hxxps://drive[.]google[.]com/drive/folders/1ypIR9V2IgH0E4bxaoJe2w7YX8nUS1deM

Analysis

max time kernel
132s
max time network
138s
platform
windows11-21h2_x64
resource
win11-20241007-de
resource tags

arch:x64arch:x86image:win11-20241007-delocale:de-deos:windows11-21h2-x64systemwindows
submitted
07-01-2025 12:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://drive.google.com/drive/folders/1ypIR9V2IgH0E4bxaoJe2w7YX8nUS1deM

Score

10^/10

discovery evasion execution persistence ransomware

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "0"	SystemPropertiesPerformance.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	SystemPropertiesPerformance.exe

Modifies boot configuration data using bcdedit 1 TTPs 7 IoCs

ransomware evasion

Inhibit System Recovery

T1490

pid	Process
4824	bcdedit.exe
2672	bcdedit.exe
2052	bcdedit.exe
1244	bcdedit.exe
1208	bcdedit.exe
2108	bcdedit.exe
4516	bcdedit.exe

Event Triggered Execution: Image File Execution Options Injection 1 TTPs 6 IoCs

persistence

Image File Execution Options Injection

T1546.012

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\csrss.exe\PerfOptions\CpuPriorityClass = "4"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\csrss.exe\PerfOptions	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\csrss.exe\PerfOptions\IoPriority = "3"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\csrss.exe\PerfOptions	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\csrss.exe	reg.exe

Executes dropped EXE 1 IoCs

pid	Process
3600	nvidiaProfileInspector.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\R:	cleanmgr.exe
File opened (read-only)	\??\U:	cleanmgr.exe
File opened (read-only)	\??\I:	cleanmgr.exe
File opened (read-only)	\??\M:	cleanmgr.exe
File opened (read-only)	\??\P:	cleanmgr.exe
File opened (read-only)	\??\X:	cleanmgr.exe
File opened (read-only)	\??\Y:	cleanmgr.exe
File opened (read-only)	\??\G:	cleanmgr.exe
File opened (read-only)	\??\J:	cleanmgr.exe
File opened (read-only)	\??\Q:	cleanmgr.exe
File opened (read-only)	\??\O:	cleanmgr.exe
File opened (read-only)	\??\W:	cleanmgr.exe
File opened (read-only)	\??\Z:	cleanmgr.exe
File opened (read-only)	\??\A:	cleanmgr.exe
File opened (read-only)	\??\B:	cleanmgr.exe
File opened (read-only)	\??\N:	cleanmgr.exe
File opened (read-only)	\??\L:	cleanmgr.exe
File opened (read-only)	\??\S:	cleanmgr.exe
File opened (read-only)	\??\T:	cleanmgr.exe
File opened (read-only)	\??\V:	cleanmgr.exe
File opened (read-only)	\??\E:	cleanmgr.exe
File opened (read-only)	\??\H:	cleanmgr.exe
File opened (read-only)	\??\K:	cleanmgr.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
1	drive.google.com
2	drive.google.com
5	drive.google.com

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
680	powershell.exe
2028	powershell.exe
1992	powershell.exe
3176	powershell.exe

Delays execution with timeout.exe 3 IoCs

evasion

pid	Process
1208	timeout.exe
4196	timeout.exe
1756	timeout.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings\MuiCache	MiniSearchHost.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\EXM Free Tweaking Utility V7.1.zip:Zone.Identifier	msedge.exe

Suspicious behavior: EnumeratesProcesses 30 IoCs

pid	Process
1816	msedge.exe
1816	msedge.exe
3664	msedge.exe
3664	msedge.exe
2096	msedge.exe
2096	msedge.exe
4984	identity_helper.exe
4984	identity_helper.exe
5040	msedge.exe
5040	msedge.exe
680	powershell.exe
680	powershell.exe
680	powershell.exe
3760	powershell.exe
3760	powershell.exe
3760	powershell.exe
2028	powershell.exe
2028	powershell.exe
2028	powershell.exe
3924	powershell.exe
3924	powershell.exe
3924	powershell.exe
1992	powershell.exe
1992	powershell.exe
3176	powershell.exe
3176	powershell.exe
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs

pid	Process
3664	msedge.exe
3664	msedge.exe
3664	msedge.exe
3664	msedge.exe
3664	msedge.exe
3664	msedge.exe
3664	msedge.exe
3664	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	680	powershell.exe
Token: SeDebugPrivilege	3760	powershell.exe
Token: SeDebugPrivilege	2028	powershell.exe
Token: SeDebugPrivilege	3924	powershell.exe
Token: SeIncreaseQuotaPrivilege	3712	WMIC.exe
Token: SeSecurityPrivilege	3712	WMIC.exe
Token: SeTakeOwnershipPrivilege	3712	WMIC.exe
Token: SeLoadDriverPrivilege	3712	WMIC.exe
Token: SeSystemProfilePrivilege	3712	WMIC.exe
Token: SeSystemtimePrivilege	3712	WMIC.exe
Token: SeProfSingleProcessPrivilege	3712	WMIC.exe
Token: SeIncBasePriorityPrivilege	3712	WMIC.exe
Token: SeCreatePagefilePrivilege	3712	WMIC.exe
Token: SeBackupPrivilege	3712	WMIC.exe
Token: SeRestorePrivilege	3712	WMIC.exe
Token: SeShutdownPrivilege	3712	WMIC.exe
Token: SeDebugPrivilege	3712	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3712	WMIC.exe
Token: SeRemoteShutdownPrivilege	3712	WMIC.exe
Token: SeUndockPrivilege	3712	WMIC.exe
Token: SeManageVolumePrivilege	3712	WMIC.exe
Token: 33	3712	WMIC.exe
Token: 34	3712	WMIC.exe
Token: 35	3712	WMIC.exe
Token: 36	3712	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3712	WMIC.exe
Token: SeSecurityPrivilege	3712	WMIC.exe
Token: SeTakeOwnershipPrivilege	3712	WMIC.exe
Token: SeLoadDriverPrivilege	3712	WMIC.exe
Token: SeSystemProfilePrivilege	3712	WMIC.exe
Token: SeSystemtimePrivilege	3712	WMIC.exe
Token: SeProfSingleProcessPrivilege	3712	WMIC.exe
Token: SeIncBasePriorityPrivilege	3712	WMIC.exe
Token: SeCreatePagefilePrivilege	3712	WMIC.exe
Token: SeBackupPrivilege	3712	WMIC.exe
Token: SeRestorePrivilege	3712	WMIC.exe
Token: SeShutdownPrivilege	3712	WMIC.exe
Token: SeDebugPrivilege	3712	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3712	WMIC.exe
Token: SeRemoteShutdownPrivilege	3712	WMIC.exe
Token: SeUndockPrivilege	3712	WMIC.exe
Token: SeManageVolumePrivilege	3712	WMIC.exe
Token: 33	3712	WMIC.exe
Token: 34	3712	WMIC.exe
Token: 35	3712	WMIC.exe
Token: 36	3712	WMIC.exe
Token: SeIncreaseQuotaPrivilege	992	WMIC.exe
Token: SeSecurityPrivilege	992	WMIC.exe
Token: SeTakeOwnershipPrivilege	992	WMIC.exe
Token: SeLoadDriverPrivilege	992	WMIC.exe
Token: SeSystemProfilePrivilege	992	WMIC.exe
Token: SeSystemtimePrivilege	992	WMIC.exe
Token: SeProfSingleProcessPrivilege	992	WMIC.exe
Token: SeIncBasePriorityPrivilege	992	WMIC.exe
Token: SeCreatePagefilePrivilege	992	WMIC.exe
Token: SeBackupPrivilege	992	WMIC.exe
Token: SeRestorePrivilege	992	WMIC.exe
Token: SeShutdownPrivilege	992	WMIC.exe
Token: SeDebugPrivilege	992	WMIC.exe
Token: SeSystemEnvironmentPrivilege	992	WMIC.exe
Token: SeRemoteShutdownPrivilege	992	WMIC.exe
Token: SeUndockPrivilege	992	WMIC.exe
Token: SeManageVolumePrivilege	992	WMIC.exe
Token: 33	992	WMIC.exe

Suspicious use of FindShellTrayWindow 33 IoCs

pid	Process
3664	msedge.exe
3664	msedge.exe
3664	msedge.exe
3664	msedge.exe
3664	msedge.exe
3664	msedge.exe
3664	msedge.exe
3664	msedge.exe
3664	msedge.exe
3664	msedge.exe
3664	msedge.exe
3664	msedge.exe
3664	msedge.exe
3664	msedge.exe
3664	msedge.exe
3664	msedge.exe
3664	msedge.exe
3664	msedge.exe
3664	msedge.exe
3664	msedge.exe
3664	msedge.exe
3664	msedge.exe
3664	msedge.exe
3664	msedge.exe
3664	msedge.exe
3664	msedge.exe
3664	msedge.exe
3664	msedge.exe
3664	msedge.exe
3664	msedge.exe
3664	msedge.exe
3664	msedge.exe
3664	msedge.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
3664	msedge.exe
3664	msedge.exe
3664	msedge.exe
3664	msedge.exe
3664	msedge.exe
3664	msedge.exe
3664	msedge.exe
3664	msedge.exe
3664	msedge.exe
3664	msedge.exe
3664	msedge.exe
3664	msedge.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3984	MiniSearchHost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3664 wrote to memory of 3428	3664	msedge.exe	77
PID 3664 wrote to memory of 3428	3664	msedge.exe	77
PID 3664 wrote to memory of 3868	3664	msedge.exe	78
PID 3664 wrote to memory of 3868	3664	msedge.exe	78
PID 3664 wrote to memory of 3868	3664	msedge.exe	78
PID 3664 wrote to memory of 3868	3664	msedge.exe	78
PID 3664 wrote to memory of 3868	3664	msedge.exe	78
PID 3664 wrote to memory of 3868	3664	msedge.exe	78
PID 3664 wrote to memory of 3868	3664	msedge.exe	78
PID 3664 wrote to memory of 3868	3664	msedge.exe	78
PID 3664 wrote to memory of 3868	3664	msedge.exe	78
PID 3664 wrote to memory of 3868	3664	msedge.exe	78
PID 3664 wrote to memory of 3868	3664	msedge.exe	78
PID 3664 wrote to memory of 3868	3664	msedge.exe	78
PID 3664 wrote to memory of 3868	3664	msedge.exe	78
PID 3664 wrote to memory of 3868	3664	msedge.exe	78
PID 3664 wrote to memory of 3868	3664	msedge.exe	78
PID 3664 wrote to memory of 3868	3664	msedge.exe	78
PID 3664 wrote to memory of 3868	3664	msedge.exe	78
PID 3664 wrote to memory of 3868	3664	msedge.exe	78
PID 3664 wrote to memory of 3868	3664	msedge.exe	78
PID 3664 wrote to memory of 3868	3664	msedge.exe	78
PID 3664 wrote to memory of 3868	3664	msedge.exe	78
PID 3664 wrote to memory of 3868	3664	msedge.exe	78
PID 3664 wrote to memory of 3868	3664	msedge.exe	78
PID 3664 wrote to memory of 3868	3664	msedge.exe	78
PID 3664 wrote to memory of 3868	3664	msedge.exe	78
PID 3664 wrote to memory of 3868	3664	msedge.exe	78
PID 3664 wrote to memory of 3868	3664	msedge.exe	78
PID 3664 wrote to memory of 3868	3664	msedge.exe	78
PID 3664 wrote to memory of 3868	3664	msedge.exe	78
PID 3664 wrote to memory of 3868	3664	msedge.exe	78
PID 3664 wrote to memory of 3868	3664	msedge.exe	78
PID 3664 wrote to memory of 3868	3664	msedge.exe	78
PID 3664 wrote to memory of 3868	3664	msedge.exe	78
PID 3664 wrote to memory of 3868	3664	msedge.exe	78
PID 3664 wrote to memory of 3868	3664	msedge.exe	78
PID 3664 wrote to memory of 3868	3664	msedge.exe	78
PID 3664 wrote to memory of 3868	3664	msedge.exe	78
PID 3664 wrote to memory of 3868	3664	msedge.exe	78
PID 3664 wrote to memory of 3868	3664	msedge.exe	78
PID 3664 wrote to memory of 3868	3664	msedge.exe	78
PID 3664 wrote to memory of 1816	3664	msedge.exe	79
PID 3664 wrote to memory of 1816	3664	msedge.exe	79
PID 3664 wrote to memory of 3656	3664	msedge.exe	80
PID 3664 wrote to memory of 3656	3664	msedge.exe	80
PID 3664 wrote to memory of 3656	3664	msedge.exe	80
PID 3664 wrote to memory of 3656	3664	msedge.exe	80
PID 3664 wrote to memory of 3656	3664	msedge.exe	80
PID 3664 wrote to memory of 3656	3664	msedge.exe	80
PID 3664 wrote to memory of 3656	3664	msedge.exe	80
PID 3664 wrote to memory of 3656	3664	msedge.exe	80
PID 3664 wrote to memory of 3656	3664	msedge.exe	80
PID 3664 wrote to memory of 3656	3664	msedge.exe	80
PID 3664 wrote to memory of 3656	3664	msedge.exe	80
PID 3664 wrote to memory of 3656	3664	msedge.exe	80
PID 3664 wrote to memory of 3656	3664	msedge.exe	80
PID 3664 wrote to memory of 3656	3664	msedge.exe	80
PID 3664 wrote to memory of 3656	3664	msedge.exe	80
PID 3664 wrote to memory of 3656	3664	msedge.exe	80
PID 3664 wrote to memory of 3656	3664	msedge.exe	80
PID 3664 wrote to memory of 3656	3664	msedge.exe	80
PID 3664 wrote to memory of 3656	3664	msedge.exe	80
PID 3664 wrote to memory of 3656	3664	msedge.exe	80

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://drive.google.com/drive/folders/1ypIR9V2IgH0E4bxaoJe2w7YX8nUS1deM
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3664
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7fff265d3cb8,0x7fff265d3cc8,0x7fff265d3cd8
  2⤵
  PID:3428
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1944,15427477569846682737,2979063164741730427,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1976 /prefetch:2
  2⤵
  PID:3868
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1944,15427477569846682737,2979063164741730427,131072 --lang=de --service-sandbox-type=none --mojo-platform-channel-handle=2064 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1816
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1944,15427477569846682737,2979063164741730427,131072 --lang=de --service-sandbox-type=utility --mojo-platform-channel-handle=2524 /prefetch:8
  2⤵
  PID:3656
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,15427477569846682737,2979063164741730427,131072 --lang=de --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3204 /prefetch:1
  2⤵
  PID:1912
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,15427477569846682737,2979063164741730427,131072 --lang=de --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3240 /prefetch:1
  2⤵
  PID:2516
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,15427477569846682737,2979063164741730427,131072 --lang=de --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4580 /prefetch:1
  2⤵
  PID:3276
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1944,15427477569846682737,2979063164741730427,131072 --lang=de --service-sandbox-type=none --mojo-platform-channel-handle=3392 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2096
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1944,15427477569846682737,2979063164741730427,131072 --lang=de --service-sandbox-type=none --mojo-platform-channel-handle=3436 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4984
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,15427477569846682737,2979063164741730427,131072 --lang=de --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5044 /prefetch:1
  2⤵
  PID:1680
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,15427477569846682737,2979063164741730427,131072 --lang=de --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5064 /prefetch:1
  2⤵
  PID:4676
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,15427477569846682737,2979063164741730427,131072 --lang=de --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4672 /prefetch:1
  2⤵
  PID:2408
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,15427477569846682737,2979063164741730427,131072 --lang=de --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5012 /prefetch:1
  2⤵
  PID:4408
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,15427477569846682737,2979063164741730427,131072 --lang=de --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5124 /prefetch:1
  2⤵
  PID:2904
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1944,15427477569846682737,2979063164741730427,131072 --lang=de --service-sandbox-type=none --mojo-platform-channel-handle=3452 /prefetch:8
  2⤵
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:5040
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1944,15427477569846682737,2979063164741730427,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1132 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4600

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3652

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2852

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3984

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2324

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\Downloads\EXM Free Tweaking Utility V7.1\EXM Free Tweaking Utility V7.1.cmd"
1⤵
PID:1552
- C:\Windows\system32\reg.exe
  Reg.exe add "HKCU\CONSOLE" /v "VirtualTerminalLevel" /t REG_DWORD /d "1" /f
  2⤵
  PID:3036
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic path Win32_UserAccount where name="Admin" get sid | findstr "S-"
  2⤵
  PID:4676
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic path Win32_UserAccount where name="Admin" get sid
    3⤵
    PID:2596
- - C:\Windows\system32\findstr.exe
    findstr "S-"
    3⤵
    PID:4700
- C:\Windows\system32\chcp.com
  chcp 65001
  2⤵
  PID:556
- C:\Windows\system32\timeout.exe
  timeout /t 1 /nobreak
  2⤵
  - Delays execution with timeout.exe
  PID:1208
- C:\Windows\system32\timeout.exe
  timeout /t 1 /nobreak
  2⤵
  - Delays execution with timeout.exe
  PID:4196
- C:\Windows\system32\chcp.com
  chcp 65001
  2⤵
  PID:1136
- C:\Windows\system32\chcp.com
  chcp 437
  2⤵
  PID:2208
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -NoProfile Enable-ComputerRestore -Drive 'C:\'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:680
- C:\Windows\system32\reg.exe
  Reg.exe delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore" /v "RPSessionInterval" /f
  2⤵
  PID:2164
- C:\Windows\system32\reg.exe
  Reg.exe delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore" /v "DisableConfig" /f
  2⤵
  PID:1780
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\Software\Microsoft\Windows NT\CurrentVersion\SystemRestore" /v "SystemRestorePointCreationFrequency" /t REG_DWORD /d 0 /f
  2⤵
  PID:4672
- C:\Windows\system32\chcp.com
  chcp 65001
  2⤵
  PID:2052
- C:\Windows\system32\chcp.com
  chcp 437
  2⤵
  PID:4840
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell "& {Add-Type -AssemblyName System.Windows.Forms; [System.Windows.Forms.MessageBox]::Show('Downloading resources (power plan, Nvidia profile inspector & more, Press "OK" To continue)', 'Exm Tweaking Utility', 'Ok', [System.Windows.Forms.MessageBoxIcon]::Information);}"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3760
- C:\Windows\system32\chcp.com
  chcp 65001
  2⤵
  PID:2980
- C:\Windows\system32\chcp.com
  chcp 437
  2⤵
  PID:4704
- C:\Windows\system32\curl.exe
  curl -g -k -L -# -o "C:\Users\Admin\AppData\Local\Temp\exm.zip" "https://exmapi.onrender.com/static/free/v5.0/v5.0_free_resources.zip"
  2⤵
  PID:4876
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Powershell -NoProfile Expand-Archive 'C:\Users\Admin\AppData\Local\Temp\exm.zip' -DestinationPath 'C:\exm'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2028
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell "& {Add-Type -AssemblyName System.Windows.Forms; [System.Windows.Forms.MessageBox]::Show('Downloaded resources successfully, Press "OK" To continue to the menu:Information);}"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3924
- C:\Windows\system32\chcp.com
  chcp 65001
  2⤵
  PID:2860
- C:\Windows\system32\chcp.com
  chcp 65001
  2⤵
  PID:832
- C:\Windows\system32\timeout.exe
  timeout 1 /nobreak
  2⤵
  - Delays execution with timeout.exe
  PID:1756
- C:\exm\v5.0_free_resources\nvidiaProfileInspector.exe
  "C:\exm\v5.0_free_resources\NvidiaProfileInspector.exe" "C:\exm\v5.0_free_resources\Free NVPI EXM Profile V6.nip"
  2⤵
  - Executes dropped EXE
  PID:3600
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000" /v "PreferSystemMemoryContiguous" /t REG_DWORD /d "1" /f
  2⤵
  PID:1160
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\Scheduler" /v "DisableWriteCombining" /t REG_DWORD /d "1" /f
  2⤵
  PID:2016
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic path Win32_VideoController get PNPDeviceID
  2⤵
  PID:2484
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic path Win32_VideoController get PNPDeviceID
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3712
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\System\CurrentControlSet\Enum\%i\Device Parameters\Interrupt Management\Affinity Policy" /v "DevicePriority" /f
  2⤵
  PID:3036
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Enum\%i\Device Parameters\Interrupt Management\MessageSignaledInterruptProperties" /v "MessageNumberLimit" /f
  2⤵
  PID:3368
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\System\CurrentControlSet\Enum\%i\Device Parameters\Interrupt Management\MessageSignaledInterruptProperties" /v "MSISupported" /t REG_DWORD /d "1" /f
  2⤵
  PID:2140
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic path Win32_VideoController get PNPDeviceID| findstr /L "PCI\VEN_"
  2⤵
  PID:3228
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic path Win32_VideoController get PNPDeviceID
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:992
- - C:\Windows\system32\findstr.exe
    findstr /L "PCI\VEN_"
    3⤵
    PID:4936
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c Reg.exe query "HKLM\SYSTEM\ControlSet001\Enum\PCI\VEN_1234&DEV_1111&SUBSYS_11001AF4&REV_02\3&11583659&0&08" /v "Driver"
  2⤵
  PID:4676
- - C:\Windows\system32\reg.exe
    Reg.exe query "HKLM\SYSTEM\ControlSet001\Enum\PCI\VEN_1234&DEV_1111&SUBSYS_11001AF4&REV_02\3&11583659&0&08" /v "Driver"
    3⤵
    PID:4876
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c echo [97m- {4d36e968-e325-11ce-bfc1-08002be10318}\0000 | findstr "{"
  2⤵
  PID:4196
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo [97m- {4d36e968-e325-11ce-bfc1-08002be10318}\0000 "
    3⤵
    PID:4548
- - C:\Windows\system32\findstr.exe
    findstr "{"
    3⤵
    PID:4236
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\System\ControlSet001\Control\Class\[97m-" /v "RMHdcpKeyglobZero" /t REG_DWORD /d "1" /f
  2⤵
  PID:1580
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\nvlddmkm" /v "DisablePreemption" /t Reg_DWORD /d "1" /f
  2⤵
  PID:4600
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\nvlddmkm" /v "DisableCudaContextPreemption" /t Reg_DWORD /d "1" /f
  2⤵
  PID:4124
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000" /v "GPUPreemptionLevel" /t REG_DWORD /d "0" /f
  2⤵
  PID:1504
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000" /v "ComputePreemption" /t REG_DWORD /d "0" /f
  2⤵
  PID:892
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000" /v "EnableMidGfxPreemptionVGPU" /t REG_DWORD /d "0" /f
  2⤵
  PID:3704
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000" /v "EnableMidBufferPreemptionForHighTdrTimeout" /t REG_DWORD /d "0" /f
  2⤵
  PID:2208
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000" /v "EnableAsyncMidBufferPreemption" /t REG_DWORD /d "0" /f
  2⤵
  PID:3748
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000" /v "EnableSCGMidBufferPreemption" /t REG_DWORD /d "0" /f
  2⤵
  PID:4292
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000" /v "PerfAnalyzeMidBufferPreemption" /t REG_DWORD /d "0" /f
  2⤵
  PID:680
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000" /v "EnableMidGfxPreemption" /t REG_DWORD /d "0" /f
  2⤵
  PID:3152
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000" /v "EnableMidBufferPreemption" /t REG_DWORD /d "0" /f
  2⤵
  PID:3788
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000" /v "EnableCEPreemption" /t REG_DWORD /d "0" /f
  2⤵
  PID:2112
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000" /v "DisableCudaContextPreemption" /t REG_DWORD /d "1" /f
  2⤵
  PID:1780
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000" /v "DisablePreemptionOnS3S4" /t REG_DWORD /d "1" /f
  2⤵
  PID:2544
- C:\Windows\system32\fsutil.exe
  fsutil behavior query memoryusage
  2⤵
  PID:2260
- C:\Windows\system32\fsutil.exe
  fsutil behavior set memoryusage 2
  2⤵
  PID:2860
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000" /v "D3PCLatency" /t REG_DWORD /d "1" /f
  2⤵
  PID:3448
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000" /v "F1TransitionLatency" /t REG_DWORD /d "1" /f
  2⤵
  PID:4708
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000" /v "LOWLATENCY" /t REG_DWORD /d "1" /f
  2⤵
  PID:1248
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000" /v "Node3DLowLatency" /t REG_DWORD /d "1" /f
  2⤵
  PID:3892
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000" /v "PciLatencyTimerControl" /t REG_DWORD /d "20" /f
  2⤵
  PID:4088
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000" /v "RMDeepL1EntryLatencyUsec" /t REG_DWORD /d "1" /f
  2⤵
  PID:4848
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000" /v "RmGspcMaxFtuS" /t REG_DWORD /d "1" /f
  2⤵
  PID:4880
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000" /v "RmGspcMinFtuS" /t REG_DWORD /d "1" /f
  2⤵
  PID:3456
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000" /v "RmGspcPerioduS" /t REG_DWORD /d "1" /f
  2⤵
  PID:2772
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000" /v "RMLpwrEiIdleThresholdUs" /t REG_DWORD /d "1" /f
  2⤵
  PID:3088
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000" /v "RMLpwrGrIdleThresholdUs" /t REG_DWORD /d "1" /f
  2⤵
  PID:896
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000" /v "RMLpwrGrRgIdleThresholdUs" /t REG_DWORD /d "1" /f
  2⤵
  PID:4988
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000" /v "RMLpwrMsIdleThresholdUs" /t REG_DWORD /d "1" /f
  2⤵
  PID:1560
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000" /v "VRDirectFlipDPCDelayUs" /t REG_DWORD /d "1" /f
  2⤵
  PID:2480
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000" /v "VRDirectFlipTimingMarginUs" /t REG_DWORD /d "1" /f
  2⤵
  PID:4288
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000" /v "VRDirectJITFlipMsHybridFlipDelayUs" /t REG_DWORD /d "1" /f
  2⤵
  PID:3400
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000" /v "vrrCursorMarginUs" /t REG_DWORD /d "1" /f
  2⤵
  PID:3600
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000" /v "vrrDeflickerMarginUs" /t REG_DWORD /d "1" /f
  2⤵
  PID:1276
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000" /v "vrrDeflickerMaxUs" /t REG_DWORD /d "1" /f
  2⤵
  PID:856
- C:\Windows\system32\reg.exe
  reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "NvBackend" /f
  2⤵
  PID:2240
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SOFTWARE\NVIDIA Corporation\Global\FTS" /v "EnableRID66610" /t REG_DWORD /d "0" /f
  2⤵
  PID:2808
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SOFTWARE\NVIDIA Corporation\Global\FTS" /v "EnableRID64640" /t REG_DWORD /d "0" /f
  2⤵
  PID:3368
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SOFTWARE\NVIDIA Corporation\Global\FTS" /v "EnableRID44231" /t REG_DWORD /d "0" /f
  2⤵
  PID:2140
- C:\Windows\system32\schtasks.exe
  schtasks /change /Disable /tn "NvTmRep_CrashReport1_{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}"
  2⤵
  PID:3760
- C:\Windows\system32\schtasks.exe
  schtasks /change /Disable /tn "NvTmRep_CrashReport2_{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}"
  2⤵
  PID:4696
- C:\Windows\system32\schtasks.exe
  schtasks /change /Disable /tn "NvTmRep_CrashReport3_{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}"
  2⤵
  PID:1048
- C:\Windows\system32\schtasks.exe
  schtasks /change /Disable /tn "NvTmRep_CrashReport4_{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}"
  2⤵
  PID:4936
- C:\Windows\system32\schtasks.exe
  schtasks /change /Disable /tn "NvDriverUpdateCheckDaily_{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}"
  2⤵
  PID:3792
- C:\Windows\system32\schtasks.exe
  schtasks /change /Disable /tn "NVIDIA GeForce Experience SelfUpdate_{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}"
  2⤵
  PID:4876
- C:\Windows\system32\schtasks.exe
  schtasks /change /Disable /tn "NvTmMon_{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}"
  2⤵
  PID:1136
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\GpuEnergyDrv" /v "Start" /t REG_DWORD /d "4" /f
  2⤵
  PID:4724
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\GpuEnergyDr" /v "Start" /t REG_DWORD /d "4" /f
  2⤵
  PID:912
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\nvlddmkm" /v "DisablePreemption" /t REG_DWORD /d "1" /f
  2⤵
  PID:3616
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\nvlddmkm" /v "DisableCudaContextPreemption" /t REG_DWORD /d "1" /f
  2⤵
  PID:3520
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\nvlddmkm" /v "EnableCEPreemption" /t REG_DWORD /d "0" /f
  2⤵
  PID:996
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\nvlddmkm" /v "DisablePreemptionOnS3S4" /t REG_DWORD /d "1" /f
  2⤵
  PID:4636
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\nvlddmkm" /v "ComputePreemption" /t REG_DWORD /d "0" /f
  2⤵
  PID:2984
- C:\Windows\system32\chcp.com
  chcp 65001
  2⤵
  PID:892
- C:\Windows\system32\bcdedit.exe
  bcdedit /set Disabledynamictick yes
  2⤵
  - Modifies boot configuration data using bcdedit
  PID:4824
- C:\Windows\system32\bcdedit.exe
  bcdedit /deletevalue useplatformclock
  2⤵
  - Modifies boot configuration data using bcdedit
  PID:2672
- C:\Windows\system32\bcdedit.exe
  bcdedit /set useplatformtick yes
  2⤵
  - Modifies boot configuration data using bcdedit
  PID:2052
- C:\Windows\system32\fsutil.exe
  fsutil behavior set memoryusage 2
  2⤵
  PID:1040
- C:\Windows\system32\fsutil.exe
  fsutil behavior set mftzone 4
  2⤵
  PID:1564
- C:\Windows\system32\fsutil.exe
  fsutil behavior set Disablinglastaccess 1
  2⤵
  PID:4884
- C:\Windows\system32\fsutil.exe
  fsutil behavior set Disabledeletenotify 1
  2⤵
  PID:1124
- C:\Windows\system32\fsutil.exe
  fsutil behavior set encryptpagingfile 0
  2⤵
  PID:4992
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Low Latency" /v "Affinity" /t REG_DWORD /d "0" /f
  2⤵
  PID:1736
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Low Latency" /v "Background Only" /t REG_SZ /d "False" /f
  2⤵
  PID:2404
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Low Latency" /v "BackgroundPriority" /t REG_DWORD /d "0" /f
  2⤵
  PID:1756
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Low Latency" /v "Clock Rate" /t REG_DWORD /d "10000" /f
  2⤵
  PID:2416
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Low Latency" /v "GPU Priority" /t REG_DWORD /d "8" /f
  2⤵
  PID:4560
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Low Latency" /v "Priority" /t REG_DWORD /d "2" /f
  2⤵
  PID:1360
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Low Latency" /v "Scheduling Category" /t REG_SZ /d "Medium" /f
  2⤵
  PID:3808
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Low Latency" /v "SFIO Priority" /t REG_SZ /d "High" /f
  2⤵
  PID:3176
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Low Latency" /v "Latency Sensitive" /t REG_SZ /d "True" /f
  2⤵
  PID:3352
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Games" /v "Affinity" /t REG_DWORD /d "0" /f
  2⤵
  PID:4960
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Games" /v "Background Only" /t REG_SZ /d "False" /f
  2⤵
  PID:2964
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Games" /v "BackgroundPriority" /t REG_DWORD /d "0" /f
  2⤵
  PID:2016
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Games" /v "Clock Rate" /t REG_DWORD /d "10000" /f
  2⤵
  PID:2916
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Games" /v "GPU Priority" /t REG_DWORD /d "8" /f
  2⤵
  PID:1260
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Games" /v "Priority" /t REG_DWORD /d "2" /f
  2⤵
  PID:4004
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Games" /v "Scheduling Category" /t REG_SZ /d "High" /f
  2⤵
  PID:2484
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Games" /v "SFIO Priority" /t REG_SZ /d "High" /f
  2⤵
  PID:3036
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Games" /v "Latency Sensitive" /t REG_SZ /d "True" /f
  2⤵
  PID:1796
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\PriorityControl" /v "Win32PrioritySeparation" /t REG_DWORD /d "38" /f
  2⤵
  PID:1364
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\PriorityControl" /v "IRQ8Priority" /t REG_DWORD /d "1" /f
  2⤵
  PID:2860
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\ControlSet001\Control\PriorityControl" /v "IRQ8Priority" /t REG_DWORD /d "1" /f
  2⤵
  PID:992
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\PriorityControl" /v "IRQ16Priority" /t REG_DWORD /d "2" /f
  2⤵
  PID:1280
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\ControlSet001\Control\PriorityControl" /v "IRQ16Priority" /t REG_DWORD /d "2" /f
  2⤵
  PID:2332
- C:\Windows\system32\reg.exe
  Reg.exe add "HKCU\Control Panel\Desktop" /v "AutoEndTasks" /t REG_SZ /d "1" /f
  2⤵
  PID:1680
- C:\Windows\system32\reg.exe
  Reg.exe add "HKCU\Control Panel\Desktop" /v "HungAppTimeout" /t REG_SZ /d "1000" /f
  2⤵
  PID:2596
- C:\Windows\system32\reg.exe
  Reg.exe add "HKCU\Control Panel\Desktop" /v "WaitToKillAppTimeout" /t REG_SZ /d "1000" /f
  2⤵
  PID:3692
- C:\Windows\system32\reg.exe
  Reg.exe add "HKCU\Control Panel\Desktop" /v "LowLevelHooksTimeout" /t REG_SZ /d "1000" /f
  2⤵
  PID:3968
- C:\Windows\system32\reg.exe
  Reg.exe add "HKCU\Control Panel\Desktop" /v "MenuShowDelay" /t REG_SZ /d "0" /f
  2⤵
  PID:4892
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control" /v "WaitToKillServiceTimeout" /t REG_SZ /d "1000" /f
  2⤵
  PID:3660
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Reliability" /v "TimeStampInterval" /t REG_DWORD /d "1" /f
  2⤵
  PID:1272
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Reliability" /v "IoPriority" /t REG_DWORD /d "3" /f
  2⤵
  PID:4600
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\csrss.exe\PerfOptions" /v "CpuPriorityClass" /t REG_DWORD /d "4" /f
  2⤵
  - Event Triggered Execution: Image File Execution Options Injection
  PID:4124
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\csrss.exe\PerfOptions" /v "IoPriority" /t REG_DWORD /d "3" /f
  2⤵
  - Event Triggered Execution: Image File Execution Options Injection
  PID:4396
- C:\Windows\system32\bcdedit.exe
  bcdedit /set configaccesspolicy Default
  2⤵
  - Modifies boot configuration data using bcdedit
  PID:1244
- C:\Windows\system32\bcdedit.exe
  bcdedit /set MSI Default
  2⤵
  - Modifies boot configuration data using bcdedit
  PID:1208
- C:\Windows\system32\bcdedit.exe
  bcdedit /set usephysicaldestination No
  2⤵
  - Modifies boot configuration data using bcdedit
  PID:2108
- C:\Windows\system32\bcdedit.exe
  bcdedit /set usefirmwarepcisettings No
  2⤵
  - Modifies boot configuration data using bcdedit
  PID:4516
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\DXGKrnl" /v "MonitorLatencyTolerance" /t REG_DWORD /d "1" /f
  2⤵
  PID:4496
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\DXGKrnl" /v "MonitorRefreshLatencyTolerance" /t REG_DWORD /d "1" /f
  2⤵
  PID:2028
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "ExitLatency" /t REG_DWORD /d "1" /f
  2⤵
  PID:2164
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "ExitLatencyCheckEnabled" /t REG_DWORD /d "1" /f
  2⤵
  PID:4920
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "Latency" /t REG_DWORD /d "1" /f
  2⤵
  PID:2780
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "LatencyToleranceDefault" /t REG_DWORD /d "1" /f
  2⤵
  PID:960
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "LatencyToleranceFSVP" /t REG_DWORD /d "1" /f
  2⤵
  PID:1992
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "LatencyTolerancePerfOverride" /t REG_DWORD /d "1" /f
  2⤵
  PID:1780
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "LatencyToleranceScreenOffIR" /t REG_DWORD /d "1" /f
  2⤵
  PID:2640
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "LatencyToleranceVSyncEnabled" /t REG_DWORD /d "1" /f
  2⤵
  PID:1296
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "RtlCapabilityCheckLatency" /t REG_DWORD /d "1" /f
  2⤵
  PID:1936
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\Power" /v "DefaultD3TransitionLatencyActivelyUsed" /t REG_DWORD /d "1" /f
  2⤵
  PID:3448
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\Power" /v "DefaultD3TransitionLatencyIdleLongTime" /t REG_DWORD /d "1" /f
  2⤵
  PID:4528
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\Power" /v "DefaultD3TransitionLatencyIdleMonitorOff" /t REG_DWORD /d "1" /f
  2⤵
  PID:3720
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\Power" /v "DefaultD3TransitionLatencyIdleNoContext" /t REG_DWORD /d "1" /f
  2⤵
  PID:2716
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\Power" /v "DefaultD3TransitionLatencyIdleShortTime" /t REG_DWORD /d "1" /f
  2⤵
  PID:4088
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\Power" /v "DefaultD3TransitionLatencyIdleVeryLongTime" /t REG_DWORD /d "1" /f
  2⤵
  PID:3172
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\Power" /v "DefaultLatencyToleranceIdle0" /t REG_DWORD /d "1" /f
  2⤵
  PID:4880
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\Power" /v "DefaultLatencyToleranceIdle0MonitorOff" /t REG_DWORD /d "1" /f
  2⤵
  PID:336
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\Power" /v "DefaultLatencyToleranceIdle1" /t REG_DWORD /d "1" /f
  2⤵
  PID:2772
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\Power" /v "DefaultLatencyToleranceIdle1MonitorOff" /t REG_DWORD /d "1" /f
  2⤵
  PID:1360
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\Power" /v "DefaultLatencyToleranceMemory" /t REG_DWORD /d "1" /f
  2⤵
  PID:3088
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\Power" /v "DefaultLatencyToleranceNoContext" /t REG_DWORD /d "1" /f
  2⤵
  PID:4800
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\Power" /v "DefaultLatencyToleranceNoContextMonitorOff" /t REG_DWORD /d "1" /f
  2⤵
  PID:5024
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\Power" /v "DefaultLatencyToleranceOther" /t REG_DWORD /d "1" /f
  2⤵
  PID:484
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\Power" /v "DefaultLatencyToleranceTimerPeriod" /t REG_DWORD /d "1" /f
  2⤵
  PID:4288
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\Power" /v "DefaultMemoryRefreshLatencyToleranceActivelyUsed" /t REG_DWORD /d "1" /f
  2⤵
  PID:3400
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\Power" /v "DefaultMemoryRefreshLatencyToleranceMonitorOff" /t REG_DWORD /d "1" /f
  2⤵
  PID:1888
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\Power" /v "DefaultMemoryRefreshLatencyToleranceNoContext" /t REG_DWORD /d "1" /f
  2⤵
  PID:1260
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\Power" /v "Latency" /t REG_DWORD /d "1" /f
  2⤵
  PID:4004
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\Power" /v "MaxIAverageGraphicsLatencyInOneBucket" /t REG_DWORD /d "1" /f
  2⤵
  PID:2484
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\Power" /v "MiracastPerfTrackGraphicsLatency" /t REG_DWORD /d "1" /f
  2⤵
  PID:3036
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\Power" /v "MonitorLatencyTolerance" /t REG_DWORD /d "1" /f
  2⤵
  PID:1796
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\Power" /v "MonitorRefreshLatencyTolerance" /t REG_DWORD /d "1" /f
  2⤵
  PID:1364
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\Power" /v "TransitionLatency" /t REG_DWORD /d "1" /f
  2⤵
  PID:2860
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile" /v "SystemResponsiveness" /t REG_DWORD /d "0" /f
  2⤵
  PID:992
- C:\Windows\system32\chcp.com
  chcp 65001
  2⤵
  PID:1680
- C:\Windows\system32\reg.exe
  Reg.exe add "HKCU\Control Panel\Accessibility\Keyboard Response" /v "Flags" /t REG_SZ /d "122" /f
  2⤵
  PID:1136
- C:\Windows\system32\reg.exe
  Reg.exe add "HKCU\Control Panel\Accessibility\ToggleKeys" /v "Flags" /t REG_SZ /d "58" /f
  2⤵
  PID:1148
- C:\Windows\system32\reg.exe
  Reg.exe add "HKCU\Control Panel\Accessibility\StickyKeys" /v "Flags" /t REG_SZ /d "506" /f
  2⤵
  PID:1424
- C:\Windows\system32\reg.exe
  Reg.exe add "HKCU\Control Panel\Accessibility\MouseKeys" /v "Flags" /t REG_SZ /d "0" /f
  2⤵
  PID:4196
- C:\Windows\system32\reg.exe
  Reg.exe add "HKCU\Control Panel\Mouse" /v "MouseSpeed" /t REG_SZ /d "0" /f
  2⤵
  PID:1612
- C:\Windows\system32\reg.exe
  Reg.exe add "HKCU\Control Panel\Mouse" /v "MouseThreshold1" /t REG_SZ /d "0" /f
  2⤵
  PID:5036
- C:\Windows\system32\reg.exe
  Reg.exe add "HKCU\Control Panel\Mouse" /v "MouseThreshold2" /t REG_SZ /d "0" /f
  2⤵
  PID:556
- C:\Windows\system32\reg.exe
  Reg.exe add "HKCU\Control Panel\Mouse" /v "MouseSensitivity" /t REG_SZ /d "10" /f
  2⤵
  PID:3760
- C:\Windows\system32\reg.exe
  Reg.exe add "HKCU\Control Panel\Keyboard" /v "KeyboardDelay" /t REG_SZ /d "0" /f
  2⤵
  PID:5004
- C:\Windows\system32\reg.exe
  Reg.exe add "HKCU\Control Panel\Keyboard" /v "KeyboardSpeed" /t REG_SZ /d "31" /f
  2⤵
  PID:1820
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\mouclass\Parameters" /v "MouseDataQueueSize" /t REG_DWORD /d "20" /f
  2⤵
  PID:3052
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\kbdclass\Parameters" /v "KeyboardDataQueueSize" /t REG_DWORD /d "20" /f
  2⤵
  PID:2108
- C:\Windows\system32\chcp.com
  chcp 65001
  2⤵
  PID:3308
- C:\Windows\system32\chcp.com
  chcp 65001
  2⤵
  PID:4788
- C:\Windows\system32\cleanmgr.exe
  cleanmgr.exe
  2⤵
  - Enumerates connected drives
  PID:1232
- C:\Windows\system32\chcp.com
  chcp 65001
  2⤵
  PID:2780
- C:\Windows\system32\chcp.com
  chcp 437
  2⤵
  PID:4228
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  PowerShell -Command "Disable-MMAgent -MemoryCompression"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:1992
- C:\Windows\system32\chcp.com
  chcp 65001
  2⤵
  PID:4880
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control" /v "SvcHostSplitThresholdInKB" /t REG_DWORD /d "16777216" /f
  2⤵
  PID:2068
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v "LargeSystemCache" /t REG_DWORD /d "1" /f
  2⤵
  PID:1288
- C:\Windows\system32\chcp.com
  chcp 437
  2⤵
  PID:3808
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  PowerShell -Command "Disable-MMAgent -PageCombining"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:3176
- C:\Windows\system32\chcp.com
  chcp 65001
  2⤵
  PID:3276
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v "DisablePagingExecutive" /t REG_DWORD /d "1" /f
  2⤵
  PID:3112
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\GraphicsDrivers" /v "DpiMapIommuContiguous" /t REG_DWORD /d "1" /f
  2⤵
  PID:72
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters" /v "EnablingPrefetcher" /t REG_DWORD /d "0" /f
  2⤵
  PID:2980
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters" /v "EnablingSuperfetch" /t REG_DWORD /d "0" /f
  2⤵
  PID:4036
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v "ClearPageFileAtShutdown" /t REG_DWORD /d "0" /f
  2⤵
  PID:2136
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v "NonPagedPoolQuota" /t REG_DWORD /d "0" /f
  2⤵
  PID:3228
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v "NonPagedPoolSize" /t REG_DWORD /d "0" /f
  2⤵
  PID:1280
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v "PagedPoolQuota" /t REG_DWORD /d "0" /f
  2⤵
  PID:3792
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v "PagedPoolSize" /t REG_DWORD /d "192" /f
  2⤵
  PID:4876
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v "SecondLevelDataCache" /t REG_DWORD /d "1024" /f
  2⤵
  PID:2788
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v "SessionPoolSize" /t REG_DWORD /d "192" /f
  2⤵
  PID:2228
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v "SessionViewSize" /t REG_DWORD /d "192" /f
  2⤵
  PID:2756
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v "SystemPages" /t REG_DWORD /d "4294967295" /f
  2⤵
  PID:1180
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v "PhysicalAddressExtension" /t REG_DWORD /d "1" /f
  2⤵
  PID:128
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v "FeatureSettings" /t REG_DWORD /d "1" /f
  2⤵
  PID:3344
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v "FeatureSettingsOverride" /t REG_DWORD /d "3" /f
  2⤵
  PID:1188
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v "FeatureSettingsOverrideMask" /t REG_DWORD /d "3" /f
  2⤵
  PID:1420
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v "PoolUsageMaximum" /t REG_DWORD /d "96" /f
  2⤵
  PID:3968
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v "Start" /t REG_DWORD /d "4" /f
  2⤵
  PID:2096
- C:\Windows\system32\chcp.com
  chcp 65001
  2⤵
  PID:1580
- C:\Windows\system32\SystemPropertiesPerformance.exe
  C:\Windows\system32\SystemPropertiesPerformance.exe
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  PID:5004
- C:\Windows\system32\chcp.com
  chcp 65001
  2⤵
  PID:3148

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Event Triggered Execution

T1546

Image File Execution Options Injection

T1546.012

Privilege Escalation

Event Triggered Execution

T1546

Image File Execution Options Injection

T1546.012

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
88dc70c361a22feac57b031dd9c1f02f

SHA1
a9b4732260c2a323750022a73480f229ce25d46d

SHA256
43244c0820ec5074e654ecd149fa744f51b2c1522e90285567713dae64b62f59

SHA512
19c0532741ebc9751390e6c5ca593a81493652f25c74c8cab29a8b5b1f1efef8d511254a04f50b0c4a20724bae10d96d52af7a76b0c85ddc5f020d4cac41100c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
826c7cac03e3ae47bfe2a7e50281605e

SHA1
100fbea3e078edec43db48c3312fbbf83f11fca0

SHA256
239b1d7cc6f76e1d1832b0587664f114f38a21539cb8548e25626ed5053ea2ab

SHA512
a82f3c817a6460fd8907a4ac6ab37c2129fb5466707edcfb565c255680d7f7212a5669fe2a42976150f16e4e549ea8310078f22ed35514ee1b7b45b46d8cc96e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
02a4b762e84a74f9ee8a7d8ddd34fedb

SHA1
4a870e3bd7fd56235062789d780610f95e3b8785

SHA256
366e497233268d7cdf699242e4b2c7ecc1999d0a84e12744f5af2b638e9d86da

SHA512
19028c45f2e05a0cb32865a2554513c1536bf9da63512ff4e964c94a3e171f373493c7787d2d2a6df8012648bbefab63a9de924f119c50c39c727cf81bdc659f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
bcfc8e0eb09f2f5ce5c513ba1cedcddd

SHA1
07084e2867aa739493935943f84d0a9f49ea46a5

SHA256
b3c39fc0a8ceaa5bbc6bf24fa656b0a750d1effd0a6ca2a78658752f3fe6e935

SHA512
60329381984c2df7c621a99128c6f950b7925643f39796d3fb7a474cdf9c90cb8cd28635b4fea34cefc5fbe34fcb478401a914887caeb03e8ef19fbb5ffacbe8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
3KB

MD5
3a6277a203a11992a95b49dd65fe0f26

SHA1
8c6c2f42aeaf6cc8719e2347f54ca7b58bf19d4d

SHA256
087a6b7718c89c768a5654df5a1fe9200531fdc5679fcbdc93f9b0ec2194a9c2

SHA512
0c1156e3625184ba674c256a7ec5b2327da5c57437a41d64421d1395091475e631c1430075626d7fc5be938241bc40b3a83117adba7b87e7257f7f0fd81bad49

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
98b3b1f3bb5aa6d40ca7ddc5ac8777dc

SHA1
b98d23e8d178b0a0ac653d61dde582a46025c234

SHA256
12e147d55df8a197230bace8d3f6f1543cbd5010b68fb78bed7c27871014259c

SHA512
7ed77e267fc1581b945438785ce1e5bfefb8d52a2a265162b4ad2d39601d7ac091c8189780847d7487dd23721624d5e2613cc7e0124e98969a5f3873ec368246

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
4d39888bce560f0440a531a68b617d36

SHA1
67deca2e8a452f3e12a06bf1057166268d3d12e9

SHA256
585ad5bcf4a58b7e29df3f2affbfbf851bb8d7c0f8a17aa8eea11a3bcb8b425c

SHA512
2cfaa4afdd86d42fcafbdd812c8c2ee43fcc01376c5f0938720d163cbb16b5d3ed18f2e4062537179e76d09cbada17ccc28ffb2679a554e7a2041532e17e2bd0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
8f7fe9e14327b01567529ef6ae9eacfc

SHA1
9297b469b22128459a1493e188cab28701f079bb

SHA256
066102b37585f401dd591cabb44366ab5fadbf97a596ce46317847d0cfd2123c

SHA512
63dfeb49a4ae83059fb6242144f9034c53118a0cbefbf44db1d2c12331a284283249abd197c0cf09ecefc8fa2420654d52c44f68625c4d725925fd2e614d1b12

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
bbc6e9e9d9c9f53e23cfdb3837dff65e

SHA1
395fce16c00c2b03e83f8d0fdb7ed8258e8df251

SHA256
e9ca6a2b3ffdc81e77a64c975cdef0b606b099912d7e2b223bebb00794c78ccd

SHA512
99859af6b411f5d25abcda5fa568b62d6c8cc02d3f73d6c24b392e5cd180ee910e803e306191d8f6a749af593dc709c5783b9bc1c3cf0434b631aababd920239

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57e00f.TMP

Filesize
874B

MD5
098c292471de44d7f5ab7462dd1f8ac5

SHA1
bfe14cff5dc076f9c0ad31afdd04d017581b7b4b

SHA256
420a7c089e2b4cb10fbf4a464737ed089d578ab5a1f73e3b65edb312c36f854e

SHA512
f1d09ed165735f15af0e5994b98c8a296ab164269c216b963b97178a5767f1f649cc79ada6904fe5f922d73804451286785d37152bf0f8771b3148be3aef2862

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
171d3753740e5e319bc2a20cde642761

SHA1
f4d6dac87a68b06eb5d76b819f7480497c30f829

SHA256
728a11b87104c333718b77f142c2f142e4000790c3e1378369596a5733c38df1

SHA512
8539ea087befbc0173134b111a64c9cdbe4ac92c661588263e36216e87e15c698adca221222802847cd73c08677d2acbc71d40af9b5ef3e85a8660d36cefea99

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
fa80c77dd2a2521e06beebbec8096df7

SHA1
953fcf5dc4d15a5442cc2de57e947b5fe7fd9f39

SHA256
3dcb35d946527842d57d36af7554a14f736c32a03d891b0813cc8a741b0e1f45

SHA512
50d61d22ae22acf8afb2c65edffead55467f774d009278e9bc8deeee7097f7025b5c9ef0367f17b2d44569abe67c8180233710032461c2a197be9c8e3e7cf659

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
50a8221b93fbd2628ac460dd408a9fc1

SHA1
7e99fe16a9b14079b6f0316c37cc473e1f83a7e6

SHA256
46e488628e5348c9c4dfcdeed5a91747eae3b3aa49ae1b94d37173b6609efa0e

SHA512
27dda53e7edcc1a12c61234e850fe73bf3923f5c3c19826b67f2faf9e0a14ba6658001a9d6a56a7036409feb9238dd452406e88e318919127b4a06c64dba86f0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
9598b277fe6b7cf90bbbbcffe042b5de

SHA1
ccec371c8363662622145670a2bba7360bbbb59e

SHA256
a6045005178ebac88a78fe8e69c7a13a3e144a4a3dfe0b4db21fe312fcf73e0a

SHA512
e99eaf14a82a66859cd1b9e999c3bf4887b7ab7bcbdf809d593995f15674a991c5b690c04a99d8a1e6fe55944221211cfe4fb0330936d258e59ec15d4f2fb837

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
b8f29a88ab8afbf90d6e88acbbb92eb0

SHA1
1ba513edaced2044ead4afaa44758ca5e75f5b92

SHA256
edcf4e1ba43bc86ddeedbd24f2fccc8cd71d33a393cf02635c113e53c4712e56

SHA512
27cd7196629fefe907221793e20c8343080fb753b5c37c0cb1da2edcc54076d4818e8a61469335f72edca5a6ec8cdd7187a224e6c134e83e7efb3cacb7ac88b3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
93aa542df79178d86e2a3daa27dfe898

SHA1
7b9e2db410db64ff0174b627e5e787826b2b8fec

SHA256
be782977ade84e1e82e3a789cf0827c9d717f31e5592b233256a804456d13904

SHA512
9a860343f7677d8eaf0b2eb1337f78effae70dead006db34a14a487c78ee8d776c42ec08bdcf3f803f6652392f00304024ac344bbf31976c9766260e167c960b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
edfc3b567d7ec8c2a6173d76f9a55719

SHA1
e16725e0279647580313fa874555dbbe48fae6ef

SHA256
77b1ad669811b544341e2adce27e4ec0f6115ae2d149df858f41fa2d985daee7

SHA512
227642874c747fb4bc17e197a8fc9856e5c14908c00e8e5643864d28e115b800dbd101f03e1057fa4a32893cf95f32225e485cd55859f8b645d185a5caa56f7b

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat

Filesize
10KB

MD5
4ed4cf9c7f88c6319369aceb286048b3

SHA1
580dff38b8d7f3e42135a51dba7f078b77b29459

SHA256
270af2df978dfe0db5d67c477d6659b7e4c5d1ca00c81649c47675cb603bf03e

SHA512
47a8af324d10c2b36acd7605be7409ae34745383e9a0dc9eef1d29db78a4a877dd8f94c2239c221f2af1a913408f1a1e0bdfbb16a88467b406f001a77228a75c

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_xfncuogb.zrj.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\exm.zip

Filesize
1.2MB

MD5
db0e9e1953431cc977c3e95bd3d36ab6

SHA1
4f34027bfd24a54e269721e07f3fedceb7841e70

SHA256
c4e798355111c34ae3424a1c102758335a5e24f714831b15a5bf2a1303df9097

SHA512
0874095e38b8c5ab0e2f68fddb77ea2283ef6515349417446aef12e6b9e4456c429b156423858830264cbbe9cacc4a32d9cc2325135432bebc0c5b38720fff9a

Download Submit
C:\Users\Admin\Downloads\EXM Free Tweaking Utility V7.1.zip:Zone.Identifier

Filesize
186B

MD5
caa64b1a426a924c4d8f81ea91bb2181

SHA1
e7063ffdfd8897d607589146dd1464f087d0b245

SHA256
562b465e145f68adaf8cd856ed2d2807681bab90cd5d976847103e68ed58cadd

SHA512
b80d7914a6dea8f90c9cf80adc94a7be42a1962cebd6ce303d0422d64f5d3bdc6fd07dbd9248d04eeee8566c7c47e7d598926927c99352a5fc7f42301f3f57a4

Download Submit
C:\Users\Admin\Downloads\Nicht bestätigt 791629.crdownload

Filesize
45KB

MD5
98cd3d6363cf97d5ba3bac68e578a02a

SHA1
07082270f40bdf9d6cbafdf219139bf1acc1c97a

SHA256
f4948a32fe575320cbd82574f8ab9dae1a3bedb2fc5c0418173927e61fb9f66f

SHA512
c2de27834b5c4a7e37b34852c792fab32bb4f2bcceb928b90a276e0d32c07780df4662b317f5bb93c973a91e6d9d720cf8ce85627ed6bb1653c5a725f6666879

Download Submit
C:\exm\v5.0_free_resources\nvidiaProfileInspector.exe

Filesize
535KB

MD5
ff5f39370b67a274cb58ba7e2039d2e2

SHA1
3020bb33e563e9efe59ea22aa4588bed5f1b2897

SHA256
1233487ea4db928ee062f12b00a6eda01445d001ab55566107234dea4dc65872

SHA512
7decec37c80d1d5ad6296d737d5d16c4fc92353a3ae4bd083c4a7b267bb6073a53d9f6152b20f9b5e62ba6c93f76d08f813812a83ce164db4c91107d7ad5a95f

Download Submit
C:\exm\v5.0_free_resources\nvidiaProfileInspector.exe.config

Filesize
158B

MD5
ce6d0bc7328b0fab08de80f292c1eaa4

SHA1
ae505d6f60a71259b91865f6d5a3d674e9de0ebe

SHA256
383b8dcb968b6bd0633658d9bb55c4acaf4c85a075aa456904a42d4e4efd5561

SHA512
f009ad44131f19997c7c7be38144132d9f701fda4492f3782a2717b92859f189196fac5a7d7e6ff6952f2c1735f27ffaddf0f7acbb45b98a7d85572e96c16c00

Download Submit
memory/680-218-0x000001B0B9EC0000-0x000001B0B9ED0000-memory.dmp

Filesize
64KB

Download
memory/680-209-0x000001B0B9EF0000-0x000001B0B9F12000-memory.dmp

Filesize
136KB

Download
memory/680-208-0x000001B0D2050000-0x000001B0D20D6000-memory.dmp

Filesize
536KB

Download
memory/680-222-0x000001B0D1FC0000-0x000001B0D200B000-memory.dmp

Filesize
300KB

Download
memory/680-219-0x000001B0D21F0000-0x000001B0D22F4000-memory.dmp

Filesize
1.0MB

Download
memory/1992-343-0x000001A9F7EE0000-0x000001A9F7F2A000-memory.dmp

Filesize
296KB

Download
memory/1992-344-0x000001A9F7F30000-0x000001A9F7F4E000-memory.dmp

Filesize
120KB

Download
memory/2028-278-0x00000281CCBE0000-0x00000281CCBFA000-memory.dmp

Filesize
104KB

Download
memory/2028-261-0x00000281CCC40000-0x00000281CCC4A000-memory.dmp

Filesize
40KB

Download
memory/2028-260-0x00000281CCD60000-0x00000281CCD72000-memory.dmp

Filesize
72KB

Download
memory/2028-259-0x00000281CCD40000-0x00000281CCD56000-memory.dmp

Filesize
88KB

Download
memory/3600-294-0x000002225AEE0000-0x000002225AF6C000-memory.dmp

Filesize
560KB

Download
memory/3760-248-0x000001F3C64D0000-0x000001F3C651B000-memory.dmp

Filesize
300KB

Download
memory/3924-289-0x00000180E6CE0000-0x00000180E6CFA000-memory.dmp

Filesize
104KB

Download