Analysis
-
max time kernel
170s -
max time network
152s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
18-11-2024 21:41
General
-
Target
Solar Lite Installer.exe
-
Size
1.3MB
-
MD5
dd8c5c7c305665dcad8e5782c95f4a89
-
SHA1
11030215601ef6dd6c5576d9562fb5be2c2138b8
-
SHA256
007cfb9b07a76a2ad7280deb4cf9c88d1f7e7fcd59ba7c028bb47dd351e46498
-
SHA512
95c9dea6105d774f6e25a2384dbdbb511f654be054deceeb7f09ae5957afc6f234e2b4b3087f82b2d75c6501cda069eb736e54ed0e34ae2139393a18a05908f0
-
SSDEEP
24576:ewYsivZnt8U9GTQcPTAcySiDNpfVkqgfPyU8/oa8reuaD6UwYsivZnt8U9Y:ejzZnPC70nS4pfVkqgy6r3aGUjzZnP
Score
9/10
Malware Config
Signatures
-
Looks for VirtualBox Guest Additions in registry 2 TTPs 1 IoCs
-
Downloads MZ/PE file
-
Looks for VMWare Tools registry key 2 TTPs 1 IoCs
-
Possible privilege escalation attempt 8 IoCs
-
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
-
Executes dropped EXE 2 IoCs
-
Modifies file permissions 1 TTPs 8 IoCs
-
Modifies system executable filetype association 2 TTPs 1 IoCs
-
Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs
Using powershell.exe command.
-
Drops desktop.ini file(s) 1 IoCs
-
File and Directory Permissions Modification: Windows File and Directory Permissions Modification 1 TTPs
-
Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
-
Maps connected drives based on registry 3 TTPs 2 IoCs
Disk information is often read in order to detect sandboxing environments.
-
Modifies boot configuration data using bcdedit 13 IoCs
-
Power Settings 1 TTPs 2 IoCs
powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.
-
Enumerates processes with tasklist 1 TTPs 1 IoCs
-
Launches sc.exe 1 IoCs
Sc.exe is a Windows utlilty to control services on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 6 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 44 IoCs
Adversaries may check for Internet connectivity on compromised systems.
-
Enumerates system info in registry 2 TTPs 6 IoCs
-
Modifies Control Panel 1 IoCs
-
Modifies registry class 64 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\Solar Lite Installer.exe"C:\Users\Admin\AppData\Local\Temp\Solar Lite Installer.exe"1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Solar Services\Apps\Solar Lite V2\Solar Lite V2.exe"C:\Solar Services\Apps\Solar Lite V2\Solar Lite V2.exe"2⤵
- Looks for VirtualBox Guest Additions in registry
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
- Executes dropped EXE
- Maps connected drives based on registry
- Enumerates system info in registry
- Modifies Control Panel
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SYSTEM32\cmd.exe"cmd.exe" /c wmic path Win32_VideoController get PNPDeviceID3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\Wbem\WMIC.exewmic path Win32_VideoController get PNPDeviceID4⤵
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\SYSTEM32\cmd.exe"cmd.exe" /c reg query "HKLM\SYSTEM\ControlSet001\Enum\PCI\VEN_1234&DEV_1111&SUBSYS_11001AF4&REV_02\3&11583659&0&08 " /v "Driver"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\reg.exereg query "HKLM\SYSTEM\ControlSet001\Enum\PCI\VEN_1234&DEV_1111&SUBSYS_11001AF4&REV_02\3&11583659&0&08 " /v "Driver"4⤵
-
-
-
C:\Windows\SYSTEM32\cmd.exe"cmd.exe" /C Reg.exe add "HKLM\System\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000" /v "RMHdcpKeyglobZero" /t REG_DWORD /d "1" /f3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\System\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000" /v "RMHdcpKeyglobZero" /t REG_DWORD /d "1" /f4⤵
-
-
-
C:\Windows\SYSTEM32\cmd.exe"cmd.exe" /c Bcdedit /Set UsePlatformTick Yes >Nul 2>&13⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\bcdedit.exeBcdedit /Set UsePlatformTick Yes4⤵
- Modifies boot configuration data using bcdedit
-
-
-
C:\Windows\SYSTEM32\cmd.exe"cmd.exe" /c Bcdedit /Set DisableDynamicTick Yes >Nul 2>&13⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\bcdedit.exeBcdedit /Set DisableDynamicTick Yes4⤵
- Modifies boot configuration data using bcdedit
-
-
-
C:\Windows\SYSTEM32\cmd.exe"cmd.exe" /c Bcdedit /Set NX AlwaysOff >Nul 2>&13⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\bcdedit.exeBcdedit /Set NX AlwaysOff4⤵
- Modifies boot configuration data using bcdedit
-
-
-
C:\Windows\SYSTEM32\cmd.exe"cmd.exe" /c Bcdedit /Set BootUX disabled >Nul 2>&13⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\bcdedit.exeBcdedit /Set BootUX disabled4⤵
- Modifies boot configuration data using bcdedit
-
-
-
C:\Windows\SYSTEM32\cmd.exe"cmd.exe" /c Bcdedit /Set HypervisorLaunchType Off >Nul 2>&13⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\bcdedit.exeBcdedit /Set HypervisorLaunchType Off4⤵
- Modifies boot configuration data using bcdedit
-
-
-
C:\Windows\SYSTEM32\cmd.exe"cmd.exe" /c Bcdedit /Set VM No >Nul 2>&13⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\bcdedit.exeBcdedit /Set VM No4⤵
- Modifies boot configuration data using bcdedit
-
-
-
C:\Windows\SYSTEM32\cmd.exe"cmd.exe" /c Bcdedit /Set VSMLaunchType Off >Nul 2>&13⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\bcdedit.exeBcdedit /Set VSMLaunchType Off4⤵
- Modifies boot configuration data using bcdedit
-
-
-
C:\Windows\SYSTEM32\cmd.exe"cmd.exe" /c Bcdedit /Set IsolatedContext No >Nul 2>&13⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\bcdedit.exeBcdedit /Set IsolatedContext No4⤵
- Modifies boot configuration data using bcdedit
-
-
-
C:\Windows\SYSTEM32\cmd.exe"cmd.exe" /c Bcdedit /Set Loadoptions DISABLE-LSA-ISO,DISABLE-VBS >Nul 2>&13⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\bcdedit.exeBcdedit /Set Loadoptions DISABLE-LSA-ISO,DISABLE-VBS4⤵
- Modifies boot configuration data using bcdedit
-
-
-
C:\Windows\SYSTEM32\cmd.exe"cmd.exe" /c Bcdedit /Timeout 0 >Nul 2>&13⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\bcdedit.exeBcdedit /Timeout 04⤵
- Modifies boot configuration data using bcdedit
-
-
-
C:\Windows\SYSTEM32\cmd.exe"cmd.exe" /c Bcdedit /Set {GlobalSettings} Custom:16000067 True >Nul 2>&13⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\bcdedit.exeBcdedit /Set {GlobalSettings} Custom:16000067 True4⤵
- Modifies boot configuration data using bcdedit
-
-
-
C:\Windows\SYSTEM32\cmd.exe"cmd.exe" /c Bcdedit /Set {GlobalSettings} Custom:16000069 True >Nul 2>&13⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\bcdedit.exeBcdedit /Set {GlobalSettings} Custom:16000069 True4⤵
- Modifies boot configuration data using bcdedit
-
-
-
C:\Windows\SYSTEM32\cmd.exe"cmd.exe" /c Bcdedit /Set {GlobalSettings} Custom:16000068 True >Nul 2>&13⤵
-
C:\Windows\system32\bcdedit.exeBcdedit /Set {GlobalSettings} Custom:16000068 True4⤵
- Modifies boot configuration data using bcdedit
-
-
-
C:\Windows\SYSTEM32\cmd.exe"cmd.exe" /C reg ADD "HKLM\SYSTEM\CurrentControlSet\Control" /v "SvcHostSplitThresholdInKB" /t REG_DWORD /d 5217772 /f3⤵
-
C:\Windows\system32\reg.exereg ADD "HKLM\SYSTEM\CurrentControlSet\Control" /v "SvcHostSplitThresholdInKB" /t REG_DWORD /d 5217772 /f4⤵
-
-
-
C:\Windows\SYSTEM32\cmd.exe"cmd.exe" /C reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Power" /v "ExitLatency" /t REG_DWORD /d 1 /f3⤵
-
C:\Windows\system32\reg.exereg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Power" /v "ExitLatency" /t REG_DWORD /d 1 /f4⤵
-
-
-
C:\Windows\SYSTEM32\cmd.exe"cmd.exe" /C reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Power" /v "ExitLatencyCheckEnabled" /t REG_DWORD /d 1 /f3⤵
-
C:\Windows\system32\reg.exereg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Power" /v "ExitLatencyCheckEnabled" /t REG_DWORD /d 1 /f4⤵
-
-
-
C:\Windows\SYSTEM32\cmd.exe"cmd.exe" /C reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Power" /v "Latency" /t REG_DWORD /d 1 /f3⤵
-
C:\Windows\system32\reg.exereg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Power" /v "Latency" /t REG_DWORD /d 1 /f4⤵
-
-
-
C:\Windows\SYSTEM32\cmd.exe"cmd.exe" /C reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Power" /v "LatencyToleranceDefault" /t REG_DWORD /d 1 /f3⤵
-
C:\Windows\system32\reg.exereg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Power" /v "LatencyToleranceDefault" /t REG_DWORD /d 1 /f4⤵
-
-
-
C:\Windows\SYSTEM32\cmd.exe"cmd.exe" /C reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Power" /v "LatencyToleranceFSVP" /t REG_DWORD /d 1 /f3⤵
-
C:\Windows\system32\reg.exereg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Power" /v "LatencyToleranceFSVP" /t REG_DWORD /d 1 /f4⤵
-
-
-
C:\Windows\SYSTEM32\cmd.exe"cmd.exe" /C reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Power" /v "LatencyTolerancePerfOverride" /t REG_DWORD /d 1 /f3⤵
-
C:\Windows\system32\reg.exereg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Power" /v "LatencyTolerancePerfOverride" /t REG_DWORD /d 1 /f4⤵
-
-
-
C:\Windows\SYSTEM32\cmd.exe"cmd.exe" /C reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Power" /v "LatencyToleranceScreenOffIR" /t REG_DWORD /d 1 /f3⤵
-
C:\Windows\system32\reg.exereg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Power" /v "LatencyToleranceScreenOffIR" /t REG_DWORD /d 1 /f4⤵
-
-
-
C:\Windows\SYSTEM32\cmd.exe"cmd.exe" /C reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Power" /v "RtlCapabilityCheckLatency" /t REG_DWORD /d 1 /f3⤵
-
C:\Windows\system32\reg.exereg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Power" /v "RtlCapabilityCheckLatency" /t REG_DWORD /d 1 /f4⤵
-
-
-
C:\Windows\SYSTEM32\cmd.exe"cmd.exe" /C reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\Power" /v "DefaultD3TransitionLatencyActivelyUsed" /t REG_DWORD /d 1 /f3⤵
-
C:\Windows\system32\reg.exereg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\Power" /v "DefaultD3TransitionLatencyActivelyUsed" /t REG_DWORD /d 1 /f4⤵
-
-
-
C:\Windows\SYSTEM32\cmd.exe"cmd.exe" /C reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\Power" /v "DefaultD3TransitionLatencyIdleLongTime" /t REG_DWORD /d 1 /f3⤵
-
C:\Windows\system32\reg.exereg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\Power" /v "DefaultD3TransitionLatencyIdleLongTime" /t REG_DWORD /d 1 /f4⤵
-
-
-
C:\Windows\SYSTEM32\cmd.exe"cmd.exe" /C reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\Power" /v "DefaultD3TransitionLatencyIdleMonitorOff" /t REG_DWORD /d 1 /f3⤵
-
C:\Windows\system32\reg.exereg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\Power" /v "DefaultD3TransitionLatencyIdleMonitorOff" /t REG_DWORD /d 1 /f4⤵
-
-
-
C:\Windows\SYSTEM32\cmd.exe"cmd.exe" /C reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\Power" /v "DefaultD3TransitionLatencyIdleNoContext" /t REG_DWORD /d 1 /f3⤵
-
C:\Windows\system32\reg.exereg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\Power" /v "DefaultD3TransitionLatencyIdleNoContext" /t REG_DWORD /d 1 /f4⤵
-
-
-
C:\Windows\SYSTEM32\cmd.exe"cmd.exe" /C reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\Power" /v "DefaultD3TransitionLatencyIdleShortTime" /t REG_DWORD /d 1 /f3⤵
-
C:\Windows\system32\reg.exereg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\Power" /v "DefaultD3TransitionLatencyIdleShortTime" /t REG_DWORD /d 1 /f4⤵
-
-
-
C:\Windows\SYSTEM32\cmd.exe"cmd.exe" /C reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\Power" /v "DefaultD3TransitionLatencyIdleVeryLongTime" /t REG_DWORD /d 1 /f3⤵
-
C:\Windows\system32\reg.exereg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\Power" /v "DefaultD3TransitionLatencyIdleVeryLongTime" /t REG_DWORD /d 1 /f4⤵
-
-
-
C:\Windows\SYSTEM32\cmd.exe"cmd.exe" /C reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\Power" /v "DefaultLatencyToleranceIdle0" /t REG_DWORD /d 1 /f3⤵
-
C:\Windows\system32\reg.exereg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\Power" /v "DefaultLatencyToleranceIdle0" /t REG_DWORD /d 1 /f4⤵
-
-
-
C:\Windows\SYSTEM32\cmd.exe"cmd.exe" /C reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\Power" /v "DefaultLatencyToleranceIdle0MonitorOff" /t REG_DWORD /d 1 /f3⤵
-
C:\Windows\system32\reg.exereg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\Power" /v "DefaultLatencyToleranceIdle0MonitorOff" /t REG_DWORD /d 1 /f4⤵
-
-
-
C:\Windows\SYSTEM32\cmd.exe"cmd.exe" /C reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\Power" /v "DefaultLatencyToleranceIdle1" /t REG_DWORD /d 1 /f3⤵
-
C:\Windows\system32\reg.exereg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\Power" /v "DefaultLatencyToleranceIdle1" /t REG_DWORD /d 1 /f4⤵
-
-
-
C:\Windows\SYSTEM32\cmd.exe"cmd.exe" /C reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\Power" /v "DefaultLatencyToleranceIdle1MonitorOff" /t REG_DWORD /d 1 /f3⤵
-
C:\Windows\system32\reg.exereg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\Power" /v "DefaultLatencyToleranceIdle1MonitorOff" /t REG_DWORD /d 1 /f4⤵
-
-
-
C:\Windows\SYSTEM32\cmd.exe"cmd.exe" /C reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\Power" /v "DefaultLatencyToleranceMemory" /t REG_DWORD /d 1 /f3⤵
-
C:\Windows\system32\reg.exereg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\Power" /v "DefaultLatencyToleranceMemory" /t REG_DWORD /d 1 /f4⤵
-
-
-
C:\Windows\SYSTEM32\cmd.exe"cmd.exe" /C reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\Power" /v "DefaultLatencyToleranceNoContext" /t REG_DWORD /d 1 /f3⤵
-
C:\Windows\system32\reg.exereg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\Power" /v "DefaultLatencyToleranceNoContext" /t REG_DWORD /d 1 /f4⤵
-
-
-
C:\Windows\SYSTEM32\cmd.exe"cmd.exe" /C reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\Power" /v "DefaultLatencyToleranceNoContextMonitorOff" /t REG_DWORD /d 1 /f3⤵
-
C:\Windows\system32\reg.exereg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\Power" /v "DefaultLatencyToleranceNoContextMonitorOff" /t REG_DWORD /d 1 /f4⤵
-
-
-
C:\Windows\SYSTEM32\cmd.exe"cmd.exe" /C reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\Power" /v "DefaultLatencyToleranceOther" /t REG_DWORD /d 1 /f3⤵
-
C:\Windows\system32\reg.exereg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\Power" /v "DefaultLatencyToleranceOther" /t REG_DWORD /d 1 /f4⤵
-
-
-
C:\Windows\SYSTEM32\cmd.exe"cmd.exe" /C reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\Power" /v "DefaultLatencyToleranceTimerPeriod" /t REG_DWORD /d 1 /f3⤵
-
C:\Windows\system32\reg.exereg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\Power" /v "DefaultLatencyToleranceTimerPeriod" /t REG_DWORD /d 1 /f4⤵
-
-
-
C:\Windows\SYSTEM32\cmd.exe"cmd.exe" /C reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\Power" /v "DefaultMemoryRefreshLatencyToleranceActivelyUsed" /t REG_DWORD /d 1 /f3⤵
-
C:\Windows\system32\reg.exereg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\Power" /v "DefaultMemoryRefreshLatencyToleranceActivelyUsed" /t REG_DWORD /d 1 /f4⤵
-
-
-
C:\Windows\SYSTEM32\cmd.exe"cmd.exe" /C reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\Power" /v "DefaultMemoryRefreshLatencyToleranceMonitorOff" /t REG_DWORD /d 1 /f3⤵
-
C:\Windows\system32\reg.exereg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\Power" /v "DefaultMemoryRefreshLatencyToleranceMonitorOff" /t REG_DWORD /d 1 /f4⤵
-
-
-
C:\Windows\SYSTEM32\cmd.exe"cmd.exe" /C reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\Power" /v "DefaultMemoryRefreshLatencyToleranceNoContext" /t REG_DWORD /d 1 /f3⤵
-
C:\Windows\system32\reg.exereg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\Power" /v "DefaultMemoryRefreshLatencyToleranceNoContext" /t REG_DWORD /d 1 /f4⤵
-
-
-
C:\Windows\SYSTEM32\cmd.exe"cmd.exe" /C reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\Power" /v "Latency" /t REG_DWORD /d 1 /f3⤵
-
C:\Windows\system32\reg.exereg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\Power" /v "Latency" /t REG_DWORD /d 1 /f4⤵
-
-
-
C:\Windows\SYSTEM32\cmd.exe"cmd.exe" /C reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\Power" /v "MaxIAverageGraphicsLatencyInOneBucket" /t REG_DWORD /d 1 /f3⤵
-
C:\Windows\system32\reg.exereg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\Power" /v "MaxIAverageGraphicsLatencyInOneBucket" /t REG_DWORD /d 1 /f4⤵
-
-
-
C:\Windows\SYSTEM32\cmd.exe"cmd.exe" /C reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\Power" /v "MiracastPerfTrackGraphicsLatency" /t REG_DWORD /d 1 /f3⤵
-
C:\Windows\system32\reg.exereg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\Power" /v "MiracastPerfTrackGraphicsLatency" /t REG_DWORD /d 1 /f4⤵
-
-
-
C:\Windows\SYSTEM32\cmd.exe"cmd.exe" /C reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\Power" /v "MonitorLatencyTolerance" /t REG_DWORD /d 1 /f3⤵
-
C:\Windows\system32\reg.exereg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\Power" /v "MonitorLatencyTolerance" /t REG_DWORD /d 1 /f4⤵
-
-
-
C:\Windows\SYSTEM32\cmd.exe"cmd.exe" /C reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\Power" /v "MonitorRefreshLatencyTolerance" /t REG_DWORD /d 1 /f3⤵
-
C:\Windows\system32\reg.exereg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\Power" /v "MonitorRefreshLatencyTolerance" /t REG_DWORD /d 1 /f4⤵
-
-
-
C:\Windows\SYSTEM32\cmd.exe"cmd.exe" /C reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\Power" /v "TransitionLatency" /t REG_DWORD /d 1 /f3⤵
-
C:\Windows\system32\reg.exereg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\Power" /v "TransitionLatency" /t REG_DWORD /d 1 /f4⤵
-
-
-
C:\Windows\SYSTEM32\cmd.exe"cmd.exe" /C reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "DesktopLivePreviewHoverTime" /t REG_DWORD /d 1 /f3⤵
-
C:\Windows\system32\reg.exereg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "DesktopLivePreviewHoverTime" /t REG_DWORD /d 1 /f4⤵
-
-
-
C:\Windows\SYSTEM32\cmd.exe"cmd.exe" /C reg add "HKEY_CURRENT_USER\Control Panel\Mouse" /v "MouseHoverTime" /t REG_SZ /d "1" /f3⤵
-
C:\Windows\system32\reg.exereg add "HKEY_CURRENT_USER\Control Panel\Mouse" /v "MouseHoverTime" /t REG_SZ /d "1" /f4⤵
-
-
-
C:\Windows\SYSTEM32\cmd.exe"cmd.exe" /C reg add "HKEY_CURRENT_USER\Control Panel\Desktop" /v "MenuShowDelay" /t REG_SZ /d "1" /f3⤵
-
C:\Windows\system32\reg.exereg add "HKEY_CURRENT_USER\Control Panel\Desktop" /v "MenuShowDelay" /t REG_SZ /d "1" /f4⤵
-
-
-
C:\Windows\SYSTEM32\cmd.exe"cmd.exe" /C reg add "HKEY_CURRENT_USER\Control Panel\Desktop" /v "ActiveWndTrackTimeout" /t REG_DWORD /d 10 /f3⤵
-
C:\Windows\system32\reg.exereg add "HKEY_CURRENT_USER\Control Panel\Desktop" /v "ActiveWndTrackTimeout" /t REG_DWORD /d 10 /f4⤵
-
-
-
C:\Windows\SYSTEM32\cmd.exe"cmd.exe" /C reg add "HKEY_CURRENT_USER\Control Panel\Desktop" /v "AutoEndTasks" /t REG_SZ /d "1" /f3⤵
-
C:\Windows\system32\reg.exereg add "HKEY_CURRENT_USER\Control Panel\Desktop" /v "AutoEndTasks" /t REG_SZ /d "1" /f4⤵
-
-
-
C:\Windows\SYSTEM32\cmd.exe"cmd.exe" /C reg add "HKEY_CURRENT_USER\Control Panel\Desktop" /v "HungAppTimeout" /t REG_SZ /d "2000" /f3⤵
-
C:\Windows\system32\reg.exereg add "HKEY_CURRENT_USER\Control Panel\Desktop" /v "HungAppTimeout" /t REG_SZ /d "2000" /f4⤵
-
-
-
C:\Windows\SYSTEM32\cmd.exe"cmd.exe" /C reg add "HKEY_CURRENT_USER\Control Panel\Desktop" /v "MenuShowDelay" /t REG_SZ /d "0" /f3⤵
-
C:\Windows\system32\reg.exereg add "HKEY_CURRENT_USER\Control Panel\Desktop" /v "MenuShowDelay" /t REG_SZ /d "0" /f4⤵
-
-
-
C:\Windows\SYSTEM32\cmd.exe"cmd.exe" /C reg add "HKEY_CURRENT_USER\Control Panel\Desktop" /v "WaitToKillAppTimeout" /t REG_SZ /d "3000" /f3⤵
-
C:\Windows\system32\reg.exereg add "HKEY_CURRENT_USER\Control Panel\Desktop" /v "WaitToKillAppTimeout" /t REG_SZ /d "3000" /f4⤵
-
-
-
C:\Windows\SYSTEM32\cmd.exe"cmd.exe" /C reg add "HKEY_CURRENT_USER\Control Panel\Desktop" /v "LowLevelHooksTimeout" /t REG_SZ /d "2000" /f3⤵
-
C:\Windows\system32\reg.exereg add "HKEY_CURRENT_USER\Control Panel\Desktop" /v "LowLevelHooksTimeout" /t REG_SZ /d "2000" /f4⤵
-
-
-
C:\Windows\SYSTEM32\cmd.exe"cmd.exe" /C reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "Start_ShowRun" /t REG_DWORD /d 1 /f3⤵
-
C:\Windows\system32\reg.exereg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "Start_ShowRun" /t REG_DWORD /d 1 /f4⤵
-
-
-
C:\Windows\SYSTEM32\cmd.exe"cmd.exe" /C reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoLowDiskSpaceChecks" /t REG_DWORD /d 1 /f3⤵
-
C:\Windows\system32\reg.exereg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoLowDiskSpaceChecks" /t REG_DWORD /d 1 /f4⤵
-
-
-
C:\Windows\SYSTEM32\cmd.exe"cmd.exe" /C reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "LinkResolveIgnoreLinkInfo" /t REG_DWORD /d 1 /f3⤵
-
C:\Windows\system32\reg.exereg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "LinkResolveIgnoreLinkInfo" /t REG_DWORD /d 1 /f4⤵
-
-
-
C:\Windows\SYSTEM32\cmd.exe"cmd.exe" /C reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoResolveSearch" /t REG_DWORD /d 1 /f3⤵
-
C:\Windows\system32\reg.exereg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoResolveSearch" /t REG_DWORD /d 1 /f4⤵
-
-
-
C:\Windows\SYSTEM32\cmd.exe"cmd.exe" /C reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoResolveTrack" /t REG_DWORD /d 1 /f3⤵
-
C:\Windows\system32\reg.exereg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoResolveTrack" /t REG_DWORD /d 1 /f4⤵
-
-
-
C:\Windows\SYSTEM32\cmd.exe"cmd.exe" /C reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoInternetOpenWith" /t REG_DWORD /d 1 /f3⤵
-
C:\Windows\system32\reg.exereg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoInternetOpenWith" /t REG_DWORD /d 1 /f4⤵
-
-
-
C:\Windows\SYSTEM32\cmd.exe"cmd.exe" /C reg add "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control" /v "WaitToKillServiceTimeout" /t REG_SZ /d "2000" /f3⤵
-
C:\Windows\system32\reg.exereg add "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control" /v "WaitToKillServiceTimeout" /t REG_SZ /d "2000" /f4⤵
-
-
-
C:\Windows\SYSTEM32\cmd.exe"cmd.exe" /C reg add "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control" /v "WaitToKillServiceTimeout" /t REG_SZ /d "2000" /f3⤵
-
C:\Windows\system32\reg.exereg add "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control" /v "WaitToKillServiceTimeout" /t REG_SZ /d "2000" /f4⤵
-
-
-
C:\Windows\SYSTEM32\cmd.exe"cmd.exe" /C reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control" /v "WaitToKillServiceTimeout" /t REG_SZ /d "2000" /f3⤵
-
C:\Windows\system32\reg.exereg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control" /v "WaitToKillServiceTimeout" /t REG_SZ /d "2000" /f4⤵
-
-
-
C:\Windows\SYSTEM32\cmd.exe"cmd.exe" /C reg ADD "HKLM\SYSTEM\CurrentControlSet\Control\PriorityControl" /v "Win32PrioritySeparation" /t REG_DWORD /d 24 /f3⤵
-
C:\Windows\system32\reg.exereg ADD "HKLM\SYSTEM\CurrentControlSet\Control\PriorityControl" /v "Win32PrioritySeparation" /t REG_DWORD /d 24 /f4⤵
-
-
-
C:\Windows\SYSTEM32\cmd.exe"cmd.exe" /C reg add "HKCU\Control Panel\Accessibility" /v "StickyKeys" /t REG_SZ /d "506" /f3⤵
-
C:\Windows\system32\reg.exereg add "HKCU\Control Panel\Accessibility" /v "StickyKeys" /t REG_SZ /d "506" /f4⤵
-
-
-
C:\Windows\SYSTEM32\cmd.exe"cmd.exe" /C reg add "HKCU\Control Panel\Accessibility\Keyboard Response" /v "DelayBeforeAcceptance" /t REG_SZ /d "0" /f3⤵
-
C:\Windows\system32\reg.exereg add "HKCU\Control Panel\Accessibility\Keyboard Response" /v "DelayBeforeAcceptance" /t REG_SZ /d "0" /f4⤵
-
-
-
C:\Windows\SYSTEM32\cmd.exe"cmd.exe" /C reg add "HKCU\Control Panel\Accessibility\Keyboard Response" /v "AutoRepeatRate" /t REG_SZ /d "0" /f3⤵
-
C:\Windows\system32\reg.exereg add "HKCU\Control Panel\Accessibility\Keyboard Response" /v "AutoRepeatRate" /t REG_SZ /d "0" /f4⤵
-
-
-
C:\Windows\SYSTEM32\cmd.exe"cmd.exe" /C reg add "HKCU\Control Panel\Accessibility\Keyboard Response" /v "AutoRepeatDelay" /t REG_SZ /d "0" /f3⤵
-
C:\Windows\system32\reg.exereg add "HKCU\Control Panel\Accessibility\Keyboard Response" /v "AutoRepeatDelay" /t REG_SZ /d "0" /f4⤵
-
-
-
C:\Windows\SYSTEM32\cmd.exe"cmd.exe" /C reg add "HKCU\Control Panel\Accessibility\Keyboard Response" /v "Flags" /t REG_SZ /d "122" /f3⤵
-
C:\Windows\system32\reg.exereg add "HKCU\Control Panel\Accessibility\Keyboard Response" /v "Flags" /t REG_SZ /d "122" /f4⤵
-
-
-
C:\Windows\SYSTEM32\cmd.exe"cmd.exe" /C reg add "HKCU\Control Panel\Accessibility\Keyboard Response" /v "AutoRepeatDelay" /t REG_SZ /d "0" /f3⤵
-
C:\Windows\system32\reg.exereg add "HKCU\Control Panel\Accessibility\Keyboard Response" /v "AutoRepeatDelay" /t REG_SZ /d "0" /f4⤵
-
-
-
C:\Windows\SYSTEM32\cmd.exe"cmd.exe" /C reg add "HKCU\Control Panel\Accessibility\Keyboard Response" /v "AutoRepeatRate" /t REG_SZ /d "0" /f3⤵
-
C:\Windows\system32\reg.exereg add "HKCU\Control Panel\Accessibility\Keyboard Response" /v "AutoRepeatRate" /t REG_SZ /d "0" /f4⤵
-
-
-
C:\Windows\SYSTEM32\cmd.exe"cmd.exe" /C reg add "HKCU\Control Panel\Accessibility\Keyboard Response" /v "BounceTime" /t REG_SZ /d "0" /f3⤵
-
C:\Windows\system32\reg.exereg add "HKCU\Control Panel\Accessibility\Keyboard Response" /v "BounceTime" /t REG_SZ /d "0" /f4⤵
-
-
-
C:\Windows\SYSTEM32\cmd.exe"cmd.exe" /C reg add "HKCU\Control Panel\Accessibility\Keyboard Response" /v "DelayBeforeAcceptance" /t REG_SZ /d "0" /f3⤵
-
C:\Windows\system32\reg.exereg add "HKCU\Control Panel\Accessibility\Keyboard Response" /v "DelayBeforeAcceptance" /t REG_SZ /d "0" /f4⤵
-
-
-
C:\Windows\SYSTEM32\cmd.exe"cmd.exe" /C reg add "HKCU\Control Panel\Accessibility\Keyboard Response" /v "Last BounceKey Setting" /t REG_SZ /d "0" /f3⤵
-
C:\Windows\system32\reg.exereg add "HKCU\Control Panel\Accessibility\Keyboard Response" /v "Last BounceKey Setting" /t REG_SZ /d "0" /f4⤵
-
-
-
C:\Windows\SYSTEM32\cmd.exe"cmd.exe" /C reg add "HKCU\Control Panel\Accessibility\Keyboard Response" /v "Last Valid Delay" /t REG_SZ /d "0" /f3⤵
-
C:\Windows\system32\reg.exereg add "HKCU\Control Panel\Accessibility\Keyboard Response" /v "Last Valid Delay" /t REG_SZ /d "0" /f4⤵
-
-
-
C:\Windows\SYSTEM32\cmd.exe"cmd.exe" /C reg add "HKCU\Control Panel\Accessibility\Keyboard Response" /v "Last Valid Repeat" /t REG_SZ /d "0" /f3⤵
-
C:\Windows\system32\reg.exereg add "HKCU\Control Panel\Accessibility\Keyboard Response" /v "Last Valid Repeat" /t REG_SZ /d "0" /f4⤵
-
-
-
C:\Windows\SYSTEM32\cmd.exe"cmd.exe" /c sc config SysMain start=disabled3⤵
-
C:\Windows\system32\sc.exesc config SysMain start=disabled4⤵
- Launches sc.exe
-
-
-
C:\Windows\SYSTEM32\cmd.exe"cmd.exe" /C reg add "HKCU\Control Panel\Accessibility\Keyboard Response" /v "Last Valid Wait" /t REG_SZ /d "1000" /f3⤵
-
C:\Windows\system32\reg.exereg add "HKCU\Control Panel\Accessibility\Keyboard Response" /v "Last Valid Wait" /t REG_SZ /d "1000" /f4⤵
-
-
-
C:\Windows\SYSTEM32\cmd.exe"cmd.exe" /C reg add "HKCU\Control Panel\Accessibility\Keyboard Response" /v "Flags" /t REG_SZ /d "126" /f3⤵
-
C:\Windows\system32\reg.exereg add "HKCU\Control Panel\Accessibility\Keyboard Response" /v "Flags" /t REG_SZ /d "126" /f4⤵
-
-
-
C:\Windows\SYSTEM32\cmd.exe"cmd.exe" /C reg add "HKCU\Control Panel\Accessibility\MouseKeys" /v "Flags" /t REG_DWORD /d 62 /f3⤵
-
C:\Windows\system32\reg.exereg add "HKCU\Control Panel\Accessibility\MouseKeys" /v "Flags" /t REG_DWORD /d 62 /f4⤵
-
-
-
C:\Windows\SYSTEM32\cmd.exe"cmd.exe" /C reg add "HKCU\Control Panel\Accessibility\MouseKeys" /v "MaximumSpeed" /t REG_SZ /d "40" /f3⤵
-
C:\Windows\system32\reg.exereg add "HKCU\Control Panel\Accessibility\MouseKeys" /v "MaximumSpeed" /t REG_SZ /d "40" /f4⤵
-
-
-
C:\Windows\SYSTEM32\cmd.exe"cmd.exe" /C reg add "HKCU\Control Panel\Accessibility\MouseKeys" /v "TimeToMaximumSpeed" /t REG_SZ /d "3000" /f3⤵
-
C:\Windows\system32\reg.exereg add "HKCU\Control Panel\Accessibility\MouseKeys" /v "TimeToMaximumSpeed" /t REG_SZ /d "3000" /f4⤵
-
-
-
C:\Windows\SYSTEM32\cmd.exe"cmd.exe" /c reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\QoS\javaw.exe" /v "Version" /t REG_SZ /d "1.0" /f3⤵
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\QoS\javaw.exe" /v "Version" /t REG_SZ /d "1.0" /f4⤵
-
-
-
C:\Windows\SYSTEM32\cmd.exe"cmd.exe" /c reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\QoS\javaw.exe" /v "Application Name" /t REG_SZ /d "javaw.exe" /f3⤵
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\QoS\javaw.exe" /v "Application Name" /t REG_SZ /d "javaw.exe" /f4⤵
-
-
-
C:\Windows\SYSTEM32\cmd.exe"cmd.exe" /c reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\QoS\javaw.exe" /v "Protocol" /t REG_SZ /d "*" /f3⤵
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\QoS\javaw.exe" /v "Protocol" /t REG_SZ /d "*" /f4⤵
-
-
-
C:\Windows\SYSTEM32\cmd.exe"cmd.exe" /c reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\QoS\javaw.exe" /v "Local Port" /t REG_SZ /d "*" /f3⤵
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\QoS\javaw.exe" /v "Local Port" /t REG_SZ /d "*" /f4⤵
-
-
-
C:\Windows\SYSTEM32\cmd.exe"cmd.exe" /c reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\QoS\javaw.exe" /v "Local IP" /t REG_SZ /d "*" /f3⤵
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\QoS\javaw.exe" /v "Local IP" /t REG_SZ /d "*" /f4⤵
-
-
-
C:\Windows\SYSTEM32\cmd.exe"cmd.exe" /c reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\QoS\javaw.exe" /v "Local IP Prefix Length" /t REG_SZ /d "*" /f3⤵
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\QoS\javaw.exe" /v "Local IP Prefix Length" /t REG_SZ /d "*" /f4⤵
-
-
-
C:\Windows\SYSTEM32\cmd.exe"cmd.exe" /c reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\QoS\javaw.exe" /v "Remote Port" /t REG_SZ /d "*" /f3⤵
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\QoS\javaw.exe" /v "Remote Port" /t REG_SZ /d "*" /f4⤵
-
-
-
C:\Windows\SYSTEM32\cmd.exe"cmd.exe" /c reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\QoS\javaw.exe" /v "Remote IP" /t REG_SZ /d "*" /f3⤵
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\QoS\javaw.exe" /v "Remote IP" /t REG_SZ /d "*" /f4⤵
-
-
-
C:\Windows\SYSTEM32\cmd.exe"cmd.exe" /c reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\QoS\javaw.exe" /v "Remote IP Prefix Length" /t REG_SZ /d "*" /f3⤵
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\QoS\javaw.exe" /v "Remote IP Prefix Length" /t REG_SZ /d "*" /f4⤵
-
-
-
C:\Windows\SYSTEM32\cmd.exe"cmd.exe" /c reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\QoS\javaw.exe" /v "DSCP Value" /t REG_SZ /d "46" /f3⤵
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\QoS\javaw.exe" /v "DSCP Value" /t REG_SZ /d "46" /f4⤵
-
-
-
C:\Windows\SYSTEM32\cmd.exe"cmd.exe" /c reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\QoS\javaw.exe" /v "Throttle Rate" /t REG_SZ /d "-1" /f3⤵
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\QoS\javaw.exe" /v "Throttle Rate" /t REG_SZ /d "-1" /f4⤵
-
-
-
C:\Windows\SYSTEM32\cmd.exe"cmd.exe" /c reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\QoS\FortniteClient-Win64-Shipping.exe" /v "Version" /t REG_SZ /d "1.0" /f3⤵
- System Network Configuration Discovery: Internet Connection Discovery
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\QoS\FortniteClient-Win64-Shipping.exe" /v "Version" /t REG_SZ /d "1.0" /f4⤵
- System Network Configuration Discovery: Internet Connection Discovery
-
-
-
C:\Windows\SYSTEM32\cmd.exe"cmd.exe" /c reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\QoS\FortniteClient-Win64-Shipping.exe" /v "Application Name" /t REG_SZ /d "FortniteClient-Win64-Shipping.exe" /f3⤵
- System Network Configuration Discovery: Internet Connection Discovery
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\QoS\FortniteClient-Win64-Shipping.exe" /v "Application Name" /t REG_SZ /d "FortniteClient-Win64-Shipping.exe" /f4⤵
- System Network Configuration Discovery: Internet Connection Discovery
-
-
-
C:\Windows\SYSTEM32\cmd.exe"cmd.exe" /c reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\QoS\FortniteClient-Win64-Shipping.exe" /v "Protocol" /t REG_SZ /d "*" /f3⤵
- System Network Configuration Discovery: Internet Connection Discovery
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\QoS\FortniteClient-Win64-Shipping.exe" /v "Protocol" /t REG_SZ /d "*" /f4⤵
- System Network Configuration Discovery: Internet Connection Discovery
-
-
-
C:\Windows\SYSTEM32\cmd.exe"cmd.exe" /c reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\QoS\FortniteClient-Win64-Shipping.exe" /v "Local Port" /t REG_SZ /d "*" /f3⤵
- System Network Configuration Discovery: Internet Connection Discovery
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\QoS\FortniteClient-Win64-Shipping.exe" /v "Local Port" /t REG_SZ /d "*" /f4⤵
- System Network Configuration Discovery: Internet Connection Discovery
-
-
-
C:\Windows\SYSTEM32\cmd.exe"cmd.exe" /c reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\QoS\FortniteClient-Win64-Shipping.exe" /v "Local IP" /t REG_SZ /d "*" /f3⤵
- System Network Configuration Discovery: Internet Connection Discovery
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\QoS\FortniteClient-Win64-Shipping.exe" /v "Local IP" /t REG_SZ /d "*" /f4⤵
- System Network Configuration Discovery: Internet Connection Discovery
-
-
-
C:\Windows\SYSTEM32\cmd.exe"cmd.exe" /c reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\QoS\FortniteClient-Win64-Shipping.exe" /v "Local IP Prefix Length" /t REG_SZ /d "*" /f3⤵
- System Network Configuration Discovery: Internet Connection Discovery
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\QoS\FortniteClient-Win64-Shipping.exe" /v "Local IP Prefix Length" /t REG_SZ /d "*" /f4⤵
- System Network Configuration Discovery: Internet Connection Discovery
-
-
-
C:\Windows\SYSTEM32\cmd.exe"cmd.exe" /c reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\QoS\FortniteClient-Win64-Shipping.exe" /v "Remote Port" /t REG_SZ /d "*" /f3⤵
- System Network Configuration Discovery: Internet Connection Discovery
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\QoS\FortniteClient-Win64-Shipping.exe" /v "Remote Port" /t REG_SZ /d "*" /f4⤵
- System Network Configuration Discovery: Internet Connection Discovery
-
-
-
C:\Windows\SYSTEM32\cmd.exe"cmd.exe" /c reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\QoS\FortniteClient-Win64-Shipping.exe" /v "Remote IP" /t REG_SZ /d "*" /f3⤵
- System Network Configuration Discovery: Internet Connection Discovery
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\QoS\FortniteClient-Win64-Shipping.exe" /v "Remote IP" /t REG_SZ /d "*" /f4⤵
- System Network Configuration Discovery: Internet Connection Discovery
-
-
-
C:\Windows\SYSTEM32\cmd.exe"cmd.exe" /c reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\QoS\FortniteClient-Win64-Shipping.exe" /v "Remote IP Prefix Length" /t REG_SZ /d "*" /f3⤵
- System Network Configuration Discovery: Internet Connection Discovery
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\QoS\FortniteClient-Win64-Shipping.exe" /v "Remote IP Prefix Length" /t REG_SZ /d "*" /f4⤵
- System Network Configuration Discovery: Internet Connection Discovery
-
-
-
C:\Windows\SYSTEM32\cmd.exe"cmd.exe" /c reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\QoS\FortniteClient-Win64-Shipping.exe" /v "DSCP Value" /t REG_SZ /d "46" /f3⤵
- System Network Configuration Discovery: Internet Connection Discovery
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\QoS\FortniteClient-Win64-Shipping.exe" /v "DSCP Value" /t REG_SZ /d "46" /f4⤵
- System Network Configuration Discovery: Internet Connection Discovery
-
-
-
C:\Windows\SYSTEM32\cmd.exe"cmd.exe" /c reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\QoS\FortniteClient-Win64-Shipping.exe" /v "Throttle Rate" /t REG_SZ /d "-1" /f3⤵
- System Network Configuration Discovery: Internet Connection Discovery
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\QoS\FortniteClient-Win64-Shipping.exe" /v "Throttle Rate" /t REG_SZ /d "-1" /f4⤵
- System Network Configuration Discovery: Internet Connection Discovery
-
-
-
C:\Windows\SYSTEM32\cmd.exe"cmd.exe" /c reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\QoS\Valorant-Win64-Shipping.exe" /v "Version" /t REG_SZ /d "1.0" /f3⤵
- System Network Configuration Discovery: Internet Connection Discovery
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\QoS\Valorant-Win64-Shipping.exe" /v "Version" /t REG_SZ /d "1.0" /f4⤵
- System Network Configuration Discovery: Internet Connection Discovery
-
-
-
C:\Windows\SYSTEM32\cmd.exe"cmd.exe" /c reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\QoS\Valorant-Win64-Shipping.exe" /v "Application Name" /t REG_SZ /d "Valorant-Win64-Shipping.exe" /f3⤵
- System Network Configuration Discovery: Internet Connection Discovery
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\QoS\Valorant-Win64-Shipping.exe" /v "Application Name" /t REG_SZ /d "Valorant-Win64-Shipping.exe" /f4⤵
- System Network Configuration Discovery: Internet Connection Discovery
-
-
-
C:\Windows\SYSTEM32\cmd.exe"cmd.exe" /c reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\QoS\Valorant-Win64-Shipping.exe" /v "Protocol" /t REG_SZ /d "*" /f3⤵
- System Network Configuration Discovery: Internet Connection Discovery
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\QoS\Valorant-Win64-Shipping.exe" /v "Protocol" /t REG_SZ /d "*" /f4⤵
- System Network Configuration Discovery: Internet Connection Discovery
-
-
-
C:\Windows\SYSTEM32\cmd.exe"cmd.exe" /c reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\QoS\Valorant-Win64-Shipping.exe" /v "Local Port" /t REG_SZ /d "*" /f3⤵
- System Network Configuration Discovery: Internet Connection Discovery
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\QoS\Valorant-Win64-Shipping.exe" /v "Local Port" /t REG_SZ /d "*" /f4⤵
- System Network Configuration Discovery: Internet Connection Discovery
-
-
-
C:\Windows\SYSTEM32\cmd.exe"cmd.exe" /c reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\QoS\Valorant-Win64-Shipping.exe" /v "Local IP" /t REG_SZ /d "*" /f3⤵
- System Network Configuration Discovery: Internet Connection Discovery
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\QoS\Valorant-Win64-Shipping.exe" /v "Local IP" /t REG_SZ /d "*" /f4⤵
- System Network Configuration Discovery: Internet Connection Discovery
-
-
-
C:\Windows\SYSTEM32\cmd.exe"cmd.exe" /c reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\QoS\Valorant-Win64-Shipping.exe" /v "Local IP Prefix Length" /t REG_SZ /d "*" /f3⤵
- System Network Configuration Discovery: Internet Connection Discovery
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\QoS\Valorant-Win64-Shipping.exe" /v "Local IP Prefix Length" /t REG_SZ /d "*" /f4⤵
- System Network Configuration Discovery: Internet Connection Discovery
-
-
-
C:\Windows\SYSTEM32\cmd.exe"cmd.exe" /c reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\QoS\Valorant-Win64-Shipping.exe" /v "Remote Port" /t REG_SZ /d "*" /f3⤵
- System Network Configuration Discovery: Internet Connection Discovery
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\QoS\Valorant-Win64-Shipping.exe" /v "Remote Port" /t REG_SZ /d "*" /f4⤵
- System Network Configuration Discovery: Internet Connection Discovery
-
-
-
C:\Windows\SYSTEM32\cmd.exe"cmd.exe" /c reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\QoS\Valorant-Win64-Shipping.exe" /v "Remote IP" /t REG_SZ /d "*" /f3⤵
- System Network Configuration Discovery: Internet Connection Discovery
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\QoS\Valorant-Win64-Shipping.exe" /v "Remote IP" /t REG_SZ /d "*" /f4⤵
- System Network Configuration Discovery: Internet Connection Discovery
-
-
-
C:\Windows\SYSTEM32\cmd.exe"cmd.exe" /c reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\QoS\Valorant-Win64-Shipping.exe" /v "Remote IP Prefix Length" /t REG_SZ /d "*" /f3⤵
- System Network Configuration Discovery: Internet Connection Discovery
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\QoS\Valorant-Win64-Shipping.exe" /v "Remote IP Prefix Length" /t REG_SZ /d "*" /f4⤵
- System Network Configuration Discovery: Internet Connection Discovery
-
-
-
C:\Windows\SYSTEM32\cmd.exe"cmd.exe" /c reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\QoS\Valorant-Win64-Shipping.exe" /v "DSCP Value" /t REG_SZ /d "46" /f3⤵
- System Network Configuration Discovery: Internet Connection Discovery
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\QoS\Valorant-Win64-Shipping.exe" /v "DSCP Value" /t REG_SZ /d "46" /f4⤵
- System Network Configuration Discovery: Internet Connection Discovery
-
-
-
C:\Windows\SYSTEM32\cmd.exe"cmd.exe" /c reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\QoS\Valorant-Win64-Shipping.exe" /v "Throttle Rate" /t REG_SZ /d "-1" /f3⤵
- System Network Configuration Discovery: Internet Connection Discovery
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\QoS\Valorant-Win64-Shipping.exe" /v "Throttle Rate" /t REG_SZ /d "-1" /f4⤵
- System Network Configuration Discovery: Internet Connection Discovery
-
-
-
C:\Windows\SYSTEM32\cmd.exe"cmd.exe" /C reg ADD "HKLM\SYSTEM\CurrentControlSet\Control\Processor" /v "Cstates" /t REG_DWORD /d 1 /f3⤵
-
C:\Windows\system32\reg.exereg ADD "HKLM\SYSTEM\CurrentControlSet\Control\Processor" /v "Cstates" /t REG_DWORD /d 1 /f4⤵
-
-
-
C:\Windows\SYSTEM32\cmd.exe"cmd.exe" /C reg ADD "HKLM\SYSTEM\CurrentControlSet\Control\Processor" /v "Capabilities" /t REG_DWORD /d 0 /f3⤵
-
C:\Windows\system32\reg.exereg ADD "HKLM\SYSTEM\CurrentControlSet\Control\Processor" /v "Capabilities" /t REG_DWORD /d 0 /f4⤵
-
-
-
C:\Windows\SYSTEM32\powercfg.exe"powercfg" /import "C:\Solar Lite V2\Applications\Core.pow" 945fe57c-e762-487e-984a-4e9213d9e9d73⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SYSTEM32\powercfg.exe"powercfg" /setactive 945fe57c-e762-487e-984a-4e9213d9e9d73⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SYSTEM32\cmd.exe"cmd.exe" /c takeown /f "C:\Windows\system32\drivers\Acpidev.sys"3⤵
-
C:\Windows\system32\takeown.exetakeown /f "C:\Windows\system32\drivers\Acpidev.sys"4⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\SYSTEM32\cmd.exe"cmd.exe" /c icacls "C:\Windows\system32\drivers\Acpidev.sys" /grant "Admin":F3⤵
-
C:\Windows\system32\icacls.exeicacls "C:\Windows\system32\drivers\Acpidev.sys" /grant "Admin":F4⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
-
-
C:\Windows\SYSTEM32\cmd.exe"cmd.exe" /c takeown /f "C:\Windows\system32\drivers\Acpipagr.sys"3⤵
-
C:\Windows\system32\takeown.exetakeown /f "C:\Windows\system32\drivers\Acpipagr.sys"4⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\SYSTEM32\cmd.exe"cmd.exe" /c icacls "C:\Windows\system32\drivers\Acpipagr.sys" /grant "Admin":F3⤵
-
C:\Windows\system32\icacls.exeicacls "C:\Windows\system32\drivers\Acpipagr.sys" /grant "Admin":F4⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
-
-
C:\Windows\SYSTEM32\cmd.exe"cmd.exe" /c takeown /f "C:\Windows\system32\drivers\Acpitime.sys"3⤵
-
C:\Windows\system32\takeown.exetakeown /f "C:\Windows\system32\drivers\Acpitime.sys"4⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\SYSTEM32\cmd.exe"cmd.exe" /c icacls "C:\Windows\system32\drivers\Acpitime.sys" /grant "Admin":F3⤵
-
C:\Windows\system32\icacls.exeicacls "C:\Windows\system32\drivers\Acpitime.sys" /grant "Admin":F4⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
-
-
C:\Windows\SYSTEM32\cmd.exe"cmd.exe" /c takeown /f "C:\Windows\system32\drivers\Acpipmi.sys"3⤵
-
C:\Windows\system32\takeown.exetakeown /f "C:\Windows\system32\drivers\Acpipmi.sys"4⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\SYSTEM32\cmd.exe"cmd.exe" /c icacls "C:\Windows\system32\drivers\Acpipmi.sys" /grant "Admin":F3⤵
-
C:\Windows\system32\icacls.exeicacls "C:\Windows\system32\drivers\Acpipmi.sys" /grant "Admin":F4⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
-
-
C:\Solar Lite V2\Applications\Nvidia Profile Inspector\nvidiaProfileInspector.exe"C:\Solar Lite V2\Applications\Nvidia Profile Inspector\nvidiaProfileInspector.exe" "C:\Solar Lite V2\Applications\Nvidia Profile Inspector\Config\NPIConfig.nip"3⤵
- Executes dropped EXE
-
-
C:\Windows\System32\Wbem\wmic.exe"wmic" path Win32_VideoController get PNPDeviceID3⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SYSTEM32\cmd.exe"cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\kr2tosug.024\jwjpmara.tyf.bat"3⤵
-
C:\Windows\system32\fltMC.exefltmc4⤵
-
-
C:\Windows\system32\tasklist.exetasklist /fi "ImageName eq OneDrive.exe" /fo csv4⤵
- Enumerates processes with tasklist
-
-
C:\Windows\system32\find.exefind /i "OneDrive.exe"4⤵
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowerShell -ExecutionPolicy Unrestricted -Command "$keyName = 'HKCU\Software\Microsoft\Windows\CurrentVersion\Run'; $valueName = 'OneDrive'; $hive = $keyName.Split('\')[0]; $path = """$($hive):$($keyName.Substring($hive.Length))"""; Write-Host """Removing the registry value '$valueName' from '$path'."""; if (-Not (Test-Path -LiteralPath $path)) { Write-Host 'Skipping, no action needed, registry key does not exist.'; Exit 0; }; $existingValueNames = (Get-ItemProperty -LiteralPath $path).PSObject.Properties.Name; if (-Not ($existingValueNames -Contains $valueName)) { Write-Host 'Skipping, no action needed, registry value does not exist.'; Exit 0; }; try { if ($valueName -ieq '(default)') { Write-Host 'Removing the default value.'; $(Get-Item -LiteralPath $path).OpenSubKey('', $true).DeleteValue(''); } else { Remove-ItemProperty -LiteralPath $path -Name $valueName -Force -ErrorAction Stop; }; Write-Host 'Successfully removed the registry value.'; } catch { Write-Error """Failed to remove the registry value: $($_.Exception.Message)"""; }"4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Windows\SysWOW64\OneDriveSetup.exe"C:\Windows\SysWOW64\OneDriveSetup.exe" /uninstall4⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\OneDriveSetup.exe"C:\Windows\SysWOW64\OneDriveSetup.exe" C:\Windows\SysWOW64\OneDriveSetup.exe /uninstall /permachine /childprocess /silent /enableOMCTelemetry /enableExtractCabV2 /cusid:S-1-5-21-493223053-2004649691-1575712786-10005⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\OneDriveSetup.exeC:\Windows\SysWOW64\OneDriveSetup.exe /uninstall /peruser /childprocess /enableOMCTelemetry /enableExtractCabV25⤵
- Modifies system executable filetype association
- Drops desktop.ini file(s)
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileSyncConfig.exe"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileSyncConfig.exe" /uninstall6⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
-
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowerShell -ExecutionPolicy Unrestricted -Command "$pathGlobPattern = """$($directoryGlob = 'C:\Users\Admin\OneDrive*'; if (-Not $directoryGlob.EndsWith('\')) { $directoryGlob += '\' }; $directoryGlob )"""; $expandedPath = [System.Environment]::ExpandEnvironmentVariables($pathGlobPattern); Write-Host """Searching for items matching pattern: `"""$($expandedPath)`"""."""; $deletedCount = 0; $failedCount = 0; $oneDriveUserFolderPattern = [System.Environment]::ExpandEnvironmentVariables('C:\Users\Admin\OneDrive') + '*'; while ($true) { <# Loop to control the execution of the subsequent code #>; try { $userShellFoldersRegistryPath = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders'; if (-not (Test-Path $userShellFoldersRegistryPath)) { Write-Output """Skipping verification: The registry path for user shell folders is missing: `"""$userShellFoldersRegistryPath`""""""; break; }; $userShellFoldersRegistryKeys = Get-ItemProperty -Path $userShellFoldersRegistryPath; $userShellFoldersEntries = @($userShellFoldersRegistryKeys.PSObject.Properties); if ($userShellFoldersEntries.Count -eq 0) { Write-Warning """Skipping verification: No entries found for user shell folders in the registry: `"""$userShellFoldersRegistryPath`""""""; break; }; Write-Output """Initiating verification: Checking if any of the ${userShellFoldersEntries.Count} user shell folders point to the OneDrive user folder pattern ($oneDriveUserFolderPattern)."""; $userShellFoldersInOneDrive = @(); foreach ($registryEntry in $userShellFoldersEntries) { $userShellFolderName = $registryEntry.Name; $userShellFolderPath = $registryEntry.Value; if (!$userShellFolderPath) { Write-Output """Skipping: The user shell folder `"""$userShellFolderName`""" does not have a defined path."""; continue; }; $expandedUserShellFolderPath = [System.Environment]::ExpandEnvironmentVariables($userShellFolderPath); if(-not ($expandedUserShellFolderPath -like $oneDriveUserFolderPattern)) { continue; }; $userShellFoldersInOneDrive += [PSCustomObject]@{ Name = $userShellFolderName; Path = $expandedUserShellFolderPath }; }; if ($userShellFoldersInOneDrive.Count -gt 0) { $warningMessage = 'To keep your computer running smoothly, OneDrive user folder will not be deleted.'; $warningMessage += """`nIt's being used by the OS as a user shell directory for the following folders:"""; $userShellFoldersInOneDrive.ForEach( { $warningMessage += """`n- $($_.Name): $($_.Path)"""; }); Write-Warning $warningMessage; exit 0; }; Write-Output """Successfully verified that none of the $($userShellFoldersEntries.Count) user shell folders point to the OneDrive user folder pattern."""; break; } catch { Write-Warning """An error occurred during verification of user shell folders. Skipping prevent potential issues. Error: $($_.Exception.Message)"""; exit 0; }; }; $foundAbsolutePaths = @(); Write-Host 'Iterating files and directories recursively.'; try { $foundAbsolutePaths += @(; Get-ChildItem -Path $expandedPath -Force -Recurse -ErrorAction Stop | Select-Object -ExpandProperty FullName; ); } catch [System.Management.Automation.ItemNotFoundException] { <# Swallow, do not run `Test-Path` before, it's unreliable for globs requiring extra permissions #>; }; try { $foundAbsolutePaths += @(; Get-Item -Path $expandedPath -ErrorAction Stop | Select-Object -ExpandProperty FullName; ); } catch [System.Management.Automation.ItemNotFoundException] { <# Swallow, do not run `Test-Path` before, it's unreliable for globs requiring extra permissions #>; }; $foundAbsolutePaths = $foundAbsolutePaths | Select-Object -Unique | Sort-Object -Property { $_.Length } -Descending; if (!$foundAbsolutePaths) { Write-Host 'Skipping, no items available.'; exit 0; }; Write-Host """Initiating processing of $($foundAbsolutePaths.Count) items from `"""$expandedPath`"""."""; foreach ($path in $foundAbsolutePaths) { try { if (Test-Path -Path $path -PathType Leaf) { Write-Warning """Retaining file `"""$path`""" to safeguard your data."""; continue; } elseif (Test-Path -Path $path -PathType Container) { if ((Get-ChildItem """$path""" -Recurse | Measure-Object).Count -gt 0) { Write-Warning """Preserving non-empty folder `"""$path`""" to protect your files."""; continue; }; }; } catch { Write-Warning """An error occurred while processing `"""$path`""". Skipping to protect your data. Error: $($_.Exception.Message)"""; continue; }; if (-not (Test-Path $path)) { <# Re-check existence as prior deletions might remove subsequent items (e.g., subdirectories). #>; Write-Host """Successfully deleted: $($path) (already deleted)."""; $deletedCount++; continue; }; try { Remove-Item -Path $path -Force -Recurse -ErrorAction Stop; $deletedCount++; Write-Host """Successfully deleted: $($path)"""; } catch { $failedCount++; Write-Warning """Unable to delete $($path): $_"""; }; }; Write-Host """Successfully deleted $($deletedCount) items."""; if ($failedCount -gt 0) { Write-Warning """Failed to delete $($failedCount) items."""; }"4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowerShell -ExecutionPolicy Unrestricted -Command "$pathGlobPattern = """$($directoryGlob = 'C:\Users\Admin\AppData\Local\Microsoft\OneDrive'; if (-Not $directoryGlob.EndsWith('\')) { $directoryGlob += '\' }; $directoryGlob )"""; $expandedPath = [System.Environment]::ExpandEnvironmentVariables($pathGlobPattern); Write-Host """Searching for items matching pattern: `"""$($expandedPath)`"""."""; <# Not using `Get-Acl`/`Set-Acl` to avoid adjusting token privileges #>; $parentDirectory = [System.IO.Path]::GetDirectoryName($expandedPath); $fileName = [System.IO.Path]::GetFileName($expandedPath); if ($parentDirectory -like '*[*?]*') { throw """Unable to grant permissions to glob path parent directory: `"""$parentDirectory`""", wildcards in parent directory are not supported by ``takeown`` and ``icacls``."""; }; if (($fileName -ne '*') -and ($fileName -like '*[*?]*')) { throw """Unable to grant permissions to glob path file name: `"""$fileName`""", wildcards in file name is not supported by ``takeown`` and ``icacls``."""; }; Write-Host """Taking ownership of `"""$expandedPath`"""."""; $cmdPath = $expandedPath; if ($cmdPath.EndsWith('\')) { $cmdPath += '\' <# Escape trailing backslash for correct handling in batch commands #>; }; $takeOwnershipCommand = """takeown /f `"""$cmdPath`""" /a""" <# `icacls /setowner` does not succeed, so use `takeown` instead. #>; if (-not (Test-Path -Path """$expandedPath""" -PathType Leaf)) { $localizedYes = 'Y' <# Default 'Yes' flag (fallback) #>; try { $choiceOutput = cmd /c """choice <nul 2>nul"""; if ($choiceOutput -and $choiceOutput.Length -ge 2) { $localizedYes = $choiceOutput[1]; } else { Write-Warning """Failed to determine localized 'Yes' character. Output: `"""$choiceOutput`""""""; }; } catch { Write-Warning """Failed to determine localized 'Yes' character. Error: $_"""; }; $takeOwnershipCommand += """ /r /d $localizedYes"""; }; $takeOwnershipOutput = cmd /c """$takeOwnershipCommand 2>&1""" <# `stderr` message is misleading, e.g. """ERROR: The system cannot find the file specified.""" is not an error. #>; if ($LASTEXITCODE -eq 0) { Write-Host """Successfully took ownership of `"""$expandedPath`""" (using ``$takeOwnershipCommand``)."""; } else { Write-Host """Did not take ownership of `"""$expandedPath`""" using ``$takeOwnershipCommand``, status code: $LASTEXITCODE, message: $takeOwnershipOutput."""; <# Do not write as error or warning, because this can be due to missing path, it's handled in next command. #>; <# `takeown` exits with status code `1`, making it hard to handle missing path here. #>; }; Write-Host """Granting permissions for `"""$expandedPath`"""."""; $adminSid = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-32-544'; $adminAccount = $adminSid.Translate([System.Security.Principal.NTAccount]); $adminAccountName = $adminAccount.Value; $grantPermissionsCommand = """icacls `"""$cmdPath`""" /grant `"""$($adminAccountName):F`""" /t"""; $icaclsOutput = cmd /c """$grantPermissionsCommand"""; if ($LASTEXITCODE -eq 3) { Write-Host """Skipping, no items available for deletion according to: ``$grantPermissionsCommand``."""; exit 0; } elseif ($LASTEXITCODE -ne 0) { Write-Host """Take ownership message:`n$takeOwnershipOutput"""; Write-Host """Grant permissions:`n$icaclsOutput"""; Write-Warning """Failed to assign permissions for `"""$expandedPath`""" using ``$grantPermissionsCommand``, status code: $LASTEXITCODE."""; } else { $fileStats = $icaclsOutput | ForEach-Object { $_ -match '\d+' | Out-Null; $matches[0] } | Where-Object { $_ -ne $null } | ForEach-Object { [int]$_ }; if ($fileStats.Count -gt 0 -and ($fileStats | ForEach-Object { $_ -eq 0 } | Where-Object { $_ -eq $false }).Count -eq 0) { Write-Host """Skipping, no items available for deletion according to: ``$grantPermissionsCommand``."""; exit 0; } else { Write-Host """Successfully granted permissions for `"""$expandedPath`""" (using ``$grantPermissionsCommand``)."""; }; }; $deletedCount = 0; $failedCount = 0; $foundAbsolutePaths = @(); Write-Host 'Iterating files and directories recursively.'; try { $foundAbsolutePaths += @(; Get-ChildItem -Path $expandedPath -Force -Recurse -ErrorAction Stop | Select-Object -ExpandProperty FullName; ); } catch [System.Management.Automation.ItemNotFoundException] { <# Swallow, do not run `Test-Path` before, it's unreliable for globs requiring extra permissions #>; }; try { $foundAbsolutePaths += @(; Get-Item -Path $expandedPath -ErrorAction Stop | Select-Object -ExpandProperty FullName; ); } catch [System.Management.Automation.ItemNotFoundException] { <# Swallow, do not run `Test-Path` before, it's unreliable for globs requiring extra permissions #>; }; $foundAbsolutePaths = $foundAbsolutePaths | Select-Object -Unique | Sort-Object -Property { $_.Length } -Descending; if (!$foundAbsolutePaths) { Write-Host 'Skipping, no items available.'; exit 0; }; Write-Host """Initiating processing of $($foundAbsolutePaths.Count) items from `"""$expandedPath`"""."""; foreach ($path in $foundAbsolutePaths) { if (-not (Test-Path $path)) { <# Re-check existence as prior deletions might remove subsequent items (e.g., subdirectories). #>; Write-Host """Successfully deleted: $($path) (already deleted)."""; $deletedCount++; continue; }; try { Remove-Item -Path $path -Force -Recurse -ErrorAction Stop; $deletedCount++; Write-Host """Successfully deleted: $($path)"""; } catch { $failedCount++; Write-Warning """Unable to delete $($path): $_"""; }; }; Write-Host """Successfully deleted $($deletedCount) items."""; if ($failedCount -gt 0) { Write-Warning """Failed to delete $($failedCount) items."""; }"4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe" /c "choice <nul 2>nul"5⤵
-
C:\Windows\system32\choice.exechoice6⤵
-
-
-
-
-
-
C:\Windows\SysWOW64\DllHost.exeC:\Windows\SysWOW64\DllHost.exe /Processid:{E2B3C97F-6AE1-41AC-817A-F6F92166D7DD}1⤵
- System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Persistence
Event Triggered Execution
2Change Default File Association
1Component Object Model Hijacking
1Power Settings
1Privilege Escalation
Event Triggered Execution
2Change Default File Association
1Component Object Model Hijacking
1Defense Evasion
File and Directory Permissions Modification
2Windows File and Directory Permissions Modification
1Indicator Removal
1File Deletion
1Modify Registry
1Virtualization/Sandbox Evasion
2Discovery
Peripheral Device Discovery
1Process Discovery
1Query Registry
6System Information Discovery
5System Location Discovery
1System Language Discovery
1System Network Configuration Discovery
1Internet Connection Discovery
1Virtualization/Sandbox Evasion
2Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
535KB
MD5ff5f39370b67a274cb58ba7e2039d2e2
SHA13020bb33e563e9efe59ea22aa4588bed5f1b2897
SHA2561233487ea4db928ee062f12b00a6eda01445d001ab55566107234dea4dc65872
SHA5127decec37c80d1d5ad6296d737d5d16c4fc92353a3ae4bd083c4a7b267bb6073a53d9f6152b20f9b5e62ba6c93f76d08f813812a83ce164db4c91107d7ad5a95f
-
Filesize
2.3MB
MD559d3719b61ed26aa4a9561a9f9d58280
SHA1f5e74f35c065dc4d72da201013d8ee7c64e5c4fc
SHA256b8c421d04c27c96c4f8e8a83378fb1aa6a27b7df8b3c2343d1a3cdf33d479348
SHA512af8c1be395c38cfec9f36df2758f72cf1cba1e1ec14bd45d2221ac032d2211fdb29fbdf031edeb194a76960a517e412f7b3d07042d5c7b4097345fa9f9f60cf1
-
Filesize
3.7MB
MD5197fd1a92ba6e109c6c13929604ec4b8
SHA1a93e932c96057ba0aadb92b2a91250f1a0c30df3
SHA2561a482b3d1b9e47de8096ac568abf8123f69457df5f77c6f3576183e19cb3f1cb
SHA512c2c6b3f1ef6a09f68459cca4d2946d827c826235e76ef6015a3bc8581b33338b884b7874620c94f8a44f1051fcfefbf2e8ad52ae967b1746c7c6584519acab68
-
Filesize
3KB
MD5556084f2c6d459c116a69d6fedcc4105
SHA1633e89b9a1e77942d822d14de6708430a3944dbc
SHA25688cc4f40f0eb08ff5c487d6db341b046cc63b22534980aca66a9f8480692f3a8
SHA5120f6557027b098e45556af93e0be1db9a49c6416dc4afcff2cc2135a8a1ad4f1cf7185541ddbe6c768aefaf2c1a8e52d5282a538d15822d19932f22316edd283e
-
Filesize
1KB
MD5e48aa969afe288ca956d579c869cb78b
SHA13cf9f9450e8fa846c8e731e66f85041624e98541
SHA256290aab67e5610ce1c517e843cefb2e22bfb602f659595a9c6cf8511da46d86b2
SHA51235fed558bf712def61ff7e959abbded2ea7c6cf030eea80abb50d3a153768dcf728c386b2f7004c84991b141c6fe08a2590519f5177304a7f1e64f594ec05005
-
Filesize
1KB
MD5331841fe482ffe8b1cc1509733d8ca67
SHA11e3257cca1b2c7c3aaf4cf1f138c9e9e665e8cb8
SHA25614112a43248df71bdf7668c923f541190c6417ef37796605cf8114f565648d0f
SHA512039e5991132912f94b3fbe23146ee61bb822aada6a3f2b37bca226c76c162e04a106f3626587ff079411a03e6e9a4813ad04813ada4694f9b78f49e1925389d9
-
Filesize
1KB
MD5a853f7647670887c55676c36df6e647a
SHA17c77be5d6f2bf9d7d07e23296b6ace620f94369f
SHA256eb078aa34c1237938571c324b87db1fc5c8f03b9a008a12246fe934e711df74e
SHA512c96bdcb6aef1d6c52c9f67fada05ec72a295bd5ca5d236cb4226861732022aa19e7d2be4439e2bbaedf6bec653e0b693ddee96cd607f68d647d143e873ac6157
-
Filesize
2KB
MD57702e6f972da8282439d971405cf987d
SHA1d08fec359da1624de08027357ebbb1bb2bae173f
SHA256926d69eecba3ed3213102bf1d186dccd95bf3b47fe845127a9bd24ff82cc65da
SHA512c513a71f419f4a0dddd943d8b8e0a89cfeb0320ec1472b0575e67a1a0e68bf50d072a51007585c43956038f32665807b179141a09dd32fccaac5dc94444efee3
-
Filesize
1KB
MD55e133f7e0bda6ac40b71815412b45ec2
SHA1e4d21dfc35ffa0e5c29c33d8c01edd1ca04fe5ff
SHA2562b6c44fbe22878462096a45ef082a6b9a61df337b1ed2bfa64972d05dcbd0665
SHA512785a8dc12901bf6e002468a6d194b1765e6fa97dda543eb7e4708308c56e764aae253c84920f8280d640dff7bb202174980bbd92145e25f8753a5ae840bbf096
-
Filesize
2KB
MD5bdfb2334fc04dd222e666699c8e27f60
SHA16a0687f1dd4e2622e9d0ac0875663ab778991796
SHA25626c2b1dab8358a597909d377ba7acc6bdba8d405231732ba1817c166328774a9
SHA5129247ef3b22b0ab93671bd2a5c614ad8574df7572c2b9904fa108e410638ba1ba384a3647493c46a3137d03c5a8c9778d1fdd4bbe75fd169eda079329eb660e78
-
Filesize
3KB
MD5469beccff81d7d395eee09926e74db66
SHA1c6178f7abeaa79b4879f7d60e4bd155c6025156c
SHA25668ea4f9ca1ad9cefbee9a769c15c6d1fa66a580c6a3483d2d6d3ac67c931616b
SHA5128cca56b8135a1738f453de765779fb129d51637360d0784459aaa6c5757477567c529ab212e11ab4a9d9cd8460b9995e59298057990b446aa88dfa30544addcc
-
Filesize
2KB
MD5ec16ee3757a4c49f4d264cea8c033ba9
SHA195cfec096ab8f545dd2d390beb9e32abebbfee39
SHA2568a68b8538a04f334e96bb52fd39eb1546ca916564bdcb8daf5daf2919d51f62f
SHA5126b355a3a718c658c6d795c4d1964071c5b5868c5750960e0d60c44af1d8480376b5ccba7fb995d6d10da740297f8de42eda957535a0cf534ecbaa64c40696325
-
Filesize
2KB
MD519c9802c3c8fe0893abd3a40509f4351
SHA15c6bdf98959b09e2210eef93015a44e9550cf98a
SHA256971d7d1928375c469b2d8fb7e52a033903c3a9fc95f802556eaf4a3e389885a8
SHA5122a9b7b7da14a4a22a0bf14f85a7283006ec66a74de6b99af70d431c4a4a2c23a63b5092a02d8a7f643c5cf579dfb1d57f9713360c05528b42ef2a273c737ae8f
-
Filesize
3KB
MD5718c38a7adba59f1f85ea6329b7692fc
SHA1dea72fa79504eca2fdf2256b877cde6a145c9e0b
SHA256d66de4c8f3d99f4d79918a6f644e8779743b9c781d27f4490d870170d74df221
SHA512997534338f086bfca47edf8696bd2079a973a9dd309087a599c07837aa4d1c02ca88ef4d7b77f993e8f82856b8b02ecfc3171e5eb8cdbaf60d26f957da1676db
-
Filesize
2KB
MD5d2e50e52d925ec8b08433a071a0336ff
SHA1e567ff27e9dcb3711ceb29c113d3ce79503f3578
SHA25662349e567794295d18056b71a7360cd185e5f81ac44a2112c5739ed733fccd51
SHA51201ab734e871b6632bbf12e26b44360d5e3e98b02a4ff89ac40f87af4015f5928118daa5d3d5da71864b124739a821e34f0e55b67bf85e6f43262c7abe17dc680
-
Filesize
2KB
MD5395003bdf07bb92612419954883d9f25
SHA18958d30f97794d11689f71dd80a87d6aaf8800b8
SHA256097aa4f54784f9a7a4447d9520b135d6dc7f3cd87c8f63624c2c86c6ccfbbf9a
SHA5126fe079d9e4116a68377a3206d5501c5da68f7f5c936acd1ad3f80132d3a3c050061093804e037f2b3e1e1d04fe97fa047a4b7dc776b356c0ad6f93908566e5fe
-
Filesize
3KB
MD564a26da97e6bd7f6f18d19eb956cb556
SHA162ab86e4fcb6dd7b3695357bf9310b9af6629d6e
SHA256f4e33a187f11f1b23160d2888157217056170ac81bb1bd0930dac3abc43b0cb0
SHA512965a0a6a3ba90bb668540b0fd1975dd28dab519aa5b7394e326cbc75d7ec875b3354a7d4e7a73409aa38671d59abdd4f27a1707892651c4aa7190cecf66000af
-
Filesize
1KB
MD533799953b6dd2f0e79bda10d56335a9c
SHA1373f0ecf024e70296f057f3ef122812cf9750da4
SHA25651b064a15a66b8eaab940fa32a5b900d9f321ccc48d2ef99c96b7ff03f9fb88c
SHA512e10daa79a61d7287ce37f0ff8926280f09bbb8bbd652ebf7ec5cb87bb11d884aa7a0550b1bfae144922152f3063b698b27fa5d117b0b90383e704d49905e5df4
-
Filesize
1KB
MD5a7290b772b41b193f98f5911d2587a67
SHA13ddfd22723568c38ecabb138d042708c63adc847
SHA25608723c25a3f4120906f1101cdc7b93ffed940548ea5a5b3896928682f943f766
SHA5128264ec5a1aa3be90e0228eb3d6d53d882cd5fb84431debceea291dae0781ff8082c87b0e4f528b0b5de9d930b5e9368f2d4c0b2bca225cca733a2e1d549b0117
-
Filesize
1KB
MD5778538ae77245ff9796364cf91331f27
SHA12af291e0ddea8749c5706dc3cbe61c76d2f51d89
SHA25637fa1ad46805f99e3ed0b91a9a2297df21a1ee113f2cc09fc38e0a51667abfbf
SHA512956f2a306182468da22d4c92cf8c051c065c5ee31c1378118b2c6bbcac1ab5c9832566e38a43263d83a8aaef08ed166e22bec347f6d5bc3d4b1bdcb3e366f17d
-
Filesize
2KB
MD5e6c40864d6b1ba622e3693054821f8e3
SHA1e961659ac7a5a997de4c5b03f85fca2375ef4ca7
SHA25617e064ea335f1d1142684f84e3bae7118af150d501a00b551c5f74cec9e276ca
SHA512286b29a32cad9515b7967eee7111b52837420cdbd6fec539686796d3b33ba8d29bbe5ee3bc17e993c4fdf76f4e7822aa36b102872e30383cebcefa828c0475f3
-
Filesize
2KB
MD5e49a28bef4bf146b3b3ccefd5af012dc
SHA1f492f22b32373780fd55d09260144f7306e45968
SHA256f8d2f615de122c6b82282eecb4863d509cdc4f7bea95a55c59178200ec6cd2f0
SHA512a2f1259aefecb921a232822be29cff498ef4755d2f2e7f610d3e4394eea901da8ddc77a34c5ec6ecc0a1dd6bb31ba2f3418a25374674f1734f97a4a79d25d815
-
Filesize
1KB
MD5cee0b6e08a8b33d43737f8e7986d963a
SHA132047e66ed75418ae7cec2e541eefc9b563b02c6
SHA25698e41d486d7f2acfb7b58a7cfbfdc6df511ea6b6c7ae2bf9b0acfd9fd21fe8ea
SHA5123fc5a1659962964be3e40d1ccb8d20312239530a28dec99f97694f1671d2cffd713836e356cf2f365702ceb13444500ec725d4f3daf8abf633753e7deed73e01
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
470B
MD58c32a9e3b38c6c71f9917c1fa447b49f
SHA10bea8c99bc0dd070f22ec09e329b94926fbd15b8
SHA256c0f7a93f20634629d4dbfd60cd4eae87f11fbd2fd363c14408c36c43ab6405b3
SHA5124ea62b27b3772194f42c7d50971ecfcc15c8ae25897a4748cb14891a8fac1632edb62218d3ae721f0f9e4de1f5d990337caf9ed92f4fc085a69aa79e9f5cbe57
-
Filesize
470B
MD5668b2df5d8463e089d4c614984db71a8
SHA1c99edf7138ca2807b61bcb7ec40fb87588c0e8e8
SHA256b34632436568742539f659b3c9987c6cf76f0202cf0310ea5d60f43d12453322
SHA51248770a9332b5897feae317032c20ca38c5fd050062ce4edf8f44b2f0b19d766fcb253dacc60c36a5233b75ae10b393c13239c3250881f1e9fcb330a2dd009b75
-
Filesize
29KB
MD592a61b4c6756f12d8a7fc8fb36129d24
SHA1519df35480e8f83616aa89038ff8e2c95f80086c
SHA256b9002d8e1a14a1adab816c8b7e7eed921594d8ff2722f01423e79a583f54c54e
SHA51217c555d3f520986c2416e425734120bbc4dd8046a11ab771eae491be6c42dee3254970c373969b48b50717472ff93f686555d0b770debb49c576a32fda1bebda
-
Filesize
25.9MB
MD5bd2866356868563bd9d92d902cf9cc5a
SHA1c677a0ad58ba694891ef33b54bb4f1fe4e7ce69b
SHA2566676ba3d4bf3e5418865922b8ea8bddb31660f299dd3da8955f3f37961334ecb
SHA5125eccf7be791fd76ee01aafc88300b2b1a0a0fb778f100cbc37504dfc2611d86bf3b4c5d663d2b87f17383ef09bd7710adbe4ece148ec12a8cfd2195542db6f27
-
Filesize
560KB
-
Filesize
7.7MB
-
Filesize
5.6MB
-
Filesize
40KB
-
Filesize
7.7MB
-
Filesize
4KB
-
Filesize
2.1MB
-
Filesize
72KB
-
Filesize
7.7MB
-
Filesize
584KB
-
Filesize
7.7MB
-
Filesize
4KB
-
Filesize
1.3MB
-
Filesize
7.7MB
-
Filesize
40KB
-
Filesize
64KB
-
Filesize
120KB
-
Filesize
472KB
-
Filesize
32KB
-
Filesize
40KB
-
Filesize
8KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
10.8MB
-
Filesize
8KB
-
Filesize
64KB
-
Filesize
2.4MB
-
Filesize
3.7MB
-
Filesize
40KB
-
Filesize
10.8MB
-
Filesize
152KB
-
Filesize
32KB
-
Filesize
88KB
-
Filesize
40KB
-
Filesize
864KB
-
Filesize
3.0MB
-
Filesize
136KB