fb97d6ec1b1de59c4f02b55c8f95e756a13f9119f4bd08e77e832890ae529317

Analysis

max time kernel
102s
max time network
123s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
21/09/2024, 01:27

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

Koa_Paid_Tweak_Tool.bat
Size

87KB
MD5

2523b7ade7ef2ab0364cf7af2480780b
SHA1

f0a796bbe87cbedb2422f1a30ed679910b16eec8
SHA256

fb97d6ec1b1de59c4f02b55c8f95e756a13f9119f4bd08e77e832890ae529317
SHA512

3cef3cd7f42f3950ae5d683762747cbc8fbbeba37d8e761e2dffb6ac2469db992023407ed8dd62f2f4bcdc3be91c3de03b8af834a93e423651f1c3548cd9fe3a
SSDEEP

384:0jW4urpgB0TBp1uFuyIBmGlngbuPPqoeV9WIblw8WGDyLNZfKGDyLNZfU9a1QL:n80TBWQyEjPqoC9yiU0QL

Score

10^/10

evasion execution persistence trojan

Malware Config

Signatures

UAC bypass 3 TTPs 1 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Event Triggered Execution: Image File Execution Options Injection 1 TTPs 4 IoCs

persistence

Image File Execution Options Injection

T1546.012

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RobloxPlayerBeta.exe	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RobloxPlayerBeta.exe\PerfOptions\CpuPriorityClass = "3"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RobloxPlayerBeta.exe\PerfOptions	reg.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
1688	powershell.exe
4932	powershell.exe
4532	powershell.exe
3808	powershell.exe

Power Settings 1 TTPs 4 IoCs

powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.

persistence

Power Settings

T1653

pid	Process
5004	reg.exe
4084	reg.exe
548	reg.exe
1108	reg.exe

Checks SCSI registry key(s) 3 TTPs 8 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 0000000004000000bf081c85bb6cd1e80000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff000000002701010000080000bf081c850000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff000000000700010000680900bf081c85000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1dbf081c85000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000bf081c8500000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	taskmgr.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1688	powershell.exe
1688	powershell.exe
3808	powershell.exe
3808	powershell.exe
4932	powershell.exe
4932	powershell.exe
1572	taskmgr.exe
1572	taskmgr.exe
1572	taskmgr.exe
1572	taskmgr.exe
1572	taskmgr.exe
1572	taskmgr.exe
1572	taskmgr.exe
1572	taskmgr.exe
1572	taskmgr.exe
1572	taskmgr.exe
1572	taskmgr.exe
1572	taskmgr.exe
1572	taskmgr.exe
1572	taskmgr.exe
1572	taskmgr.exe
1572	taskmgr.exe
1572	taskmgr.exe
1572	taskmgr.exe
1572	taskmgr.exe
1572	taskmgr.exe
4532	powershell.exe
4532	powershell.exe
1572	taskmgr.exe
1572	taskmgr.exe
1572	taskmgr.exe
1572	taskmgr.exe
1572	taskmgr.exe
1572	taskmgr.exe
1572	taskmgr.exe
1572	taskmgr.exe
1572	taskmgr.exe
1572	taskmgr.exe
1572	taskmgr.exe
1572	taskmgr.exe
1572	taskmgr.exe
1572	taskmgr.exe
1572	taskmgr.exe
1572	taskmgr.exe
1572	taskmgr.exe
1572	taskmgr.exe
1572	taskmgr.exe
1572	taskmgr.exe
1572	taskmgr.exe
1572	taskmgr.exe
1572	taskmgr.exe
1572	taskmgr.exe
1572	taskmgr.exe
1572	taskmgr.exe
1572	taskmgr.exe
1572	taskmgr.exe
1572	taskmgr.exe
1572	taskmgr.exe
1572	taskmgr.exe
1572	taskmgr.exe
1572	taskmgr.exe
1572	taskmgr.exe
1572	taskmgr.exe
1572	taskmgr.exe

Suspicious use of AdjustPrivilegeToken 20 IoCs

description	pid	Process
Token: SeDebugPrivilege	1688	powershell.exe
Token: SeDebugPrivilege	3808	powershell.exe
Token: SeBackupPrivilege	1412	vssvc.exe
Token: SeRestorePrivilege	1412	vssvc.exe
Token: SeAuditPrivilege	1412	vssvc.exe
Token: SeBackupPrivilege	4980	srtasks.exe
Token: SeRestorePrivilege	4980	srtasks.exe
Token: SeSecurityPrivilege	4980	srtasks.exe
Token: SeTakeOwnershipPrivilege	4980	srtasks.exe
Token: SeBackupPrivilege	4980	srtasks.exe
Token: SeRestorePrivilege	4980	srtasks.exe
Token: SeSecurityPrivilege	4980	srtasks.exe
Token: SeTakeOwnershipPrivilege	4980	srtasks.exe
Token: SeDebugPrivilege	4932	powershell.exe
Token: SeDebugPrivilege	1572	taskmgr.exe
Token: SeSystemProfilePrivilege	1572	taskmgr.exe
Token: SeCreateGlobalPrivilege	1572	taskmgr.exe
Token: SeDebugPrivilege	4532	powershell.exe
Token: 33	1572	taskmgr.exe
Token: SeIncBasePriorityPrivilege	1572	taskmgr.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
1572	taskmgr.exe
1572	taskmgr.exe
1572	taskmgr.exe
1572	taskmgr.exe
1572	taskmgr.exe
1572	taskmgr.exe
1572	taskmgr.exe
1572	taskmgr.exe
1572	taskmgr.exe
1572	taskmgr.exe
1572	taskmgr.exe
1572	taskmgr.exe
1572	taskmgr.exe
1572	taskmgr.exe
1572	taskmgr.exe
1572	taskmgr.exe
1572	taskmgr.exe
1572	taskmgr.exe
1572	taskmgr.exe
1572	taskmgr.exe
1572	taskmgr.exe
1572	taskmgr.exe
1572	taskmgr.exe
1572	taskmgr.exe
1572	taskmgr.exe
1572	taskmgr.exe
1572	taskmgr.exe
1572	taskmgr.exe
1572	taskmgr.exe
1572	taskmgr.exe
1572	taskmgr.exe
1572	taskmgr.exe
1572	taskmgr.exe
1572	taskmgr.exe
1572	taskmgr.exe
1572	taskmgr.exe
1572	taskmgr.exe
1572	taskmgr.exe
1572	taskmgr.exe
1572	taskmgr.exe
1572	taskmgr.exe
1572	taskmgr.exe
1572	taskmgr.exe
1572	taskmgr.exe
1572	taskmgr.exe
1572	taskmgr.exe
1572	taskmgr.exe
1572	taskmgr.exe
1572	taskmgr.exe
1572	taskmgr.exe
1572	taskmgr.exe
1572	taskmgr.exe
1572	taskmgr.exe
1572	taskmgr.exe
1572	taskmgr.exe
1572	taskmgr.exe
1572	taskmgr.exe
1572	taskmgr.exe
1572	taskmgr.exe
1572	taskmgr.exe
1572	taskmgr.exe
1572	taskmgr.exe
1572	taskmgr.exe
1572	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
1572	taskmgr.exe
1572	taskmgr.exe
1572	taskmgr.exe
1572	taskmgr.exe
1572	taskmgr.exe
1572	taskmgr.exe
1572	taskmgr.exe
1572	taskmgr.exe
1572	taskmgr.exe
1572	taskmgr.exe
1572	taskmgr.exe
1572	taskmgr.exe
1572	taskmgr.exe
1572	taskmgr.exe
1572	taskmgr.exe
1572	taskmgr.exe
1572	taskmgr.exe
1572	taskmgr.exe
1572	taskmgr.exe
1572	taskmgr.exe
1572	taskmgr.exe
1572	taskmgr.exe
1572	taskmgr.exe
1572	taskmgr.exe
1572	taskmgr.exe
1572	taskmgr.exe
1572	taskmgr.exe
1572	taskmgr.exe
1572	taskmgr.exe
1572	taskmgr.exe
1572	taskmgr.exe
1572	taskmgr.exe
1572	taskmgr.exe
1572	taskmgr.exe
1572	taskmgr.exe
1572	taskmgr.exe
1572	taskmgr.exe
1572	taskmgr.exe
1572	taskmgr.exe
1572	taskmgr.exe
1572	taskmgr.exe
1572	taskmgr.exe
1572	taskmgr.exe
1572	taskmgr.exe
1572	taskmgr.exe
1572	taskmgr.exe
1572	taskmgr.exe
1572	taskmgr.exe
1572	taskmgr.exe
1572	taskmgr.exe
1572	taskmgr.exe
1572	taskmgr.exe
1572	taskmgr.exe
1572	taskmgr.exe
1572	taskmgr.exe
1572	taskmgr.exe
1572	taskmgr.exe
1572	taskmgr.exe
1572	taskmgr.exe
1572	taskmgr.exe
1572	taskmgr.exe
1572	taskmgr.exe
1572	taskmgr.exe
1572	taskmgr.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3168 wrote to memory of 1680	3168	cmd.exe	83
PID 3168 wrote to memory of 1680	3168	cmd.exe	83
PID 3168 wrote to memory of 2276	3168	cmd.exe	84
PID 3168 wrote to memory of 2276	3168	cmd.exe	84
PID 3168 wrote to memory of 3692	3168	cmd.exe	85
PID 3168 wrote to memory of 3692	3168	cmd.exe	85
PID 3168 wrote to memory of 436	3168	cmd.exe	86
PID 3168 wrote to memory of 436	3168	cmd.exe	86
PID 3168 wrote to memory of 3412	3168	cmd.exe	87
PID 3168 wrote to memory of 3412	3168	cmd.exe	87
PID 3168 wrote to memory of 1688	3168	cmd.exe	88
PID 3168 wrote to memory of 1688	3168	cmd.exe	88
PID 3168 wrote to memory of 3808	3168	cmd.exe	91
PID 3168 wrote to memory of 3808	3168	cmd.exe	91
PID 3168 wrote to memory of 2884	3168	cmd.exe	101
PID 3168 wrote to memory of 2884	3168	cmd.exe	101
PID 3168 wrote to memory of 4128	3168	cmd.exe	103
PID 3168 wrote to memory of 4128	3168	cmd.exe	103
PID 3168 wrote to memory of 4416	3168	cmd.exe	105
PID 3168 wrote to memory of 4416	3168	cmd.exe	105
PID 3168 wrote to memory of 1192	3168	cmd.exe	106
PID 3168 wrote to memory of 1192	3168	cmd.exe	106
PID 3168 wrote to memory of 4932	3168	cmd.exe	107
PID 3168 wrote to memory of 4932	3168	cmd.exe	107
PID 3168 wrote to memory of 1056	3168	cmd.exe	109
PID 3168 wrote to memory of 1056	3168	cmd.exe	109
PID 3168 wrote to memory of 3504	3168	cmd.exe	112
PID 3168 wrote to memory of 3504	3168	cmd.exe	112
PID 3168 wrote to memory of 4048	3168	cmd.exe	113
PID 3168 wrote to memory of 4048	3168	cmd.exe	113
PID 3168 wrote to memory of 5084	3168	cmd.exe	114
PID 3168 wrote to memory of 5084	3168	cmd.exe	114
PID 3168 wrote to memory of 4532	3168	cmd.exe	115
PID 3168 wrote to memory of 4532	3168	cmd.exe	115
PID 3168 wrote to memory of 4512	3168	cmd.exe	116
PID 3168 wrote to memory of 4512	3168	cmd.exe	116
PID 3168 wrote to memory of 1360	3168	cmd.exe	117
PID 3168 wrote to memory of 1360	3168	cmd.exe	117
PID 3168 wrote to memory of 2076	3168	cmd.exe	118
PID 3168 wrote to memory of 2076	3168	cmd.exe	118
PID 3168 wrote to memory of 4200	3168	cmd.exe	119
PID 3168 wrote to memory of 4200	3168	cmd.exe	119
PID 3168 wrote to memory of 2880	3168	cmd.exe	120
PID 3168 wrote to memory of 2880	3168	cmd.exe	120
PID 3168 wrote to memory of 2484	3168	cmd.exe	121
PID 3168 wrote to memory of 2484	3168	cmd.exe	121
PID 3168 wrote to memory of 3400	3168	cmd.exe	122
PID 3168 wrote to memory of 3400	3168	cmd.exe	122
PID 3168 wrote to memory of 5056	3168	cmd.exe	123
PID 3168 wrote to memory of 5056	3168	cmd.exe	123
PID 3168 wrote to memory of 3520	3168	cmd.exe	124
PID 3168 wrote to memory of 3520	3168	cmd.exe	124
PID 3168 wrote to memory of 3188	3168	cmd.exe	125
PID 3168 wrote to memory of 3188	3168	cmd.exe	125
PID 3168 wrote to memory of 3068	3168	cmd.exe	126
PID 3168 wrote to memory of 3068	3168	cmd.exe	126
PID 3168 wrote to memory of 2916	3168	cmd.exe	127
PID 3168 wrote to memory of 2916	3168	cmd.exe	127
PID 3168 wrote to memory of 3120	3168	cmd.exe	128
PID 3168 wrote to memory of 3120	3168	cmd.exe	128
PID 3168 wrote to memory of 1756	3168	cmd.exe	129
PID 3168 wrote to memory of 1756	3168	cmd.exe	129
PID 3168 wrote to memory of 944	3168	cmd.exe	130
PID 3168 wrote to memory of 944	3168	cmd.exe	130

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Koa_Paid_Tweak_Tool.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:3168
- C:\Windows\system32\reg.exe
  Reg.exe ADD "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "EnableLUA" /t REG_DWORD /d "0" /f
  2⤵
  - UAC bypass
  PID:1680
- C:\Windows\system32\reg.exe
  Reg.exe add "HKCU\CONSOLE" /v "VirtualTerminalLevel" /t REG_DWORD /d "1" /f
  2⤵
  PID:2276
- C:\Windows\system32\reg.exe
  Reg.exe delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsNT\CurrentVersion\SystemRestore" /v "RPSessionInterval" /f
  2⤵
  PID:3692
- C:\Windows\system32\reg.exe
  Reg.exe delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsNT\CurrentVersion\SystemRestore" /v "DisableConfig" /f
  2⤵
  PID:436
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\Software\Microsoft\Windows NT\CurrentVersion\SystemRestore" /v "SystemRestorePointCreationFrequency" /t REG_DWORD /d 0 /f
  2⤵
  PID:3412
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -ExecutionPolicy Unrestricted -NoProfile Enable-ComputerRestore -Drive 'C:\'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1688
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -ExecutionPolicy Bypass -Command "Checkpoint-Computer -Description 'KoaPaid' -RestorePointType 'MODIFY_SETTINGS'"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3808
- C:\Windows\system32\chcp.com
  chcp 65001
  2⤵
  PID:2884
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "prompt #$H#$E# & echo on & for %b in (1) do rem"
  2⤵
  PID:4128
- C:\Windows\system32\chcp.com
  chcp 437
  2⤵
  PID:4416
- C:\Windows\system32\curl.exe
  curl -g -k -L -# -o "C:\Risxn\Autoruns\autoruns.exe" "https://cdn.discordapp.com/attachments/1171238460451991617/1171238528793972766/autoruns.exe?ex=655bf3e1&is=65497ee1&hm=38d8e16aa9b8015960949f70a42b22f396ec4cea47e816011a43d0eff8868ee9&"
  2⤵
  PID:1192
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "& {Add-Type -AssemblyName System.Windows.Forms; [System.Windows.Forms.MessageBox]::Show('After you press ok it will open an app, Go to the LOGON section, disable all services except: antivirus, cmd.exe, and the n/a services', 'KoaPaid', 'Ok', [System.Windows.Forms.MessageBoxIcon]::Information);}"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4932
- C:\Windows\system32\chcp.com
  chcp 65001
  2⤵
  PID:1056
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "prompt #$H#$E# & echo on & for %b in (1) do rem"
  2⤵
  PID:3504
- C:\Windows\system32\chcp.com
  chcp 437
  2⤵
  PID:4048
- C:\Windows\system32\curl.exe
  curl -g -k -L -# -o "C:\Risxn\Autoruns\autoruns.exe" "https://cdn.discordapp.com/attachments/1171238460451991617/1171238528793972766/autoruns.exe?ex=655bf3e1&is=65497ee1&hm=38d8e16aa9b8015960949f70a42b22f396ec4cea47e816011a43d0eff8868ee9&"
  2⤵
  PID:5084
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "& {Add-Type -AssemblyName System.Windows.Forms; [System.Windows.Forms.MessageBox]::Show('After you press ok it will open an app, Go to the LOGON section, disable all services except: antivirus, cmd.exe, and the n/a services', 'KoaPaid', 'Ok', [System.Windows.Forms.MessageBoxIcon]::Information);}"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4532
- C:\Windows\system32\chcp.com
  chcp 65001
  2⤵
  PID:4512
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "prompt #$H#$E# & echo on & for %b in (1) do rem"
  2⤵
  PID:1360
- C:\Windows\system32\chcp.com
  chcp 437
  2⤵
  PID:2076
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\Scheduler" /v "PerfAnalyzeMidBufferPreemption" /t REG_DWORD /d "0" /f
  2⤵
  PID:4200
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\Scheduler" /v "EnableMidGfxPreemption" /t REG_DWORD /d "0" /f
  2⤵
  PID:2880
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\Scheduler" /v "EnableMidBufferPreemption" /t REG_DWORD /d "0" /f
  2⤵
  PID:2484
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\Scheduler" /v "EnableCEPreemption" /t REG_DWORD /d "0" /f
  2⤵
  PID:3400
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\Scheduler" /v "DisableCudaContextPreemption" /t REG_DWORD /d "0" /f
  2⤵
  PID:5056
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "prompt #$H#$E# & echo on & for %b in (1) do rem"
  2⤵
  PID:3520
- C:\Windows\system32\chcp.com
  chcp 437
  2⤵
  PID:3188
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\Scheduler" /v "PerfAnalyzeMidBufferPreemption" /t REG_DWORD /d "0" /f
  2⤵
  PID:3068
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\Scheduler" /v "EnableMidGfxPreemption" /t REG_DWORD /d "0" /f
  2⤵
  PID:2916
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\Scheduler" /v "EnableMidBufferPreemption" /t REG_DWORD /d "0" /f
  2⤵
  PID:3120
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\Scheduler" /v "EnableCEPreemption" /t REG_DWORD /d "0" /f
  2⤵
  PID:1756
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\Scheduler" /v "DisableCudaContextPreemption" /t REG_DWORD /d "0" /f
  2⤵
  PID:944
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "prompt #$H#$E# & echo on & for %b in (1) do rem"
  2⤵
  PID:2280
- C:\Windows\system32\chcp.com
  chcp 437
  2⤵
  PID:1600
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\Scheduler" /v "PerfAnalyzeMidBufferPreemption" /t REG_DWORD /d "0" /f
  2⤵
  PID:3968
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\Scheduler" /v "EnableMidGfxPreemption" /t REG_DWORD /d "0" /f
  2⤵
  PID:4536
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\Scheduler" /v "EnableMidBufferPreemption" /t REG_DWORD /d "0" /f
  2⤵
  PID:1796
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\Scheduler" /v "EnableCEPreemption" /t REG_DWORD /d "0" /f
  2⤵
  PID:4340
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\Scheduler" /v "DisableCudaContextPreemption" /t REG_DWORD /d "0" /f
  2⤵
  PID:3960
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "prompt #$H#$E# & echo on & for %b in (1) do rem"
  2⤵
  PID:5028
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RobloxPlayerBeta.exe\PerfOptions" /v "CpuPriorityClass" /t REG_DWORD /d "3" /f
  2⤵
  - Event Triggered Execution: Image File Execution Options Injection
  PID:4960
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "prompt #$H#$E# & echo on & for %b in (1) do rem"
  2⤵
  PID:4272
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power\PowerSettings\54533251-82be-4824-96c1-47b60b740d00\943c8cb6-6f93-4227-ad87-e9a3feec08d1" /v "Attributes" /t REG_DWORD /d "2" /f
  2⤵
  PID:3260
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power\PowerSettings\2a737441-1930-4402-8d77-b2bebba308a3\d4e98f31-5ffe-4ce1-be31-1b38b384c009\DefaultPowerSchemeValues\381b4222-f694-41f0-9685-ff5bb260df2e" /v "ACSettingIndex" /t REG_DWORD /d "0" /f
  2⤵
  PID:1476
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power\PowerSettings\2a737441-1930-4402-8d77-b2bebba308a3\d4e98f31-5ffe-4ce1-be31-1b38b384c009\DefaultPowerSchemeValues\381b4222-f694-41f0-9685-ff5bb260df2e" /v "DCSettingIndex" /t REG_DWORD /d "0" /f
  2⤵
  PID:5076
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power\PowerSettings\2a737441-1930-4402-8d77-b2bebba308a3\d4e98f31-5ffe-4ce1-be31-1b38b384c009\DefaultPowerSchemeValues\8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c" /v "ACSettingIndex" /t REG_DWORD /d "0" /f
  2⤵
  PID:4908
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power\PowerSettings\54533251-82be-4824-96c1-47b60b740d00\3b04d4fd-1cc7-4f23-ab1c-d1337819c4bb\DefaultPowerSchemeValues\381b4222-f694-41f0-9685-ff5bb260df2e" /v "ACSettingIndex" /t REG_DWORD /d "0" /f
  2⤵
  PID:4412
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power\PowerSettings\54533251-82be-4824-96c1-47b60b740d00\3b04d4fd-1cc7-4f23-ab1c-d1337819c4bb\DefaultPowerSchemeValues\381b4222-f694-41f0-9685-ff5bb260df2e" /v "DCSettingIndex" /t REG_DWORD /d "0" /f
  2⤵
  PID:4756
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power\PowerSettings\54533251-82be-4824-96c1-47b60b740d00\3b04d4fd-1cc7-4f23-ab1c-d1337819c4bb\DefaultPowerSchemeValues\8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c" /v "ACSettingIndex" /t REG_DWORD /d "0" /f
  2⤵
  PID:4868
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Processor" /v "AllowPepPerfStates" /t REG_DWORD /d "0" /f
  2⤵
  PID:4668
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Processor" /v "Cstates" /t REG_DWORD /d "0" /f
  2⤵
  PID:4212
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Processor" /v "Capabilities" /t REG_DWORD /d "516198" /f
  2⤵
  PID:4232
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "HighPerformance" /t REG_DWORD /d "1" /f
  2⤵
  PID:1308
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "HighestPerformance" /t REG_DWORD /d "1" /f
  2⤵
  PID:2796
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "MinimumThrottlePercent" /t REG_DWORD /d "0" /f
  2⤵
  PID:3688
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "MaximumThrottlePercent" /t REG_DWORD /d "0" /f
  2⤵
  PID:2692
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "MaximumPerformancePercent" /t REG_DWORD /d "100" /f
  2⤵
  PID:4964
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "Class1InitialUnparkCount" /t REG_DWORD /d "100" /f
  2⤵
  PID:5012
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "InitialUnparkCount" /t REG_DWORD /d "100" /f
  2⤵
  PID:3248
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "MaximumPerformancePercent" /t REG_DWORD /d "100" /f
  2⤵
  PID:4768
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WcmSvc\GroupPolicy" /v "fDisablePowerManagement" /t REG_DWORD /d "1" /f
  2⤵
  PID:808
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power\PDC\Activators\Default\VetoPolicy" /v "EA:EnergySaverEngaged" /t REG_DWORD /d "0" /f
  2⤵
  PID:2144
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power\PDC\Activators\28\VetoPolicy" /v "EA:PowerStateDischarging" /t REG_DWORD /d "0" /f
  2⤵
  PID:3432
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power\Policy\Settings\Misc" /v "DeviceIdlePolicy" /t REG_DWORD /d "0" /f
  2⤵
  PID:4256
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power\Policy\Settings\Processor" /v "PerfEnergyPreference" /t REG_DWORD /d "0" /f
  2⤵
  PID:4396
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power\Policy\Settings\Processor" /v "PerfEnergyPreference" /t REG_DWORD /d "0" /f
  2⤵
  PID:5052
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power\Policy\Settings\Processor" /v "CPMinCores" /t REG_DWORD /d "0" /f
  2⤵
  PID:2276
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power\Policy\Settings\Processor" /v "CPMaxCores" /t REG_DWORD /d "0" /f
  2⤵
  PID:4280
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power\Policy\Settings\Processor" /v "CPMinCores1" /t REG_DWORD /d "0" /f
  2⤵
  PID:2156
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power\Policy\Settings\Processor" /v "CPMaxCores1" /t REG_DWORD /d "0" /f
  2⤵
  PID:448
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power\Policy\Settings\Processor" /v "CpLatencyHintUnpark1" /t REG_DWORD /d "100" /f
  2⤵
  PID:4520
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power\Policy\Settings\Processor" /v "CPDistribution" /t REG_DWORD /d "0" /f
  2⤵
  PID:5040
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power\Policy\Settings\Processor" /v "CpLatencyHintUnpark" /t REG_DWORD /d "100" /f
  2⤵
  PID:2400
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power\Policy\Settings\Processor" /v "MaxPerformance1" /t REG_DWORD /d "100" /f
  2⤵
  PID:4856
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power\Policy\Settings\Processor" /v "MaxPerformance" /t REG_DWORD /d "100" /f
  2⤵
  PID:3252
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power\Policy\Settings\Processor" /v "CPDistribution1" /t REG_DWORD /d "0" /f
  2⤵
  PID:1656
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power\Policy\Settings\Processor" /v "CPHEADROOM" /t REG_DWORD /d "0" /f
  2⤵
  PID:3732
- C:\Windows\system32\reg.exe
  Reg.exe add "HKCU\Control Panel\PowerCfg\GlobalPowerPolicy" /v "Policies" /t REG_BINARY /d "01000000020000000100000000000000020000000000000000000000000000002c0100003232030304000000040000000000000000000000840300002c01000000000000840300000001646464640000" /f
  2⤵
  - Power Settings
  PID:4084
- C:\Windows\system32\reg.exe
  Reg.exe add "HKCU\Control Panel\PowerCfg\GlobalPowerPolicy" /v "Policies" /t REG_BINARY /d "01000000020000000100000000000000020000000000000000000000000000002c0100003232030304000000040000000000000000000000840300002c01000000000000840300000001646464640000" /f
  2⤵
  - Power Settings
  PID:548
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Processor" /v "Cstates" /t REG_DWORD /d "0" /f
  2⤵
  PID:1020
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Processor" /v "Capabilities" /t REG_DWORD /d "516198" /f
  2⤵
  PID:2260
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "HighPerformance" /t REG_DWORD /d "1" /f
  2⤵
  PID:2976
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "HighestPerformance" /t REG_DWORD /d "1" /f
  2⤵
  PID:4328
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "MinimumThrottlePercent" /t REG_DWORD /d "0" /f
  2⤵
  PID:3684
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "MaximumThrottlePercent" /t REG_DWORD /d "0" /f
  2⤵
  PID:4332
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "MaximumPerformancePercent" /t REG_DWORD /d "100" /f
  2⤵
  PID:1424
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "Class1InitialUnparkCount" /t REG_DWORD /d "100" /f
  2⤵
  PID:2012
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "InitialUnparkCount" /t REG_DWORD /d "100" /f
  2⤵
  PID:1648
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "MaximumPerformancePercent" /t REG_DWORD /d "100" /f
  2⤵
  PID:1688
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power\PowerThrottling" /v "PowerThrottlingOff" /t REG_DWORD /d "1" /f
  2⤵
  PID:3164
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power\Policy\Settings\Processor" /v "CPHEADROOM" /t REG_DWORD /d "0" /f
  2⤵
  PID:4228
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power\Policy\Settings\Processor" /v "CPCONCURRENCY" /t REG_DWORD /d "0" /f
  2⤵
  PID:4156
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\ControlSet001\Control\Processor" /v "ProccesorThrottlingEnabled" /t REG_DWORD /d "0" /f
  2⤵
  PID:1108
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\ControlSet001\Control\Processor" /v "CpuIdleThreshold" /t REG_DWORD /d "1" /f
  2⤵
  PID:5004
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\ControlSet001\Control\Processor" /v "CpuIdle" /t REG_DWORD /d "0" /f
  2⤵
  PID:3352
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\ControlSet001\Control\Processor" /v "CpuLatencyTimer" /t REG_DWORD /d "0" /f
  2⤵
  PID:4492
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\ControlSet001\Control\Processor" /v "CpuSlowdown" /t REG_DWORD /d "0" /f
  2⤵
  PID:3676
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\ControlSet001\Control\Processor" /v "DedicatedSegmentSize" /t REG_DWORD /d "1298" /f
  2⤵
  PID:3984
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\ControlSet001\Control\Processor" /v "Threshold" /t REG_DWORD /d "1" /f
  2⤵
  PID:2076
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\ControlSet001\Control\Processor" /v "CpuDebuggingEnabled" /t REG_DWORD /d "0" /f
  2⤵
  PID:3440
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\ControlSet001\Control\Processor" /v "ProccesorLatencyThrottlingEnabled" /t REG_DWORD /d "0" /f
  2⤵
  PID:2388
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\ControlSet001\Control\Processor" /v "CpuIdleScrubDelay" /t REG_DWORD /d "0" /f
  2⤵
  PID:1676
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\ControlSet001\Control\Processor" /v "CpuIdleScrubInterval" /t REG_DWORD /d "0" /f
  2⤵
  PID:2416
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\ControlSet001\Control\Processor" /v "CpuIdleScrubPower" /t REG_DWORD /d "18" /f
  2⤵
  PID:2448
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\ControlSet001\Control\Processor" /v "CpuIdleScrubThreshold" /t REG_DWORD /d "0" /f
  2⤵
  PID:2776
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\ControlSet001\Control\Processor" /v "CpuIdleScrubType" /t REG_DWORD /d "2" /f
  2⤵
  PID:3116
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\ControlSet001\Control\Processor" /v "CpuIdleScrubValue" /t REG_DWORD /d "100" /f
  2⤵
  PID:976
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\ControlSet001\Control\Processor" /v "CpuIdleScrubValueMaximum" /t REG_DWORD /d "100" /f
  2⤵
  PID:1420
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\ControlSet001\Control\Processor" /v "CpuIdleScrubValueMinimum" /t REG_DWORD /d "100" /f
  2⤵
  PID:3520
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\ControlSet001\Control\Processor" /v "CpuIdleScrubValueStep" /t REG_DWORD /d "0" /f
  2⤵
  PID:3524
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\ControlSet001\Control\Processor" /v "CpuIdleScrubValueDefault" /t REG_DWORD /d "0" /f
  2⤵
  PID:3188
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\ControlSet001\Control\Processor" /v "CpuIdleScrubValueCurrent" /t REG_DWORD /d "0" /f
  2⤵
  PID:2916
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\ControlSet001\Control\Processor" /v "CpuIdleScrubValuePrevious" /t REG_DWORD /d "0" /f
  2⤵
  PID:4788
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\ControlSet001\Control\Processor" /v "CpuIdleScrubValueNext" /t REG_DWORD /d "0" /f
  2⤵
  PID:1632
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\ControlSet001\Control\Processor" /v "CpuIdleScrubValueLast" /t REG_DWORD /d "0" /f
  2⤵
  PID:1524
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\ControlSet001\Control\Processor" /v "CpuIdleScrubValueFirst" /t REG_DWORD /d "0" /f
  2⤵
  PID:4828
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\ControlSet001\Control\Processor" /v "CpuIdleScrubValueCount" /t REG_DWORD /d "100" /f
  2⤵
  PID:5016
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\ControlSet001\Control\Processor" /v "CpuIdleScrubValueIndex" /t REG_DWORD /d "42" /f
  2⤵
  PID:3904
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\ControlSet001\Control\Processor" /v "CpuIdleScrubValueName" /t REG_DWORD /d "0" /f
  2⤵
  PID:3136
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\ControlSet001\Control\Processor" /v "CpuIdleScrubValueDescription" /t REG_DWORD /d "0" /f
  2⤵
  PID:4404
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\ControlSet001\Control\Processor" /v "CpuIdleScrubValueEnabled" /t REG_DWORD /d "0" /f
  2⤵
  PID:4032
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\ControlSet001\Control\Processor" /v "CpuIdleScrubValueDisabled" /t REG_DWORD /d "1" /f
  2⤵
  PID:2560
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\ControlSet001\Control\Processor" /v "CpuIdleScrubValueVisible" /t REG_DWORD /d "1" /f
  2⤵
  PID:2404
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\ControlSet001\Control\Processor" /v "CpuIdleScrubValueHidden" /t REG_DWORD /d "0" /f
  2⤵
  PID:1508
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\ControlSet001\Control\Processor" /v "CpuIdleScrubValueReadOnly" /t REG_DWORD /d "0" /f
  2⤵
  PID:4276
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\ControlSet001\Control\Processor" /v "CpuIdleScrubValueReadWrite" /t REG_DWORD /d "0" /f
  2⤵
  PID:2704
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\ControlSet001\Control\Processor" /v "CpuIdleScrubValueWriteOnly" /t REG_DWORD /d "0" /f
  2⤵
  PID:2596
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\ControlSet001\Control\Processor" /v "CpuIdleScrubValueExecute" /t REG_DWORD /d "0" /f
  2⤵
  PID:5028
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\ControlSet001\Control\Processor" /v "CpuIdleScrubValueNoExecute" /t REG_DWORD /d "0" /f
  2⤵
  PID:1888
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\ControlSet001\Control\Processor" /v "CpuIdleScrubValueSystem" /t REG_DWORD /d "0" /f
  2⤵
  PID:392
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\ControlSet001\Control\Processor" /v "CpuIdleScrubValueUser" /t REG_DWORD /d "0" /f
  2⤵
  PID:5032
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\ControlSet001\Control\Processor" /v "CpuIdleScrubPower" /t REG_DWORD /d "100" /f
  2⤵
  PID:3788
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\ControlSet001\Control\Processor" /v "CpuIdleScrubValueDisabled" /t REG_DWORD /d "0" /f
  2⤵
  PID:468
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\ControlSet001\Control\Processor" /v "CpuIdleScrubValueDefaultEnabled" /t REG_DWORD /d "0" /f
  2⤵
  PID:3260
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\ControlSet001\Control\Processor" /v "CpuIdleScrubValueDefaultDisabled" /t REG_DWORD /d "1" /f
  2⤵
  PID:1476
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\ControlSet001\Control\Processor" /v "CpuIdleScrubValueDefaultAuto" /t REG_DWORD /d "1" /f
  2⤵
  PID:5076
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\ControlSet001\Control\Processor" /v "CpuIdleScrubValueDefaultManual" /t REG_DWORD /d "0" /f
  2⤵
  PID:4908
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\ControlSet001\Control\Processor" /v "CpuIdleScrubPower" /t REG_DWORD /d "0" /f
  2⤵
  PID:4412
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\ControlSet001\Control\Processor" /v "CpuIdleScrubValueCustom" /t REG_DWORD /d "0" /f
  2⤵
  PID:4756
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\ControlSet001\Control\Processor" /v "CpuIdleScrubValueAuto" /t REG_DWORD /d "1" /f
  2⤵
  PID:4868
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\ControlSet001\Control\Processor" /v "CpuIdleScrubValueManual" /t REG_DWORD /d "0" /f
  2⤵
  PID:4668
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\ControlSet001\Control\Processor" /v "CpuIdleScrubValueAutomatic" /t REG_DWORD /d "1" /f
  2⤵
  PID:4212
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\ControlSet001\Control\Processor" /v "CpuIdleScrubValueDisabledByDefault" /t REG_DWORD /d "1" /f
  2⤵
  PID:4232
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\ControlSet001\Control\Processor" /v "CpuIdleScrubValueEnabledByDefault" /t REG_DWORD /d "0" /f
  2⤵
  PID:1308
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\ControlSet001\Control\Processor" /v "CpuIdleScrubValueDefaultEnabled" /t REG_DWORD /d "0" /f
  2⤵
  PID:2796
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\ControlSet001\Control\Processor" /v "CpuIdleScrubValueDefaultDisabled" /t REG_DWORD /d "1" /f
  2⤵
  PID:3688
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\ControlSet001\Control\Processor" /v "CpuIdleScrubValueDefaultAuto" /t REG_DWORD /d "1" /f
  2⤵
  PID:2692
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\ControlSet001\Control\Processor" /v "CpuIdleScrubValueDefaultManual" /t REG_DWORD /d "0" /f
  2⤵
  PID:4964
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power\PowerSettings\54533251-82be-4824-96c1-47b60b740d00\943c8cb6-6f93-4227-ad87-e9a3feec08d1" /v "Attributes" /t REG_DWORD /d "2" /f
  2⤵
  PID:5012
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power\PowerSettings\2a737441-1930-4402-8d77-b2bebba308a3\d4e98f31-5ffe-4ce1-be31-1b38b384c009\DefaultPowerSchemeValues\381b4222-f694-41f0-9685-ff5bb260df2e" /v "ACSettingIndex" /t REG_DWORD /d "0" /f
  2⤵
  PID:3248
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power\PowerSettings\2a737441-1930-4402-8d77-b2bebba308a3\d4e98f31-5ffe-4ce1-be31-1b38b384c009\DefaultPowerSchemeValues\381b4222-f694-41f0-9685-ff5bb260df2e" /v "DCSettingIndex" /t REG_DWORD /d "0" /f
  2⤵
  PID:4768
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power\PowerSettings\2a737441-1930-4402-8d77-b2bebba308a3\d4e98f31-5ffe-4ce1-be31-1b38b384c009\DefaultPowerSchemeValues\8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c" /v "ACSettingIndex" /t REG_DWORD /d "0" /f
  2⤵
  PID:808
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power\PowerSettings\54533251-82be-4824-96c1-47b60b740d00\3b04d4fd-1cc7-4f23-ab1c-d1337819c4bb\DefaultPowerSchemeValues\381b4222-f694-41f0-9685-ff5bb260df2e" /v "ACSettingIndex" /t REG_DWORD /d "0" /f
  2⤵
  PID:2144
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power\PowerSettings\54533251-82be-4824-96c1-47b60b740d00\3b04d4fd-1cc7-4f23-ab1c-d1337819c4bb\DefaultPowerSchemeValues\381b4222-f694-41f0-9685-ff5bb260df2e" /v "DCSettingIndex" /t REG_DWORD /d "0" /f
  2⤵
  PID:3432
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power\PowerSettings\54533251-82be-4824-96c1-47b60b740d00\3b04d4fd-1cc7-4f23-ab1c-d1337819c4bb\DefaultPowerSchemeValues\8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c" /v "ACSettingIndex" /t REG_DWORD /d "0" /f
  2⤵
  PID:4256
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Processor" /v "AllowPepPerfStates" /t REG_DWORD /d "0" /f
  2⤵
  PID:4396
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Processor" /v "Cstates" /t REG_DWORD /d "0" /f
  2⤵
  PID:5052
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Processor" /v "Capabilities" /t REG_DWORD /d "516198" /f
  2⤵
  PID:2276
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "HighPerformance" /t REG_DWORD /d "1" /f
  2⤵
  PID:4280
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "HighestPerformance" /t REG_DWORD /d "1" /f
  2⤵
  PID:2156
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "MinimumThrottlePercent" /t REG_DWORD /d "0" /f
  2⤵
  PID:448
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "MaximumThrottlePercent" /t REG_DWORD /d "0" /f
  2⤵
  PID:4520
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "MaximumPerformancePercent" /t REG_DWORD /d "100" /f
  2⤵
  PID:5040
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "Class1InitialUnparkCount" /t REG_DWORD /d "100" /f
  2⤵
  PID:2400
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "InitialUnparkCount" /t REG_DWORD /d "100" /f
  2⤵
  PID:4856
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "MaximumPerformancePercent" /t REG_DWORD /d "100" /f
  2⤵
  PID:3252
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WcmSvc\GroupPolicy" /v "fDisablePowerManagement" /t REG_DWORD /d "1" /f
  2⤵
  PID:1656
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power\PDC\Activators\Default\VetoPolicy" /v "EA:EnergySaverEngaged" /t REG_DWORD /d "0" /f
  2⤵
  PID:3732
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power\PDC\Activators\28\VetoPolicy" /v "EA:PowerStateDischarging" /t REG_DWORD /d "0" /f
  2⤵
  PID:4084
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power\Policy\Settings\Misc" /v "DeviceIdlePolicy" /t REG_DWORD /d "0" /f
  2⤵
  PID:548
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power\Policy\Settings\Processor" /v "PerfEnergyPreference" /t REG_DWORD /d "0" /f
  2⤵
  PID:1020
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power\Policy\Settings\Processor" /v "PerfEnergyPreference" /t REG_DWORD /d "0" /f
  2⤵
  PID:2260
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power\Policy\Settings\Processor" /v "CPMinCores" /t REG_DWORD /d "0" /f
  2⤵
  PID:2976
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power\Policy\Settings\Processor" /v "CPMaxCores" /t REG_DWORD /d "0" /f
  2⤵
  PID:4328
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power\Policy\Settings\Processor" /v "CPMinCores1" /t REG_DWORD /d "0" /f
  2⤵
  PID:3684
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power\Policy\Settings\Processor" /v "CPMaxCores1" /t REG_DWORD /d "0" /f
  2⤵
  PID:4644
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power\Policy\Settings\Processor" /v "CpLatencyHintUnpark1" /t REG_DWORD /d "100" /f
  2⤵
  PID:1096
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power\Policy\Settings\Processor" /v "CPDistribution" /t REG_DWORD /d "0" /f
  2⤵
  PID:2012
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power\Policy\Settings\Processor" /v "CpLatencyHintUnpark" /t REG_DWORD /d "100" /f
  2⤵
  PID:1648
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power\Policy\Settings\Processor" /v "MaxPerformance1" /t REG_DWORD /d "100" /f
  2⤵
  PID:1688
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power\Policy\Settings\Processor" /v "MaxPerformance" /t REG_DWORD /d "100" /f
  2⤵
  PID:3164
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power\Policy\Settings\Processor" /v "CPDistribution1" /t REG_DWORD /d "0" /f
  2⤵
  PID:4228
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power\Policy\Settings\Processor" /v "CPHEADROOM" /t REG_DWORD /d "0" /f
  2⤵
  PID:4156
- C:\Windows\system32\reg.exe
  Reg.exe add "HKCU\Control Panel\PowerCfg\GlobalPowerPolicy" /v "Policies" /t REG_BINARY /d "01000000020000000100000000000000020000000000000000000000000000002c0100003232030304000000040000000000000000000000840300002c01000000000000840300000001646464640000" /f
  2⤵
  - Power Settings
  PID:1108
- C:\Windows\system32\reg.exe
  Reg.exe add "HKCU\Control Panel\PowerCfg\GlobalPowerPolicy" /v "Policies" /t REG_BINARY /d "01000000020000000100000000000000020000000000000000000000000000002c0100003232030304000000040000000000000000000000840300002c01000000000000840300000001646464640000" /f
  2⤵
  - Power Settings
  PID:5004
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Processor" /v "Cstates" /t REG_DWORD /d "0" /f
  2⤵
  PID:3352
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Processor" /v "Capabilities" /t REG_DWORD /d "516198" /f
  2⤵
  PID:4492
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "HighPerformance" /t REG_DWORD /d "1" /f
  2⤵
  PID:3676
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "HighestPerformance" /t REG_DWORD /d "1" /f
  2⤵
  PID:3984
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "MinimumThrottlePercent" /t REG_DWORD /d "0" /f
  2⤵
  PID:2076
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "MaximumThrottlePercent" /t REG_DWORD /d "0" /f
  2⤵
  PID:3440
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "MaximumPerformancePercent" /t REG_DWORD /d "100" /f
  2⤵
  PID:2388
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "Class1InitialUnparkCount" /t REG_DWORD /d "100" /f
  2⤵
  PID:3400
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "InitialUnparkCount" /t REG_DWORD /d "100" /f
  2⤵
  PID:1676
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "MaximumPerformancePercent" /t REG_DWORD /d "100" /f
  2⤵
  PID:2448
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power\PowerThrottling" /v "PowerThrottlingOff" /t REG_DWORD /d "1" /f
  2⤵
  PID:2776
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power\Policy\Settings\Processor" /v "CPHEADROOM" /t REG_DWORD /d "0" /f
  2⤵
  PID:3116
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power\Policy\Settings\Processor" /v "CPCONCURRENCY" /t REG_DWORD /d "0" /f
  2⤵
  PID:976
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\ControlSet001\Control\Processor" /v "ProccesorThrottlingEnabled" /t REG_DWORD /d "0" /f
  2⤵
  PID:1420
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\ControlSet001\Control\Processor" /v "CpuIdleThreshold" /t REG_DWORD /d "1" /f
  2⤵
  PID:3520
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\ControlSet001\Control\Processor" /v "CpuIdle" /t REG_DWORD /d "0" /f
  2⤵
  PID:3524
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\ControlSet001\Control\Processor" /v "CpuLatencyTimer" /t REG_DWORD /d "0" /f
  2⤵
  PID:3188
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\ControlSet001\Control\Processor" /v "CpuSlowdown" /t REG_DWORD /d "0" /f
  2⤵
  PID:2916
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\ControlSet001\Control\Processor" /v "DedicatedSegmentSize" /t REG_DWORD /d "1298" /f
  2⤵
  PID:3120
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\ControlSet001\Control\Processor" /v "Threshold" /t REG_DWORD /d "1" /f
  2⤵
  PID:1228
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\ControlSet001\Control\Processor" /v "CpuDebuggingEnabled" /t REG_DWORD /d "0" /f
  2⤵
  PID:4440
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\ControlSet001\Control\Processor" /v "ProccesorLatencyThrottlingEnabled" /t REG_DWORD /d "0" /f
  2⤵
  PID:2244
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\ControlSet001\Control\Processor" /v "CpuIdleScrubDelay" /t REG_DWORD /d "0" /f
  2⤵
  PID:2412
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\ControlSet001\Control\Processor" /v "CpuIdleScrubInterval" /t REG_DWORD /d "0" /f
  2⤵
  PID:1824
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\ControlSet001\Control\Processor" /v "CpuIdleScrubPower" /t REG_DWORD /d "18" /f
  2⤵
  PID:3800
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\ControlSet001\Control\Processor" /v "CpuIdleScrubThreshold" /t REG_DWORD /d "0" /f
  2⤵
  PID:4816
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\ControlSet001\Control\Processor" /v "CpuIdleScrubType" /t REG_DWORD /d "2" /f
  2⤵
  PID:1608
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\ControlSet001\Control\Processor" /v "CpuIdleScrubValue" /t REG_DWORD /d "100" /f
  2⤵
  PID:4484
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\ControlSet001\Control\Processor" /v "CpuIdleScrubValueMaximum" /t REG_DWORD /d "100" /f
  2⤵
  PID:1248
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\ControlSet001\Control\Processor" /v "CpuIdleScrubValueMinimum" /t REG_DWORD /d "100" /f
  2⤵
  PID:2272
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\ControlSet001\Control\Processor" /v "CpuIdleScrubValueStep" /t REG_DWORD /d "0" /f
  2⤵
  PID:4700
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\ControlSet001\Control\Processor" /v "CpuIdleScrubValueDefault" /t REG_DWORD /d "0" /f
  2⤵
  PID:3996
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\ControlSet001\Control\Processor" /v "CpuIdleScrubValueCurrent" /t REG_DWORD /d "0" /f
  2⤵
  PID:1492
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\ControlSet001\Control\Processor" /v "CpuIdleScrubValuePrevious" /t REG_DWORD /d "0" /f
  2⤵
  PID:5028
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\ControlSet001\Control\Processor" /v "CpuIdleScrubValueNext" /t REG_DWORD /d "0" /f
  2⤵
  PID:2296
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\ControlSet001\Control\Processor" /v "CpuIdleScrubValueLast" /t REG_DWORD /d "0" /f
  2⤵
  PID:4508
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\ControlSet001\Control\Processor" /v "CpuIdleScrubValueFirst" /t REG_DWORD /d "0" /f
  2⤵
  PID:4960
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\ControlSet001\Control\Processor" /v "CpuIdleScrubValueCount" /t REG_DWORD /d "100" /f
  2⤵
  PID:4272
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\ControlSet001\Control\Processor" /v "CpuIdleScrubValueIndex" /t REG_DWORD /d "42" /f
  2⤵
  PID:4504
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\ControlSet001\Control\Processor" /v "CpuIdleScrubValueName" /t REG_DWORD /d "0" /f
  2⤵
  PID:2440
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\ControlSet001\Control\Processor" /v "CpuIdleScrubValueDescription" /t REG_DWORD /d "0" /f
  2⤵
  PID:4320
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\ControlSet001\Control\Processor" /v "CpuIdleScrubValueEnabled" /t REG_DWORD /d "0" /f
  2⤵
  PID:2900
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\ControlSet001\Control\Processor" /v "CpuIdleScrubValueDisabled" /t REG_DWORD /d "1" /f
  2⤵
  PID:1628
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\ControlSet001\Control\Processor" /v "CpuIdleScrubValueVisible" /t REG_DWORD /d "1" /f
  2⤵
  PID:1192
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\ControlSet001\Control\Processor" /v "CpuIdleScrubValueHidden" /t REG_DWORD /d "0" /f
  2⤵
  PID:2420
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\ControlSet001\Control\Processor" /v "CpuIdleScrubValueReadOnly" /t REG_DWORD /d "0" /f
  2⤵
  PID:4100
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\ControlSet001\Control\Processor" /v "CpuIdleScrubValueReadWrite" /t REG_DWORD /d "0" /f
  2⤵
  PID:4316
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\ControlSet001\Control\Processor" /v "CpuIdleScrubValueWriteOnly" /t REG_DWORD /d "0" /f
  2⤵
  PID:4804
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\ControlSet001\Control\Processor" /v "CpuIdleScrubValueExecute" /t REG_DWORD /d "0" /f
  2⤵
  PID:1336
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\ControlSet001\Control\Processor" /v "CpuIdleScrubValueNoExecute" /t REG_DWORD /d "0" /f
  2⤵
  PID:3308
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\ControlSet001\Control\Processor" /v "CpuIdleScrubValueSystem" /t REG_DWORD /d "0" /f
  2⤵
  PID:844
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\ControlSet001\Control\Processor" /v "CpuIdleScrubValueUser" /t REG_DWORD /d "0" /f
  2⤵
  PID:2408
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\ControlSet001\Control\Processor" /v "CpuIdleScrubPower" /t REG_DWORD /d "100" /f
  2⤵
  PID:4236
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\ControlSet001\Control\Processor" /v "CpuIdleScrubValueDisabled" /t REG_DWORD /d "0" /f
  2⤵
  PID:4268
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\ControlSet001\Control\Processor" /v "CpuIdleScrubValueDefaultEnabled" /t REG_DWORD /d "0" /f
  2⤵
  PID:3332
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\ControlSet001\Control\Processor" /v "CpuIdleScrubValueDefaultDisabled" /t REG_DWORD /d "1" /f
  2⤵
  PID:2456
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\ControlSet001\Control\Processor" /v "CpuIdleScrubValueDefaultAuto" /t REG_DWORD /d "1" /f
  2⤵
  PID:4424
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\ControlSet001\Control\Processor" /v "CpuIdleScrubValueDefaultManual" /t REG_DWORD /d "0" /f
  2⤵
  PID:3948
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\ControlSet001\Control\Processor" /v "CpuIdleScrubPower" /t REG_DWORD /d "0" /f
  2⤵
  PID:1616
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\ControlSet001\Control\Processor" /v "CpuIdleScrubValueCustom" /t REG_DWORD /d "0" /f
  2⤵
  PID:1680
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\ControlSet001\Control\Processor" /v "CpuIdleScrubValueAuto" /t REG_DWORD /d "1" /f
  2⤵
  PID:2376
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\ControlSet001\Control\Processor" /v "CpuIdleScrubValueManual" /t REG_DWORD /d "0" /f
  2⤵
  PID:2268
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\ControlSet001\Control\Processor" /v "CpuIdleScrubValueAutomatic" /t REG_DWORD /d "1" /f
  2⤵
  PID:388
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\ControlSet001\Control\Processor" /v "CpuIdleScrubValueDisabledByDefault" /t REG_DWORD /d "1" /f
  2⤵
  PID:3536
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\ControlSet001\Control\Processor" /v "CpuIdleScrubValueEnabledByDefault" /t REG_DWORD /d "0" /f
  2⤵
  PID:3744
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\ControlSet001\Control\Processor" /v "CpuIdleScrubValueDefaultEnabled" /t REG_DWORD /d "0" /f
  2⤵
  PID:620
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\ControlSet001\Control\Processor" /v "CpuIdleScrubValueDefaultDisabled" /t REG_DWORD /d "1" /f
  2⤵
  PID:5112
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\ControlSet001\Control\Processor" /v "CpuIdleScrubValueDefaultAuto" /t REG_DWORD /d "1" /f
  2⤵
  PID:1340
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\ControlSet001\Control\Processor" /v "CpuIdleScrubValueDefaultManual" /t REG_DWORD /d "0" /f
  2⤵
  PID:2136

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:1412

C:\Windows\system32\srtasks.exe
C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4980

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1572

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Event Triggered Execution

T1546

Image File Execution Options Injection

T1546.012

Power Settings

T1653

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Event Triggered Execution

T1546

Image File Execution Options Injection

T1546.012

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Risxn\Autoruns\autoruns.exe

Filesize
36B

MD5
a1ca4bebcd03fafbe2b06a46a694e29a

SHA1
ffc88125007c23ff6711147a12f9bba9c3d197ed

SHA256
c3fa59901d56ce8a95a303b22fd119cb94abf4f43c4f6d60a81fd78b7d00fa65

SHA512
6fe1730bf2a6bba058c5e1ef309a69079a6acca45c0dbca4e7d79c877257ac08e460af741459d1e335197cf4de209f2a2997816f2a2a3868b2c8d086ef789b0e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
6cf293cb4d80be23433eecf74ddb5503

SHA1
24fe4752df102c2ef492954d6b046cb5512ad408

SHA256
b1f292b6199aa29c7fafbca007e5f9e3f68edcbbca1965bc828cc92dc0f18bb8

SHA512
0f91e2da0da8794b9797c7b50eb5dfd27bde4546ceb6902a776664ce887dd6f12a0dd8773d612ccc76dfd029cd280778a0f0ae17ce679b3d2ffd968dd7e94a00

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
1a11402783a8686e08f8fa987dd07bca

SHA1
580df3865059f4e2d8be10644590317336d146ce

SHA256
9b1d1b468932a2d88548dc18504ac3066f8248079ecb083e919460bdb88398c0

SHA512
5f7f9f76d9d12a25fdc5b8d193391fb42c37515c657250fe01a9bfd9fe4cc4eab9d5ec254b2596ac1b9005f12511905f19fdae41f057062261d75bd83254b510

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
446dd1cf97eaba21cf14d03aebc79f27

SHA1
36e4cc7367e0c7b40f4a8ace272941ea46373799

SHA256
a7de5177c68a64bd48b36d49e2853799f4ebcfa8e4761f7cc472f333dc5f65cf

SHA512
a6d754709f30b122112ae30e5ab22486393c5021d33da4d1304c061863d2e1e79e8aeb029cae61261bb77d0e7becd53a7b0106d6ea4368b4c302464e3d941cf7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
224dcf4c17389871fa59fe45c7acd94a

SHA1
d02998277a18745bc5a5209d80a4d5c5077772ff

SHA256
c10c307786cba93488fb258b288490207e01024028a4340eab17f0c0b23dbb0e

SHA512
8e30a4a06f9a06dd2556ee9125e9dc9effcc1cbb3ce6ff9fabee383db8e4fdbe7f638ea71d5a42d6722748543c8f2a4399baefdd2a2cc20e531c966b29f32e10

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_hfps4y4u.mzf.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/1572-51-0x000001EB8B530000-0x000001EB8B531000-memory.dmp

Filesize
4KB

Download
memory/1572-53-0x000001EB8B530000-0x000001EB8B531000-memory.dmp

Filesize
4KB

Download
memory/1572-47-0x000001EB8B530000-0x000001EB8B531000-memory.dmp

Filesize
4KB

Download
memory/1572-48-0x000001EB8B530000-0x000001EB8B531000-memory.dmp

Filesize
4KB

Download
memory/1572-41-0x000001EB8B530000-0x000001EB8B531000-memory.dmp

Filesize
4KB

Download
memory/1572-43-0x000001EB8B530000-0x000001EB8B531000-memory.dmp

Filesize
4KB

Download
memory/1572-42-0x000001EB8B530000-0x000001EB8B531000-memory.dmp

Filesize
4KB

Download
memory/1572-49-0x000001EB8B530000-0x000001EB8B531000-memory.dmp

Filesize
4KB

Download
memory/1572-52-0x000001EB8B530000-0x000001EB8B531000-memory.dmp

Filesize
4KB

Download
memory/1572-50-0x000001EB8B530000-0x000001EB8B531000-memory.dmp

Filesize
4KB

Download
memory/1688-0-0x00007FF8871F3000-0x00007FF8871F5000-memory.dmp

Filesize
8KB

Download
memory/1688-15-0x00007FF8871F0000-0x00007FF887CB1000-memory.dmp

Filesize
10.8MB

Download
memory/1688-11-0x00007FF8871F0000-0x00007FF887CB1000-memory.dmp

Filesize
10.8MB

Download
memory/1688-12-0x00007FF8871F0000-0x00007FF887CB1000-memory.dmp

Filesize
10.8MB

Download
memory/1688-6-0x00000235D5410000-0x00000235D5432000-memory.dmp

Filesize
136KB

Download