Analysis
-
max time kernel
72s -
max time network
111s -
platform
windows11-21h2_x64 -
resource
win11-20240426-en -
resource tags
arch:x64arch:x86image:win11-20240426-enlocale:en-usos:windows11-21h2-x64system -
submitted
21/05/2024, 23:26
Behavioral task
behavioral1
Sample
Astro_Tweaks_1.0.exe
Resource
win11-20240426-en
General
-
Target
Astro_Tweaks_1.0.exe
-
Size
10.9MB
-
MD5
8003926e3eeb76275598626e9fc0a178
-
SHA1
c2e28f4476c91a150412f36663e39c0479db1a9a
-
SHA256
fcc12dd4b4dcc03d25522f9b9bf379cb3e43b14f349ddbeb91f929b757586993
-
SHA512
1624d72c66fc3b38409806233ea6730b6ed177e03ab053db4bb3f6f5e5bb7f71226ca23d2fae0fd839bd456773ae48d8a9c61abe710872bc93eff2efbfc8c7d0
-
SSDEEP
196608:4hEjHLqBA1HeT39IigQdeE9TFa0Z8DOjCdylhY8gh70W8/LeoCUoBnz+Qddyx9K:feq1+TtIiLUY9Z8D8CclyhCW8S3hSjxI
Malware Config
Signatures
-
Modifies boot configuration data using bcdedit 1 TTPs 16 IoCs
pid Process 5172 bcdedit.exe 5196 bcdedit.exe 5184 bcdedit.exe 5376 bcdedit.exe 5312 bcdedit.exe 5536 bcdedit.exe 5560 bcdedit.exe 5552 bcdedit.exe 5656 bcdedit.exe 5620 bcdedit.exe 5612 bcdedit.exe 5604 bcdedit.exe 5596 bcdedit.exe 5776 bcdedit.exe 2440 bcdedit.exe 5364 bcdedit.exe -
Loads dropped DLL 18 IoCs
pid Process 4840 Astro_Tweaks_1.0.exe 4840 Astro_Tweaks_1.0.exe 4840 Astro_Tweaks_1.0.exe 4840 Astro_Tweaks_1.0.exe 4840 Astro_Tweaks_1.0.exe 4840 Astro_Tweaks_1.0.exe 4840 Astro_Tweaks_1.0.exe 4840 Astro_Tweaks_1.0.exe 4840 Astro_Tweaks_1.0.exe 4840 Astro_Tweaks_1.0.exe 4840 Astro_Tweaks_1.0.exe 4840 Astro_Tweaks_1.0.exe 4840 Astro_Tweaks_1.0.exe 4840 Astro_Tweaks_1.0.exe 4840 Astro_Tweaks_1.0.exe 4840 Astro_Tweaks_1.0.exe 4840 Astro_Tweaks_1.0.exe 4840 Astro_Tweaks_1.0.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs
flow ioc 1 drive.google.com 9 raw.githubusercontent.com 14 drive.google.com 1 raw.githubusercontent.com -
pid Process 2516 powershell.exe 4296 powershell.exe 4680 powershell.exe 4896 powershell.exe 4684 powershell.exe 4056 powershell.exe 5484 powershell.exe 1580 powershell.exe 1308 powershell.exe 5572 powershell.exe 2580 powershell.exe 3100 powershell.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks SCSI registry key(s) 3 TTPs 5 IoCs
SCSI information is often read in order to detect sandboxing environments.
description ioc Process Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters vssvc.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr vssvc.exe Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 00000000040000001b4a55745f2b98f90000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff0000000027010100000800001b4a55740000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff0000000007000100006809001b4a5574000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1d1b4a5574000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000000000001b4a557400000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 vssvc.exe Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 vssvc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters vssvc.exe -
Delays execution with timeout.exe 7 IoCs
pid Process 5544 timeout.exe 5628 timeout.exe 5588 timeout.exe 4832 timeout.exe 5260 timeout.exe 5408 timeout.exe 5384 timeout.exe -
Suspicious behavior: EnumeratesProcesses 18 IoCs
pid Process 1308 powershell.exe 1308 powershell.exe 5572 powershell.exe 5572 powershell.exe 5572 powershell.exe 2516 powershell.exe 2516 powershell.exe 2516 powershell.exe 4680 powershell.exe 4680 powershell.exe 4896 powershell.exe 4896 powershell.exe 4684 powershell.exe 4684 powershell.exe 4056 powershell.exe 4056 powershell.exe 5484 powershell.exe 5484 powershell.exe -
Suspicious use of AdjustPrivilegeToken 19 IoCs
description pid Process Token: SeDebugPrivilege 1308 powershell.exe Token: SeBackupPrivilege 1872 vssvc.exe Token: SeRestorePrivilege 1872 vssvc.exe Token: SeAuditPrivilege 1872 vssvc.exe Token: SeDebugPrivilege 5572 powershell.exe Token: SeDebugPrivilege 2516 powershell.exe Token: SeBackupPrivilege 4852 srtasks.exe Token: SeRestorePrivilege 4852 srtasks.exe Token: SeSecurityPrivilege 4852 srtasks.exe Token: SeTakeOwnershipPrivilege 4852 srtasks.exe Token: SeBackupPrivilege 4852 srtasks.exe Token: SeRestorePrivilege 4852 srtasks.exe Token: SeSecurityPrivilege 4852 srtasks.exe Token: SeTakeOwnershipPrivilege 4852 srtasks.exe Token: SeDebugPrivilege 4680 powershell.exe Token: SeDebugPrivilege 4896 powershell.exe Token: SeDebugPrivilege 4684 powershell.exe Token: SeDebugPrivilege 4056 powershell.exe Token: SeDebugPrivilege 5484 powershell.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 4840 Astro_Tweaks_1.0.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3916 wrote to memory of 4840 3916 Astro_Tweaks_1.0.exe 81 PID 3916 wrote to memory of 4840 3916 Astro_Tweaks_1.0.exe 81 PID 4840 wrote to memory of 4272 4840 Astro_Tweaks_1.0.exe 82 PID 4840 wrote to memory of 4272 4840 Astro_Tweaks_1.0.exe 82 PID 4840 wrote to memory of 1308 4840 Astro_Tweaks_1.0.exe 84 PID 4840 wrote to memory of 1308 4840 Astro_Tweaks_1.0.exe 84 PID 4840 wrote to memory of 3324 4840 Astro_Tweaks_1.0.exe 93 PID 4840 wrote to memory of 3324 4840 Astro_Tweaks_1.0.exe 93 PID 4840 wrote to memory of 4216 4840 Astro_Tweaks_1.0.exe 94 PID 4840 wrote to memory of 4216 4840 Astro_Tweaks_1.0.exe 94 PID 4840 wrote to memory of 1272 4840 Astro_Tweaks_1.0.exe 95 PID 4840 wrote to memory of 1272 4840 Astro_Tweaks_1.0.exe 95 PID 4840 wrote to memory of 1468 4840 Astro_Tweaks_1.0.exe 97 PID 4840 wrote to memory of 1468 4840 Astro_Tweaks_1.0.exe 97 PID 4840 wrote to memory of 1628 4840 Astro_Tweaks_1.0.exe 98 PID 4840 wrote to memory of 1628 4840 Astro_Tweaks_1.0.exe 98 PID 4840 wrote to memory of 4652 4840 Astro_Tweaks_1.0.exe 99 PID 4840 wrote to memory of 4652 4840 Astro_Tweaks_1.0.exe 99 PID 4840 wrote to memory of 3136 4840 Astro_Tweaks_1.0.exe 100 PID 4840 wrote to memory of 3136 4840 Astro_Tweaks_1.0.exe 100 PID 4840 wrote to memory of 1704 4840 Astro_Tweaks_1.0.exe 102 PID 4840 wrote to memory of 1704 4840 Astro_Tweaks_1.0.exe 102 PID 4840 wrote to memory of 3476 4840 Astro_Tweaks_1.0.exe 103 PID 4840 wrote to memory of 3476 4840 Astro_Tweaks_1.0.exe 103 PID 4840 wrote to memory of 8 4840 Astro_Tweaks_1.0.exe 104 PID 4840 wrote to memory of 8 4840 Astro_Tweaks_1.0.exe 104 PID 4840 wrote to memory of 368 4840 Astro_Tweaks_1.0.exe 106 PID 4840 wrote to memory of 368 4840 Astro_Tweaks_1.0.exe 106 PID 4840 wrote to memory of 4576 4840 Astro_Tweaks_1.0.exe 107 PID 4840 wrote to memory of 4576 4840 Astro_Tweaks_1.0.exe 107 PID 4840 wrote to memory of 3308 4840 Astro_Tweaks_1.0.exe 108 PID 4840 wrote to memory of 3308 4840 Astro_Tweaks_1.0.exe 108 PID 4840 wrote to memory of 4328 4840 Astro_Tweaks_1.0.exe 110 PID 4840 wrote to memory of 4328 4840 Astro_Tweaks_1.0.exe 110 PID 4840 wrote to memory of 3828 4840 Astro_Tweaks_1.0.exe 111 PID 4840 wrote to memory of 3828 4840 Astro_Tweaks_1.0.exe 111 PID 4840 wrote to memory of 2080 4840 Astro_Tweaks_1.0.exe 112 PID 4840 wrote to memory of 2080 4840 Astro_Tweaks_1.0.exe 112 PID 4840 wrote to memory of 1520 4840 Astro_Tweaks_1.0.exe 113 PID 4840 wrote to memory of 1520 4840 Astro_Tweaks_1.0.exe 113 PID 4840 wrote to memory of 3520 4840 Astro_Tweaks_1.0.exe 114 PID 4840 wrote to memory of 3520 4840 Astro_Tweaks_1.0.exe 114 PID 4840 wrote to memory of 2516 4840 Astro_Tweaks_1.0.exe 115 PID 4840 wrote to memory of 2516 4840 Astro_Tweaks_1.0.exe 115 PID 4840 wrote to memory of 3592 4840 Astro_Tweaks_1.0.exe 116 PID 4840 wrote to memory of 3592 4840 Astro_Tweaks_1.0.exe 116 PID 4840 wrote to memory of 3964 4840 Astro_Tweaks_1.0.exe 117 PID 4840 wrote to memory of 3964 4840 Astro_Tweaks_1.0.exe 117 PID 4840 wrote to memory of 248 4840 Astro_Tweaks_1.0.exe 118 PID 4840 wrote to memory of 248 4840 Astro_Tweaks_1.0.exe 118 PID 4840 wrote to memory of 1124 4840 Astro_Tweaks_1.0.exe 119 PID 4840 wrote to memory of 1124 4840 Astro_Tweaks_1.0.exe 119 PID 4840 wrote to memory of 1980 4840 Astro_Tweaks_1.0.exe 120 PID 4840 wrote to memory of 1980 4840 Astro_Tweaks_1.0.exe 120 PID 4840 wrote to memory of 2528 4840 Astro_Tweaks_1.0.exe 121 PID 4840 wrote to memory of 2528 4840 Astro_Tweaks_1.0.exe 121 PID 4840 wrote to memory of 2856 4840 Astro_Tweaks_1.0.exe 122 PID 4840 wrote to memory of 2856 4840 Astro_Tweaks_1.0.exe 122 PID 4840 wrote to memory of 2444 4840 Astro_Tweaks_1.0.exe 123 PID 4840 wrote to memory of 2444 4840 Astro_Tweaks_1.0.exe 123 PID 4840 wrote to memory of 864 4840 Astro_Tweaks_1.0.exe 125 PID 4840 wrote to memory of 864 4840 Astro_Tweaks_1.0.exe 125 PID 4840 wrote to memory of 4872 4840 Astro_Tweaks_1.0.exe 126 PID 4840 wrote to memory of 4872 4840 Astro_Tweaks_1.0.exe 126 -
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\Astro_Tweaks_1.0.exe"C:\Users\Admin\AppData\Local\Temp\Astro_Tweaks_1.0.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:3916 -
C:\Users\Admin\AppData\Local\Temp\Astro_Tweaks_1.0.exe"C:\Users\Admin\AppData\Local\Temp\Astro_Tweaks_1.0.exe"2⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4840 -
C:\Windows\SYSTEM32\curl.execurl -g -k -L -# -o C:\AV1.ico https://cdn.discordapp.com/attachments/1182472890684276766/1241235666080239747/AV1.ico?ex=6649764b&is=664824cb&hm=a662dec9966b3b0991606895a313d7677eda0aaa9a51339f4c4ee52a9a7326df&3⤵PID:4272
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -ExecutionPolicy Bypass -Command "Checkpoint-Computer -Description 'AV1' -RestorePointType 'MODIFY_SETTINGS'"3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1308
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "Reg.exe add "HKLM\System\CurrentControlSet\Services\VxD\BIOS" /v "CPUPriority" /t REG_DWORD /d "1" /f"3⤵PID:3324
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\System\CurrentControlSet\Services\VxD\BIOS" /v "CPUPriority" /t REG_DWORD /d "1" /f4⤵PID:4832
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "Reg.exe add "HKLM\System\CurrentControlSet\Services\VxD\BIOS" /v "FastDRAM" /t REG_DWORD /d "1" /f"3⤵PID:4216
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\System\CurrentControlSet\Services\VxD\BIOS" /v "FastDRAM" /t REG_DWORD /d "1" /f4⤵PID:3892
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "Reg.exe add "HKLM\System\CurrentControlSet\Services\VxD\BIOS" /v "AGPConcur" /t REG_DWORD /d "1" /f"3⤵PID:1272
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\System\CurrentControlSet\Services\VxD\BIOS" /v "AGPConcur" /t REG_DWORD /d "1" /f4⤵PID:2708
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "Reg.exe add "HKLM\System\CurrentControlSet\Services\VxD\BIOS" /v "CPUPriority" /t REG_DWORD /d "1" /f"3⤵PID:1468
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\System\CurrentControlSet\Services\VxD\BIOS" /v "CPUPriority" /t REG_DWORD /d "1" /f4⤵PID:5468
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "Reg.exe add "HKLM\System\CurrentControlSet\Services\VxD\BIOS" /v "FastDRAM" /t REG_DWORD /d "1" /f"3⤵PID:1628
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\System\CurrentControlSet\Services\VxD\BIOS" /v "FastDRAM" /t REG_DWORD /d "1" /f4⤵PID:5164
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "Reg.exe add "HKLM\System\CurrentControlSet\Services\VxD\BIOS" /v "PCIConcur" /t REG_DWORD /d "1" /f"3⤵PID:4652
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\System\CurrentControlSet\Services\VxD\BIOS" /v "PCIConcur" /t REG_DWORD /d "1" /f4⤵PID:5428
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "timeout /t 1 /nobreak > NUL"3⤵PID:3136
-
C:\Windows\system32\timeout.exetimeout /t 1 /nobreak4⤵
- Delays execution with timeout.exe
PID:5260
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "bcdedit /set tscsyncpolicy legacy"3⤵PID:1704
-
C:\Windows\system32\bcdedit.exebcdedit /set tscsyncpolicy legacy4⤵
- Modifies boot configuration data using bcdedit
PID:5196
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "echo tscsyncpolicy legacy"3⤵PID:3476
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "timeout /t 1 /nobreak > NUL"3⤵PID:8
-
C:\Windows\system32\timeout.exetimeout /t 1 /nobreak4⤵
- Delays execution with timeout.exe
PID:5384
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "bcdedit /set hypervisorlaunchtype off"3⤵PID:368
-
C:\Windows\system32\bcdedit.exebcdedit /set hypervisorlaunchtype off4⤵
- Modifies boot configuration data using bcdedit
PID:5612
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "echo Disable Hyper-V"3⤵PID:4576
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "timeout /t 1 /nobreak > NUL"3⤵PID:3308
-
C:\Windows\system32\timeout.exetimeout /t 1 /nobreak4⤵
- Delays execution with timeout.exe
PID:5588
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "bcdedit /set linearaddress57 OptOut"3⤵PID:4328
-
C:\Windows\system32\bcdedit.exebcdedit /set linearaddress57 OptOut4⤵
- Modifies boot configuration data using bcdedit
PID:5620
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "bcdedit /set increaseuserva 268435328"3⤵PID:3828
-
C:\Windows\system32\bcdedit.exebcdedit /set increaseuserva 2684353284⤵
- Modifies boot configuration data using bcdedit
PID:5776
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "echo Linear Address 57"3⤵PID:2080
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "timeout /t 1 /nobreak > NUL"3⤵PID:1520
-
C:\Windows\system32\timeout.exetimeout /t 1 /nobreak4⤵
- Delays execution with timeout.exe
PID:4832
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "bcdedit /set isolatedcontext No"3⤵PID:3520
-
C:\Windows\system32\bcdedit.exebcdedit /set isolatedcontext No4⤵
- Modifies boot configuration data using bcdedit
PID:5596
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "bcdedit /set allowedinmemorysettings 0x0"3⤵PID:2516
-
C:\Windows\system32\bcdedit.exebcdedit /set allowedinmemorysettings 0x04⤵
- Modifies boot configuration data using bcdedit
PID:5184
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "echo Kernel memory mitigations"3⤵PID:3592
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "timeout /t 1 /nobreak > NUL"3⤵PID:3964
-
C:\Windows\system32\timeout.exetimeout /t 1 /nobreak4⤵
- Delays execution with timeout.exe
PID:5544
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "bcdedit /set vsmlaunchtype Off"3⤵PID:248
-
C:\Windows\system32\bcdedit.exebcdedit /set vsmlaunchtype Off4⤵
- Modifies boot configuration data using bcdedit
PID:5560
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "bcdedit /set vm No"3⤵PID:1124
-
C:\Windows\system32\bcdedit.exebcdedit /set vm No4⤵
- Modifies boot configuration data using bcdedit
PID:5172
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "Reg.exe add "HKLM\Software\Policies\Microsoft\FVE" /v "DisableExternalDMAUnderLock" /t REG_DWORD /d "0" /f"3⤵PID:1980
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\Software\Policies\Microsoft\FVE" /v "DisableExternalDMAUnderLock" /t REG_DWORD /d "0" /f4⤵PID:5784
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "Reg.exe add "HKLM\Software\Policies\Microsoft\Windows\DeviceGuard" /v "EnableVirtualizationBasedSecurity" /t REG_DWORD /d "0" /f"3⤵PID:2528
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\Software\Policies\Microsoft\Windows\DeviceGuard" /v "EnableVirtualizationBasedSecurity" /t REG_DWORD /d "0" /f4⤵PID:5448
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "Reg.exe add "HKLM\Software\Policies\Microsoft\Windows\DeviceGuard" /v "HVCIMATRequired" /t REG_DWORD /d "0" /f"3⤵PID:2856
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\Software\Policies\Microsoft\Windows\DeviceGuard" /v "HVCIMATRequired" /t REG_DWORD /d "0" /f4⤵PID:5456
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "echo DMA memory protection and cores isolation"3⤵PID:2444
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "timeout /t 1 /nobreak > NUL"3⤵PID:864
-
C:\Windows\system32\timeout.exetimeout /t 1 /nobreak4⤵
- Delays execution with timeout.exe
PID:5628
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "bcdedit /set x2apicpolicy Enable"3⤵PID:4872
-
C:\Windows\system32\bcdedit.exebcdedit /set x2apicpolicy Enable4⤵
- Modifies boot configuration data using bcdedit
PID:5536
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "bcdedit /set uselegacyapicmode No"3⤵PID:3480
-
C:\Windows\system32\bcdedit.exebcdedit /set uselegacyapicmode No4⤵
- Modifies boot configuration data using bcdedit
PID:5376
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "echo Enable X2Apic"3⤵PID:3272
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "timeout /t 1 /nobreak > NUL"3⤵PID:4080
-
C:\Windows\system32\timeout.exetimeout /t 1 /nobreak4⤵
- Delays execution with timeout.exe
PID:5408
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "bcdedit /set configaccesspolicy Default"3⤵PID:2476
-
C:\Windows\system32\bcdedit.exebcdedit /set configaccesspolicy Default4⤵
- Modifies boot configuration data using bcdedit
PID:5312
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "bcdedit /set MSI Default"3⤵PID:4540
-
C:\Windows\system32\bcdedit.exebcdedit /set MSI Default4⤵
- Modifies boot configuration data using bcdedit
PID:5656
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "bcdedit /set usephysicaldestination No"3⤵PID:1324
-
C:\Windows\system32\bcdedit.exebcdedit /set usephysicaldestination No4⤵
- Modifies boot configuration data using bcdedit
PID:5604
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "bcdedit /set usefirmwarepcisettings No"3⤵PID:2928
-
C:\Windows\system32\bcdedit.exebcdedit /set usefirmwarepcisettings No4⤵
- Modifies boot configuration data using bcdedit
PID:5552
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "powershell -Command "Add-Type -AssemblyName PresentationFramework;[System.Windows.MessageBox]::Show('DONE!')""3⤵PID:4940
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Add-Type -AssemblyName PresentationFramework;[System.Windows.MessageBox]::Show('DONE!')"4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5572
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "Reg.exe add "HKCU\SOFTWARE\NVIDIA Corporation\Global\NVTweak\Devices\509901423-0\Color" /v "NvCplUseColorCorrection" /t REG_DWORD /d "0" /f"3⤵PID:5844
-
C:\Windows\system32\reg.exeReg.exe add "HKCU\SOFTWARE\NVIDIA Corporation\Global\NVTweak\Devices\509901423-0\Color" /v "NvCplUseColorCorrection" /t REG_DWORD /d "0" /f4⤵PID:3800
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\GraphicsDrivers" /v "PlatformSupportMiracast" /t REG_DWORD /d "0" /f"3⤵PID:5852
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\GraphicsDrivers" /v "PlatformSupportMiracast" /t REG_DWORD /d "0" /f4⤵PID:2580
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\nvlddmkm\FTS" /v EnableRID73779 /t REG_DWORD /d 1 /f"3⤵PID:5860
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\nvlddmkm\FTS" /v EnableRID73779 /t REG_DWORD /d 1 /f4⤵PID:1916
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\nvlddmkm\FTS" /v EnableRID73780 /t REG_DWORD /d 1 /f"3⤵PID:5868
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\nvlddmkm\FTS" /v EnableRID73780 /t REG_DWORD /d 1 /f4⤵PID:2212
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\nvlddmkm\FTS" /v EnableRID74361 /t REG_DWORD /d 1 /f"3⤵PID:5876
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\nvlddmkm\FTS" /v EnableRID74361 /t REG_DWORD /d 1 /f4⤵PID:3496
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "Reg.exe add "HKLM\SOFTWARE\NVIDIA Corporation\Global\FTS" /v EnableRID44231 /t REG_DWORD /d 0 /f"3⤵PID:5892
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SOFTWARE\NVIDIA Corporation\Global\FTS" /v EnableRID44231 /t REG_DWORD /d 0 /f4⤵PID:5556
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "Reg.exe add "HKLM\SOFTWARE\NVIDIA Corporation\Global\FTS" /v EnableRID64640 /t REG_DWORD /d 0 /f"3⤵PID:5900
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SOFTWARE\NVIDIA Corporation\Global\FTS" /v EnableRID64640 /t REG_DWORD /d 0 /f4⤵PID:720
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "Reg.exe add "HKLM\SOFTWARE\NVIDIA Corporation\Global\FTS" /v EnableRID66610 /t REG_DWORD /d 0 /f"3⤵PID:5908
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SOFTWARE\NVIDIA Corporation\Global\FTS" /v EnableRID66610 /t REG_DWORD /d 0 /f4⤵PID:2168
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "Reg.exe add "HKLM\SOFTWARE\NVIDIA Corporation\NvControlPanel2\Client" /v OptInOrOutPreference /t REG_DWORD /d 0 /f"3⤵PID:5916
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SOFTWARE\NVIDIA Corporation\NvControlPanel2\Client" /v OptInOrOutPreference /t REG_DWORD /d 0 /f4⤵PID:2108
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "Reg.exe add "HKLM\SYSTEM\CurrentControlSet\services\NvTelemetryContainer" /v Start /t REG_DWORD /d 4 /f"3⤵PID:5932
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\CurrentControlSet\services\NvTelemetryContainer" /v Start /t REG_DWORD /d 4 /f4⤵PID:5700
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\nvlddmkm\Global\Startup" /v SendTelemetryData /t REG_DWORD /d 0 /f"3⤵PID:5940
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\nvlddmkm\Global\Startup" /v SendTelemetryData /t REG_DWORD /d 0 /f4⤵PID:4944
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "Reg.exe add "HKLM\SOFTWARE\NVIDIA Corporation\Global\Startup\SendTelemetryData" /v 0 /t REG_DWORD /d 0 /f"3⤵PID:5948
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SOFTWARE\NVIDIA Corporation\Global\Startup\SendTelemetryData" /v 0 /t REG_DWORD /d 0 /f4⤵PID:5624
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\Scheduler" /v "PlatformSupportMiracast" /t REG_DWORD /d "0" /f"3⤵PID:5956
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\Scheduler" /v "PlatformSupportMiracast" /t REG_DWORD /d "0" /f4⤵PID:2612
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\GraphicsDrivers" /v "RmGpsPsEnablePerCpuCoreDpc" /t REG_DWORD /d "1" /f"3⤵PID:5964
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\GraphicsDrivers" /v "RmGpsPsEnablePerCpuCoreDpc" /t REG_DWORD /d "1" /f4⤵PID:1648
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\Power" /v "RmGpsPsEnablePerCpuCoreDpc" /t REG_DWORD /d "1" /f"3⤵PID:5972
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\Power" /v "RmGpsPsEnablePerCpuCoreDpc" /t REG_DWORD /d "1" /f4⤵PID:5580
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\Scheduler" /v "RMDisablePostL2Compression" /t REG_DWORD /d "1" /f"3⤵PID:5980
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\Scheduler" /v "RMDisablePostL2Compression" /t REG_DWORD /d "1" /f4⤵PID:1000
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\Scheduler" /v "RmDisableRegistryCaching" /t REG_DWORD /d "1" /f"3⤵PID:5988
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\Scheduler" /v "RmDisableRegistryCaching" /t REG_DWORD /d "1" /f4⤵PID:5132
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\Scheduler" /v "RmGpsPsEnablePerCpuCoreDpc" /t REG_DWORD /d "1" /f"3⤵PID:5996
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\Scheduler" /v "RmGpsPsEnablePerCpuCoreDpc" /t REG_DWORD /d "1" /f4⤵PID:5600
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000" /v "DesktopStereoShortcuts" /t REG_DWORD /d "0" /f"3⤵PID:6004
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000" /v "DesktopStereoShortcuts" /t REG_DWORD /d "0" /f4⤵PID:4576
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000" /v "FeatureControl" /t REG_DWORD /d "4" /f"3⤵PID:6012
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000" /v "FeatureControl" /t REG_DWORD /d "4" /f4⤵PID:4608
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000" /v "NVDeviceSupportKFilter" /t REG_DWORD /d "0" /f"3⤵PID:6028
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000" /v "NVDeviceSupportKFilter" /t REG_DWORD /d "0" /f4⤵PID:5536
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000" /v "RmCacheLoc" /t REG_DWORD /d "0" /f"3⤵PID:6044
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000" /v "RmCacheLoc" /t REG_DWORD /d "0" /f4⤵PID:4404
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "powershell -Command "Add-Type -AssemblyName PresentationFramework;[System.Windows.MessageBox]::Show('DONE!')""3⤵PID:6052
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Add-Type -AssemblyName PresentationFramework;[System.Windows.MessageBox]::Show('DONE!')"4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2516
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "Reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search" /v "AllowCortana" /t REG_DWORD /d "0" /f"3⤵PID:2340
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search" /v "AllowCortana" /t REG_DWORD /d "0" /f4⤵PID:3336
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "Reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search" /v "AllowCloudSearch" /t REG_DWORD /d "0" /f"3⤵PID:4980
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search" /v "AllowCloudSearch" /t REG_DWORD /d "0" /f4⤵PID:792
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "Reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search" /v "AllowCortanaAboveLock" /t REG_DWORD /d "0" /f"3⤵PID:2560
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search" /v "AllowCortanaAboveLock" /t REG_DWORD /d "0" /f4⤵PID:5400
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "Reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search" /v "AllowSearchToUseLocation" /t REG_DWORD /d "0" /f"3⤵PID:1984
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search" /v "AllowSearchToUseLocation" /t REG_DWORD /d "0" /f4⤵PID:5800
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "Reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search" /v "ConnectedSearchUseWeb" /t REG_DWORD /d "0" /f"3⤵PID:5392
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search" /v "ConnectedSearchUseWeb" /t REG_DWORD /d "0" /f4⤵PID:4664
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "Reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search" /v "ConnectedSearchUseWebOverMeteredConnections" /t REG_DWORD /d "0" /f"3⤵PID:5320
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search" /v "ConnectedSearchUseWebOverMeteredConnections" /t REG_DWORD /d "0" /f4⤵PID:1548
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "Reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search" /v "DisableWebSearch" /t REG_DWORD /d "0" /f"3⤵PID:1504
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search" /v "DisableWebSearch" /t REG_DWORD /d "0" /f4⤵PID:4996
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "Powershell -Command "Get-appxpackage -allusers *Microsoft.549981C3F5F10* | Remove-AppxPackage""3⤵PID:2332
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowershell -Command "Get-appxpackage -allusers *Microsoft.549981C3F5F10* | Remove-AppxPackage"4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4680
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "powershell -Command "Add-Type -AssemblyName PresentationFramework;[System.Windows.MessageBox]::Show('DONE!')""3⤵PID:3484
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Add-Type -AssemblyName PresentationFramework;[System.Windows.MessageBox]::Show('DONE!')"4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4896
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\GameDVR" /v AppCaptureEnabled /t REG_DWORD /d 0 /f"3⤵PID:5840
-
C:\Windows\system32\reg.exereg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\GameDVR" /v AppCaptureEnabled /t REG_DWORD /d 0 /f4⤵PID:2268
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "reg add "HKEY_CURRENT_USER\System\GameConfigStore" /v GameDVR_Enabled /t REG_DWORD /d 0 /f"3⤵PID:2788
-
C:\Windows\system32\reg.exereg add "HKEY_CURRENT_USER\System\GameConfigStore" /v GameDVR_Enabled /t REG_DWORD /d 0 /f4⤵PID:4924
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "powershell -Command "Add-Type -AssemblyName PresentationFramework;[System.Windows.MessageBox]::Show('DONE!')""3⤵PID:5052
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Add-Type -AssemblyName PresentationFramework;[System.Windows.MessageBox]::Show('DONE!')"4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4684
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Themes\Personalize" /v "EnableTransparency" /t REG_DWORD /d "0" /f"3⤵PID:5988
-
C:\Windows\system32\reg.exereg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Themes\Personalize" /v "EnableTransparency" /t REG_DWORD /d "0" /f4⤵PID:5980
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Themes\Personalize" /v "AppsUseLightTheme" /t REG_DWORD /d 0 /f"3⤵PID:3592
-
C:\Windows\system32\reg.exereg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Themes\Personalize" /v "AppsUseLightTheme" /t REG_DWORD /d 0 /f4⤵PID:4276
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Themes\Personalize" /v "SystemUsesLightTheme" /t REG_DWORD /d 0 /f"3⤵PID:5208
-
C:\Windows\system32\reg.exereg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Themes\Personalize" /v "SystemUsesLightTheme" /t REG_DWORD /d 0 /f4⤵PID:5520
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "powershell -Command "Add-Type -AssemblyName PresentationFramework;[System.Windows.MessageBox]::Show('DONE!')""3⤵PID:720
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Add-Type -AssemblyName PresentationFramework;[System.Windows.MessageBox]::Show('DONE!')"4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4056
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "bcdedit /set allowedinmemorysettings 0x0"3⤵PID:3212
-
C:\Windows\system32\bcdedit.exebcdedit /set allowedinmemorysettings 0x04⤵
- Modifies boot configuration data using bcdedit
PID:2440
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "bcdedit /set isolatedcontext No"3⤵PID:5596
-
C:\Windows\system32\bcdedit.exebcdedit /set isolatedcontext No4⤵
- Modifies boot configuration data using bcdedit
PID:5364
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\kernel" /v "DistributeTimers" /t REG_DWORD /d "1" /f"3⤵PID:5864
-
C:\Windows\system32\reg.exereg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\kernel" /v "DistributeTimers" /t REG_DWORD /d "1" /f4⤵PID:5176
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\kernel" /v "DisableTsx" /t REG_DWORD /d "0" /f"3⤵PID:2568
-
C:\Windows\system32\reg.exereg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\kernel" /v "DisableTsx" /t REG_DWORD /d "0" /f4⤵PID:4388
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "reg add "HKLM\SYSTEM\CurrentControlSet\Control\Power\PowerThrottling" /v "PowerThrottlingOff" /t REG_DWORD /d "1" /f"3⤵PID:4428
-
C:\Windows\system32\reg.exereg add "HKLM\SYSTEM\CurrentControlSet\Control\Power\PowerThrottling" /v "PowerThrottlingOff" /t REG_DWORD /d "1" /f4⤵PID:5744
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power" /v "CoalescingTimerInterval" /t REG_DWORD /d "0" /f"3⤵PID:5904
-
C:\Windows\system32\reg.exereg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power" /v "CoalescingTimerInterval" /t REG_DWORD /d "0" /f4⤵PID:2476
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "reg add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "EnergyEstimationEnabled" /t REG_DWORD /d "0" /f"3⤵PID:5460
-
C:\Windows\system32\reg.exereg add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "EnergyEstimationEnabled" /t REG_DWORD /d "0" /f4⤵PID:3980
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "reg add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "EventProcessorEnabled" /t REG_DWORD /d "0" /f"3⤵PID:1400
-
C:\Windows\system32\reg.exereg add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "EventProcessorEnabled" /t REG_DWORD /d "0" /f4⤵PID:1188
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "powershell -Command "Add-Type -AssemblyName PresentationFramework;[System.Windows.MessageBox]::Show('DONE!')""3⤵PID:5200
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Add-Type -AssemblyName PresentationFramework;[System.Windows.MessageBox]::Show('DONE!')"4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5484
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /s /q /f c:\windows\temp."3⤵PID:2752
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /s /q /f C:\WINDOWS\Prefetch"3⤵PID:3260
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /s /q /f %temp%."3⤵PID:1116
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /s /q /f %systemdrive%\*.tmp"3⤵PID:1132
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /s /q /f %systemdrive%\*._mp"3⤵PID:2724
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /s /q /f %systemdrive%\*.log"3⤵PID:1576
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /s /q /f %systemdrive%\*.gid"3⤵PID:656
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /s /q /f %systemdrive%\*.chk"3⤵PID:5356
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /s /q /f %systemdrive%\*.old"3⤵PID:3500
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /s /q /f %systemdrive%\recycled\*.*"3⤵PID:500
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /s /q /f %systemdrive%\$Recycle.Bin\*.*"3⤵PID:3520
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /s /q /f %windir%\*.bak"3⤵PID:5476
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /s /q /f %windir%\prefetch\*.*"3⤵PID:2176
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /s /q /f %LocalAppData%\Microsoft\Windows\Explorer\thumbcache_*.db"3⤵PID:3028
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /s /q /f %LocalAppData%\Microsoft\Windows\Explorer\*.db"3⤵PID:1720
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f %SystemRoot%\Logs\CBS\CBS.log"3⤵PID:1048
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f %SystemRoot%\Logs\DISM\DISM.log"3⤵PID:1780
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "rd /s /q c:\windows\tempor~1"3⤵PID:5300
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "rd /s /q c:\windows\temp"3⤵PID:792
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "rd /s /q c:\windows\tmp"3⤵PID:2404
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "rd /s /q c:\windows\ff*.tmp"3⤵PID:2708
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "rd /s /q c:\windows\history"3⤵PID:2200
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "rd /s /q c:\windows\cookies"3⤵PID:5780
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "rd /s /q c:\windows\recent"3⤵PID:2528
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "rd /s /q c:\windows\spool\printers"3⤵PID:1732
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "powershell -Command "Add-Type -AssemblyName PresentationFramework;[System.Windows.MessageBox]::Show('DONE!')""3⤵PID:3216
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Add-Type -AssemblyName PresentationFramework;[System.Windows.MessageBox]::Show('DONE!')"4⤵
- Command and Scripting Interpreter: PowerShell
PID:1580
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "Reg.exe add "HKLM\SYSTEM\ControlSet001\Control\PriorityControl" /v "Win32PrioritySeparation" /t REG_DWORD /d "26" /f"3⤵PID:3476
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\ControlSet001\Control\PriorityControl" /v "Win32PrioritySeparation" /t REG_DWORD /d "26" /f4⤵PID:4532
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\PriorityControl" /v "Win32PrioritySeparation" /t REG_DWORD /d "26" /f"3⤵PID:2084
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\PriorityControl" /v "Win32PrioritySeparation" /t REG_DWORD /d "26" /f4⤵PID:3116
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "powershell -Command "Add-Type -AssemblyName PresentationFramework;[System.Windows.MessageBox]::Show('DONE!')""3⤵PID:4088
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Add-Type -AssemblyName PresentationFramework;[System.Windows.MessageBox]::Show('DONE!')"4⤵
- Command and Scripting Interpreter: PowerShell
PID:2580
-
-
-
C:\Windows\SYSTEM32\curl.execurl -g -k -L -# -o %temp%\nvidiaProfileInspector.zip https://github.com/Orbmu2k/nvidiaProfileInspector/releases/latest/download/nvidiaProfileInspector.zip3⤵PID:5932
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -NoProfile Expand-Archive %temp%\nvidiaProfileInspector.zip -DestinationPath C:\AV1\NvidiaProfileInspector\3⤵
- Command and Scripting Interpreter: PowerShell
PID:4296
-
-
C:\Windows\SYSTEM32\curl.execurl -g -k -L -# -o C:\AV1\NvidiaProfileInspector\ruizz.nip https://cdn.discordapp.com/attachments/1182472890684276766/1241203021204164649/av1.nip?ex=664957e4&is=66480664&hm=fd6f5c791cb87f15a8512a041c9c97e9e668a966fb2b550f2448fa7f7f589639&3⤵PID:3812
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "iwr -useb https://christitus.com/win | iex"3⤵
- Command and Scripting Interpreter: PowerShell
PID:3100
-
-
C:\Windows\SYSTEM32\curl.execurl -g -k -L -# -o C:\AV1.png https://drive.google.com/uc?export=download&id=16Eu7SkG8lfW8R6ibU7lg1-mnCF-I6QOU3⤵PID:5740
-
-
C:\Windows\SYSTEM32\reg.exereg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d C:\AV1.png /f3⤵PID:2600
-
-
C:\Windows\SYSTEM32\reg.exereg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f3⤵PID:6024
-
-
C:\Windows\SYSTEM32\RUNDLL32.EXERUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters3⤵PID:4680
-
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:1872
-
C:\Windows\system32\srtasks.exeC:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:21⤵
- Suspicious use of AdjustPrivilegeToken
PID:4852
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
116KB
MD5be8dbe2dc77ebe7f88f910c61aec691a
SHA1a19f08bb2b1c1de5bb61daf9f2304531321e0e40
SHA2564d292623516f65c80482081e62d5dadb759dc16e851de5db24c3cbb57b87db83
SHA5120da644472b374f1da449a06623983d0477405b5229e386accadb154b43b8b083ee89f07c3f04d2c0c7501ead99ad95aecaa5873ff34c5eeb833285b598d5a655
-
Filesize
83KB
MD5223fd6748cae86e8c2d5618085c768ac
SHA1dcb589f2265728fe97156814cbe6ff3303cd05d3
SHA256f81dc49eac5ecc528e628175add2ff6bda695a93ea76671d7187155aa6326abb
SHA5129c22c178417b82e68f71e5b7fe7c0c0a77184ee12bd0dc049373eace7fa66c89458164d124a9167ae760ff9d384b78ca91001e5c151a51ad80c824066b8ecce6
-
Filesize
245KB
MD53055edf761508190b576e9bf904003aa
SHA1f0dc8d882b5cd7955cc6dfc8f9834f70a83c7890
SHA256e4104e47399d3f635a14d649f61250e9fd37f7e65c81ffe11f099923f8532577
SHA51287538fe20bd2c1150a8fefd0478ffd32e2a9c59d22290464bf5dfb917f6ac7ec874f8b1c70d643a4dc3dd32cbe17e7ea40c0be3ea9dd07039d94ab316f752248
-
Filesize
64KB
MD5eedb6d834d96a3dffffb1f65b5f7e5be
SHA1ed6735cfdd0d1ec21c7568a9923eb377e54b308d
SHA25679c4cde23397b9a35b54a3c2298b3c7a844454f4387cb0693f15e4facd227dd2
SHA512527bd7bb2f4031416762595f4ce24cbc6254a50eaf2cc160b930950c4f2b3f5e245a486972148c535f8cd80c78ec6fa8c9a062085d60db8f23d4b21e8ae4c0ad
-
Filesize
156KB
MD505e8b2c429aff98b3ae6adc842fb56a3
SHA1834ddbced68db4fe17c283ab63b2faa2e4163824
SHA256a6e2a5bb7a33ad9054f178786a031a46ea560faeef1fb96259331500aae9154c
SHA512badeb99795b89bc7c1f0c36becc7a0b2ce99ecfd6f6bb493bda24b8e57e6712e23f4c509c96a28bc05200910beddc9f1536416bbc922331cae698e813cbb50b3
-
Filesize
31KB
MD56e0cb85dc94e351474d7625f63e49b22
SHA166737402f76862eb2278e822b94e0d12dcb063c5
SHA2563f57f29abd86d4dc8f4ca6c3f190ebb57d429143d98f0636ff5117e08ed81f9b
SHA5121984b2fc7f9bbdf5ba66716fc60dcfd237f38e2680f2fc61f141ff7e865c0dbdd7cdc47b3bc490b426c6cfe9f3f9e340963abf428ea79eb794b0be7d13001f6a
-
Filesize
81KB
MD5dc06f8d5508be059eae9e29d5ba7e9ec
SHA1d666c88979075d3b0c6fd3be7c595e83e0cb4e82
SHA2567daff6aa3851a913ed97995702a5dfb8a27cb7cf00fb496597be777228d7564a
SHA51257eb36bc1e9be20c85c34b0a535b2349cb13405d60e752016e23603c4648939f1150e4dbebc01ec7b43eb1a6947c182ccb8a806e7e72167ad2e9d98d1fd94ab3
-
Filesize
174KB
MD55b9b3f978d07e5a9d701f832463fc29d
SHA10fcd7342772ad0797c9cb891bf17e6a10c2b155b
SHA256d568b3c99bf0fc35a1f3c5f66b4a9d3b67e23a1d3cf0a4d30499d924d805f5aa
SHA512e4db56c8e0e9ba0db7004463bf30364a4e4ab0b545fb09f40d2dba67b79b6b1c1db07df1f017501e074abd454d1e37a4167f29e7bbb0d4f8958fa0a2e9f4e405
-
Filesize
62KB
MD51df0201667b4718637318dbcdc74a574
SHA1fd44a9b3c525beffbca62c6abe4ba581b9233db2
SHA25670439ee9a05583d1c4575dce3343b2a1884700d9e0264c3ada9701829483a076
SHA512530431e880f2bc193fae53b6c051bc5f62be08d8ca9294f47f18bb3390dcc0914e8e53d953eee2fcf8e1efbe17d98eb60b3583bccc7e3da5e21ca4dc45adfaf4
-
Filesize
1.3MB
MD508332a62eb782d03b959ba64013ac5bc
SHA1b70b6ae91f1bded398ca3f62e883ae75e9966041
SHA2568584f0eb44456a275e3bc69626e3acad595546fd78de21a946b2eb7d6ba02288
SHA512a58e4a096d3ce738f6f93477c9a73ddbfcb4b82d212c0a19c0cf9e07f1e62b2f477a5dd468cd31cc5a13a73b93fa17f64d6b516afef2c56d38ede1ace35cf087
-
Filesize
10KB
MD5d9e0217a89d9b9d1d778f7e197e0c191
SHA1ec692661fcc0b89e0c3bde1773a6168d285b4f0d
SHA256ecf12e2c0a00c0ed4e2343ea956d78eed55e5a36ba49773633b2dfe7b04335c0
SHA5123b788ac88c1f2d682c1721c61d223a529697c7e43280686b914467b3b39e7d6debaff4c0e2f42e9dddb28b522f37cb5a3011e91c66d911609c63509f9228133d
-
Filesize
120KB
MD5bf9a9da1cf3c98346002648c3eae6dcf
SHA1db16c09fdc1722631a7a9c465bfe173d94eb5d8b
SHA2564107b1d6f11d842074a9f21323290bbe97e8eed4aa778fbc348ee09cc4fa4637
SHA5127371407d12e632fc8fb031393838d36e6a1fe1e978ced36ff750d84e183cde6dd20f75074f4597742c9f8d6f87af12794c589d596a81b920c6c62ee2ba2e5654
-
Filesize
5.0MB
MD5e547cf6d296a88f5b1c352c116df7c0c
SHA1cafa14e0367f7c13ad140fd556f10f320a039783
SHA25605fe080eab7fc535c51e10c1bd76a2f3e6217f9c91a25034774588881c3f99de
SHA5129f42edf04c7af350a00fa4fdf92b8e2e6f47ab9d2d41491985b20cd0adde4f694253399f6a88f4bdd765c4f49792f25fb01e84ec03fd5d0be8bb61773d77d74d
-
Filesize
768KB
MD519a2aba25456181d5fb572d88ac0e73e
SHA1656ca8cdfc9c3a6379536e2027e93408851483db
SHA2562e9fbcd8f7fdc13a5179533239811456554f2b3aa2fb10e1b17be0df81c79006
SHA512df17dc8a882363a6c5a1b78ba3cf448437d1118ccc4a6275cc7681551b13c1a4e0f94e30ffb94c3530b688b62bff1c03e57c2c185a7df2bf3e5737a06e114337
-
Filesize
6.6MB
MD53c388ce47c0d9117d2a50b3fa5ac981d
SHA1038484ff7460d03d1d36c23f0de4874cbaea2c48
SHA256c98ba3354a7d1f69bdca42560feec933ccba93afcc707391049a065e1079cddb
SHA512e529c5c1c028be01e44a156cd0e7cad0a24b5f91e5d34697fafc395b63e37780dc0fac8f4c5d075ad8fe4bd15d62a250b818ff3d4ead1e281530a4c7e3ce6d35
-
Filesize
29KB
MD592b440ca45447ec33e884752e4c65b07
SHA15477e21bb511cc33c988140521a4f8c11a427bcc
SHA256680df34fb908c49410ac5f68a8c05d92858acd111e62d1194d15bdce520bd6c3
SHA51240e60e1d1445592c5e8eb352a4052db28b1739a29e16b884b0ba15917b058e66196988214ce473ba158704837b101a13195d5e48cb1dc2f07262dfecfe8d8191
-
Filesize
1.7MB
MD521dc82dd9cc445f92e0172d961162222
SHA173bc20b509e1545b16324480d9620ae25364ebf1
SHA256c2966941f116fab99f48ab9617196b43a5ee2fd94a8c70761bda56cb334daa03
SHA5123051a9d723fb7fc11f228e9f27bd2644ac5a0a95e7992d60c757240577b92fc31fa373987b338e6bc5707317d20089df4b48d1b188225ff370ad2a68d5ff7ba6
-
Filesize
34KB
MD5bd4ff2a1f742d9e6e699eeee5e678ad1
SHA1811ad83aff80131ba73abc546c6bd78453bf3eb9
SHA2566774519f179872ec5292523f2788b77b2b839e15665037e097a0d4edddd1c6fb
SHA512b77e4a68017ba57c06876b21b8110c636f9ba1dd0ba9d7a0c50096f3f6391508cf3562dd94aceaf673113dbd336109da958044aefac0afb0f833a652e4438f43
-
Filesize
21KB
MD508edf746b4a088cb4185c165177bd604
SHA1395cda114f23e513eef4618da39bb86d034124bf
SHA256517204ee436d08efc287abc97433c3bffcaf42ec6592a3009b9fd3b985ad772c
SHA512c1727e265a6b0b54773c886a1bce73512e799ba81a4fceeeb84cdc33f5505a5e0984e96326a78c46bf142bc4652a80e213886f60eb54adf92e4dffe953c87f6b
-
Filesize
1KB
MD5e9117326c06fee02c478027cb625c7d8
SHA12ed4092d573289925a5b71625cf43cc82b901daf
SHA256741859cf238c3a63bbb20ec6ed51e46451372bb221cfff438297d261d0561c2e
SHA512d0a39bc41adc32f2f20b1a0ebad33bf48dfa6ed5cc1d8f92700cdd431db6c794c09d9f08bb5709b394acf54116c3a1e060e2abcc6b503e1501f8364d3eebcd52
-
Filesize
746B
MD5a387908e2fe9d84704c2e47a7f6e9bc5
SHA1f3c08b3540033a54a59cb3b207e351303c9e29c6
SHA25677265723959c092897c2449c5b7768ca72d0efcd8c505bddbb7a84f6aa401339
SHA5127ac804d23e72e40e7b5532332b4a8d8446c6447bb79b4fe32402b13836079d348998ea0659802ab0065896d4f3c06f5866c6b0d90bf448f53e803d8c243bbc63
-
Filesize
25KB
MD5fe92c81bb4acdda00761c695344d5f1e
SHA1a87e1516fbd1f9751ec590273925cbc5284b16bd
SHA2567a103a85413988456c2ad615c879bbcb4d91435bcfbbe23393e0eb52b56af6e2
SHA512c983076e420614d12ab2a7342f6f74dd5dcdad21c7c547f660e73b74b3be487a560abd73213df3f58be3d9dbd061a12d2956ca85a58d7b9d9e40d9fa6e6c25eb
-
Filesize
620B
MD507532085501876dcc6882567e014944c
SHA16bc7a122429373eb8f039b413ad81c408a96cb80
SHA2566a4abd2c519a745325c26fb23be7bbf95252d653a24806eb37fd4aa6a6479afe
SHA5120d604e862f3a1a19833ead99aaf15a9f142178029ab64c71d193cee4901a0196c1eeddc2bce715b7fa958ac45c194e63c77a71e4be4f9aedfd5b44cf2a726e76
-
Filesize
23KB
MD5ddb0ab9842b64114138a8c83c4322027
SHA1eccacdc2ccd86a452b21f3cf0933fd41125de790
SHA256f46ab61cdebe3aa45fa7e61a48930d64a0d0e7e94d04d6bf244f48c36cafe948
SHA512c0cf718258b4d59675c088551060b34ce2bc8638958722583ac2313dc354223bfef793b02f1316e522a14c7ba9bed219531d505de94dc3c417fc99d216a01463
-
Filesize
5KB
MD5c62fb22f4c9a3eff286c18421397aaf4
SHA14a49b8768cff68f2effaf21264343b7c632a51b2
SHA256ddf7e42def37888ad0a564aa4f8ca95f4eec942cebebfca851d35515104d5c89
SHA512558d401cb6af8ce3641af55caebc9c5005ab843ee84f60c6d55afbbc7f7129da9c58c2f55c887c3159107546fa6bc13ffc4cca63ea8841d7160b8aa99161a185
-
Filesize
11KB
MD5215262a286e7f0a14f22db1aa7875f05
SHA166b942ba6d3120ef8d5840fcdeb06242a47491ff
SHA2564b7ed9fd2363d6876092db3f720cbddf97e72b86b519403539ba96e1c815ed8f
SHA5126ecd745d7da9d826240c0ab59023c703c94b158ae48c1410faa961a8edb512976a4f15ae8def099b58719adf0d2a9c37e6f29f54d39c1ab7ee81fa333a60f39b
-
Filesize
1.5MB
MD59fb68a0252e2b6cd99fd0cb6708c1606
SHA160ab372e8473fad0f03801b6719bf5cccfc2592e
SHA256c6ffe2238134478d8cb1c695d57e794516f3790e211ff519f551e335230de7de
SHA512f5de1b1a9dc2d71ae27dfaa7b01e079e4970319b6424b44c47f86360faf0b976ed49dab6ee9f811e766a2684b647711e567cbaa6660f53ba82d724441c4ddd06
-
Filesize
21KB
MD5aeb53f7f1506cdfdfe557f54a76060ce
SHA1ebb3666ee444b91a0d335da19c8333f73b71933b
SHA2561f5dd8d81b26f16e772e92fd2a22accb785004d0ed3447e54f87005d9c6a07a5
SHA512acdad4df988df6b2290fc9622e8eaccc31787fecdc98dcca38519cb762339d4d3fb344ae504b8c7918d6f414f4ad05d15e828df7f7f68f363bec54b11c9b7c43
-
Filesize
18KB
MD5007f42fbcdc57652ac8381f11af7fb67
SHA11bb1b0fcad6f5633d1beb8903112f180b1c4ba7f
SHA25665ba33a1e0b21e8e074780a51189cee6fd9926c85273e9e7633987fc212a17b2
SHA512a27089719adafc48b5abb905e40d0c6a0a2507526223d72c1cff36ab7c15362c6f0b8ee5775181ba1730852802afa64631ee3720e624b630e3274bfb32f6a59a
-
Filesize
10KB
MD5995a0a8f7d0861c268aead5fc95a42ea
SHA121e121cf85e1c4984454237a646e58ec3c725a72
SHA2561264940e62b9a37967925418e9d0dc0befd369e8c181b9bab3d1607e3cc14b85
SHA512db7f5e0bc7d5c5f750e396e645f50a3e0cde61c9e687add0a40d0c1aa304ddfbceeb9f33ad201560c6e2b051f2eded07b41c43d00f14ee435cdeee73b56b93c7
-
Filesize
14KB
MD5804e6dce549b2e541986c0ce9e75e2d1
SHA1c44ee09421f127cf7f4070a9508f22709d06d043
SHA25647c75f9f8348bf8f2c086c57b97b73741218100ca38d10b8abdf2051c95b9801
SHA512029426c4f659848772e6bb1d8182eb03d2b43adf68fcfcc1ea1c2cc7c883685deda3fffda7e071912b9bda616ad7af2e1cb48ce359700c1a22e1e53e81cae34b
-
Filesize
38KB
MD5b7daa21c1c192b8cb5b86cbd7b2ce068
SHA1ae8abf9017f37ccdf5d0d15de66bb124a7482ba0
SHA256312af944a276cdbf1ee00757ef141595670984f7f13e19922c25643a040f5339
SHA512b619e3b8be5ec4545e97b7a7a7f7fecc2aafa58438f9ca3819f644720cf5ff5c44da12ac25988570e595d97cad799f87d93c24d5e67a7a953b9f5312952fbeb6
-
Filesize
5KB
MD5286c01a1b12261bc47f5659fd1627abd
SHA14ca36795cab6dfe0bbba30bb88a2ab71a0896642
SHA256aa4f87e41ac8297f51150f2a9f787607690d01793456b93f0939c54d394731f9
SHA512d54d5a89b7408a9724a1ca1387f6473bdad33885194b2ec5a524c7853a297fd65ce2a57f571c51db718f6a00dce845de8cf5f51698f926e54ed72cdc81bcfe54
-
Filesize
376B
MD58a0517a7a4c70111080ed934329e2bc5
SHA15b465e0d3500a8f04ee1c705662032f44e2ed0d2
SHA256a5d208887a94832328c3a33928a80f3b46aa205c20db4f050a47d940e94071b4
SHA512d9f502a006a5e0514fd61426818ad1f4168e449588f9d383d6b0bf87a18be82c420863a9a28e1beb441284a0b1bc2a0b3d3276a0fe3196341aec15a27920de5d
-
Filesize
8KB
MD5d45202d3d2d052d4c6bfe8d1322aab39
SHA18cdf184ac2e9299b2b2a107a64e9d1803aa298de
SHA2560747a387fdd1b2c7135eceae7b392ed52e1d1ebf3ffa90febe886dbc0981eb74
SHA51227b005f955bae00d15c4492e7bd3ebdc5ee3bf9c164c418198b4bd185709c8810aa6cf76cbcc07eeb4c1d20f8c76ef8df8b219563c18b88c94954c910bff575d
-
Filesize
12KB
MD55249cd1e97e48e3d6dec15e70b9d7792
SHA1612e021ba25b5e512a0dfd48b6e77fc72894a6b9
SHA256eec90404f702d3cfbfaec0f13bf5ed1ebeb736bee12d7e69770181a25401c61f
SHA512e4e0ab15eb9b3118c30cd2ff8e5af87c549eaa9b640ffd809a928d96b4addefb9d25efdd1090fbd0019129cdf355bb2f277bc7194001ba1d2ed4a581110ceafc
-
Filesize
16KB
MD5eaa36f0aa69ae19ddbdd0448fbad9d4d
SHA1eb0adb4f4d937bac2f17480adaf6f948262e754d
SHA256747889c3086c917a34554a9dc495bc0c08a03fd3a5828353ed2a64b97f376835
SHA512c8368f19ec6842ed67073b9fc9c9274107e643324cb23b28c54df63fb720f63b043281b30dbea053d08481b0442a87465f715a8aa0711b01ce83ff7b9f8a4f4c
-
Filesize
34KB
MD59ca5094ed6fe46620abf090bf8e2ae63
SHA160dc3c2e3f69ce5b6db4f2b3a1f3c109d766bc63
SHA256ab88556e349f03baca2d8dc2121071a4f299db86f484cab2d9249ff4c7007564
SHA5120b0c20a754be744a7fa214ba06ab0744a9bc466d51f96310d97ea1e61119a8acfef24e6dc5c4ebdd2c126bf84ace74ffe622e9641c87e5a240dd13d1f7b5e6af
-
Filesize
23KB
MD5184d05201893b2042d3fa6140fcf277c
SHA1aad67797864456749adf0c4a1c0be52f563c8fb8
SHA2561d5e7518afc1382e36bf13fc5196c8a7cd93a4e9d24acf445522564245a489b0
SHA512291bdf793cabc5ec27e8265a8a313fe0f4acab4db6ce507a46488a83eef72cd43cf5815762b22d1c8d64a9eedea927e109f937e6573058e5493b1354dd449cb3
-
Filesize
2KB
MD5d4bf1af5dcdd85e3bd11dbf52eb2c146
SHA1b1691578041319e671d31473a1dd404855d2038b
SHA256e38a9d1f437981aa6bf0bdd074d57b769a4140c0f7d9aff51743fe4ecc6dfddf
SHA51225834b4b231f4ff1a88eef67e1a102d1d0546ec3b0d46856258a6be6bbc4b381389c28e2eb60a01ff895df24d6450cd16ca449c71f82ba53ba438a4867a47dcd
-
Filesize
4KB
MD51a799fe3754307a5aade98c367e2f5d7
SHA1c64be4b77f0d298610f4ee20fcebbaee3c8b5f22
SHA2565b33f32b0139663347d6cf70a5a838f8e4554e0e881e97c8478b77733162ea73
SHA51289f367f9a59730bcdfc5abde0e35a10b72a1f19c68a768ba4524c938ef5c5caf094c1bfa8fc74173f65201f6617544223c2143252a9f691ee9aaa7543315179f
-
Filesize
5KB
MD580331fcbe4c049ff1a0d0b879cb208de
SHA14eb3efdfe3731bd1ae9fd52ce32b1359241f13cf
SHA256b94c319e5a557a5665b1676d602b6495c0887c5bacf7fa5b776200112978bb7b
SHA512a4bd2d91801c121a880225f1f3d0c4e30bf127190cf375f6f7a49eb4239a35c49c44f453d6d3610df0d6a7b3cb15f4e79bd9c129025cc496ceb856fcc4b6de87
-
Filesize
4KB
MD5af45b2c8b43596d1bdeca5233126bd14
SHA1a99e75d299c4579e10fcdd59389b98c662281a26
SHA2562c48343b1a47f472d1a6b9ee8d670ce7fb428db0db7244dc323ff4c7a8b4f64b
SHA512c8a8d01c61774321778ab149f6ca8dda68db69133cb5ba7c91938e4fd564160ecdcec473222affb241304a9acc73a36b134b3a602fd3587c711f2adbb64afa80
-
Filesize
8KB
MD551086bc3315a4ae4a8591a654cfc3cea
SHA12ac08309c63575b7a01fa62d3c262643cd8c823a
SHA2564aa041c050758b3331dc395381f7fbce81e387908fc7a3c6107c4e7140f56f2e
SHA5126d69f7eac9d5af3b3ea85ae3e74bdfa6278789502d5e35efe94349bfc543503be7540d783d2632e349dd53f21074c702ac1fc487ee70c74234a08397f7238723
-
Filesize
1.1MB
MD516be9a6f941f1a2cb6b5fca766309b2c
SHA117b23ae0e6a11d5b8159c748073e36a936f3316a
SHA25610ffd5207eeff5a836b330b237d766365d746c30e01abf0fd01f78548d1f1b04
SHA51264b7ecc58ae7cf128f03a0d5d5428aaa0d4ad4ae7e7d19be0ea819bbbf99503836bfe4946df8ee3ab8a92331fdd002ab9a9de5146af3e86fef789ce46810796b
-
Filesize
143KB
MD5297e845dd893e549146ae6826101e64f
SHA16c52876ea6efb2bc8d630761752df8c0a79542f1
SHA256837efb838cb91428c8c0dfb65d5af1e69823ff1594780eb8c8e9d78f7c4b2fc1
SHA512f6efef5e34ba13f1dfddacfea15f385de91d310d73a6894cabb79c2186accc186c80cef7405658d91517c3c10c66e1acb93e8ad2450d4346f1aa85661b6074c3
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82