16ed4d228a5113fce098e69d4471b0e5829797882ac3bb5b19c61277fda25b02

Analysis

max time kernel
92s
max time network
189s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
20-09-2024 20:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

main.bat
Size

72KB
MD5

9f14d8dad3856dfa4e9de47c35384059
SHA1

df9fc4c4ef86d9652495b80f8b78043692cd41db
SHA256

16ed4d228a5113fce098e69d4471b0e5829797882ac3bb5b19c61277fda25b02
SHA512

b2fb7562cc0819fe2bd0c4fbe16d10b44f112a11b7a0a7f097f4f0d61c5c1770b2ddb2ffa08fdc5b14a7603c0e2f10fa2dd445b7e23eeb55a98d8bd535f53d4d
SSDEEP

768:IposY9qsaIZz+QK7ruEDHs2guEDHsaOmh82mnUjQxOn1TS6QeQg+mispepU:ICsYOBm9mnUk01SeQg+miU

Score

10^/10

evasion execution persistence ransomware

Malware Config

Signatures

Disables service(s) 3 TTPs
evasion execution

Windows Service
T1543.003

Service Stop
T1489

Service Execution
T1569.002

Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs

ransomware evasion

Inhibit System Recovery

T1490

pid	Process
4544	bcdedit.exe
1392	bcdedit.exe

Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Power Settings 1 TTPs 29 IoCs

powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.

persistence

Power Settings

T1653

pid	Process
1396	powercfg.exe
2728	powercfg.exe
4916	powercfg.exe
3264	powercfg.exe
4764	powercfg.exe
2956	powercfg.exe
760	powercfg.exe
1236	powercfg.exe
3268	powercfg.exe
3652	powercfg.exe
1040	powercfg.exe
2852	powercfg.exe
2896	powercfg.exe
620	powercfg.exe
2748	powercfg.exe
1772	powercfg.exe
1660	powercfg.exe
2880	powercfg.exe
448	powercfg.exe
3036	powercfg.exe
4924	powercfg.exe
4960	powercfg.exe
5036	powercfg.exe
4480	powercfg.exe
3964	powercfg.exe
3608	powercfg.exe
4688	powercfg.exe
4832	powercfg.exe
1840	powercfg.exe

Launches sc.exe 10 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
264	sc.exe
2856	sc.exe
772	sc.exe
1524	sc.exe
4664	sc.exe
2432	sc.exe
556	sc.exe
2900	sc.exe
4380	sc.exe
3320	sc.exe

Delays execution with timeout.exe 22 IoCs

evasion

pid	Process
4480	timeout.exe
980	timeout.exe
3932	timeout.exe
492	timeout.exe
2908	timeout.exe
4516	timeout.exe
2728	timeout.exe
2256	timeout.exe
4984	timeout.exe
1420	timeout.exe
1628	timeout.exe
4400	timeout.exe
3016	timeout.exe
3992	timeout.exe
4356	timeout.exe
760	timeout.exe
3264	timeout.exe
4128	timeout.exe
4704	timeout.exe
1908	timeout.exe
2156	timeout.exe
4168	timeout.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
1208	reg.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4916	powercfg.exe
Token: SeCreatePagefilePrivilege	4916	powercfg.exe
Token: SeShutdownPrivilege	760	powercfg.exe
Token: SeCreatePagefilePrivilege	760	powercfg.exe
Token: SeShutdownPrivilege	448	powercfg.exe
Token: SeCreatePagefilePrivilege	448	powercfg.exe
Token: SeShutdownPrivilege	2896	powercfg.exe
Token: SeCreatePagefilePrivilege	2896	powercfg.exe
Token: SeShutdownPrivilege	1236	powercfg.exe
Token: SeCreatePagefilePrivilege	1236	powercfg.exe
Token: SeShutdownPrivilege	3268	powercfg.exe
Token: SeCreatePagefilePrivilege	3268	powercfg.exe
Token: SeShutdownPrivilege	3036	powercfg.exe
Token: SeCreatePagefilePrivilege	3036	powercfg.exe
Token: SeShutdownPrivilege	620	powercfg.exe
Token: SeCreatePagefilePrivilege	620	powercfg.exe
Token: SeShutdownPrivilege	2748	powercfg.exe
Token: SeCreatePagefilePrivilege	2748	powercfg.exe
Token: SeShutdownPrivilege	3652	powercfg.exe
Token: SeCreatePagefilePrivilege	3652	powercfg.exe
Token: SeShutdownPrivilege	3264	powercfg.exe
Token: SeCreatePagefilePrivilege	3264	powercfg.exe
Token: SeShutdownPrivilege	1772	powercfg.exe
Token: SeCreatePagefilePrivilege	1772	powercfg.exe
Token: SeShutdownPrivilege	4764	powercfg.exe
Token: SeCreatePagefilePrivilege	4764	powercfg.exe
Token: SeShutdownPrivilege	4924	powercfg.exe
Token: SeCreatePagefilePrivilege	4924	powercfg.exe
Token: SeShutdownPrivilege	4832	powercfg.exe
Token: SeCreatePagefilePrivilege	4832	powercfg.exe
Token: SeShutdownPrivilege	4960	powercfg.exe
Token: SeCreatePagefilePrivilege	4960	powercfg.exe
Token: SeShutdownPrivilege	1396	powercfg.exe
Token: SeCreatePagefilePrivilege	1396	powercfg.exe
Token: SeShutdownPrivilege	1660	powercfg.exe
Token: SeCreatePagefilePrivilege	1660	powercfg.exe
Token: SeShutdownPrivilege	5036	powercfg.exe
Token: SeCreatePagefilePrivilege	5036	powercfg.exe
Token: SeShutdownPrivilege	2956	powercfg.exe
Token: SeCreatePagefilePrivilege	2956	powercfg.exe
Token: SeShutdownPrivilege	1040	powercfg.exe
Token: SeCreatePagefilePrivilege	1040	powercfg.exe
Token: SeShutdownPrivilege	2728	powercfg.exe
Token: SeCreatePagefilePrivilege	2728	powercfg.exe
Token: SeShutdownPrivilege	4480	powercfg.exe
Token: SeCreatePagefilePrivilege	4480	powercfg.exe
Token: SeShutdownPrivilege	3964	powercfg.exe
Token: SeCreatePagefilePrivilege	3964	powercfg.exe
Token: SeShutdownPrivilege	3608	powercfg.exe
Token: SeCreatePagefilePrivilege	3608	powercfg.exe
Token: SeShutdownPrivilege	2852	powercfg.exe
Token: SeCreatePagefilePrivilege	2852	powercfg.exe
Token: SeShutdownPrivilege	4688	powercfg.exe
Token: SeCreatePagefilePrivilege	4688	powercfg.exe
Token: SeShutdownPrivilege	1840	powercfg.exe
Token: SeCreatePagefilePrivilege	1840	powercfg.exe
Token: SeShutdownPrivilege	2880	powercfg.exe
Token: SeCreatePagefilePrivilege	2880	powercfg.exe
Token: SeIncreaseQuotaPrivilege	4640	WMIC.exe
Token: SeSecurityPrivilege	4640	WMIC.exe
Token: SeTakeOwnershipPrivilege	4640	WMIC.exe
Token: SeLoadDriverPrivilege	4640	WMIC.exe
Token: SeSystemProfilePrivilege	4640	WMIC.exe
Token: SeSystemtimePrivilege	4640	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4724 wrote to memory of 1140	4724	cmd.exe	85
PID 4724 wrote to memory of 1140	4724	cmd.exe	85
PID 4724 wrote to memory of 4296	4724	cmd.exe	86
PID 4724 wrote to memory of 4296	4724	cmd.exe	86
PID 4724 wrote to memory of 3280	4724	cmd.exe	91
PID 4724 wrote to memory of 3280	4724	cmd.exe	91
PID 4724 wrote to memory of 4048	4724	cmd.exe	92
PID 4724 wrote to memory of 4048	4724	cmd.exe	92
PID 4724 wrote to memory of 4168	4724	cmd.exe	93
PID 4724 wrote to memory of 4168	4724	cmd.exe	93
PID 4724 wrote to memory of 2096	4724	cmd.exe	94
PID 4724 wrote to memory of 2096	4724	cmd.exe	94
PID 4724 wrote to memory of 2000	4724	cmd.exe	95
PID 4724 wrote to memory of 2000	4724	cmd.exe	95
PID 4724 wrote to memory of 3076	4724	cmd.exe	96
PID 4724 wrote to memory of 3076	4724	cmd.exe	96
PID 4724 wrote to memory of 1208	4724	cmd.exe	97
PID 4724 wrote to memory of 1208	4724	cmd.exe	97
PID 4724 wrote to memory of 4916	4724	cmd.exe	98
PID 4724 wrote to memory of 4916	4724	cmd.exe	98
PID 4724 wrote to memory of 760	4724	cmd.exe	99
PID 4724 wrote to memory of 760	4724	cmd.exe	99
PID 4724 wrote to memory of 4544	4724	cmd.exe	100
PID 4724 wrote to memory of 4544	4724	cmd.exe	100
PID 4724 wrote to memory of 1392	4724	cmd.exe	101
PID 4724 wrote to memory of 1392	4724	cmd.exe	101
PID 4724 wrote to memory of 3912	4724	cmd.exe	102
PID 4724 wrote to memory of 3912	4724	cmd.exe	102
PID 4724 wrote to memory of 1716	4724	cmd.exe	103
PID 4724 wrote to memory of 1716	4724	cmd.exe	103
PID 4724 wrote to memory of 4884	4724	cmd.exe	104
PID 4724 wrote to memory of 4884	4724	cmd.exe	104
PID 4724 wrote to memory of 448	4724	cmd.exe	105
PID 4724 wrote to memory of 448	4724	cmd.exe	105
PID 4724 wrote to memory of 2896	4724	cmd.exe	106
PID 4724 wrote to memory of 2896	4724	cmd.exe	106
PID 4724 wrote to memory of 1236	4724	cmd.exe	107
PID 4724 wrote to memory of 1236	4724	cmd.exe	107
PID 4724 wrote to memory of 3268	4724	cmd.exe	108
PID 4724 wrote to memory of 3268	4724	cmd.exe	108
PID 4724 wrote to memory of 3036	4724	cmd.exe	109
PID 4724 wrote to memory of 3036	4724	cmd.exe	109
PID 4724 wrote to memory of 620	4724	cmd.exe	110
PID 4724 wrote to memory of 620	4724	cmd.exe	110
PID 4724 wrote to memory of 2748	4724	cmd.exe	111
PID 4724 wrote to memory of 2748	4724	cmd.exe	111
PID 4724 wrote to memory of 3652	4724	cmd.exe	112
PID 4724 wrote to memory of 3652	4724	cmd.exe	112
PID 4724 wrote to memory of 4128	4724	cmd.exe	113
PID 4724 wrote to memory of 4128	4724	cmd.exe	113
PID 4724 wrote to memory of 3264	4724	cmd.exe	114
PID 4724 wrote to memory of 3264	4724	cmd.exe	114
PID 4724 wrote to memory of 1772	4724	cmd.exe	115
PID 4724 wrote to memory of 1772	4724	cmd.exe	115
PID 4724 wrote to memory of 4764	4724	cmd.exe	116
PID 4724 wrote to memory of 4764	4724	cmd.exe	116
PID 4724 wrote to memory of 1892	4724	cmd.exe	117
PID 4724 wrote to memory of 1892	4724	cmd.exe	117
PID 4724 wrote to memory of 4924	4724	cmd.exe	118
PID 4724 wrote to memory of 4924	4724	cmd.exe	118
PID 4724 wrote to memory of 4832	4724	cmd.exe	119
PID 4724 wrote to memory of 4832	4724	cmd.exe	119
PID 4724 wrote to memory of 4960	4724	cmd.exe	120
PID 4724 wrote to memory of 4960	4724	cmd.exe	120

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\main.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:4724
- C:\Windows\system32\chcp.com
  chcp 65001
  2⤵
  PID:1140
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "prompt $H &echo on &for %B in (1) do rem"
  2⤵
  PID:4296
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\ControlSet001\Control\Power\PowerSettings\54533251-82be-4824-96c1-47b60b740d00\0cc5b647-c1df-4637-891a-dec35c318583" /v "ValueMax" /t REG_DWORD /d "0" /f
  2⤵
  PID:3280
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\ControlSet001\Control\Power\PowerSettings\54533251-82be-4824-96c1-47b60b740d00\0cc5b647-c1df-4637-891a-dec35c318583" /v "ValueMin" /t REG_DWORD /d "0" /f
  2⤵
  PID:4048
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\ControlSet002\Control\Power\PowerSettings\54533251-82be-4824-96c1-47b60b740d00\0cc5b647-c1df-4637-891a-dec35c318583" /v "ValueMax" /t REG_DWORD /d "0" /f
  2⤵
  PID:4168
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\ControlSet002\Control\Power\PowerSettings\54533251-82be-4824-96c1-47b60b740d00\0cc5b647-c1df-4637-891a-dec35c318583" /v "ValueMin" /t REG_DWORD /d "0" /f
  2⤵
  PID:2096
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power\PowerSettings\54533251-82be-4824-96c1-47b60b740d00\0cc5b647-c1df-4637-891a-dec35c318583" /v "ValueMax" /t REG_DWORD /d "0" /f
  2⤵
  PID:2000
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power\PowerSettings\54533251-82be-4824-96c1-47b60b740d00\0cc5b647-c1df-4637-891a-dec35c318583" /v "ValueMin" /t REG_DWORD /d "0" /f
  2⤵
  PID:3076
- C:\Windows\system32\reg.exe
  Reg.exe add HKLM\SYSTEM\CurrentControlSet\Control\Power /v CoreParkingDisabled /t REG_DWORD /d 0 /f
  2⤵
  - Modifies registry key
  PID:1208
- C:\Windows\system32\powercfg.exe
  powercfg -setacvalueindex scheme_current sub_processor CPMINCORES 100
  2⤵
  - Power Settings
  - Suspicious use of AdjustPrivilegeToken
  PID:4916
- C:\Windows\system32\powercfg.exe
  powercfg /setactive SCHEME_CURRENT
  2⤵
  - Power Settings
  - Suspicious use of AdjustPrivilegeToken
  PID:760
- C:\Windows\system32\bcdedit.exe
  bcdedit /set allowedinmemorysettings 0x0
  2⤵
  - Modifies boot configuration data using bcdedit
  PID:4544
- C:\Windows\system32\bcdedit.exe
  bcdedit /set isolatedcontext No
  2⤵
  - Modifies boot configuration data using bcdedit
  PID:1392
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\kernel" /v "DistributeTimers" /t REG_DWORD /d "1" /f
  2⤵
  PID:3912
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\kernel" /v "DisableTsx" /t REG_DWORD /d "0" /f
  2⤵
  PID:1716
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "EventProcessorEnabled" /t REG_DWORD /d "0" /f
  2⤵
  PID:4884
- C:\Windows\system32\powercfg.exe
  powercfg -setacvalueindex scheme_current SUB_SLEEP AWAYMODE 0
  2⤵
  - Power Settings
  - Suspicious use of AdjustPrivilegeToken
  PID:448
- C:\Windows\system32\powercfg.exe
  powercfg /setactive SCHEME_CURRENT
  2⤵
  - Power Settings
  - Suspicious use of AdjustPrivilegeToken
  PID:2896
- C:\Windows\system32\powercfg.exe
  powercfg -setacvalueindex scheme_current SUB_SLEEP ALLOWSTANDBY 0
  2⤵
  - Power Settings
  - Suspicious use of AdjustPrivilegeToken
  PID:1236
- C:\Windows\system32\powercfg.exe
  powercfg /setactive SCHEME_CURRENT
  2⤵
  - Power Settings
  - Suspicious use of AdjustPrivilegeToken
  PID:3268
- C:\Windows\system32\powercfg.exe
  powercfg -setacvalueindex scheme_current SUB_SLEEP HYBRIDSLEEP 0
  2⤵
  - Power Settings
  - Suspicious use of AdjustPrivilegeToken
  PID:3036
- C:\Windows\system32\powercfg.exe
  powercfg /setactive SCHEME_CURRENT
  2⤵
  - Power Settings
  - Suspicious use of AdjustPrivilegeToken
  PID:620
- C:\Windows\system32\powercfg.exe
  powercfg -setacvalueindex scheme_current sub_processor PROCTHROTTLEMIN 100
  2⤵
  - Power Settings
  - Suspicious use of AdjustPrivilegeToken
  PID:2748
- C:\Windows\system32\powercfg.exe
  powercfg /setactive SCHEME_CURRENT
  2⤵
  - Power Settings
  - Suspicious use of AdjustPrivilegeToken
  PID:3652
- C:\Windows\system32\timeout.exe
  timeout /t 1 /nobreak
  2⤵
  - Delays execution with timeout.exe
  PID:4128
- C:\Windows\system32\powercfg.exe
  powercfg -setacvalueindex scheme_current sub_processor IDLESCALING 1
  2⤵
  - Power Settings
  - Suspicious use of AdjustPrivilegeToken
  PID:3264
- C:\Windows\system32\powercfg.exe
  powercfg /setactive SCHEME_CURRENT
  2⤵
  - Power Settings
  - Suspicious use of AdjustPrivilegeToken
  PID:1772
- C:\Windows\system32\powercfg.exe
  powercfg -setacvalueindex scheme_current sub_processor THROTTLING 0
  2⤵
  - Power Settings
  - Suspicious use of AdjustPrivilegeToken
  PID:4764
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power\PowerSettings\54533251-82be-4824-96c1-47b60b740d00\0cc5b647-c1df-4637-891a-dec35c318583" /v "ValueMin" /t REG_DWORD /d "0" /f
  2⤵
  PID:1892
- C:\Windows\system32\powercfg.exe
  powercfg /setACvalueindex scheme_current SUB_PROCESSOR SYSCOOLPOL 1
  2⤵
  - Power Settings
  - Suspicious use of AdjustPrivilegeToken
  PID:4924
- C:\Windows\system32\powercfg.exe
  powercfg /setDCvalueindex scheme_current SUB_PROCESSOR SYSCOOLPOL 1
  2⤵
  - Power Settings
  - Suspicious use of AdjustPrivilegeToken
  PID:4832
- C:\Windows\system32\powercfg.exe
  powercfg /setactive SCHEME_CURRENT
  2⤵
  - Power Settings
  - Suspicious use of AdjustPrivilegeToken
  PID:4960
- C:\Windows\system32\powercfg.exe
  powercfg -setacvalueindex scheme_current sub_processor PROCTHROTTLEMAX 100
  2⤵
  - Power Settings
  - Suspicious use of AdjustPrivilegeToken
  PID:1396
- C:\Windows\system32\powercfg.exe
  powercfg -setdcvalueindex scheme_current sub_processor PROCTHROTTLEMAX 100
  2⤵
  - Power Settings
  - Suspicious use of AdjustPrivilegeToken
  PID:1660
- C:\Windows\system32\powercfg.exe
  powercfg -setacvalueindex scheme_current sub_processor PROCTHROTTLEMIN 100
  2⤵
  - Power Settings
  - Suspicious use of AdjustPrivilegeToken
  PID:5036
- C:\Windows\system32\powercfg.exe
  powercfg -setdcvalueindex scheme_current sub_processor PROCTHROTTLEMIN 100
  2⤵
  - Power Settings
  - Suspicious use of AdjustPrivilegeToken
  PID:2956
- C:\Windows\system32\powercfg.exe
  powercfg -setactive scheme_current
  2⤵
  - Power Settings
  - Suspicious use of AdjustPrivilegeToken
  PID:1040
- C:\Windows\system32\powercfg.exe
  powercfg -setacvalueindex scheme_current sub_processor CPMAXCORES 100
  2⤵
  - Power Settings
  - Suspicious use of AdjustPrivilegeToken
  PID:2728
- C:\Windows\system32\powercfg.exe
  powercfg -setdcvalueindex scheme_current sub_processor CPMAXCORES 100
  2⤵
  - Power Settings
  - Suspicious use of AdjustPrivilegeToken
  PID:4480
- C:\Windows\system32\powercfg.exe
  powercfg -setacvalueindex scheme_current sub_processor CPMINCORES 100
  2⤵
  - Power Settings
  - Suspicious use of AdjustPrivilegeToken
  PID:3964
- C:\Windows\system32\powercfg.exe
  powercfg -setdcvalueindex scheme_current sub_processor CPMINCORES 100
  2⤵
  - Power Settings
  - Suspicious use of AdjustPrivilegeToken
  PID:3608
- C:\Windows\system32\powercfg.exe
  powercfg -setactive scheme_current
  2⤵
  - Power Settings
  - Suspicious use of AdjustPrivilegeToken
  PID:2852
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power\PowerSettings\54533251-82be-4824-96c1-47b60b740d00\be337238-0d82-4146-a960-4f3749d470c7" /v "Attributes" /t REG_DWORD /d 2 /f
  2⤵
  PID:4536
- C:\Windows\system32\powercfg.exe
  powercfg -setacvalueindex scheme_current sub_processor PERFBOOSTMODE 0
  2⤵
  - Power Settings
  - Suspicious use of AdjustPrivilegeToken
  PID:4688
- C:\Windows\system32\powercfg.exe
  powercfg -setdcvalueindex scheme_current sub_processor PERFBOOSTMODE 0
  2⤵
  - Power Settings
  - Suspicious use of AdjustPrivilegeToken
  PID:1840
- C:\Windows\system32\powercfg.exe
  powercfg -setactive scheme_current
  2⤵
  - Power Settings
  - Suspicious use of AdjustPrivilegeToken
  PID:2880
- C:\Windows\system32\reg.exe
  Reg.exe add "HKCU\Control Panel\Desktop" /v "MenuShowDelay" /t REG_SZ /d "0" /f
  2⤵
  PID:400
- C:\Windows\system32\reg.exe
  Reg.exe add "HKCU\Control Panel\Mouse" /v "MouseHoverTime" /t REG_SZ /d "0" /f
  2⤵
  PID:3176
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v "LargeSystemCache" /t REG_DWORD /d 1 /f
  2⤵
  PID:2292
- C:\Windows\system32\reg.exe
  Reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\VisualEffects" /v "VisualFXSetting" /t REG_DWORD /d 2 /f
  2⤵
  PID:4304
- C:\Windows\system32\sc.exe
  sc config "DiagTrack" start= disabled
  2⤵
  - Launches sc.exe
  PID:264
- C:\Windows\system32\sc.exe
  sc config "SysMain" start= disabled
  2⤵
  - Launches sc.exe
  PID:2856
- C:\Windows\system32\sc.exe
  sc config "WSearch" start= disabled
  2⤵
  - Launches sc.exe
  PID:772
- C:\Windows\system32\sc.exe
  sc config "Fax" start= disabled
  2⤵
  - Launches sc.exe
  PID:2432
- C:\Windows\system32\sc.exe
  sc config "TabletInputService" start= disabled
  2⤵
  - Launches sc.exe
  PID:556
- C:\Windows\system32\sc.exe
  sc stop "DiagTrack"
  2⤵
  - Launches sc.exe
  PID:4380
- C:\Windows\system32\sc.exe
  sc stop "SysMain"
  2⤵
  - Launches sc.exe
  PID:2900
- C:\Windows\system32\sc.exe
  sc stop "WSearch"
  2⤵
  - Launches sc.exe
  PID:1524
- C:\Windows\system32\sc.exe
  sc stop "Fax"
  2⤵
  - Launches sc.exe
  PID:3320
- C:\Windows\system32\sc.exe
  sc stop "TabletInputService"
  2⤵
  - Launches sc.exe
  PID:4664
- C:\Windows\system32\fsutil.exe
  fsutil behavior set DisableDeleteNotify 0
  2⤵
  PID:1084
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\FileSystem" /v "NtfsDisable8dot3NameCreation" /t REG_DWORD /d 1 /f
  2⤵
  PID:4800
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\FileSystem" /v "NtfsMemoryUsage" /t REG_DWORD /d 2 /f
  2⤵
  PID:5044
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v "ClearPageFileAtShutdown" /t REG_DWORD /d 1 /f
  2⤵
  PID:3308
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v "DisablePagingExecutive" /t REG_DWORD /d 1 /f
  2⤵
  PID:2312
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v "LargeSystemCache" /t REG_DWORD /d 1 /f
  2⤵
  PID:3716
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v "SecondLevelDataCache" /t REG_DWORD /d 512 /f
  2⤵
  PID:1516
- C:\Windows\system32\timeout.exe
  timeout /t 1 /nobreak
  2⤵
  - Delays execution with timeout.exe
  PID:4704
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "prompt $H &echo on &for %B in (1) do rem"
  2⤵
  PID:768
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic path win32_videocontroller get PNPDeviceID | findstr /L "VEN_"
  2⤵
  PID:5116
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic path win32_videocontroller get PNPDeviceID
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4640
- - C:\Windows\system32\findstr.exe
    findstr /L "VEN_"
    3⤵
    PID:4016
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Enum\PCI\VEN_1234&DEV_1111&SUBSYS_11001AF4&REV_02\3&11583659&0&08\Device Parameters\Interrupt Management\MessageSignaledInterruptProperties" /v "MSISupported" /t REG_DWORD /d "1" /f
  2⤵
  PID:2992
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Enum\PCI\VEN_1234&DEV_1111&SUBSYS_11001AF4&REV_02\3&11583659&0&08\Device Parameters\Interrupt Management\Affinity Policy" /v "DevicePriority" /t REG_DWORD /d "0" /f
  2⤵
  PID:3680
- C:\Windows\system32\timeout.exe
  timeout /t 1 /nobreak
  2⤵
  - Delays execution with timeout.exe
  PID:1420
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000" /v "3D_Refresh_Rate_Override_DEF" /t REG_DWORD /d "0" /f
  2⤵
  PID:4860
- C:\Windows\system32\timeout.exe
  timeout /t 1 /nobreak
  2⤵
  - Delays execution with timeout.exe
  PID:2156
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000" /v "AllowSnapshot" /t REG_DWORD /d "0" /f
  2⤵
  PID:4324
- C:\Windows\system32\timeout.exe
  timeout /t 1 /nobreak
  2⤵
  - Delays execution with timeout.exe
  PID:4400
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000" /v "AAF_NA" /t REG_DWORD /d "0" /f
  2⤵
  PID:1140
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000" /v "AntiAlias_NA" /t REG_SZ /d "0" /f
  2⤵
  PID:3484
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000" /v "ASTT_NA" /t REG_SZ /d "0" /f
  2⤵
  PID:1260
- C:\Windows\system32\timeout.exe
  timeout /t 1 /nobreak
  2⤵
  - Delays execution with timeout.exe
  PID:3016
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000" /v "AllowSubscription" /t REG_DWORD /d "0" /f
  2⤵
  PID:4104
- C:\Windows\system32\timeout.exe
  timeout /t 1 /nobreak
  2⤵
  - Delays execution with timeout.exe
  PID:3992
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000" /v "AreaAniso_NA" /t REG_SZ /d "0" /f
  2⤵
  PID:2844
- C:\Windows\system32\timeout.exe
  timeout /t 1 /nobreak
  2⤵
  - Delays execution with timeout.exe
  PID:1628
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000" /v "AllowRSOverlay" /t REG_SZ /d "false" /f
  2⤵
  PID:3816
- C:\Windows\system32\timeout.exe
  timeout /t 1 /nobreak
  2⤵
  - Delays execution with timeout.exe
  PID:4168
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000" /v "Adaptive De-interlacing" /t REG_DWORD /d "1" /f
  2⤵
  PID:2096
- C:\Windows\system32\timeout.exe
  timeout /t 1 /nobreak
  2⤵
  - Delays execution with timeout.exe
  PID:4356
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000" /v "AllowSkins" /t REG_SZ /d "false" /f
  2⤵
  PID:4916
- C:\Windows\system32\timeout.exe
  timeout /t 1 /nobreak
  2⤵
  - Delays execution with timeout.exe
  PID:760
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000" /v "AutoColorDepthReduction_NA" /t REG_DWORD /d "0" /f
  2⤵
  PID:1596
- C:\Windows\system32\timeout.exe
  timeout /t 1 /nobreak
  2⤵
  - Delays execution with timeout.exe
  PID:492
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000" /v "DisableSAMUPowerGating" /t REG_DWORD /d "1" /f
  2⤵
  PID:2692
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000" /v "DisableUVDPowerGatingDynamic" /t REG_DWORD /d "1" /f
  2⤵
  PID:4772
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000" /v "DisableVCEPowerGating" /t REG_DWORD /d "1" /f
  2⤵
  PID:1004
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000" /v "DisablePowerGating" /t REG_DWORD /d "1" /f
  2⤵
  PID:4564
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000" /v "DisableDrmdmaPowerGating" /t REG_DWORD /d "1" /f
  2⤵
  PID:3340
- C:\Windows\system32\timeout.exe
  timeout /t 1 /nobreak
  2⤵
  - Delays execution with timeout.exe
  PID:2908
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000" /v "EnableVceSwClockGating" /t REG_DWORD /d "1" /f
  2⤵
  PID:3652
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000" /v "EnableUvdClockGating" /t REG_DWORD /d "1" /f
  2⤵
  PID:4128
- C:\Windows\system32\timeout.exe
  timeout /t 1 /nobreak
  2⤵
  - Delays execution with timeout.exe
  PID:3264
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000" /v "EnableAspmL0s" /t REG_DWORD /d "0" /f
  2⤵
  PID:4972
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000" /v "EnableAspmL1" /t REG_DWORD /d "0" /f
  2⤵
  PID:2520
- C:\Windows\system32\timeout.exe
  timeout /t 1 /nobreak
  2⤵
  - Delays execution with timeout.exe
  PID:980
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000" /v "EnableUlps" /t REG_DWORD /d "0" /f
  2⤵
  PID:820
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000" /v "EnableUlps_NA" /t REG_SZ /d "0" /f
  2⤵
  PID:3596
- C:\Windows\system32\timeout.exe
  timeout /t 1 /nobreak
  2⤵
  - Delays execution with timeout.exe
  PID:3932
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000" /v "KMD_DeLagEnabled" /t REG_DWORD /d "1" /f
  2⤵
  PID:4988
- C:\Windows\system32\timeout.exe
  timeout /t 1 /nobreak
  2⤵
  - Delays execution with timeout.exe
  PID:4516
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000" /v "FrameRateTargetControl_NA" /t REG_DWORD /d "0" /f
  2⤵
  PID:1776
- C:\Windows\system32\timeout.exe
  timeout /t 1 /nobreak
  2⤵
  - Delays execution with timeout.exe
  PID:1908
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000" /v "PP_GpuPowerdownEnabled" /t REG_DWORD /d "0" /f
  2⤵
  PID:1060
- C:\Windows\system32\timeout.exe
  timeout /t 1 /nobreak
  2⤵
  - Delays execution with timeout.exe
  PID:2728
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\Atierecord" /v "Enablelog" /t REG_DWORD /d "0" /f
  2⤵
  PID:2192
- C:\Windows\system32\timeout.exe
  timeout /t 1 /nobreak
  2⤵
  - Delays execution with timeout.exe
  PID:4480
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\amdkmdag" /v "KMD_ShaderCacheLimit" /t REG_DWORD /d "2147483648" /f
  2⤵
  PID:1444
- C:\Windows\system32\timeout.exe
  timeout /t 1 /nobreak
  2⤵
  - Delays execution with timeout.exe
  PID:2256
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\amdkmdag" /v "FlipQueueSize" /t REG_DWORD /d "1" /f
  2⤵
  PID:4844
- C:\Windows\system32\timeout.exe
  timeout /t 1 /nobreak
  2⤵
  - Delays execution with timeout.exe
  PID:4984
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "prompt $H &echo on &for %B in (1) do rem"
  2⤵
  PID:1948