHighTdrTimeout /t REG_DWORD /d 0 /f
  2⤵
  PID:1908
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\GraphicsDrivers" /v EnableMidGfxPreemption /t REG_DWORD /d 0 /f
  2⤵
  PID:2568
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\GraphicsDrivers" /v EnableMidGfxPreemptionVGPU /t REG_DWORD /d 0 /f
  2⤵
  PID:2592
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\GraphicsDrivers" /v EnablePerformanceMode /t REG_DWORD /d 1 /f
  2⤵
  PID:472
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\GraphicsDrivers" /v EnablePreemption /t REG_DWORD /d 0 /f
  2⤵
  PID:948
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\GraphicsDrivers" /v EnableSCGMidBufferPreemption /t REG_DWORD /d 0 /f
  2⤵
  PID:3768
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\GraphicsDrivers" /v FlTransitionLatency /t REG_DWORD /d 0 /f
  2⤵
  PID:1676
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\GraphicsDrivers" /v GPUPreemptionLevel /t REG_DWORD /d 0 /f
  2⤵
  PID:4540
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\GraphicsDrivers" /v MonitorRefreshLatencyTolerance /t REG_DWORD /d 2710 /f
  2⤵
  PID:716
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\GraphicsDrivers" /v PerfAnalyzeMidBufferPreemption /t REG_DWORD /d 0 /f
  2⤵
  PID:3764
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\GraphicsDrivers" /v PreferSystemMemoryContiguous /t REG_DWORD /d 1 /f
  2⤵
  PID:3656
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\GraphicsDrivers" /v RmClkPowerOffDramPllWhenUnused /t REG_DWORD /d 0 /f
  2⤵
  PID:2616
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\GraphicsDrivers" /v RMDeepLlEntryLatencyUsec /t REG_DWORD /d 0 /f
  2⤵
  PID:1740
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\GraphicsDrivers" /v RmFbsrPagedDMA /t REG_DWORD /d 0 /f
  2⤵
  PID:3876
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\GraphicsDrivers" /v DefaultD3TransitionLatencyActivelyUsed /t REG_DWORD /d 1 /f
  2⤵
  PID:3640
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\GraphicsDrivers" /v DefaultD3TransitionLatencyIdleNoContext /t REG_DWORD /d 1 /f
  2⤵
  PID:64
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\GraphicsDrivers" /v DefaultLatencyToleranceIdle0 /t REG_DWORD /d 1 /f
  2⤵
  PID:4860
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\GraphicsDrivers" /v DefaultLatencyToleranceNoContext /t REG_DWORD /d 1 /f
  2⤵
  PID:4820
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\GraphicsDrivers" /v DefaultLatencyToleranceTimerPeriod /t REG_DWORD /d 1 /f
  2⤵
  PID:224
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\GraphicsDrivers" /v DisableOverlays /t REG_DWORD /d 1 /f
  2⤵
  PID:2360
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\GraphicsDrivers" /v EnableWDDM23Synchronization /t REG_DWORD /d 1 /f
  2⤵
  PID:2680
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\GraphicsDrivers" /v ForceDirectFlip /t REG_DWORD /d 1 /f
  2⤵
  PID:4524
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\GraphicsDrivers" /v MonitorLatencyTolerance /t REG_DWORD /d 1 /f
  2⤵
  PID:3900
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\GraphicsDrivers" /v MonitorRefreshLatencyTolerance /t REG_DWORD /d 1 /f
  2⤵
  PID:1052
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\GraphicsDrivers" /v UnsupportedMonitorModesAllowed /t REG_DWORD /d 1 /f
  2⤵
  PID:544
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\GraphicsDrivers" /v UseXPModel /t REG_DWORD /d 0 /f
  2⤵
  PID:1328
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\Power" /v DefaultD3TransitionLatencyActivelyUsed /t REG_DWORD /d 1 /f
  2⤵
  PID:4368
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\Power" /v DefaultD3TransitionLatencyIdleLongTime /t REG_DWORD /d 1 /f
  2⤵
  PID:1556
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\Power" /v DefaultD3TransitionLatencyIdleMonitorOff /t REG_DWORD /d 1 /f
  2⤵
  PID:232
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\Power" /v DefaultD3TransitionLatencyIdleShortTime /t REG_DWORD /d 1 /f
  2⤵
  PID:4600
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\Power" /v DefaultD3TransitionLatencyIdleVeryLongTime /t REG_DWORD /d 1 /f
  2⤵
  PID:972
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\Power" /v DefaultD3TransitionLatencyIdleNoContext /t REG_DWORD /d 1 /f
  2⤵
  PID:2112
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\Power" /v DefaultLatencyToleranceIdle0 /t REG_DWORD /d 1 /f
  2⤵
  PID:2764
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\Power" /v DefaultLatencyToleranceIdle0MonitorOff /t REG_DWORD /d 1 /f
  2⤵
  PID:3924
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\Power" /v DefaultLatencyToleranceIdle1 /t REG_DWORD /d 1 /f
  2⤵
  PID:2400
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\Power" /v DefaultLatencyToleranceIdle1MonitorOff /t REG_DWORD /d 1 /f
  2⤵
  PID:5076
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\Power" /v DefaultLatencyToleranceMemory /t REG_DWORD /d 1 /f
  2⤵
  PID:4720
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\Power" /v DefaultLatencyToleranceNoContext /t REG_DWORD /d 1 /f
  2⤵
  PID:3440
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\Power" /v DefaultLatencyToleranceNoContextMonitorOff /t REG_DWORD /d 1 /f
  2⤵
  PID:2152
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\Power" /v DefaultLatencyToleranceMemoryNoContext /t REG_DWORD /d 1 /f
  2⤵
  PID:2156
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\Power" /v DefaultLatencyToleranceOther /t REG_DWORD /d 1 /f
  2⤵
  PID:4668
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\Power" /v DefaultLatencyToleranceTimerPeriod /t REG_DWORD /d 1 /f
  2⤵
  PID:1148
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\Power" /v DefaultMemoryRefreshLatencyToleranceActivelyUsed /t REG_DWORD /d 1 /f
  2⤵
  PID:3424
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\Power" /v DefaultMemoryRefreshLatencyToleranceMonitorOff /t REG_DWORD /d 1 /f
  2⤵
  PID:4692
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\Power" /v DefaultMemoryRefreshLatencyToleranceNoContext /t REG_DWORD /d 1 /f
  2⤵
  PID:1960
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\Power" /v Latency /t REG_DWORD /d 1 /f
  2⤵
  PID:2084
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\Power" /v MaxIAverageGraphicsLatencyInOneBucket /t REG_DWORD /d 1 /f
  2⤵
  PID:4564
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\Power" /v MiracastPerfTrackGraphicsLatency /t REG_DWORD /d 1 /f
  2⤵
  PID:4384
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\Power" /v MonitorLatencyTolerance /t REG_DWORD /d 1 /f
  2⤵
  PID:964
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\Power" /v MonitorRefreshLatencyTolerance /t REG_DWORD /d 1 /f
  2⤵
  PID:2000
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\Power" /v TransitionLatency /t REG_DWORD /d 1 /f
  2⤵
  PID:4976
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\Power" /v UseGpuTimer /t REG_DWORD /d 1 /f
  2⤵
  PID:1940
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\Power" /v RmGpsPsEnablePerCpuCoreDpc /t REG_DWORD /d 1 /f
  2⤵
  PID:1752
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\Power" /v PowerSavingTweaks /t REG_DWORD /d 0 /f
  2⤵
  PID:4356
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\Power" /v DisableWriteCombining /t REG_DWORD /d 1 /f
  2⤵
  PID:1196
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\Power" /v EnableRuntimePowerManagement /t REG_DWORD /d 0 /f
  2⤵
  PID:3724
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\Power" /v PrimaryPushBufferSize /t REG_DWORD /d 1 /f
  2⤵
  PID:2104
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\Power" /v F1TransitionLatency /t REG_DWORD /d 1 /f
  2⤵
  PID:3688
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\Power" /v FlTransitionLatency /t REG_DWORD /d 0 /f
  2⤵
  PID:3776
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\Power" /v D3PCLatency /t REG_DWORD /d 0 /f
  2⤵
  PID:2948
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\Power" /v RMDeepLlEntryLatencyUsec /t REG_DWORD /d 1 /f
  2⤵
  PID:4052
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\Power" /v RMDeepL1EntryLatencyUsec /t REG_DWORD /d 1 /f
  2⤵
  PID:3108
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\Power" /v PciLatencyTimerControl /t REG_DWORD /d 20 /f
  2⤵
  PID:4824
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\Power" /v Node3DLowLatency /t REG_DWORD /d 1 /f
  2⤵
  PID:3796
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\Power" /v LOWLATENCY /t REG_DWORD /d 1 /f
  2⤵
  PID:1236
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\Power" /v RmDisableRegistryCaching /t REG_DWORD /d 1 /f
  2⤵
  PID:2132
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\Power" /v RMDisablePostL2Compression /t REG_DWORD /d 1 /f
  2⤵
  PID:1496
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000" /v PreferSystemMemoryContiguous /t REG_DWORD /d 1 /f
  2⤵
  PID:4156
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000" /v D3PCLatency /t REG_DWORD /d 1 /f
  2⤵
  PID:4816
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000" /v F1TransitionLatency /t REG_DWORD /d 1 /f
  2⤵
  PID:2880
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000" /v LOWLATENCY /t REG_DWORD /d 1 /f
  2⤵
  PID:696
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000" /v Node3DLowLatency /t REG_DWORD /d 1 /f
  2⤵
  PID:3948
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000" /v PciLatencyTimerControl /t REG_BINARY /d 20 /f
  2⤵
  PID:4060
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000" /v RMDeepL1EntryLatencyUsec /t REG_DWORD /d 1 /f
  2⤵
  PID:4412
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000" /v RmGspcMaxFtuS /t REG_DWORD /d 1 /f
  2⤵
  PID:5064
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000" /v RmGspcMinFtuS /t REG_DWORD /d 1 /f
  2⤵
  PID:4616
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000" /v RmGspcPerioduS /t REG_DWORD /d 1 /f
  2⤵
  PID:4136
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000" /v RMLpwrEiIdleThresholdUs /t REG_DWORD /d 1 /f
  2⤵
  PID:5096
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000" /v RMLpwrGrIdleThresholdUs /t REG_DWORD /d 1 /f
  2⤵
  PID:644
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000" /v RMLpwrGrRgIdleThresholdUs /t REG_DWORD /d 1 /f
  2⤵
  PID:4200
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000" /v RMLpwrMsIdleThresholdUs /t REG_DWORD /d 1 /f
  2⤵
  PID:4684
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000" /v VRDirectFlipDPCDelayUs /t REG_DWORD /d 1 /f
  2⤵
  PID:2192
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000" /v VRDirectFlipTimingMarginUs /t REG_DWORD /d 1 /f
  2⤵
  PID:3968
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000" /v VRDirectJITFlipMsHybridFlipDelayUs /t REG_DWORD /d 1 /f
  2⤵
  PID:2384
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000" /v vrrCursorMarginUs /t REG_DWORD /d 1 /f
  2⤵
  PID:2480
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000" /v vrrDeflickerMarginUs /t REG_DWORD /d 1 /f
  2⤵
  PID:2200
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000" /v vrrDeflickerMaxUs /t REG_DWORD /d 1 /f
  2⤵
  PID:2408
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000" /v NoFastLinkTrainingForeDP /t REG_DWORD /d 0 /f
  2⤵
  PID:1120
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000" /v DisablePFonDP /t REG_DWORD /d 1 /f
  2⤵
  PID:2908
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000" /v AdaptiveVsyncEnable /t REG_DWORD /d 0 /f
  2⤵
  PID:2856
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000" /v AllowDeepCStates /t REG_DWORD /d 0 /f
  2⤵
  PID:1832
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000" /v BuffersInFlight /t REG_DWORD /d 4096 /f
  2⤵
  PID:4348
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000" /v ComputePreemption /t REG_DWORD /d 0 /f
  2⤵
  PID:2860
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000" /v ComputePreemptionLevel /t REG_DWORD /d 0 /f
  2⤵
  PID:4996
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000" /v DisableAcpPowerGating /t REG_DWORD /d 1 /f
  2⤵
  PID:2260
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000" /v DisableAllClockGating /t REG_DWORD /d 1 /f
  2⤵
  PID:3716
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000" /v DisableAsyncPstates /t REG_DWORD /d 1 /f
  2⤵
  PID:4980
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000" /v DisableBlockWrite /t REG_DWORD /d 0 /f
  2⤵
  PID:4288
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000" /v DisableCpPowerGating /t REG_DWORD /d 1 /f
  2⤵
  PID:240
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000" /v DisableCudaContextPreemption /t REG_DWORD /d 1 /f
  2⤵
  PID:1192
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000" /v DisableDMACopy /t REG_DWORD /d 1 /f
  2⤵
  PID:1488
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000" /v DisableDrmdmaPowerGating /t REG_DWORD /d 1 /f
  2⤵
  PID:3524
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000" /v DisableDynamicPstate /t REG_DWORD /d 1 /f
  2⤵
  PID:2772
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000" /v DisableGDIAcceleration /t REG_DWORD /d 0 /f
  2⤵
  PID:3396
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000" /v DisableGDSPowerGating /t REG_DWORD /d 1 /f
  2⤵
  PID:412
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000" /v DisableGfxCGPowerGating /t REG_DWORD /d 1 /f
  2⤵
  PID:4672
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000" /v DisableGfxClockGating /t REG_DWORD /d 1 /f
  2⤵
  PID:4372
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000" /v DisableGFXPipelinePowerGating /t REG_DWORD /d 1 /f
  2⤵
  PID:1248
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000" /v DisableGmcPowerGating /t REG_DWORD /d 1 /f
  2⤵
  PID:3756
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000" /v DisableHdpClockPowerGating /t REG_DWORD /d 1 /f
  2⤵
  PID:1872
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000" /v DisableHdpMGClockGating /t REG_DWORD /d 1 /f
  2⤵
  PID:2872
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000" /v DisableKmRender /t REG_DWORD /d 0 /f
  2⤵
  PID:60
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000" /v DisableKmRenderBoost /t REG_DWORD /d 0 /f
  2⤵
  PID:1860
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000" /v DisableOverclockedPstates /t REG_DWORD /d 1 /f
  2⤵
  PID:1180
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000" /v DisablePowerGating /t REG_DWORD /d 1 /f
  2⤵
  PID:4840
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000" /v DisablePreemption /t REG_DWORD /d 1 /f
  2⤵
  PID:556
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000" /v DisablePreemptionOnS3S4 /t REG_DWORD /d 1 /f
  2⤵
  PID:4024
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000" /v DisableSamuClockGating /t REG_DWORD /d 1 /f
  2⤵
  PID:4228
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000" /v DisableSysClockGating /t REG_DWORD /d 1 /f
  2⤵
  PID:1956
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000" /v DisableUVDPowerGating /t REG_DWORD /d 1 /f
  2⤵
  PID:2776
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000" /v DisableVceClockGating /t REG_DWORD /d 1 /f
  2⤵
  PID:3936
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000" /v DisableWriteCombining /t REG_DWORD /d 1 /f
  2⤵
  PID:3428
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000" /v DisableXdmaPowerGating /t REG_DWORD /d 1 /f
  2⤵
  PID:4196
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000" /v DisableXdmaSclkGating /t REG_DWORD /d 1 /f
  2⤵
  PID:1136
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000" /v Disable_OverlayDSQualityEnhancement /t REG_DWORD /d 1 /f
  2⤵
  PID:4844
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000" /v DpiMapIommuContiguous /t REG_DWORD /d 1 /f
  2⤵
  PID:2664
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000" /v EnableAggressivePStateBoost /t REG_DWORD /d 1 /f
  2⤵
  PID:1704
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000" /v EnableAggressivePStateOnly /t REG_DWORD /d 1 /f
  2⤵
  PID:2092
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000" /v EnableAsyncMidBufferPreemption /t REG_DWORD /d 0 /f
  2⤵
  PID:1144
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000" /v EnableCEPreemption /t REG_DWORD /d 0 /f
  2⤵
  PID:2080
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000" /v EnableDirectFlip /t REG_DWORD /d 1 /f
  2⤵
  PID:1080
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000" /v EnableIndependentFlip /t REG_DWORD /d 1 /f
  2⤵
  PID:4948
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000" /v EnableMidBufferPreemption /t REG_DWORD /d 0 /f
  2⤵
  PID:2624
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000" /v EnableMidBufferPreemptionForHighTdrTimeout /t REG_DWORD /d 0 /f
  2⤵
  PID:4528
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000" /v EnableMidGfxPreemption /t REG_DWORD /d 0 /f
  2⤵
  PID:4940
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000" /v EnableMidGfxPreemptionVGPU /t REG_DWORD /d 0 /f
  2⤵
  PID:4340
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000" /v EnablePerformanceMode /t REG_DWORD /d 1 /f
  2⤵
  PID:1056
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000" /v EnablePreemption /t REG_DWORD /d 0 /f
  2⤵
  PID:676
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000" /v EnableRuntimePowerManagement /t REG_DWORD /d 0 /f
  2⤵
  PID:4864
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000" /v EnableSCGMidBufferPreemption /t REG_DWORD /d 0 /f
  2⤵
  PID:3044
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000" /v EnableUlps /t REG_DWORD /d 0 /f
  2⤵
  PID:4360
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000" /v EnableVCNPreemption /t REG_DWORD /d 0 /f
  2⤵
  PID:1544
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000" /v FlTransitionLatency /t REG_DWORD /d 0 /f
  2⤵
  PID:3060
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000" /v GPUPreemptionLevel /t REG_DWORD /d 0 /f
  2⤵
  PID:5116
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000" /v KMD_EnableComputePreemption /t REG_DWORD /d 0 /f
  2⤵
  PID:3520
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000" /v KMD_EnableGfxMidCmdPreemption /t REG_DWORD /d 0 /f
  2⤵
  PID:4644
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000" /v KMD_EnablePreemptionLogging /t REG_DWORD /d 0 /f
  2⤵
  PID:4592
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000" /v KMD_EnableSDMAPreemption /t REG_DWORD /d 0 /f
  2⤵
  PID:3312
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000" /v KMD_PreemptionLevelLimit /t REG_DWORD /d 0 /f
  2⤵
  PID:4784
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000" /v MonitorLatencyTolerance /t REG_DWORD /d 1000 /f
  2⤵
  PID:3260
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000" /v MonitorRefreshLatencyTolerance /t REG_DWORD /d 2710 /f
  2⤵
  PID:2168
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000" /v PerfAnalyzeMidBufferPreemption /t REG_DWORD /d 0 /f
  2⤵
  PID:456
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000" /v PowerSavingTweaks /t REG_DWORD /d 0 /f
  2⤵
  PID:4812
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000" /v PP_SclkDeepSleepDisable /t REG_DWORD /d 1 /f
  2⤵
  PID:756
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000" /v PP_ThermalAutoThrottlingEnable /t REG_DWORD /d 0 /f
  2⤵
  PID:2364
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000" /v PrimaryPushBufferSize /t REG_DWORD /d 1 /f
  2⤵
  PID:1404
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000" /v RmClkPowerOffDramPllWhenUnused /t REG_DWORD /d 0 /f
  2⤵
  PID:2932
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000" /v RMDeepLlEntryLatencyUsec /t REG_DWORD /d 0 /f
  2⤵
  PID:1824
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000" /v RMDisablePostL2Compression /t REG_DWORD /d 1 /f
  2⤵
  PID:5092
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000" /v RmDisableRegistryCaching /t REG_DWORD /d 1 /f
  2⤵
  PID:5084
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000" /v RmFbsrPagedDMA /t REG_DWORD /d 0 /f
  2⤵
  PID:3504
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000" /v RmGpsPsEnablePerCpuCoreDpc /t REG_DWORD /d 1 /f
  2⤵
  PID:4376
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000" /v StutterMode /t REG_DWORD /d 0 /f
  2⤵
  PID:5048
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000" /v UseGpuTimer /t REG_DWORD /d 1 /f
  2⤵
  PID:3448
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000" /v DisableOverlay /t REG_DWORD /d 1 /f
  2⤵
  PID:2060
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000" /v EnableSystemMemoryTiling /t REG_DWORD /d 0 /f
  2⤵
  PID:4772
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000" /v EnableTiledDisplay /t REG_DWORD /d 0 /f
  2⤵
  PID:4972
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000" /v ENABLE_OCA_LOGGING /t REG_DWORD /d 0 /f
  2⤵
  PID:3012
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000" /v PCIEPowerControl /t REG_DWORD /d 0 /f
  2⤵
  PID:4596
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000" /v PCIEPowerControl_8086191f50001458 /t REG_DWORD /d 0 /f
  2⤵
  PID:3856
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000" /v RMClkSlowDown /t REG_DWORD /d 0 /f
  2⤵
  PID:3652
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000" /v RMDisableGpuASPMFlags /t REG_DWORD /d 1 /f
  2⤵
  PID:1552
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000" /v RmDisableHdcp22 /t REG_DWORD /d 1 /f
  2⤵
  PID:3408
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000" /v RMEnableASPMAtLoad /t REG_DWORD /d 0 /f
  2⤵
  PID:4108
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000" /v RMEnableASPMDT /t REG_DWORD /d 0 /f
  2⤵
  PID:640
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000" /v RmMIONoPowerOff /t REG_DWORD /d 1 /f
  2⤵
  PID:3888
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000" /v RmPerfRatedTdpLimit /t REG_DWORD /d 0 /f
  2⤵
  PID:3500
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000" /v RMSkipHdcp22Init /t REG_DWORD /d 1 /f
  2⤵
  PID:3364
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000" /v RmWotHdcpEnable /t REG_DWORD /d 0 /f
  2⤵
  PID:2656
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000" /v F1TransitionLatency /t REG_DWORD /d 0 /f
  2⤵
  PID:1764
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000" /v RMDeepL1EntryLatencyUsec /t REG_DWORD /d 0 /f
  2⤵
  PID:4496
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000" /v EnableCoreSlowdown /t REG_DWORD /d 0 /f
  2⤵
  PID:4300
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000" /v EnableMClkSlowdown /t REG_DWORD /d 0 /f
  2⤵
  PID:1016
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000" /v EnableNVClkSlowdown /t REG_DWORD /d 0 /f
  2⤵
  PID:4952
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000" /v RmDisableHwFaultBuffer /t REG_DWORD /d 1 /f
  2⤵
  PID:1720
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000" /v KMD_EnableGDIAcceleration /t REG_DWORD /d 1 /f
  2⤵
  PID:4276
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000" /v PerfLevelSrc /t REG_DWORD /d 8738 /f
  2⤵
  PID:1680
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000" /v PowerMizerEnable /t REG_DWORD /d 0 /f
  2⤵
  PID:1992
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000" /v PowerMizerLevel /t REG_DWORD /d 1 /f
  2⤵
  PID:3740
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000" /v PowerMizerLevelAC /t REG_DWORD /d 1 /f
  2⤵
  PID:4208
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000" /v TCCSupported /t REG_DWORD /d 0 /f
  2⤵
  PID:4620
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000" /v LTRSnoopL1Latency /t REG_DWORD /d 1 /f
  2⤵
  PID:4520
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000" /v LTRSnoopL0Latency /t REG_DWORD /d 1 /f
  2⤵
  PID:2920
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000" /v LTRNoSnoopL1Latency /t REG_DWORD /d 1 /f
  2⤵
  PID:2412
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000" /v LTRMaxNoSnoopLatency /t REG_DWORD /d 1 /f
  2⤵
  PID:1084
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000" /v KMD_RpmComputeLatency /t REG_DWORD /d 1 /f
  2⤵
  PID:1100
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000" /v DalUrgentLatencyNs /t REG_DWORD /d 1 /f
  2⤵
  PID:2596
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000" /v memClockSwitchLatency /t REG_DWORD /d 1 /f
  2⤵
  PID:2908
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000" /v PP_RTPMComputeF1Latency /t REG_DWORD /d 1 /f
  2⤵
  PID:3296
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000" /v PP_DGBMMMaxTransitionLatencyUvd /t REG_DWORD /d 1 /f
  2⤵
  PID:1696
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000" /v PP_DGBPMMaxTransitionLatencyGfx /t REG_DWORD /d 1 /f
  2⤵
  PID:2100
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000" /v DalNBLatencyForUnderFlow /t REG_DWORD /d 1 /f
  2⤵
  PID:344
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000" /v BGM_LTRSnoopL1Latency /t REG_DWORD /d 1 /f
  2⤵
  PID:2076
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000" /v BGM_LTRSnoopL0Latency /t REG_DWORD /d 1 /f
  2⤵
  PID:188
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000" /v BGM_LTRNoSnoopL1Latency /t REG_DWORD /d 1 /f
  2⤵
  PID:1060
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000" /v BGM_LTRNoSnoopL0Latency /t REG_DWORD /d 1 /f
  2⤵
  PID:4852
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000" /v BGM_LTRMaxSnoopLatencyValue /t REG_DWORD /d 1 /f
  2⤵
  PID:4456
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000" /v BGM_LTRMaxNoSnoopLatencyValue /t REG_DWORD /d 1 /f
  2⤵
  PID:5016
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000" /v 3D_Refresh_Rate_Override_DEF /t REG_DWORD /d 0 /f
  2⤵
  PID:2888
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000" /v 3to2Pulldown_NA /t REG_DWORD /d 0 /f
  2⤵
  PID:4396
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000" /v AAF_NA /t REG_DWORD /d 0 /f
  2⤵
  PID:2852
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000" /v Adaptive De-interlacing /t REG_DWORD /d 1 /f
  2⤵
  PID:1176
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000" /v AllowRSOverlay /t REG_SZ /d "false" /f
  2⤵
  PID:3128
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000" /v AllowSkins /t REG_SZ /d "false" /f
  2⤵
  PID:404
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000" /v AllowSnapshot /t REG_DWORD /d 0 /f
  2⤵
  PID:4856
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000" /v AllowSubscription /t REG_DWORD /d 0 /f
  2⤵
  PID:3736
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000" /v AntiAlias_NA /t REG_SZ /d 0 /f
  2⤵
  PID:2712
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000" /v AreaAniso_NA /t REG_SZ /d 0 /f
  2⤵
  PID:1836
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000" /v ASTT_NA /t REG_SZ /d 0 /f
  2⤵
  PID:1736
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000" /v AutoColorDepthReduction_NA /t REG_DWORD /d 0 /f
  2⤵
  PID:2576
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000" /v DisableSAMUPowerGating /t REG_DWORD /d 1 /f
  2⤵
  PID:4808
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000" /v DisableUVDPowerGatingDynamic /t REG_DWORD /d 1 /f
  2⤵
  PID:1968
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000" /v DisableVCEPowerGating /t REG_DWORD /d 1 /f
  2⤵
  PID:2620
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000" /v EnableAspmL0s /t REG_DWORD /d 0 /f
  2⤵
  PID:3764
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000" /v EnableAspmL1 /t REG_DWORD /d 0 /f
  2⤵
  PID:912
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000" /v EnableUlps /t REG_DWORD /d 0 /f
  2⤵
  PID:4204
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000" /v EnableUlps_NA /t REG_SZ /d 0 /f
  2⤵
  PID:5108
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000" /v KMD_DeLagEnabled /t REG_DWORD /d 1 /f
  2⤵
  PID:3660
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000" /v KMD_FRTEnabled /t REG_DWORD /d 0 /f
  2⤵
  PID:3220
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000" /v DisableDMACopy /t REG_DWORD /d 1 /f
  2⤵
  PID:2108
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000" /v DisableBlockWrite /t REG_DWORD /d 0 /f
  2⤵
  PID:1420
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000" /v StutterMode /t REG_DWORD /d 0 /f
  2⤵
  PID:2736
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000" /v EnableUlps /t REG_DWORD /d 0 /f
  2⤵
  PID:1600
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000" /v PP_SclkDeepSleepDisable /t REG_DWORD /d 1 /f
  2⤵
  PID:1268
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000" /v PP_ThermalAutoThrottlingEnable /t REG_DWORD /d 0 /f
  2⤵
  PID:2800
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000" /v DisableDrmdmaPowerGating /t REG_DWORD /d 1 /f
  2⤵
  PID:2172
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000" /v KMD_EnableComputePreemption /t REG_DWORD /d 0 /f
  2⤵
  PID:4628
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000" /v KMD_EnableReBarForLegacyASIC /t REG_DWORD /d 1 /f
  2⤵
  PID:856
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000" /v KMD_RebarControlMode /t REG_DWORD /d 1 /f
  2⤵
  PID:3420
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000" /v KMD_RebarControlSupport /t REG_DWORD /d 1 /f
  2⤵
  PID:1784
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000\PowerSettings" /v ConservationIdleTime /t REG_DWORD /d 00000000 /f
  2⤵
  PID:3828
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000\PowerSettings" /v IdlePowerState /t REG_DWORD /d 00000000 /f
  2⤵
  PID:1556
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000\PowerSettings" /v PerformanceIdleTime /t REG_DWORD /d 00000000 /f
  2⤵
  PID:4676
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG QUERY "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\GraphicsDrivers" /s /f Scaling
  2⤵
  PID:4600
- - C:\Windows\system32\reg.exe
    REG QUERY "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\GraphicsDrivers" /s /f Scaling
    3⤵
    PID:4508
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\Configuration\MSBDD_RHT12340_2A_07DE_FC_1234_1111_00000000_00010000_0^6E57C9F13ED851F87291CBEB2395B57E\00\00" /v Scaling /t REG_DWORD /d 1 /f
  2⤵
  PID:3068
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\nvlddmkm" /v PerfAnalyzeMidBufferPreemption /t REG_DWORD /d 0 /f
  2⤵
  PID:5000
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\nvlddmkm" /v EnableMidBufferPreemption /t REG_DWORD /d 0 /f
  2⤵
  PID:2960
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\nvlddmkm" /v EnableAsyncMidBufferPreemption /t REG_DWORD /d 1 /f
  2⤵
  PID:1416
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\nvlddmkm" /v DisablePreemption /t REG_DWORD /d 1 /f
  2⤵
  PID:4568
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\nvlddmkm" /v DisableCudaContextPreemption /t REG_DWORD /d 1 /f
  2⤵
  PID:3472
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\nvlddmkm" /v ComputePreemption /t REG_DWORD /d 0 /f
  2⤵
  PID:4680
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\nvlddmkm" /v EnableCEPreemption /t REG_DWORD /d 0 /f
  2⤵
  PID:2588
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\nvlddmkm" /v RmGpsPsEnablePerCpuCoreDpc /t REG_DWORD /d 1 /f
  2⤵
  PID:2216
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\nvlddmkm" /v NVFBCEnable /t REG_DWORD /d 1 /f
  2⤵
  PID:4576
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\nvlddmkm" /v AllowMaxPerf /t REG_DWORD /d 1 /f
  2⤵
  PID:4744
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\nvlddmkm" /v EnableMemoryTiling /t REG_DWORD /d 0 /f
  2⤵
  PID:4960
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\nvlddmkm" /v EnableSystemMemoryTiling /t REG_DWORD /d 0 /f
  2⤵
  PID:3792
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DXGKrnl" /v MonitorLatencyTolerance /t REG_DWORD /d 1 /f
  2⤵
  PID:1108
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DXGKrnl" /v MonitorRefreshLatencyTolerance /t REG_DWORD /d 1 /f
  2⤵
  PID:2084
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_CURRENT_USER\Control Panel\Keyboard" /v KeyboardDelay /t REG_SZ /d 0 /f
  2⤵
  PID:756
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_CURRENT_USER\Control Panel\Keyboard" /v KeyboardSpeed /t REG_SZ /d 31 /f
  2⤵
  PID:2364
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_CURRENT_USER\Control Panel\Keyboard" /v InitialKeyboardIndicators /t REG_SZ /d 0 /f
  2⤵
  PID:2560
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Input\Settings\ControllerProcessor\CursorMagnetism" /v AttractionRectInsetInDIPS /t REG_DWORD /d 0 /f
  2⤵
  PID:1404
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Input\Settings\ControllerProcessor\CursorMagnetism" /v DistanceThresholdInDIPS /t REG_DWORD /d 0 /f
  2⤵
  PID:1824
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Input\Settings\ControllerProcessor\CursorMagnetism" /v MagnetismDelayInMilliseconds /t REG_DWORD /d 1 /f
  2⤵
  PID:5092
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Input\Settings\ControllerProcessor\CursorMagnetism" /v MagnetismUpdateIntervalInMilliseconds /t REG_DWORD /d 1 /f
  2⤵
  PID:5084
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Input\Settings\ControllerProcessor\CursorMagnetism" /v VelocityInDIPSPerSecond /t REG_DWORD /d 0 /f
  2⤵
  PID:3504
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mouclass\Parameters" /v MouseDataQueueSize /t REG_DWORD /d 40 /f
  2⤵
  PID:4376
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\kbdclass\Parameters" /v KeyboardDataQueueSize /t REG_DWORD /d 40 /f
  2⤵
  PID:5048
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_CURRENT_USER\Control Panel\Accessibility\Keyboard Response" /v Flags /t REG_SZ /d 27 /f
  2⤵
  PID:3448
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_CURRENT_USER\Control Panel\Accessibility\Keyboard Response" /v DelayBeforeAcceptance /t REG_SZ /d 0 /f
  2⤵
  PID:2060
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_CURRENT_USER\Control Panel\Accessibility\Keyboard Response" /v BounceTime /t REG_SZ /d 0 /f
  2⤵
  PID:4772
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_CURRENT_USER\Control Panel\Accessibility\Keyboard Response" /v "Last BounceKey Setting" /t REG_DWORD /d 0 /f
  2⤵
  PID:4972
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_CURRENT_USER\Control Panel\Accessibility\Keyboard Response" /v "Last Valid Delay" /t REG_DWORD /d 0 /f
  2⤵
  PID:3012
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_CURRENT_USER\Control Panel\Accessibility\Keyboard Response" /v "Last Valid Repeat" /t REG_DWORD /d 0 /f
  2⤵
  PID:4596
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_CURRENT_USER\Control Panel\Accessibility\Keyboard Response" /v "Last Valid Wait" /t REG_DWORD /d 0 /f
  2⤵
  PID:3856
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_CURRENT_USER\Control Panel\Accessibility\Keyboard Response" /v KeyboardDelay /t REG_DWORD /d 0 /f
  2⤵
  PID:3652
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_CURRENT_USER\Control Panel\Accessibility\Keyboard Response" /v AutoRepeatDelay /t REG_SZ /d 180 /f
  2⤵
  PID:1552
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_CURRENT_USER\Control Panel\Accessibility\Keyboard Response" /v AutoRepeatRate /t REG_SZ /d 2 /f
  2⤵
  PID:3408
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Input\Settings" /v InsightsEnabled /t REG_DWORD /d 0 /f
  2⤵
  PID:4108
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\USB" /v DisableSelectiveSuspend /t REG_DWORD /d 1 /f
  2⤵
  PID:640
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Wisp\Touch" /v TouchGate /t REG_DWORD /d 0 /f
  2⤵
  PID:3888
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_CURRENT_USER\Control Panel\Mouse" /v Beep /t REG_SZ /d "No" /f
  2⤵
  PID:1796
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_CURRENT_USER\Control Panel\Mouse" /v ExtendedSounds /t REG_SZ /d "No" /f
  2⤵
  PID:3500
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_CURRENT_USER\Control Panel\Sound" /v Beep /t REG_SZ /d "no" /f
  2⤵
  PID:2656
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_CURRENT_USER\Control Panel\Sound" /v ExtendedSounds /t REG_SZ /d "no" /f
  2⤵
  PID:1764
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_CURRENT_USER\Control Panel\Desktop" /v MouseWheelRouting /t REG_DWORD /d 0 /f
  2⤵
  PID:4496
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Input\Settings\ControllerProcessor\CursorSpeed" /v CursorSensitivity /t REG_DWORD /d 2710 /f
  2⤵
  PID:4300
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Input\Settings\ControllerProcessor\CursorSpeed" /v CursorUpdateInterval /t REG_DWORD /d 1 /f
  2⤵
  PID:1016
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Input\Settings\ControllerProcessor\CursorSpeed" /v IRRemoteNavigationDelta /t REG_DWORD /d 1 /f
  2⤵
  PID:4952
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Input\Buttons" /v HardwareButtonsAsVKeys /t REG_DWORD /d 0 /f
  2⤵
  PID:1720
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows" /v DesktopHeapLogging /t REG_DWORD /d 0 /f
  2⤵
  PID:4276
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows" /v DwmInputUsesIoCompletionPort /t REG_DWORD /d 0 /f
  2⤵
  PID:1680
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows" /v EnableDwmInputProcessing /t REG_DWORD /d 0 /f
  2⤵
  PID:1992
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mouhid\Parameters" /v TreatAbsolutePointerAsAbsolute /t REG_DWORD /d 1 /f
  2⤵
  PID:3740
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mouhid\Parameters" /v TreatAbsoluteAsRelative /t REG_DWORD /d 0 /f
  2⤵
  PID:4208
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell "$devices = Get-WmiObject Win32_PnPEntity; $powerMgmt = Get-WmiObject MSPower_DeviceEnable -Namespace root\wmi; foreach ($p in $powerMgmt){$IN = $p.InstanceName.ToUpper(); foreach ($h in $devices){$PNPDI = $h.PNPDeviceID; if ($IN -like \"*$PNPDI*\"){$p.enable = $False; $p.psbase.put()}}}"
  2⤵
  PID:4620
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic path Win32_USBHub GET DeviceID| FINDSTR /L "VID_"
  2⤵
  PID:3748
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic path Win32_USBHub GET DeviceID
    3⤵
    PID:1844
- - C:\Windows\system32\findstr.exe
    FINDSTR /L "VID_"
    3⤵
    PID:1804
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -noprofile -executionpolicy bypass -c "$power_device_enable = Get-WmiObject MSPower_DeviceEnable -Namespace root\wmi; $usb_devices = @(\"Win32_USBController\", \"Win32_USBControllerDevice\", \"Win32_USBHub\"); foreach ($power_device in $power_device_enable) { $instance_name = $power_device.InstanceName.ToUpper(); foreach ($device in $usb_devices) { foreach ($hub in Get-WmiObject $device) { $pnp_id = $hub.PNPDeviceID; if ($instance_name -like \"*$pnp_id*\") { $power_device.enable = $False; $power_device.psbase.put(); }}}}"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:1564
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\USBXHCI\Parameters\Wdf" /v NoExtraBufferRoom /t REG_DWORD /d 1 /f
  2⤵
  PID:4120
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USB" /v AllowIdleIrpInD3 /t REG_DWORD /d 0 /f
  2⤵
  PID:444
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USB" /v EnhancedPowerManagementEnabled /t REG_DWORD /d 0 /f
  2⤵
  PID:1240
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Class\USB\0000" /v IdleEnable /t REG_DWORD /d 0 /f
  2⤵
  PID:1912
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Class\USB\0001" /v IdleEnable /t REG_DWORD /d 0 /f
  2⤵
  PID:4796
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Class\USB\0002" /v IdleEnable /t REG_DWORD /d 0 /f
  2⤵
  PID:1592
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Class\USB\0003" /v IdleEnable /t REG_DWORD /d 0 /f
  2⤵
  PID:3996
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Class\USB\0004" /v IdleEnable /t REG_DWORD /d 0 /f
  2⤵
  PID:4272
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Class\USB\0005" /v IdleEnable /t REG_DWORD /d 0 /f
  2⤵
  PID:2548
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Class\USB\0006" /v IdleEnable /t REG_DWORD /d 0 /f
  2⤵
  PID:1956
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Class\USB\0007" /v IdleEnable /t REG_DWORD /d 0 /f
  2⤵
  PID:5108
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Class\USB\0008" /v IdleEnable /t REG_DWORD /d 0 /f
  2⤵
  PID:3660
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Class\USB\0009" /v IdleEnable /t REG_DWORD /d 0 /f
  2⤵
  PID:3216
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Class\USB\0010" /v IdleEnable /t REG_DWORD /d 0 /f
  2⤵
  PID:1716
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Class\USB\0011" /v IdleEnable /t REG_DWORD /d 0 /f
  2⤵
  PID:4648
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Class\USB\0012" /v IdleEnable /t REG_DWORD /d 0 /f
  2⤵
  PID:3988
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Class\USB\0013" /v IdleEnable /t REG_DWORD /d 0 /f
  2⤵
  PID:1600
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Class\USB\0014" /v IdleEnable /t REG_DWORD /d 0 /f
  2⤵
  PID:1704
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Class\USB\0015" /v IdleEnable /t REG_DWORD /d 0 /f
  2⤵
  PID:4080
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Class\USB\0016" /v IdleEnable /t REG_DWORD /d 0 /f
  2⤵
  PID:4524
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Class\USB\0017" /v IdleEnable /t REG_DWORD /d 0 /f
  2⤵
  PID:2444
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Class\USB\0018" /v IdleEnable /t REG_DWORD /d 0 /f
  2⤵
  PID:4708
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Class\USB\0019" /v IdleEnable /t REG_DWORD /d 0 /f
  2⤵
  PID:4584
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Class\USB\0020" /v IdleEnable /t REG_DWORD /d 0 /f
  2⤵
  PID:2552
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Class\USB\0021" /v IdleEnable /t REG_DWORD /d 0 /f
  2⤵
  PID:1424
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Class\USB\0022" /v IdleEnable /t REG_DWORD /d 0 /f
  2⤵
  PID:4528
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Class\USB\0023" /v IdleEnable /t REG_DWORD /d 0 /f
  2⤵
  PID:3180
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Class\USB\0024" /v IdleEnable /t REG_DWORD /d 0 /f
  2⤵
  PID:676
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Class\USB\0025" /v IdleEnable /t REG_DWORD /d 0 /f
  2⤵
  PID:4508
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Class\USB\0026" /v IdleEnable /t REG_DWORD /d 0 /f
  2⤵
  PID:760
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Class\USB\0027" /v IdleEnable /t REG_DWORD /d 0 /f
  2⤵
  PID:4864
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Class\USB\0028" /v IdleEnable /t REG_DWORD /d 0 /f
  2⤵
  PID:4360
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Class\USB\0029" /v IdleEnable /t REG_DWORD /d 0 /f
  2⤵
  PID:1544
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Class\USB\0030" /v IdleEnable /t REG_DWORD /d 0 /f
  2⤵
  PID:3060
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Class\USB\0031" /v IdleEnable /t REG_DWORD /d 0 /f
  2⤵
  PID:5116
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Class\USB\0032" /v IdleEnable /t REG_DWORD /d 0 /f
  2⤵
  PID:3520
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\FLxHCIc\Parameters" /v BulkInRingBuffers /t REG_DWORD /d 256 /f
  2⤵
  PID:4644
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\FLxHCIc\Parameters" /v U1U2LowPower /t REG_DWORD /d 0 /f
  2⤵
  PID:4592
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\USB\AutomaticSurpriseRemovals" /v AttemptRecoveryFromUsbPowerDrain /t REG_DWORD /d 0 /f
  2⤵
  PID:3312
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c powercfg /getactivescheme
  2⤵
  PID:2252
- - C:\Windows\system32\powercfg.exe
    powercfg /getactivescheme
    3⤵
    - Power Settings
    PID:3836
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c powercfg -duplicatescheme e9a42b02-d5df-448d-aa00-03f14749eb61
  2⤵
  - Power Settings
  PID:4692
- - C:\Windows\system32\powercfg.exe
    powercfg -duplicatescheme e9a42b02-d5df-448d-aa00-03f14749eb61
    3⤵
    - Power Settings
    PID:1012
- C:\Windows\system32\powercfg.exe
  powercfg /setactive
  2⤵
  PID:4812
- C:\Windows\system32\powercfg.exe
  powercfg -delete a1841308-3541-4fab-bc81-f71556f20b4a
  2⤵
  PID:3380
- C:\Windows\system32\powercfg.exe
  powercfg -delete 381b4222-f694-41f0-9685-ff5bb260df2e
  2⤵
  - Power Settings
  PID:3124
- C:\Windows\system32\powercfg.exe
  powercfg -delete 8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c
  2⤵
  - Power Settings
  PID:964
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Power\PowerSettings /s /v "Attributes"|findstr HKEY_
  2⤵
  PID:3496
- - C:\Windows\system32\reg.exe
    REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Power\PowerSettings /s /v "Attributes"
    3⤵
    PID:4976
- - C:\Windows\system32\findstr.exe
    findstr HKEY_
    3⤵
    PID:3116
- C:\Windows\system32\reg.exe
  REG ADD HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Power\PowerSettings\0012ee47-9041-4b5d-9b77-535fba8b1442\0b2d69d7-a2a1-449c-9680-f91c70521c60 /v Attributes /t REG_DWORD /d 0 /f
  2⤵
  PID:1752
- C:\Windows\system32\reg.exe
  REG ADD HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Power\PowerSettings\0012ee47-9041-4b5d-9b77-535fba8b1442\51dea550-bb38-4bc4-991b-eacf37be5ec8 /v Attributes /t REG_DWORD /d 0 /f
  2⤵
  PID:4356
- C:\Windows\system32\reg.exe
  REG ADD HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Power\PowerSettings\0012ee47-9041-4b5d-9b77-535fba8b1442\80e3c60e-bb94-4ad8-bbe0-0d3195efc663 /v Attributes /t REG_DWORD /d 0 /f
  2⤵
  PID:1196
- C:\Windows\system32\reg.exe
  REG ADD HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Power\PowerSettings\0012ee47-9041-4b5d-9b77-535fba8b1442\d3d55efd-c1ff-424e-9dc3-441be7833010 /v Attributes /t REG_DWORD /d 0 /f
  2⤵
  PID:3724
- C:\Windows\system32\reg.exe
  REG ADD HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Power\PowerSettings\0012ee47-9041-4b5d-9b77-535fba8b1442\d639518a-e56d-4345-8af2-b9f32fb26109 /v Attributes /t REG_DWORD /d 0 /f
  2⤵
  PID:2104
- C:\Windows\system32\reg.exe
  REG ADD HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Power\PowerSettings\0012ee47-9041-4b5d-9b77-535fba8b1442\dab60367-53fe-4fbc-825e-521d069d2456 /v Attributes /t REG_DWORD /d 0 /f
  2⤵
  PID:3688
- C:\Windows\system32\reg.exe
  REG ADD HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Power\PowerSettings\0012ee47-9041-4b5d-9b77-535fba8b1442\dbc9e238-6de9-49e3-92cd-8c2b4946b472 /v Attributes /t REG_DWORD /d 0 /f
  2⤵
  PID:2060
- C:\Windows\system32\reg.exe
  REG ADD HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Power\PowerSettings\0012ee47-9041-4b5d-9b77-535fba8b1442\fc7372b6-ab2d-43ee-8797-15e9841f2cca /v Attributes /t REG_DWORD /d 0 /f
  2⤵
  PID:2948
- C:\Windows\system32\reg.exe
  REG ADD HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Power\PowerSettings\0012ee47-9041-4b5d-9b77-535fba8b1442\fc95af4d-40e7-4b6d-835a-56d131dbc80e /v Attributes /t REG_DWORD /d 0 /f
  2⤵
  PID:4052
- C:\Windows\system32\reg.exe
  REG ADD HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Power\PowerSettings\0d7dbae2-4294-402a-ba8e-26777e8488cd\309dce9b-bef4-4119-9921-a851fb12f0f4 /v Attributes /t REG_DWORD /d 0 /f
  2⤵
  PID:3012
- C:\Windows\system32\reg.exe
  REG ADD HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Power\PowerSettings\0E796BDB-100D-47D6-A2D5-F7D2DAA51F51 /v Attributes /t REG_DWORD /d 0 /f
  2⤵
  PID:740
- C:\Windows\system32\reg.exe
  REG ADD HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Power\PowerSettings\238C9FA8-0AAD-41ED-83F4-97BE242C8F20\1A34BDC3-7E6B-442E-A9D0-64B6EF378E84 /v Attributes /t REG_DWORD /d 0 /f
  2⤵
  PID:3796
- C:\Windows\system32\reg.exe
  REG ADD HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Power\PowerSettings\238C9FA8-0AAD-41ED-83F4-97BE242C8F20\25DFA149-5DD1-4736-B5AB-E8A37B5B8187 /v Attributes /t REG_DWORD /d 0 /f
  2⤵
  PID:1236
- C:\Windows\system32\reg.exe
  REG ADD HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Power\PowerSettings\238C9FA8-0AAD-41ED-83F4-97BE242C8F20\29f6c1db-86da-48c5-9fdb-f2b67b1f44da /v Attributes /t REG_DWORD /d 0 /f
  2⤵
  PID:2132
- C:\Windows\system32\reg.exe
  REG ADD HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Power\PowerSettings\238C9FA8-0AAD-41ED-83F4-97BE242C8F20\7bc4a2f9-d8fc-4469-b07b-33eb785aaca0 /v Attributes /t REG_DWORD /d 0 /f
  2⤵
  PID:1496
- C:\Windows\system32\reg.exe
  REG ADD HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Power\PowerSettings\238C9FA8-0AAD-41ED-83F4-97BE242C8F20\9d7815a6-7ee4-497e-8888-515a05f02364 /v Attributes /t REG_DWORD /d 0 /f
  2⤵
  PID:4156
- C:\Windows\system32\reg.exe
  REG ADD HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Power\PowerSettings\238C9FA8-0AAD-41ED-83F4-97BE242C8F20\A4B195F5-8225-47D8-8012-9D41369786E2 /v Attributes /t REG_DWORD /d 0 /f
  2⤵
  PID:376
- C:\Windows\system32\reg.exe
  REG ADD HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Power\PowerSettings\238C9FA8-0AAD-41ED-83F4-97BE242C8F20\abfc2519-3608-4c2a-94ea-171b0ed546ab /v Attributes /t REG_DWORD /d 0 /f
  2⤵
  PID:3888
- C:\Windows\system32\reg.exe
  REG ADD HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Power\PowerSettings\238C9FA8-0AAD-41ED-83F4-97BE242C8F20\d4c1d4c8-d5cc-43d3-b83e-fc51215cb04d /v Attributes /t REG_DWORD /d 0 /f
  2⤵
  PID:2504
- C:\Windows\system32\reg.exe
  REG ADD HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Power\PowerSettings\245d8541-3943-4422-b025-13a784f679b7 /v Attributes /t REG_DWORD /d 0 /f
  2⤵
  PID:3500
- C:\Windows\system32\reg.exe
  REG ADD HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Power\PowerSettings\2a737441-1930-4402-8d77-b2bebba308a3\0853a681-27c8-4100-a2fd-82013e970683 /v Attributes /t REG_DWORD /d 0 /f
  2⤵
  PID:2656
- C:\Windows\system32\reg.exe
  REG ADD HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Power\PowerSettings\2a737441-1930-4402-8d77-b2bebba308a3\498c044a-201b-4631-a522-5c744ed4e678 /v Attributes /t REG_DWORD /d 0 /f
  2⤵
  PID:4412
- C:\Windows\system32\reg.exe
  REG ADD HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Power\PowerSettings\2a737441-1930-4402-8d77-b2bebba308a3\d4e98f31-5ffe-4ce1-be31-1b38b384c009 /v Attributes /t REG_DWORD /d 0 /f
  2⤵
  PID:5064
- C:\Windows\system32\reg.exe
  REG ADD HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Power\PowerSettings\2E601130-5351-4d9d-8E04-252966BAD054\3166BC41-7E98-4e03-B34E-EC0F5F2B218E /v Attributes /t REG_DWORD /d 0 /f
  2⤵
  PID:4616
- C:\Windows\system32\reg.exe
  REG ADD HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Power\PowerSettings\2E601130-5351-4d9d-8E04-252966BAD054\C36F0EB4-2988-4a70-8EEE-0884FC2C2433 /v Attributes /t REG_DWORD /d 0 /f
  2⤵
  PID:4136
- C:\Windows\system32\reg.exe
  REG ADD HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Power\PowerSettings\2E601130-5351-4d9d-8E04-252966BAD054\C42B79AA-AA3A-484b-A98F-2CF32AA90A28 /v Attributes /t REG_DWORD /d 0 /f
  2⤵
  PID:5096
- C:\Windows\system32\reg.exe
  REG ADD HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Power\PowerSettings\2E601130-5351-4d9d-8E04-252966BAD054\D502F7EE-1DC7-4EFD-A55D-F04B6F5C0545 /v Attributes /t REG_DWORD /d 0 /f
  2⤵
  PID:644
- C:\Windows\system32\reg.exe
  REG ADD HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Power\PowerSettings\48672F38-7A9A-4bb2-8BF8-3D85BE19DE4E\2BFC24F9-5EA2-4801-8213-3DBAE01AA39D /v Attributes /t REG_DWORD /d 0 /f
  2⤵
  PID:1792
- C:\Windows\system32\reg.exe
  REG ADD HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Power\PowerSettings\48672F38-7A9A-4bb2-8BF8-3D85BE19DE4E\73CDE64D-D720-4bb2-A860-C755AFE77EF2 /v Attributes /t REG_DWORD /d 0 /f
  2⤵
  PID:4684
- C:\Windows\system32\reg.exe
  REG ADD HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Power\PowerSettings\48672F38-7A9A-4bb2-8BF8-3D85BE19DE4E\D6BA4903-386F-4c2c-8ADB-5C21B3328D25 /v Attributes /t REG_DWORD /d 0 /f
  2⤵
  PID:2192
- C:\Windows\system32\reg.exe
  REG ADD HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Power\PowerSettings\4f971e89-eebd-4455-a8de-9e59040e7347\5ca83367-6e45-459f-a27b-476b1d01c936 /v Attributes /t REG_DWORD /d 0 /f
  2⤵
  PID:3740
- C:\Windows\system32\reg.exe
  REG ADD HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Power\PowerSettings\4f971e89-eebd-4455-a8de-9e59040e7347\7648efa3-dd9c-4e3e-b566-50f929386280 /v Attributes /t REG_DWORD /d 0 /f
  2⤵
  PID:4208
- C:\Windows\system32\reg.exe
  REG ADD HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Power\PowerSettings\4f971e89-eebd-4455-a8de-9e59040e7347\833a6b62-dfa4-46d1-82f8-e09e34d029d6 /v Attributes /t REG_DWORD /d 0 /f
  2⤵
  PID:2148
- C:\Windows\system32\reg.exe
  REG ADD HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Power\PowerSettings\4f971e89-eebd-4455-a8de-9e59040e7347\96996bc0-ad50-47ec-923b-6f41874dd9eb /v Attributes /t REG_DWORD /d 0 /f
  2⤵
  PID:1068
- C:\Windows\system32\reg.exe
  REG ADD HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Power\PowerSettings\4f971e89-eebd-4455-a8de-9e59040e7347\99ff10e7-23b1-4c07-a9d1-5c3206d741b4 /v Attributes /t REG_DWORD /d 0 /f
  2⤵
  PID:2200
- C:\Windows\system32\reg.exe
  REG ADD HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Power\PowerSettings\4faab71a-92e5-4726-b531-224559672d19 /v Attributes /t REG_DWORD /d 0 /f
  2⤵
  PID:2432
- C:\Windows\system32\reg.exe
  REG ADD HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Power\PowerSettings\54533251-82be-4824-96c1-47b60b740d00\06cadf0e-64ed-448a-8927-ce7bf90eb35d /v Attributes /t REG_DWORD /d 0 /f
  2⤵
  PID:2476
- C:\Windows\system32\reg.exe
  REG ADD HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Power\PowerSettings\54533251-82be-4824-96c1-47b60b740d00\06cadf0e-64ed-448a-8927-ce7bf90eb35e /v Attributes /t REG_DWORD /d 0 /f
  2⤵
  PID:4332
- C:\Windows\system32\reg.exe
  REG ADD HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Power\PowerSettings\54533251-82be-4824-96c1-47b60b740d00\0cc5b647-c1df-4637-891a-dec35c318583 /v Attributes /t REG_DWORD /d 0 /f
  2⤵
  PID:4020
- C:\Windows\system32\reg.exe
  REG ADD HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Power\PowerSettings\54533251-82be-4824-96c1-47b60b740d00\0cc5b647-c1df-4637-891a-dec35c318584 /v Attributes /t REG_DWORD /d 0 /f
  2⤵
  PID:4352
- C:\Windows\system32\reg.exe
  REG ADD HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Power\PowerSettings\54533251-82be-4824-96c1-47b60b740d00\12a0ab44-fe28-4fa9-b3bd-4b64f44960a6 /v Attributes /t REG_DWORD /d 0 /f
  2⤵
  PID:4288
- C:\Windows\system32\reg.exe
  REG ADD HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Power\PowerSettings\54533251-82be-4824-96c1-47b60b740d00\12a0ab44-fe28-4fa9-b3bd-4b64f44960a7 /v Attributes /t REG_DWORD /d 0 /f
  2⤵
  PID:1060
- C:\Windows\system32\reg.exe
  REG ADD HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Power\PowerSettings\54533251-82be-4824-96c1-47b60b740d00\1facfc65-a930-4bc5-9f38-504ec097bbc0 /v Attributes /t REG_DWORD /d 0 /f
  2⤵
  PID:4980
- C:\Windows\system32\reg.exe
  REG ADD HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Power\PowerSettings\54533251-82be-4824-96c1-47b60b740d00\2430ab6f-a520-44a2-9601-f7f23b5134b1 /v Attributes /t REG_DWORD /d 0 /f
  2⤵
  PID:3536
- C:\Windows\system32\reg.exe
  REG ADD HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Power\PowerSettings\54533251-82be-4824-96c1-47b60b740d00\2ddd5a84-5a71-437e-912a-db0b8c788732 /v Attributes /t REG_DWORD /d 0 /f
  2⤵
  PID:2176
- C:\Windows\system32\reg.exe
  REG ADD HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Power\PowerSettings\54533251-82be-4824-96c1-47b60b740d00\36687f9e-e3a5-4dbf-b1dc-15eb381c6863 /v Attributes /t REG_DWORD /d 0 /f
  2⤵
  PID:3720
- C:\Windows\system32\reg.exe
  REG ADD HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Power\PowerSettings\54533251-82be-4824-96c1-47b60b740d00\36687f9e-e3a5-4dbf-b1dc-15eb381c6864 /v Attributes /t REG_DWORD /d 0 /f
  2⤵
  PID:1872
- C:\Windows\system32\reg.exe
  REG ADD HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Power\PowerSettings\54533251-82be-4824-96c1-47b60b740d00\3b04d4fd-1cc7-4f23-ab1c-d1337819c4bb /v Attributes /t REG_DWORD /d 0 /f
  2⤵
  PID:1900
- C:\Windows\system32\reg.exe
  REG ADD HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Power\PowerSettings\54533251-82be-4824-96c1-47b60b740d00\4009efa7-e72d-4cba-9edf-91084ea8cbc3 /v Attributes /t REG_DWORD /d 0 /f
  2⤵
  PID:2888
- C:\Windows\system32\reg.exe
  REG ADD HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Power\PowerSettings\54533251-82be-4824-96c1-47b60b740d00\40fbefc7-2e9d-4d25-a185-0cfd8574bac6 /v Attributes /t REG_DWORD /d 0 /f
  2⤵
  PID:2852
- C:\Windows\system32\reg.exe
  REG ADD HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Power\PowerSettings\54533251-82be-4824-96c1-47b60b740d00\40fbefc7-2e9d-4d25-a185-0cfd8574bac7 /v Attributes /t REG_DWORD /d 0 /f
  2⤵
  PID:3128
- C:\Windows\system32\reg.exe
  REG ADD HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Power\PowerSettings\54533251-82be-4824-96c1-47b60b740d00\447235c7-6a8d-4cc0-8e24-9eaf70b96e2b /v Attributes /t REG_DWORD /d 0 /f
  2⤵
  PID:1468
- C:\Windows\system32\reg.exe
  REG ADD HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Power\PowerSettings\54533251-82be-4824-96c1-47b60b740d00\447235c7-6a8d-4cc0-8e24-9eaf70b96e2c /v Attributes /t REG_DWORD /d 0 /f
  2⤵
  PID:2568
- C:\Windows\system32\reg.exe
  REG ADD HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Power\PowerSettings\54533251-82be-4824-96c1-47b60b740d00\45bcc044-d885-43e2-8605-ee0ec6e96b59 /v Attributes /t REG_DWORD /d 0 /f
  2⤵
  PID:3736
- C:\Windows\system32\reg.exe
  REG ADD HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Power\PowerSettings\54533251-82be-4824-96c1-47b60b740d00\465e1f50-b610-473a-ab58-00d1077dc418 /v Attributes /t REG_DWORD /d 0 /f
  2⤵
  PID:1564
- C:\Windows\system32\reg.exe
  REG ADD HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Power\PowerSettings\54533251-82be-4824-96c1-47b60b740d00\465e1f50-b610-473a-ab58-00d1077dc419 /v Attributes /t REG_DWORD /d 0 /f
  2⤵
  PID:4120
- C:\Windows\system32\reg.exe
  REG ADD HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Power\PowerSettings\54533251-82be-4824-96c1-47b60b740d00\4b92d758-5a24-4851-a470-815d78aee119 /v Attributes /t REG_DWORD /d 0 /f
  2⤵
  PID:1736
- C:\Windows\system32\reg.exe
  REG ADD HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Power\PowerSettings\54533251-82be-4824-96c1-47b60b740d00\4bdaf4e9-d103-46d7-a5f0-6280121616ef /v Attributes /t REG_DWORD /d 0 /f
  2⤵
  PID:444
- C:\Windows\system32\reg.exe
  REG ADD HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Power\PowerSettings\54533251-82be-4824-96c1-47b60b740d00\4d2b0152-7d5c-498b-88e2-34345392a2c5 /v Attributes /t REG_DWORD /d 0 /f
  2⤵
  PID:1912
- C:\Windows\system32\reg.exe
  REG ADD HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Power\PowerSettings\54533251-82be-4824-96c1-47b60b740d00\4e4450b3-6179-4e91-b8f1-5bb9938f81a1 /v Attributes /t REG_DWORD /d 0 /f
  2⤵
  PID:1968
- C:\Windows\system32\reg.exe
  REG ADD HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Power\PowerSettings\54533251-82be-4824-96c1-47b60b740d00\5d76a2ca-e8c0-402f-a133-2158492d58ad /v Attributes /t REG_DWORD /d 0 /f
  2⤵
  PID:1592
- C:\Windows\system32\reg.exe
  REG ADD HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Power\PowerSettings\54533251-82be-4824-96c1-47b60b740d00\616cdaa5-695e-4545-97ad-97dc2d1bdd88 /v Attributes /t REG_DWORD /d 0 /f
  2⤵
  PID:3996
- C:\Windows\system32\reg.exe
  REG ADD HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Power\PowerSettings\54533251-82be-4824-96c1-47b60b740d00\616cdaa5-695e-4545-97ad-97dc2d1bdd89 /v Attributes /t REG_DWORD /d 0 /f
  2⤵
  PID:4272
- C:\Windows\system32\reg.exe
  REG ADD HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Power\PowerSettings\54533251-82be-4824-96c1-47b60b740d00\619b7505-003b-4e82-b7a6-4dd29c300971 /v Attributes /t REG_DWORD /d 0 /f
  2⤵
  PID:2548
- C:\Windows\system32\reg.exe
  REG ADD HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Power\PowerSettings\54533251-82be-4824-96c1-47b60b740d00\619b7505-003b-4e82-b7a6-4dd29c300972 /v Attributes /t REG_DWORD /d 0 /f
  2⤵
  PID:1956
- C:\Windows\system32\reg.exe
  REG ADD HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Power\PowerSettings\54533251-82be-4824-96c1-47b60b740d00\6c2993b0-8f48-481f-bcc6-00dd2742aa06 /v Attributes /t REG_DWORD /d 0 /f
  2⤵
  PID:5108
- C:\Windows\system32\reg.exe
  REG ADD HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Power\PowerSettings\54533251-82be-4824-96c1-47b60b740d00\71021b41-c749-4d21-be74-a00f335d582b /v Attributes /t REG_DWORD /d 0 /f
  2⤵
  PID:3660
- C:\Windows\system32\reg.exe
  REG ADD HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Power\PowerSettings\54533251-82be-4824-96c1-47b60b740d00\75b0ae3f-bce0-45a7-8c89-c9611c25e100 /v Attributes /t REG_DWORD /d 0 /f
  2⤵
  PID:3216
- C:\Windows\system32\reg.exe
  REG ADD HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Power\PowerSettings\54533251-82be-4824-96c1-47b60b740d00\75b0ae3f-bce0-45a7-8c89-c9611c25e101 /v Attributes /t REG_DWORD /d 0 /f
  2⤵
  PID:1420
- C:\Windows\system32\reg.exe
  REG ADD HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Power\PowerSettings\54533251-82be-4824-96c1-47b60b740d00\7b224883-b3cc-4d79-819f-8374152cbe7c /v Attributes /t REG_DWORD /d 0 /f
  2⤵
  PID:1716
- C:\Windows\system32\reg.exe
  REG ADD HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Power\PowerSettings\54533251-82be-4824-96c1-47b60b740d00\7d24baa7-0b84-480f-840c-1b0743c00f5f /v Attributes /t REG_DWORD /d 0 /f
  2⤵
  PID:2664
- C:\Windows\system32\reg.exe
  REG ADD HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Power\PowerSettings\54533251-82be-4824-96c1-47b60b740d00\7d24baa7-0b84-480f-840c-1b0743c00f60 /v Attributes /t REG_DWORD /d 0 /f
  2⤵
  PID:2360
- C:\Windows\system32\reg.exe
  REG ADD HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Power\PowerSettings\54533251-82be-4824-96c1-47b60b740d00\7f2492b6-60b1-45e5-ae55-773f8cd5caec /v Attributes /t REG_DWORD /d 0 /f
  2⤵
  PID:2256
- C:\Windows\system32\reg.exe
  REG ADD HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Power\PowerSettings\54533251-82be-4824-96c1-47b60b740d00\7f2f5cfa-f10c-4823-b5e1-e93ae85f46b5 /v Attributes /t REG_DWORD /d 0 /f
  2⤵
  PID:2680
- C:\Windows\system32\reg.exe
  REG ADD HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Power\PowerSettings\54533251-82be-4824-96c1-47b60b740d00\893dee8e-2bef-41e0-89c6-b55d0929964d /v Attributes /t REG_DWORD /d 0 /f
  2⤵
  PID:3900
- C:\Windows\system32\reg.exe
  REG ADD HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Power\PowerSettings\54533251-82be-4824-96c1-47b60b740d00\8baa4a8a-14c6-4451-8e8b-14bdbd197537 /v Attributes /t REG_DWORD /d 0 /f
  2⤵
  PID:1052
- C:\Windows\system32\reg.exe
  REG ADD HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Power\PowerSettings\54533251-82be-4824-96c1-47b60b740d00\93b8b6dc-0698-4d1c-9ee4-0644e900c85d /v Attributes /t REG_DWORD /d 0 /f
  2⤵
  PID:544
- C:\Windows\system32\reg.exe
  REG ADD HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Power\PowerSettings\54533251-82be-4824-96c1-47b60b740d00\943c8cb6-6f93-4227-ad87-e9a3feec08d1 /v Attributes /t REG_DWORD /d 0 /f
  2⤵
  PID:1328
- C:\Windows\system32\reg.exe
  REG ADD HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Power\PowerSettings\54533251-82be-4824-96c1-47b60b740d00\97cfac41-2217-47eb-992d-618b1977c907 /v Attributes /t REG_DWORD /d 0 /f
  2⤵
  PID:2552
- C:\Windows\system32\reg.exe
  REG ADD HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Power\PowerSettings\54533251-82be-4824-96c1-47b60b740d00\984cf492-3bed-4488-a8f9-4286c97bf5aa /v Attributes /t REG_DWORD /d 0 /f
  2⤵
  PID:1424
- C:\Windows\system32\reg.exe
  REG ADD HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Power\PowerSettings\54533251-82be-4824-96c1-47b60b740d00\984cf492-3bed-4488-a8f9-4286c97bf5ab /v Attributes /t REG_DWORD /d 0 /f
  2⤵
  PID:4528
- C:\Windows\system32\reg.exe
  REG ADD HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Power\PowerSettings\54533251-82be-4824-96c1-47b60b740d00\9943e905-9a30-4ec1-9b99-44dd3b76f7a2 /v Attributes /t REG_DWORD /d 0 /f
  2⤵
  PID:3180
- C:\Windows\system32\reg.exe
  REG ADD HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Power\PowerSettings\54533251-82be-4824-96c1-47b60b740d00\b000397d-9b0b-483d-98c9-692a6060cfbf /v Attributes /t REG_DWORD /d 0 /f
  2⤵
  PID:676
- C:\Windows\system32\reg.exe
  REG ADD HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Power\PowerSettings\54533251-82be-4824-96c1-47b60b740d00\bae08b81-2d5e-4688-ad6a-13243356654b /v Attributes /t REG_DWORD /d 0 /f
  2⤵
  PID:4508
- C:\Windows\system32\reg.exe
  REG ADD HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Power\PowerSettings\54533251-82be-4824-96c1-47b60b740d00\bc5038f7-23e0-4960-96da-33abaf5935ed /v Attributes /t REG_DWORD /d 0 /f
  2⤵
  PID:3044
- C:\Windows\system32\reg.exe
  REG ADD HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Power\PowerSettings\54533251-82be-4824-96c1-47b60b740d00\be337238-0d82-4146-a960-4f3749d470c7 /v Attributes /t REG_DWORD /d 0 /f
  2⤵
  PID:2400
- C:\Windows\system32\reg.exe
  REG ADD HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Power\PowerSettings\54533251-82be-4824-96c1-47b60b740d00\c4581c31-89ab-4597-8e2b-9c9cab440e6b /v Attributes /t REG_DWORD /d 0 /f
  2⤵
  PID:760
- C:\Windows\system32\reg.exe
  REG ADD HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Power\PowerSettings\54533251-82be-4824-96c1-47b60b740d00\c7be0679-2817-4d69-9d02-519a537ed0c6 /v Attributes /t REG_DWORD /d 0 /f
  2⤵
  PID:1544
- C:\Windows\system32\reg.exe
  REG ADD HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Power\PowerSettings\54533251-82be-4824-96c1-47b60b740d00\cfeda3d0-7697-4566-a922-a9086cd49dfa /v Attributes /t REG_DWORD /d 0 /f
  2⤵
  PID:3060
- C:\Windows\system32\reg.exe
  REG ADD HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Power\PowerSettings\54533251-82be-4824-96c1-47b60b740d00\d8edeb9b-95cf-4f95-a73c-b061973693c8 /v Attributes /t REG_DWORD /d 0 /f
  2⤵
  PID:5116
- C:\Windows\system32\reg.exe
  REG ADD HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Power\PowerSettings\54533251-82be-4824-96c1-47b60b740d00\d8edeb9b-95cf-4f95-a73c-b061973693c9 /v Attributes /t REG_DWORD /d 0 /f
  2⤵
  PID:3520
- C:\Windows\system32\reg.exe
  REG ADD HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Power\PowerSettings\54533251-82be-4824-96c1-47b60b740d00\dfd10d17-d5eb-45dd-877a-9a34ddd15c82 /v Attributes /t REG_DWORD /d 0 /f
  2⤵
  PID:4644
- C:\Windows\system32\reg.exe
  REG ADD HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Power\PowerSettings\54533251-82be-4824-96c1-47b60b740d00\e0007330-f589-42ed-a401-5ddb10e785d3 /v Attributes /t REG_DWORD /d 0 /f
  2⤵
  PID:4592
- C:\Windows\system32\reg.exe
  REG ADD HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Power\PowerSettings\54533251-82be-4824-96c1-47b60b740d00\ea062031-0e34-4ff1-9b6d-eb1059334028 /v Attributes /t REG_DWORD /d 0 /f
  2⤵
  PID:3312
- C:\Windows\system32\reg.exe
  REG ADD HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Power\PowerSettings\54533251-82be-4824-96c1-47b60b740d00\ea062031-0e34-4ff1-9b6d-eb1059334029 /v Attributes /t REG_DWORD /d 0 /f
  2⤵
  PID:4440
- C:\Windows\system32\reg.exe
  REG ADD HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Power\PowerSettings\54533251-82be-4824-96c1-47b60b740d00\f735a673-2066-4f80-a0c5-ddee0cf1bf5d /v Attributes /t REG_DWORD /d 0 /f
  2⤵
  PID:2128
- C:\Windows\system32\reg.exe
  REG ADD HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Power\PowerSettings\54533251-82be-4824-96c1-47b60b740d00\f8861c27-95e7-475c-865b-13c0cb3f9d6b /v Attributes /t REG_DWORD /d 0 /f
  2⤵
  PID:3316
- C:\Windows\system32\reg.exe
  REG ADD HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Power\PowerSettings\54533251-82be-4824-96c1-47b60b740d00\fddc842b-8364-4edc-94cf-c17f60de1c80 /v Attributes /t REG_DWORD /d 0 /f
  2⤵
  PID:3476
- C:\Windows\system32\reg.exe
  REG ADD HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Power\PowerSettings\5FB4938D-1EE8-4b0f-9A3C-5036B0AB995C\DD848B2A-8A5D-4451-9AE2-39CD41658F6C /v Attributes /t REG_DWORD /d 0 /f
  2⤵
  PID:2168
- C:\Windows\system32\reg.exe
  REG ADD HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Power\PowerSettings\68AFB2D9-EE95-47A8-8F50-4115088073B1 /v Attributes /t REG_DWORD /d 0 /f
  2⤵
  PID:2556
- C:\Windows\system32\reg.exe
  REG ADD HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Power\PowerSettings\7516b95f-f776-4464-8c53-06167f40cc99\17aaa29b-8b43-4b94-aafe-35f64daaf1ee /v Attributes /t REG_DWORD /d 0 /f
  2⤵
  PID:4872
- C:\Windows\system32\reg.exe
  REG ADD HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Power\PowerSettings\7516b95f-f776-4464-8c53-06167f40cc99\3c0bc021-c8a8-4e07-a973-6b14cbcb2b7e /v Attributes /t REG_DWORD /d 0 /f
  2⤵
  PID:1960
- C:\Windows\system32\reg.exe
  REG ADD HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Power\PowerSettings\7516b95f-f776-4464-8c53-06167f40cc99\684C3E69-A4F7-4014-8754-D45179A56167 /v Attributes /t REG_DWORD /d 0 /f
  2⤵
  PID:2084
- C:\Windows\system32\reg.exe
  REG ADD HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Power\PowerSettings\7516b95f-f776-4464-8c53-06167f40cc99\8EC4B3A5-6868-48c2-BE75-4F3044BE88A7 /v Attributes /t REG_DWORD /d 0 /f
  2⤵
  PID:4384
- C:\Windows\system32\reg.exe
  REG ADD HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Power\PowerSettings\7516b95f-f776-4464-8c53-06167f40cc99\90959d22-d6a1-49b9-af93-bce885ad335b /v Attributes /t REG_DWORD /d 0 /f
  2⤵
  PID:4880
- C:\Windows\system32\reg.exe
  REG ADD HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Power\PowerSettings\7516b95f-f776-4464-8c53-06167f40cc99\A9CEB8DA-CD46-44FB-A98B-02AF69DE4623 /v Attributes /t REG_DWORD /d 0 /f
  2⤵
  PID:2932
- C:\Windows\system32\reg.exe
  REG ADD HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Power\PowerSettings\7516b95f-f776-4464-8c53-06167f40cc99\aded5e82-b909-4619-9949-f5d71dac0bcb /v Attributes /t REG_DWORD /d 0 /f
  2⤵
  PID:1824
- C:\Windows\system32\reg.exe
  REG ADD HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Power\PowerSettings\7516b95f-f776-4464-8c53-06167f40cc99\f1fbfde2-a960-4165-9f88-50667911ce96 /v Attributes /t REG_DWORD /d 0 /f
  2⤵
  PID:4976
- C:\Windows\system32\reg.exe
  REG ADD HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Power\PowerSettings\7516b95f-f776-4464-8c53-06167f40cc99\FBD9AA66-9553-4097-BA44-ED6E9D65EAB8 /v Attributes /t REG_DWORD /d 0 /f
  2⤵
  PID:796
- C:\Windows\system32\reg.exe
  REG ADD HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Power\PowerSettings\8619B916-E004-4dd8-9B66-DAE86F806698\468FE7E5-1158-46EC-88BC-5B96C9E44FD0 /v Attributes /t REG_DWORD /d 0 /f
  2⤵
  PID:5092
- C:\Windows\system32\reg.exe
  REG ADD HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Power\PowerSettings\8619B916-E004-4dd8-9B66-DAE86F806698\49CB11A5-56E2-4AFB-9D38-3DF47872E21B /v Attributes /t REG_DWORD /d 0 /f
  2⤵
  PID:5084
- C:\Windows\system32\reg.exe
  REG ADD HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Power\PowerSettings\8619B916-E004-4dd8-9B66-DAE86F806698\5ADBBFBC-074E-4da1-BA38-DB8B36B2C8F3 /v Attributes /t REG_DWORD /d 0 /f
  2⤵
  PID:3504
- C:\Windows\system32\reg.exe
  REG ADD HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Power\PowerSettings\8619B916-E004-4dd8-9B66-DAE86F806698\60C07FE1-0556-45CF-9903-D56E32210242 /v Attributes /t REG_DWORD /d 0 /f
  2⤵
  PID:4376
- C:\Windows\system32\reg.exe
  REG ADD HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Power\PowerSettings\8619B916-E004-4dd8-9B66-DAE86F806698\82011705-FB95-4D46-8D35-4042B1D20DEF /v Attributes /t REG_DWORD /d 0 /f
  2⤵
  PID:5048
- C:\Windows\system32\reg.exe
  REG ADD HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Power\PowerSettings\8619B916-E004-4dd8-9B66-DAE86F806698\9FE527BE-1B70-48DA-930D-7BCF17B44990 /v Attributes /t REG_DWORD /d 0 /f
  2⤵
  PID:4132
- C:\Windows\system32\reg.exe
  REG ADD HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Power\PowerSettings\8619B916-E004-4dd8-9B66-DAE86F806698\C763EE92-71E8-4127-84EB-F6ED043A3E3D /v Attributes /t REG_DWORD /d 0 /f
  2⤵
  PID:2528
- C:\Windows\system32\reg.exe
  REG ADD HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Power\PowerSettings\DE830923-A562-41AF-A086-E3A2C6BAD2DA /v Attributes /t REG_DWORD /d 0 /f
  2⤵
  PID:2540
- C:\Windows\system32\reg.exe
  REG ADD HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Power\PowerSettings\DE830923-A562-41AF-A086-E3A2C6BAD2DA\13D09884-F74E-474A-A852-B6BDE8AD03A8 /v Attributes /t REG_DWORD /d 0 /f
  2⤵
  PID:2208
- C:\Windows\system32\reg.exe
  REG ADD HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Power\PowerSettings\DE830923-A562-41AF-A086-E3A2C6BAD2DA\5C5BB349-AD29-4ee2-9D0B-2B25270F7A81 /v Attributes /t REG_DWORD /d 0 /f
  2⤵
  PID:4972
- C:\Windows\system32\reg.exe
  REG ADD HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Power\PowerSettings\DE830923-A562-41AF-A086-E3A2C6BAD2DA\E69653CA-CF7F-4F05-AA73-CB833FA90AD4 /v Attributes /t REG_DWORD /d 0 /f
  2⤵
  PID:4596
- C:\Windows\system32\reg.exe
  REG ADD HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Power\PowerSettings\e73a048d-bf27-4f12-9731-8b2076e8891f\5dbb7c9f-38e9-40d2-9749-4f8a0e9f640f /v Attributes /t REG_DWORD /d 0 /f
  2⤵
  PID:3856
- C:\Windows\system32\reg.exe
  REG ADD HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Power\PowerSettings\e73a048d-bf27-4f12-9731-8b2076e8891f\637ea02f-bbcb-4015-8e2c-a1c7b9c0b546 /v Attributes /t REG_DWORD /d 0 /f
  2⤵
  PID:3652
- C:\Windows\system32\reg.exe
  REG ADD HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Power\PowerSettings\e73a048d-bf27-4f12-9731-8b2076e8891f\8183ba9a-e910-48da-8769-14ae6dc1170a /v Attributes /t REG_DWORD /d 0 /f
  2⤵
  PID:1552
- C:\Windows\system32\reg.exe
  REG ADD HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Power\PowerSettings\e73a048d-bf27-4f12-9731-8b2076e8891f\9a66d8d7-4ff7-4ef9-b5a2-5a326ca2a469 /v Attributes /t REG_DWORD /d 0 /f
  2⤵
  PID:3408
- C:\Windows\system32\reg.exe
  REG ADD HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Power\PowerSettings\e73a048d-bf27-4f12-9731-8b2076e8891f\bcded951-187b-4d05-bccc-f7e51960c258 /v Attributes /t REG_DWORD /d 0 /f
  2⤵
  PID:4108
- C:\Windows\system32\reg.exe
  REG ADD HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Power\PowerSettings\e73a048d-bf27-4f12-9731-8b2076e8891f\d8742dcb-3e6a-4b3c-b3fe-374623cdcf06 /v Attributes /t REG_DWORD /d 0 /f
  2⤵
  PID:1748
- C:\Windows\system32\reg.exe
  REG ADD HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Power\PowerSettings\e73a048d-bf27-4f12-9731-8b2076e8891f\F3C5027D-CD16-4930-AA6B-90DB844A8F00 /v Attributes /t REG_DWORD /d 0 /f
  2⤵
  PID:640
- C:\Windows\system32\reg.exe
  REG ADD HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Power\PowerSettings\F15576E8-98B7-4186-B944-EAFA664402D9 /v Attributes /t REG_DWORD /d 0 /f
  2⤵
  PID:3948
- C:\Windows\system32\powercfg.exe
  powercfg /setacvalueindex SCHEME_CURRENT 2a737441-1930-4402-8d77-b2bebba308a3 48e6b7a6-50f5-4782-a5d4-53bb8f07e226 0
  2⤵
  PID:4800
- C:\Windows\system32\powercfg.exe
  powercfg /setacvalueindex SCHEME_CURRENT 54533251-82BE-4824-96C1-47B60B740D00 4B92D758-5A24-4851-A470-815D78AEE119 100
  2⤵
  - Power Settings
  PID:1796
- C:\Windows\system32\powercfg.exe
  powercfg /setacvalueindex SCHEME_CURRENT 54533251-82BE-4824-96C1-47B60B740D00 7B224883-B3CC-4D79-819F-8374152CBE7C 100
  2⤵
  - Power Settings
  PID:1764
- C:\Windows\system32\powercfg.exe
  powercfg /setacvalueindex SCHEME_CURRENT 501a4d13-42af-4429-9fd1-a8218c268e20 ee12f906-d277-404b-b6da-e5fa1a576df5 0
  2⤵
  PID:4496
- C:\Windows\system32\powercfg.exe
  powercfg /setacvalueindex SCHEME_CURRENT 2a737441-1930-4402-8d77-b2bebba308a3 d4e98f31-5ffe-4ce1-be31-1b38b384c009 0
  2⤵
  PID:4300
- C:\Windows\system32\powercfg.exe
  powercfg /setacvalueindex SCHEME_CURRENT 238c9fa8-0aad-41ed-83f4-97be242c8f20 94ac6d29-73ce-41a6-809f-6363ba21b47e 0
  2⤵
  PID:1016
- C:\Windows\system32\powercfg.exe
  powercfg /setacvalueindex SCHEME_CURRENT 238c9fa8-0aad-41ed-83f4-97be242c8f20 bd3b718a-0680-4d9d-8ab2-e1d2b4ac806d 0
  2⤵
  - Power Settings
  PID:4952
- C:\Windows\system32\powercfg.exe
  powercfg /setacvalueindex SCHEME_CURRENT 238c9fa8-0aad-41ed-83f4-97be242c8f20 7bc4a2f9-d8fc-4469-b07b-33eb785aaca0 0
  2⤵
  PID:1720
- C:\Windows\system32\powercfg.exe
  powercfg /setacvalueindex SCHEME_CURRENT 238c9fa8-0aad-41ed-83f4-97be242c8f20 abfc2519-3608-4c2a-94ea-171b0ed546ab 0
  2⤵
  - Power Settings
  PID:4276
- C:\Windows\system32\powercfg.exe
  powercfg /setacvalueindex SCHEME_CURRENT 2e601130-5351-4d9d-8e04-252966bad054 d502f7ee-1dc7-4efd-a55d-f04b6f5c0545 0
  2⤵
  PID:4188
- C:\Windows\system32\powercfg.exe
  powercfg /setacvalueindex SCHEME_CURRENT 54533251-82be-4824-96c1-47b60b740d00 06cadf0e-64ed-448a-8927-ce7bf90eb35d 0
  2⤵
  - Power Settings
  PID:1992
- C:\Windows\system32\powercfg.exe
  powercfg /setacvalueindex SCHEME_CURRENT 54533251-82be-4824-96c1-47b60b740d00 06cadf0e-64ed-448a-8927-ce7bf90eb35e 0
  2⤵
  PID:1432
- C:\Windows\system32\powercfg.exe
  powercfg /setacvalueindex SCHEME_CURRENT 54533251-82be-4824-96c1-47b60b740d00 3b04d4fd-1cc7-4f23-ab1c-d1337819c4bb 0
  2⤵
  - Power Settings
  PID:1112
- C:\Windows\system32\powercfg.exe
  powercfg /setacvalueindex SCHEME_CURRENT 54533251-82be-4824-96c1-47b60b740d00 619b7505-003b-4e82-b7a6-4dd29c300971 0
  2⤵
  - Power Settings
  PID:1100
- C:\Windows\system32\powercfg.exe
  powercfg /setacvalueindex SCHEME_CURRENT 54533251-82be-4824-96c1-47b60b740d00 619b7505-003b-4e82-b7a6-4dd29c300972 0
  2⤵
  - Power Settings
  PID:2260
- C:\Windows\system32\powercfg.exe
  powercfg /setacvalueindex SCHEME_CURRENT 7516b95f-f776-4464-8c53-06167f40cc99 17aaa29b-8b43-4b94-aafe-35f64daaf1ee 0
  2⤵
  PID:2480
- C:\Windows\system32\powercfg.exe
  powercfg /setacvalueindex SCHEME_CURRENT 7516b95f-f776-4464-8c53-06167f40cc99 3c0bc021-c8a8-4e07-a973-6b14cbcb2b7e 0
  2⤵
  - Power Settings
  PID:2492
- C:\Windows\system32\powercfg.exe
  powercfg /setacvalueindex SCHEME_CURRENT e73a048d-bf27-4f12-9731-8b2076e8891f 637ea02f-bbcb-4015-8e2c-a1c7b9c0b546 0
  2⤵
  PID:2856
- C:\Windows\system32\powercfg.exe
  powercfg /setacvalueindex SCHEME_CURRENT fea3413e-7e05-4911-9a71-700331f1c294 68afb2d9-ee95-47a8-8f50-4115088073b1 0
  2⤵
  - Power Settings
  PID:2908
- C:\Windows\system32\powercfg.exe
  powercfg /setacvalueindex SCHEME_CURRENT 0012ee47-9041-4b5d-9b77-535fba8b1442 6738e2c4-e8a5-4a42-b16a-e040e769756e 0
  2⤵
  PID:2840
- C:\Windows\system32\powercfg.exe
  powercfg /setacvalueindex SCHEME_CURRENT 0012ee47-9041-4b5d-9b77-535fba8b1442 fc95af4d-40e7-4b6d-835a-56d131dbc80e 0
  2⤵
  PID:240
- C:\Windows\system32\powercfg.exe
  powercfg /setacvalueindex SCHEME_CURRENT 54533251-82be-4824-96c1-47b60b740d00 bc5038f7-23e0-4960-96da-33abaf5935ed 100
  2⤵
  - Power Settings
  PID:188
- C:\Windows\system32\powercfg.exe
  powercfg /setacvalueindex SCHEME_CURRENT 9596fb26-9850-41fd-ac3e-f7c3c00afd4b 34c7b99f-9a6d-4b3c-8dc7-b6693b78cef4 0
  2⤵
  PID:1060
- C:\Windows\system32\powercfg.exe
  powercfg /setacvalueindex SCHEME_CURRENT 54533251-82be-4824-96c1-47b60b740d00 a55612aa-f624-42c6-a443-7397d064c04f 0
  2⤵
  - Power Settings
  PID:4980
- C:\Windows\system32\powercfg.exe
  powercfg /setacvalueindex SCHEME_CURRENT 54533251-82be-4824-96c1-47b60b740d00 ea062031-0e34-4ff1-9b6d-eb1059334028 100
  2⤵
  PID:3396
- C:\Windows\system32\powercfg.exe
  powercfg /setacvalueindex SCHEME_CURRENT 54533251-82be-4824-96c1-47b60b740d00 be337238-0d82-4146-a960-4f3749d470c7 2
  2⤵
  PID:2176
- C:\Windows\system32\powercfg.exe
  powercfg /setacvalueindex SCHEME_CURRENT 0012ee47-9041-4b5d-9b77-535fba8b1442 d639518a-e56d-4345-8af2-b9f32fb26109 0
  2⤵
  - Power Settings
  PID:3720
- C:\Windows\system32\powercfg.exe
  powercfg /setacvalueindex SCHEME_CURRENT 0012ee47-9041-4b5d-9b77-535fba8b1442 d3d55efd-c1ff-424e-9dc3-441be7833010 0
  2⤵
  PID:1872
- C:\Windows\system32\powercfg.exe
  powercfg /setacvalueindex SCHEME_CURRENT 0012ee47-9041-4b5d-9b77-535fba8b1442 fc7372b6-ab2d-43ee-8797-15e9841f2cca 0
  2⤵
  - Power Settings
  PID:1900
- C:\Windows\system32\powercfg.exe
  powercfg /setacvalueindex SCHEME_CURRENT 0d7dbae2-4294-402a-ba8e-26777e8488cd 309dce9b-bef4-4119-9921-a851fb12f0f4 1
  2⤵
  PID:2888
- C:\Windows\system32\powercfg.exe
  powercfg /setacvalueindex SCHEME_CURRENT 2a737441-1930-4402-8d77-b2bebba308a3 0853a681-27c8-4100-a2fd-82013e970683 0
  2⤵
  - Power Settings
  PID:2852
- C:\Windows\system32\powercfg.exe
  powercfg /setacvalueindex SCHEME_CURRENT e73a048d-bf27-4f12-9731-8b2076e8891f 5dbb7c9f-38e9-40d2-9749-4f8a0e9f640f 0
  2⤵
  PID:3128
- C:\Windows\system32\powercfg.exe
  powercfg /setacvalueindex SCHEME_CURRENT 54533251-82be-4824-96c1-47b60b740d00 36687f9e-e3a5-4dbf-b1dc-15eb381c6863 0
  2⤵
  - Power Settings
  PID:1468
- C:\Windows\system32\powercfg.exe
  powercfg /setacvalueindex SCHEME_CURRENT 54533251-82be-4824-96c1-47b60b740d00 40fbefc7-2e9d-4d25-a185-0cfd8574bac6 2
  2⤵
  - Power Settings
  PID:2568

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k PeerDist -s PeerDistSvc
1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
PID:4668

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Power Settings

T1653

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Hide Artifacts

T1564

Ignore Process Interrupts

T1564.011

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Network Share Discovery

T1135

Peripheral Device Discovery

T1120

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

System Time Discovery

T1124

Lateral Movement

Remote Services

T1021

SMB/Windows Admin Shares

T1021.002

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
ea24fa6b0e976f32cd17d7199e95a88f

SHA1
a4713259491dfd35b99595c46f45a8bde7d55448

SHA256
599f2092a179c8667e123af2c5a83fe3af9ecdebc9b7ebfcf6ab946c1f63c3c5

SHA512
dfc54c1e79061fe6e9e64a61ec64e15a86ab9634769402047701e2aed855a3c2fa68e8379080a764ba6ed676be90149bcf7340ca2e4b615d1213421612a3e06e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
906bffa24bab6c7b89fe155b53eecbcc

SHA1
881dacc5e275991e85bb1b21446fe54f83392786

SHA256
00c8afd58fec3d1440af7abd7bc79c97c568f4a2c5564c69f6f5a53d02ec8a9a

SHA512
efb2d414500a506ecda5a8a68cb45e17ecc55ba94d79c7b608efd6e2cecbe72ae99c02d5f110e200de1294b869f0848838d1f8aff3b3560b09b5e2cacdcd2278

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
0f5d13e6d426a90891bf90dd83a20f74

SHA1
5c18c38a368a3d1e3a5e56162139aa0faf720d5b

SHA256
a83829a0850ce6b039a68eba1249c8cbad94ebf0e1e06f0a3ac87e8bf26f4dd7

SHA512
44a9a432600eb8b8539c39797cb207d6e69b9e74fb08b39354bb43afb05d1788046afe0ef4680b060ef5f197ce4e254fa8388ec4bfb30c256da09c8d9eb00209

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
cfb016b5c813a7cdb8a3fcf488f99177

SHA1
9c6f723a5e27f9967d86e326b0ebf42209733c04

SHA256
d949d8c0da8324c876e3fbd7ad6fd3459f3d498bf739989b55f77264007378b2

SHA512
636a27899a93f1582d60888592e63fdfeb086568cea2a12969091e527fa65c1dbcd9b2a37742a95b0e2fb444c414d635755845b275e7abad35c4e4becc7f9bdc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
ff584e2453ee413bf223ca645fcc92f4

SHA1
155160f02366fcf4831e64caa0c07058c5e3cc8c

SHA256
84ac1a89ad62f0ce344720febdbd466f27abbced26a41014eccc66f9cd3e4f99

SHA512
13fc09ccdb11127a7298ae88b3d7714ba8b8c5859c61c9e7cb9383921d7bf5bf2e7a14cae3fb11bc4680e28e3bc97c5e10d82e631afb8d204476fac2d39510f5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
919599e76b67de548b8d854d85f14ba1

SHA1
2c54e4b6b361c5d397fac495f978d8f48354653b

SHA256
4653d032adf289c97d902e1a275dab34008ad1cce244a3b1bd5f9f69ec890316

SHA512
217bc83744b24030c7143051808ce23ddd9f06c93906e16190a90cb1531d4220dc5a54308ea7964a78c5d885674efd327959f3b75f8c37ab1a7fb1dbafcb5f01

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
3e43ca6074bfd9ef6058304b52937a52

SHA1
46cdd3b63d4d01f5f36e8121c732821d6a2bd28d

SHA256
0b50eec96e70f7ec4ee7ba950b13ab0757b0b6b6299224b0f62a785a41a6e452

SHA512
78c8046877d53881630a52e0d55ab36d1db6f53e7fc08d5917598b8f89b08e05416a3e1b23f12dad9e18037d337ff0623a72fdb9bc5916bb0b305dde30e3a445

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
c839528cb7a635a99957ed23d2bb0eff

SHA1
4f37e534737e4512af6ea4d1ee9edeb0aaef01de

SHA256
c70ba8e262a8992c4ad61814f34fddcb99ace6a1d4eddc83c78b599439bb4592

SHA512
8de5565dbc01adcbfb0edf9af6b85f12814c362b3e5ee4e3b53226288bbfb4e605f824b56c79422fbe19a0f43274aebc721c8ecec2c50a6a522de6fe3983ac0e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
b4622763e3e8ec5205cc8242b311a80f

SHA1
3ed09ba1a52c76181e897353e514d20c87102b91

SHA256
5cbace1197277c327a15033ec000cd477eea554241f8d34cfaa2a9b6f86f6923

SHA512
9bd4f2b1cacf74b045dbe653a1a2681b0ec699f6ffb754ce7f3f16b584320617d494118f467f13dacb27404229ddae720a7916f861253c325d980f92aeabfa1f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
96ea582e38abb23fd09e6ac189026b1c

SHA1
2f87f6da72339088c39e80355d6a19ed418138b9

SHA256
c296d43cbbeec21d7ae5f4b732b971728bbdf545c7f34c20f0e02e43e78f8835

SHA512
fe037024c624c016bea228233819594e10e0e9f62d7475651c4b5390cc439236dd20f0598b3aa9aa04eaac027ef19fbb61adc529e882adb6baf74675c8680739

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
8146ea1378cac6a134be7895a77f0b09

SHA1
0ebbfdeaceb956866bd78d6ad5c9f48dd55d9718

SHA256
0819508e5b8b54299ee2775f0dea9f00f4219e8495d1825cc620d39840b096d7

SHA512
a979b852496cad88b96863c798100eebd7682169397fc829093671a69a4098d61a91896e5ce2e7bb78e93f2126b2f0784905e0ef2dd1ab530dce0ee78d67cb55

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
7a09543a77f0d3e4a84cd8150f532332

SHA1
fa4f725b4fd1ca445bfdbca557466d0e15139374

SHA256
02a0998af1dcc15a734fe3a26e800096da97b5195f924b030c1d60e791639a31

SHA512
185d9dec3e2635872d4e0295f281a2ebb32461fbc9a6d9b3a350834c49d1cfa5a1e0211e263c6041e69725543b44661909857886ea5776f10575b67f0f47a45a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
8bd3e48b83ce1373dd5608cfc1188e6a

SHA1
e327653451633cb549ccac0f197bffcbb30fb67b

SHA256
2a98935593d4cc6ed9182e16472e0684068adc0e5d1d1bbd5f35a9ed53d9e342

SHA512
61774139fb1df113c74317250b5aa611b5673ae4f246273bb91165f08c89fd60a3d2a0907e24adca284fd545a785231be73805a2e5885d7f9e0984801f23d3ee

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
9bb01be58523224a125a22b6b335dd98

SHA1
d54f18b0f2a8051e926e809743390bba1f7744ef

SHA256
2d5f9a777fcc8058e465d84882b81f5e5650021b33b57bfbbddcb9c323c561bd

SHA512
acb1232d7aad938c9eeeb0496fc38b7c2396fbda5ae7e5063eea89c6e2c2e77b7047491fe2ae2cbb21fee93ac249097d8f01696e03928d8e90bf14644c92af9e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
590e0b270ac007f95b12db8bbf8de0ca

SHA1
b3a959ab408a306560075ba541926958754806b7

SHA256
5387647a948b835845f8ab362c809ea2d6b455bccca5e05066d570d0183aa459

SHA512
fec8478a1728184bea044ae80554b46638ea54bf30ca219be6e1a37d8ff835984e61ff76b44c7a468c88640fe7ac547ae3d3b0de10bb9612254970f8d2d09ef3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
0d94a71af6297ee5fc37769fdadc3059

SHA1
43238cd69a5a6088732fbcf8bb22b0481f1b7414

SHA256
abfaf53e6b7bdcdf31a4993b5ea74d05d4b2470dfc6ca7f9f558dd42442bd806

SHA512
da8d2a0dc711c75e2674c7810b6548e588362368a43d9ded35215d26ef481799a11146cb69dbfc5d8436ea9b5b86be0383554e94621cec59f441c0fc21526fe2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
2e664c46c9ed8c4a84e1f030247676ca

SHA1
795e197d0525d5749524eeff040ee2de5bd758a6

SHA256
d5be89d283824befecf6c2e6abc46dc373bb08ec789c72fc98d7e0d191bd5492

SHA512
8f410ace5e217688549836096961aca91436292e1e939a6830446c86ffbfbd3d7cdcf5d8a13b2c1f06daaedb212b7cb3ad671f2b357bf7beedd469c2aff50fe1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
3707239ac9f830d19991c52b508ebf6e

SHA1
493893744998a614379e66f64ee12a1630f4ac6b

SHA256
773f69db5ac2040c04a6ba6bf2216e0ac6cc736402edbc886a559f0ccb65dab2

SHA512
4d83484e9e36c826ecfd3dfafb651d1581823eeb22ad37c366ed790d4be8daa5430b682d019b2d7e966ca14f6ccabd99af9e9525d3ed76c6020ef7368118aaf9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
f0dce41b0d2aeabd299665744079e22c

SHA1
a06e6855e6d6133aabc0a7552f145b11f889b3ca

SHA256
e3a4d2bf02f5bfc9ece5286829b2b1b8eb0ffa064b97eb11f418ff1922ffe048

SHA512
89591ce74c682f13c031ef3e532bc714196ff8f3cc3fbed76993b7c7818528e800b54bc0efa2308a6b91f08552c709b386c02a231b2e8eed421e2c248dd72845

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
432d8cb30a196445ff6397a0bfb0dac2

SHA1
991c48a331d2204e90f3609fba14bfc647b1e87e

SHA256
51637f065a0112e97fc31ed7488814bab6fda85f563f90965ddc6aa03288161d

SHA512
0d3bf8adf4d1fa1c462706151a2ca74b3f304989bec0f921227f5677c15afccfefbacfafee12f29f2e05f11f6e50a5256c9773a2dbae4dbccb94fb63ec473aea

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
31156d14115982750ce59fa64dc75b05

SHA1
f8734fd543bcf8f585e5cd22ea61b7398ab67aad

SHA256
f44b96ee7fd42e9e94a697d3af602d62fd0d8570607ba6cb84ef7a38f9242db9

SHA512
89795ee32af6e99ee3a3a97a302b7341a6efe0cc0a0539de902e9246e28fe2ad95f35277d64e0ea0fe6097600a02a1a673375bdc2607cc772c91025e5e5eb375

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
093eb1af2f835fcae1936d2f27cc552d

SHA1
9294e5f6ceebf48e8cc54ca0c6b096d6ee030132

SHA256
aae7f0add6b6b2b5edc0068b0da75f8fc6eda6482bfd1171f367945c67b92f46

SHA512
dbddf588abb5cb1252e5e85d0fbd8462cc165de2544959b05a832d9709708c7b52738b6bc7ce4abd58014651fee6bcca9916ee16915a235fe8884ab14b1a22c7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
1deacabc598501dd4e6fa16991cf1e74

SHA1
bce3173f6cd8fd84e7f798f734a11585f4f88cbb

SHA256
103a568bdb10519cd8d79779496c9bfca70a11207d1a43a959fb3b12580c16a0

SHA512
2548e5298dca4bf406d9b90902fa00aefee374f61d7e893744ba9d0b221aab87be263507b2f5af11ff87e80ce89dd021e754a9d37d902b16150f91cb92f56e0a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
a95128407cf30a722bdb97a20c83d2f4

SHA1
ec2564736506aa10f6e5376dc9fc4a59f4f6becd

SHA256
4004ef35cdcd995cf0dc4fa17317ef76ae9ea66884ea2db0d974a5e36e56f04e

SHA512
a2ae4a246f973c60f3d6f4357dfc38053a98ddd277d31980d2fa91af69005d8efa4d0891111e93414991c36be95686afed47b6557f99c7fd41f5df4da247aae6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
a5c3242d44b3b387691117b489e41c35

SHA1
08a17040fe9d0666432e8610b46f81a2885cccbd

SHA256
db74e4f4f6fe85fb0298fc02221b91d3d8b1ba43fac46a16f22fa8b91524d8c2

SHA512
0ebc4bd0285ada69a0b17c4a0fa2a58b5181a1222242777c57d819c2c78774c5d8bbe0f7a2b56ddb3cd43a4754922fbf768a713b21c63e331152d3813a800f48

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
977f9ebcc6b58f2fbaf72fad8e9ea66e

SHA1
6420cf44f438bc380c0d1c958f1d01dfc4007705

SHA256
7b519cfba092f484db805cc4602839c94a74d1eb2f1679f5a662bcc6f33af893

SHA512
8cda6276979d69766ad30f4c836eb00f726bd46f940c7c25a09c9ae1409f35b83802a13002d4100d7c7bd08d4ad6fbdde41cb5e53989dbb2149020b88e1e15b1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
f027250a1528fbbca05fcfb996e9caae

SHA1
54c319eeb84072c9dacb6151f980f7f22a91977e

SHA256
7fb7d4324f0d22569f52db749f176692fd77421d97384895dd09d715399068b3

SHA512
c10bca083fee82aa7aa6fd54a1599199dbf93b4f0a7e04eca6dcacfc948c09451da3b6d01698ec314602358499caa467059de7da6893c5e71b17b596108f4422

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
bab97ff4f9721593b7f9e5dd06f2a625

SHA1
369898718d6624c511df1baef103d2876e54200e

SHA256
5ad2a39043a40253d1b3deb2ad7bb09e07dbf1186d91c0c4363fc38b636b019b

SHA512
b7f7a5d06307a37511ba6467ac6b6aeb69aedf5d922c795f906db186998cdfbdd75e9a3e006bdb60ea0536d7680c148abdb3d8dbc237cd264fd554ad2699b3e0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
ee6dc7a3c98d288382234c5faa724c30

SHA1
26422842f579561808d6d08ef2158b390a9c9c95

SHA256
80bb0bd2adc1a5643d1c1a8896ecfaf1a5aedeacd3c4b883fe0c89fc16c4b5a7

SHA512
813eff5e3bd32ea125a562612a6f0e3d4f42a437018eaf57db81a8ef0e3dcd12cdfec6e5f012b63a171176baafba17407b815a2c005e667f606a0cd3c4ea54af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
843ce1f335948c5490b5230510dc8cf4

SHA1
ec70606f5b4b49bed496c7fad74198df7bacc37f

SHA256
a9016943736a42580695af7f5cf5a0e47713cce906c3b7b6f54458b4779a3066

SHA512
71ab49f5dade460eea2d0fd52d62d8841d3175c32b1c2b51959c59671e6c0a0582adf465225f23fd983ac8949ee37f39384f75d0d663a8515443d1194200218a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
c62c106af2d2ab5df0f380ec342dd44f

SHA1
f7e5952324f2029238336c9278042f31e036edf0

SHA256
febe4a0c5d9c9f024a4d3ff96e0693eee8c3c17ef3108207fbbcb5effcfa863e

SHA512
e4aa8e4cd7c94a883a2076cceae6ba4f7dd423868808d2c9d2bb4893c357dbbfb0b1ae28a7c4add7859b6b08b8c2eb1da182f93e95af1d3de341a952499d3028

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
454c66196b27d76b30e89e3e87fad8d0

SHA1
8ea2db77411f62e3c4188f0f96de2dcab34d65e5

SHA256
12499d40589823ed5621d4be29d839d890ec57c47e4340ed5d299df08b5af81b

SHA512
516dc6043e6ed3ae07d1852c3e6527762ea168ec4852d69aca2acdf7d275186c3c7ea7af59849b5bd85ba6e8068d1aaca77f081489203e770eb3642b5bd44ec5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
052173cc87a1092098e50c33c7fdac4d

SHA1
19115c51551c73575482f74691ed563b1eb90b9c

SHA256
9722823c80d189fcf4682af36458c48194558e79d088e09b487e8913edb8ea4f

SHA512
c88c8e6bf27489834df6831381587840c8da576b506dc2d0d4bbbd228650db8f7694c13cb27f153c2860d215360ef1c4548d6021b1d99da7c6014bc79b9670bd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
3609ddf3361108cf189f4db99ec89c68

SHA1
07c533f560bf629e9bb0ca227990eae7e42b1060

SHA256
d6a10785ce479680feaf60bdae195c33ba7d45d32e84fb3f7e5966c677878e12

SHA512
0e5795db0d486f3b37892b69490973297ea80a3a0da1be8e8fb8ca66c3190a973518dd17fc438e40751a6b48e22340a065c2e8d5bda03e44cc4d5852199c43ef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
00e222c048958fa603072ae6beddba8b

SHA1
6923c346794846e45d3f01046e337312af97329c

SHA256
eaaadde59a31323f0161080ee57ad011ce5674ef738537b812cb158c641cfb9c

SHA512
5d57ad9340fef0d179e6765fa0012ca9ba97cb4e28621d6271e4d37d6cd5118e061a5676419dea50fe94b86325b76e0a6cf6a6c4f7346213539c67f6c58f7e58

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
d123e4e1bd71fda92716430cab29ed17

SHA1
c7045814ff91a59cdc77d4c918d6182b1ef2f849

SHA256
4730c45f0bd7e5ed6a120a0e587d62bc21cf465c95ff8e30c5b678b9b590334b

SHA512
3aac0261b5d35f2446a91e4dc2cd2a7336b1119b6695d088ff3c7b95f3e47b5f0d43f8ba373dad8ac89e8be63fdb99ba4031bb4131abe7d10135901f9e4d9cbe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
68b61bd7522e579f418f67b7c6c19d87

SHA1
4a082e46c8b33a9c58cc4d9e7112aebcfedeaa3c

SHA256
4eccdc33b4a535ec0b370b0e565d3219346c5f3cf2eb0e2c0025fbfe9cfd7621

SHA512
6d505592acd48467bcfebfe58c497fdd70d655fbd96009044cc239ee827d13b71e39cd03cb49d1d11928877bdc09ce6f26a9e200f07dc386b24c7d781767a290

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ak5k3a0h.afz.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Windows\ServiceProfiles\NetworkService\AppData\Local\PeerDistPub\PeerDistPubCatalog.jfm

Filesize
16KB

MD5
fb26ec5d1c0f67255fa950f42df6035e

SHA1
c1fc05d8ae10e84e329a71e1f612f2f88a349886

SHA256
ca12a6378cc7726c452222a2df8ea09de64db7b7b26cc791d82c650771c2aaee

SHA512
7b058be2c72c460ac171dd73108d9d36c01ac187972ec06091fea69858a76142c143e79279ed9d14460b4332f713cf88cf3d3b2dbb5ddd992dd6fdf7975ec7fc

Download Submit
C:\Windows\ServiceProfiles\NetworkService\AppData\Local\PeerDistPub\PeerDistPubCatalog.pds

Filesize
8.0MB

MD5
c513cfc30b56bbc7fd613dd376e17bfb

SHA1
34bcd3dec6baac19de054c9a72376f7016e49480

SHA256
16589f40678e9792eb450985fcf588b496fc66c0d845dea3922d2a380545e6b3

SHA512
cae842cfc24bb976fe103e81ce27e95668c4cc381e027037de369847c95e58f373124098b90e9e6bce198442f7d6627c7373ab4ee88ef99b949603832ce62aca

Download Submit
C:\Windows\ServiceProfiles\NetworkService\AppData\Local\PeerDistPub\edb.chk

Filesize
8KB

MD5
699707a584f4d5539d3dd2440904bc9c

SHA1
6ff119d8bfb08f484033fe077d4ccf6b475934d9

SHA256
506f81ef6772e1c3d9577c17999848028341c83706d1d66028dba5e538a08671

SHA512
39719f9e60e75b1c232f00f703b400f2350ed2df08a1ce8d28fbbd7c429707709dd4566e55d934c910137970dd9e20c1184e0cddd5a120e905b130ed7d97b4f6

Download Submit
C:\Windows\ServiceProfiles\NetworkService\AppData\Local\PeerDistPub\edb.log

Filesize
5.0MB

MD5
9d43bf42ef2f70d8f6fb61d6528a15f8

SHA1
86bf7472cd564302c5e1b004b2e7a2a738b217fc

SHA256
f5380330eba9c5713f80e9883dc9b25a0a0dfde387d5cf9c62fb92d003f182ec

SHA512
c7fbce7298d20ceadbf29f2861630205a374e39a4abaeb928065eaa5e66975d010b3f1c212f62d6b72580cda11c02fe795fd9eececd9f71fb083cf26ccdfc22e

Download Submit
C:\Windows\ServiceProfiles\NetworkService\AppData\Local\PeerDistRepub\PeerDistRepubStoreCatalog.jfm

Filesize
392KB

MD5
741c7e3e4d1e24874063628153658f54

SHA1
d67eadfc07f871502b9f0eb5e3843b7aa054c735

SHA256
0e427178f51221c90c5ac004c2511526fc7347bf5bc99ebbd1af01fcf9dce168

SHA512
b471fd4d3c3db046b75d9e3e6b7f24b709feddf2c708513c7c4439ed92259589b4e79620dfa4859b728f394ea8c87e7c2cfc145a5d713602f3b772b02f3a1694

Download Submit
C:\Windows\ServiceProfiles\NetworkService\AppData\Local\PeerDistRepub\PeerDistRepubStoreCatalog.pds

Filesize
8.0MB

MD5
2e815c93daceb010eba7def147ee9ba3

SHA1
5de517336edf21b1e87c3e98441777cca3bc71ab

SHA256
18d4e119709f46b6c3bf14f196df7a8df7363c9e7cddc1eb942c596eea11d30d

SHA512
0014970498c9e6bff634be5dc66fc8c0b9a7eb503514b7f5a87f0ffb858c31ccd19209b840e24fc9ca133cc615fb7fa088430e2a91f92852180626bf81d55ea0

Download Submit
C:\Windows\ServiceProfiles\NetworkService\AppData\Local\PeerDistRepub\Store\GUID.dat

Filesize
18B

MD5
195a9efeabd422a1a294f4bbb4e43a75

SHA1
1a3b235ce5630a40c9035b3405b1bae9ca156af5

SHA256
7a04cd6e2457999211b87a2e3861dc504dfe540d755d472cfdc708da412736d7

SHA512
eb8415d204960f6ab977336cbb2ea5b69e149d75751d0d5b0cbee0d7aeefb18894a2300acdd87f4909ffeda987c2151d31193c1d599660d15ee05d25638d95ea

Download Submit
C:\Windows\ServiceProfiles\NetworkService\AppData\Local\PeerDistRepub\edb.chk

Filesize
8KB

MD5
9e4f763dbfd85db37f64251de3b725ea

SHA1
85eb1d5c380c84044e66ea487eefca3c6d81565e

SHA256
70c0b982671e4dc0f4e8858af9b45398ea702721e288472d4a09ac59d3ba00af

SHA512
d6b105e17aae4ad14e0f5166d7e83da5e2cdfe6a9ae9133a180acfead493d2c54eced88e117a40652952403c5d65741033ca119c2841bee237ff0ed3670ea14e

Download Submit
C:\Windows\ServiceProfiles\NetworkService\AppData\Local\PeerDistRepub\edb.log

Filesize
5.0MB

MD5
a585baa14a2488de4b8f0beb85f98804

SHA1
9955f3d78e5765ec4d62623cfd4f45a7cd82092d

SHA256
fe3ab237cc95278ee131eba5257bf4af8292f38557e52da57f0a8009d46d54c6

SHA512
b3a36af75693a9a3d5d8afd08509dfdee08ed48d764fbd6d4f458e07bf8e36835757d59cc3f426d85f679cee352c2bcf51f510852ee985c43fd83aceaab95634

Download Submit
C:\Windows\ServiceProfiles\NetworkService\AppData\Local\PeerDistRepub\edbtmp.log

Filesize
5.0MB

MD5
5f363e0e58a95f06cbe9bbc662c5dfb6

SHA1
2e95d7582c53583fa8afb54e0fe7a2597c92cbba

SHA256
c036cbb7553a909f8b8877d4461924307f27ecb66cff928eeeafd569c3887e29

SHA512
f1e554807f6e927530f7461e2ed5e8e3509c0245e082b2db5c88763a3764d1278b88d0d220f8b7050a71b2677e463fb7a3ad1d5b0fe6588c6ff18fddf977864c

Download Submit
memory/356-5-0x00000217643B0000-0x00000217643D2000-memory.dmp

Filesize
136KB

Download
memory/3776-663-0x000001E16CBA0000-0x000001E16CBC4000-memory.dmp

Filesize
144KB

Download
memory/3776-662-0x000001E16CBA0000-0x000001E16CBCA000-memory.dmp

Filesize
168KB

Download
memory/4668-638-0x00000166FEB10000-0x00000166FEB11000-memory.dmp

Filesize
4KB

Download
memory/4668-585-0x00000166FBC20000-0x00000166FBC30000-memory.dmp

Filesize
64KB

Download
memory/4668-623-0x0000016684730000-0x0000016684731000-memory.dmp

Filesize
4KB

Download
memory/4668-627-0x00000166FBF50000-0x00000166FBF51000-memory.dmp

Filesize
4KB

Download
memory/4668-605-0x00000166FE6A0000-0x00000166FE6A8000-memory.dmp

Filesize
32KB

Download
memory/4668-634-0x0000016684510000-0x0000016684511000-memory.dmp

Filesize
4KB

Download
memory/4668-631-0x00000166845B0000-0x00000166845B8000-memory.dmp

Filesize
32KB

Download
memory/4668-619-0x00000166846C0000-0x00000166846C8000-memory.dmp

Filesize
32KB

Download
memory/4668-618-0x00000166846A0000-0x00000166846A8000-memory.dmp

Filesize
32KB

Download
memory/4668-617-0x00000166846A0000-0x00000166846A8000-memory.dmp

Filesize
32KB

Download
memory/4668-606-0x00000166FE6A0000-0x00000166FE6A8000-memory.dmp

Filesize
32KB

Download
memory/4668-604-0x00000166FE550000-0x00000166FE558000-memory.dmp

Filesize
32KB

Download
memory/4668-602-0x00000166FE550000-0x00000166FE558000-memory.dmp

Filesize
32KB

Download
memory/4668-600-0x00000166FBF70000-0x00000166FBF71000-memory.dmp

Filesize
4KB

Download
memory/4668-616-0x00000166845B0000-0x00000166845B8000-memory.dmp

Filesize
32KB

Download
memory/4668-614-0x00000166845B0000-0x00000166845B8000-memory.dmp

Filesize
32KB

Download
memory/4668-591-0x00000166FBE50000-0x00000166FBE60000-memory.dmp

Filesize
64KB

Download
memory/4668-612-0x0000016684510000-0x0000016684511000-memory.dmp

Filesize
4KB

Download
memory/4668-607-0x00000166FE6D0000-0x00000166FE6D8000-memory.dmp

Filesize
32KB

Download
memory/4668-620-0x0000016684730000-0x0000016684738000-memory.dmp

Filesize
32KB

Download
memory/5096-1266-0x0000012667FD0000-0x0000012667FD8000-memory.dmp

Filesize
32KB

Download
memory/5096-1254-0x0000012667D00000-0x0000012667D08000-memory.dmp

Filesize
32KB

Download
memory/5096-1267-0x0000012669970000-0x0000012669978000-memory.dmp

Filesize
32KB

Download
memory/5096-1268-0x0000012669970000-0x0000012669978000-memory.dmp

Filesize
32KB

Download
memory/5096-1256-0x0000012667E50000-0x0000012667E58000-memory.dmp

Filesize
32KB

Download
memory/5096-1257-0x0000012667E80000-0x0000012667E88000-memory.dmp

Filesize
32KB

Download
memory/5096-1262-0x0000012667F90000-0x0000012667F91000-memory.dmp

Filesize
4KB

Download
memory/5096-1264-0x0000012667FD0000-0x0000012667FD8000-memory.dmp

Filesize
32KB

Download
memory/5096-1288-0x0000012667F80000-0x0000012667F81000-memory.dmp

Filesize
4KB

Download
memory/5096-1252-0x0000012667D00000-0x0000012667D08000-memory.dmp

Filesize
32KB

Download
memory/5096-1255-0x0000012667E50000-0x0000012667E58000-memory.dmp

Filesize
32KB

Download
memory/5096-1269-0x0000012669990000-0x0000012669998000-memory.dmp

Filesize
32KB

Download
memory/5096-1270-0x000001265DFE0000-0x000001265DFE8000-memory.dmp

Filesize
32KB

Download
memory/5096-1273-0x000001265DFE0000-0x000001265DFE1000-memory.dmp

Filesize
4KB

Download
memory/5096-1277-0x0000012662700000-0x0000012662701000-memory.dmp

Filesize
4KB

Download
memory/5096-1281-0x000001265DFE0000-0x000001265DFE8000-memory.dmp

Filesize
32KB

Download
memory/5096-1284-0x000001265DFE0000-0x000001265DFE1000-memory.dmp

Filesize
4KB

Download
memory/5096-1250-0x0000012662720000-0x0000012662721000-memory.dmp

Filesize
4KB

Download