Analysis
-
max time kernel
220s -
max time network
202s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
-
submitted
20-08-2024 20:35
General
-
Target
https://cdn.discordapp.com/attachments/898568244867248158/1275147670406692916/EXM_Free_Tweaking_Utility_V5.bat?ex=66c626cf&is=66c4d54f&hm=eff5492c3e8b688f3a2fd0750cf15d58c1aa7eb393be5226ba21ccea3099e7b8&
Score
10/10
Malware Config
Signatures
-
Disables service(s) 3 TTPs
-
Modifies security service 2 TTPs 3 IoCs
-
Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
-
Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs
-
Modifies boot configuration data using bcdedit 1 TTPs 6 IoCs
-
Boot or Logon Autostart Execution: Active Setup 2 TTPs 26 IoCs
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
-
Event Triggered Execution: Image File Execution Options Injection 1 TTPs 64 IoCs
-
Stops running service(s) 4 TTPs
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 3 IoCs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Command and Scripting Interpreter: PowerShell 1 TTPs 52 IoCs
Using powershell.exe command.
-
Indicator Removal: Clear Persistence 1 TTPs 46 IoCs
remove IFEO.
-
Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
-
Maps connected drives based on registry 3 TTPs 6 IoCs
Disk information is often read in order to detect sandboxing environments.
-
Power Settings 1 TTPs 20 IoCs
powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.
-
Remote Services: SMB/Windows Admin Shares 1 TTPs 1 IoCs
Adversaries may use Valid Accounts to interact with a remote network share using Server Message Block (SMB).
-
Drops file in System32 directory 1 IoCs
-
Drops file in Windows directory 63 IoCs
-
Hide Artifacts: Ignore Process Interrupts 1 TTPs 1 IoCs
Command interpreters often include specific commands/flags that ignore errors and other hangups.
-
Launches sc.exe 11 IoCs
Sc.exe is a Windows utlilty to control services on the system.
-
Browser Information Discovery 1 TTPs
Enumerate browser information.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
-
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Checks SCSI registry key(s) 3 TTPs 64 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Delays execution with timeout.exe 45 IoCs
-
Disables Windows logging functionality 2 TTPs
Changes registry settings to disable Windows Event logging.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Modifies Internet Explorer settings 1 TTPs 2 IoCs
-
Modifies registry class 43 IoCs
-
Modifies registry key 1 TTPs 1 IoCs
-
Modifies system certificate store 2 TTPs 3 IoCs
-
NTFS ADS 1 IoCs
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 2 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 64 IoCs
-
Suspicious use of SendNotifyMessage 55 IoCs
-
Suspicious use of SetWindowsHookEx 2 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
System policy modification 1 TTPs 2 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://cdn.discordapp.com/attachments/898568244867248158/1275147670406692916/EXM_Free_Tweaking_Utility_V5.bat?ex=66c626cf&is=66c4d54f&hm=eff5492c3e8b688f3a2fd0750cf15d58c1aa7eb393be5226ba21ccea3099e7b8&1⤵
- Enumerates system info in registry
- Modifies registry class
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd15f846f8,0x7ffd15f84708,0x7ffd15f847182⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2072,13441639313072761097,9646480891867439583,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2084 /prefetch:22⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2072,13441639313072761097,9646480891867439583,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2188 /prefetch:32⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2072,13441639313072761097,9646480891867439583,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2692 /prefetch:82⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,13441639313072761097,9646480891867439583,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3336 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,13441639313072761097,9646480891867439583,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3368 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2072,13441639313072761097,9646480891867439583,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5208 /prefetch:82⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2072,13441639313072761097,9646480891867439583,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5208 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,13441639313072761097,9646480891867439583,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3940 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,13441639313072761097,9646480891867439583,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5476 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2072,13441639313072761097,9646480891867439583,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5684 /prefetch:82⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,13441639313072761097,9646480891867439583,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5696 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,13441639313072761097,9646480891867439583,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5660 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,13441639313072761097,9646480891867439583,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5076 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2072,13441639313072761097,9646480891867439583,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6116 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\Downloads\EXM Free Tweaking Utility V5.bat"1⤵
-
C:\Windows\system32\reg.exeReg.exe add "HKCU\CONSOLE" /v "VirtualTerminalLevel" /t REG_DWORD /d "1" /f2⤵
-
C:\Windows\system32\chcp.comchcp 650012⤵
-
C:\Windows\system32\timeout.exetimeout /t 1 /nobreak2⤵
- Delays execution with timeout.exe
-
C:\Windows\system32\chcp.comchcp 650012⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wmic path Win32_UserAccount where name="Admin" get sid | findstr "S-"2⤵
-
C:\Windows\System32\Wbem\WMIC.exewmic path Win32_UserAccount where name="Admin" get sid3⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\findstr.exefindstr "S-"3⤵
-
C:\Windows\system32\chcp.comchcp 4372⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -NoProfile Enable-ComputerRestore -Drive 'C:\'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\reg.exeReg.exe delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore" /v "RPSessionInterval" /f2⤵
-
C:\Windows\system32\reg.exeReg.exe delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore" /v "DisableConfig" /f2⤵
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\Software\Microsoft\Windows NT\CurrentVersion\SystemRestore" /v "SystemRestorePointCreationFrequency" /t REG_DWORD /d 0 /f2⤵
-
C:\Windows\system32\chcp.comchcp 650012⤵
-
C:\Windows\system32\chcp.comchcp 4372⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "& {Add-Type -AssemblyName System.Windows.Forms; [System.Windows.Forms.MessageBox]::Show('Downloading rescourses (power plan, Nvidia profile inspector & more)', 'Exm Tweaking Utility', 'Ok', [System.Windows.Forms.MessageBoxIcon]::Information);}"2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\curl.execurl -g -k -L -# -o "C:\Users\Admin\AppData\Local\Temp\exm.zip" "https://www.dropbox.com/scl/fi/ol6iglzmy3mp4kho2uow9/EXM-Rescourse-Folder-V5.zip?rlkey=venmttj46rax32s84s4buyeu3&st=lbf90aey&dl=0"2⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -NoProfile Expand-Archive 'C:\Users\Admin\AppData\Local\Temp\exm.zip' -DestinationPath 'C:\exm'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "& {Add-Type -AssemblyName System.Windows.Forms; [System.Windows.Forms.MessageBox]::Show('Downloaded rescourses successfully', 'Exm Tweaking Utility', 'Ok', [System.Windows.Forms.MessageBoxIcon]::Information);}"2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\chcp.comchcp 650012⤵
-
C:\Windows\system32\chcp.comchcp 650012⤵
-
C:\Windows\system32\reg.exeReg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Search" /v "BingSearchEnabled" /t REG_DWORD /d "0" /f2⤵
-
C:\Windows\system32\reg.exeReg.exe add "HKCU\Software\Microsoft\InputPersonalization" /v "RestrictImplicitInkCollection" /t REG_DWORD /d "1" /f2⤵
-
C:\Windows\system32\reg.exeReg.exe add "HKCU\Software\Microsoft\InputPersonalization" /v "RestrictImplicitTextCollection" /t REG_DWORD /d "1" /f2⤵
-
C:\Windows\system32\reg.exeReg.exe add "HKCU\Software\Microsoft\Personalization\Settings" /v "AcceptedPrivacyPolicy" /t REG_DWORD /d "0" /f2⤵
-
C:\Windows\system32\reg.exeReg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\Search" /v "CortanaCapabilities" /t REG_SZ /d "" /f2⤵
-
C:\Windows\system32\reg.exeReg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\Search" /v "IsAssignedAccess" /t REG_DWORD /d "0" /f2⤵
-
C:\Windows\system32\reg.exeReg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\Search" /v "IsWindowsHelloActive" /t REG_DWORD /d "0" /f2⤵
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search" /v "AllowSearchToUseLocation" /t REG_DWORD /d 0 /f2⤵
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search" /v "ConnectedSearchPrivacy" /t REG_DWORD /d 3 /f2⤵
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search" /v "ConnectedSearchSafeSearch" /t REG_DWORD /d 3 /f2⤵
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search" /v "ConnectedSearchUseWeb" /t REG_DWORD /d 0 /f2⤵
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search" /v "ConnectedSearchUseWebOverMeteredConnections" /t REG_DWORD /d 0 /f2⤵
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\Software\Microsoft\PolicyManager\default\Experience\AllowCortana" /v "value" /t REG_DWORD /d "0" /f2⤵
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\Software\Policies\Microsoft\SearchCompanion" /v "DisableContentFileUpdates" /t REG_DWORD /d "1" /f2⤵
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\Software\Policies\Microsoft\Windows\Windows Search" /v "AllowCloudSearch" /t REG_DWORD /d "0" /f2⤵
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\Software\Policies\Microsoft\Windows\Windows Search" /v "AllowCortanaAboveLock" /t REG_DWORD /d "0" /f2⤵
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\Software\Policies\Microsoft\Windows\Windows Search" /v "AllowSearchToUseLocation" /t REG_DWORD /d "0" /f2⤵
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\Software\Policies\Microsoft\Windows\Windows Search" /v "ConnectedSearchPrivacy" /t REG_DWORD /d "3" /f2⤵
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\Software\Policies\Microsoft\Windows\Windows Search" /v "ConnectedSearchUseWeb" /t REG_DWORD /d "0" /f2⤵
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\Software\Policies\Microsoft\Windows\Windows Search" /v "ConnectedSearchUseWebOverMeteredConnections" /t REG_DWORD /d "0" /f2⤵
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\Software\Policies\Microsoft\Windows\Windows Search" /v "DisableWebSearch" /t REG_DWORD /d "1" /f2⤵
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\Software\Policies\Microsoft\Windows\Windows Search" /v "DoNotUseWebResults" /t REG_DWORD /d "1" /f2⤵
-
C:\Windows\system32\reg.exeReg.exe add "HKCU\SOFTWARE\Microsoft\Games" /v "FpsAll" /t REG_DWORD /d "1" /f2⤵
-
C:\Windows\system32\reg.exeReg.exe add "HKCU\SOFTWARE\Microsoft\Games" /v "FpsStatusGames" /t REG_DWORD /d "10" /f2⤵
-
C:\Windows\system32\reg.exeReg.exe add "HKCU\SOFTWARE\Microsoft\Games" /v "FpsStatusGamesAll" /t REG_DWORD /d "4" /f2⤵
-
C:\Windows\system32\reg.exeReg.exe add "HKCU\SOFTWARE\Microsoft\Games" /v "GameFluidity" /t REG_DWORD /d "1" /f2⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wmic path win32_networkadapter get GUID | findstr "{"2⤵
-
C:\Windows\System32\Wbem\WMIC.exewmic path win32_networkadapter get GUID3⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\findstr.exefindstr "{"3⤵
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{5AD9DFCC-84C8-41D4-AB3D-0B17D899546C}" /v InterfaceMetric /t REG_DWORD /d 0000055 /f2⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wmic path win32_networkadapter get GUID | findstr "{"2⤵
-
C:\Windows\System32\Wbem\WMIC.exewmic path win32_networkadapter get GUID3⤵
-
C:\Windows\system32\findstr.exefindstr "{"3⤵
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{5AD9DFCC-84C8-41D4-AB3D-0B17D899546C}" /v TCPNoDelay /t REG_DWORD /d 0000001 /f2⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wmic path win32_networkadapter get GUID | findstr "{"2⤵
-
C:\Windows\System32\Wbem\WMIC.exewmic path win32_networkadapter get GUID3⤵
-
C:\Windows\system32\findstr.exefindstr "{"3⤵
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{5AD9DFCC-84C8-41D4-AB3D-0B17D899546C}" /v TcpAckFrequency /t REG_DWORD /d 0000001 /f2⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wmic path win32_networkadapter get GUID | findstr "{"2⤵
-
C:\Windows\System32\Wbem\WMIC.exewmic path win32_networkadapter get GUID3⤵
-
C:\Windows\system32\findstr.exefindstr "{"3⤵
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{5AD9DFCC-84C8-41D4-AB3D-0B17D899546C}" /v TcpDelAckTicks /t REG_DWORD /d 0000000 /f2⤵
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces" /v "DisableTaskOffload" /t REG_DWORD /d "0" /f2⤵
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters" /v "DisableTaskOffload" /t REG_DWORD /d "0" /f2⤵
-
C:\Windows\system32\netsh.exenetsh int ip set global taskoffload=disabled2⤵
- Event Triggered Execution: Netsh Helper DLL
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power" /v "HiberbootEnabled" /t REG_DWORD /d "0" /f2⤵
-
C:\Windows\system32\powercfg.exepowercfg /h off2⤵
- Power Settings
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "HibernateEnabled" /t REG_DWORD /d "0" /f2⤵
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "SleepReliabilityDetailedDiagnostics" /t REG_DWORD /d "0" /f2⤵
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power" /v "SleepStudyDisabled" /t REG_DWORD /d "1" /f2⤵
-
C:\Windows\system32\bcdedit.exebcdedit /set disabledynamictick yes2⤵
- Modifies boot configuration data using bcdedit
-
C:\Windows\system32\bcdedit.exebcdedit /deletevalue useplatformclock2⤵
- Modifies boot configuration data using bcdedit
-
C:\Windows\system32\bcdedit.exebcdedit /set useplatformtick yes2⤵
- Modifies boot configuration data using bcdedit
-
C:\Windows\system32\fsutil.exefsutil behavior set memoryusage 22⤵
-
C:\Windows\system32\fsutil.exefsutil behavior set mftzone 42⤵
-
C:\Windows\system32\fsutil.exefsutil behavior set disablelastaccess 12⤵
-
C:\Windows\system32\fsutil.exefsutil behavior set disabledeletenotify 02⤵
-
C:\Windows\system32\fsutil.exefsutil behavior set encryptpagingfile 02⤵
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile" /v "NetworkThrottlingIndex" /t REG_DWORD /d "4294967295" /f2⤵
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Low Latency" /v "Affinity" /t REG_DWORD /d "0" /f2⤵
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Low Latency" /v "Background Only" /t REG_SZ /d "False" /f2⤵
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Low Latency" /v "BackgroundPriority" /t REG_DWORD /d "0" /f2⤵
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Low Latency" /v "Clock Rate" /t REG_DWORD /d "10000" /f2⤵
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Low Latency" /v "GPU Priority" /t REG_DWORD /d "8" /f2⤵
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Low Latency" /v "Priority" /t REG_DWORD /d "2" /f2⤵
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Low Latency" /v "Scheduling Category" /t REG_SZ /d "Medium" /f2⤵
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Low Latency" /v "SFIO Priority" /t REG_SZ /d "High" /f2⤵
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Low Latency" /v "Latency Sensitive" /t REG_SZ /d "True" /f2⤵
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Games" /v "Affinity" /t REG_DWORD /d "0" /f2⤵
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Games" /v "Background Only" /t REG_SZ /d "False" /f2⤵
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Games" /v "BackgroundPriority" /t REG_DWORD /d "0" /f2⤵
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Games" /v "Clock Rate" /t REG_DWORD /d "10000" /f2⤵
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Games" /v "GPU Priority" /t REG_DWORD /d "8" /f2⤵
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Games" /v "Priority" /t REG_DWORD /d "2" /f2⤵
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Games" /v "Scheduling Category" /t REG_SZ /d "High" /f2⤵
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Games" /v "SFIO Priority" /t REG_SZ /d "High" /f2⤵
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Games" /v "Latency Sensitive" /t REG_SZ /d "True" /f2⤵
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\PriorityControl" /v "Win32PrioritySeparation" /t REG_DWORD /d "38" /f2⤵
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard" /v "EnableVirtualizationBasedSecurity" /t REG_DWORD /d "0" /f2⤵
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard" /v "HVCIMATRequired" /t REG_DWORD /d "0" /f2⤵
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\kernel" /v "DisableExceptionChainValidation" /t REG_DWORD /d "1" /f2⤵
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\kernel" /v "KernelSEHOPEnabled" /t REG_DWORD /d "0" /f2⤵
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v "EnableCfg" /t REG_DWORD /d "0" /f2⤵
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager" /v "ProtectionMode" /t REG_DWORD /d "0" /f2⤵
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v "FeatureSettings" /t REG_DWORD /d "1" /f2⤵
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v "FeatureSettingsOverride" /t REG_DWORD /d "3" /f2⤵
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v "FeatureSettingsOverrideMask" /t REG_DWORD /d "3" /f2⤵
-
C:\Windows\system32\chcp.comchcp 4372⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell "Remove-Item -Path \"HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\*\" -Recurse -ErrorAction SilentlyContinue"2⤵
- Event Triggered Execution: Image File Execution Options Injection
- Indicator Removal: Clear Persistence
- Hide Artifacts: Ignore Process Interrupts
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\chcp.comchcp 650012⤵
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\PriorityControl" /v "IRQ8Priority" /t REG_DWORD /d "1" /f2⤵
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\ControlSet001\Control\PriorityControl" /v "IRQ8Priority" /t REG_DWORD /d "1" /f2⤵
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\PriorityControl" /v "IRQ16Priority" /t REG_DWORD /d "2" /f2⤵
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\ControlSet001\Control\PriorityControl" /v "IRQ16Priority" /t REG_DWORD /d "2" /f2⤵
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v "LargeSystemCache" /t REG_DWORD /d "1" /f2⤵
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v "DisablePagingExecutive" /t REG_DWORD /d "1" /f2⤵
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\GraphicsDrivers" /v "DpiMapIommuContiguous" /t REG_DWORD /d "1" /f2⤵
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v "MoveImages" /t REG_DWORD /d "0" /f2⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wmic os get TotalVisibleMemorySize2⤵
-
C:\Windows\System32\Wbem\WMIC.exewmic os get TotalVisibleMemorySize3⤵
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\CurrentControlSet\Control" /v "SvcHostSplitThresholdInKB" /t REG_DWORD /d "5217772" /f2⤵
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters" /v "EnablePrefetcher" /t REG_DWORD /d "0" /f2⤵
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters" /v "EnableSuperfetch" /t REG_DWORD /d "0" /f2⤵
-
C:\Windows\system32\reg.exeReg.exe add "HKCU\Control Panel\Desktop" /v "AutoEndTasks" /t REG_SZ /d "1" /f2⤵
-
C:\Windows\system32\reg.exeReg.exe add "HKCU\Control Panel\Desktop" /v "HungAppTimeout" /t REG_SZ /d "1000" /f2⤵
-
C:\Windows\system32\reg.exeReg.exe add "HKCU\Control Panel\Desktop" /v "WaitToKillAppTimeout" /t REG_SZ /d "1000" /f2⤵
-
C:\Windows\system32\reg.exeReg.exe add "HKCU\Control Panel\Desktop" /v "LowLevelHooksTimeout" /t REG_SZ /d "1000" /f2⤵
-
C:\Windows\system32\reg.exeReg.exe add "HKCU\Control Panel\Desktop" /v "MenuShowDelay" /t REG_SZ /d "0" /f2⤵
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\CurrentControlSet\Control" /v "WaitToKillServiceTimeout" /t REG_SZ /d "1000" /f2⤵
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Reliability" /v "TimeStampInterval" /t REG_DWORD /d "1" /f2⤵
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Reliability" /v "IoPriority" /t REG_DWORD /d "3" /f2⤵
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\csrss.exe\PerfOptions" /v "CpuPriorityClass" /t REG_DWORD /d "4" /f2⤵
- Event Triggered Execution: Image File Execution Options Injection
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\csrss.exe\PerfOptions" /v "IoPriority" /t REG_DWORD /d "3" /f2⤵
- Event Triggered Execution: Image File Execution Options Injection
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\DXGKrnl" /v "MonitorLatencyTolerance" /t REG_DWORD /d "1" /f2⤵
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\DXGKrnl" /v "MonitorRefreshLatencyTolerance" /t REG_DWORD /d "1" /f2⤵
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "ExitLatency" /t REG_DWORD /d "1" /f2⤵
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "ExitLatencyCheckEnabled" /t REG_DWORD /d "1" /f2⤵
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "Latency" /t REG_DWORD /d "1" /f2⤵
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "LatencyToleranceDefault" /t REG_DWORD /d "1" /f2⤵
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "LatencyToleranceFSVP" /t REG_DWORD /d "1" /f2⤵
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "LatencyTolerancePerfOverride" /t REG_DWORD /d "1" /f2⤵
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "LatencyToleranceScreenOffIR" /t REG_DWORD /d "1" /f2⤵
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "LatencyToleranceVSyncEnabled" /t REG_DWORD /d "1" /f2⤵
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "RtlCapabilityCheckLatency" /t REG_DWORD /d "1" /f2⤵
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\Power" /v "DefaultD3TransitionLatencyActivelyUsed" /t REG_DWORD /d "1" /f2⤵
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\Power" /v "DefaultD3TransitionLatencyIdleLongTime" /t REG_DWORD /d "1" /f2⤵
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\Power" /v "DefaultD3TransitionLatencyIdleMonitorOff" /t REG_DWORD /d "1" /f2⤵
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\Power" /v "DefaultD3TransitionLatencyIdleNoContext" /t REG_DWORD /d "1" /f2⤵
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\Power" /v "DefaultD3TransitionLatencyIdleShortTime" /t REG_DWORD /d "1" /f2⤵
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\Power" /v "DefaultD3TransitionLatencyIdleVeryLongTime" /t REG_DWORD /d "1" /f2⤵
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\Power" /v "DefaultLatencyToleranceIdle0" /t REG_DWORD /d "1" /f2⤵
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\Power" /v "DefaultLatencyToleranceIdle0MonitorOff" /t REG_DWORD /d "1" /f2⤵
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\Power" /v "DefaultLatencyToleranceIdle1" /t REG_DWORD /d "1" /f2⤵
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\Power" /v "DefaultLatencyToleranceIdle1MonitorOff" /t REG_DWORD /d "1" /f2⤵
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\Power" /v "DefaultLatencyToleranceMemory" /t REG_DWORD /d "1" /f2⤵
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\Power" /v "DefaultLatencyToleranceNoContext" /t REG_DWORD /d "1" /f2⤵
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\Power" /v "DefaultLatencyToleranceNoContextMonitorOff" /t REG_DWORD /d "1" /f2⤵
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\Power" /v "DefaultLatencyToleranceOther" /t REG_DWORD /d "1" /f2⤵
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\Power" /v "DefaultLatencyToleranceTimerPeriod" /t REG_DWORD /d "1" /f2⤵
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\Power" /v "DefaultMemoryRefreshLatencyToleranceActivelyUsed" /t REG_DWORD /d "1" /f2⤵
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\Power" /v "DefaultMemoryRefreshLatencyToleranceMonitorOff" /t REG_DWORD /d "1" /f2⤵
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\Power" /v "DefaultMemoryRefreshLatencyToleranceNoContext" /t REG_DWORD /d "1" /f2⤵
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\Power" /v "Latency" /t REG_DWORD /d "1" /f2⤵
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\Power" /v "MaxIAverageGraphicsLatencyInOneBucket" /t REG_DWORD /d "1" /f2⤵
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\Power" /v "MiracastPerfTrackGraphicsLatency" /t REG_DWORD /d "1" /f2⤵
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\Power" /v "MonitorLatencyTolerance" /t REG_DWORD /d "1" /f2⤵
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\Power" /v "MonitorRefreshLatencyTolerance" /t REG_DWORD /d "1" /f2⤵
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\Power" /v "TransitionLatency" /t REG_DWORD /d "1" /f2⤵
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile" /v "SystemResponsiveness" /t REG_DWORD /d "0" /f2⤵
-
C:\Windows\system32\chcp.comchcp 650012⤵
-
C:\Windows\system32\reg.exeReg.exe add "HKCU\Control Panel\Accessibility\Keyboard Response" /v "Flags" /t REG_SZ /d "122" /f2⤵
-
C:\Windows\system32\reg.exeReg.exe add "HKCU\Control Panel\Accessibility\ToggleKeys" /v "Flags" /t REG_SZ /d "58" /f2⤵
-
C:\Windows\system32\reg.exeReg.exe add "HKCU\Control Panel\Accessibility\StickyKeys" /v "Flags" /t REG_SZ /d "506" /f2⤵
-
C:\Windows\system32\reg.exeReg.exe add "HKCU\Control Panel\Accessibility\MouseKeys" /v "Flags" /t REG_SZ /d "0" /f2⤵
-
C:\Windows\system32\reg.exeReg.exe add "HKCU\Control Panel\Mouse" /v "MouseSpeed" /t REG_SZ /d "0" /f2⤵
-
C:\Windows\system32\reg.exeReg.exe add "HKCU\Control Panel\Mouse" /v "MouseThreshold1" /t REG_SZ /d "0" /f2⤵
-
C:\Windows\system32\reg.exeReg.exe add "HKCU\Control Panel\Mouse" /v "MouseThreshold2" /t REG_SZ /d "0" /f2⤵
-
C:\Windows\system32\reg.exeReg.exe add "HKCU\Control Panel\Mouse" /v "MouseSensitivity" /t REG_SZ /d "10" /f2⤵
-
C:\Windows\system32\reg.exeReg.exe add "HKCU\Control Panel\Keyboard" /v "KeyboardDelay" /t REG_SZ /d "0" /f2⤵
-
C:\Windows\system32\reg.exeReg.exe add "HKCU\Control Panel\Keyboard" /v "KeyboardSpeed" /t REG_SZ /d "31" /f2⤵
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\csrss.exe\PerfOptions" /v "CpuPriorityClass" /t REG_DWORD /d "4" /f2⤵
- Event Triggered Execution: Image File Execution Options Injection
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\csrss.exe\PerfOptions" /v "IoPriority" /t REG_DWORD /d "3" /f2⤵
- Event Triggered Execution: Image File Execution Options Injection
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\mouclass\Parameters" /v "MouseDataQueueSize" /t REG_DWORD /d "32" /f2⤵
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\kbdclass\Parameters" /v "KeyboardDataQueueSize" /t REG_DWORD /d "32" /f2⤵
-
C:\Windows\system32\chcp.comchcp 650012⤵
-
C:\Windows\system32\chcp.comchcp 4372⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePOWERSHELL "$Devices = Get-PnpDevice | ? Status -eq Unknown;foreach ($Device in $Devices) { &\"pnputil\" /remove-device $Device.InstanceId }"2⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\pnputil.exe"C:\Windows\system32\pnputil.exe" /remove-device SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&0000013⤵
- Drops file in Windows directory
- Checks SCSI registry key(s)
-
C:\Windows\system32\pnputil.exe"C:\Windows\system32\pnputil.exe" /remove-device SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&0000023⤵
- Drops file in Windows directory
- Checks SCSI registry key(s)
-
C:\Windows\system32\chcp.comchcp 650012⤵
-
C:\Windows\system32\chcp.comchcp 650012⤵
-
C:\Windows\system32\chcp.comchcp 4372⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "& {Add-Type -AssemblyName System.Windows.Forms; [System.Windows.Forms.MessageBox]::Show('This will apply all tweaks in the windows page', 'Exm Tweaking Utility', 'Ok', [System.Windows.Forms.MessageBoxIcon]::Information);}"2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\chcp.comchcp 650012⤵
-
C:\Windows\system32\schtasks.exeschtasks /end /tn "\Microsoft\Windows\Customer Experience Improvement Program\Consolidator"2⤵
-
C:\Windows\system32\schtasks.exeschtasks /change /tn "\Microsoft\Windows\Customer Experience Improvement Program\Consolidator" /disable2⤵
-
C:\Windows\system32\schtasks.exeschtasks /end /tn "\Microsoft\Windows\Customer Experience Improvement Program\BthSQM"2⤵
-
C:\Windows\system32\schtasks.exeschtasks /change /tn "\Microsoft\Windows\Customer Experience Improvement Program\BthSQM" /disable2⤵
-
C:\Windows\system32\schtasks.exeschtasks /end /tn "\Microsoft\Windows\Customer Experience Improvement Program\KernelCeipTask"2⤵
-
C:\Windows\system32\schtasks.exeschtasks /change /tn "\Microsoft\Windows\Customer Experience Improvement Program\KernelCeipTask" /disable2⤵
-
C:\Windows\system32\schtasks.exeschtasks /end /tn "\Microsoft\Windows\Customer Experience Improvement Program\UsbCeip"2⤵
-
C:\Windows\system32\schtasks.exeschtasks /change /tn "\Microsoft\Windows\Customer Experience Improvement Program\UsbCeip" /disable2⤵
-
C:\Windows\system32\schtasks.exeschtasks /end /tn "\Microsoft\Windows\Customer Experience Improvement Program\Uploader"2⤵
-
C:\Windows\system32\schtasks.exeschtasks /change /tn "\Microsoft\Windows\Customer Experience Improvement Program\Uploader" /disable2⤵
-
C:\Windows\system32\schtasks.exeschtasks /end /tn "\Microsoft\Windows\Application Experience\Microsoft Compatibility Appraiser"2⤵
-
C:\Windows\system32\schtasks.exeschtasks /change /tn "\Microsoft\Windows\Application Experience\Microsoft Compatibility Appraiser" /disable2⤵
-
C:\Windows\system32\schtasks.exeschtasks /end /tn "\Microsoft\Windows\Application Experience\ProgramDataUpdater"2⤵
-
C:\Windows\system32\schtasks.exeschtasks /change /tn "\Microsoft\Windows\Application Experience\ProgramDataUpdater" /disable2⤵
-
C:\Windows\system32\schtasks.exeschtasks /end /tn "\Microsoft\Windows\Application Experience\StartupAppTask"2⤵
-
C:\Windows\system32\schtasks.exeschtasks /change /tn "\Microsoft\Windows\Application Experience\StartupAppTask" /disable2⤵
-
C:\Windows\system32\schtasks.exeschtasks /end /tn "\Microsoft\Windows\DiskDiagnostic\Microsoft-Windows-DiskDiagnosticDataCollector"2⤵
-
C:\Windows\system32\schtasks.exeschtasks /change /tn "\Microsoft\Windows\DiskDiagnostic\Microsoft-Windows-DiskDiagnosticDataCollector" /disable2⤵
-
C:\Windows\system32\schtasks.exeschtasks /end /tn "\Microsoft\Windows\DiskDiagnostic\Microsoft-Windows-DiskDiagnosticResolver"2⤵
-
C:\Windows\system32\schtasks.exeschtasks /change /tn "\Microsoft\Windows\DiskDiagnostic\Microsoft-Windows-DiskDiagnosticResolver" /disable2⤵
-
C:\Windows\system32\schtasks.exeschtasks /end /tn "\Microsoft\Windows\Power Efficiency Diagnostics\AnalyzeSystem"2⤵
-
C:\Windows\system32\schtasks.exeschtasks /change /tn "\Microsoft\Windows\Power Efficiency Diagnostics\AnalyzeSystem" /disable2⤵
-
C:\Windows\system32\schtasks.exeschtasks /end /tn "\Microsoft\Windows\Shell\FamilySafetyMonitor"2⤵
-
C:\Windows\system32\schtasks.exeschtasks /change /tn "\Microsoft\Windows\Shell\FamilySafetyMonitor" /disable2⤵
-
C:\Windows\system32\schtasks.exeschtasks /end /tn "\Microsoft\Windows\Shell\FamilySafetyRefresh"2⤵
-
C:\Windows\system32\schtasks.exeschtasks /change /tn "\Microsoft\Windows\Shell\FamilySafetyRefresh" /disable2⤵
-
C:\Windows\system32\schtasks.exeschtasks /end /tn "\Microsoft\Windows\Shell\FamilySafetyUpload"2⤵
-
C:\Windows\system32\schtasks.exeschtasks /change /tn "\Microsoft\Windows\Shell\FamilySafetyUpload" /disable2⤵
-
C:\Windows\system32\schtasks.exeschtasks /end /tn "\Microsoft\Windows\Autochk\Proxy"2⤵
-
C:\Windows\system32\schtasks.exeschtasks /change /tn "\Microsoft\Windows\Autochk\Proxy" /disable2⤵
-
C:\Windows\system32\schtasks.exeschtasks /end /tn "\Microsoft\Windows\Maintenance\WinSAT"2⤵
-
C:\Windows\system32\schtasks.exeschtasks /change /tn "\Microsoft\Windows\Maintenance\WinSAT" /disable2⤵
-
C:\Windows\system32\schtasks.exeschtasks /end /tn "\Microsoft\Windows\Application Experience\AitAgent"2⤵
-
C:\Windows\system32\schtasks.exeschtasks /change /tn "\Microsoft\Windows\Application Experience\AitAgent" /disable2⤵
-
C:\Windows\system32\schtasks.exeschtasks /end /tn "\Microsoft\Windows\Windows Error Reporting\QueueReporting"2⤵
-
C:\Windows\system32\schtasks.exeschtasks /change /tn "\Microsoft\Windows\Windows Error Reporting\QueueReporting" /disable2⤵
-
C:\Windows\system32\schtasks.exeschtasks /end /tn "\Microsoft\Windows\CloudExperienceHost\CreateObjectTask"2⤵
-
C:\Windows\system32\schtasks.exeschtasks /change /tn "\Microsoft\Windows\CloudExperienceHost\CreateObjectTask" /disable2⤵
-
C:\Windows\system32\schtasks.exeschtasks /end /tn "\Microsoft\Windows\DiskFootprint\Diagnostics"2⤵
-
C:\Windows\system32\schtasks.exeschtasks /change /tn "\Microsoft\Windows\DiskFootprint\Diagnostics" /disable2⤵
-
C:\Windows\system32\schtasks.exeschtasks /end /tn "\Microsoft\Windows\PI\Sqm-Tasks"2⤵
-
C:\Windows\system32\schtasks.exeschtasks /change /tn "\Microsoft\Windows\PI\Sqm-Tasks" /disable2⤵
-
C:\Windows\system32\schtasks.exeschtasks /end /tn "\Microsoft\Windows\NetTrace\GatherNetworkInfo"2⤵
-
C:\Windows\system32\schtasks.exeschtasks /change /tn "\Microsoft\Windows\NetTrace\GatherNetworkInfo" /disable2⤵
-
C:\Windows\system32\schtasks.exeschtasks /end /tn "\Microsoft\Windows\AppID\SmartScreenSpecific"2⤵
-
C:\Windows\system32\schtasks.exeschtasks /change /tn "\Microsoft\Windows\AppID\SmartScreenSpecific" /disable2⤵
-
C:\Windows\system32\schtasks.exeschtasks /end /tn "\Microsoft\Office\OfficeTelemetryAgentFallBack2016"2⤵
-
C:\Windows\system32\schtasks.exeschtasks /change /tn "\Microsoft\Office\OfficeTelemetryAgentFallBack2016" /disable2⤵
-
C:\Windows\system32\schtasks.exeschtasks /end /tn "\Microsoft\Office\OfficeTelemetryAgentLogOn2016"2⤵
-
C:\Windows\system32\schtasks.exeschtasks /change /tn "\Microsoft\Office\OfficeTelemetryAgentLogOn2016" /disable2⤵
-
C:\Windows\system32\schtasks.exeschtasks /end /tn "\Microsoft\Office\OfficeTelemetryAgentLogOn"2⤵
-
C:\Windows\system32\schtasks.exeschtasks /change /TN "\Microsoft\Office\OfficeTelemetryAgentLogOn" /disable2⤵
-
C:\Windows\system32\schtasks.exeschtasks /end /tn "\Microsoftd\Office\OfficeTelemetryAgentFallBack"2⤵
-
C:\Windows\system32\schtasks.exeschtasks /change /TN "\Microsoftd\Office\OfficeTelemetryAgentFallBack" /disable2⤵
-
C:\Windows\system32\schtasks.exeschtasks /end /tn "\Microsoft\Office\Office 15 Subscription Heartbeat"2⤵
-
C:\Windows\system32\schtasks.exeschtasks /change /TN "\Microsoft\Office\Office 15 Subscription Heartbeat" /disable2⤵
-
C:\Windows\system32\schtasks.exeschtasks /end /tn "\Microsoft\Windows\Time Synchronization\ForceSynchronizeTime"2⤵
-
C:\Windows\system32\schtasks.exeschtasks /change /TN "\Microsoft\Windows\Time Synchronization\ForceSynchronizeTime" /disable2⤵
-
C:\Windows\system32\schtasks.exeschtasks /end /tn "\Microsoft\Windows\Time Synchronization\SynchronizeTime"2⤵
-
C:\Windows\system32\schtasks.exeschtasks /change /TN "\Microsoft\Windows\Time Synchronization\SynchronizeTime" /disable2⤵
-
C:\Windows\system32\schtasks.exeschtasks /end /tn "\Microsoft\Windows\WindowsUpdate\Automatic App Update"2⤵
-
C:\Windows\system32\schtasks.exeschtasks /change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /disable2⤵
-
C:\Windows\system32\schtasks.exeschtasks /end /tn "\Microsoft\Windows\Device Information\Device"2⤵
-
C:\Windows\system32\schtasks.exeschtasks /change /TN "\Microsoft\Windows\Device Information\Device" /disable2⤵
-
C:\Windows\system32\timeout.exetimeout /t 1 /nobreak2⤵
- Delays execution with timeout.exe
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\WMI\Autologger\AppModel" /v "Start" /t REG_DWORD /d "0" /f2⤵
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\WMI\Autologger\Cellcore" /v "Start" /t REG_DWORD /d "0" /f2⤵
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\WMI\Autologger\Circular Kernel Context Logger" /v "Start" /t REG_DWORD /d "0" /f2⤵
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\WMI\Autologger\CloudExperienceHostOobe" /v "Start" /t REG_DWORD /d "0" /f2⤵
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\WMI\Autologger\DataMarket" /v "Start" /t REG_DWORD /d "0" /f2⤵
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f2⤵
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "0" /f2⤵
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\WMI\Autologger\DiagLog" /v "Start" /t REG_DWORD /d "0" /f2⤵
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\WMI\Autologger\HolographicDevice" /v "Start" /t REG_DWORD /d "0" /f2⤵
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\WMI\Autologger\iclsClient" /v "Start" /t REG_DWORD /d "0" /f2⤵
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\WMI\Autologger\iclsProxy" /v "Start" /t REG_DWORD /d "0" /f2⤵
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\WMI\Autologger\LwtNetLog" /v "Start" /t REG_DWORD /d "0" /f2⤵
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\WMI\Autologger\Mellanox-Kernel" /v "Start" /t REG_DWORD /d "0" /f2⤵
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\WMI\Autologger\Microsoft-Windows-AssignedAccess-Trace" /v "Start" /t REG_DWORD /d "0" /f2⤵
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\WMI\Autologger\Microsoft-Windows-Setup" /v "Start" /t REG_DWORD /d "0" /f2⤵
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\WMI\Autologger\NBSMBLOGGER" /v "Start" /t REG_DWORD /d "0" /f2⤵
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\WMI\Autologger\PEAuthLog" /v "Start" /t REG_DWORD /d "0" /f2⤵
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\WMI\Autologger\RdrLog" /v "Start" /t REG_DWORD /d "0" /f2⤵
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\WMI\Autologger\ReadyBoot" /v "Start" /t REG_DWORD /d "0" /f2⤵
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\WMI\Autologger\SetupPlatform" /v "Start" /t REG_DWORD /d "0" /f2⤵
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\WMI\Autologger\SetupPlatformTel" /v "Start" /t REG_DWORD /d "0" /f2⤵
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\WMI\Autologger\SocketHeciServer" /v "Start" /t REG_DWORD /d "0" /f2⤵
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\WMI\Autologger\SpoolerLogger" /v "Start" /t REG_DWORD /d "0" /f2⤵
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\WMI\Autologger\SQMLogger" /v "Start" /t REG_DWORD /d "0" /f2⤵
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\WMI\Autologger\TCPIPLOGGER" /v "Start" /t REG_DWORD /d "0" /f2⤵
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\WMI\Autologger\TileStore" /v "Start" /t REG_DWORD /d "0" /f2⤵
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\WMI\Autologger\Tpm" /v "Start" /t REG_DWORD /d "0" /f2⤵
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\WMI\Autologger\TPMProvisioningService" /v "Start" /t REG_DWORD /d "0" /f2⤵
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\WMI\Autologger\UBPM" /v "Start" /t REG_DWORD /d "0" /f2⤵
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\WMI\Autologger\WdiContextLog" /v "Start" /t REG_DWORD /d "0" /f2⤵
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\WMI\Autologger\WFP-IPsec Trace" /v "Start" /t REG_DWORD /d "0" /f2⤵
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\WMI\Autologger\WiFiDriverIHVSession" /v "Start" /t REG_DWORD /d "0" /f2⤵
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\WMI\Autologger\WiFiDriverIHVSessionRepro" /v "Start" /t REG_DWORD /d "0" /f2⤵
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\WMI\Autologger\WiFiSession" /v "Start" /t REG_DWORD /d "0" /f2⤵
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\WMI\Autologger\WinPhoneCritical" /v "Start" /t REG_DWORD /d "0" /f2⤵
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WUDF" /v "LogEnable" /t REG_DWORD /d "0" /f2⤵
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WUDF" /v "LogLevel" /t REG_DWORD /d "0" /f2⤵
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows\CloudContent" /v "DisableThirdPartySuggestions" /t REG_DWORD /d "1" /f2⤵
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows\CloudContent" /v "DisableWindowsConsumerFeatures" /t REG_DWORD /d "1" /f2⤵
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Credssp" /v "DebugLogLevel" /t REG_DWORD /d "0" /f2⤵
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SOFTWARE\Microsoft\PolicyManager\current\device\System" /v "AllowExperimentation" /t REG_DWORD /d "0" /f2⤵
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SOFTWARE\Microsoft\PolicyManager\default\System\AllowExperimentation" /v "value" /t REG_DWORD /d "0" /f2⤵
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Feeds" /v "EnableFeeds" /t REG_DWORD /d "0" /f2⤵
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SOFTWARE\Policies\Microsoft" /v "AllowNewsAndInterests" /t REG_DWORD /d "0" /f2⤵
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows\System" /v "EnableActivityFeed" /t REG_DWORD /d "0" /f2⤵
-
C:\Windows\system32\reg.exeReg.exe add "HKCU\Control Panel\International\User Profile" /v "HttpAcceptLanguageOptOut" /t REG_DWORD /d "1" /f2⤵
-
C:\Windows\system32\reg.exeReg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\AdvertisingInfo" /v "Enabled" /t REG_DWORD /d "0" /f2⤵
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\Software\Policies\Microsoft\Windows\System" /v "EnableActivityFeed" /t REG_DWORD /d "0" /f2⤵
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\Maintenance" /v "MaintenanceDisabled" /t REG_DWORD /d "1" /f2⤵
-
C:\Windows\system32\reg.exeReg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\PushNotifications" /v "ToastEnabled" /t REG_DWORD /d "0" /f2⤵
-
C:\Windows\system32\reg.exeReg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Notifications\Settings" /v "NOC_GLOBAL_SETTING_ALLOW_NOTIFICATION_SOUND" /t REG_DWORD /d "0" /f2⤵
-
C:\Windows\system32\reg.exeReg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Notifications\Settings" /v "NOC_GLOBAL_SETTING_ALLOW_CRITICAL_TOASTS_ABOVE_LOCK" /t REG_DWORD /d "0" /f2⤵
-
C:\Windows\system32\reg.exeReg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Notifications\Settings\QuietHours" /v "Enabled" /t REG_DWORD /d "0" /f2⤵
-
C:\Windows\system32\reg.exeReg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Notifications\Settings\windows.immersivecontrolpanel_cw5n1h2txyewymicrosoft.windows.immersivecontrolpanel" /v "Enabled" /t REG_DWORD /d "0" /f2⤵
-
C:\Windows\system32\reg.exeReg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Notifications\Settings\Windows.SystemToast.AutoPlay" /v "Enabled" /t REG_DWORD /d "0" /f2⤵
-
C:\Windows\system32\reg.exeReg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Notifications\Settings\Windows.SystemToast.LowDisk" /v "Enabled" /t REG_DWORD /d "0" /f2⤵
-
C:\Windows\system32\reg.exeReg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Notifications\Settings\Windows.SystemToast.Print.Notification" /v "Enabled" /t REG_DWORD /d "0" /f2⤵
-
C:\Windows\system32\reg.exeReg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Notifications\Settings\Windows.SystemToast.SecurityAndMaintenance" /v "Enabled" /t REG_DWORD /d "0" /f2⤵
-
C:\Windows\system32\reg.exeReg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Notifications\Settings\Windows.SystemToast.WiFiNetworkManager" /v "Enabled" /t REG_DWORD /d "0" /f2⤵
-
C:\Windows\system32\reg.exeReg.exe add "HKCU\SOFTWARE\Policies\Microsoft\Windows\Explorer" /v "DisableNotificationCenter" /t REG_DWORD /d "1" /f2⤵
-
C:\Windows\system32\reg.exeReg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\BTAGService" /v "Start" /t REG_DWORD /d "4" /f2⤵
-
C:\Windows\system32\reg.exeReg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\bthserv" /v "Start" /t REG_DWORD /d "4" /f2⤵
-
C:\Windows\system32\reg.exeReg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\BthAvctpSvc" /v "Start" /t REG_DWORD /d "4" /f2⤵
-
C:\Windows\system32\reg.exeReg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\BluetoothUserService" /v "Start" /t REG_DWORD /d "4" /f2⤵
-
C:\Windows\system32\sc.exesc stop DiagTrack2⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exesc config DiagTrack start= disabled2⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exesc stop dmwappushservice2⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exesc config dmwappushservice start= disabled2⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exesc stop diagnosticshub.standardcollector.service2⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exesc config diagnosticshub.standardcollector.service start= disabled2⤵
- Launches sc.exe
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting" /v "Disabled" /t REG_DWORD /d "1" /f2⤵
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting" /v "DoReport" /t REG_DWORD /d "0" /f2⤵
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting" /v "LoggingDisabled" /t REG_DWORD /d "1" /f2⤵
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SOFTWARE\Policies\Microsoft\PCHealth\ErrorReporting" /v "DoReport" /t REG_DWORD /d "0" /f2⤵
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SOFTWARE\Microsoft\Windows\Windows Error Reporting" /v "Disabled" /t REG_DWORD /d "1" /f2⤵
-
C:\Windows\system32\reg.exeReg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\SettingSync\Groups\Accessibility" /v "Enabled" /t REG_DWORD /d "0" /f2⤵
-
C:\Windows\system32\reg.exeReg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\SettingSync\Groups\AppSync" /v "Enabled" /t REG_DWORD /d "0" /f2⤵
-
C:\Windows\system32\reg.exeReg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\SettingSync\Groups\BrowserSettings" /v "Enabled" /t REG_DWORD /d "0" /f2⤵
-
C:\Windows\system32\reg.exeReg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\SettingSync\Groups\Credentials" /v "Enabled" /t REG_DWORD /d "0" /f2⤵
-
C:\Windows\system32\reg.exeReg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\SettingSync\Groups\DesktopTheme" /v "Enabled" /t REG_DWORD /d "0" /f2⤵
-
C:\Windows\system32\reg.exeReg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\SettingSync\Groups\Language" /v "Enabled" /t REG_DWORD /d "0" /f2⤵
-
C:\Windows\system32\reg.exeReg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\SettingSync\Groups\PackageState" /v "Enabled" /t REG_DWORD /d "0" /f2⤵
-
C:\Windows\system32\reg.exeReg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\SettingSync\Groups\Personalization" /v "Enabled" /t REG_DWORD /d "0" /f2⤵
-
C:\Windows\system32\reg.exeReg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\SettingSync\Groups\StartLayout" /v "Enabled" /t REG_DWORD /d "0" /f2⤵
-
C:\Windows\system32\reg.exeReg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\SettingSync\Groups\Windows" /v "Enabled" /t REG_DWORD /d "0" /f2⤵
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows\System" /v "EnableSmartScreen" /t REG_DWORD /d "0" /f2⤵
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer" /v "SmartScreenEnabled" /t REG_SZ /d "Off" /f2⤵
-
C:\Windows\system32\reg.exeReg.exe add "HKU\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\AppHost" /v "EnableWebContentEvaluation" /t REG_DWORD /d "0" /f2⤵
-
C:\Windows\system32\reg.exeReg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "PreInstalledAppsEnabled" /t REG_DWORD /d "0" /f2⤵
-
C:\Windows\system32\reg.exeReg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "SilentInstalledAppsEnabled" /t REG_DWORD /d "0" /f2⤵
-
C:\Windows\system32\reg.exeReg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "OemPreInstalledAppsEnabled" /t REG_DWORD /d "0" /f2⤵
-
C:\Windows\system32\reg.exeReg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "ContentDeliveryAllowed" /t REG_DWORD /d "0" /f2⤵
-
C:\Windows\system32\reg.exeReg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "SubscribedContentEnabled" /t REG_DWORD /d "0" /f2⤵
-
C:\Windows\system32\reg.exeReg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "PreInstalledAppsEverEnabled" /t REG_DWORD /d "0"2⤵
-
C:\Windows\system32\reg.exeReg.exe add "HKU\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\BackgroundAccessApplications" /v "GlobalUserDisabled" /t REG_DWORD /d "1" /f2⤵
-
C:\Windows\system32\reg.exeReg.exe add "HKU\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Search" /v "BackgroundAppGlobalToggle" /t REG_DWORD /d "0" /f2⤵
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\bam" /v "Start" /t REG_DWORD /d "4" /f2⤵
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\dam" /v "Start" /t REG_DWORD /d "4" /f2⤵
-
C:\Windows\system32\reg.exeReg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Themes\Personalize" /v "EnableTransparency" /t REG_DWORD /d "0" /f2⤵
-
C:\Windows\system32\reg.exeReg.exe add "HKCU\SOFTWARE\Microsoft\GameBar" /v "AllowAutoGameMode" /t REG_DWORD /d "1" /f2⤵
-
C:\Windows\system32\reg.exeReg.exe add "HKCU\SOFTWARE\Microsoft\GameBar" /v "AutoGameModeEnabled" /t REG_DWORD /d "1" /f2⤵
-
C:\Windows\system32\reg.exeReg.exe add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Privacy" /v "TailoredExperiencesWithDiagnosticDataEnabled" /t REG_DWORD /d "0" /f2⤵
-
C:\Windows\system32\reg.exeReg.exe add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Diagnostics\DiagTrack" /v "ShowedToastAtLevel" /t REG_DWORD /d "1" /f2⤵
-
C:\Windows\system32\reg.exeReg.exe add "HKEY_CURRENT_USER\Software\Microsoft\Input\TIPC" /v "Enabled" /t REG_DWORD /d "0" /f2⤵
-
C:\Windows\system32\reg.exeReg.exe add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\System" /v "UploadUserActivities" /t REG_DWORD /d "0" /f2⤵
-
C:\Windows\system32\reg.exeReg.exe add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\System" /v "PublishUserActivities" /t REG_DWORD /d "0" /f2⤵
-
C:\Windows\system32\reg.exeReg.exe add "HKEY_CURRENT_USER\Control Panel\International\User Profile" /v "HttpAcceptLanguageOptOut" /t REG_DWORD /d "1" /f2⤵
-
C:\Windows\system32\reg.exeReg.exe add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments" /v "SaveZoneInformation" /t REG_DWORD /d "1" /f2⤵
-
C:\Windows\system32\reg.exeReg.exe add "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Diagnostics\Performance" /v "DisableDiagnosticTracing" /t REG_DWORD /d "1" /f2⤵
-
C:\Windows\system32\reg.exeReg.exe add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WDI\{9c5a40da-b965-4fc3-8781-88dd50a6299d}" /v "ScenarioExecutionEnabled" /t REG_DWORD /d "0" /f2⤵
-
C:\Windows\system32\schtasks.exeschtasks /change /tn "\Microsoft\Windows\Application Experience\StartupAppTask" /disable2⤵
-
C:\Windows\system32\schtasks.exeschtasks /end /tn "\Microsoft\Windows\DiskDiagnostic\Microsoft-Windows-DiskDiagnosticDataCollector"2⤵
-
C:\Windows\system32\schtasks.exeschtasks /change /tn "\Microsoft\Windows\DiskDiagnostic\Microsoft-Windows-DiskDiagnosticDataCollector" /disable2⤵
-
C:\Windows\system32\schtasks.exeschtasks /end /tn "\Microsoft\Windows\DiskDiagnostic\Microsoft-Windows-DiskDiagnosticResolver"2⤵
-
C:\Windows\system32\schtasks.exeschtasks /change /tn "\Microsoft\Windows\DiskDiagnostic\Microsoft-Windows-DiskDiagnosticResolver" /disable2⤵
-
C:\Windows\system32\schtasks.exeschtasks /end /tn "\Microsoft\Windows\Power Efficiency Diagnostics\AnalyzeSystem"2⤵
-
C:\Windows\system32\schtasks.exeschtasks /change /tn "\Microsoft\Windows\Power Efficiency Diagnostics\AnalyzeSystem" /disable2⤵
-
C:\Windows\system32\timeout.exetimeout /t 1 /nobreak2⤵
- Delays execution with timeout.exe
-
C:\Windows\system32\chcp.comchcp 4372⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "& {Add-Type -AssemblyName System.Windows.Forms; [System.Windows.Forms.MessageBox]::Show('Note: (After presing "ok" it will open an app called windows update blocker, Disabling Windows Updates will break microsoft store, if you want to use it again simply press "enable" in windows update blocker ', 'Exm Tweaking Utility', 'Ok', [System.Windows.Forms.MessageBoxIcon]::Information);}"2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
-
C:\exm\Windows_Update_Blocker.exeC:\exm\Windows_Update_Blocker.exe2⤵
- Modifies security service
- Event Triggered Execution: Image File Execution Options Injection
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- System policy modification
-
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /change /tn "Microsoft\Windows\WindowsUpdate\Scheduled Start" /disable3⤵
-
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /change /tn "Microsoft\Windows\UpdateOrchestrator\Schedule Maintenance Work" /disable3⤵
-
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /change /tn "Microsoft\Windows\UpdateOrchestrator\Schedule Wake To Work" /disable3⤵
-
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /change /tn "Microsoft\Windows\UpdateOrchestrator\Schedule Work" /disable3⤵
-
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /change /tn "Microsoft\Windows\UpdateOrchestrator\Report policies" /disable3⤵
-
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /change /tn "Microsoft\Windows\UpdateOrchestrator\Schedule Scan" /disable3⤵
-
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /change /tn "Microsoft\Windows\UpdateOrchestrator\Schedule Scan Static Task" /disable3⤵
-
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /change /tn "Microsoft\Windows\UpdateOrchestrator\UpdateModelTask" /disable3⤵
-
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /change /tn "Microsoft\Windows\UpdateOrchestrator\USO_UxBroker" /disable3⤵
-
C:\exm\Windows_Update_Blocker.exe"C:\exm\Windows_Update_Blocker.exe" /SYS 0 13⤵
- Event Triggered Execution: Image File Execution Options Injection
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /change /tn "Microsoft\Windows\WindowsUpdate\Scheduled Start" /disable4⤵
-
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /change /tn "Microsoft\Windows\UpdateOrchestrator\Schedule Maintenance Work" /disable4⤵
-
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /change /tn "Microsoft\Windows\UpdateOrchestrator\Schedule Wake To Work" /disable4⤵
-
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /change /tn "Microsoft\Windows\UpdateOrchestrator\Schedule Work" /disable4⤵
-
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /change /tn "Microsoft\Windows\UpdateOrchestrator\Report policies" /disable4⤵
-
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /change /tn "Microsoft\Windows\UpdateOrchestrator\Schedule Scan" /disable4⤵
-
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /change /tn "Microsoft\Windows\UpdateOrchestrator\Schedule Scan Static Task" /disable4⤵
-
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /change /tn "Microsoft\Windows\UpdateOrchestrator\UpdateModelTask" /disable4⤵
-
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /change /tn "Microsoft\Windows\UpdateOrchestrator\USO_UxBroker" /disable4⤵
-
C:\Windows\system32\SystemPropertiesPerformance.exeC:\Windows\system32\SystemPropertiesPerformance.exe2⤵
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
-
C:\Windows\system32\chcp.comchcp 650012⤵
-
C:\Windows\system32\chcp.comchcp 650012⤵
-
C:\Windows\system32\chcp.comchcp 4372⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowerShell -Command "Enable-MMAgent -MemoryCompression"2⤵
- Command and Scripting Interpreter: PowerShell
-
C:\Windows\system32\chcp.comchcp 650012⤵
-
C:\Windows\system32\timeout.exetimeout 22⤵
- Delays execution with timeout.exe
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg query "HKLM\SYSTEM\CurrentControlSet\Enum" /s /f "StorPort"| findstr "StorPort"2⤵
-
C:\Windows\system32\reg.exereg query "HKLM\SYSTEM\CurrentControlSet\Enum" /s /f "StorPort"3⤵
- Checks SCSI registry key(s)
-
C:\Windows\system32\findstr.exefindstr "StorPort"3⤵
-
C:\Windows\system32\reg.exeReg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\PCI\VEN_8086&DEV_2922&SUBSYS_11001AF4&REV_02\3&11583659&0&10\Device Parameters\StorPort" /v "EnableIdlePowerManagement" /t REG_DWORD /d "0" /f2⤵
-
C:\Windows\system32\reg.exeReg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\PCI\VEN_8086&DEV_2922&SUBSYS_11001AF4&REV_02\3&11583659&0&FA\Device Parameters\StorPort" /v "EnableIdlePowerManagement" /t REG_DWORD /d "0" /f2⤵
-
C:\Windows\system32\reg.exeReg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\{8e7bd593-6e6c-4c52-86a6-77175494dd8e}\MsVhdHba\1&3030e83&0&01\Device Parameters\StorPort" /v "EnableIdlePowerManagement" /t REG_DWORD /d "0" /f2⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg query "HKLM\SYSTEM\CurrentControlSet\Services" /s /f "EnableHIPM" | findstr "HKEY"2⤵
-
C:\Windows\system32\reg.exereg query "HKLM\SYSTEM\CurrentControlSet\Services" /s /f "EnableHIPM"3⤵
- Maps connected drives based on registry
- Remote Services: SMB/Windows Admin Shares
-
C:\Windows\system32\findstr.exefindstr "HKEY"3⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s SysMain1⤵
- Drops file in Windows directory
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\Downloads\EXM Free Tweaking Utility V5.bat"1⤵
- Checks computer location settings
- Modifies registry class
-
C:\Windows\system32\reg.exeReg.exe add "HKCU\CONSOLE" /v "VirtualTerminalLevel" /t REG_DWORD /d "1" /f2⤵
-
C:\Windows\system32\chcp.comchcp 650012⤵
-
C:\Windows\system32\timeout.exetimeout /t 1 /nobreak2⤵
- Delays execution with timeout.exe
-
C:\Windows\system32\chcp.comchcp 650012⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wmic path Win32_UserAccount where name="Admin" get sid | findstr "S-"2⤵
-
C:\Windows\System32\Wbem\WMIC.exewmic path Win32_UserAccount where name="Admin" get sid3⤵
-
C:\Windows\system32\findstr.exefindstr "S-"3⤵
-
C:\Windows\system32\chcp.comchcp 4372⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -NoProfile Enable-ComputerRestore -Drive 'C:\'2⤵
- Command and Scripting Interpreter: PowerShell
-
C:\Windows\system32\reg.exeReg.exe delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore" /v "RPSessionInterval" /f2⤵
-
C:\Windows\system32\reg.exeReg.exe delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore" /v "DisableConfig" /f2⤵
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\Software\Microsoft\Windows NT\CurrentVersion\SystemRestore" /v "SystemRestorePointCreationFrequency" /t REG_DWORD /d 0 /f2⤵
-
C:\Windows\system32\chcp.comchcp 650012⤵
-
C:\Windows\system32\chcp.comchcp 4372⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "& {Add-Type -AssemblyName System.Windows.Forms; [System.Windows.Forms.MessageBox]::Show('Downloading rescourses (power plan, Nvidia profile inspector & more)', 'Exm Tweaking Utility', 'Ok', [System.Windows.Forms.MessageBoxIcon]::Information);}"2⤵
- Command and Scripting Interpreter: PowerShell
-
C:\Windows\system32\curl.execurl -g -k -L -# -o "C:\Users\Admin\AppData\Local\Temp\exm.zip" "https://www.dropbox.com/scl/fi/ol6iglzmy3mp4kho2uow9/EXM-Rescourse-Folder-V5.zip?rlkey=venmttj46rax32s84s4buyeu3&st=lbf90aey&dl=0"2⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -NoProfile Expand-Archive 'C:\Users\Admin\AppData\Local\Temp\exm.zip' -DestinationPath 'C:\exm'2⤵
- Command and Scripting Interpreter: PowerShell
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "& {Add-Type -AssemblyName System.Windows.Forms; [System.Windows.Forms.MessageBox]::Show('Downloaded rescourses successfully', 'Exm Tweaking Utility', 'Ok', [System.Windows.Forms.MessageBoxIcon]::Information);}"2⤵
- Command and Scripting Interpreter: PowerShell
-
C:\Windows\system32\chcp.comchcp 650012⤵
-
C:\Windows\system32\chcp.comchcp 650012⤵
-
C:\Windows\system32\chcp.comchcp 4372⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowerShell -Command "Disable-MMAgent -PageCombining"2⤵
- Command and Scripting Interpreter: PowerShell
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowerShell -Command "Set-MMAgent -MaxOperationAPIFiles 2048"2⤵
- Command and Scripting Interpreter: PowerShell
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowerShell -Command "Set-Service sysmain -StartupType Automatic"2⤵
- Command and Scripting Interpreter: PowerShell
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowerShell -Command "Start-Service sysmain"2⤵
- Command and Scripting Interpreter: PowerShell
-
C:\Windows\system32\chcp.comchcp 650012⤵
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v "DisablePagingExecutive" /t REG_DWORD /d "1" /f2⤵
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\GraphicsDrivers" /v "DpiMapIommuContiguous" /t REG_DWORD /d "1" /f2⤵
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters" /v "EnablePrefetcher" /t REG_DWORD /d "0" /f2⤵
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters" /v "EnableSuperfetch" /t REG_DWORD /d "0" /f2⤵
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v "ClearPageFileAtShutdown" /t REG_DWORD /d "0" /f2⤵
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v "DisablePagingExecutive" /t REG_DWORD /d "1" /f2⤵
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v "LargeSystemCache" /t REG_DWORD /d "0" /f2⤵
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v "NonPagedPoolQuota" /t REG_DWORD /d "0" /f2⤵
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v "NonPagedPoolSize" /t REG_DWORD /d "0" /f2⤵
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v "PagedPoolQuota" /t REG_DWORD /d "0" /f2⤵
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v "PagedPoolSize" /t REG_DWORD /d "192" /f2⤵
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v "SecondLevelDataCache" /t REG_DWORD /d "1024" /f2⤵
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v "SessionPoolSize" /t REG_DWORD /d "192" /f2⤵
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v "SessionViewSize" /t REG_DWORD /d "192" /f2⤵
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v "SystemPages" /t REG_DWORD /d "4294967295" /f2⤵
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v "PhysicalAddressExtension" /t REG_DWORD /d "1" /f2⤵
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v "FeatureSettings" /t REG_DWORD /d "1" /f2⤵
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v "FeatureSettingsOverride" /t REG_DWORD /d "3" /f2⤵
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v "FeatureSettingsOverrideMask" /t REG_DWORD /d "3" /f2⤵
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v "IoPageLockLimit" /t REG_DWORD /d "16710656" /f2⤵
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v "PoolUsageMaximum" /t REG_DWORD /d "96" /f2⤵
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v "Start" /t REG_DWORD /d "4" /f2⤵
-
C:\Windows\system32\chcp.comchcp 650012⤵
-
C:\Windows\system32\chcp.comchcp 4372⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "& {Add-Type -AssemblyName System.Windows.Forms; [System.Windows.Forms.MessageBox]::Show('After you press ok it will open an app, Go to the LOGON section, disable all services except: antivirus, cmd.exe, and the n/a services', 'Exm Tweaking Utility', 'Ok', [System.Windows.Forms.MessageBoxIcon]::Information);}"2⤵
- Command and Scripting Interpreter: PowerShell
-
C:\Windows\system32\chcp.comchcp 650012⤵
-
C:\exm\Autoruns.exeC:\exm\autoruns.exe2⤵
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Modifies system certificate store
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\chcp.comchcp 650012⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c Reg query "HKLM\System\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}" /t REG_SZ /s /e /f "Intel" | findstr "HKEY"2⤵
-
C:\Windows\system32\reg.exeReg query "HKLM\System\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}" /t REG_SZ /s /e /f "Intel"3⤵
-
C:\Windows\system32\findstr.exefindstr "HKEY"3⤵
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\Software\Intel\GMM" /v "DedicatedSegmentSize" /t REG_DWORD /d "512" /f2⤵
-
C:\Windows\system32\chcp.comchcp 650012⤵
-
C:\Windows\system32\chcp.comchcp 4372⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "& {Add-Type -AssemblyName System.Windows.Forms; [System.Windows.Forms.MessageBox]::Show('Do NOT do these if your pc has bad overheating issues', 'Exm Tweaking Utility', 'Ok', [System.Windows.Forms.MessageBoxIcon]::Information);}"2⤵
- Command and Scripting Interpreter: PowerShell
-
C:\Windows\system32\timeout.exetimeout /t 1 /nobreak2⤵
- Delays execution with timeout.exe
-
C:\Windows\system32\chcp.comchcp 650012⤵
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\ControlSet001\Control\Power\PowerSettings\54533251-82be-4824-96c1-47b60b740d00\0cc5b647-c1df-4637-891a-dec35c318583" /v "ValueMax" /t REG_DWORD /d "0" /f2⤵
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\ControlSet001\Control\Power\PowerSettings\54533251-82be-4824-96c1-47b60b740d00\0cc5b647-c1df-4637-891a-dec35c318583" /v "ValueMin" /t REG_DWORD /d "0" /f2⤵
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\ControlSet002\Control\Power\PowerSettings\54533251-82be-4824-96c1-47b60b740d00\0cc5b647-c1df-4637-891a-dec35c318583" /v "ValueMax" /t REG_DWORD /d "0" /f2⤵
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\ControlSet002\Control\Power\PowerSettings\54533251-82be-4824-96c1-47b60b740d00\0cc5b647-c1df-4637-891a-dec35c318583" /v "ValueMin" /t REG_DWORD /d "0" /f2⤵
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power\PowerSettings\54533251-82be-4824-96c1-47b60b740d00\0cc5b647-c1df-4637-891a-dec35c318583" /v "ValueMax" /t REG_DWORD /d "0" /f2⤵
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power\PowerSettings\54533251-82be-4824-96c1-47b60b740d00\0cc5b647-c1df-4637-891a-dec35c318583" /v "ValueMin" /t REG_DWORD /d "0" /f2⤵
-
C:\Windows\system32\reg.exeReg.exe add HKLM\SYSTEM\CurrentControlSet\Control\Power /v CoreParkingDisabled /t REG_DWORD /d 0 /f2⤵
- Modifies registry key
-
C:\Windows\system32\powercfg.exepowercfg -setacvalueindex scheme_current sub_processor CPMINCORES 1002⤵
- Power Settings
-
C:\Windows\system32\powercfg.exepowercfg /setactive SCHEME_CURRENT2⤵
- Power Settings
-
C:\Windows\system32\bcdedit.exebcdedit /set allowedinmemorysettings 0x02⤵
- Modifies boot configuration data using bcdedit
-
C:\Windows\system32\bcdedit.exebcdedit /set isolatedcontext No2⤵
- Modifies boot configuration data using bcdedit
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\kernel" /v "DistributeTimers" /t REG_DWORD /d "1" /f2⤵
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\kernel" /v "DisableTsx" /t REG_DWORD /d "0" /f2⤵
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "EventProcessorEnabled" /t REG_DWORD /d "0" /f2⤵
-
C:\Windows\system32\powercfg.exepowercfg /setACvalueindex scheme_current SUB_PROCESSOR SYSCOOLPOL 12⤵
- Power Settings
-
C:\Windows\system32\powercfg.exepowercfg /setDCvalueindex scheme_current SUB_PROCESSOR SYSCOOLPOL 12⤵
- Power Settings
-
C:\Windows\system32\powercfg.exepowercfg /setactive SCHEME_CURRENT2⤵
- Power Settings
-
C:\Windows\system32\bcdedit.exebcdedit /set {current} numproc 22⤵
- Modifies boot configuration data using bcdedit
-
C:\Windows\system32\powercfg.exepowercfg -setacvalueindex scheme_current SUB_SLEEP AWAYMODE 02⤵
- Power Settings
-
C:\Windows\system32\powercfg.exepowercfg /setactive SCHEME_CURRENT2⤵
- Power Settings
-
C:\Windows\system32\powercfg.exepowercfg -setacvalueindex scheme_current SUB_SLEEP ALLOWSTANDBY 02⤵
- Power Settings
-
C:\Windows\system32\powercfg.exepowercfg /setactive SCHEME_CURRENT2⤵
- Power Settings
-
C:\Windows\system32\powercfg.exepowercfg -setacvalueindex scheme_current SUB_SLEEP HYBRIDSLEEP 02⤵
- Power Settings
-
C:\Windows\system32\powercfg.exepowercfg /setactive SCHEME_CURRENT2⤵
- Power Settings
-
C:\Windows\system32\powercfg.exepowercfg -setacvalueindex scheme_current sub_processor PROCTHROTTLEMIN 1002⤵
- Power Settings
-
C:\Windows\system32\powercfg.exepowercfg /setactive SCHEME_CURRENT2⤵
- Power Settings
-
C:\Windows\system32\timeout.exetimeout /t 1 /nobreak2⤵
- Delays execution with timeout.exe
-
C:\Windows\system32\powercfg.exepowercfg -setacvalueindex scheme_current sub_processor IDLESCALING 12⤵
- Power Settings
-
C:\Windows\system32\powercfg.exepowercfg /setactive SCHEME_CURRENT2⤵
- Power Settings
-
C:\Windows\system32\powercfg.exepowercfg -setacvalueindex scheme_current sub_processor THROTTLING 02⤵
- Power Settings
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power\PowerSettings\54533251-82be-4824-96c1-47b60b740d00\0cc5b647-c1df-4637-891a-dec35c318583" /v "ValueMin" /t REG_DWORD /d "0" /f2⤵
-
C:\Windows\system32\chcp.comchcp 650012⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wmic path Win32_USBController get PNPDeviceID| findstr /l "PCI\VEN_"2⤵
-
C:\Windows\System32\Wbem\WMIC.exewmic path Win32_USBController get PNPDeviceID3⤵
-
C:\Windows\system32\findstr.exefindstr /l "PCI\VEN_"3⤵
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\CurrentControlSet\Enum\PCI\VEN_8086&DEV_24CD&SUBSYS_11001AF4&REV_10\3&11583659&0&20\Device Parameters" /v "AllowIdleIrpInD3" /t REG_DWORD /d "0" /f2⤵
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\CurrentControlSet\Enum\PCI\VEN_8086&DEV_24CD&SUBSYS_11001AF4&REV_10\3&11583659&0&20\Device Parameters" /v "D3ColdSupported" /t REG_DWORD /d "0" /f2⤵
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\CurrentControlSet\Enum\PCI\VEN_8086&DEV_24CD&SUBSYS_11001AF4&REV_10\3&11583659&0&20\Device Parameters" /v "DeviceSelectiveSuspended" /t REG_DWORD /d "0" /f2⤵
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\CurrentControlSet\Enum\PCI\VEN_8086&DEV_24CD&SUBSYS_11001AF4&REV_10\3&11583659&0&20\Device Parameters" /v "EnableSelectiveSuspend" /t REG_DWORD /d "0" /f2⤵
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\CurrentControlSet\Enum\PCI\VEN_8086&DEV_24CD&SUBSYS_11001AF4&REV_10\3&11583659&0&20\Device Parameters" /v "EnhancedPowerManagementEnabled" /t REG_DWORD /d "0" /f2⤵
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\CurrentControlSet\Enum\PCI\VEN_8086&DEV_24CD&SUBSYS_11001AF4&REV_10\3&11583659&0&20\Device Parameters" /v "SelectiveSuspendEnabled" /t REG_DWORD /d "0" /f2⤵
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\CurrentControlSet\Enum\PCI\VEN_8086&DEV_24CD&SUBSYS_11001AF4&REV_10\3&11583659&0&20\Device Parameters" /v "SelectiveSuspendOn" /t REG_DWORD /d "0" /f2⤵
-
C:\Windows\system32\timeout.exetimeout /t 1 /nobreak2⤵
- Delays execution with timeout.exe
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\usbxhci\Parameters" /v "ThreadPriority" /t REG_DWORD /d "31" /f2⤵
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\USBHUB3\Parameters" /v "ThreadPriority" /t REG_DWORD /d "31" /f2⤵
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\nvlddmkm\Parameters" /v "ThreadPriority" /t REG_DWORD /d "31" /f2⤵
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\NDIS\Parameters" /v "ThreadPriority" /t REG_DWORD /d "31" /f2⤵
-
C:\Windows\system32\timeout.exetimeout /t 1 /nobreak2⤵
- Delays execution with timeout.exe
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\USB" /v "DisableSelectiveSuspend" /t REG_DWORD /d "1" /f2⤵
-
C:\Windows\system32\timeout.exetimeout /t 1 /nobreak2⤵
- Delays execution with timeout.exe
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wmic path Win32_USBController get PNPDeviceID2⤵
-
C:\Windows\System32\Wbem\WMIC.exewmic path Win32_USBController get PNPDeviceID3⤵
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\System\CurrentControlSet\Enum\PNPDeviceID\Device Parameters\Interrupt Management\Affinity Policy" /v "DevicePriority" /f2⤵
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\System\CurrentControlSet\Enum\PNPDeviceID\Device Parameters\Interrupt Management\MessageSignaledInterruptProperties" /v "MSISupported" /t REG_DWORD /d "1" /f2⤵
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\System\CurrentControlSet\Enum\PCI\VEN_8086&DEV_24CD&SUBSYS_11001AF4&REV_10\3&11583659&0&20\Device Parameters\Interrupt Management\Affinity Policy" /v "DevicePriority" /f2⤵
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\System\CurrentControlSet\Enum\PCI\VEN_8086&DEV_24CD&SUBSYS_11001AF4&REV_10\3&11583659&0&20\Device Parameters\Interrupt Management\MessageSignaledInterruptProperties" /v "MSISupported" /t REG_DWORD /d "1" /f2⤵
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\System\CurrentControlSet\Enum\ \Device Parameters\Interrupt Management\Affinity Policy" /v "DevicePriority" /f2⤵
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\System\CurrentControlSet\Enum\ \Device Parameters\Interrupt Management\MessageSignaledInterruptProperties" /v "MSISupported" /t REG_DWORD /d "1" /f2⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wmic path Win32_IDEController get PNPDeviceID 2>nul2⤵
-
C:\Windows\System32\Wbem\WMIC.exewmic path Win32_IDEController get PNPDeviceID3⤵
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\System\CurrentControlSet\Enum\PCI\VEN_8086&DEV_2922&SUBSYS_11001AF4&REV_02\3&11583659&0&10\Device Parameters\Interrupt Management\Affinity Policy" /v "DevicePriority" /f2⤵
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\System\CurrentControlSet\Enum\PCI\VEN_8086&DEV_2922&SUBSYS_11001AF4&REV_02\3&11583659&0&FA\Device Parameters\Interrupt Management\Affinity Policy" /v "DevicePriority" /f2⤵
-
C:\Windows\system32\chcp.comchcp 650012⤵
-
C:\Windows\system32\chcp.comchcp 4372⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "& {Add-Type -AssemblyName System.Windows.Forms; [System.Windows.Forms.MessageBox]::Show('Do NOT do these if your pc has bad overheating issues', 'Exm Tweaking Utility', 'Ok', [System.Windows.Forms.MessageBoxIcon]::Information);}"2⤵
- Command and Scripting Interpreter: PowerShell
-
C:\Windows\system32\timeout.exetimeout /t 1 /nobreak2⤵
- Delays execution with timeout.exe
-
C:\Windows\system32\chcp.comchcp 650012⤵
-
C:\Windows\system32\powercfg.exepowercfg -import "C:\exm\Exm Free Power Plan V4.pow"2⤵
- Power Settings
-
C:\Windows\System32\control.exe"C:\Windows\System32\control.exe" "C:\Windows\system32\powercfg.cpl",2⤵
- Power Settings
-
C:\Windows\system32\rundll32.exe"C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Windows\system32\powercfg.cpl",3⤵
- Power Settings
- Modifies registry class
-
C:\Windows\system32\timeout.exetimeout /t 1 /nobreak2⤵
- Delays execution with timeout.exe
-
C:\Windows\system32\chcp.comchcp 650012⤵
-
C:\Windows\system32\chcp.comchcp 4372⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "& {Add-Type -AssemblyName System.Windows.Forms; [System.Windows.Forms.MessageBox]::Show('Note: If you want to revert anything, you can do it in our revert category on the main page of the utility', 'Exm Tweaking Utility', 'Ok', [System.Windows.Forms.MessageBoxIcon]::Information);}"2⤵
- Command and Scripting Interpreter: PowerShell
-
C:\Windows\system32\chcp.comchcp 650012⤵
-
C:\Windows\system32\reg.exeReg.exe add "HKCU\Software\Microsoft\GameBar" /v "UseNexusForGameBarEnabled" /t REG_DWORD /d "0" /f2⤵
-
C:\Windows\system32\reg.exeReg.exe add "HKCU\Software\Microsoft\GameBar" /v "GameDVR_Enabled" /t REG_DWORD /d "0" /f2⤵
-
C:\Windows\system32\reg.exeReg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\GameDVR" /v "AppCaptureEnabled" /t REG_DWORD /d "0" /f2⤵
-
C:\Windows\system32\reg.exeReg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\GameDVR" /v "AudioCaptureEnabled" /t REG_DWORD /d "0" /f2⤵
-
C:\Windows\system32\reg.exeReg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\GameDVR" /v "CursorCaptureEnabled" /t REG_DWORD /d "0" /f2⤵
-
C:\Windows\system32\reg.exeReg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\GameDVR" /v "HistoricalCaptureEnabled" /t REG_DWORD /d "0" /f2⤵
-
C:\Windows\system32\reg.exeReg.exe add "HKCU\System\GameConfigStore" /v "GameDVR_Enabled" /t REG_DWORD /d "0" /f2⤵
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\Software\Policies\Microsoft\Windows\GameDVR" /v "AllowgameDVR" /t REG_DWORD /d "0" /f2⤵
-
C:\Windows\system32\schtasks.exeschtasks /end /tn "\Microsoft\Windows\Customer Experience Improvement Program\Consolidator"2⤵
-
C:\Windows\system32\schtasks.exeschtasks /change /tn "\Microsoft\Windows\Customer Experience Improvement Program\Consolidator" /disable2⤵
-
C:\Windows\system32\schtasks.exeschtasks /end /tn "\Microsoft\Windows\Customer Experience Improvement Program\BthSQM"2⤵
-
C:\Windows\system32\schtasks.exeschtasks /change /tn "\Microsoft\Windows\Customer Experience Improvement Program\BthSQM" /disable2⤵
-
C:\Windows\system32\schtasks.exeschtasks /end /tn "\Microsoft\Windows\Customer Experience Improvement Program\KernelCeipTask"2⤵
-
C:\Windows\system32\schtasks.exeschtasks /change /tn "\Microsoft\Windows\Customer Experience Improvement Program\KernelCeipTask" /disable2⤵
-
C:\Windows\system32\schtasks.exeschtasks /end /tn "\Microsoft\Windows\Customer Experience Improvement Program\UsbCeip"2⤵
-
C:\Windows\system32\schtasks.exeschtasks /change /tn "\Microsoft\Windows\Customer Experience Improvement Program\UsbCeip" /disable2⤵
-
C:\Windows\system32\schtasks.exeschtasks /end /tn "\Microsoft\Windows\Customer Experience Improvement Program\Uploader"2⤵
-
C:\Windows\system32\schtasks.exeschtasks /change /tn "\Microsoft\Windows\Customer Experience Improvement Program\Uploader" /disable2⤵
-
C:\Windows\system32\schtasks.exeschtasks /end /tn "\Microsoft\Windows\Application Experience\Microsoft Compatibility Appraiser"2⤵
-
C:\Windows\system32\schtasks.exeschtasks /change /tn "\Microsoft\Windows\Application Experience\Microsoft Compatibility Appraiser" /disable2⤵
-
C:\Windows\system32\schtasks.exeschtasks /end /tn "\Microsoft\Windows\Application Experience\ProgramDataUpdater"2⤵
-
C:\Windows\system32\schtasks.exeschtasks /change /tn "\Microsoft\Windows\Application Experience\ProgramDataUpdater" /disable2⤵
-
C:\Windows\system32\schtasks.exeschtasks /end /tn "\Microsoft\Windows\Application Experience\StartupAppTask"2⤵
-
C:\Windows\system32\schtasks.exeschtasks /end /tn "\Microsoft\Windows\Shell\FamilySafetyMonitor"2⤵
-
C:\Windows\system32\schtasks.exeschtasks /change /tn "\Microsoft\Windows\Shell\FamilySafetyMonitor" /disable2⤵
-
C:\Windows\system32\schtasks.exeschtasks /end /tn "\Microsoft\Windows\Shell\FamilySafetyRefresh"2⤵
-
C:\Windows\system32\schtasks.exeschtasks /change /tn "\Microsoft\Windows\Shell\FamilySafetyRefresh" /disable2⤵
-
C:\Windows\system32\schtasks.exeschtasks /end /tn "\Microsoft\Windows\Shell\FamilySafetyUpload"2⤵
-
C:\Windows\system32\schtasks.exeschtasks /change /tn "\Microsoft\Windows\Shell\FamilySafetyUpload" /disable2⤵
-
C:\Windows\system32\schtasks.exeschtasks /end /tn "\Microsoft\Windows\Maintenance\WinSAT"2⤵
-
C:\Windows\system32\sc.exesc config xbgm start= disabled2⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exesc config XblAuthManager start= disabled2⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exesc config XblGameSave start= disabled2⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exesc config XboxGipSvc start= disabled2⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exesc config XboxNetApiSvc start= disabled2⤵
- Launches sc.exe
-
C:\Windows\system32\chcp.comchcp 4372⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowershell.exe -command "& {Get-AppxPackage *Microsoft.BingWeather* | Remove-AppxPackage}2⤵
- Command and Scripting Interpreter: PowerShell
-
C:\Windows\system32\timeout.exetimeout /t 1 /nobreak2⤵
- Delays execution with timeout.exe
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowershell.exe -command "& {Get-AppxPackage *Microsoft.GetHelp* | Remove-AppxPackage}2⤵
- Command and Scripting Interpreter: PowerShell
-
C:\Windows\system32\timeout.exetimeout /t 1 /nobreak2⤵
- Delays execution with timeout.exe
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowershell.exe -command "& {Get-AppxPackage *Microsoft.Getstarted* | Remove-AppxPackage}2⤵
- Command and Scripting Interpreter: PowerShell
-
C:\Windows\system32\timeout.exetimeout /t 1 /nobreak2⤵
- Delays execution with timeout.exe
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowershell.exe -command "& {Get-AppxPackage *Microsoft.Messaging* | Remove-AppxPackage}2⤵
- Command and Scripting Interpreter: PowerShell
-
C:\Windows\system32\timeout.exetimeout /t 1 /nobreak2⤵
- Delays execution with timeout.exe
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowershell.exe -command "& {Get-AppxPackage *Microsoft.Microsoft3DViewer* | Remove-AppxPackage}2⤵
- Command and Scripting Interpreter: PowerShell
-
C:\Windows\system32\timeout.exetimeout /t 1 /nobreak2⤵
- Delays execution with timeout.exe
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowershell.exe -command "& {Get-AppxPackage *Microsoft.MicrosoftSolitaireCollection* | Remove-AppxPackage}2⤵
- Command and Scripting Interpreter: PowerShell
-
C:\Windows\system32\timeout.exetimeout /t 1 /nobreak2⤵
- Delays execution with timeout.exe
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowershell.exe -command "& {Get-AppxPackage *Microsoft.MicrosoftStickyNotes* | Remove-AppxPackage}2⤵
- Command and Scripting Interpreter: PowerShell
-
C:\Windows\system32\timeout.exetimeout /t 1 /nobreak2⤵
- Delays execution with timeout.exe
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowershell.exe -command "& {Get-AppxPackage *Microsoft.MixedReality.Portal* | Remove-AppxPackage}2⤵
- Command and Scripting Interpreter: PowerShell
-
C:\Windows\system32\timeout.exetimeout /t 1 /nobreak2⤵
- Delays execution with timeout.exe
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowershell.exe -command "& {Get-AppxPackage *Microsoft.OneConnect* | Remove-AppxPackage}2⤵
- Command and Scripting Interpreter: PowerShell
-
C:\Windows\system32\timeout.exetimeout /t 1 /nobreak2⤵
- Delays execution with timeout.exe
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowershell.exe -command "& {Get-AppxPackage *Microsoft.People* | Remove-AppxPackage}2⤵
- Command and Scripting Interpreter: PowerShell
-
C:\Windows\system32\timeout.exetimeout /t 1 /nobreak2⤵
- Delays execution with timeout.exe
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowershell.exe -command "& {Get-AppxPackage *Microsoft.Print3D* | Remove-AppxPackage}2⤵
- Command and Scripting Interpreter: PowerShell
-
C:\Windows\system32\timeout.exetimeout /t 1 /nobreak2⤵
- Delays execution with timeout.exe
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowershell.exe -command "& {Get-AppxPackage *Microsoft.SkypeApp* | Remove-AppxPackage}2⤵
- Command and Scripting Interpreter: PowerShell
-
C:\Windows\system32\timeout.exetimeout /t 1 /nobreak2⤵
- Delays execution with timeout.exe
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowershell.exe -command "& {Get-AppxPackage *Microsoft.WindowsAlarms* | Remove-AppxPackage}2⤵
- Command and Scripting Interpreter: PowerShell
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowershell.exe -command "& {Get-AppxPackage *Microsoft.WindowsCamera* | Remove-AppxPackage}2⤵
- Command and Scripting Interpreter: PowerShell
-
C:\Windows\system32\timeout.exetimeout /t 1 /nobreak2⤵
- Delays execution with timeout.exe
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowershell.exe -command "& {Get-AppxPackage *microsoft.windowscommunicationsapps* | Remove-AppxPackage}2⤵
- Command and Scripting Interpreter: PowerShell
-
C:\Windows\system32\timeout.exetimeout /t 1 /nobreak2⤵
- Delays execution with timeout.exe
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowershell.exe -command "& {Get-AppxPackage *Microsoft.WindowsMaps* | Remove-AppxPackage}2⤵
- Command and Scripting Interpreter: PowerShell
-
C:\Windows\system32\timeout.exetimeout /t 1 /nobreak2⤵
- Delays execution with timeout.exe
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowershell.exe -command "& {Get-AppxPackage *Microsoft.WindowsFeedbackHub* | Remove-AppxPackage}2⤵
- Command and Scripting Interpreter: PowerShell
-
C:\Windows\system32\timeout.exetimeout /t 1 /nobreak2⤵
- Delays execution with timeout.exe
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowershell.exe -command "& {Get-AppxPackage *Microsoft.WindowsSoundRecorder* | Remove-AppxPackage}2⤵
- Command and Scripting Interpreter: PowerShell
-
C:\Windows\system32\timeout.exetimeout /t 1 /nobreak2⤵
- Delays execution with timeout.exe
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowershell.exe -command "& {Get-AppxPackage *Microsoft.YourPhone* | Remove-AppxPackage}2⤵
- Command and Scripting Interpreter: PowerShell
-
C:\Windows\system32\timeout.exetimeout /t 1 /nobreak2⤵
- Delays execution with timeout.exe
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowershell.exe -command "& {Get-AppxPackage *Microsoft.ZuneMusic* | Remove-AppxPackage}2⤵
- Command and Scripting Interpreter: PowerShell
-
C:\Windows\system32\timeout.exetimeout /t 1 /nobreak2⤵
- Delays execution with timeout.exe
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowershell.exe -command "& {Get-AppxPackage *Microsoft.HEIFImageExtension* | Remove-AppxPackage}2⤵
- Command and Scripting Interpreter: PowerShell
-
C:\Windows\system32\timeout.exetimeout /t 1 /nobreak2⤵
- Delays execution with timeout.exe
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowershell.exe -command "& {Get-AppxPackage *Microsoft.WebMediaExtensions* | Remove-AppxPackage}2⤵
- Command and Scripting Interpreter: PowerShell
-
C:\Windows\system32\timeout.exetimeout /t 1 /nobreak2⤵
- Delays execution with timeout.exe
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowershell.exe -command "& {Get-AppxPackage *Microsoft.WebpImageExtension* | Remove-AppxPackage}2⤵
- Command and Scripting Interpreter: PowerShell
-
C:\Windows\system32\timeout.exetimeout /t 1 /nobreak2⤵
- Delays execution with timeout.exe
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowershell.exe -command "& {Get-AppxPackage *Microsoft.3dBuilder* | Remove-AppxPackage}2⤵
- Command and Scripting Interpreter: PowerShell
-
C:\Windows\system32\timeout.exetimeout /t 1 /nobreak2⤵
- Delays execution with timeout.exe
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowerShell -Command "Get-AppxPackage -allusers *bing* | Remove-AppxPackage"2⤵
- Command and Scripting Interpreter: PowerShell
-
C:\Windows\system32\timeout.exetimeout /t 1 /nobreak2⤵
- Delays execution with timeout.exe
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowerShell -Command "Get-AppxPackage -allusers *bingfinance* | Remove-AppxPackage"2⤵
- Command and Scripting Interpreter: PowerShell
-
C:\Windows\system32\timeout.exetimeout /t 1 /nobreak2⤵
- Delays execution with timeout.exe
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowerShell -Command "Get-AppxPackage -allusers *bingsports* | Remove-AppxPackage"2⤵
- Command and Scripting Interpreter: PowerShell
-
C:\Windows\system32\timeout.exetimeout /t 1 /nobreak2⤵
- Delays execution with timeout.exe
-
C:\Windows\system32\timeout.exetimeout /t 1 /nobreak2⤵
- Delays execution with timeout.exe
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowerShell -Command "Get-AppxPackage -allusers *CommsPhone* | Remove-AppxPackage"2⤵
- Command and Scripting Interpreter: PowerShell
-
C:\Windows\system32\timeout.exetimeout /t 1 /nobreak2⤵
- Delays execution with timeout.exe
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowerShell -Command "Get-AppxPackage -allusers *Drawboard PDF* | Remove-AppxPackage"2⤵
- Command and Scripting Interpreter: PowerShell
-
C:\Windows\system32\timeout.exetimeout /t 1 /nobreak2⤵
- Delays execution with timeout.exe
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowerShell -Command "Get-AppxPackage -allusers *Sway* | Remove-AppxPackage"2⤵
- Command and Scripting Interpreter: PowerShell
-
C:\Windows\system32\timeout.exetimeout /t 1 /nobreak2⤵
- Delays execution with timeout.exe
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowerShell -Command "Get-AppxPackage -allusers *WindowsAlarms* | Remove-AppxPackage"2⤵
- Command and Scripting Interpreter: PowerShell
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowerShell -Command "Get-AppxPackage -allusers *WindowsPhone* | Remove-AppxPackage"2⤵
- Command and Scripting Interpreter: PowerShell
-
C:\Windows\system32\timeout.exetimeout /t 1 /nobreak2⤵
- Delays execution with timeout.exe
-
C:\Windows\system32\chcp.comchcp 650012⤵
-
C:\Windows\system32\reg.exeReg.exe add "HKCU\Software\Microsoft\Office\Common\ClientTelemetry" /v "DisableTelemetry" /t REG_DWORD /d "1" /f2⤵
-
C:\Windows\system32\reg.exeReg.exe add "HKCU\Software\Microsoft\Office\16.0\Common" /v "sendcustomerdata" /t REG_DWORD /d "0" /f2⤵
-
C:\Windows\system32\reg.exeReg.exe add "HKCU\Software\Microsoft\Office\16.0\Common\Feedback" /v "enabled" /t REG_DWORD /d "0" /f2⤵
-
C:\Windows\system32\reg.exeReg.exe add "HKCU\Software\Microsoft\Office\16.0\Common\Feedback" /v "includescreenshot" /t REG_DWORD /d "0" /f2⤵
-
C:\Windows\system32\reg.exeReg.exe add "HKCU\Software\Microsoft\Office\16.0\Outlook\Options\Mail" /v "EnableLogging" /t REG_DWORD /d "0" /f2⤵
-
C:\Windows\system32\reg.exeReg.exe add "HKCU\Software\Microsoft\Office\16.0\Word\Options" /v "EnableLogging" /t REG_DWORD /d "0" /f2⤵
-
C:\Windows\system32\reg.exeReg.exe add "HKCU\Software\Microsoft\Office\Common\ClientTelemetry" /v "SendTelemetry" /t REG_DWORD /d "3" /f2⤵
-
C:\Windows\system32\reg.exeReg.exe add "HKCU\Software\Microsoft\Office\16.0\Common" /v "qmenable" /t REG_DWORD /d "0" /f2⤵
-
C:\Windows\system32\reg.exeReg.exe add "HKCU\Software\Microsoft\Office\16.0\Common" /v "updatereliabilitydata" /t REG_DWORD /d "0" /f2⤵
-
C:\Windows\system32\reg.exeReg.exe add "HKCU\Software\Microsoft\Office\16.0\Common\General" /v "shownfirstrunoptin" /t REG_DWORD /d "1" /f2⤵
-
C:\Windows\system32\reg.exeReg.exe add "HKCU\Software\Microsoft\Office\16.0\Common\General" /v "skydrivesigninoption" /t REG_DWORD /d "0" /f2⤵
-
C:\Windows\system32\reg.exeReg.exe add "HKCU\Software\Microsoft\Office\16.0\Common\ptwatson" /v "ptwoptin" /t REG_DWORD /d "0" /f2⤵
-
C:\Windows\system32\reg.exeReg.exe add "HKCU\Software\Microsoft\Office\16.0\Firstrun" /v "disablemovie" /t REG_DWORD /d "1" /f2⤵
-
C:\Windows\system32\reg.exeReg.exe add "HKCU\Software\Microsoft\Office\16.0\OSM" /v "Enablelogging" /t REG_DWORD /d "0" /f2⤵
-
C:\Windows\system32\reg.exeReg.exe add "HKCU\Software\Microsoft\Office\16.0\OSM" /v "EnableUpload" /t REG_DWORD /d "0" /f2⤵
-
C:\Windows\system32\reg.exeReg.exe add "HKCU\Software\Microsoft\Office\16.0\OSM" /v "EnableFileObfuscation" /t REG_DWORD /d "1" /f2⤵
-
C:\Windows\system32\reg.exeReg.exe add "HKCU\Software\Microsoft\Office\16.0\OSM\preventedapplications" /v "accesssolution" /t REG_DWORD /d "1" /f2⤵
-
C:\Windows\system32\reg.exeReg.exe add "HKCU\Software\Microsoft\Office\16.0\OSM\preventedapplications" /v "olksolution" /t REG_DWORD /d "1" /f2⤵
-
C:\Windows\system32\reg.exeReg.exe add "HKCU\Software\Microsoft\Office\16.0\OSM\preventedapplications" /v "onenotesolution" /t REG_DWORD /d "1" /f2⤵
-
C:\Windows\system32\reg.exeReg.exe add "HKCU\Software\Microsoft\Office\16.0\OSM\preventedapplications" /v "pptsolution" /t REG_DWORD /d "1" /f2⤵
-
C:\Windows\system32\reg.exeReg.exe add "HKCU\Software\Microsoft\Office\16.0\OSM\preventedapplications" /v "projectsolution" /t REG_DWORD /d "1" /f2⤵
-
C:\Windows\system32\reg.exeReg.exe add "HKCU\Software\Microsoft\Office\16.0\OSM\preventedapplications" /v "publishersolution" /t REG_DWORD /d "1" /f2⤵
-
C:\Windows\system32\reg.exeReg.exe add "HKCU\Software\Microsoft\Office\16.0\OSM\preventedapplications" /v "visiosolution" /t REG_DWORD /d "1" /f2⤵
-
C:\Windows\system32\reg.exeReg.exe add "HKCU\Software\Microsoft\Office\16.0\OSM\preventedapplications" /v "wdsolution" /t REG_DWORD /d "1" /f2⤵
-
C:\Windows\system32\reg.exeReg.exe add "HKCU\Software\Microsoft\Office\16.0\OSM\preventedapplications" /v "xlsolution" /t REG_DWORD /d "1" /f2⤵
-
C:\Windows\system32\reg.exeReg.exe add "HKCU\Software\Microsoft\Office\16.0\OSM\preventedsolutiontypes" /v "agave" /t REG_DWORD /d "1" /f2⤵
-
C:\Windows\system32\reg.exeReg.exe add "HKCU\Software\Microsoft\Office\16.0\OSM\preventedsolutiontypes" /v "appaddins" /t REG_DWORD /d "1" /f2⤵
-
C:\Windows\system32\reg.exeReg.exe add "HKCU\Software\Microsoft\Office\16.0\OSM\preventedsolutiontypes" /v "comaddins" /t REG_DWORD /d "1" /f2⤵
-
C:\Windows\system32\reg.exeReg.exe add "HKCU\Software\Microsoft\Office\16.0\OSM\preventedsolutiontypes" /v "documentfiles" /t REG_DWORD /d "1" /f2⤵
-
C:\Windows\system32\reg.exeReg.exe add "HKCU\Software\Microsoft\Office\16.0\OSM\preventedsolutiontypes" /v "templatefiles" /t REG_DWORD /d "1" /f2⤵
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\Spooler" /v "Start" /t REG_DWORD /d "4" /f2⤵
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\PrintNotify" /v "Start" /t REG_DWORD /d "4" /f2⤵
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\MapsBroker" /v "Start" /t REG_DWORD /d "4" /f2⤵
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search" /v "AllowCortana" /t REG_DWORD /d "0" /f2⤵
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search" /v "AllowCloudSearch" /t REG_DWORD /d "0" /f2⤵
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search" /v "AllowCortanaAboveLock" /t REG_DWORD /d "0" /f2⤵
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search" /v "AllowSearchToUseLocation" /t REG_DWORD /d "0" /f2⤵
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search" /v "ConnectedSearchUseWeb" /t REG_DWORD /d "0" /f2⤵
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search" /v "ConnectedSearchUseWebOverMeteredConnections" /t REG_DWORD /d "0" /f2⤵
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search" /v "DisableWebSearch" /t REG_DWORD /d "0" /f2⤵
-
C:\Windows\system32\chcp.comchcp 4372⤵
-
C:\Windows\system32\timeout.exetimeout /t 1 /nobreak2⤵
- Delays execution with timeout.exe
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowershell -Command "Get-appxpackage -allusers *Microsoft.549981C3F5F10* | Remove-AppxPackage"2⤵
- Command and Scripting Interpreter: PowerShell
-
C:\Windows\system32\timeout.exetimeout /t 1 /nobreak2⤵
- Delays execution with timeout.exe
-
C:\Windows\system32\chcp.comchcp 650012⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s SysMain1⤵
- Drops file in Windows directory
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s SysMain1⤵
- Drops file in Windows directory
-
C:\Windows\SysWOW64\DllHost.exeC:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}1⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\explorer.exeC:\Windows\explorer.exe /factory,{5BD95610-9434-43C2-886C-57852CC8A120} -Embedding1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /41⤵
- Checks SCSI registry key(s)
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
Network
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1System Services
2Service Execution
2Persistence
Boot or Logon Autostart Execution
2Active Setup
1Registry Run Keys / Startup Folder
1Create or Modify System Process
3Windows Service
3Event Triggered Execution
2Image File Execution Options Injection
1Netsh Helper DLL
1Power Settings
1Privilege Escalation
Boot or Logon Autostart Execution
2Active Setup
1Registry Run Keys / Startup Folder
1Create or Modify System Process
3Windows Service
3Event Triggered Execution
2Image File Execution Options Injection
1Netsh Helper DLL
1Defense Evasion
Hide Artifacts
3Hidden Files and Directories
2Ignore Process Interrupts
1Impair Defenses
2Disable or Modify Tools
1Indicator Removal
2Clear Persistence
1File Deletion
1Modify Registry
10Subvert Trust Controls
1Install Root Certificate
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2KB
MD56cf293cb4d80be23433eecf74ddb5503
SHA124fe4752df102c2ef492954d6b046cb5512ad408
SHA256b1f292b6199aa29c7fafbca007e5f9e3f68edcbbca1965bc828cc92dc0f18bb8
SHA5120f91e2da0da8794b9797c7b50eb5dfd27bde4546ceb6902a776664ce887dd6f12a0dd8773d612ccc76dfd029cd280778a0f0ae17ce679b3d2ffd968dd7e94a00
-
Filesize
152B
MD5ff63763eedb406987ced076e36ec9acf
SHA116365aa97cd1a115412f8ae436d5d4e9be5f7b5d
SHA2568f460e8b7a67f0c65b7248961a7c71146c9e7a19772b193972b486dbf05b8e4c
SHA512ce90336169c8b2de249d4faea2519bf7c3df48ae9d77cdf471dd5dbd8e8542d47d9348080a098074aa63c255890850ee3b80ddb8eef8384919fdca3bb9371d9f
-
Filesize
152B
MD52783c40400a8912a79cfd383da731086
SHA1001a131fe399c30973089e18358818090ca81789
SHA256331fa67da5f67bbb42794c3aeab8f7819f35347460ffb352ccc914e0373a22c5
SHA512b7c7d3aa966ad39a86aae02479649d74dcbf29d9cb3a7ff8b9b2354ea60704da55f5c0df803fd0a7191170a8e72fdd5eacfa1a739d7a74e390a7b74bdced1685
-
Filesize
186B
MD5094ab275342c45551894b7940ae9ad0d
SHA12e7ce26fe2eb9be641ae929d0c9cc0dfa26c018e
SHA256ef1739b833a1048ee1bd55dcbac5b1397396faca1ad771f4d6c2fe58899495a3
SHA51219d0c688dc1121569247111e45de732b2ab86c71aecdde34b157cfd1b25c53473ed3ade49a97f8cb2ddc4711be78fa26c9330887094e031e9a71bb5c29080b0d
-
Filesize
6KB
MD5dfb32e37e09823655801ea3a54b20990
SHA16834fa159e5ea1faaf7b995b29b42a1cf045e948
SHA256e9152421d0284a16fee3e5844566968fba3536f4bfb2fe2f98cb5ff681317d54
SHA5122ee9fc406cf818dab07dc4963e215f456d794faceeb893488edd25b0ada16ffb1a4bbcb1cdc7adf0727a0ea0d366908280c922daa020efd60a72b046615fe80a
-
Filesize
5KB
MD58af6b00c065dcf9f2289425325622e4a
SHA1ba4fa0e88129e9d5cfb754814a7f74d7e7f0acd7
SHA2566f2d8d38006198d8321ad7225ae67b85ea72e8f41e5707f80d3b592e69b5f16f
SHA5125a10f4d0393529af9b21c26116938ff9457e451d6c929205b2471929ef5ac31e272621e18dd9661dc5c440c5c8115788ea28f2216dd13d1a5d7c02e0f343c39e
-
Filesize
16B
MD56752a1d65b201c13b62ea44016eb221f
SHA158ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA2560861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA5129cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
-
Filesize
10KB
MD50198e59eb68daad73f0655a677c4d13f
SHA1df7fcb7f7250b816dd5aedd1e375a4039339b0e4
SHA2567b715fd2d362d2736927675b7d3f7dfb076b461a641934183724c1340bd75cda
SHA5126d2b953e3c9bdac539ffec45678301b1f1a61eecf2bdb0375f17cec6ea3a99aa404f6e207678bbece2652a9a6fb521db143a52271cb1d3036dbd8eb8983a427c
-
Filesize
64B
MD55caad758326454b5788ec35315c4c304
SHA13aef8dba8042662a7fcf97e51047dc636b4d4724
SHA25683e613b6dc8d70e3bb67c58535e014f58f3e8b2921e93b55137d799fc8c56391
SHA5124e0d443cf81e2f49829b0a458a08294bf1bdc0e38d3a938fb8274eeb637d9a688b14c7999dd6b86a31fcec839a9e8c1a9611ed0bbae8bd59caa9dba1e8253693
-
Filesize
1KB
MD5224dcf4c17389871fa59fe45c7acd94a
SHA1d02998277a18745bc5a5209d80a4d5c5077772ff
SHA256c10c307786cba93488fb258b288490207e01024028a4340eab17f0c0b23dbb0e
SHA5128e30a4a06f9a06dd2556ee9125e9dc9effcc1cbb3ce6ff9fabee383db8e4fdbe7f638ea71d5a42d6722748543c8f2a4399baefdd2a2cc20e531c966b29f32e10
-
Filesize
1KB
MD529f36d03b20ef78592e43b5cac65e00c
SHA1451b03ada961171aa3b19f0ff5843746abf0fdaa
SHA256dabeae8ead2d3e3370f60103603efc234378051b9a61c3c86f8b184481a23405
SHA512d515adc8b4a3d164beef161830305905b9afbb986e30ba3a878395965f853ed857edefdb9238302d5c72fa0c8bfbcd4f9d39da35f57594c047b83b7518086490
-
Filesize
1KB
MD52bac0efb0684af12599ba7a79601dd55
SHA15e73fbf1fa96362915f5824076d7e9ae0ef9411c
SHA256fc28155db5285cf89e2336c508c7b1e0ba1642899ff3514d90117ba0328b4c62
SHA51285dcfdb9c9316c96aebd0a6711a20609852eb76ea6dba6ddbc84c4dab6cd9b699a60dd2ad8f9f55965fd7dadd97bf578788a9e7c2dc9a7f90179a7faeceb5ce9
-
Filesize
64B
MD5eda44076dc3e4270fec4fcf70b27c7ff
SHA144c9b863d5df65dc9717aa863ed39ebcb6110269
SHA25698adfaf9b0f36986dbfbde6cb28a77d39278606966991514ccf5a62d23f85d52
SHA5128f94d6b73f418bd8d026593672416f013e6e589347a6d9608f065b04c8de16daabedade712b509b2e571ac5e67e71ca6d18971b5ccbfbdf9cf079c36034fa31a
-
Filesize
1KB
MD5561ad4794e22ab68a6811d88e43d6c06
SHA13dcd045d3e0fb917c67ec36cfe102e50a9b3c41c
SHA256250e7bac495dbd6e656b75106b03b7e741c7508097fbd32cf78627061b7ceade
SHA51200273fa6bf017c674a48e3b9b4757f083540846de66abf8c2b8fc878d38475cf284f3ebefc597600a393ec18c8027a6628e6698ab5a3086fe60e1aa6ef733c96
-
Filesize
1KB
MD5c5280756995d6f84df21a274f2ddec57
SHA1e3a50e9988088f93e4ee43b3d2195f3aa6bc78a4
SHA2562e2373a812b748f7a24e41b1d6ef30cb414d904478c7829433b43b3270413a47
SHA5129dd1fd35efcea7ebdf5b1c1ce7388fe53180771da7a0485031eae894c5df0278a12f7db7e3e5d2017491c2af1f8ec61a9a89056a06dfece450f593f74889ab73
-
Filesize
1KB
MD5f48bf1350c45968fe355d86e683c6ecd
SHA13f2a35e2802bdb4e2d45d05e6f87dc77b1da6487
SHA2564b0827173fe5198c25b2e296984d3d6aa70e2bc8c0982f82b728a42ff319ee7c
SHA512701f8359debfaded50d55e11adecc50f16c70cf87d6c2a9dc0f36b034f5862d8a4c19f6154ea2db483ff6d0bbce13b14d6740a217a084df6cc63c6df817a5547
-
Filesize
1KB
MD5baee17361b4a62b01d799c449ac4c71b
SHA11e16f49d1bf3ba68683f55810e0df1231dab2ce0
SHA256db9b9ce1ac1e61f42d1bf367cbe590fba975e8ff9a5f14f2d95f7d9f08bd7ccd
SHA512b006dccf96dc01542135d0ef988607bf63a4f83d40cd980ba14752c61ee5f532dd6968551ec58fd3089f873bcca82f99ddd4bcae393373ae87abf15b6bd87ca6
-
Filesize
64B
MD5158a72355ea99a8bc04d0b6a380cc97c
SHA1750fff9e378ca754a4534371e54624f7e90b796f
SHA256c9bca1d35338ab02327f105d6a49f182c266f956bf9b345690f405057728802c
SHA5120f803f3ea81f115621805dc4d1958123a8001540355988a670a69b5e0b1ec85203bc57af31ca55d38cb3912c255af1aaea284faced7628ea9ccdd2beaac4f545
-
Filesize
1KB
MD508a4f1e8e388ab7244ad9cb1f4490533
SHA112d710f55831264638a960a95eb75cc083dc92bc
SHA256c5514167b282318ef09ceadee042dd00f14ed66f61820d4605313f42f1f301e4
SHA5120ae8c89b047f32573d01280d1b20677478dbfb7ef9d62f1069d09a1d9be4ba2e0b7e437630f7aa3f9711b0bdcdd0dd67f4f8523eae861caa656c28f8dd14c4ad
-
Filesize
1KB
MD5d766a3d85d77fc07891eff99ded680e3
SHA110f417cd10a6515d1d6438d8050f088bd8f9a3d7
SHA256001270d40b7a870d4b3e2f5663a5ef62f75365eedbfd12d25338444f2f6415df
SHA512a73d67f52a46d564c518d15dc8d20eb0bb21e6b32553885e593e922318bfeede482eff2c787c211e1886747fae1fd65c9d3407e41f87a6ab997ebedfe4ba14d8
-
Filesize
1KB
MD59e189c9294ad1f8bc483a89f47e7fee4
SHA1898f1d7087397d55ca3579dd7d3262af8d300637
SHA2566e83d12188eff5312687e24118c214bdfd8c3d83ed51aa0c7fdedba23f5db4e6
SHA5121c2a5cd34cbd621bc53e34d9da411c8bdae52501371a66eda1c61ead9d3c92575019f34fbcc441e187b7d8ffc17f13d96c19df9ce6f41dedf4cfc0cda718991f
-
Filesize
1KB
MD589f447f9679aa7770f0221226de8bae6
SHA18c57bb0160b035380f58dc53025074fb566353e0
SHA25611d74fa2ea36081a1cdf466a3691c0c54c919414e7ad49be8a91b450105545bd
SHA512e5b8d179324d4556bcc639ece69291d1afda1c8e362620081f96248436cefa888e9c899de6b6f31bc2e5976d62cc6047406e3d79f83afbf4f8a7c5f5c49c337e
-
Filesize
64B
MD5235a8eb126d835efb2e253459ab8b089
SHA1293fbf68e6726a5a230c3a42624c01899e35a89f
SHA2565ffd4a816ae5d1c1a8bdc51d2872b7dd99e9c383c88001d303a6f64a77773686
SHA512a83d17203b581491e47d65131e1efc8060ff04d1852e3415fc0a341c6a9691ef9f4cf4dd29d2f6d0032a49f2ba4bd36c35b3f472f0ce5f78f4bb139124760e92
-
Filesize
64B
MD5446dd1cf97eaba21cf14d03aebc79f27
SHA136e4cc7367e0c7b40f4a8ace272941ea46373799
SHA256a7de5177c68a64bd48b36d49e2853799f4ebcfa8e4761f7cc472f333dc5f65cf
SHA512a6d754709f30b122112ae30e5ab22486393c5021d33da4d1304c061863d2e1e79e8aeb029cae61261bb77d0e7becd53a7b0106d6ea4368b4c302464e3d941cf7
-
Filesize
1KB
MD557f4775a82b6280d0cfafc5dd2298888
SHA15ef1214c1c56b4a5eda56bbbe61209a723dfc120
SHA256e83f3ef8c327cdd65cc21f5f6ae05a1c4d855e116cce2668e4fd70169c77d6e2
SHA51272baa75eb1cb9c795b99681e0cbe7cf53c86a684c60178ff5bbba1b10da23fb7c160625d3154edd24a9296cc0cd4f6561b14ec729eb771616a16fd60226a8f99
-
Filesize
1KB
MD5091fb1a5d5b29634d9df692084a633e2
SHA12d030e620b6ca506301360af5b9e2040829be58a
SHA25657263d1948abb10892a071dc6087127b3b363a1b829d2772b39cb8619e685aca
SHA5125595f12b451c09c28f6490ef655eb20337545c551bb0562bd347fc68ef0d4e3afc3c56b3449a8fac00c5452119d10808acdbba969d3a3f5ec0d582095302eeb4
-
Filesize
1KB
MD5ce9a1f3ab12b723841a733645d214bea
SHA1722cc729a46c1db1a04641d2cbfcf95e16b628a6
SHA256174b3d3c313fe6523162bebf7d3c324fdbb67b43711cdd41610139d37bb2b090
SHA5127213e5279dc0eea5195e65f745eba1abaaa981def351e7f6ea16cf2dfea125972ed49d3f82e6429410d39e9613377265799caf6e8619bb33600dca21222f0140
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
1.2MB
MD5033d56e7344879563ef6601c76b4ef35
SHA1b5a4d03e2957c448ee05d9dcba88a09cb02ed27e
SHA2560376e8ff1ed91584b855a82bb3920dba1283c353fd02eff6f0d82a16e1d78c3b
SHA512099fa8d6e9d3c249c9c84b46725a2ff9ece2a7d12dd7afa3985ad448e829a84f10a044155087ad6a049243599eb1e0c9fa620648cd8f33c485f8f5aff288f038
-
Filesize
247KB
MD5b468be24719cc639f8f9a0b681882edc
SHA1d76acac99a80c1a57f6d53094b073b8050a4c282
SHA256a9a4f1d70e2a64eca01854198c9a81cf27557e4156731647655ca2a1a3db4501
SHA512a6a9cffc5d5f131049751b55dec7f825dd50d27481d6d8f2536f803b4c6033befe7672d103a8516ddcecf8182b0200edb6e6893f0ed49be710403d1aeba350d2
-
Filesize
296B
MD5c71e7dc482ec9d8ca71db3ee0c2248f8
SHA19f46a40b0c748912ad16e523ff1e88167801e92e
SHA256104cb42b8c9bd3409b610fdab9f3a01c781d3d418365d7be2b45fa4a0ec9bfd2
SHA512a6086c1b819c02ae332682a1414c62dc4aba0faa25d677f4597b995e0e0a9e528b50cfb5c57c317cf6e5fad2ba7d7dde682d5374568abb6ac5c2364162eaa279
-
Filesize
296B
MD573668ac25bc7294925fcaa52d418b4df
SHA1cc7ab9442a61d91ff52084658ecaab63c06a5984
SHA2569dfbd4c02db6888f078d1228cc548bc10084282a81252d7d008c001521ce274a
SHA512372fc932f03efc5f27256c8b7e744badf971b3caa540b209039c4160036dca28c7c6df85afcbb131cbb0a4ef80505803f6a4e058f50a9aec208161ad9826727c
-
Filesize
26KB
MD54aa49e4675eb60bb6b420280f3f23e2b
SHA1854afe272628ff19d8da29894422aef10a6b7535
SHA256d08129c321cc54c9a7e076ae5db60cf78049239afe0f927c12d1144715356186
SHA512cbf2895729b0a78dd3b927d659aa11402693901bcac69689941cc5cfd855724f1eff8de3b7d0b819f2e89d614226ab52b2eae458b8143719c23463b3c8339505
-
Filesize
744B
MD5820a690d59f2a911b0b9c646a3f3fd22
SHA120f15d86711af72509b34991e30fb068b7614192
SHA256530ffaff9851498f71978109bf8634f31b6afff0c13d55080e29a87724155a21
SHA512d5e5dba05d30265a50995f0b16cb96e4b1c8a814844675e258d109ec121c6b0d5f2a4b7989e736c645419dcd465faac9d82b756b2bb15ac3f61ddca40687796c
-
Filesize
1KB
MD57da8aba2ac783621376f191933b6f16a
SHA1a936b71a732ee89b644ecefaaa61d9c3ce30c504
SHA256b3dd6851985f083459b0021d66cd94d91899518267602da21feb812d35f99111
SHA512bbd0b3bcf03642a7a82bef05249f00efec6a9cdc517cf67a601ea0cdcac4a66d6e66df8058447097a0c32feb2266991d216a7a55b254dc38bcedd3a38c25b2e5
-
Filesize
1KB
MD5fd6c65c83e21814c842e1faf398da3ec
SHA11a558116268ce70578f6dbbf0c98664ef100a901
SHA25636155f9f56c057ce7294976f481e18d488a726917f47cf046cdedfcda517c223
SHA512e7d09cec8409961872dd57c6dc02d6633ed4a2d1c5bf368471aef220c6afa5bd532e939c99eb9fa5654177aa5b2acc7e611693b75585fec10fbeb57cbab4db41
-
Filesize
1KB
MD5b56bd59d80921215ac913cd30e97550c
SHA1a47f14216f6caec1b9721740590b45961c2ceded
SHA2560906d88119c31b87bf6325476f580e603caf3ed38cb0b6721967b649d7c9eee0
SHA512c5c763ba3341820c631c73e4aa8c216ffd0da9dd59a4082db20597049bd6d52bd76438ddcd9f80f89ae5578072d4b793f90f163b2174c957997b7ffb05e951a1
-
Filesize
2KB
MD5675f3d6e528e178645fb5011b4c89cff
SHA1a7d72e051cecf50449853020545a904f49d5431b
SHA256a14e1c5ccaf1dbd64250e5b6e076638d3bf89de61d7589bab6dc647aac8bb88d
SHA5122676e5bb11f02a3dd27baf25e54a3dce975dd3c4c99dfbeed20ac73b9abc00ae469d392a70bdfaab3d035da7bd5304dfe2d783959fc9f9679b554393db73dd0a
-
Filesize
4KB
MD59537ba7b9a96b8c5205c0033d88a1e1c
SHA1ad9a7f2342ecce9ea9e8c67ad9310c41be6fe6b6
SHA2567cfcbf8c0fb8c4d4660b553a70daf58f2cc316c5411aef1cbdd5e97142f80eb9
SHA512200266902bca46ca0797c672f2d5b873f89d1ce467b2053235f69bf10d3c3c172607d076bad6133e3bff53d5e5d326b79978d56f35cbacd67ae58d0166869a95
-
Filesize
3KB
MD55bb974d2949ece7752cf68b1001fd094
SHA1697c828d7ea49ba89e0777c66906c9061a49cc7f
SHA2563fa3df103bd454eb9f85c497f3313bff3a86a82ffd73d72929946c8bcf370520
SHA512454ae4e9561d9d2f4e0a422eab3e0f158c766576c798b6b2bd3bb02f0b78bf80467aed10ac27adbb094bf92c8d2371d17315dd2116e7df2b341100a627de8876
-
Filesize
3KB
MD5a4609c9f921a4d1a15ab8a32f1ccb856
SHA19483798e75262c611229a7ca448c1c7b6c572a6c
SHA256efbd3a97861fa1c3dc82a86683e35fd9da9493c5fd3f1084e321f35e5221d5c6
SHA512b733aa93ed7b8566bbd3e6734082bed72d5283d0deffffa0f260b093e7c67ab9b9f15b888f91988b723db1d62e59bddd53405f3bb1dbacdca044a8f3e1be420b
-
Filesize
1KB
MD52cce4b21fa6562708b9e606e4f915ebb
SHA1e6c1134b5065bdbc11f29aa949aee9aac83a5d9a
SHA256604883057282ad0ea9f30119df8e5c3aab6d32ebec2fe1fb4b3fb5d5f2d8bab0
SHA5121e3e8da8ab86aec266fe92281d225a3ebbcd1e49f3aedb3102095fd4afac8f9541533ed7f0b7600a98b2601b9642e385b1021a77d5b656b90af97508eeeafe92
-
Filesize
55KB
MD51bd9a5015554dfbf5607b07d8e3fe902
SHA1747c65ef25ac758c439886d48145566a2a9049a1
SHA256797ed20c49da71f721ff3f0fe308dba9f026bd400871cd2f3f54eed79c216fa0
SHA51291525c9fa05ac44a41e3490f09beed1fe3ebc672c513002a53a08913013a2a532a8bea4df3cac9a370e6b224352a01896d8940d7813fc161f32cc14b7d944c6f
-
Filesize
55KB
MD50efe86576a7a090b58f7cbea3c5f786a
SHA106a9bf5599672e3857e38d9f37ae52be13f5368c
SHA2560bcfdd4c5b19139a8fa565a8d33e29e4b27bfa6c7e4e81115b10410c1ab8beb3
SHA512f413d895c4623ec1389e1618674fedbc59169ebdfe2cdfda75e0635ed3a77456ef4fc766e5aedd22c5f2c0abcf0327bf3e0fb7534c08238ad1e3af7029803b94
-
Filesize
1KB
MD5b8f2889aecfdcbcec8cd731874a49163
SHA1e0c563cf2893b8b26daaaf26dcae66de2b7782e9
SHA256e7239ca474c09220cd1d82eccd8f79c4e78c11d24290e0f876ace45d52ba4236
SHA512d9ca0103cb6459429794a340b24daae7f8d3594c50c9d9aed86eb3dafb1f57fc0d9bfddec76692066944886c9bb5398c9723c8ff93bb9dc7d3497b81528fffe0
-
Filesize
1KB
MD5c9081736789bba9f36bc0a09cbadcd95
SHA107753e36dab72313119cff64959428ff54a7fea0
SHA256f1f4e4fc53ac181d2500b5c8a3fe5211006a91aa0be8b48392d98effd290c3c9
SHA512825d6381f193d595b4de1ea17dd82635ac617125778b7ff235ca12fa65e089ac07f56593daed796982c58c9865ed4c59efb9f9a27baf07fd4de780fee0fad9fe
-
Filesize
1KB
MD507789b471a116b1e83ae56f49f1f99ae
SHA1b5bedb1b42c5aa101bca7041b84bf397caae4c07
SHA2567918ea4b88d77094b9f48fcb3f51ae0d68fe9481466c8c5b4357e48832ff95ef
SHA51269667e9f3b7e716118dc9dbd6fae84e66042c17659f2f02b6672b0939a2a5b8dad19c9656d6b7087837350958cb485fd138f47a28311b8e32577b7a6a5078c35
-
Filesize
2KB
MD53360b6a136f0716aa6c0e7d1ec648d86
SHA1c68f97b4fc6c60d969b0b9c15cfcb25b38059703
SHA256593d56bbed4efdf035493b6f91c116609dbe3cf5094ae9fce3afcc46c8f41e9d
SHA5122150ecd4f2eb60c575b1d408349913d7bf466dba1a7fe3d42ffb13eede0f8e756c98908c07f1447bec33f0c49e3a40abeebca0a9445bc2edac9ec1343a3454bb
-
Filesize
6KB
MD51771151ad7d15e3f952bf3e0931f63af
SHA1d32f07aec5ee88bb45ab2239d15fcbb4677bb698
SHA256e375f799e100462f8b122939acb0c30dca063dd20ed938a0c3e222ce89c2a9fc
SHA5122d5965244b2ea37cb06cb165eb4d4e2dc54f82b0f3b96ccbae43839ea7f167676d5a9e9154880e539de674f64c6e67cfa119103e5232dc0cff70bd91c994d81e
-
Filesize
3KB
MD5005c6c0777e36ce5a6b8d3fca585480b
SHA172641c9685937183e4194db84ae173b2f7bdccc0
SHA2567cc462ff057cbae749eb84974b005742544a61fd70b8a2c95631fcf36bf0d77f
SHA5128eafb4a2f5c60b212af4918344ce666946147dfa17d40e7127df85d965fab5b99cefcb2f6d65bc867d9fac60b9a6bf099d39dfd2f12808a34e176000c6a7e5ab
-
Filesize
2KB
MD5d6d09d9bf821d8a4f6e6c23760016940
SHA1ed62aed9a665114a78269e74bf9ef4ebaf7d4603
SHA25681e67f9a0a99862c5bf0beb45a8d458ec2e45935c7269f2a02461c5a6ffb7b9d
SHA512615466de315c8adcf646918228286e6550589246f703d826770a42416f5adf5173d4894fb748aa8b4ae84cdc5e0a653559a0ec4083ebdfa0e4d4c5d66004b03a
-
Filesize
12KB
MD576cd096bb8257e82319989abd55bc7e4
SHA19286b8ee6260beb6971e5b5cce5611914e7cfa6f
SHA25652e2cc75975f47ecbca308ef885a63e791560d702fb49a4d9e5f4d64639740ec
SHA512ed259d419333ee1b7933cf5444ac74f7f4bc53938675345776f8f817f72c8c753b7d53c415f78e5863088126af29b8febd8d992a37024b0110da8cbc80e89cb2
-
Filesize
6KB
MD54ae1bd07322d535c97845876d1fac31a
SHA16b4af5e52b8416e3671fcdb4d7e5444752337c79
SHA256a3d1f46fb0e0aa0da6d6ce3cc8372223343eef225afd9381ab37147163d294bb
SHA5123e41655a56c6f3dca5cfff7d880fd174de92c9933bfb4be682d06883b119cb23c8fb95fb147177945d8c019ef22936bfd7f0ec56716d30e899d1994697b870b0
-
Filesize
15KB
MD5dda863610786a8f7fd7315dae316e759
SHA14968b6f946eca89428e5a1ccaff5a3dea8668f2b
SHA256052f6059f968d22e165e89b645a274a35579f31fbd7af2d683d1f596103f65e6
SHA512f902d8274a87962dd58c28ffa6d08f765b12949e73418b0c97f7228af229bad533422f20e934336df907203610a4f6340b16e7849b74d8f5ea211b0078206822
-
Filesize
15KB
MD51309804261bfdbdc0181ce6c77bc83ed
SHA10ba009bbda4706165af81cd2372cef28bd2ee795
SHA2567e0d7ed96413d37cd05c867ce08f2c1df78b8a182d511e9296a9475b815dd1d1
SHA512e73164cb4347eb275fdfd997a385dea1c92ac444d58936be694c6e62b72ff07c2772b1fc8200932a88315bf96342ad6b17d50601ef2bde93820f0eb30597b0a7
-
Filesize
1.7MB
MD517bd13edd536269c417ba8e1b4534fbe
SHA122470bb3a4c37a0c612ff7ad2596306065ac0c9b
SHA2566111a70da65153e6ded71eae2057bf6760f340476261f6e15a80479daf9724eb
SHA51200d8c80dcfdda235d06160b40d06e47bd0be5178c5fb2b26bf4cd984eae520d877517a16d1a62d88ed1f0a46244eafd4cc4b4183a35f85d13b250e492d441455
-
Filesize
776KB
MD5585c5000d1a851b295ff295389d7aa1a
SHA1191f4e93781aba9bf81565cece0046ee599c0633
SHA25615fccf8c018bbbed14664d5a5528cdf087b9032543be2169d78ab25d141d2b2c
SHA5120ba2bbe8ca98e650d6f683f5700b44c11d30e3a5ef4b323a3a2aaa35f466401d808423cad4d497080c4bc9ec080e9a4f156ede3d651d3a718abe2307bc09a6b4
-
Filesize
4KB
MD5720bfbbf61bc2c61943eeb3926f1723a
SHA1badf39429f1c2d7cdc666ddf3e68ceb0cbde3f17
SHA256a4edcfd5f74098e0167264af178d6cad606716d0b22b1a484618561a1f03c97e
SHA51298b476aa24c29793849455f8e8d322f2c81d876b53ca4c44e400a1350477082d49f7005c83493ca8be8c5ad69d2e2cecf938c0061e89ee9cefb364c55df9b143
-
MD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
Filesize
152KB
-
Filesize
88KB
-
Filesize
40KB
-
Filesize
72KB
-
Filesize
40KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
136KB