Analysis Overview
SHA256
30091faafd62ea7ba9868db2ee575dab98fd126a78d39590f57ea7b38b20d966
Threat Level: Known bad
The file Ultimate Tweaks.exe was found to be: Known bad.
Malicious Activity Summary
Zloader family
Checks computer location settings
Loads dropped DLL
Executes dropped EXE
Checks installed software on the system
System Location Discovery: System Language Discovery
Unsigned PE
Program crash
Browser Information Discovery
Enumerates physical storage devices
Command and Scripting Interpreter: PowerShell
Suspicious use of SendNotifyMessage
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of WriteProcessMemory
Enumerates system info in registry
Suspicious use of AdjustPrivilegeToken
Checks processor information in registry
Suspicious use of FindShellTrayWindow
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-09-22 11:27
Signatures
Zloader family
Unsigned PE
Analysis: behavioral15
Detonation Overview
Submitted
2024-09-22 11:26
Reported
2024-09-22 11:52
Platform
win10v2004-20240802-en
Max time kernel
93s
Max time network
204s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3148 wrote to memory of 212 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsDialogs.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsDialogs.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 212 -ip 212
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 212 -s 636
Network
Files
Analysis: behavioral3
Detonation Overview
Submitted
2024-09-22 11:26
Reported
2024-09-22 11:52
Platform
win10v2004-20240802-en
Max time kernel
93s
Max time network
203s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2924 wrote to memory of 2348 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2348 -ip 2348
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2348 -s 612
Network
Files
Analysis: behavioral6
Detonation Overview
Submitted
2024-09-22 11:26
Reported
2024-09-22 11:52
Platform
win10v2004-20240802-en
Max time kernel
282s
Max time network
303s
Command Line
Signatures
Browser Information Discovery
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe | N/A |
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Processes
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\LICENSES.chromium.html
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa7b6546f8,0x7ffa7b654708,0x7ffa7b654718
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2028,8169727178259053959,10764571753691544226,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2044 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2028,8169727178259053959,10764571753691544226,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2320 /prefetch:3
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2028,8169727178259053959,10764571753691544226,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2956 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,8169727178259053959,10764571753691544226,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3228 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,8169727178259053959,10764571753691544226,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3236 /prefetch:1
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2028,8169727178259053959,10764571753691544226,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5492 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2028,8169727178259053959,10764571753691544226,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5492 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,8169727178259053959,10764571753691544226,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4700 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,8169727178259053959,10764571753691544226,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4784 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,8169727178259053959,10764571753691544226,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3320 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,8169727178259053959,10764571753691544226,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3424 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2028,8169727178259053959,10764571753691544226,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5584 /prefetch:2
Network
Files
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
\??\pipe\LOCAL\crashpad_2020_INDYGAODBMJMTSUO
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Analysis: behavioral8
Detonation Overview
Submitted
2024-09-22 11:26
Reported
2024-09-22 11:52
Platform
win10v2004-20240802-en
Max time kernel
144s
Max time network
300s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\d3dcompiler_47.dll,#1
Network
Files
Analysis: behavioral11
Detonation Overview
Submitted
2024-09-22 11:26
Reported
2024-09-22 11:52
Platform
win10v2004-20240910-en
Max time kernel
147s
Max time network
195s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\libGLESv2.dll,#1
Network
Files
Analysis: behavioral17
Detonation Overview
Submitted
2024-09-22 11:26
Reported
2024-09-22 11:52
Platform
win10v2004-20240802-en
Max time kernel
148s
Max time network
302s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2936 wrote to memory of 804 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsis7z.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsis7z.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 804 -ip 804
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 804 -s 612
Network
Files
Analysis: behavioral24
Detonation Overview
Submitted
2024-09-22 11:26
Reported
2024-09-22 11:52
Platform
win10v2004-20240802-en
Max time kernel
234s
Max time network
294s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3960 wrote to memory of 1976 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsExec.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsExec.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 1976 -ip 1976
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1976 -s 612
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=1904,i,8293235976513689021,7261015831736501466,262144 --variations-seed-version --mojo-platform-channel-handle=4340 /prefetch:8
Network
Files
Analysis: behavioral1
Detonation Overview
Submitted
2024-09-22 11:26
Reported
2024-09-22 11:52
Platform
win10v2004-20240802-en
Max time kernel
299s
Max time network
300s
Command Line
Signatures
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Programs\Ultimate Tweaks\Ultimate Tweaks.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Programs\Ultimate Tweaks\Ultimate Tweaks.exe | N/A |
Loads dropped DLL
Checks installed software on the system
Command and Scripting Interpreter: PowerShell
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Programs\Ultimate Tweaks\Ultimate Tweaks.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Users\Admin\AppData\Local\Programs\Ultimate Tweaks\Ultimate Tweaks.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Programs\Ultimate Tweaks\Ultimate Tweaks.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 | C:\Users\Admin\AppData\Local\Programs\Ultimate Tweaks\Ultimate Tweaks.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz | C:\Users\Admin\AppData\Local\Programs\Ultimate Tweaks\Ultimate Tweaks.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString | C:\Users\Admin\AppData\Local\Programs\Ultimate Tweaks\Ultimate Tweaks.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\2 | C:\Users\Admin\AppData\Local\Programs\Ultimate Tweaks\Ultimate Tweaks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe
"C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4512,i,16315016104747277319,5510969007830467313,262144 --variations-seed-version --mojo-platform-channel-handle=4628 /prefetch:8
C:\Users\Admin\AppData\Local\Programs\Ultimate Tweaks\Ultimate Tweaks.exe
"C:\Users\Admin\AppData\Local\Programs\Ultimate Tweaks\Ultimate Tweaks.exe"
C:\Users\Admin\AppData\Local\Programs\Ultimate Tweaks\Ultimate Tweaks.exe
"C:\Users\Admin\AppData\Local\Programs\Ultimate Tweaks\Ultimate Tweaks.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\Ultimate Tweaks" --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=1736 --field-trial-handle=1740,i,12408626244169980741,16800819234746302788,262144 --enable-features=kWebSQLAccess --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version /prefetch:2
C:\Users\Admin\AppData\Local\Programs\Ultimate Tweaks\Ultimate Tweaks.exe
"C:\Users\Admin\AppData\Local\Programs\Ultimate Tweaks\Ultimate Tweaks.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\Ultimate Tweaks" --mojo-platform-channel-handle=2172 --field-trial-handle=1740,i,12408626244169980741,16800819234746302788,262144 --enable-features=kWebSQLAccess --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version /prefetch:3
C:\Users\Admin\AppData\Local\Programs\Ultimate Tweaks\Ultimate Tweaks.exe
"C:\Users\Admin\AppData\Local\Programs\Ultimate Tweaks\Ultimate Tweaks.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\Ultimate Tweaks" --app-path="C:\Users\Admin\AppData\Local\Programs\Ultimate Tweaks\resources\app.asar" --no-sandbox --no-zygote --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=4 --mojo-platform-channel-handle=2360 --field-trial-handle=1740,i,12408626244169980741,16800819234746302788,262144 --enable-features=kWebSQLAccess --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version /prefetch:1
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "chcp"
C:\Windows\system32\chcp.com
chcp
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\Scheduler" /v "VsyncIdleTimeout" /t REG_DWORD /d "0" /f"
C:\Windows\system32\reg.exe
Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\Scheduler" /v "VsyncIdleTimeout" /t REG_DWORD /d "0" /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "Reg.exe add "HKCU\System\GameConfigStore" /v "GameDVR_Enabled" /t REG_DWORD /d "0" /f"
C:\Windows\system32\reg.exe
Reg.exe add "HKCU\System\GameConfigStore" /v "GameDVR_Enabled" /t REG_DWORD /d "0" /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "Reg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\GameDVR" /v "AppCaptureEnabled" /t REG_DWORD /d "0" /f"
C:\Windows\system32\reg.exe
Reg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\GameDVR" /v "AppCaptureEnabled" /t REG_DWORD /d "0" /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "Reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows\GameDVR" /v "AllowgameDVR" /t REG_DWORD /d "0" /f"
C:\Windows\system32\reg.exe
Reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows\GameDVR" /v "AllowgameDVR" /t REG_DWORD /d "0" /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "Reg.exe add "HKLM\SOFTWARE\Intel\GMM" /v "DedicatedSegmentSize" /t REG_DWORD /d "1298" /f"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
C:\Windows\system32\reg.exe
Reg.exe add "HKLM\SOFTWARE\Intel\GMM" /v "DedicatedSegmentSize" /t REG_DWORD /d "1298" /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\PriorityControl" /v "Win32PrioritySeparation" /t REG_DWORD /d "38" /f"
C:\Windows\system32\reg.exe
Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\PriorityControl" /v "Win32PrioritySeparation" /t REG_DWORD /d "38" /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\PriorityControl" /v "IRQ8Priority" /t REG_DWORD /d "1" /f"
C:\Windows\system32\reg.exe
Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\PriorityControl" /v "IRQ8Priority" /t REG_DWORD /d "1" /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\PriorityControl" /v "IRQ16Priority" /t REG_DWORD /d "2" /f"
C:\Windows\system32\reg.exe
Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\PriorityControl" /v "IRQ16Priority" /t REG_DWORD /d "2" /f
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "Reg.exe add "HKLM\SYSTEM\ControlSet001\Control\PriorityControl" /v "Win32PrioritySeparation" /t REG_DWORD /d "38" /f"
C:\Windows\system32\reg.exe
Reg.exe add "HKLM\SYSTEM\ControlSet001\Control\PriorityControl" /v "Win32PrioritySeparation" /t REG_DWORD /d "38" /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "Reg.exe add "HKLM\SYSTEM\ControlSet001\Control\PriorityControl" /v "IRQ8Priority" /t REG_DWORD /d "1" /f"
C:\Windows\system32\reg.exe
Reg.exe add "HKLM\SYSTEM\ControlSet001\Control\PriorityControl" /v "IRQ8Priority" /t REG_DWORD /d "1" /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "Reg.exe add "HKLM\SYSTEM\ControlSet001\Control\PriorityControl" /v "IRQ16Priority" /t REG_DWORD /d "2" /f"
C:\Windows\system32\reg.exe
Reg.exe add "HKLM\SYSTEM\ControlSet001\Control\PriorityControl" /v "IRQ16Priority" /t REG_DWORD /d "2" /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters" /v "EnablePrefetcher" /t REG_DWORD /d "0" /f"
C:\Windows\system32\reg.exe
Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters" /v "EnablePrefetcher" /t REG_DWORD /d "0" /f
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters" /v "EnableSuperfetch" /t REG_DWORD /d "0" /f"
C:\Windows\system32\reg.exe
Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters" /v "EnableSuperfetch" /t REG_DWORD /d "0" /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters" /v "EnableBoottrace" /t REG_DWORD /d "0" /f"
C:\Windows\system32\reg.exe
Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters" /v "EnableBoottrace" /t REG_DWORD /d "0" /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "Reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoLowDiskSpaceChecks" /t REG_DWORD /d "1" /f"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
C:\Windows\system32\reg.exe
Reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoLowDiskSpaceChecks" /t REG_DWORD /d "1" /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "Reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "LinkResolveIgnoreLinkInfo" /t REG_DWORD /d "1" /f"
C:\Windows\system32\reg.exe
Reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "LinkResolveIgnoreLinkInfo" /t REG_DWORD /d "1" /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "Reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoResolveSearch" /t REG_DWORD /d "1" /f"
C:\Windows\system32\reg.exe
Reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoResolveSearch" /t REG_DWORD /d "1" /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "Reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoResolveTrack" /t REG_DWORD /d "1" /f"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\system32\reg.exe
Reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoResolveTrack" /t REG_DWORD /d "1" /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "Reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoInternetOpenWith" /t REG_DWORD /d "1" /f"
C:\Windows\system32\reg.exe
Reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoInternetOpenWith" /t REG_DWORD /d "1" /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\FileSystem" /v "NtfsMftZoneReservation" /t REG_DWORD /d "1" /f"
C:\Windows\system32\reg.exe
Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\FileSystem" /v "NtfsMftZoneReservation" /t REG_DWORD /d "1" /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\FileSystem" /v "NTFSDisable8dot3NameCreation" /t REG_DWORD /d "1" /f"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
C:\Windows\system32\reg.exe
Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\FileSystem" /v "NTFSDisable8dot3NameCreation" /t REG_DWORD /d "1" /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\FileSystem" /v "DontVerifyRandomDrivers" /t REG_DWORD /d "1" /f"
C:\Windows\system32\reg.exe
Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\FileSystem" /v "DontVerifyRandomDrivers" /t REG_DWORD /d "1" /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\FileSystem" /v "NTFSDisableLastAccessUpdate" /t REG_DWORD /d "1" /f"
C:\Windows\system32\reg.exe
Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\FileSystem" /v "NTFSDisableLastAccessUpdate" /t REG_DWORD /d "1" /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\FileSystem" /v "ContigFileAllocSize" /t REG_DWORD /d "64" /f"
C:\Windows\system32\reg.exe
Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\FileSystem" /v "ContigFileAllocSize" /t REG_DWORD /d "64" /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "Reg.exe add "HKCU\Control Panel\Desktop" /v "AutoEndTasks" /t REG_SZ /d "1" /f"
C:\Windows\system32\reg.exe
Reg.exe add "HKCU\Control Panel\Desktop" /v "AutoEndTasks" /t REG_SZ /d "1" /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "Reg.exe add "HKCU\Control Panel\Desktop" /v "MenuShowDelay" /t REG_SZ /d "0" /f"
C:\Windows\system32\reg.exe
Reg.exe add "HKCU\Control Panel\Desktop" /v "MenuShowDelay" /t REG_SZ /d "0" /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "Reg.exe add "HKCU\Control Panel\Desktop" /v "WaitToKillAppTimeout" /t REG_SZ /d "5000" /f"
C:\Windows\system32\reg.exe
Reg.exe add "HKCU\Control Panel\Desktop" /v "WaitToKillAppTimeout" /t REG_SZ /d "5000" /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "Reg.exe add "HKCU\Control Panel\Desktop" /v "WaitToKillServiceTimeout" /t REG_SZ /d "1000" /f"
C:\Windows\system32\reg.exe
Reg.exe add "HKCU\Control Panel\Desktop" /v "WaitToKillServiceTimeout" /t REG_SZ /d "1000" /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "Reg.exe add "HKCU\Control Panel\Desktop" /v "HungAppTimeout" /t REG_SZ /d "4000" /f"
C:\Windows\system32\reg.exe
Reg.exe add "HKCU\Control Panel\Desktop" /v "HungAppTimeout" /t REG_SZ /d "4000" /f
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "Reg.exe add "HKCU\Control Panel\Desktop" /v "LowLevelHooksTimeout" /t REG_SZ /d "1000" /f"
C:\Windows\system32\reg.exe
Reg.exe add "HKCU\Control Panel\Desktop" /v "LowLevelHooksTimeout" /t REG_SZ /d "1000" /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "Reg.exe add "HKCU\Control Panel\Desktop" /v "ForegroundLockTimeout" /t REG_SZ /d "150000" /f"
C:\Windows\system32\reg.exe
Reg.exe add "HKCU\Control Panel\Desktop" /v "ForegroundLockTimeout" /t REG_SZ /d "150000" /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "Reg.exe add "HKCU\SOFTWARE\Microsoft\Games" /v "FpsAll" /t REG_DWORD /d "1" /f"
C:\Windows\system32\reg.exe
Reg.exe add "HKCU\SOFTWARE\Microsoft\Games" /v "FpsAll" /t REG_DWORD /d "1" /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "Reg.exe add "HKCU\SOFTWARE\Microsoft\Games" /v "GameFluidity" /t REG_DWORD /d "1" /f"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
C:\Windows\system32\reg.exe
Reg.exe add "HKCU\SOFTWARE\Microsoft\Games" /v "GameFluidity" /t REG_DWORD /d "1" /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "Reg.exe add "HKCU\SOFTWARE\Microsoft\Games" /v "FpsStatusGames" /t REG_DWORD /d "16" /f"
C:\Windows\system32\reg.exe
Reg.exe add "HKCU\SOFTWARE\Microsoft\Games" /v "FpsStatusGames" /t REG_DWORD /d "16" /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "Reg.exe add "HKCU\SOFTWARE\Microsoft\Games" /v "FpsStatusGamesAll" /t REG_DWORD /d "4" /f"
C:\Windows\system32\reg.exe
Reg.exe add "HKCU\SOFTWARE\Microsoft\Games" /v "FpsStatusGamesAll" /t REG_DWORD /d "4" /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Games" /v "Affinity" /t REG_DWORD /d "0" /f"
C:\Windows\system32\reg.exe
Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Games" /v "Affinity" /t REG_DWORD /d "0" /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Games" /v "Background Only" /t REG_SZ /d "False" /f"
C:\Windows\system32\reg.exe
Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Games" /v "Background Only" /t REG_SZ /d "False" /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Games" /v "Clock Rate" /t REG_DWORD /d "10000" /f"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
C:\Windows\system32\reg.exe
Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Games" /v "Clock Rate" /t REG_DWORD /d "10000" /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Games" /v "GPU Priority" /t REG_DWORD /d "8" /f"
C:\Windows\system32\reg.exe
Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Games" /v "GPU Priority" /t REG_DWORD /d "8" /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Games" /v "Priority" /t REG_DWORD /d "2" /f"
C:\Windows\system32\reg.exe
Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Games" /v "Priority" /t REG_DWORD /d "2" /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Games" /v "Scheduling Category" /t REG_SZ /d "High" /f"
C:\Windows\system32\reg.exe
Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Games" /v "Scheduling Category" /t REG_SZ /d "High" /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Games" /v "SFIO Priority" /t REG_SZ /d "High" /f"
C:\Windows\system32\reg.exe
Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Games" /v "SFIO Priority" /t REG_SZ /d "High" /f
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Games" /v "Latency Sensitive" /t REG_SZ /d "True" /f"
C:\Windows\system32\reg.exe
Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Games" /v "Latency Sensitive" /t REG_SZ /d "True" /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Low Latency" /v "Affinity" /t REG_DWORD /d "0" /f"
C:\Windows\system32\reg.exe
Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Low Latency" /v "Affinity" /t REG_DWORD /d "0" /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Low Latency" /v "Background Only" /t REG_SZ /d "False" /f"
C:\Windows\system32\reg.exe
Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Low Latency" /v "Background Only" /t REG_SZ /d "False" /f
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Low Latency" /v "Clock Rate" /t REG_DWORD /d "10000" /f"
C:\Windows\system32\reg.exe
Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Low Latency" /v "Clock Rate" /t REG_DWORD /d "10000" /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Low Latency" /v "GPU Priority" /t REG_DWORD /d "8" /f"
C:\Windows\system32\reg.exe
Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Low Latency" /v "GPU Priority" /t REG_DWORD /d "8" /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Low Latency" /v "Priority" /t REG_DWORD /d "2" /f"
C:\Windows\system32\reg.exe
Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Low Latency" /v "Priority" /t REG_DWORD /d "2" /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Low Latency" /v "Scheduling Category" /t REG_SZ /d "High" /f"
C:\Windows\system32\reg.exe
Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Low Latency" /v "Scheduling Category" /t REG_SZ /d "High" /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Low Latency" /v "SFIO Priority" /t REG_SZ /d "High" /f"
C:\Windows\system32\reg.exe
Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Low Latency" /v "SFIO Priority" /t REG_SZ /d "High" /f
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Low Latency" /v "Latency Sensitive" /t REG_SZ /d "True" /f"
C:\Windows\system32\reg.exe
Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Low Latency" /v "Latency Sensitive" /t REG_SZ /d "True" /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "Reg.exe add "HKLM\System\CurrentControlSet\Services\VxD\BIOS" /v "CPUPriority" /t REG_DWORD /d "1" /f"
C:\Windows\system32\reg.exe
Reg.exe add "HKLM\System\CurrentControlSet\Services\VxD\BIOS" /v "CPUPriority" /t REG_DWORD /d "1" /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "Reg.exe add "HKLM\System\CurrentControlSet\Services\VxD\BIOS" /v "FastDRAM" /t REG_DWORD /d "1" /f"
C:\Windows\system32\reg.exe
Reg.exe add "HKLM\System\CurrentControlSet\Services\VxD\BIOS" /v "FastDRAM" /t REG_DWORD /d "1" /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "Reg.exe add "HKLM\System\CurrentControlSet\Services\VxD\BIOS" /v "PCIConcur" /t REG_DWORD /d "1" /f"
C:\Windows\system32\reg.exe
Reg.exe add "HKLM\System\CurrentControlSet\Services\VxD\BIOS" /v "PCIConcur" /t REG_DWORD /d "1" /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "Reg.exe add "HKLM\System\CurrentControlSet\Services\VxD\BIOS" /v "AGPConcur" /t REG_DWORD /d "1" /f"
C:\Windows\system32\reg.exe
Reg.exe add "HKLM\System\CurrentControlSet\Services\VxD\BIOS" /v "AGPConcur" /t REG_DWORD /d "1" /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer" /v "Max Cached Icons" /t REG_SZ /d "2000" /f"
C:\Windows\system32\reg.exe
Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer" /v "Max Cached Icons" /t REG_SZ /d "2000" /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer" /v "AlwaysUnloadDLL" /t REG_DWORD /d "1" /f"
C:\Windows\system32\reg.exe
Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer" /v "AlwaysUnloadDLL" /t REG_DWORD /d "1" /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\AlwaysUnloadDLL" /v "Default" /t REG_DWORD /d "1" /f"
C:\Windows\system32\reg.exe
Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\AlwaysUnloadDLL" /v "Default" /t REG_DWORD /d "1" /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "Reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "EnableBalloonTips" /t REG_DWORD /d "0" /f"
C:\Windows\system32\reg.exe
Reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "EnableBalloonTips" /t REG_DWORD /d "0" /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "Reg.exe add "HKLM\SOFTWARE\Microsoft\MSMQ\Parameters" /v "TCPNoDelay" /t REG_DWORD /d "1" /f"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\system32\reg.exe
Reg.exe add "HKLM\SOFTWARE\Microsoft\MSMQ\Parameters" /v "TCPNoDelay" /t REG_DWORD /d "1" /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power\PowerSettings\54533251-82be-4824-96c1-47b60b740d00\0cc5b647-c1df-4637-891a-dec35c318583" /v "ValueMin" /t REG_DWORD /d "0" /f"
C:\Windows\system32\reg.exe
Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power\PowerSettings\54533251-82be-4824-96c1-47b60b740d00\0cc5b647-c1df-4637-891a-dec35c318583" /v "ValueMin" /t REG_DWORD /d "0" /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power\PowerSettings\54533251-82be-4824-96c1-47b60b740d00\0cc5b647-c1df-4637-891a-dec35c318583" /v "ValueMax" /t REG_DWORD /d "0" /f"
C:\Windows\system32\reg.exe
Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power\PowerSettings\54533251-82be-4824-96c1-47b60b740d00\0cc5b647-c1df-4637-891a-dec35c318583" /v "ValueMax" /t REG_DWORD /d "0" /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "Reg.exe add "HKLM\SYSTEM\ControlSet001\Control\Power\PowerSettings\54533251-82be-4824-96c1-47b60b740d00\0cc5b647-c1df-4637-891a-dec35c318583" /v "ValueMax" /t REG_DWORD /d "0" /f"
C:\Windows\system32\reg.exe
Reg.exe add "HKLM\SYSTEM\ControlSet001\Control\Power\PowerSettings\54533251-82be-4824-96c1-47b60b740d00\0cc5b647-c1df-4637-891a-dec35c318583" /v "ValueMax" /t REG_DWORD /d "0" /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "Reg.exe add "HKLM\SYSTEM\ControlSet001\Control\Power\PowerSettings\54533251-82be-4824-96c1-47b60b740d00\0cc5b647-c1df-4637-891a-dec35c318583" /v "ValueMin" /t REG_DWORD /d "0" /f"
C:\Windows\system32\reg.exe
Reg.exe add "HKLM\SYSTEM\ControlSet001\Control\Power\PowerSettings\54533251-82be-4824-96c1-47b60b740d00\0cc5b647-c1df-4637-891a-dec35c318583" /v "ValueMin" /t REG_DWORD /d "0" /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "Reg.exe add "HKLM\SYSTEM\ControlSet002\Control\Power\PowerSettings\54533251-82be-4824-96c1-47b60b740d00\0cc5b647-c1df-4637-891a-dec35c318583" /v "ValueMax" /t REG_DWORD /d "0" /f"
C:\Windows\system32\reg.exe
Reg.exe add "HKLM\SYSTEM\ControlSet002\Control\Power\PowerSettings\54533251-82be-4824-96c1-47b60b740d00\0cc5b647-c1df-4637-891a-dec35c318583" /v "ValueMax" /t REG_DWORD /d "0" /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "Reg.exe add "HKLM\SYSTEM\ControlSet002\Control\Power\PowerSettings\54533251-82be-4824-96c1-47b60b740d00\0cc5b647-c1df-4637-891a-dec35c318583" /v "ValueMin" /t REG_DWORD /d "0" /f"
C:\Windows\system32\reg.exe
Reg.exe add "HKLM\SYSTEM\ControlSet002\Control\Power\PowerSettings\54533251-82be-4824-96c1-47b60b740d00\0cc5b647-c1df-4637-891a-dec35c318583" /v "ValueMin" /t REG_DWORD /d "0" /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "HibernateEnabled" /t REG_DWORD /d "0" /f"
C:\Windows\system32\reg.exe
Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "HibernateEnabled" /t REG_DWORD /d "0" /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power" /v "HiberbootEnabled" /t REG_DWORD /d "0" /f"
C:\Windows\system32\reg.exe
Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power" /v "HiberbootEnabled" /t REG_DWORD /d "0" /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power\PowerSettings\54533251-82be-4824-96c1-47b60b740d00\893dee8e-2bef-41e0-89c6-b55d0929964c" /v "ValueMax" /t REG_DWORD /d "100" /f"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
C:\Windows\system32\reg.exe
Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power\PowerSettings\54533251-82be-4824-96c1-47b60b740d00\893dee8e-2bef-41e0-89c6-b55d0929964c" /v "ValueMax" /t REG_DWORD /d "100" /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power\PowerSettings\54533251-82be-4824-96c1-47b60b740d00\893dee8e-2bef-41e0-89c6-b55d0929964c\DefaultPowerSchemeValues\8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c" /v "ValueMax" /t REG_DWORD /d "100" /f"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\system32\reg.exe
Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power\PowerSettings\54533251-82be-4824-96c1-47b60b740d00\893dee8e-2bef-41e0-89c6-b55d0929964c\DefaultPowerSchemeValues\8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c" /v "ValueMax" /t REG_DWORD /d "100" /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\Scheduler" /v "VsyncIdleTimeout" /t REG_DWORD /d "0" /f"
C:\Windows\system32\reg.exe
Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\Scheduler" /v "VsyncIdleTimeout" /t REG_DWORD /d "0" /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "Reg.exe add "HKCU\System\GameConfigStore" /v "GameDVR_Enabled" /t REG_DWORD /d "0" /f"
C:\Windows\system32\reg.exe
Reg.exe add "HKCU\System\GameConfigStore" /v "GameDVR_Enabled" /t REG_DWORD /d "0" /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "Reg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\GameDVR" /v "AppCaptureEnabled" /t REG_DWORD /d "0" /f"
C:\Windows\system32\reg.exe
Reg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\GameDVR" /v "AppCaptureEnabled" /t REG_DWORD /d "0" /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "Reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows\GameDVR" /v "AllowgameDVR" /t REG_DWORD /d "0" /f"
C:\Windows\system32\reg.exe
Reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows\GameDVR" /v "AllowgameDVR" /t REG_DWORD /d "0" /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "Reg.exe add "HKLM\SOFTWARE\Intel\GMM" /v "DedicatedSegmentSize" /t REG_DWORD /d "1298" /f"
C:\Windows\system32\reg.exe
Reg.exe add "HKLM\SOFTWARE\Intel\GMM" /v "DedicatedSegmentSize" /t REG_DWORD /d "1298" /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\PriorityControl" /v "Win32PrioritySeparation" /t REG_DWORD /d "38" /f"
C:\Windows\system32\reg.exe
Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\PriorityControl" /v "Win32PrioritySeparation" /t REG_DWORD /d "38" /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\PriorityControl" /v "IRQ8Priority" /t REG_DWORD /d "1" /f"
C:\Windows\system32\reg.exe
Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\PriorityControl" /v "IRQ8Priority" /t REG_DWORD /d "1" /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\PriorityControl" /v "IRQ16Priority" /t REG_DWORD /d "2" /f"
C:\Windows\system32\reg.exe
Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\PriorityControl" /v "IRQ16Priority" /t REG_DWORD /d "2" /f
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "Reg.exe add "HKLM\SYSTEM\ControlSet001\Control\PriorityControl" /v "Win32PrioritySeparation" /t REG_DWORD /d "38" /f"
C:\Windows\system32\reg.exe
Reg.exe add "HKLM\SYSTEM\ControlSet001\Control\PriorityControl" /v "Win32PrioritySeparation" /t REG_DWORD /d "38" /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "Reg.exe add "HKLM\SYSTEM\ControlSet001\Control\PriorityControl" /v "IRQ8Priority" /t REG_DWORD /d "1" /f"
C:\Windows\system32\reg.exe
Reg.exe add "HKLM\SYSTEM\ControlSet001\Control\PriorityControl" /v "IRQ8Priority" /t REG_DWORD /d "1" /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "Reg.exe add "HKLM\SYSTEM\ControlSet001\Control\PriorityControl" /v "IRQ16Priority" /t REG_DWORD /d "2" /f"
C:\Windows\system32\reg.exe
Reg.exe add "HKLM\SYSTEM\ControlSet001\Control\PriorityControl" /v "IRQ16Priority" /t REG_DWORD /d "2" /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters" /v "EnablePrefetcher" /t REG_DWORD /d "0" /f"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\system32\reg.exe
Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters" /v "EnablePrefetcher" /t REG_DWORD /d "0" /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters" /v "EnableSuperfetch" /t REG_DWORD /d "0" /f"
C:\Windows\system32\reg.exe
Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters" /v "EnableSuperfetch" /t REG_DWORD /d "0" /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters" /v "EnableBoottrace" /t REG_DWORD /d "0" /f"
C:\Windows\system32\reg.exe
Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters" /v "EnableBoottrace" /t REG_DWORD /d "0" /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "Reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoLowDiskSpaceChecks" /t REG_DWORD /d "1" /f"
C:\Windows\system32\reg.exe
Reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoLowDiskSpaceChecks" /t REG_DWORD /d "1" /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "Reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "LinkResolveIgnoreLinkInfo" /t REG_DWORD /d "1" /f"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\system32\reg.exe
Reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "LinkResolveIgnoreLinkInfo" /t REG_DWORD /d "1" /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "Reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoResolveSearch" /t REG_DWORD /d "1" /f"
C:\Windows\system32\reg.exe
Reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoResolveSearch" /t REG_DWORD /d "1" /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "Reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoResolveTrack" /t REG_DWORD /d "1" /f"
C:\Windows\system32\reg.exe
Reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoResolveTrack" /t REG_DWORD /d "1" /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "Reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoInternetOpenWith" /t REG_DWORD /d "1" /f"
C:\Windows\system32\reg.exe
Reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoInternetOpenWith" /t REG_DWORD /d "1" /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\FileSystem" /v "NtfsMftZoneReservation" /t REG_DWORD /d "1" /f"
C:\Windows\system32\reg.exe
Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\FileSystem" /v "NtfsMftZoneReservation" /t REG_DWORD /d "1" /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\FileSystem" /v "NTFSDisable8dot3NameCreation" /t REG_DWORD /d "1" /f"
C:\Windows\system32\reg.exe
Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\FileSystem" /v "NTFSDisable8dot3NameCreation" /t REG_DWORD /d "1" /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\FileSystem" /v "DontVerifyRandomDrivers" /t REG_DWORD /d "1" /f"
C:\Windows\system32\reg.exe
Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\FileSystem" /v "DontVerifyRandomDrivers" /t REG_DWORD /d "1" /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\FileSystem" /v "NTFSDisableLastAccessUpdate" /t REG_DWORD /d "1" /f"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
C:\Windows\system32\reg.exe
Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\FileSystem" /v "NTFSDisableLastAccessUpdate" /t REG_DWORD /d "1" /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\FileSystem" /v "ContigFileAllocSize" /t REG_DWORD /d "64" /f"
C:\Windows\system32\reg.exe
Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\FileSystem" /v "ContigFileAllocSize" /t REG_DWORD /d "64" /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "Reg.exe add "HKCU\Control Panel\Desktop" /v "AutoEndTasks" /t REG_SZ /d "1" /f"
C:\Windows\system32\reg.exe
Reg.exe add "HKCU\Control Panel\Desktop" /v "AutoEndTasks" /t REG_SZ /d "1" /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "Reg.exe add "HKCU\Control Panel\Desktop" /v "MenuShowDelay" /t REG_SZ /d "0" /f"
C:\Windows\system32\reg.exe
Reg.exe add "HKCU\Control Panel\Desktop" /v "MenuShowDelay" /t REG_SZ /d "0" /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "Reg.exe add "HKCU\Control Panel\Desktop" /v "WaitToKillAppTimeout" /t REG_SZ /d "5000" /f"
C:\Windows\system32\reg.exe
Reg.exe add "HKCU\Control Panel\Desktop" /v "WaitToKillAppTimeout" /t REG_SZ /d "5000" /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "Reg.exe add "HKCU\Control Panel\Desktop" /v "WaitToKillServiceTimeout" /t REG_SZ /d "1000" /f"
C:\Windows\system32\reg.exe
Reg.exe add "HKCU\Control Panel\Desktop" /v "WaitToKillServiceTimeout" /t REG_SZ /d "1000" /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "Reg.exe add "HKCU\Control Panel\Desktop" /v "HungAppTimeout" /t REG_SZ /d "4000" /f"
C:\Windows\system32\reg.exe
Reg.exe add "HKCU\Control Panel\Desktop" /v "HungAppTimeout" /t REG_SZ /d "4000" /f
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "Reg.exe add "HKCU\Control Panel\Desktop" /v "LowLevelHooksTimeout" /t REG_SZ /d "1000" /f"
C:\Windows\system32\reg.exe
Reg.exe add "HKCU\Control Panel\Desktop" /v "LowLevelHooksTimeout" /t REG_SZ /d "1000" /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "Reg.exe add "HKCU\Control Panel\Desktop" /v "ForegroundLockTimeout" /t REG_SZ /d "150000" /f"
C:\Windows\system32\reg.exe
Reg.exe add "HKCU\Control Panel\Desktop" /v "ForegroundLockTimeout" /t REG_SZ /d "150000" /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "Reg.exe add "HKCU\SOFTWARE\Microsoft\Games" /v "FpsAll" /t REG_DWORD /d "1" /f"
C:\Windows\system32\reg.exe
Reg.exe add "HKCU\SOFTWARE\Microsoft\Games" /v "FpsAll" /t REG_DWORD /d "1" /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "Reg.exe add "HKCU\SOFTWARE\Microsoft\Games" /v "GameFluidity" /t REG_DWORD /d "1" /f"
C:\Windows\system32\reg.exe
Reg.exe add "HKCU\SOFTWARE\Microsoft\Games" /v "GameFluidity" /t REG_DWORD /d "1" /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "Reg.exe add "HKCU\SOFTWARE\Microsoft\Games" /v "FpsStatusGames" /t REG_DWORD /d "16" /f"
C:\Windows\system32\reg.exe
Reg.exe add "HKCU\SOFTWARE\Microsoft\Games" /v "FpsStatusGames" /t REG_DWORD /d "16" /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "Reg.exe add "HKCU\SOFTWARE\Microsoft\Games" /v "FpsStatusGamesAll" /t REG_DWORD /d "4" /f"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
C:\Windows\system32\reg.exe
Reg.exe add "HKCU\SOFTWARE\Microsoft\Games" /v "FpsStatusGamesAll" /t REG_DWORD /d "4" /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Games" /v "Affinity" /t REG_DWORD /d "0" /f"
C:\Users\Admin\AppData\Local\Programs\Ultimate Tweaks\Ultimate Tweaks.exe
"C:\Users\Admin\AppData\Local\Programs\Ultimate Tweaks\Ultimate Tweaks.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --user-data-dir="C:\Users\Admin\AppData\Roaming\Ultimate Tweaks" --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAABEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=3396 --field-trial-handle=1740,i,12408626244169980741,16800819234746302788,262144 --enable-features=kWebSQLAccess --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version /prefetch:8
C:\Windows\system32\reg.exe
Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Games" /v "Affinity" /t REG_DWORD /d "0" /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Games" /v "Background Only" /t REG_SZ /d "False" /f"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
C:\Windows\system32\reg.exe
Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Games" /v "Background Only" /t REG_SZ /d "False" /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Games" /v "Clock Rate" /t REG_DWORD /d "10000" /f"
C:\Windows\system32\reg.exe
Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Games" /v "Clock Rate" /t REG_DWORD /d "10000" /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Games" /v "GPU Priority" /t REG_DWORD /d "8" /f"
C:\Windows\system32\reg.exe
Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Games" /v "GPU Priority" /t REG_DWORD /d "8" /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Games" /v "Priority" /t REG_DWORD /d "2" /f"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
C:\Windows\system32\reg.exe
Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Games" /v "Priority" /t REG_DWORD /d "2" /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Games" /v "Scheduling Category" /t REG_SZ /d "High" /f"
C:\Windows\system32\reg.exe
Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Games" /v "Scheduling Category" /t REG_SZ /d "High" /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Games" /v "SFIO Priority" /t REG_SZ /d "High" /f"
C:\Windows\system32\reg.exe
Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Games" /v "SFIO Priority" /t REG_SZ /d "High" /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Games" /v "Latency Sensitive" /t REG_SZ /d "True" /f"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
C:\Windows\system32\reg.exe
Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Games" /v "Latency Sensitive" /t REG_SZ /d "True" /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Low Latency" /v "Affinity" /t REG_DWORD /d "0" /f"
C:\Windows\system32\reg.exe
Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Low Latency" /v "Affinity" /t REG_DWORD /d "0" /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Low Latency" /v "Background Only" /t REG_SZ /d "False" /f"
C:\Windows\system32\reg.exe
Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Low Latency" /v "Background Only" /t REG_SZ /d "False" /f
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Low Latency" /v "Clock Rate" /t REG_DWORD /d "10000" /f"
C:\Windows\system32\reg.exe
Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Low Latency" /v "Clock Rate" /t REG_DWORD /d "10000" /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Low Latency" /v "GPU Priority" /t REG_DWORD /d "8" /f"
C:\Windows\system32\reg.exe
Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Low Latency" /v "GPU Priority" /t REG_DWORD /d "8" /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Low Latency" /v "Priority" /t REG_DWORD /d "2" /f"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
C:\Windows\system32\reg.exe
Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Low Latency" /v "Priority" /t REG_DWORD /d "2" /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Low Latency" /v "Scheduling Category" /t REG_SZ /d "High" /f"
C:\Windows\system32\reg.exe
Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Low Latency" /v "Scheduling Category" /t REG_SZ /d "High" /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Low Latency" /v "SFIO Priority" /t REG_SZ /d "High" /f"
C:\Windows\system32\reg.exe
Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Low Latency" /v "SFIO Priority" /t REG_SZ /d "High" /f
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Low Latency" /v "Latency Sensitive" /t REG_SZ /d "True" /f"
C:\Windows\system32\reg.exe
Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Low Latency" /v "Latency Sensitive" /t REG_SZ /d "True" /f
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "Reg.exe add "HKLM\System\CurrentControlSet\Services\VxD\BIOS" /v "CPUPriority" /t REG_DWORD /d "1" /f"
C:\Windows\system32\reg.exe
Reg.exe add "HKLM\System\CurrentControlSet\Services\VxD\BIOS" /v "CPUPriority" /t REG_DWORD /d "1" /f
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "Reg.exe add "HKLM\System\CurrentControlSet\Services\VxD\BIOS" /v "FastDRAM" /t REG_DWORD /d "1" /f"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
C:\Windows\system32\reg.exe
Reg.exe add "HKLM\System\CurrentControlSet\Services\VxD\BIOS" /v "FastDRAM" /t REG_DWORD /d "1" /f
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "Reg.exe add "HKLM\System\CurrentControlSet\Services\VxD\BIOS" /v "PCIConcur" /t REG_DWORD /d "1" /f"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
C:\Windows\system32\reg.exe
Reg.exe add "HKLM\System\CurrentControlSet\Services\VxD\BIOS" /v "PCIConcur" /t REG_DWORD /d "1" /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "Reg.exe add "HKLM\System\CurrentControlSet\Services\VxD\BIOS" /v "AGPConcur" /t REG_DWORD /d "1" /f"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
C:\Windows\system32\reg.exe
Reg.exe add "HKLM\System\CurrentControlSet\Services\VxD\BIOS" /v "AGPConcur" /t REG_DWORD /d "1" /f
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer" /v "Max Cached Icons" /t REG_SZ /d "2000" /f"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
C:\Windows\system32\reg.exe
Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer" /v "Max Cached Icons" /t REG_SZ /d "2000" /f
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer" /v "AlwaysUnloadDLL" /t REG_DWORD /d "1" /f"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
C:\Windows\system32\reg.exe
Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer" /v "AlwaysUnloadDLL" /t REG_DWORD /d "1" /f
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\AlwaysUnloadDLL" /v "Default" /t REG_DWORD /d "1" /f"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
Network
Files
C:\Users\Admin\AppData\Local\Temp\nss73FB.tmp\System.dll
C:\Users\Admin\AppData\Local\Temp\nss73FB.tmp\UAC.dll
C:\Users\Admin\AppData\Local\Temp\nss73FB.tmp\StdUtils.dll
C:\Users\Admin\AppData\Local\Temp\nss73FB.tmp\nsDialogs.dll
C:\Users\Admin\AppData\Local\Temp\nss73FB.tmp\nsis7z.dll
C:\Users\Admin\AppData\Local\Programs\Ultimate Tweaks\chrome_100_percent.pak
| MD5 | b1bccf31fa5710207026d373edd96161 |
| SHA1 | ae7bb0c083aea838df1d78d61b54fb76c9a1182e |
| SHA256 | 49aff5690cb9b0f54f831351aa0f64416ba180a0c4891a859fa7294e81e9c8e3 |
| SHA512 | 134a13ad86f8bd20a1d2350236269fd39c306389a600556a82025d5e0d5adaab0709d59e9b7ee96e8e2d25b6df49fefea27cdccefe5fba9687abf92a9a941d91 |
C:\Users\Admin\AppData\Local\Temp\nss73FB.tmp\7z-out\chrome_200_percent.pak
| MD5 | e02160c24b8077b36ff06dc05a9df057 |
| SHA1 | fc722e071ce9caf52ad9a463c90fc2319aa6c790 |
| SHA256 | 4d5b51f720f7d3146e131c54a6f75e4e826c61b2ff15c8955f6d6dd15bedf106 |
| SHA512 | 1bf873b89b571974537b685cdb739f8ed148f710f6f24f0f362f8b6bb605996fcfec1501411f2cb2df374d5fdaf6e2daaada8cea68051e3c10a67030ea25929e |
C:\Users\Admin\AppData\Local\Temp\nss73FB.tmp\7z-out\ffmpeg.dll
| MD5 | bf09deeeb497aeddaf6194e695776b8b |
| SHA1 | e7d8719d6d0664b8746581b88eb03a486f588844 |
| SHA256 | 450d5e6a11dc31dc6e1a7af472cd08b7e7a78976b1f0aa1c62055a0a720f5080 |
| SHA512 | 38d3cac922634df85ddfd8d070b38cf4973bba8f37d3246453377f30165cc4377b4e67c4e0bca0ffe3c3fa0e024b23a31ec009e16d0ab3042593b5a6e164669f |
C:\Users\Admin\AppData\Local\Temp\nss73FB.tmp\7z-out\d3dcompiler_47.dll
| MD5 | 2191e768cc2e19009dad20dc999135a3 |
| SHA1 | f49a46ba0e954e657aaed1c9019a53d194272b6a |
| SHA256 | 7353f25dc5cf84d09894e3e0461cef0e56799adbc617fce37620ca67240b547d |
| SHA512 | 5adcb00162f284c16ec78016d301fc11559dd0a781ffbeff822db22efbed168b11d7e5586ea82388e9503b0c7d3740cf2a08e243877f5319202491c8a641c970 |
C:\Users\Admin\AppData\Local\Temp\nss73FB.tmp\7z-out\icudtl.dat
| MD5 | e0f1ad85c0933ecce2e003a2c59ae726 |
| SHA1 | a8539fc5a233558edfa264a34f7af6187c3f0d4f |
| SHA256 | f5170aa2b388d23bebf98784dd488a9bcb741470384a6a9a8d7a2638d768defb |
| SHA512 | 714ed5ae44dfa4812081b8de42401197c235a4fa05206597f4c7b4170dd37e8360cc75d176399b735c9aec200f5b7d5c81c07b9ab58cbca8dc08861c6814fb28 |
C:\Users\Admin\AppData\Local\Temp\nss73FB.tmp\7z-out\libEGL.dll
| MD5 | 3a5cbf0ce848ec30a2f8fe1760564515 |
| SHA1 | 31bf9312cd1beaedaa91766e5cde13406d6ea219 |
| SHA256 | afef052c621f72ba986d917a9e090d23a13f4ab6bc09f158eeb73fd671b94219 |
| SHA512 | bd5713e1d22145b4cc52f4e46b464f443aad6f783a5793268e7d9dca969f27b70e706eecd54cb01be1c94256e6a95864c6b7e50027cef7fa870cdb16820ad602 |
C:\Users\Admin\AppData\Local\Temp\nss73FB.tmp\7z-out\resources.pak
| MD5 | 67bb5e75ceb8ced4c98cf0454933cb45 |
| SHA1 | c2b1c8c8d753318bc5ec18762c27512a5eb9f9cd |
| SHA256 | 5d63acd4034f7771ca346d138d7478014abf1f3f4386d07fc025dbc2c2bc0bff |
| SHA512 | fd213d59ebc625f6f8b20cc8fde1a22132ce827b81deaddb9ca7993fe0d9616de17e089def338d23c4b6bbd7d3a931ee73aa329325eaa17f8145a58fe11d8c38 |
C:\Users\Admin\AppData\Local\Temp\nss73FB.tmp\7z-out\LICENSES.chromium.html
| MD5 | bd0ced1bc275f592b03bafac4b301a93 |
| SHA1 | 68776b7d9139588c71fbc51fe15243c9835acb67 |
| SHA256 | ad35e72893910d6f6ed20f4916457417af05b94ab5204c435c35f66a058d156b |
| SHA512 | 5052ae32dae0705cc29ea170bcc5210b48e4af91d4ecec380cb4a57ce1c56bc1d834fc2d96e2a0f5f640fcac8cafe4a4fdd0542f26ca430d76aa8b9212ba77aa |
C:\Users\Admin\AppData\Local\Temp\nss73FB.tmp\7z-out\LICENSE.electron.txt
| MD5 | 4d42118d35941e0f664dddbd83f633c5 |
| SHA1 | 2b21ec5f20fe961d15f2b58efb1368e66d202e5c |
| SHA256 | 5154e165bd6c2cc0cfbcd8916498c7abab0497923bafcd5cb07673fe8480087d |
| SHA512 | 3ffbba2e4cd689f362378f6b0f6060571f57e228d3755bdd308283be6cbbef8c2e84beb5fcf73e0c3c81cd944d01ee3fcf141733c4d8b3b0162e543e0b9f3e63 |
C:\Users\Admin\AppData\Local\Temp\nss73FB.tmp\7z-out\libGLESv2.dll
| MD5 | c783045e4b7f00c847678d43a77367f7 |
| SHA1 | 7f9192ce0b23ac93561aeec9d9c38daa3136c146 |
| SHA256 | 3a39137dcee6cb6663ae9cca424b6b05cf56c0ad7e32fb72cb94549ea9dbcae8 |
| SHA512 | 64e6d4fc84f1217ceef05a22ad63a6618ffdc470b1faf4ad9e2d7bab59e9285527b9c5fd7ea4be673a08b9466434e3c098e839bf6955597e3d8aa0e80589f4a3 |
C:\Users\Admin\AppData\Local\Temp\nss73FB.tmp\7z-out\snapshot_blob.bin
| MD5 | cadef56f5fb216b1fbf7ada1f894ea6d |
| SHA1 | 373d2a4266be5c8fbf61d4363ec47ddeb2d79253 |
| SHA256 | 0976145cc8c02f3e64ddbf51dc983bdbb456be7fcf3ce54608e218981671ac12 |
| SHA512 | 9c90e8943f9ef6d644fe0fbe55ab25ed371739d17da8cf973893a2e41ebfa0a92bcf1761e72da032f9f3d1c6f1080c62f856aa07a3cbb609c9e8c186f92216b6 |
C:\Users\Admin\AppData\Local\Temp\nss73FB.tmp\7z-out\v8_context_snapshot.bin
| MD5 | 81870fb2f641c8b845e9c6d1a632f0b7 |
| SHA1 | fcd47d8d1232c189a1c4087bb03a015ce14c25ba |
| SHA256 | 875515af4e7254458c17a98bed087fc609d45fbc8ebf60663e112c37204f6840 |
| SHA512 | 7748c8fb6f356aa45023a56245c43c5171d0413617fb1ac6c75650be75bbe94bd5528e9aa83cd9df9a08af65540a76ab59bc866e5dcf0fa7284122f290bd45d3 |
C:\Users\Admin\AppData\Local\Temp\nss73FB.tmp\7z-out\vk_swiftshader.dll
| MD5 | 0a071201e4dd76996e273c81533bfa74 |
| SHA1 | 5c92c634027692c344a8e74eab8b4d5c3e049497 |
| SHA256 | 08e34bc25653f9357a4ccf62966d698b7cc6265dc668046a28403ae5786132ee |
| SHA512 | b5de6548c5c743b6f119183fa06aaf67dcd4cdbc3542378ff87916b670ace1e2f4270f6dcaa4caabd01460c638bd02b565267e7bd9617ca92d72187d374bb7d6 |
C:\Users\Admin\AppData\Local\Temp\nss73FB.tmp\7z-out\vulkan-1.dll
| MD5 | a6588e66186ccf486eede8e9223f0d41 |
| SHA1 | 777a5c4028c7675ee1fc4e265a825b35d5099577 |
| SHA256 | 419488597ea255ec61f028aeecd36572d072dfe49b7ab716cd2c0a8e186f24e6 |
| SHA512 | ba8b9577f47ac5b9503aab8d4cca6059c7208bf0eb37999f4fbef0c2cf03032a9359559a0221f332c6cd66c38366fb0e1f1d32173f282afd639fabea8fc9400e |
C:\Users\Admin\AppData\Local\Temp\nss73FB.tmp\7z-out\vk_swiftshader_icd.json
| MD5 | 8642dd3a87e2de6e991fae08458e302b |
| SHA1 | 9c06735c31cec00600fd763a92f8112d085bd12a |
| SHA256 | 32d83ff113fef532a9f97e0d2831f8656628ab1c99e9060f0332b1532839afd9 |
| SHA512 | f5d37d1b45b006161e4cefeebba1e33af879a3a51d16ee3ff8c3968c0c36bbafae379bf9124c13310b77774c9cbb4fa53114e83f5b48b5314132736e5bb4496f |
C:\Users\Admin\AppData\Local\Temp\nss73FB.tmp\7z-out\locales\af.pak
| MD5 | 9554e414159d76754147d7e185056094 |
| SHA1 | e0fb0c95cef8e8d1ebeb11a6e2ea03b9067d799e |
| SHA256 | f402c0d8494c9a2fceedcd7845ddf43b62e7d01ddb1d9c8e132efea83b724824 |
| SHA512 | 9e8b41f69605d7bd426243e49b0f22347b211f7d13038ee6350d86d06cc7274bb2ef1918e27548802a5437903a653d86fce85338fa97f8c9642c0e74ed59ae88 |
C:\Users\Admin\AppData\Local\Temp\nss73FB.tmp\7z-out\locales\am.pak
| MD5 | 92ffe73f193d41c5a90303955b2da67f |
| SHA1 | 1d4136d8bb752da2834ebf0f4f62de56efefd78f |
| SHA256 | 325dd137903fc0d9e5010a62a314d9c6984ff82afbdff2254f7c48bd03dda06a |
| SHA512 | 6c4f0aac10276ab84ec4e63ec9ad0e20a1b3ce9d2368ec966cc6471600c3d28df8f9e501b4843bafa5bcf2aab57242559ba430d58853180ea653afbc8f468e67 |
C:\Users\Admin\AppData\Local\Temp\nss73FB.tmp\7z-out\locales\bg.pak
| MD5 | c80a2008d9f61c182430a728a6e059af |
| SHA1 | 2f2aa33573156d9939e3fc81f8d81de4aac21e61 |
| SHA256 | 5947f567ce1f4ab945dc6dab1599422d412f4417b9097905150d669122e43f7d |
| SHA512 | 016ce835b6bac4d5b38d72c0b3adf4d6b4e0ac04677d70c53e5938acd28b12220d2878bca7875471d008b779ea6ab4972a9875b44304e867d0bb5e4318c0edc3 |
C:\Users\Admin\AppData\Local\Temp\nss73FB.tmp\7z-out\locales\ar.pak
| MD5 | 7608398c66cd0b55396f7250b3c8747c |
| SHA1 | 7e8417dfc7055fb9ecbe7cfc97a8aba0bd5a0e13 |
| SHA256 | 3bb407fa588fb801ab241e8dda018461b54010a38648c3acc1e3550c0dfbd75a |
| SHA512 | 5dd757e4f114782eab9ab8cadbfe3179ded594285b3d0f7f6fa5ca50d80d866e7c8ff6a1f44deba8bdf09c04106de635c1da22597c008023b1fdf1cc747b6f1c |
C:\Users\Admin\AppData\Local\Temp\nss73FB.tmp\7z-out\locales\bn.pak
| MD5 | d179d38e8b9f7e60a943e2fc9f9471ad |
| SHA1 | 8d109081959d194c82b89fb25a514a65233435a7 |
| SHA256 | a45279ccc13390e0d93cfe1e33a7f276a5d9e97f6aefa6b6e14ecc4289703bda |
| SHA512 | fa6f3e45f40e1e48f191e4a65f5d15dabd7058af4537eea3e34998dc67dd250b00e52d1f07b10a73a67a15aada4523e50f40160d98a5f37ef4684a30ff338468 |
C:\Users\Admin\AppData\Local\Temp\nss73FB.tmp\7z-out\locales\ca.pak
| MD5 | bd846046383d64073da6eb192f5cddb1 |
| SHA1 | 6dd4bfb982101ecafc14eb35834caa1fe5b1e3f5 |
| SHA256 | 1dca9a7fcd850aecd48288999b436ff7e70cd4a96f47b40319759a800fb8eefa |
| SHA512 | 521ddf6e8fb444b911212501825392562af14cfb5b31a80707fdeffb13c8afb04852b0e3f7e3363a1c3a37c5c35bb1cbe84b458e14e30b5e8d8cb00a6a349ce0 |
C:\Users\Admin\AppData\Local\Temp\nss73FB.tmp\7z-out\locales\cs.pak
| MD5 | 926b4d7f540ce0b1912e5fb6383dabb7 |
| SHA1 | a7adbc83ef38092a90d964d61359a6caa1253090 |
| SHA256 | 2964edcdcb27b2edf73515615501d8af28ad94b5dd31d2794f2624808c74de38 |
| SHA512 | bf6160e46eebf16d6b6f05d330068fa226118457ff03277b59ed4e1a6d2d28b212155cae2f48c34adfa81d20ff71e4206f25052257559f4768323b342dd16278 |
C:\Users\Admin\AppData\Local\Temp\nss73FB.tmp\7z-out\locales\da.pak
| MD5 | c54edb2260d2b907049cdd4772d5313b |
| SHA1 | a12f623e6310b667a9c38b4c9143920d08564377 |
| SHA256 | 318a9ec9e9fbe35d5d8cb9b719ecfbe1ecba9d8f246876c949c082107b439ddb |
| SHA512 | 4eef045080fecaf55bf2cca7d72d039b7d7a7b28021b649becee320a3a8c0753f4e0e5f869a188813e746bad05fd08c726b5c25f40ef9555967fafd93f7f6989 |
C:\Users\Admin\AppData\Local\Temp\nss73FB.tmp\7z-out\locales\el.pak
| MD5 | 35ba1b364ecfff6486daed2a33cc6431 |
| SHA1 | b894b392d400fde4d35bc3b4edc130853cda340b |
| SHA256 | c0434492be64b08f9ad00bc7cff65314822406dfb0c591fea0df6af9b6fc89c5 |
| SHA512 | 5f5d2cf1d5c8158c62fe310338bfb1c9683ea2f43726c9f02fe6d2c29482e3211fd3d61a30dc0cf738549dc7047dfce0dbac36b9d22dfffb558f118fdbb3d856 |
C:\Users\Admin\AppData\Local\Temp\nss73FB.tmp\7z-out\locales\es-419.pak
| MD5 | 763f8c8ce092a3d64bbebddf4169e108 |
| SHA1 | 89f2834c1b4e3f84870af29650bda6fe360350f5 |
| SHA256 | 0c816f00b15d59809d30b6611aa455ea1bf8b022d2f887137f1c9d7a5600d5d9 |
| SHA512 | 8401cec52e80a5136543473b317f0e2d920008c83b9667605cd0deb9fa5f933deeda0aa475b436520001c6a7c91118a4d9b11e28a9f4b31271662780e678dc06 |
C:\Users\Admin\AppData\Local\Temp\nss73FB.tmp\7z-out\locales\fi.pak
| MD5 | 3acdfec7edd4d3eb473f0deb32713c14 |
| SHA1 | 41fdd4af5f9fa78f4f81d3996ecafd69587f05ef |
| SHA256 | 4bf099ac8a76449bf597caf005790f5c02efd533b9a329c5fdc460d38f77607e |
| SHA512 | b167caf1e5ff38b0c80f891715866a7754e9bf3f1479aa1faa3cf3e8ae7fe9b71a87109239750f71855330b6d20704b43e814f188672aa52a5dc6912297f1997 |
C:\Users\Admin\AppData\Local\Temp\nss73FB.tmp\7z-out\locales\id.pak
| MD5 | 260d34aaada70c9d491bfbedcf5ca8d1 |
| SHA1 | 5fa83a3e53e6aa9eede9fa34a84eb55ee8493314 |
| SHA256 | 64a8a25717ffae1855114d84b02223ad5b3963c1c6a21c826636146726d0a8a2 |
| SHA512 | a19ec6fae22689a8f851c1a782eb748ee9f38dfad89f05291c01a6070b24a8a02fac4bb4a441421f411966e8bc08e996900871d498efa307ac1793191710ebd2 |
C:\Users\Admin\AppData\Local\Temp\nss73FB.tmp\7z-out\locales\mr.pak
| MD5 | fcaca3a4264563461b42b16d8fde4b02 |
| SHA1 | af37d4e73588d4a6d3d52f2dba67414393c9b168 |
| SHA256 | 362df1aa112a0a521617c0496087b3547a242eb79a5416b8414c5798f31e187d |
| SHA512 | 9114dc4e7da2affdcee5c86b1f1f78e47279c31d0f76c8deb1eac545e0268b9592463bbe1a4b433ff4fcab1ad4a596655b775608515bf7455fda550d3bf47b8a |
C:\Users\Admin\AppData\Local\Temp\nss73FB.tmp\7z-out\locales\ml.pak
| MD5 | 70c0c80fdfc006be0ff502e0e6115b2b |
| SHA1 | 43f96be4652ecbd22677b18ffe2260b79bcca19c |
| SHA256 | 878e268428ec7aa51105c921740931c545d4ba6a274b367c52675c90741d23bf |
| SHA512 | c463c5d91b3cae6b2c70ef6b7e3758bacecbe76088d813e2632bde7939c1fb28bad3cccf914a14861b8611a490ea74ef2d8d10e7336b203d12cee9904e8f9423 |
C:\Users\Admin\AppData\Local\Temp\nss73FB.tmp\7z-out\locales\lv.pak
| MD5 | 07405dc51eddde72e367737c093c20db |
| SHA1 | c66b8eccf167060c43b3c53631fc0c95b3afe05d |
| SHA256 | dbc860a35ad08e4f502b8784ca1548110d3c7334478f6c392db42f52cb3074f2 |
| SHA512 | 98f276fc137d6592cdbc1c804dd59983e290409bf7908137627ab114ab485e332f568d28c60a35d1dcb3d9753c2d1740065c654396af5f56f0dd5e1dfcffcf71 |
C:\Users\Admin\AppData\Local\Temp\nss73FB.tmp\7z-out\locales\sv.pak
| MD5 | eb39645ebed4f980ab12585feae2f4b5 |
| SHA1 | fc7c471b93f59bef13f7bb4669e683385a8b9dec |
| SHA256 | ca34ee1c147358b5e32b5829acc0c355708925dc8df91c21d8e495c7485fa5c7 |
| SHA512 | 5fb25d7dfca3483967a5262d2c62b5d37a192f5a7a19dcf6722a9a8753e299e567bf7f26171859c374c8d035bb521fb4eddc4821aebf9ceea1253c63e1595c60 |
C:\Users\Admin\AppData\Local\Temp\nss73FB.tmp\7z-out\locales\zh-TW.pak
| MD5 | 337bba163068f2dd7ff107ea929c8473 |
| SHA1 | 536ec5756f229696dd6f875180778afcee1966fb |
| SHA256 | 58753d4313ed7f548df16a9cd9aa1f0e30cebee675a76b8359ed23fc95825574 |
| SHA512 | 000b98249d7b0e4c7e463bafdf827e3dc5afac447750320d6344c984f4ad41cab5795861920525f03dcaeea5aa3615684101b08bbc103d3ba01065676c8bd64f |
C:\Users\Admin\AppData\Local\Temp\nss73FB.tmp\7z-out\resources\elevate.exe
| MD5 | 792b92c8ad13c46f27c7ced0810694df |
| SHA1 | d8d449b92de20a57df722df46435ba4553ecc802 |
| SHA256 | 9b1fbf0c11c520ae714af8aa9af12cfd48503eedecd7398d8992ee94d1b4dc37 |
| SHA512 | 6c247254dc18ed81213a978cce2e321d6692848c64307097d2c43432a42f4f4f6d3cf22fb92610dfa8b7b16a5f1d94e9017cf64f88f2d08e79c0fe71a9121e40 |
C:\Users\Admin\AppData\Local\Temp\nss73FB.tmp\7z-out\resources\app.asar
| MD5 | 8bcbb3a116b0035d6a5621f6ce6d4ba9 |
| SHA1 | 0f974db0d87af4aff602a410e7f09e6821f30ce7 |
| SHA256 | f975415a103c1faa4c7aac4f31868c0e408a24615bcac355e3f7640046df995c |
| SHA512 | 463fbc355f8fb4268417acc0e82d7774894fb076fdce5f6e3b59a7353f8af369e4215cc3722b34cb1936ca849173912d05e2cfb01a3146b1467239dd2a424c8c |
C:\Users\Admin\AppData\Local\Temp\nss73FB.tmp\7z-out\resources\app-update.yml
| MD5 | b0e31c54422860c9390a2e456d8f4624 |
| SHA1 | 1b73cc7e00cbcae94a3ed921fbd055a393dedc0c |
| SHA256 | 897dac554968a2c49044a5e601cfcaf7c24d41599a58c03e91c62bd664b60ecf |
| SHA512 | 561cff0a281e073b0b2e3bc139a18b44ee1e2ab147d99ff007d5deae48c0c4c847bee4e14ad2e36abb27f7d9240f95aee7fcc9987246c717ba48666f550cc121 |
C:\Users\Admin\AppData\Local\Temp\nss73FB.tmp\7z-out\locales\zh-CN.pak
| MD5 | 156894db535f0fbe193d66c0afb4b112 |
| SHA1 | e347caa3c41ea7461c217c029dbca54567fbe27c |
| SHA256 | cc5a411d3bf0ddfba9e5041dfeeaed70265ba949f7b7ccba0170b88e3e14ceb0 |
| SHA512 | e81a0968598536e91c17a1998682cb5fff42bd3199c41b64e2d76827c96b187e8f86182843c061735dad2b7cd5e32750e473c1a5f9c82bcc0dcc30f1bdb8b806 |
C:\Users\Admin\AppData\Local\Temp\nss73FB.tmp\7z-out\locales\vi.pak
| MD5 | 593d33203c539d027c5b5bcc13bb38c9 |
| SHA1 | 2f6288bc43ddf31e49a733af97e3e9e2fb8a2940 |
| SHA256 | d435c4c7154c24982185842a09cacd343cea77a5eb7fb859c4d38973cf240a42 |
| SHA512 | 7c41c74f7220270da242562b93db8db053c0a7b08fdc1864d063706caccbc6926f288ae6bff1de43af656af67fcf2d8ad57f53d791bbc47a3b29a6a0856a68e5 |
C:\Users\Admin\AppData\Local\Temp\nss73FB.tmp\7z-out\locales\ur.pak
| MD5 | 305d39b5de5a1935d786da4bfc736dc5 |
| SHA1 | 8dd952fea4dae937b9f87d229638cd22ca197a8c |
| SHA256 | b551a93a300ab78ee6da5087ea417584c4fd3941fbac99c84c9c58be2c88a7e8 |
| SHA512 | d75ef12a56c2dbde5c7a1967297270f7d717a366776f6b2a316784f033c71fcb9d25dabc857398e8459d8ac40aae1bae59e82f551e00e9b96bfbea00a54fcde5 |
C:\Users\Admin\AppData\Local\Temp\nss73FB.tmp\7z-out\locales\uk.pak
| MD5 | 7f8d31b43f7319164bc0f6453bbaf007 |
| SHA1 | 4be254da0ccb13040489403cc2d8015f448292da |
| SHA256 | e33b1a611feca93d105dee7c867521b5fbf27da38532ea3ca0aec61bec7f6108 |
| SHA512 | 9569bd24aa5d2f9b0a13784f5f3d98e636f72177c7ff7a14c7d390f1d5f0b39ffab512276f70e4d2df0d37fba94a2c2322a840ba303a4cde33ccb20f7980395f |
C:\Users\Admin\AppData\Local\Temp\nss73FB.tmp\7z-out\locales\tr.pak
| MD5 | 4727af70df9094888ba46f3a62eff264 |
| SHA1 | d2ead301efab607d040c69c238a06d3b4d080717 |
| SHA256 | 026fc65ed90fe356ce2b5e2b459a4487512d89e48f0ff8b044d6739ef51c1658 |
| SHA512 | 5bb8dd6ad100581a7e0cb87b57e054ab23551c263144f7ffebf729b2280a1bd95e92eba9c64b80e2f77ce59c3c4315ba2b5253ac83dbb540828e7a59a70e74ac |
C:\Users\Admin\AppData\Local\Temp\nss73FB.tmp\7z-out\locales\th.pak
| MD5 | 7512a162ea0b65dd9477ac8c190136b9 |
| SHA1 | ae5fbce9516882a0d58da9ebee3c767c7ba4c305 |
| SHA256 | d01ecd4edecf1809d5c2133366df2502a4621e88d894817e80b913f3a0926fa4 |
| SHA512 | 425fd803cd3ed9589df5d04bb8ca4b62af0e573301d31c48a1a05bf3b707a0672e1a033965946223e5873a98eb3c9d52bcdcc1296a08cb4971d0b1b6d2e95eb7 |
C:\Users\Admin\AppData\Local\Temp\nss73FB.tmp\7z-out\locales\te.pak
| MD5 | 1f20952c1a61fa6e42a7f055de8986ea |
| SHA1 | 301ec89ca80695865d884927c4c07c6777fb321e |
| SHA256 | caeba6c853a0ee12a802fb9f610a95c676071414c1d8407d18b05f2fe8ce6bb7 |
| SHA512 | c43f5316dff21cd08f86e0d3d7c407449cdc751ff466683dff9a51e3a07bda203e8e22064bf240726e6e389b661d6dc2bf5ed5dc42750539990379e513228d53 |
C:\Users\Admin\AppData\Local\Temp\nss73FB.tmp\7z-out\locales\ta.pak
| MD5 | 474a2016df48f886e91fb9fd331d9bf9 |
| SHA1 | 2548525143292d7d150f5014b44ef294ba7c4189 |
| SHA256 | 75638ac7fdb226c0840d5c2edf763bae35afa1f47e89199d9724ff46c003a2c2 |
| SHA512 | a4c2c2c046420c77948a0479cbd2be3aa11c1b347eb508d020231eece5cf0c2cba8d4f6a0e9f875dece4a16413157fd9e9f1cf09e1746335eb11e8f8590cd013 |
C:\Users\Admin\AppData\Local\Temp\nss73FB.tmp\7z-out\locales\sw.pak
| MD5 | e2958cf2ab6cc74551c8360e6cc34333 |
| SHA1 | 806aa1129f228ee48744cfa55d061149b37522b0 |
| SHA256 | 51482431411be2d89bfc026b9acf9ce1a0fb971376468a47829a15392b47178a |
| SHA512 | 1f5f306b7233279800d18fa461f4c94ecad809b2bb7c292fce16abcac2e963f7567a86e43a3c950fc86bc73b4fef8451389fc57ac6750fe7546afad8ae00f589 |
C:\Users\Admin\AppData\Local\Temp\nss73FB.tmp\7z-out\locales\sr.pak
| MD5 | 02bdb4d99bd466eed5fed3445560d52d |
| SHA1 | c24e1895145b3066840be0d349f5e866e46e2a39 |
| SHA256 | ac09005a83d4ac8f61855c7e301e48a753d2f3558a04cdb94f23b539e2086e54 |
| SHA512 | fac7bcefe31f41b6e37f215f271b33ab21dad281c1b0bdaf28769c99e31bccca625f213fcfd7c0047b3e2104a8f51b2ebc5fb374b32f58ae22c4130e315aee1e |
C:\Users\Admin\AppData\Local\Temp\nss73FB.tmp\7z-out\locales\sl.pak
| MD5 | 299acf51d74b95ae4272730c437763aa |
| SHA1 | 8a0ff73f37d830b6677e514371a5825631aa455d |
| SHA256 | 26e29cd70c4143d7e9fb65e86e02c9173997f2fc062633a5edb2b7df55942157 |
| SHA512 | d7d298a4eb476a3cd4411261058f6f9409d0dddb3756cdc1e27e64280efc8b84fe40afbd92c754d56f58ea333623b0481766320b5969f5dd71f0c2a93be8ff77 |
C:\Users\Admin\AppData\Local\Temp\nss73FB.tmp\7z-out\locales\sk.pak
| MD5 | e9bb6352cdd0f1c2fdd543a48ba076fe |
| SHA1 | 50053620d7be5566bb3ee588feda1a4daa207672 |
| SHA256 | 441155d63257beaac9e2998afa1a9e65957286ed1cd9e0670072a63e24ff3f8b |
| SHA512 | c1f87c7976159c8ff3e28185adcabf93d47ace0dc9b95fbaa4d1e5ed9ea8257263276880486a4c17a68a5869e6ec640eaf81f5ae6c4481e351e73e7b4dd9dd9e |
C:\Users\Admin\AppData\Local\Temp\nss73FB.tmp\7z-out\locales\ru.pak
| MD5 | a0072d84d1bcb2fa7bbe7ae4e06151ba |
| SHA1 | b9227c6cd4ff9f6db6a8edf694c444beccd369f6 |
| SHA256 | 8c169d6995d97feae8b8ec947be27697ca0ff731b593fff36163e4f31969a6fd |
| SHA512 | fad335e81a24427f2b0a2853733da94c9839139a7982796bf742eacba306ecd9998914bcac49b925d5bb18953091a4dcc62ea6a628fff125c086099cfd33e3b5 |
C:\Users\Admin\AppData\Local\Temp\nss73FB.tmp\7z-out\locales\ro.pak
| MD5 | 36f8327b36f2c6c003f864895968af2f |
| SHA1 | 248d88aa9fe46cbcd013ea7d7270f8483215c073 |
| SHA256 | 6343589863bdd2ae81ec9c33e335048fd8792d2c2e8872f91f7a325a1f0d97ac |
| SHA512 | bb03b5af3ddf676dadb35d5b94f40ae1c95cba2e7175c87d128c319e0055dd91f412883daace89fa33a17b9761f1cd7bccdf261b16ffadd6e10da594445c2c8d |
C:\Users\Admin\AppData\Local\Temp\nss73FB.tmp\7z-out\locales\pt-PT.pak
| MD5 | 4aa908b531adedb0ee795704ab72e248 |
| SHA1 | 2ea9f4a7e561e70b06b675b3fe35ccb0f2a12fca |
| SHA256 | 72ca754dcb34c54b72087ab7fd5a4a3fa03e09cd1ced906d99d6525c7a19ee9c |
| SHA512 | 7d4a1add737136acfc7ed7848b0ee54646d5c8aa3a54addd7cf0340ebf42b58f6ce2eff56a2ba94125475e7b64989d06fedfc8b1ee41ece63b18b1f95686ad08 |
C:\Users\Admin\AppData\Local\Temp\nss73FB.tmp\7z-out\locales\pt-BR.pak
| MD5 | f18cae95b8bb6760d370b435235c5629 |
| SHA1 | eb62bc4249ea8e5688c67aa65bfa2b628fd5e1d8 |
| SHA256 | 952234ef1d2792204f4e65cc814e9fc6dc007610668ceffb980c74fc0167ba0b |
| SHA512 | 218e9e4e59c875fe7931f16e6df877f67b8466a5e8a5565a1cab0f091b40b0652eefcf205536f5f4b8697966aa201092c26249142dcd8b40e055529e23ef7819 |
C:\Users\Admin\AppData\Local\Temp\nss73FB.tmp\7z-out\locales\pl.pak
| MD5 | ab94060826404cc09d5fed31f63cec05 |
| SHA1 | 20d1cea9d2e60b9bbd4fddb38a652856a3561008 |
| SHA256 | 03258ecf731487231cc7eab8f6cb96e92b7ede4cc5b63c3def6ba08e0f16da10 |
| SHA512 | a9ec28912bdd2b8b1e1b3fc4d5c76139253ee4ada8f0d562ecd611d7366b0cdc97c379c5ae93c9db69eb045d8834cd0e1e0ba84813ac0071b5a2bf6cea81173e |
C:\Users\Admin\AppData\Local\Temp\nss73FB.tmp\7z-out\locales\nl.pak
| MD5 | 9229e4ded3219c948747a4dc9a6a5e32 |
| SHA1 | 9147b2f2ac3837588aa3b71eb4a255d29cab0e74 |
| SHA256 | d88b02d74e01b9350d3ac9c48fe08333ca9c68e3e3824d64fae86c5b8b531feb |
| SHA512 | 8a81cefd9fa718b18de87555cb2d5c8e87ed14921fd3a0247b47988a1f3896d63b16dbf86fbf103097c73181473c37393c0f4e9e0a07d95d847aebcad526e8e8 |
C:\Users\Admin\AppData\Local\Temp\nss73FB.tmp\7z-out\locales\nb.pak
| MD5 | c2c49ebaebc448cfeb7933ce2cbd6ca6 |
| SHA1 | c3efca0fee40a3daf7d69768d7659de60b3e2c4f |
| SHA256 | 67d997fff8a24eaa030eadede7f5345fff5e954e96bc8f36d399839bed998774 |
| SHA512 | c500bc1097ed9077742c5708bd55dc4215c45f751522131b8203d7ae802d278ffc3a9ef607325bbea5b650d594dde0d74e7fa4502e1a0f905534c32fa1521bba |
C:\Users\Admin\AppData\Local\Temp\nss73FB.tmp\7z-out\locales\ms.pak
| MD5 | 578dcc1aef901d00a57f2698a6e15826 |
| SHA1 | 4dca370c3b22f9f54a62d31166a84848336a8fea |
| SHA256 | e5e77421c5fca5b1eaef96fbf33c345c63119015986163cb43d65075df6265d0 |
| SHA512 | 073aecedf4132faef7e896e6840bb6297e866a06fd65a7490f0a61179013f27b6592a4fb2be91cb5e139c77f6db7695bf60e5788154e51c9ab7889f6e7040a33 |
C:\Users\Admin\AppData\Local\Temp\nss73FB.tmp\7z-out\locales\lt.pak
| MD5 | 93a0a8181e8c251a2375645a552293d6 |
| SHA1 | 57faf2e9f965a49d5294cf9759b9b50d87c2ad1d |
| SHA256 | f87b2baacdde69b2b24dc7859d47bad0844cf4d275072812aaf4eedb10318450 |
| SHA512 | 51e1ff74442cfd51fd2fe218755335ed99e4850c8266425b8d55aa0abde2712ab765ff909d6ee620268ade9d7b51a93be659d6a52143da2abf4ec309bbe9f2fc |
C:\Users\Admin\AppData\Local\Temp\nss73FB.tmp\7z-out\locales\ko.pak
| MD5 | c21dde26f43530135ef37323b00dc1fd |
| SHA1 | a118e9713b155bd2999f04c3075f2e1bb05bffaa |
| SHA256 | ff88b56be0614232947bfb07e6beb88327a18ebec98cece17caa9b7cd8e6dd24 |
| SHA512 | 0db144f03992c41c3703719e985183a6ec988265e5a629d09bf683d9b208656d605565d6b5597cead909c814f25ce200739e65b1327172afe10d395a5018206c |
C:\Users\Admin\AppData\Local\Temp\nss73FB.tmp\7z-out\locales\kn.pak
| MD5 | a4cce1cfe646eb2c268493603dcb358b |
| SHA1 | aa19ee1cdf8776d07bf35614ff063aed5a798ef8 |
| SHA256 | 01250aec7310bb59e0e847382325f940ea2cdab00369c1c7efe2f340d01ff806 |
| SHA512 | cecb7794a288e879324e74e7522bee61a43072ab58a289b686f1d48d98fe9a0d29a5505b8c891fe411b823c3d8366d6c1cffbcc1deffa6c7d3a04339a769dbc7 |
C:\Users\Admin\AppData\Local\Temp\nss73FB.tmp\7z-out\locales\ja.pak
| MD5 | d84e12cecf6e4355933ed68816f090f6 |
| SHA1 | eb35ef52f341442dd887d43a52af7f02926d5288 |
| SHA256 | 8de18410e38f4036367113bd4ed253a4957709d87e0aeb11134742bc89e16d62 |
| SHA512 | 9dbe703493acb7b48ee1dbc4458ce0b9d757419e3fbf01379bc8dcbd22cc30a99348f7cb96840c19e873d6d97bb4d1a3baa4fcd6e0d332480273020a6e13a375 |
C:\Users\Admin\AppData\Local\Temp\nss73FB.tmp\7z-out\locales\it.pak
| MD5 | cfb2ddc4caafd038db00c1e7378d316e |
| SHA1 | 2573f32a41735efde916f0a73b415ca689c0dd36 |
| SHA256 | 9395bf9a547561df6cd20d8e076452369cb72184f215448d1acd802dccf3a47d |
| SHA512 | 8a02ca980a8de8af8b179d610ff25557f81f67bfb5a9f82511641ec87b378a2ab7214d5ec681797acba1a865bd726cb9c5f609647ae6ee71a393b7e16fc06f8e |
C:\Users\Admin\AppData\Local\Temp\nss73FB.tmp\7z-out\locales\hu.pak
| MD5 | f55e37076460b2e8b5ed0f414618d256 |
| SHA1 | b313287de6197f1bf9f9770e3d2c99e70c4d8179 |
| SHA256 | 61854ab102bc57a7ad7b85a4fa008c3f071306838ba1a0491f68c19153decd49 |
| SHA512 | e8121a064a3209878f24c33e9c20c810c56aa15476909de1ce076c80ef635e69a60ac655b7714a116951de5b99bb690827edafddcd5e6b00ee6310807d78ce58 |
C:\Users\Admin\AppData\Local\Temp\nss73FB.tmp\7z-out\locales\hr.pak
| MD5 | 2f7462a076c14f2c2733a41dcc5ecf1b |
| SHA1 | c453dbf62d1cfe85adb64ae374b6a79cff2ef97f |
| SHA256 | 6dcc7d5d771475874471b78ee84db0230341f8634f4b38a9cb90c37226d70b00 |
| SHA512 | f1df750b779c908547a38b49bae0ed8734fe37cd96d3502186926e6cbd657c248c528cf9944353dfd26695ab384f17f22f0bec251e65a20906da4d67852cc516 |
C:\Users\Admin\AppData\Local\Temp\nss73FB.tmp\7z-out\locales\hi.pak
| MD5 | 6d3ce5a6049eda31ecbc55a9d3abb163 |
| SHA1 | 100afed265c77a20f6636a0ab48c8a723e30b087 |
| SHA256 | 8dae029a489f1bd7530650a9cb1be1f03741e1d7018503feb3c78759da8af531 |
| SHA512 | 3668952ea707da9ee8fd3753c04d5dfbed97685b76dcc75dcf8d6a3699a832c3ff0db9cd40810f6ea9364f2b7aff4b1cd68980c74b59808fcb4900a36d933bba |
C:\Users\Admin\AppData\Local\Temp\nss73FB.tmp\7z-out\locales\he.pak
| MD5 | c47322869b458a1cd231f3dc385f80fb |
| SHA1 | 4155444dcb69c5b64711139cadb32a6df95ce3ae |
| SHA256 | 9e5544340da0e0aa28298e68765716a3960a28e50d86146b5324fd70fd756b41 |
| SHA512 | ca4664a9acbdd5896c6a0921e09d99f1a7ce3d7a80338c1a4310ad499a5a2cbb60ca074a02fcff128789da0a4cf82d3869f83836ae3ae3171085e58d6155fb73 |
C:\Users\Admin\AppData\Local\Temp\nss73FB.tmp\7z-out\locales\gu.pak
| MD5 | ba34657d3f5ebe61b36a807c4a053d72 |
| SHA1 | 163875c4ef39e3473d9d5aec4b6273f34a90a02d |
| SHA256 | 8c762963cca8eef2cbd39bd7bcd8b809f3b57a75353e687743894add9c19440f |
| SHA512 | cb1c4adc59c3e99f819645ae84e3e6b601b340e05ae2182c0b1568bbbcd3eabf7bf09ef34e5d0757530997d0734dc52dd744b8b0edbb3702a3c06e29ba7f0c4e |
C:\Users\Admin\AppData\Local\Temp\nss73FB.tmp\7z-out\locales\fr.pak
| MD5 | 6708a286a0529ba7bed9840d53035be8 |
| SHA1 | af289ed518d9d90c75b69a870615e3f475c5d0e4 |
| SHA256 | 7169684ff44f342b98648839b8963916f7323115dead332c2471baed6264b80e |
| SHA512 | b329798fd85eac1505d0af5cb827ba11a5850eb926be39b414c40b5fdb56432db5f3dbc45237510bd4d1174c1cd62f623c6cc8ab10eb0ca51dea5d5487f0b0fd |
C:\Users\Admin\AppData\Local\Temp\nss73FB.tmp\7z-out\locales\fil.pak
| MD5 | 89a63085d14b1b80f259e166e6ffe56d |
| SHA1 | d1326c879a6ad203489226f7c5be08c897be71ac |
| SHA256 | 00b8cfe6131499a8a67a51dd8560a965a2abb863d52635dd3931df0479c3f5ee |
| SHA512 | ab48fc4bc604648b4cc010a530fbcc5138b9d0a0f09398d2a69b6219799a43a052722c47dba96c9d001b4f6ddd491683c0a871c19ac2abc12843e68f9d4c2cf4 |
C:\Users\Admin\AppData\Local\Temp\nss73FB.tmp\7z-out\locales\fa.pak
| MD5 | 04f629bc5fa6d761f1d7b5dc28a6b97e |
| SHA1 | d80f74a2b6508bae49b8344809062b48dc2b2dc5 |
| SHA256 | 9b5334e4883a716c5616c859889aacd7b179b30ac65e5657198eb4e877700f81 |
| SHA512 | ea412096170ae29b33f3d54f17fb9f2f5a41035df56e2af9596ec7c15422277943c5c651df6b3a232aca4e979946732bec496da03b3e47e0d4629675751a4c67 |
C:\Users\Admin\AppData\Local\Temp\nss73FB.tmp\7z-out\locales\et.pak
| MD5 | 97918bb7b36900705b1a53b7851db6b3 |
| SHA1 | f8cca656478c6e15baa8f344dda2704087f54776 |
| SHA256 | 8021814965878c4913d1f9f9d226da49cc2a37746d976f3b84aad7fe096fd14f |
| SHA512 | 6daa8f56c231cfd7dfc17bb5d5c56afca9490f953f22c92365a1f88e995c3a1705de98a725177001bb449070c860fd1c843ee0a499c6dd8321f2e6f4cf914da9 |
C:\Users\Admin\AppData\Local\Temp\nss73FB.tmp\7z-out\locales\es.pak
| MD5 | f6f452e9fe45b56b489b2e99c99848d7 |
| SHA1 | c64384626ea966d3a24dfd4d6c2f42c1cc082d2f |
| SHA256 | 54f85551269c8b5f3985a09d313fdc04c4595e5058163cf147ede049b8faa605 |
| SHA512 | f3c50308531f9654ff394cbdfdcc6029c60dc6659fe60e0326b4855a31f3eedc86f3df82a96a9e7691d12c7a69079c4abe2722f599aae29f48b291fb5a39a3a1 |
C:\Users\Admin\AppData\Local\Temp\nss73FB.tmp\7z-out\locales\en-US.pak
| MD5 | 731c45f9f23957acc11b43d775758aaa |
| SHA1 | 12e66417a2dc0c5211ed67f026208ef02fcb40af |
| SHA256 | 02b97817b6eebd7caeaaff750f6462abc68911c398ddf0571b7900ff9b4ea9a2 |
| SHA512 | 1a008df585ef76d9cf4459fc3e617b8d4397e7078c77852712fc7cf4f304081bc5195243437e64074016b05a8cd671db93666042e59b959595ba854ceb330a81 |
C:\Users\Admin\AppData\Local\Temp\nss73FB.tmp\7z-out\locales\en-GB.pak
| MD5 | a44922cb4cd8816b9ce3d018dba9e6a0 |
| SHA1 | 2ed3a8bd4a11bb89d3699f583372ad7aecc46ddd |
| SHA256 | e0df967ffdf872f0a9589a0d74d68a742fa9b956add7a6736b82aebd9e8f02d3 |
| SHA512 | 461b04a170c562382f6c1022f881db9f6928a36c962a2e3aeabee62dd4c46e08b59ef33a2d1d26af21dcc47d00b0c51e10b43f14dcd627f84104ab4f31a9e526 |
C:\Users\Admin\AppData\Local\Temp\nss73FB.tmp\7z-out\locales\de.pak
| MD5 | 5a252c49719970b8fb33fbc8ec98971a |
| SHA1 | 931834866af36a9e25582a1f631a8cbc965a8e84 |
| SHA256 | d5746f48800efbff7db9d1bb8d6e5a5102eb7d79ae136e0485fd427be1ca63a1 |
| SHA512 | d4e6ab68d0b1a564b886c8bbe60e7bf67c3f71e6fc70ed5bfbb63a974f72afce62e03559f29f46a424908c256e990ff6cebeab8fddfbd79f6deca997cf7117cd |
C:\Users\Admin\AppData\Local\Temp\nss73FB.tmp\WinShell.dll
| MD5 | 1cc7c37b7e0c8cd8bf04b6cc283e1e56 |
| SHA1 | 0b9519763be6625bd5abce175dcc59c96d100d4c |
| SHA256 | 9be85b986ea66a6997dde658abe82b3147ed2a1a3dcb784bb5176f41d22815a6 |
| SHA512 | 7acf7f8e68aa6066b59ca9f2ae2e67997e6b347bc08eb788d2a119b3295c844b5b9606757168e8d2fbd61c2cda367bf80e9e48c9a52c28d5a7a00464bfd2048f |
C:\Users\Admin\AppData\Roaming\Microsoft\Spelling\en-US\default.dic
| MD5 | f3b25701fe362ec84616a93a45ce9998 |
| SHA1 | d62636d8caec13f04e28442a0a6fa1afeb024bbb |
| SHA256 | b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209 |
| SHA512 | 98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84 |
memory/4228-829-0x000001757D5F0000-0x000001757D612000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_rgrpon0h.ha1.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/4824-848-0x000001AAD5B00000-0x000001AAD5B44000-memory.dmp
memory/4228-849-0x000001757DE70000-0x000001757DEE6000-memory.dmp
memory/4228-853-0x000001757DDF0000-0x000001757DE14000-memory.dmp
memory/4228-852-0x000001757DDF0000-0x000001757DE1A000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
| MD5 | 4e57c61b4eb232de920084c46dcd88f9 |
| SHA1 | c3f0fb061f04acec18edd92ca27aca4f3decdf0f |
| SHA256 | ece7e53565da2c637fa9f0e6c09d0b5bd7c7902760e00ed0ede138b9107e95ae |
Analysis: behavioral4
Detonation Overview
Submitted
2024-09-22 11:26
Reported
2024-09-22 11:52
Platform
win10v2004-20240802-en
Max time kernel
93s
Max time network
203s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3492 wrote to memory of 5080 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\UAC.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\UAC.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 5080 -ip 5080
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5080 -s 600
Network
Files
Analysis: behavioral13
Detonation Overview
Submitted
2024-09-22 11:26
Reported
2024-09-22 11:52
Platform
win10v2004-20240802-en
Max time kernel
89s
Max time network
189s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\vk_swiftshader.dll,#1
Network
Files
Analysis: behavioral19
Detonation Overview
Submitted
2024-09-22 11:26
Reported
2024-09-22 11:52
Platform
win10v2004-20240802-en
Max time kernel
93s
Max time network
204s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2280 wrote to memory of 3460 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\StdUtils.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\StdUtils.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 3460 -ip 3460
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3460 -s 628
Network
Files
Analysis: behavioral9
Detonation Overview
Submitted
2024-09-22 11:26
Reported
2024-09-22 11:52
Platform
win10v2004-20240802-en
Max time kernel
144s
Max time network
302s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\ffmpeg.dll,#1
Network
Files
Analysis: behavioral20
Detonation Overview
Submitted
2024-09-22 11:26
Reported
2024-09-22 11:52
Platform
win10v2004-20240802-en
Max time kernel
95s
Max time network
205s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3240 wrote to memory of 3848 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 3848 -ip 3848
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3848 -s 612
Network
Files
Analysis: behavioral7
Detonation Overview
Submitted
2024-09-22 11:26
Reported
2024-09-22 11:52
Platform
win10v2004-20240802-en
Max time kernel
293s
Max time network
305s
Command Line
Signatures
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Programs\Ultimate Tweaks\Ultimate Tweaks.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe | N/A |
Executes dropped EXE
Loads dropped DLL
Checks installed software on the system
Command and Scripting Interpreter: PowerShell
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\ultimate-tweaks-updater\pending\Ultimate-Tweaks-Setup-1.0.2.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz | C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\2 | C:\Users\Admin\AppData\Local\Programs\Ultimate Tweaks\Ultimate Tweaks.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Programs\Ultimate Tweaks\Ultimate Tweaks.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString | C:\Users\Admin\AppData\Local\Programs\Ultimate Tweaks\Ultimate Tweaks.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\2 | C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Users\Admin\AppData\Local\Programs\Ultimate Tweaks\Ultimate Tweaks.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 | C:\Users\Admin\AppData\Local\Programs\Ultimate Tweaks\Ultimate Tweaks.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz | C:\Users\Admin\AppData\Local\Programs\Ultimate Tweaks\Ultimate Tweaks.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 | C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Programs\Ultimate Tweaks\Ultimate Tweaks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe
"C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe"
C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe
"C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\Ultimate Tweaks" --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=1716 --field-trial-handle=1728,i,11159637938587858117,12395133770294653531,262144 --enable-features=kWebSQLAccess --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version /prefetch:2
C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe
"C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\Ultimate Tweaks" --mojo-platform-channel-handle=2144 --field-trial-handle=1728,i,11159637938587858117,12395133770294653531,262144 --enable-features=kWebSQLAccess --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version /prefetch:3
C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe
"C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\Ultimate Tweaks" --app-path="C:\Users\Admin\AppData\Local\Temp\resources\app.asar" --no-sandbox --no-zygote --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=4 --mojo-platform-channel-handle=2428 --field-trial-handle=1728,i,11159637938587858117,12395133770294653531,262144 --enable-features=kWebSQLAccess --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version /prefetch:1
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "chcp"
C:\Windows\system32\chcp.com
chcp
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
C:\Users\Admin\AppData\Local\ultimate-tweaks-updater\pending\Ultimate-Tweaks-Setup-1.0.2.exe
C:\Users\Admin\AppData\Local\ultimate-tweaks-updater\pending\Ultimate-Tweaks-Setup-1.0.2.exe --updated /S --force-run
C:\Users\Admin\AppData\Local\Programs\Ultimate Tweaks\Ultimate Tweaks.exe
"C:\Users\Admin\AppData\Local\Programs\Ultimate Tweaks\Ultimate Tweaks.exe" --updated
C:\Users\Admin\AppData\Local\Programs\Ultimate Tweaks\Ultimate Tweaks.exe
"C:\Users\Admin\AppData\Local\Programs\Ultimate Tweaks\Ultimate Tweaks.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\Ultimate Tweaks" --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=1688 --field-trial-handle=1700,i,3063148122429845556,3380216858735278724,262144 --enable-features=kWebSQLAccess --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version /prefetch:2
C:\Users\Admin\AppData\Local\Programs\Ultimate Tweaks\Ultimate Tweaks.exe
"C:\Users\Admin\AppData\Local\Programs\Ultimate Tweaks\Ultimate Tweaks.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\Ultimate Tweaks" --mojo-platform-channel-handle=2176 --field-trial-handle=1700,i,3063148122429845556,3380216858735278724,262144 --enable-features=kWebSQLAccess --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version /prefetch:3
C:\Users\Admin\AppData\Local\Programs\Ultimate Tweaks\Ultimate Tweaks.exe
"C:\Users\Admin\AppData\Local\Programs\Ultimate Tweaks\Ultimate Tweaks.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\Ultimate Tweaks" --app-path="C:\Users\Admin\AppData\Local\Programs\Ultimate Tweaks\resources\app.asar" --no-sandbox --no-zygote --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=4 --mojo-platform-channel-handle=2440 --field-trial-handle=1700,i,3063148122429845556,3380216858735278724,262144 --enable-features=kWebSQLAccess --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version /prefetch:1
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "chcp"
C:\Windows\system32\chcp.com
chcp
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
C:\Users\Admin\AppData\Local\Programs\Ultimate Tweaks\Ultimate Tweaks.exe
"C:\Users\Admin\AppData\Local\Programs\Ultimate Tweaks\Ultimate Tweaks.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\Ultimate Tweaks" --app-path="C:\Users\Admin\AppData\Local\Programs\Ultimate Tweaks\resources\app.asar" --enable-sandbox --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3388 --field-trial-handle=1700,i,3063148122429845556,3380216858735278724,262144 --enable-features=kWebSQLAccess --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version /prefetch:1
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
C:\Users\Admin\AppData\Local\Programs\Ultimate Tweaks\Ultimate Tweaks.exe
"C:\Users\Admin\AppData\Local\Programs\Ultimate Tweaks\Ultimate Tweaks.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\Ultimate Tweaks" --app-path="C:\Users\Admin\AppData\Local\Programs\Ultimate Tweaks\resources\app.asar" --enable-sandbox --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3452 --field-trial-handle=1700,i,3063148122429845556,3380216858735278724,262144 --enable-features=kWebSQLAccess --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version /prefetch:1
C:\Users\Admin\AppData\Local\Programs\Ultimate Tweaks\Ultimate Tweaks.exe
"C:\Users\Admin\AppData\Local\Programs\Ultimate Tweaks\Ultimate Tweaks.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\Ultimate Tweaks" --app-path="C:\Users\Admin\AppData\Local\Programs\Ultimate Tweaks\resources\app.asar" --enable-sandbox --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=3592 --field-trial-handle=1700,i,3063148122429845556,3380216858735278724,262144 --enable-features=kWebSQLAccess --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version /prefetch:1
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Programs\Ultimate Tweaks\Ultimate Tweaks.exe
"C:\Users\Admin\AppData\Local\Programs\Ultimate Tweaks\Ultimate Tweaks.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --user-data-dir="C:\Users\Admin\AppData\Roaming\Ultimate Tweaks" --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAABEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=3084 --field-trial-handle=1700,i,3063148122429845556,3380216858735278724,262144 --enable-features=kWebSQLAccess --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version /prefetch:8
Network
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Spelling\en-US\default.exc
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_vt2idh1f.cpt.ps1
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
C:\Users\Admin\AppData\Roaming\Ultimate Tweaks\Preferences
C:\Users\Admin\AppData\Roaming\Ultimate Tweaks\Preferences~RFe57f443.TMP
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
C:\Users\Admin\AppData\Roaming\Ultimate Tweaks\logs\main.log
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
C:\Users\Admin\AppData\Roaming\Ultimate Tweaks\DawnCache\data_2
C:\Users\Admin\AppData\Roaming\Ultimate Tweaks\DawnCache\data_3
C:\Users\Admin\AppData\Roaming\Ultimate Tweaks\Session Storage\MANIFEST-000001
C:\Users\Admin\AppData\Roaming\Ultimate Tweaks\Network\Network Persistent State
C:\Users\Admin\AppData\Roaming\Ultimate Tweaks\Network\Network Persistent State~RFe5877ac.TMP
C:\Users\Admin\AppData\Roaming\Ultimate Tweaks\Session Storage\CURRENT
C:\Users\Admin\AppData\Local\Temp\nsq7991.tmp\System.dll
C:\Users\Admin\AppData\Local\Temp\nsq7991.tmp\UAC.dll
C:\Users\Admin\AppData\Local\Temp\nsq7991.tmp\StdUtils.dll
C:\Users\Admin\AppData\Local\Temp\nsq7991.tmp\nsExec.dll
C:\Users\Admin\AppData\Local\Temp\nsq7991.tmp\nsis7z.dll
C:\Users\Admin\AppData\Local\Programs\Ultimate Tweaks\chrome_100_percent.pak
C:\Users\Admin\AppData\Local\Temp\nsq7991.tmp\7z-out\ffmpeg.dll
C:\Users\Admin\AppData\Local\Temp\nsq7991.tmp\7z-out\d3dcompiler_47.dll
C:\Users\Admin\AppData\Local\Temp\nsq7991.tmp\7z-out\chrome_200_percent.pak
C:\Users\Admin\AppData\Local\Programs\Ultimate Tweaks\icudtl.dat
C:\Users\Admin\AppData\Local\Temp\nsq7991.tmp\7z-out\libEGL.dll
C:\Users\Admin\AppData\Local\Temp\nsq7991.tmp\7z-out\libGLESv2.dll
C:\Users\Admin\AppData\Local\Temp\nsq7991.tmp\7z-out\LICENSE.electron.txt
C:\Users\Admin\AppData\Local\Temp\nsq7991.tmp\7z-out\LICENSES.chromium.html
C:\Users\Admin\AppData\Local\Temp\nsq7991.tmp\7z-out\snapshot_blob.bin
C:\Users\Admin\AppData\Local\Temp\nsq7991.tmp\7z-out\resources.pak
| MD5 | 67bb5e75ceb8ced4c98cf0454933cb45 |
| SHA1 | c2b1c8c8d753318bc5ec18762c27512a5eb9f9cd |
| SHA256 | 5d63acd4034f7771ca346d138d7478014abf1f3f4386d07fc025dbc2c2bc0bff |
| SHA512 | fd213d59ebc625f6f8b20cc8fde1a22132ce827b81deaddb9ca7993fe0d9616de17e089def338d23c4b6bbd7d3a931ee73aa329325eaa17f8145a58fe11d8c38 |
C:\Users\Admin\AppData\Local\Temp\nsq7991.tmp\7z-out\v8_context_snapshot.bin
| MD5 | 81870fb2f641c8b845e9c6d1a632f0b7 |
| SHA1 | fcd47d8d1232c189a1c4087bb03a015ce14c25ba |
| SHA256 | 875515af4e7254458c17a98bed087fc609d45fbc8ebf60663e112c37204f6840 |
| SHA512 | 7748c8fb6f356aa45023a56245c43c5171d0413617fb1ac6c75650be75bbe94bd5528e9aa83cd9df9a08af65540a76ab59bc866e5dcf0fa7284122f290bd45d3 |
C:\Users\Admin\AppData\Local\Temp\nsq7991.tmp\7z-out\vulkan-1.dll
| MD5 | a6588e66186ccf486eede8e9223f0d41 |
| SHA1 | 777a5c4028c7675ee1fc4e265a825b35d5099577 |
| SHA256 | 419488597ea255ec61f028aeecd36572d072dfe49b7ab716cd2c0a8e186f24e6 |
| SHA512 | ba8b9577f47ac5b9503aab8d4cca6059c7208bf0eb37999f4fbef0c2cf03032a9359559a0221f332c6cd66c38366fb0e1f1d32173f282afd639fabea8fc9400e |
C:\Users\Admin\AppData\Local\Temp\nsq7991.tmp\7z-out\vk_swiftshader_icd.json
| MD5 | 8642dd3a87e2de6e991fae08458e302b |
| SHA1 | 9c06735c31cec00600fd763a92f8112d085bd12a |
| SHA256 | 32d83ff113fef532a9f97e0d2831f8656628ab1c99e9060f0332b1532839afd9 |
| SHA512 | f5d37d1b45b006161e4cefeebba1e33af879a3a51d16ee3ff8c3968c0c36bbafae379bf9124c13310b77774c9cbb4fa53114e83f5b48b5314132736e5bb4496f |
C:\Users\Admin\AppData\Local\Temp\nsq7991.tmp\7z-out\vk_swiftshader.dll
| MD5 | 0a071201e4dd76996e273c81533bfa74 |
| SHA1 | 5c92c634027692c344a8e74eab8b4d5c3e049497 |
| SHA256 | 08e34bc25653f9357a4ccf62966d698b7cc6265dc668046a28403ae5786132ee |
| SHA512 | b5de6548c5c743b6f119183fa06aaf67dcd4cdbc3542378ff87916b670ace1e2f4270f6dcaa4caabd01460c638bd02b565267e7bd9617ca92d72187d374bb7d6 |
C:\Users\Admin\AppData\Local\Temp\nsq7991.tmp\7z-out\locales\bg.pak
| MD5 | c80a2008d9f61c182430a728a6e059af |
| SHA1 | 2f2aa33573156d9939e3fc81f8d81de4aac21e61 |
| SHA256 | 5947f567ce1f4ab945dc6dab1599422d412f4417b9097905150d669122e43f7d |
| SHA512 | 016ce835b6bac4d5b38d72c0b3adf4d6b4e0ac04677d70c53e5938acd28b12220d2878bca7875471d008b779ea6ab4972a9875b44304e867d0bb5e4318c0edc3 |
C:\Users\Admin\AppData\Local\Temp\nsq7991.tmp\7z-out\locales\ar.pak
| MD5 | 7608398c66cd0b55396f7250b3c8747c |
| SHA1 | 7e8417dfc7055fb9ecbe7cfc97a8aba0bd5a0e13 |
| SHA256 | 3bb407fa588fb801ab241e8dda018461b54010a38648c3acc1e3550c0dfbd75a |
| SHA512 | 5dd757e4f114782eab9ab8cadbfe3179ded594285b3d0f7f6fa5ca50d80d866e7c8ff6a1f44deba8bdf09c04106de635c1da22597c008023b1fdf1cc747b6f1c |
C:\Users\Admin\AppData\Local\Temp\nsq7991.tmp\7z-out\locales\am.pak
| MD5 | 92ffe73f193d41c5a90303955b2da67f |
| SHA1 | 1d4136d8bb752da2834ebf0f4f62de56efefd78f |
| SHA256 | 325dd137903fc0d9e5010a62a314d9c6984ff82afbdff2254f7c48bd03dda06a |
| SHA512 | 6c4f0aac10276ab84ec4e63ec9ad0e20a1b3ce9d2368ec966cc6471600c3d28df8f9e501b4843bafa5bcf2aab57242559ba430d58853180ea653afbc8f468e67 |
C:\Users\Admin\AppData\Local\Temp\nsq7991.tmp\7z-out\locales\af.pak
| MD5 | 9554e414159d76754147d7e185056094 |
| SHA1 | e0fb0c95cef8e8d1ebeb11a6e2ea03b9067d799e |
| SHA256 | f402c0d8494c9a2fceedcd7845ddf43b62e7d01ddb1d9c8e132efea83b724824 |
| SHA512 | 9e8b41f69605d7bd426243e49b0f22347b211f7d13038ee6350d86d06cc7274bb2ef1918e27548802a5437903a653d86fce85338fa97f8c9642c0e74ed59ae88 |
C:\Users\Admin\AppData\Local\Temp\nsq7991.tmp\7z-out\locales\bn.pak
| MD5 | d179d38e8b9f7e60a943e2fc9f9471ad |
| SHA1 | 8d109081959d194c82b89fb25a514a65233435a7 |
| SHA256 | a45279ccc13390e0d93cfe1e33a7f276a5d9e97f6aefa6b6e14ecc4289703bda |
| SHA512 | fa6f3e45f40e1e48f191e4a65f5d15dabd7058af4537eea3e34998dc67dd250b00e52d1f07b10a73a67a15aada4523e50f40160d98a5f37ef4684a30ff338468 |
C:\Users\Admin\AppData\Local\Temp\nsq7991.tmp\7z-out\locales\ca.pak
| MD5 | bd846046383d64073da6eb192f5cddb1 |
| SHA1 | 6dd4bfb982101ecafc14eb35834caa1fe5b1e3f5 |
| SHA256 | 1dca9a7fcd850aecd48288999b436ff7e70cd4a96f47b40319759a800fb8eefa |
| SHA512 | 521ddf6e8fb444b911212501825392562af14cfb5b31a80707fdeffb13c8afb04852b0e3f7e3363a1c3a37c5c35bb1cbe84b458e14e30b5e8d8cb00a6a349ce0 |
C:\Users\Admin\AppData\Local\Temp\nsq7991.tmp\7z-out\locales\cs.pak
| MD5 | 926b4d7f540ce0b1912e5fb6383dabb7 |
| SHA1 | a7adbc83ef38092a90d964d61359a6caa1253090 |
| SHA256 | 2964edcdcb27b2edf73515615501d8af28ad94b5dd31d2794f2624808c74de38 |
| SHA512 | bf6160e46eebf16d6b6f05d330068fa226118457ff03277b59ed4e1a6d2d28b212155cae2f48c34adfa81d20ff71e4206f25052257559f4768323b342dd16278 |
C:\Users\Admin\AppData\Local\Temp\nsq7991.tmp\7z-out\locales\da.pak
| MD5 | c54edb2260d2b907049cdd4772d5313b |
| SHA1 | a12f623e6310b667a9c38b4c9143920d08564377 |
| SHA256 | 318a9ec9e9fbe35d5d8cb9b719ecfbe1ecba9d8f246876c949c082107b439ddb |
| SHA512 | 4eef045080fecaf55bf2cca7d72d039b7d7a7b28021b649becee320a3a8c0753f4e0e5f869a188813e746bad05fd08c726b5c25f40ef9555967fafd93f7f6989 |
C:\Users\Admin\AppData\Local\Temp\nsq7991.tmp\7z-out\locales\es.pak
| MD5 | f6f452e9fe45b56b489b2e99c99848d7 |
| SHA1 | c64384626ea966d3a24dfd4d6c2f42c1cc082d2f |
| SHA256 | 54f85551269c8b5f3985a09d313fdc04c4595e5058163cf147ede049b8faa605 |
| SHA512 | f3c50308531f9654ff394cbdfdcc6029c60dc6659fe60e0326b4855a31f3eedc86f3df82a96a9e7691d12c7a69079c4abe2722f599aae29f48b291fb5a39a3a1 |
C:\Users\Admin\AppData\Local\Temp\nsq7991.tmp\7z-out\locales\es-419.pak
| MD5 | 763f8c8ce092a3d64bbebddf4169e108 |
| SHA1 | 89f2834c1b4e3f84870af29650bda6fe360350f5 |
| SHA256 | 0c816f00b15d59809d30b6611aa455ea1bf8b022d2f887137f1c9d7a5600d5d9 |
| SHA512 | 8401cec52e80a5136543473b317f0e2d920008c83b9667605cd0deb9fa5f933deeda0aa475b436520001c6a7c91118a4d9b11e28a9f4b31271662780e678dc06 |
C:\Users\Admin\AppData\Local\Temp\nsq7991.tmp\7z-out\locales\en-US.pak
| MD5 | 731c45f9f23957acc11b43d775758aaa |
| SHA1 | 12e66417a2dc0c5211ed67f026208ef02fcb40af |
| SHA256 | 02b97817b6eebd7caeaaff750f6462abc68911c398ddf0571b7900ff9b4ea9a2 |
| SHA512 | 1a008df585ef76d9cf4459fc3e617b8d4397e7078c77852712fc7cf4f304081bc5195243437e64074016b05a8cd671db93666042e59b959595ba854ceb330a81 |
C:\Users\Admin\AppData\Local\Temp\nsq7991.tmp\7z-out\locales\en-GB.pak
| MD5 | a44922cb4cd8816b9ce3d018dba9e6a0 |
| SHA1 | 2ed3a8bd4a11bb89d3699f583372ad7aecc46ddd |
| SHA256 | e0df967ffdf872f0a9589a0d74d68a742fa9b956add7a6736b82aebd9e8f02d3 |
| SHA512 | 461b04a170c562382f6c1022f881db9f6928a36c962a2e3aeabee62dd4c46e08b59ef33a2d1d26af21dcc47d00b0c51e10b43f14dcd627f84104ab4f31a9e526 |
C:\Users\Admin\AppData\Local\Temp\nsq7991.tmp\7z-out\locales\el.pak
| MD5 | 35ba1b364ecfff6486daed2a33cc6431 |
| SHA1 | b894b392d400fde4d35bc3b4edc130853cda340b |
| SHA256 | c0434492be64b08f9ad00bc7cff65314822406dfb0c591fea0df6af9b6fc89c5 |
| SHA512 | 5f5d2cf1d5c8158c62fe310338bfb1c9683ea2f43726c9f02fe6d2c29482e3211fd3d61a30dc0cf738549dc7047dfce0dbac36b9d22dfffb558f118fdbb3d856 |
C:\Users\Admin\AppData\Local\Temp\nsq7991.tmp\7z-out\locales\de.pak
| MD5 | 5a252c49719970b8fb33fbc8ec98971a |
| SHA1 | 931834866af36a9e25582a1f631a8cbc965a8e84 |
| SHA256 | d5746f48800efbff7db9d1bb8d6e5a5102eb7d79ae136e0485fd427be1ca63a1 |
| SHA512 | d4e6ab68d0b1a564b886c8bbe60e7bf67c3f71e6fc70ed5bfbb63a974f72afce62e03559f29f46a424908c256e990ff6cebeab8fddfbd79f6deca997cf7117cd |
C:\Users\Admin\AppData\Local\Temp\nsq7991.tmp\7z-out\locales\et.pak
| MD5 | 97918bb7b36900705b1a53b7851db6b3 |
| SHA1 | f8cca656478c6e15baa8f344dda2704087f54776 |
| SHA256 | 8021814965878c4913d1f9f9d226da49cc2a37746d976f3b84aad7fe096fd14f |
| SHA512 | 6daa8f56c231cfd7dfc17bb5d5c56afca9490f953f22c92365a1f88e995c3a1705de98a725177001bb449070c860fd1c843ee0a499c6dd8321f2e6f4cf914da9 |
C:\Users\Admin\AppData\Local\Temp\nsq7991.tmp\7z-out\locales\fr.pak
| MD5 | 6708a286a0529ba7bed9840d53035be8 |
| SHA1 | af289ed518d9d90c75b69a870615e3f475c5d0e4 |
| SHA256 | 7169684ff44f342b98648839b8963916f7323115dead332c2471baed6264b80e |
| SHA512 | b329798fd85eac1505d0af5cb827ba11a5850eb926be39b414c40b5fdb56432db5f3dbc45237510bd4d1174c1cd62f623c6cc8ab10eb0ca51dea5d5487f0b0fd |
C:\Users\Admin\AppData\Local\Temp\nsq7991.tmp\7z-out\locales\fil.pak
| MD5 | 89a63085d14b1b80f259e166e6ffe56d |
| SHA1 | d1326c879a6ad203489226f7c5be08c897be71ac |
| SHA256 | 00b8cfe6131499a8a67a51dd8560a965a2abb863d52635dd3931df0479c3f5ee |
| SHA512 | ab48fc4bc604648b4cc010a530fbcc5138b9d0a0f09398d2a69b6219799a43a052722c47dba96c9d001b4f6ddd491683c0a871c19ac2abc12843e68f9d4c2cf4 |
C:\Users\Admin\AppData\Local\Temp\nsq7991.tmp\7z-out\locales\fi.pak
| MD5 | 3acdfec7edd4d3eb473f0deb32713c14 |
| SHA1 | 41fdd4af5f9fa78f4f81d3996ecafd69587f05ef |
| SHA256 | 4bf099ac8a76449bf597caf005790f5c02efd533b9a329c5fdc460d38f77607e |
| SHA512 | b167caf1e5ff38b0c80f891715866a7754e9bf3f1479aa1faa3cf3e8ae7fe9b71a87109239750f71855330b6d20704b43e814f188672aa52a5dc6912297f1997 |
C:\Users\Admin\AppData\Local\Temp\nsq7991.tmp\7z-out\locales\fa.pak
| MD5 | 04f629bc5fa6d761f1d7b5dc28a6b97e |
| SHA1 | d80f74a2b6508bae49b8344809062b48dc2b2dc5 |
| SHA256 | 9b5334e4883a716c5616c859889aacd7b179b30ac65e5657198eb4e877700f81 |
| SHA512 | ea412096170ae29b33f3d54f17fb9f2f5a41035df56e2af9596ec7c15422277943c5c651df6b3a232aca4e979946732bec496da03b3e47e0d4629675751a4c67 |
C:\Users\Admin\AppData\Local\Temp\nsq7991.tmp\7z-out\locales\gu.pak
| MD5 | ba34657d3f5ebe61b36a807c4a053d72 |
| SHA1 | 163875c4ef39e3473d9d5aec4b6273f34a90a02d |
| SHA256 | 8c762963cca8eef2cbd39bd7bcd8b809f3b57a75353e687743894add9c19440f |
| SHA512 | cb1c4adc59c3e99f819645ae84e3e6b601b340e05ae2182c0b1568bbbcd3eabf7bf09ef34e5d0757530997d0734dc52dd744b8b0edbb3702a3c06e29ba7f0c4e |
C:\Users\Admin\AppData\Local\Temp\nsq7991.tmp\7z-out\locales\he.pak
| MD5 | c47322869b458a1cd231f3dc385f80fb |
| SHA1 | 4155444dcb69c5b64711139cadb32a6df95ce3ae |
| SHA256 | 9e5544340da0e0aa28298e68765716a3960a28e50d86146b5324fd70fd756b41 |
| SHA512 | ca4664a9acbdd5896c6a0921e09d99f1a7ce3d7a80338c1a4310ad499a5a2cbb60ca074a02fcff128789da0a4cf82d3869f83836ae3ae3171085e58d6155fb73 |
C:\Users\Admin\AppData\Local\Temp\nsq7991.tmp\7z-out\locales\hi.pak
| MD5 | 6d3ce5a6049eda31ecbc55a9d3abb163 |
| SHA1 | 100afed265c77a20f6636a0ab48c8a723e30b087 |
| SHA256 | 8dae029a489f1bd7530650a9cb1be1f03741e1d7018503feb3c78759da8af531 |
| SHA512 | 3668952ea707da9ee8fd3753c04d5dfbed97685b76dcc75dcf8d6a3699a832c3ff0db9cd40810f6ea9364f2b7aff4b1cd68980c74b59808fcb4900a36d933bba |
C:\Users\Admin\AppData\Local\Temp\nsq7991.tmp\7z-out\locales\hr.pak
| MD5 | 2f7462a076c14f2c2733a41dcc5ecf1b |
| SHA1 | c453dbf62d1cfe85adb64ae374b6a79cff2ef97f |
| SHA256 | 6dcc7d5d771475874471b78ee84db0230341f8634f4b38a9cb90c37226d70b00 |
| SHA512 | f1df750b779c908547a38b49bae0ed8734fe37cd96d3502186926e6cbd657c248c528cf9944353dfd26695ab384f17f22f0bec251e65a20906da4d67852cc516 |
C:\Users\Admin\AppData\Local\Temp\nsq7991.tmp\7z-out\locales\hu.pak
| MD5 | f55e37076460b2e8b5ed0f414618d256 |
| SHA1 | b313287de6197f1bf9f9770e3d2c99e70c4d8179 |
| SHA256 | 61854ab102bc57a7ad7b85a4fa008c3f071306838ba1a0491f68c19153decd49 |
| SHA512 | e8121a064a3209878f24c33e9c20c810c56aa15476909de1ce076c80ef635e69a60ac655b7714a116951de5b99bb690827edafddcd5e6b00ee6310807d78ce58 |
C:\Users\Admin\AppData\Local\Temp\nsq7991.tmp\7z-out\locales\id.pak
| MD5 | 260d34aaada70c9d491bfbedcf5ca8d1 |
| SHA1 | 5fa83a3e53e6aa9eede9fa34a84eb55ee8493314 |
| SHA256 | 64a8a25717ffae1855114d84b02223ad5b3963c1c6a21c826636146726d0a8a2 |
| SHA512 | a19ec6fae22689a8f851c1a782eb748ee9f38dfad89f05291c01a6070b24a8a02fac4bb4a441421f411966e8bc08e996900871d498efa307ac1793191710ebd2 |
C:\Users\Admin\AppData\Local\Temp\nsq7991.tmp\7z-out\locales\it.pak
| MD5 | cfb2ddc4caafd038db00c1e7378d316e |
| SHA1 | 2573f32a41735efde916f0a73b415ca689c0dd36 |
| SHA256 | 9395bf9a547561df6cd20d8e076452369cb72184f215448d1acd802dccf3a47d |
| SHA512 | 8a02ca980a8de8af8b179d610ff25557f81f67bfb5a9f82511641ec87b378a2ab7214d5ec681797acba1a865bd726cb9c5f609647ae6ee71a393b7e16fc06f8e |
C:\Users\Admin\AppData\Local\Temp\nsq7991.tmp\7z-out\locales\ja.pak
| MD5 | d84e12cecf6e4355933ed68816f090f6 |
| SHA1 | eb35ef52f341442dd887d43a52af7f02926d5288 |
| SHA256 | 8de18410e38f4036367113bd4ed253a4957709d87e0aeb11134742bc89e16d62 |
| SHA512 | 9dbe703493acb7b48ee1dbc4458ce0b9d757419e3fbf01379bc8dcbd22cc30a99348f7cb96840c19e873d6d97bb4d1a3baa4fcd6e0d332480273020a6e13a375 |
C:\Users\Admin\AppData\Local\Temp\nsq7991.tmp\7z-out\locales\kn.pak
| MD5 | a4cce1cfe646eb2c268493603dcb358b |
| SHA1 | aa19ee1cdf8776d07bf35614ff063aed5a798ef8 |
| SHA256 | 01250aec7310bb59e0e847382325f940ea2cdab00369c1c7efe2f340d01ff806 |
| SHA512 | cecb7794a288e879324e74e7522bee61a43072ab58a289b686f1d48d98fe9a0d29a5505b8c891fe411b823c3d8366d6c1cffbcc1deffa6c7d3a04339a769dbc7 |
C:\Users\Admin\AppData\Local\Temp\nsq7991.tmp\7z-out\locales\ko.pak
| MD5 | c21dde26f43530135ef37323b00dc1fd |
| SHA1 | a118e9713b155bd2999f04c3075f2e1bb05bffaa |
| SHA256 | ff88b56be0614232947bfb07e6beb88327a18ebec98cece17caa9b7cd8e6dd24 |
| SHA512 | 0db144f03992c41c3703719e985183a6ec988265e5a629d09bf683d9b208656d605565d6b5597cead909c814f25ce200739e65b1327172afe10d395a5018206c |
C:\Users\Admin\AppData\Local\Temp\nsq7991.tmp\7z-out\locales\lt.pak
| MD5 | 93a0a8181e8c251a2375645a552293d6 |
| SHA1 | 57faf2e9f965a49d5294cf9759b9b50d87c2ad1d |
| SHA256 | f87b2baacdde69b2b24dc7859d47bad0844cf4d275072812aaf4eedb10318450 |
| SHA512 | 51e1ff74442cfd51fd2fe218755335ed99e4850c8266425b8d55aa0abde2712ab765ff909d6ee620268ade9d7b51a93be659d6a52143da2abf4ec309bbe9f2fc |
C:\Users\Admin\AppData\Local\Temp\nsq7991.tmp\7z-out\locales\nb.pak
| MD5 | c2c49ebaebc448cfeb7933ce2cbd6ca6 |
| SHA1 | c3efca0fee40a3daf7d69768d7659de60b3e2c4f |
| SHA256 | 67d997fff8a24eaa030eadede7f5345fff5e954e96bc8f36d399839bed998774 |
| SHA512 | c500bc1097ed9077742c5708bd55dc4215c45f751522131b8203d7ae802d278ffc3a9ef607325bbea5b650d594dde0d74e7fa4502e1a0f905534c32fa1521bba |
C:\Users\Admin\AppData\Local\Temp\nsq7991.tmp\7z-out\locales\nl.pak
| MD5 | 9229e4ded3219c948747a4dc9a6a5e32 |
| SHA1 | 9147b2f2ac3837588aa3b71eb4a255d29cab0e74 |
| SHA256 | d88b02d74e01b9350d3ac9c48fe08333ca9c68e3e3824d64fae86c5b8b531feb |
| SHA512 | 8a81cefd9fa718b18de87555cb2d5c8e87ed14921fd3a0247b47988a1f3896d63b16dbf86fbf103097c73181473c37393c0f4e9e0a07d95d847aebcad526e8e8 |
C:\Users\Admin\AppData\Local\Temp\nsq7991.tmp\7z-out\locales\ro.pak
| MD5 | 36f8327b36f2c6c003f864895968af2f |
| SHA1 | 248d88aa9fe46cbcd013ea7d7270f8483215c073 |
| SHA256 | 6343589863bdd2ae81ec9c33e335048fd8792d2c2e8872f91f7a325a1f0d97ac |
| SHA512 | bb03b5af3ddf676dadb35d5b94f40ae1c95cba2e7175c87d128c319e0055dd91f412883daace89fa33a17b9761f1cd7bccdf261b16ffadd6e10da594445c2c8d |
C:\Users\Admin\AppData\Local\Temp\nsq7991.tmp\7z-out\locales\pt-PT.pak
| MD5 | 4aa908b531adedb0ee795704ab72e248 |
| SHA1 | 2ea9f4a7e561e70b06b675b3fe35ccb0f2a12fca |
| SHA256 | 72ca754dcb34c54b72087ab7fd5a4a3fa03e09cd1ced906d99d6525c7a19ee9c |
| SHA512 | 7d4a1add737136acfc7ed7848b0ee54646d5c8aa3a54addd7cf0340ebf42b58f6ce2eff56a2ba94125475e7b64989d06fedfc8b1ee41ece63b18b1f95686ad08 |
C:\Users\Admin\AppData\Local\Temp\nsq7991.tmp\7z-out\locales\pt-BR.pak
| MD5 | f18cae95b8bb6760d370b435235c5629 |
| SHA1 | eb62bc4249ea8e5688c67aa65bfa2b628fd5e1d8 |
| SHA256 | 952234ef1d2792204f4e65cc814e9fc6dc007610668ceffb980c74fc0167ba0b |
| SHA512 | 218e9e4e59c875fe7931f16e6df877f67b8466a5e8a5565a1cab0f091b40b0652eefcf205536f5f4b8697966aa201092c26249142dcd8b40e055529e23ef7819 |
C:\Users\Admin\AppData\Local\Temp\nsq7991.tmp\7z-out\locales\pl.pak
| MD5 | ab94060826404cc09d5fed31f63cec05 |
| SHA1 | 20d1cea9d2e60b9bbd4fddb38a652856a3561008 |
| SHA256 | 03258ecf731487231cc7eab8f6cb96e92b7ede4cc5b63c3def6ba08e0f16da10 |
| SHA512 | a9ec28912bdd2b8b1e1b3fc4d5c76139253ee4ada8f0d562ecd611d7366b0cdc97c379c5ae93c9db69eb045d8834cd0e1e0ba84813ac0071b5a2bf6cea81173e |
C:\Users\Admin\AppData\Local\Temp\nsq7991.tmp\7z-out\locales\ms.pak
| MD5 | 578dcc1aef901d00a57f2698a6e15826 |
| SHA1 | 4dca370c3b22f9f54a62d31166a84848336a8fea |
| SHA256 | e5e77421c5fca5b1eaef96fbf33c345c63119015986163cb43d65075df6265d0 |
| SHA512 | 073aecedf4132faef7e896e6840bb6297e866a06fd65a7490f0a61179013f27b6592a4fb2be91cb5e139c77f6db7695bf60e5788154e51c9ab7889f6e7040a33 |
C:\Users\Admin\AppData\Local\Temp\nsq7991.tmp\7z-out\locales\sw.pak
| MD5 | e2958cf2ab6cc74551c8360e6cc34333 |
| SHA1 | 806aa1129f228ee48744cfa55d061149b37522b0 |
| SHA256 | 51482431411be2d89bfc026b9acf9ce1a0fb971376468a47829a15392b47178a |
| SHA512 | 1f5f306b7233279800d18fa461f4c94ecad809b2bb7c292fce16abcac2e963f7567a86e43a3c950fc86bc73b4fef8451389fc57ac6750fe7546afad8ae00f589 |
C:\Users\Admin\AppData\Local\Temp\nsq7991.tmp\7z-out\locales\zh-TW.pak
| MD5 | 337bba163068f2dd7ff107ea929c8473 |
| SHA1 | 536ec5756f229696dd6f875180778afcee1966fb |
| SHA256 | 58753d4313ed7f548df16a9cd9aa1f0e30cebee675a76b8359ed23fc95825574 |
| SHA512 | 000b98249d7b0e4c7e463bafdf827e3dc5afac447750320d6344c984f4ad41cab5795861920525f03dcaeea5aa3615684101b08bbc103d3ba01065676c8bd64f |
C:\Users\Admin\AppData\Local\Temp\nsq7991.tmp\7z-out\resources\app-update.yml
| MD5 | b0e31c54422860c9390a2e456d8f4624 |
| SHA1 | 1b73cc7e00cbcae94a3ed921fbd055a393dedc0c |
| SHA256 | 897dac554968a2c49044a5e601cfcaf7c24d41599a58c03e91c62bd664b60ecf |
| SHA512 | 561cff0a281e073b0b2e3bc139a18b44ee1e2ab147d99ff007d5deae48c0c4c847bee4e14ad2e36abb27f7d9240f95aee7fcc9987246c717ba48666f550cc121 |
C:\Users\Admin\AppData\Local\Temp\nsq7991.tmp\7z-out\locales\zh-CN.pak
| MD5 | 156894db535f0fbe193d66c0afb4b112 |
| SHA1 | e347caa3c41ea7461c217c029dbca54567fbe27c |
| SHA256 | cc5a411d3bf0ddfba9e5041dfeeaed70265ba949f7b7ccba0170b88e3e14ceb0 |
| SHA512 | e81a0968598536e91c17a1998682cb5fff42bd3199c41b64e2d76827c96b187e8f86182843c061735dad2b7cd5e32750e473c1a5f9c82bcc0dcc30f1bdb8b806 |
C:\Users\Admin\AppData\Local\Temp\nsq7991.tmp\7z-out\resources\elevate.exe
| MD5 | 792b92c8ad13c46f27c7ced0810694df |
| SHA1 | d8d449b92de20a57df722df46435ba4553ecc802 |
| SHA256 | 9b1fbf0c11c520ae714af8aa9af12cfd48503eedecd7398d8992ee94d1b4dc37 |
| SHA512 | 6c247254dc18ed81213a978cce2e321d6692848c64307097d2c43432a42f4f4f6d3cf22fb92610dfa8b7b16a5f1d94e9017cf64f88f2d08e79c0fe71a9121e40 |
C:\Users\Admin\AppData\Local\Temp\nsq7991.tmp\7z-out\resources\app.asar
| MD5 | 04261cff6d42b7dac2b2429df634387e |
| SHA1 | bd26ae0ef0c42a898f7a04a5bd8bcc7291ee11c7 |
| SHA256 | e0abebd549f6705666f056ac69cfa9989ffc9ea19eb86a562ac99ccacd8bee45 |
| SHA512 | 0163f376c24cad9e2f189a60eec22f34ebc2526109fc9574a0c0986177e01179218507cf55e60c39a64d1b410f6e2cd2432b9523f6ac3aff7696106e6f482f13 |
C:\Users\Admin\AppData\Local\Temp\nsq7991.tmp\7z-out\locales\vi.pak
| MD5 | 593d33203c539d027c5b5bcc13bb38c9 |
| SHA1 | 2f6288bc43ddf31e49a733af97e3e9e2fb8a2940 |
| SHA256 | d435c4c7154c24982185842a09cacd343cea77a5eb7fb859c4d38973cf240a42 |
| SHA512 | 7c41c74f7220270da242562b93db8db053c0a7b08fdc1864d063706caccbc6926f288ae6bff1de43af656af67fcf2d8ad57f53d791bbc47a3b29a6a0856a68e5 |
C:\Users\Admin\AppData\Local\Temp\nsq7991.tmp\7z-out\locales\ur.pak
| MD5 | 305d39b5de5a1935d786da4bfc736dc5 |
| SHA1 | 8dd952fea4dae937b9f87d229638cd22ca197a8c |
| SHA256 | b551a93a300ab78ee6da5087ea417584c4fd3941fbac99c84c9c58be2c88a7e8 |
| SHA512 | d75ef12a56c2dbde5c7a1967297270f7d717a366776f6b2a316784f033c71fcb9d25dabc857398e8459d8ac40aae1bae59e82f551e00e9b96bfbea00a54fcde5 |
C:\Users\Admin\AppData\Local\Temp\nsq7991.tmp\7z-out\locales\uk.pak
| MD5 | 7f8d31b43f7319164bc0f6453bbaf007 |
| SHA1 | 4be254da0ccb13040489403cc2d8015f448292da |
| SHA256 | e33b1a611feca93d105dee7c867521b5fbf27da38532ea3ca0aec61bec7f6108 |
| SHA512 | 9569bd24aa5d2f9b0a13784f5f3d98e636f72177c7ff7a14c7d390f1d5f0b39ffab512276f70e4d2df0d37fba94a2c2322a840ba303a4cde33ccb20f7980395f |
C:\Users\Admin\AppData\Local\Temp\nsq7991.tmp\7z-out\locales\tr.pak
| MD5 | 4727af70df9094888ba46f3a62eff264 |
| SHA1 | d2ead301efab607d040c69c238a06d3b4d080717 |
| SHA256 | 026fc65ed90fe356ce2b5e2b459a4487512d89e48f0ff8b044d6739ef51c1658 |
| SHA512 | 5bb8dd6ad100581a7e0cb87b57e054ab23551c263144f7ffebf729b2280a1bd95e92eba9c64b80e2f77ce59c3c4315ba2b5253ac83dbb540828e7a59a70e74ac |
C:\Users\Admin\AppData\Local\Temp\nsq7991.tmp\7z-out\locales\th.pak
| MD5 | 7512a162ea0b65dd9477ac8c190136b9 |
| SHA1 | ae5fbce9516882a0d58da9ebee3c767c7ba4c305 |
| SHA256 | d01ecd4edecf1809d5c2133366df2502a4621e88d894817e80b913f3a0926fa4 |
| SHA512 | 425fd803cd3ed9589df5d04bb8ca4b62af0e573301d31c48a1a05bf3b707a0672e1a033965946223e5873a98eb3c9d52bcdcc1296a08cb4971d0b1b6d2e95eb7 |
C:\Users\Admin\AppData\Local\Temp\nsq7991.tmp\7z-out\locales\te.pak
| MD5 | 1f20952c1a61fa6e42a7f055de8986ea |
| SHA1 | 301ec89ca80695865d884927c4c07c6777fb321e |
| SHA256 | caeba6c853a0ee12a802fb9f610a95c676071414c1d8407d18b05f2fe8ce6bb7 |
| SHA512 | c43f5316dff21cd08f86e0d3d7c407449cdc751ff466683dff9a51e3a07bda203e8e22064bf240726e6e389b661d6dc2bf5ed5dc42750539990379e513228d53 |
C:\Users\Admin\AppData\Local\Temp\nsq7991.tmp\7z-out\locales\ta.pak
| MD5 | 474a2016df48f886e91fb9fd331d9bf9 |
| SHA1 | 2548525143292d7d150f5014b44ef294ba7c4189 |
| SHA256 | 75638ac7fdb226c0840d5c2edf763bae35afa1f47e89199d9724ff46c003a2c2 |
| SHA512 | a4c2c2c046420c77948a0479cbd2be3aa11c1b347eb508d020231eece5cf0c2cba8d4f6a0e9f875dece4a16413157fd9e9f1cf09e1746335eb11e8f8590cd013 |
C:\Users\Admin\AppData\Local\Temp\nsq7991.tmp\7z-out\locales\sv.pak
| MD5 | eb39645ebed4f980ab12585feae2f4b5 |
| SHA1 | fc7c471b93f59bef13f7bb4669e683385a8b9dec |
| SHA256 | ca34ee1c147358b5e32b5829acc0c355708925dc8df91c21d8e495c7485fa5c7 |
| SHA512 | 5fb25d7dfca3483967a5262d2c62b5d37a192f5a7a19dcf6722a9a8753e299e567bf7f26171859c374c8d035bb521fb4eddc4821aebf9ceea1253c63e1595c60 |
C:\Users\Admin\AppData\Local\Temp\nsq7991.tmp\7z-out\locales\sr.pak
| MD5 | 02bdb4d99bd466eed5fed3445560d52d |
| SHA1 | c24e1895145b3066840be0d349f5e866e46e2a39 |
| SHA256 | ac09005a83d4ac8f61855c7e301e48a753d2f3558a04cdb94f23b539e2086e54 |
| SHA512 | fac7bcefe31f41b6e37f215f271b33ab21dad281c1b0bdaf28769c99e31bccca625f213fcfd7c0047b3e2104a8f51b2ebc5fb374b32f58ae22c4130e315aee1e |
C:\Users\Admin\AppData\Local\Temp\nsq7991.tmp\7z-out\locales\sl.pak
| MD5 | 299acf51d74b95ae4272730c437763aa |
| SHA1 | 8a0ff73f37d830b6677e514371a5825631aa455d |
| SHA256 | 26e29cd70c4143d7e9fb65e86e02c9173997f2fc062633a5edb2b7df55942157 |
| SHA512 | d7d298a4eb476a3cd4411261058f6f9409d0dddb3756cdc1e27e64280efc8b84fe40afbd92c754d56f58ea333623b0481766320b5969f5dd71f0c2a93be8ff77 |
C:\Users\Admin\AppData\Local\Temp\nsq7991.tmp\7z-out\locales\sk.pak
| MD5 | e9bb6352cdd0f1c2fdd543a48ba076fe |
| SHA1 | 50053620d7be5566bb3ee588feda1a4daa207672 |
| SHA256 | 441155d63257beaac9e2998afa1a9e65957286ed1cd9e0670072a63e24ff3f8b |
| SHA512 | c1f87c7976159c8ff3e28185adcabf93d47ace0dc9b95fbaa4d1e5ed9ea8257263276880486a4c17a68a5869e6ec640eaf81f5ae6c4481e351e73e7b4dd9dd9e |
C:\Users\Admin\AppData\Local\Temp\nsq7991.tmp\7z-out\locales\ru.pak
| MD5 | a0072d84d1bcb2fa7bbe7ae4e06151ba |
| SHA1 | b9227c6cd4ff9f6db6a8edf694c444beccd369f6 |
| SHA256 | 8c169d6995d97feae8b8ec947be27697ca0ff731b593fff36163e4f31969a6fd |
| SHA512 | fad335e81a24427f2b0a2853733da94c9839139a7982796bf742eacba306ecd9998914bcac49b925d5bb18953091a4dcc62ea6a628fff125c086099cfd33e3b5 |
C:\Users\Admin\AppData\Local\Temp\nsq7991.tmp\7z-out\locales\mr.pak
| MD5 | fcaca3a4264563461b42b16d8fde4b02 |
| SHA1 | af37d4e73588d4a6d3d52f2dba67414393c9b168 |
| SHA256 | 362df1aa112a0a521617c0496087b3547a242eb79a5416b8414c5798f31e187d |
| SHA512 | 9114dc4e7da2affdcee5c86b1f1f78e47279c31d0f76c8deb1eac545e0268b9592463bbe1a4b433ff4fcab1ad4a596655b775608515bf7455fda550d3bf47b8a |
C:\Users\Admin\AppData\Local\Temp\nsq7991.tmp\7z-out\locales\ml.pak
| MD5 | 70c0c80fdfc006be0ff502e0e6115b2b |
| SHA1 | 43f96be4652ecbd22677b18ffe2260b79bcca19c |
| SHA256 | 878e268428ec7aa51105c921740931c545d4ba6a274b367c52675c90741d23bf |
| SHA512 | c463c5d91b3cae6b2c70ef6b7e3758bacecbe76088d813e2632bde7939c1fb28bad3cccf914a14861b8611a490ea74ef2d8d10e7336b203d12cee9904e8f9423 |
C:\Users\Admin\AppData\Local\Temp\nsq7991.tmp\7z-out\locales\lv.pak
| MD5 | 07405dc51eddde72e367737c093c20db |
| SHA1 | c66b8eccf167060c43b3c53631fc0c95b3afe05d |
| SHA256 | dbc860a35ad08e4f502b8784ca1548110d3c7334478f6c392db42f52cb3074f2 |
| SHA512 | 98f276fc137d6592cdbc1c804dd59983e290409bf7908137627ab114ab485e332f568d28c60a35d1dcb3d9753c2d1740065c654396af5f56f0dd5e1dfcffcf71 |
C:\Users\Admin\AppData\Local\Temp\nsq7991.tmp\WinShell.dll
| MD5 | 1cc7c37b7e0c8cd8bf04b6cc283e1e56 |
| SHA1 | 0b9519763be6625bd5abce175dcc59c96d100d4c |
| SHA256 | 9be85b986ea66a6997dde658abe82b3147ed2a1a3dcb784bb5176f41d22815a6 |
| SHA512 | 7acf7f8e68aa6066b59ca9f2ae2e67997e6b347bc08eb788d2a119b3295c844b5b9606757168e8d2fbd61c2cda367bf80e9e48c9a52c28d5a7a00464bfd2048f |
C:\Users\Admin\AppData\Roaming\Ultimate Tweaks\Local State
| MD5 | ccda6758e905092f652bdddba86831dd |
| SHA1 | 7434ac52ef0e78b04fe13f04ef20a286e40a4efa |
| SHA256 | 9cfe2d5d0e57d110789b3ccb6305f4388e1c1ccbe0eb83f0b599849c6f0e07fc |
| SHA512 | 041b9a4375ad508a5a064544b07647f5e131b34914c715dfb18784b724ef097a21315a79ee3d26edf8a1f5e902dc3cfb86365f3459e34cfa76236480c0fed9b6 |
C:\Users\Admin\AppData\Roaming\Ultimate Tweaks\Cache\Cache_Data\index
| MD5 | e5f3cbfac3d6cec642cbbf3af6f34b80 |
| SHA1 | 77ce8e88ea43a5b783f0df86c85c1407e096617e |
| SHA256 | b32521f2449bf74c4f6677c095b6abd9ac4c0a398fa6c0bac0191c19eaf185d4 |
| SHA512 | 0ce0d863614b027217c09cb6cda1111473553fb289c849965b6e2c4b74b7f27239fe01e2bc5494999813fab86fe558f73643dd8bc66d688d7b3f7e7f8c4fd841 |
C:\Users\Admin\AppData\Roaming\Ultimate Tweaks\GPUCache\index
| MD5 | f8a74759c118d7e68d39df02cf6af831 |
| SHA1 | 84b277bc6cf815a9bd7783fc11bbd72041f6ec3d |
| SHA256 | a0450a95bab4034e3dfcd7e12ea7f6726a346a1582228403f1fc44832fdb00f9 |
| SHA512 | d6e8097cb10611d2ac1e1183db24cef743b0ea452cd1c81cc9bb563865bdc8a5a6966585e6af959b0ac85094adad4146fbf6b610b1d07f165427005d5b2d0536 |
C:\Users\Admin\AppData\Roaming\Ultimate Tweaks\logs\main.log
| MD5 | 36ca6df589d64bdea0007ce0dde51c89 |
| SHA1 | 4ced0d158fb0525dd5673f5c9da57bd2f5fc3c69 |
| SHA256 | 2e1b925c8da4c9a43d4ecf2f2928466265ccfdaee5cf6a80b1654f5d1a21473f |
| SHA512 | cab7ad58b64586ac0204b97d0c40be10555170d902574756d9780bc82ab51b7b10543e50a870e9601c5c09de9a80bb3b1db9021e49c42c209781d35cdb2375c9 |
C:\Users\Admin\AppData\Roaming\Ultimate Tweaks\Code Cache\js\index-dir\the-real-index
| MD5 | e39bc17ebd01d9aa7d76b132fbf3f445 |
| SHA1 | 2fffe645cc0b43a25074dc6ac50ac31bcd276295 |
| SHA256 | b91a58995d053deb2246835cfe9b14a1068d2f8df108d291fcf8ce877d716bf3 |
| SHA512 | fd1df674f5dd73150bc72618020250aaa4610e52c3e54370881c401625d9eb88332a7404ce86643b1358607e1053a7eb736bdcfc75ea6ee816064a678c31aff5 |
C:\Users\Admin\AppData\Roaming\Ultimate Tweaks\Code Cache\wasm\index
| MD5 | 54cb446f628b2ea4a5bce5769910512e |
| SHA1 | c27ca848427fe87f5cf4d0e0e3cd57151b0d820d |
| SHA256 | fbcfe23a2ecb82b7100c50811691dde0a33aa3da8d176be9882a9db485dc0f2d |
| SHA512 | 8f6ed2e91aed9bd415789b1dbe591e7eab29f3f1b48fdfa5e864d7bf4ae554acc5d82b4097a770dabc228523253623e4296c5023cf48252e1b94382c43123cb0 |
C:\Users\Admin\AppData\Roaming\Ultimate Tweaks\Shared Dictionary\db
| MD5 | 71ccdda9f3186c8e729bb559f93bb992 |
| SHA1 | 3712c11bb21b8e2a74bb879d47b2819ed1ac14a8 |
| SHA256 | 79b107307408e5ad9a145c87533316174fd13f4ad943497d079522fbe325b3b1 |
| SHA512 | 19f8134fcd1211964111b07884b52878b1649644b6ec623bb586df1a9b7dabc7f8c8a755d2a52c908b563bdd968135f4f703cc35103696e40d0ab0020c8dc4bd |
C:\Users\Admin\AppData\Roaming\Ultimate Tweaks\Shared Dictionary\cache\index-dir\the-real-index
| MD5 | f0131a558dba2b19d3f6da7f4dfd8773 |
| SHA1 | 7eb9486a14fce49a41df6ad3a8ffc8c1a9d1ac90 |
| SHA256 | 169c45d79be8aa5910c7d840e44ea094c021ad1dc4e282cd4fbf0f1150e3b1bd |
| SHA512 | 02b61bdb8e5b492d4ad1e811bfa42443dd3c11f9c018916bb0d858a8723f6aeda7f3aca80dc46f5c81259132b6a1b1e9f75bf197941c3a9c5d4e026050c59e82 |
C:\Users\Admin\AppData\Roaming\Ultimate Tweaks\Cache\Cache_Data\f_000001
| MD5 | 057478083c1d55ea0c2182b24f6dd72f |
| SHA1 | caf557cd276a76992084efc4c8857b66791a6b7f |
| SHA256 | bb2f90081933c0f2475883ca2c5cfee94e96d7314a09433fffc42e37f4cffd3b |
| SHA512 | 98ff4416db333e5a5a8f8f299c393dd1a50f574a2c1c601a0724a8ea7fb652f6ec0ba2267390327185ebea55f5c5049ab486d88b4c5fc1585a6a975238507a15 |
C:\Users\Admin\AppData\Roaming\Ultimate Tweaks\Cache\Cache_Data\data_0
| MD5 | 7e1c279fff240202d8a4894a313ffc11 |
| SHA1 | 98e366baac861be2b1b1599c267d61b1f515cd89 |
| SHA256 | 18c275863790f2044827ecf3f5bb9fca23f4f54451be51062b98a1ae4f7deafb |
| SHA512 | 3460ca15004e29b4f3fe25fdb571de835361a12a1156235350f97fe44e9ce8b4d3dd68d856c5a3d0be3267961cbe2453c09214d73c5fa7d79541db50d99c4824 |
C:\Users\Admin\AppData\Roaming\Ultimate Tweaks\Cache\Cache_Data\data_3
| MD5 | c4417828c8b24ccdcebdce3121241a85 |
| SHA1 | 087cfd8ab752d1dfc3e0a44ede34aad68b4b3eb0 |
| SHA256 | 9bcc4b65da30f56b4e65d580b8c18bcf2777ab351df127a45dfefc85fedcc2bf |
| SHA512 | 598f5c94efae13db938a296e473601c7e9dcd1c916113f9f076ddbf6b884fcd998474a1fddb09e9ceb29c3c44a86ebfcc20e96cc3c988e909da698a1af358c55 |
C:\Users\Admin\AppData\Roaming\Ultimate Tweaks\Cache\Cache_Data\data_2
| MD5 | 43738a2388a832a8b032df6c2c0699de |
| SHA1 | d7a29d04cdd7afb3bffd65d1282dab5b687758ec |
| SHA256 | 08938c49b2bfc319d2ab5b32f2e1603434c42e914de05694e0a490235fe364d1 |
| SHA512 | 4b835ea116684369d1be58528d2c15aca2bcaf223d983437d7a22d020caca854fe532305b5233d7fcd319b50f8276bb1eac8ab1ab8dd116275c8524625f64940 |
C:\Users\Admin\AppData\Roaming\Ultimate Tweaks\Cache\Cache_Data\data_1
| MD5 | b95b94c81f1c499ee61c97b569209551 |
| SHA1 | e4c96af039f9e8a5d232baea9458ba5972566cd8 |
| SHA256 | 6f071d14d5277562b6fc862e06c209ffa0915bd67d9ab460481ccf99fda7d461 |
| SHA512 | 3baa8f0fc3548b0da35f52bfd5d0cf78c259a032d846b27cd2abf2eefcc01fbd40cd260b23b69585ac74b1875acd8a1d128596df72d437c74da643b637bab73a |
C:\Users\Admin\AppData\Roaming\Ultimate Tweaks\Local Storage\leveldb\LOG
| MD5 | 0a45177e96d6e00d3b07f27fece4d157 |
| SHA1 | c9dd1b8ae0896358ca50f4053fa7fa846a939191 |
| SHA256 | 930989427e6433e67638b7d61d399e333ab5d1e41db955cb648c6ed6688e7d35 |
| SHA512 | c445835a7a4cd254aaca6c0eb720c5bafb359d3b08891bfed552499c7061a7f33c3fe81eaa2ac5843e1dc20b0997fe6d9b2738118b44c5dfe11c5e11c28fc8bd |
memory/4892-1323-0x00007FFA199D0000-0x00007FFA199D1000-memory.dmp
memory/4892-1324-0x00007FFA17CB0000-0x00007FFA17CB1000-memory.dmp
C:\Users\Admin\AppData\Roaming\Ultimate Tweaks\Network\Network Persistent State
| MD5 | 7917e5326b6458ef4791f20f19b24fac |
| SHA1 | b06f56ac933288db906e88698b91d6b04bfbc05e |
| SHA256 | 4543801637df5fcfee3554bedef011f570cc7d5af10eeb39a0ce126935cd9514 |
| SHA512 | f402bae53d6c03b17c563523cb37fe947517cdd3af7a5001b650f7314fc122b5f0a118821ce22b5ea1c03ead3d06acf53dd5f3bd4c9caf917259d2608a5d03b4 |
C:\Users\Admin\AppData\Roaming\Ultimate Tweaks\Network\TransportSecurity
| MD5 | 74398d3638c00dd59c5c72a7b0cf57a6 |
| SHA1 | 4760d28b1dd9bd898e0605c1c87b449d514eff7c |
| SHA256 | 55ae3da7acec3bcdd9763d57b76caab30685bfda0699d9d6c8141b6cfd1b6800 |
| SHA512 | ce5211de8a31141df815346b13e841cef9cdb5cc50afab5b42c26b88dce71460f942127006cae7a09b12dd4a20c61053c77e18a50c11154a943eb2b2eef04151 |
C:\Users\Admin\AppData\Roaming\Ultimate Tweaks\Code Cache\js\index-dir\the-real-index
| MD5 | 4e14e39c11b6d44450e00bacd291a604 |
| SHA1 | c25bf977debba022d2e46e6227d4ef03f564ef3f |
| SHA256 | f798c926b26d3d710f7e4252e4c30e56f6855350f4a1d29382e71a407b2f4a90 |
| SHA512 | 6d40f180e90010b4ef7645755fe4b14312fd6dd8d8508946225510473c3cdd05fc87ade826717714c058fa767c7d78511b61574fd01fbf2d95a8574da283bedd |
Analysis: behavioral14
Detonation Overview
Submitted
2024-09-22 11:26
Reported
2024-09-22 11:52
Platform
win10v2004-20240802-en
Max time kernel
90s
Max time network
204s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\vulkan-1.dll,#1
Network
Files
Analysis: behavioral23
Detonation Overview
Submitted
2024-09-22 11:26
Reported
2024-09-22 11:52
Platform
win10v2004-20240802-en
Max time kernel
93s
Max time network
204s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4948 wrote to memory of 2080 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsDialogs.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsDialogs.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 2080 -ip 2080
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2080 -s 636
Network
Files
Analysis: behavioral2
Detonation Overview
Submitted
2024-09-22 11:26
Reported
2024-09-22 11:52
Platform
win10v2004-20240802-en
Max time kernel
93s
Max time network
177s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2820 wrote to memory of 3264 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\StdUtils.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\StdUtils.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3264 -ip 3264
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3264 -s 628
Network
Files
Analysis: behavioral18
Detonation Overview
Submitted
2024-09-22 11:26
Reported
2024-09-22 11:52
Platform
win10v2004-20240802-en
Max time kernel
93s
Max time network
204s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\$R0\Uninstall Ultimate Tweaks.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3472 wrote to memory of 2976 | N/A | C:\Users\Admin\AppData\Local\Temp\$R0\Uninstall Ultimate Tweaks.exe | C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\$R0\Uninstall Ultimate Tweaks.exe
"C:\Users\Admin\AppData\Local\Temp\$R0\Uninstall Ultimate Tweaks.exe"
C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe
"C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe" _?=C:\Users\Admin\AppData\Local\Temp\$R0\
Network
Files
C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe
C:\Users\Admin\AppData\Local\Temp\nsy8195.tmp\System.dll
C:\Users\Admin\AppData\Local\Temp\nsy8195.tmp\UAC.dll
C:\Users\Admin\AppData\Local\Temp\nsy8195.tmp\StdUtils.dll
C:\Users\Admin\AppData\Local\Temp\nsy8195.tmp\nsDialogs.dll
Analysis: behavioral21
Detonation Overview
Submitted
2024-09-22 11:26
Reported
2024-09-22 11:52
Platform
win10v2004-20240802-en
Max time kernel
149s
Max time network
286s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 5012 wrote to memory of 4996 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\UAC.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\UAC.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 4996 -ip 4996
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4996 -s 624
Network
Files
Analysis: behavioral5
Detonation Overview
Submitted
2024-09-22 11:26
Reported
2024-09-22 11:52
Platform
win10v2004-20240802-en
Max time kernel
93s
Max time network
204s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 544 wrote to memory of 3792 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\WinShell.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\WinShell.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3792 -ip 3792
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3792 -s 612
Network
Files
Analysis: behavioral10
Detonation Overview
Submitted
2024-09-22 11:26
Reported
2024-09-22 11:52
Platform
win10v2004-20240802-en
Max time kernel
147s
Max time network
305s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\libEGL.dll,#1
Network
Files
Analysis: behavioral12
Detonation Overview
Submitted
2024-09-22 11:26
Reported
2024-09-22 11:52
Platform
win10v2004-20240802-en
Max time kernel
229s
Max time network
294s
Command Line
Signatures
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\resources\elevate.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\resources\elevate.exe
"C:\Users\Admin\AppData\Local\Temp\resources\elevate.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4148,i,3387628439405076340,17957358341235678872,262144 --variations-seed-version --mojo-platform-channel-handle=4200 /prefetch:8
Network
Files
Analysis: behavioral16
Detonation Overview
Submitted
2024-09-22 11:26
Reported
2024-09-22 11:52
Platform
win10v2004-20240802-en
Max time kernel
93s
Max time network
205s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4108 wrote to memory of 2192 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsExec.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsExec.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 2192 -ip 2192
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2192 -s 612
Network
Files
Analysis: behavioral22
Detonation Overview
Submitted
2024-09-22 11:26
Reported
2024-09-22 11:52
Platform
win10v2004-20240802-en
Max time kernel
96s
Max time network
206s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3616 wrote to memory of 3780 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\WinShell.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\WinShell.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 3780 -ip 3780
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3780 -s 612
Network