d2a8d5644bb0444ad263912f077f16e30048efc443ef2715f131ca3f49786022

Resubmissions

09-09-2022 05:29

220909-f6xcksdehl 7

09-09-2022 05:25

220909-f4cv6adehk 7

Analysis

max time kernel
95s
max time network
118s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
09-09-2022 05:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

projectnightfall1.0.1.exe
Size

102.5MB
MD5

4eab2cfdfbbea8b42161b536c2e0d88c
SHA1

26a94566feccf507fcab6955e8a5a91036f06adf
SHA256

5d89774b101b606dbbd370858ed2b4e0901f1fb0430666f33302165c8c905907
SHA512

cd70510d7a1cfaeaa8045a000f8c7ceba2fce78f0f743d38d59c28643d019c62f85538c69acaa207605d7911ea687753ffde4bea6c863a12fc03a46334607f65
SSDEEP

786432:d0LoCOn+2Ks4urYDNulLBiuILkXXrwdLyzbr+CAHZvSFjN4xl6+T2uDQJegmGP01:dMoCm/KXwc5P

Score

7^/10

spyware stealer

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	projectnightfall1.0.1.exe

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Updater.exe	projectnightfall1.0.1.exe

Loads dropped DLL 2 IoCs

pid	Process
4216	projectnightfall1.0.1.exe
4216	projectnightfall1.0.1.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
63	ipinfo.io
64	ipinfo.io

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	projectnightfall1.0.1.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	projectnightfall1.0.1.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	projectnightfall1.0.1.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	projectnightfall1.0.1.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	projectnightfall1.0.1.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	projectnightfall1.0.1.exe

Enumerates processes with tasklist 1 TTPs 64 IoCs

Process Discovery

T1057

pid	Process
6048	tasklist.exe
5368	tasklist.exe
1996	tasklist.exe
2460	tasklist.exe
316	tasklist.exe
5580	tasklist.exe
5276	tasklist.exe
3236	tasklist.exe
6068	tasklist.exe
4504	tasklist.exe
3548	tasklist.exe
1668	tasklist.exe
5632	tasklist.exe
4324	tasklist.exe
1784	tasklist.exe
5276	tasklist.exe
1988	tasklist.exe
2128	tasklist.exe
3760	tasklist.exe
5540	tasklist.exe
6120	tasklist.exe
5656	tasklist.exe
3244	tasklist.exe
5680	tasklist.exe
6072	tasklist.exe
6044	tasklist.exe
6092	tasklist.exe
5060	tasklist.exe
4132	tasklist.exe
5596	tasklist.exe
4724	tasklist.exe
5640	tasklist.exe
2424	tasklist.exe
1504	tasklist.exe
6108	tasklist.exe
3704	tasklist.exe
5396	tasklist.exe
1904	tasklist.exe
5852	tasklist.exe
1300	tasklist.exe
5072	tasklist.exe
4688	tasklist.exe
4164	tasklist.exe
5004	tasklist.exe
3884	tasklist.exe
2984	tasklist.exe
1784	tasklist.exe
4128	tasklist.exe
824	tasklist.exe
1436	tasklist.exe
5500	tasklist.exe
3960	tasklist.exe
624	tasklist.exe
1768	tasklist.exe
1296	tasklist.exe
5592	tasklist.exe
5752	tasklist.exe
1272	tasklist.exe
5728	tasklist.exe
5820	tasklist.exe
5308	tasklist.exe
5296	tasklist.exe
5680	tasklist.exe
824	tasklist.exe

Gathers network information 2 TTPs 4 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command-Line Interface

T1059

pid	Process
2012	NETSTAT.EXE
3432	NETSTAT.EXE
2324	NETSTAT.EXE
5864	ipconfig.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2588	ping.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4628	powershell.exe
4628	powershell.exe
4216	projectnightfall1.0.1.exe
4216	projectnightfall1.0.1.exe
4216	projectnightfall1.0.1.exe
4216	projectnightfall1.0.1.exe
4216	projectnightfall1.0.1.exe
1300	powershell.exe
1300	powershell.exe
1300	tasklist.exe
4216	projectnightfall1.0.1.exe
4192	cmd.exe
4192	cmd.exe
2628	powershell.exe
2628	powershell.exe
4304	powershell.exe
4304	powershell.exe
2984	tasklist.exe
2984	tasklist.exe
3756	powershell.exe
3756	powershell.exe
3860	powershell.exe
3860	powershell.exe
4816	powershell.exe
4816	powershell.exe
4012	powershell.exe
4012	powershell.exe
2324	NETSTAT.EXE
2324	NETSTAT.EXE
4492	powershell.exe
4492	powershell.exe
4304	powershell.exe
4192	cmd.exe
2628	powershell.exe
2984	tasklist.exe
3860	powershell.exe
4816	powershell.exe
3756	powershell.exe
2324	NETSTAT.EXE
4492	powershell.exe
4012	powershell.exe
5124	powershell.exe
5124	powershell.exe
5124	powershell.exe
5596	cmd.exe
5596	cmd.exe
5596	cmd.exe
5876	powershell.exe
5876	powershell.exe
5876	powershell.exe
5332	powershell.exe
5332	powershell.exe
5332	powershell.exe
2032	cmd.exe
2032	cmd.exe
2032	cmd.exe
752	powershell.exe
752	powershell.exe
752	powershell.exe
1804	powershell.exe
1804	powershell.exe
1804	powershell.exe
4072	powershell.exe
4072	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4628	powershell.exe
Token: SeDebugPrivilege	3884	tasklist.exe
Token: SeDebugPrivilege	1300	powershell.exe
Token: SeDebugPrivilege	4192	cmd.exe
Token: SeDebugPrivilege	2628	powershell.exe
Token: SeDebugPrivilege	4304	powershell.exe
Token: SeDebugPrivilege	2984	tasklist.exe
Token: SeDebugPrivilege	3756	powershell.exe
Token: SeDebugPrivilege	3860	powershell.exe
Token: SeDebugPrivilege	1572	tasklist.exe
Token: SeDebugPrivilege	3432	NETSTAT.EXE
Token: SeDebugPrivilege	4816	powershell.exe
Token: SeDebugPrivilege	4012	powershell.exe
Token: SeDebugPrivilege	2324	NETSTAT.EXE
Token: SeDebugPrivilege	4492	powershell.exe
Token: SeDebugPrivilege	1988	tasklist.exe
Token: SeDebugPrivilege	5124	powershell.exe
Token: SeDebugPrivilege	5308	tasklist.exe
Token: SeDebugPrivilege	5456	tasklist.exe
Token: SeDebugPrivilege	5580	cmd.exe
Token: SeDebugPrivilege	5656	tasklist.exe
Token: SeDebugPrivilege	5596	cmd.exe
Token: SeDebugPrivilege	5820	tasklist.exe
Token: SeDebugPrivilege	5852	tasklist.exe
Token: SeDebugPrivilege	5876	powershell.exe
Token: SeDebugPrivilege	6068	tasklist.exe
Token: SeIncreaseQuotaPrivilege	2628	cmd.exe
Token: SeSecurityPrivilege	2628	cmd.exe
Token: SeTakeOwnershipPrivilege	2628	cmd.exe
Token: SeLoadDriverPrivilege	2628	cmd.exe
Token: SeSystemProfilePrivilege	2628	cmd.exe
Token: SeSystemtimePrivilege	2628	cmd.exe
Token: SeProfSingleProcessPrivilege	2628	cmd.exe
Token: SeIncBasePriorityPrivilege	2628	cmd.exe
Token: SeCreatePagefilePrivilege	2628	cmd.exe
Token: SeBackupPrivilege	2628	cmd.exe
Token: SeRestorePrivilege	2628	cmd.exe
Token: SeShutdownPrivilege	2628	cmd.exe
Token: SeDebugPrivilege	2628	cmd.exe
Token: SeSystemEnvironmentPrivilege	2628	cmd.exe
Token: SeRemoteShutdownPrivilege	2628	cmd.exe
Token: SeUndockPrivilege	2628	cmd.exe
Token: SeManageVolumePrivilege	2628	cmd.exe
Token: 33	2628	cmd.exe
Token: 34	2628	cmd.exe
Token: 35	2628	cmd.exe
Token: 36	2628	cmd.exe
Token: SeDebugPrivilege	4076	tasklist.exe
Token: SeDebugPrivilege	5296	tasklist.exe
Token: SeDebugPrivilege	5332	powershell.exe
Token: SeDebugPrivilege	6048	tasklist.exe
Token: SeDebugPrivilege	2424	tasklist.exe
Token: SeDebugPrivilege	624	tasklist.exe
Token: SeDebugPrivilege	2032	cmd.exe
Token: SeDebugPrivilege	1300	tasklist.exe
Token: SeDebugPrivilege	5680	tasklist.exe
Token: SeDebugPrivilege	752	powershell.exe
Token: SeDebugPrivilege	2256	tasklist.exe
Token: SeDebugPrivilege	1504	tasklist.exe
Token: SeDebugPrivilege	4448	tasklist.exe
Token: SeDebugPrivilege	1768	tasklist.exe
Token: SeDebugPrivilege	1804	powershell.exe
Token: SeDebugPrivilege	6108	tasklist.exe
Token: SeDebugPrivilege	5276	tasklist.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4216 wrote to memory of 3384	4216	projectnightfall1.0.1.exe	83
PID 4216 wrote to memory of 3384	4216	projectnightfall1.0.1.exe	83
PID 3384 wrote to memory of 4628	3384	cmd.exe	84
PID 3384 wrote to memory of 4628	3384	cmd.exe	84
PID 4628 wrote to memory of 316	4628	powershell.exe	87
PID 4628 wrote to memory of 316	4628	powershell.exe	87
PID 316 wrote to memory of 4712	316	csc.exe	90
PID 316 wrote to memory of 4712	316	csc.exe	90
PID 4216 wrote to memory of 2844	4216	projectnightfall1.0.1.exe	92
PID 4216 wrote to memory of 2844	4216	projectnightfall1.0.1.exe	92
PID 2844 wrote to memory of 1080	2844	cmd.exe	94
PID 2844 wrote to memory of 1080	2844	cmd.exe	94
PID 4216 wrote to memory of 3696	4216	projectnightfall1.0.1.exe	96
PID 4216 wrote to memory of 3696	4216	projectnightfall1.0.1.exe	96
PID 3696 wrote to memory of 3884	3696	cmd.exe	98
PID 3696 wrote to memory of 3884	3696	cmd.exe	98
PID 4216 wrote to memory of 2132	4216	projectnightfall1.0.1.exe	99
PID 4216 wrote to memory of 2132	4216	projectnightfall1.0.1.exe	99
PID 2132 wrote to memory of 1300	2132	cmd.exe	100
PID 2132 wrote to memory of 1300	2132	cmd.exe	100
PID 4216 wrote to memory of 3732	4216	projectnightfall1.0.1.exe	101
PID 4216 wrote to memory of 3732	4216	projectnightfall1.0.1.exe	101
PID 3732 wrote to memory of 2012	3732	cmd.exe	103
PID 3732 wrote to memory of 2012	3732	cmd.exe	103
PID 2012 wrote to memory of 1520	2012	NETSTAT.EXE	104
PID 2012 wrote to memory of 1520	2012	NETSTAT.EXE	104
PID 1520 wrote to memory of 4564	1520	cmd.exe	105
PID 1520 wrote to memory of 4564	1520	cmd.exe	105
PID 4216 wrote to memory of 4916	4216	projectnightfall1.0.1.exe	106
PID 4216 wrote to memory of 4916	4216	projectnightfall1.0.1.exe	106
PID 4216 wrote to memory of 4192	4216	projectnightfall1.0.1.exe	113
PID 4216 wrote to memory of 4192	4216	projectnightfall1.0.1.exe	113
PID 4216 wrote to memory of 4304	4216	projectnightfall1.0.1.exe	108
PID 4216 wrote to memory of 4304	4216	projectnightfall1.0.1.exe	108
PID 4216 wrote to memory of 2984	4216	projectnightfall1.0.1.exe	203
PID 4216 wrote to memory of 2984	4216	projectnightfall1.0.1.exe	203
PID 4216 wrote to memory of 2628	4216	projectnightfall1.0.1.exe	111
PID 4216 wrote to memory of 2628	4216	projectnightfall1.0.1.exe	111
PID 4216 wrote to memory of 3860	4216	projectnightfall1.0.1.exe	114
PID 4216 wrote to memory of 3860	4216	projectnightfall1.0.1.exe	114
PID 4216 wrote to memory of 4816	4216	projectnightfall1.0.1.exe	130
PID 4216 wrote to memory of 4816	4216	projectnightfall1.0.1.exe	130
PID 4216 wrote to memory of 4012	4216	projectnightfall1.0.1.exe	129
PID 4216 wrote to memory of 4012	4216	projectnightfall1.0.1.exe	129
PID 4216 wrote to memory of 2324	4216	projectnightfall1.0.1.exe	220
PID 4216 wrote to memory of 2324	4216	projectnightfall1.0.1.exe	220
PID 4216 wrote to memory of 3756	4216	projectnightfall1.0.1.exe	122
PID 4216 wrote to memory of 3756	4216	projectnightfall1.0.1.exe	122
PID 4216 wrote to memory of 2588	4216	projectnightfall1.0.1.exe	120
PID 4216 wrote to memory of 2588	4216	projectnightfall1.0.1.exe	120
PID 4216 wrote to memory of 4492	4216	projectnightfall1.0.1.exe	123
PID 4216 wrote to memory of 4492	4216	projectnightfall1.0.1.exe	123
PID 4216 wrote to memory of 4592	4216	projectnightfall1.0.1.exe	124
PID 4216 wrote to memory of 4592	4216	projectnightfall1.0.1.exe	124
PID 4916 wrote to memory of 3432	4916	cmd.exe	127
PID 4916 wrote to memory of 3432	4916	cmd.exe	127
PID 4592 wrote to memory of 1572	4592	cmd.exe	128
PID 4592 wrote to memory of 1572	4592	cmd.exe	128
PID 4216 wrote to memory of 480	4216	projectnightfall1.0.1.exe	133
PID 4216 wrote to memory of 480	4216	projectnightfall1.0.1.exe	133
PID 480 wrote to memory of 1988	480	cmd.exe	134
PID 480 wrote to memory of 1988	480	cmd.exe	134
PID 4216 wrote to memory of 4608	4216	projectnightfall1.0.1.exe	136
PID 4216 wrote to memory of 4608	4216	projectnightfall1.0.1.exe	136

C:\Users\Admin\AppData\Local\Temp\projectnightfall1.0.1.exe
"C:\Users\Admin\AppData\Local\Temp\projectnightfall1.0.1.exe"
1⤵
- Checks computer location settings
- Drops startup file
- Loads dropped DLL
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4216
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "Powershell -NoLogo -NonInteractive -NoProfile -ExecutionPolicy Bypass -Encoded WwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBUAEYAOAAuAEcAZQB0AFMAdAByAGkAbgBnACgAWwBTAHkAcwB0AGUAbQAuAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoACgAJwB7ACIAUwBjAHIAaQBwAHQAIgA6ACIAUQBXAFIAawBMAFYAUgA1AGMARwBVAGcATABVADUAaABiAFcAVQBnAFYAMgBsAHUAWgBHADkAMwBJAEMAMQBPAFkAVwAxAGwAYwAzAEIAaABZADIAVQBnAFEAMgA5AHUAYwAyADkAcwBaAFMAQQB0AFQAVwBWAHQAWQBtAFYAeQBSAEcAVgBtAGEAVwA1AHAAZABHAGwAdgBiAGkAQQBuAEQAUQBvAGcASQBDAEEAZwBJAEMAQQBnAEkARgB0AEUAYgBHAHgASgBiAFgAQgB2AGMAbgBRAG8ASQBrAHQAbABjAG0ANQBsAGIARABNAHkATABtAFIAcwBiAEMASQBwAFgAUQAwAEsASQBDAEEAZwBJAEMAQQBnAEkAQwBCAHcAZABXAEoAcwBhAFcATQBnAGMAMwBSAGgAZABHAGwAagBJAEcAVgA0AGQARwBWAHkAYgBpAEIASgBiAG4AUgBRAGQASABJAGcAUgAyAFYAMABRADIAOQB1AGMAMgA5AHMAWgBWAGQAcABiAG0AUgB2AGQAeQBnAHAATwB3ADAASwBJAEMAQQBnAEkAQQAwAEsASQBDAEEAZwBJAEMAQQBnAEkAQwBCAGIAUgBHAHgAcwBTAFcAMQB3AGIAMwBKADAASwBDAEoAMQBjADIAVgB5AE0AegBJAHUAWgBHAHgAcwBJAGkAbABkAEQAUQBvAGcASQBDAEEAZwBJAEMAQQBnAEkASABCADEAWQBtAHgAcABZAHkAQgB6AGQARwBGADAAYQBXAE0AZwBaAFgAaAAwAFoAWABKAHUASQBHAEoAdgBiADIAdwBnAFUAMgBoAHYAZAAxAGQAcABiAG0AUgB2AGQAeQBoAEoAYgBuAFIAUQBkAEgASQBnAGEARgBkAHUAWgBDAHcAZwBTAFcANQAwAE0AegBJAGcAYgBrAE4AdABaAEYATgBvAGIAMwBjAHAATwB3ADAASwBJAEMAQQBnAEkAQwBBAGcASQBDAEEAbgBEAFEAbwBnAEkAQwBBAGcARABRAG8AZwBJAEMAQQBnAEkAQwBBAGcASQBDAFIAagBiADIANQB6AGIAMgB4AGwAVQBIAFIAeQBJAEQAMABnAFcAMABOAHYAYgBuAE4AdgBiAEcAVQB1AFYAMgBsAHUAWgBHADkAMwBYAFQAbwA2AFIAMgBWADAAUQAyADkAdQBjADIAOQBzAFoAVgBkAHAAYgBtAFIAdgBkAHkAZwBwAEQAUQBvAGcASQBDAEEAZwBJAEMAQQBnAEkAQwBNAHcASQBHAGgAcABaAEcAVQBOAEMAaQBBAGcASQBDAEEAZwBJAEMAQQBnAFcAMABOAHYAYgBuAE4AdgBiAEcAVQB1AFYAMgBsAHUAWgBHADkAMwBYAFQAbwA2AFUAMgBoAHYAZAAxAGQAcABiAG0AUgB2AGQAeQBnAGsAWQAyADkAdQBjADIAOQBzAFoAVgBCADAAYwBpAHcAZwBNAEMAawBOAEMAZwA9AD0AIgB9ACcAIAB8ACAAQwBvAG4AdgBlAHIAdABGAHIAbwBtAC0ASgBzAG8AbgApAC4AUwBjAHIAaQBwAHQAKQApACAAfAAgAGkAZQB4AA=="
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3384
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Powershell -NoLogo -NonInteractive -NoProfile -ExecutionPolicy Bypass -Encoded WwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBUAEYAOAAuAEcAZQB0AFMAdAByAGkAbgBnACgAWwBTAHkAcwB0AGUAbQAuAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoACgAJwB7ACIAUwBjAHIAaQBwAHQAIgA6ACIAUQBXAFIAawBMAFYAUgA1AGMARwBVAGcATABVADUAaABiAFcAVQBnAFYAMgBsAHUAWgBHADkAMwBJAEMAMQBPAFkAVwAxAGwAYwAzAEIAaABZADIAVQBnAFEAMgA5AHUAYwAyADkAcwBaAFMAQQB0AFQAVwBWAHQAWQBtAFYAeQBSAEcAVgBtAGEAVwA1AHAAZABHAGwAdgBiAGkAQQBuAEQAUQBvAGcASQBDAEEAZwBJAEMAQQBnAEkARgB0AEUAYgBHAHgASgBiAFgAQgB2AGMAbgBRAG8ASQBrAHQAbABjAG0ANQBsAGIARABNAHkATABtAFIAcwBiAEMASQBwAFgAUQAwAEsASQBDAEEAZwBJAEMAQQBnAEkAQwBCAHcAZABXAEoAcwBhAFcATQBnAGMAMwBSAGgAZABHAGwAagBJAEcAVgA0AGQARwBWAHkAYgBpAEIASgBiAG4AUgBRAGQASABJAGcAUgAyAFYAMABRADIAOQB1AGMAMgA5AHMAWgBWAGQAcABiAG0AUgB2AGQAeQBnAHAATwB3ADAASwBJAEMAQQBnAEkAQQAwAEsASQBDAEEAZwBJAEMAQQBnAEkAQwBCAGIAUgBHAHgAcwBTAFcAMQB3AGIAMwBKADAASwBDAEoAMQBjADIAVgB5AE0AegBJAHUAWgBHAHgAcwBJAGkAbABkAEQAUQBvAGcASQBDAEEAZwBJAEMAQQBnAEkASABCADEAWQBtAHgAcABZAHkAQgB6AGQARwBGADAAYQBXAE0AZwBaAFgAaAAwAFoAWABKAHUASQBHAEoAdgBiADIAdwBnAFUAMgBoAHYAZAAxAGQAcABiAG0AUgB2AGQAeQBoAEoAYgBuAFIAUQBkAEgASQBnAGEARgBkAHUAWgBDAHcAZwBTAFcANQAwAE0AegBJAGcAYgBrAE4AdABaAEYATgBvAGIAMwBjAHAATwB3ADAASwBJAEMAQQBnAEkAQwBBAGcASQBDAEEAbgBEAFEAbwBnAEkAQwBBAGcARABRAG8AZwBJAEMAQQBnAEkAQwBBAGcASQBDAFIAagBiADIANQB6AGIAMgB4AGwAVQBIAFIAeQBJAEQAMABnAFcAMABOAHYAYgBuAE4AdgBiAEcAVQB1AFYAMgBsAHUAWgBHADkAMwBYAFQAbwA2AFIAMgBWADAAUQAyADkAdQBjADIAOQBzAFoAVgBkAHAAYgBtAFIAdgBkAHkAZwBwAEQAUQBvAGcASQBDAEEAZwBJAEMAQQBnAEkAQwBNAHcASQBHAGgAcABaAEcAVQBOAEMAaQBBAGcASQBDAEEAZwBJAEMAQQBnAFcAMABOAHYAYgBuAE4AdgBiAEcAVQB1AFYAMgBsAHUAWgBHADkAMwBYAFQAbwA2AFUAMgBoAHYAZAAxAGQAcABiAG0AUgB2AGQAeQBnAGsAWQAyADkAdQBjADIAOQBzAFoAVgBCADAAYwBpAHcAZwBNAEMAawBOAEMAZwA9AD0AIgB9ACcAIAB8ACAAQwBvAG4AdgBlAHIAdABGAHIAbwBtAC0ASgBzAG8AbgApAC4AUwBjAHIAaQBwAHQAKQApACAAfAAgAGkAZQB4AA==
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4628
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\5je0qumg\5je0qumg.cmdline"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:316
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD304.tmp" "c:\Users\Admin\AppData\Local\Temp\5je0qumg\CSCAAA3B67422DE4D55876EAF252B68C868.TMP"
        5⤵
        
        PID:4712
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "chcp"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2844
- - C:\Windows\system32\chcp.com
    chcp
    3⤵
    PID:1080
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3696
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:3884
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2132
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1300
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "netstat -r"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3732
- - C:\Windows\system32\NETSTAT.EXE
    netstat -r
    3⤵
    - Gathers network information
    - Suspicious use of WriteProcessMemory
    PID:2012
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Windows\system32\route.exe" print
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1520
    - - C:\Windows\system32\ROUTE.EXE
        
        C:\Windows\system32\route.exe print
        5⤵
        
        PID:4564
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "netstat -nao"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4916
- - C:\Windows\system32\NETSTAT.EXE
    netstat -nao
    3⤵
    - Gathers network information
    - Suspicious use of AdjustPrivilegeToken
    PID:3432
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4304
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2628
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
  2⤵
  PID:2984
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
  2⤵
  PID:4192
- - C:\Windows\system32\query.exe
    "C:\Windows\system32\query.exe" user
    3⤵
    PID:5040
  - - C:\Windows\system32\quser.exe
      "C:\Windows\system32\quser.exe"
      4⤵
      PID:2448
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3860
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
  2⤵
  PID:2324
- C:\Windows\system32\ping.exe
  ping 8.8.8.8 -n 1
  2⤵
  - Runs ping.exe
  PID:2588
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3756
- - C:\Windows\system32\netsh.exe
    "C:\Windows\system32\netsh.exe" wlan show networks mode=Bssid
    3⤵
    PID:5132
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4492
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4592
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1572
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4012
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4816
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:480
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:1988
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:4608
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:5124
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:5136
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:5308
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:5364
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:5456
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:5520
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:5580
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:5568
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:5596
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:5612
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:5656
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:5760
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:5820
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:5956
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:6068
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:5836
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:5808
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:6088
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4076
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:5440
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:5332
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:5664
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:5296
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:5572
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:6048
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:5436
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:2424
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:5328
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:2032
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:6028
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:624
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:2276
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1300
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:5828
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:5680
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2032
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2256
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:1296
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:752
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:1748
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:1504
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:5156
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4448
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:3300
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1804
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:4480
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:1768
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:5264
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:6108
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:1620
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:5276
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:2076
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:4072
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:2024
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:4104
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:2316
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2984
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:4732
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:1296
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:1292
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:2128
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:5576
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:5072
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:6052
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:3164
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:4396
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:3704
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:5972
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    PID:6032
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "netstat -r"
  2⤵
  PID:3960
- - C:\Windows\system32\NETSTAT.EXE
    netstat -r
    3⤵
    - Gathers network information
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2324
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Windows\system32\route.exe" print
      4⤵
      PID:5392
    - - C:\Windows\system32\ROUTE.EXE
        
        C:\Windows\system32\route.exe print
        5⤵
        
        PID:4700
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:3708
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:5644
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:3696
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:5592
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
  2⤵
  PID:4108
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:1540
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:824
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:4848
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    PID:2680
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "netsh lan show profiles"
  2⤵
  PID:1252
- - C:\Windows\system32\netsh.exe
    netsh lan show profiles
    3⤵
    PID:5420
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "ipconfig /all"
  2⤵
  PID:732
- - C:\Windows\system32\ipconfig.exe
    ipconfig /all
    3⤵
    - Gathers network information
    PID:5864
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:6116
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:1128
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:996
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:4504
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:3960
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:6044
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4192
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    PID:4060
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5596
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:3760
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:4768
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:2288
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:2672
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:3548
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:212
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    PID:3876
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:3988
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    PID:5420
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:964
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:5204
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:316
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:4688
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:944
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    PID:3452
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:800
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:1784
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:4376
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:3140
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:4664
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:5396
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:6084
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    PID:2012
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:964
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:4164
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:3236
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:5012
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:4956
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    PID:5388
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:5536
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:5368
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:5580
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:5752
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:5684
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:4584
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:5900
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:5820
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:5812
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:6072
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:312
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    PID:5112
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:4336
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:3800
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:5292
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:6092
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:4180
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:5540
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:4036
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:5060
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:5316
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:3140
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:5600
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    PID:2892
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:5216
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:1668
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:3808
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:6120
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2628
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:368
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:5264
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    PID:5468
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:1040
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:5632
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:4676
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:1272
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:4416
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:4836
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:3048
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    PID:2084
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:4900
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:4128
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:2160
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    PID:2616
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:4632
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:4004
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:2780
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:824
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:3732
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:4132
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:4560
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    PID:4204
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:852
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:4700
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:1020
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:5596
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:6012
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:4724
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:2652
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:4324
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:3720
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:4584
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:2412
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    PID:3452
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:5652
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:1784
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:5128
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    PID:5396
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:3160
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:2012
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:4960
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    PID:5712
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:5552
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:5728
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:5560
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    PID:5856
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:5904
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:5196
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:3024
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:1996
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:1572
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    PID:5372
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:5620
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    PID:6096
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:2424
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:3660
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:4036
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    PID:1520
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:5628
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:1436
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:5316
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:3244
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:3344
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:5968
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:2220
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:5500
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:5828
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:5680
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:5236
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:5276
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:4816
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:6124
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:4676
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    PID:1876
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:5472
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    PID:5152
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:6000
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:1904
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:4416
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:5576
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:5876
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:3236
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:3696
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    PID:2724
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:4632
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:5004
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:2160
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:6052
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:4192
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:3960
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:5348
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:2460
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:5176
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    PID:772
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:4504
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:2656
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:6012
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:5640
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:6140
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:316

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5876

C:\Windows\system32\tasklist.exe
tasklist
1⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:5852

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:5268

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:ShellFeedsUI.AppXnj65k2d1a1rnztt2t2nng5ctmk3e76pn.mca
1⤵
PID:3548

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Command-Line Interface

T1059

Persistence

Privilege Escalation

Defense Evasion

Web Service

T1102

Credential Access

Credentials in Files

T1081

Discovery

Process Discovery

T1057

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
eb84cf3992100584ad60675ff8fc1867

SHA1
ebae74210a6d72320fd424f4da9328967f6ded48

SHA256
27983f75d9518ed67a5a274c97cbecbf881d4e5d766e6019f53eed0ea7fa5486

SHA512
8722b9df8114f19f64cf7ba266991fe7a3056183006ebedbdfa9fb4d49398e5626093006648cb5685b3f84bd44f3fd0d9c8a487e9d1fc4fe6d55dd000b2ce55c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
53KB

MD5
a26df49623eff12a70a93f649776dab7

SHA1
efb53bd0df3ac34bd119adf8788127ad57e53803

SHA256
4ebde1c12625cb55034d47e5169f709b0bd02a8caa76b5b9854efad7f4710245

SHA512
e5f9b8645fb2a50763fcbffe877ca03e9cadf099fe2d510b74bfa9ff18d0a6563d11160e00f495eeefebde63450d0ade8d6b6a824e68bd8a59e1971dc842709c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
53KB

MD5
a26df49623eff12a70a93f649776dab7

SHA1
efb53bd0df3ac34bd119adf8788127ad57e53803

SHA256
4ebde1c12625cb55034d47e5169f709b0bd02a8caa76b5b9854efad7f4710245

SHA512
e5f9b8645fb2a50763fcbffe877ca03e9cadf099fe2d510b74bfa9ff18d0a6563d11160e00f495eeefebde63450d0ade8d6b6a824e68bd8a59e1971dc842709c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
53KB

MD5
a26df49623eff12a70a93f649776dab7

SHA1
efb53bd0df3ac34bd119adf8788127ad57e53803

SHA256
4ebde1c12625cb55034d47e5169f709b0bd02a8caa76b5b9854efad7f4710245

SHA512
e5f9b8645fb2a50763fcbffe877ca03e9cadf099fe2d510b74bfa9ff18d0a6563d11160e00f495eeefebde63450d0ade8d6b6a824e68bd8a59e1971dc842709c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
53KB

MD5
a26df49623eff12a70a93f649776dab7

SHA1
efb53bd0df3ac34bd119adf8788127ad57e53803

SHA256
4ebde1c12625cb55034d47e5169f709b0bd02a8caa76b5b9854efad7f4710245

SHA512
e5f9b8645fb2a50763fcbffe877ca03e9cadf099fe2d510b74bfa9ff18d0a6563d11160e00f495eeefebde63450d0ade8d6b6a824e68bd8a59e1971dc842709c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
53KB

MD5
a26df49623eff12a70a93f649776dab7

SHA1
efb53bd0df3ac34bd119adf8788127ad57e53803

SHA256
4ebde1c12625cb55034d47e5169f709b0bd02a8caa76b5b9854efad7f4710245

SHA512
e5f9b8645fb2a50763fcbffe877ca03e9cadf099fe2d510b74bfa9ff18d0a6563d11160e00f495eeefebde63450d0ade8d6b6a824e68bd8a59e1971dc842709c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
53KB

MD5
a26df49623eff12a70a93f649776dab7

SHA1
efb53bd0df3ac34bd119adf8788127ad57e53803

SHA256
4ebde1c12625cb55034d47e5169f709b0bd02a8caa76b5b9854efad7f4710245

SHA512
e5f9b8645fb2a50763fcbffe877ca03e9cadf099fe2d510b74bfa9ff18d0a6563d11160e00f495eeefebde63450d0ade8d6b6a824e68bd8a59e1971dc842709c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
53KB

MD5
a26df49623eff12a70a93f649776dab7

SHA1
efb53bd0df3ac34bd119adf8788127ad57e53803

SHA256
4ebde1c12625cb55034d47e5169f709b0bd02a8caa76b5b9854efad7f4710245

SHA512
e5f9b8645fb2a50763fcbffe877ca03e9cadf099fe2d510b74bfa9ff18d0a6563d11160e00f495eeefebde63450d0ade8d6b6a824e68bd8a59e1971dc842709c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
2KB

MD5
1da05ba3b54da771287c94c74807dbfc

SHA1
bfdf903adfb93765a27a4d9d3c6cc8a338af98e5

SHA256
64ae77204d48fab381d9cb3cea2d7854fa38fda6bffec3bd3c17a8176f6c0948

SHA512
f32f7cc084657acd8fdd924836016609072b3778593f6970b8dfb2ff2391780f7d043724d170aa05a6f5bf650b3da1664324435cd6b7269eb35c8dc78d4a63a2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
2KB

MD5
712dac37d4ef92bc462564120619591b

SHA1
1cadf2d6826eb4119a9ce9667987e2a4e21d88eb

SHA256
986f6a7d2ad142c3a596143e2a31acb9dc9bd523969b5693eb6df09b5fbc0c2a

SHA512
0f35ccf15b328d60ee5177b6988261180f7d0156a174a700a8f2a527d80f7c39fb0fa75289bef8e4ff8372b917c1d3bdca546a119608c5b7b532be5b88b377e6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
2KB

MD5
28c65370f12e84b734af87ad491ea257

SHA1
402d3a8203115f1365d48fa72daf0a56e14d8a08

SHA256
4ea873fb3d77a2f8eefae82c943f621f16723516e181bde133568f8f0c91290c

SHA512
56eb34162b0a39da4aaf66aad35ef355a7709982b5060792e3b4849c36650725176e927815537ec58e7ddf0fb1763066b203d6b7f9d1b3dd2c8bc091c0c850cc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
2KB

MD5
28c65370f12e84b734af87ad491ea257

SHA1
402d3a8203115f1365d48fa72daf0a56e14d8a08

SHA256
4ea873fb3d77a2f8eefae82c943f621f16723516e181bde133568f8f0c91290c

SHA512
56eb34162b0a39da4aaf66aad35ef355a7709982b5060792e3b4849c36650725176e927815537ec58e7ddf0fb1763066b203d6b7f9d1b3dd2c8bc091c0c850cc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
2KB

MD5
28c65370f12e84b734af87ad491ea257

SHA1
402d3a8203115f1365d48fa72daf0a56e14d8a08

SHA256
4ea873fb3d77a2f8eefae82c943f621f16723516e181bde133568f8f0c91290c

SHA512
56eb34162b0a39da4aaf66aad35ef355a7709982b5060792e3b4849c36650725176e927815537ec58e7ddf0fb1763066b203d6b7f9d1b3dd2c8bc091c0c850cc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
2KB

MD5
28c65370f12e84b734af87ad491ea257

SHA1
402d3a8203115f1365d48fa72daf0a56e14d8a08

SHA256
4ea873fb3d77a2f8eefae82c943f621f16723516e181bde133568f8f0c91290c

SHA512
56eb34162b0a39da4aaf66aad35ef355a7709982b5060792e3b4849c36650725176e927815537ec58e7ddf0fb1763066b203d6b7f9d1b3dd2c8bc091c0c850cc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
2KB

MD5
28c65370f12e84b734af87ad491ea257

SHA1
402d3a8203115f1365d48fa72daf0a56e14d8a08

SHA256
4ea873fb3d77a2f8eefae82c943f621f16723516e181bde133568f8f0c91290c

SHA512
56eb34162b0a39da4aaf66aad35ef355a7709982b5060792e3b4849c36650725176e927815537ec58e7ddf0fb1763066b203d6b7f9d1b3dd2c8bc091c0c850cc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
3763345abdcb6003aac933d4c12a5ba0

SHA1
82e62880ada4277408010325ed7186a517f2a05b

SHA256
9b1288e635686ce8c366552da117072e45ba198790f7621c082e18252d85fed2

SHA512
d75dca968e4454686a56bb5ca966df36240bfaa38ebf85a2ae08c0ac55af8d4552444a15a8a86731a54739d6f3054f18790f2c62d07d4f16579107775f4f9639

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
35b2bf5a93c55d7db18eb1f2987b24d4

SHA1
2aa6e710638fbd3a60b28ecc67ab0f2a7be0f233

SHA256
fca5b1519448c291a0107b09c5d4306dbe22353f8ac1190e6d6b7d86a6e73a8d

SHA512
05a2695a18795b01dbc9318d32b5a733ccb75ac82ed7ef5dff300dd4f891d1e8be426398eec91e92f49b50a3e6e63fa46bd92a142fe93709958a242849ea7056

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
446dd1cf97eaba21cf14d03aebc79f27

SHA1
36e4cc7367e0c7b40f4a8ace272941ea46373799

SHA256
a7de5177c68a64bd48b36d49e2853799f4ebcfa8e4761f7cc472f333dc5f65cf

SHA512
a6d754709f30b122112ae30e5ab22486393c5021d33da4d1304c061863d2e1e79e8aeb029cae61261bb77d0e7becd53a7b0106d6ea4368b4c302464e3d941cf7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
446dd1cf97eaba21cf14d03aebc79f27

SHA1
36e4cc7367e0c7b40f4a8ace272941ea46373799

SHA256
a7de5177c68a64bd48b36d49e2853799f4ebcfa8e4761f7cc472f333dc5f65cf

SHA512
a6d754709f30b122112ae30e5ab22486393c5021d33da4d1304c061863d2e1e79e8aeb029cae61261bb77d0e7becd53a7b0106d6ea4368b4c302464e3d941cf7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
446dd1cf97eaba21cf14d03aebc79f27

SHA1
36e4cc7367e0c7b40f4a8ace272941ea46373799

SHA256
a7de5177c68a64bd48b36d49e2853799f4ebcfa8e4761f7cc472f333dc5f65cf

SHA512
a6d754709f30b122112ae30e5ab22486393c5021d33da4d1304c061863d2e1e79e8aeb029cae61261bb77d0e7becd53a7b0106d6ea4368b4c302464e3d941cf7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
446dd1cf97eaba21cf14d03aebc79f27

SHA1
36e4cc7367e0c7b40f4a8ace272941ea46373799

SHA256
a7de5177c68a64bd48b36d49e2853799f4ebcfa8e4761f7cc472f333dc5f65cf

SHA512
a6d754709f30b122112ae30e5ab22486393c5021d33da4d1304c061863d2e1e79e8aeb029cae61261bb77d0e7becd53a7b0106d6ea4368b4c302464e3d941cf7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
446dd1cf97eaba21cf14d03aebc79f27

SHA1
36e4cc7367e0c7b40f4a8ace272941ea46373799

SHA256
a7de5177c68a64bd48b36d49e2853799f4ebcfa8e4761f7cc472f333dc5f65cf

SHA512
a6d754709f30b122112ae30e5ab22486393c5021d33da4d1304c061863d2e1e79e8aeb029cae61261bb77d0e7becd53a7b0106d6ea4368b4c302464e3d941cf7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
446dd1cf97eaba21cf14d03aebc79f27

SHA1
36e4cc7367e0c7b40f4a8ace272941ea46373799

SHA256
a7de5177c68a64bd48b36d49e2853799f4ebcfa8e4761f7cc472f333dc5f65cf

SHA512
a6d754709f30b122112ae30e5ab22486393c5021d33da4d1304c061863d2e1e79e8aeb029cae61261bb77d0e7becd53a7b0106d6ea4368b4c302464e3d941cf7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
446dd1cf97eaba21cf14d03aebc79f27

SHA1
36e4cc7367e0c7b40f4a8ace272941ea46373799

SHA256
a7de5177c68a64bd48b36d49e2853799f4ebcfa8e4761f7cc472f333dc5f65cf

SHA512
a6d754709f30b122112ae30e5ab22486393c5021d33da4d1304c061863d2e1e79e8aeb029cae61261bb77d0e7becd53a7b0106d6ea4368b4c302464e3d941cf7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
446dd1cf97eaba21cf14d03aebc79f27

SHA1
36e4cc7367e0c7b40f4a8ace272941ea46373799

SHA256
a7de5177c68a64bd48b36d49e2853799f4ebcfa8e4761f7cc472f333dc5f65cf

SHA512
a6d754709f30b122112ae30e5ab22486393c5021d33da4d1304c061863d2e1e79e8aeb029cae61261bb77d0e7becd53a7b0106d6ea4368b4c302464e3d941cf7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
446dd1cf97eaba21cf14d03aebc79f27

SHA1
36e4cc7367e0c7b40f4a8ace272941ea46373799

SHA256
a7de5177c68a64bd48b36d49e2853799f4ebcfa8e4761f7cc472f333dc5f65cf

SHA512
a6d754709f30b122112ae30e5ab22486393c5021d33da4d1304c061863d2e1e79e8aeb029cae61261bb77d0e7becd53a7b0106d6ea4368b4c302464e3d941cf7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
446dd1cf97eaba21cf14d03aebc79f27

SHA1
36e4cc7367e0c7b40f4a8ace272941ea46373799

SHA256
a7de5177c68a64bd48b36d49e2853799f4ebcfa8e4761f7cc472f333dc5f65cf

SHA512
a6d754709f30b122112ae30e5ab22486393c5021d33da4d1304c061863d2e1e79e8aeb029cae61261bb77d0e7becd53a7b0106d6ea4368b4c302464e3d941cf7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
446dd1cf97eaba21cf14d03aebc79f27

SHA1
36e4cc7367e0c7b40f4a8ace272941ea46373799

SHA256
a7de5177c68a64bd48b36d49e2853799f4ebcfa8e4761f7cc472f333dc5f65cf

SHA512
a6d754709f30b122112ae30e5ab22486393c5021d33da4d1304c061863d2e1e79e8aeb029cae61261bb77d0e7becd53a7b0106d6ea4368b4c302464e3d941cf7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
446dd1cf97eaba21cf14d03aebc79f27

SHA1
36e4cc7367e0c7b40f4a8ace272941ea46373799

SHA256
a7de5177c68a64bd48b36d49e2853799f4ebcfa8e4761f7cc472f333dc5f65cf

SHA512
a6d754709f30b122112ae30e5ab22486393c5021d33da4d1304c061863d2e1e79e8aeb029cae61261bb77d0e7becd53a7b0106d6ea4368b4c302464e3d941cf7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
446dd1cf97eaba21cf14d03aebc79f27

SHA1
36e4cc7367e0c7b40f4a8ace272941ea46373799

SHA256
a7de5177c68a64bd48b36d49e2853799f4ebcfa8e4761f7cc472f333dc5f65cf

SHA512
a6d754709f30b122112ae30e5ab22486393c5021d33da4d1304c061863d2e1e79e8aeb029cae61261bb77d0e7becd53a7b0106d6ea4368b4c302464e3d941cf7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
446dd1cf97eaba21cf14d03aebc79f27

SHA1
36e4cc7367e0c7b40f4a8ace272941ea46373799

SHA256
a7de5177c68a64bd48b36d49e2853799f4ebcfa8e4761f7cc472f333dc5f65cf

SHA512
a6d754709f30b122112ae30e5ab22486393c5021d33da4d1304c061863d2e1e79e8aeb029cae61261bb77d0e7becd53a7b0106d6ea4368b4c302464e3d941cf7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
446dd1cf97eaba21cf14d03aebc79f27

SHA1
36e4cc7367e0c7b40f4a8ace272941ea46373799

SHA256
a7de5177c68a64bd48b36d49e2853799f4ebcfa8e4761f7cc472f333dc5f65cf

SHA512
a6d754709f30b122112ae30e5ab22486393c5021d33da4d1304c061863d2e1e79e8aeb029cae61261bb77d0e7becd53a7b0106d6ea4368b4c302464e3d941cf7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
446dd1cf97eaba21cf14d03aebc79f27

SHA1
36e4cc7367e0c7b40f4a8ace272941ea46373799

SHA256
a7de5177c68a64bd48b36d49e2853799f4ebcfa8e4761f7cc472f333dc5f65cf

SHA512
a6d754709f30b122112ae30e5ab22486393c5021d33da4d1304c061863d2e1e79e8aeb029cae61261bb77d0e7becd53a7b0106d6ea4368b4c302464e3d941cf7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
446dd1cf97eaba21cf14d03aebc79f27

SHA1
36e4cc7367e0c7b40f4a8ace272941ea46373799

SHA256
a7de5177c68a64bd48b36d49e2853799f4ebcfa8e4761f7cc472f333dc5f65cf

SHA512
a6d754709f30b122112ae30e5ab22486393c5021d33da4d1304c061863d2e1e79e8aeb029cae61261bb77d0e7becd53a7b0106d6ea4368b4c302464e3d941cf7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
446dd1cf97eaba21cf14d03aebc79f27

SHA1
36e4cc7367e0c7b40f4a8ace272941ea46373799

SHA256
a7de5177c68a64bd48b36d49e2853799f4ebcfa8e4761f7cc472f333dc5f65cf

SHA512
a6d754709f30b122112ae30e5ab22486393c5021d33da4d1304c061863d2e1e79e8aeb029cae61261bb77d0e7becd53a7b0106d6ea4368b4c302464e3d941cf7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
446dd1cf97eaba21cf14d03aebc79f27

SHA1
36e4cc7367e0c7b40f4a8ace272941ea46373799

SHA256
a7de5177c68a64bd48b36d49e2853799f4ebcfa8e4761f7cc472f333dc5f65cf

SHA512
a6d754709f30b122112ae30e5ab22486393c5021d33da4d1304c061863d2e1e79e8aeb029cae61261bb77d0e7becd53a7b0106d6ea4368b4c302464e3d941cf7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
446dd1cf97eaba21cf14d03aebc79f27

SHA1
36e4cc7367e0c7b40f4a8ace272941ea46373799

SHA256
a7de5177c68a64bd48b36d49e2853799f4ebcfa8e4761f7cc472f333dc5f65cf

SHA512
a6d754709f30b122112ae30e5ab22486393c5021d33da4d1304c061863d2e1e79e8aeb029cae61261bb77d0e7becd53a7b0106d6ea4368b4c302464e3d941cf7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
446dd1cf97eaba21cf14d03aebc79f27

SHA1
36e4cc7367e0c7b40f4a8ace272941ea46373799

SHA256
a7de5177c68a64bd48b36d49e2853799f4ebcfa8e4761f7cc472f333dc5f65cf

SHA512
a6d754709f30b122112ae30e5ab22486393c5021d33da4d1304c061863d2e1e79e8aeb029cae61261bb77d0e7becd53a7b0106d6ea4368b4c302464e3d941cf7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
446dd1cf97eaba21cf14d03aebc79f27

SHA1
36e4cc7367e0c7b40f4a8ace272941ea46373799

SHA256
a7de5177c68a64bd48b36d49e2853799f4ebcfa8e4761f7cc472f333dc5f65cf

SHA512
a6d754709f30b122112ae30e5ab22486393c5021d33da4d1304c061863d2e1e79e8aeb029cae61261bb77d0e7becd53a7b0106d6ea4368b4c302464e3d941cf7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
446dd1cf97eaba21cf14d03aebc79f27

SHA1
36e4cc7367e0c7b40f4a8ace272941ea46373799

SHA256
a7de5177c68a64bd48b36d49e2853799f4ebcfa8e4761f7cc472f333dc5f65cf

SHA512
a6d754709f30b122112ae30e5ab22486393c5021d33da4d1304c061863d2e1e79e8aeb029cae61261bb77d0e7becd53a7b0106d6ea4368b4c302464e3d941cf7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
446dd1cf97eaba21cf14d03aebc79f27

SHA1
36e4cc7367e0c7b40f4a8ace272941ea46373799

SHA256
a7de5177c68a64bd48b36d49e2853799f4ebcfa8e4761f7cc472f333dc5f65cf

SHA512
a6d754709f30b122112ae30e5ab22486393c5021d33da4d1304c061863d2e1e79e8aeb029cae61261bb77d0e7becd53a7b0106d6ea4368b4c302464e3d941cf7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
446dd1cf97eaba21cf14d03aebc79f27

SHA1
36e4cc7367e0c7b40f4a8ace272941ea46373799

SHA256
a7de5177c68a64bd48b36d49e2853799f4ebcfa8e4761f7cc472f333dc5f65cf

SHA512
a6d754709f30b122112ae30e5ab22486393c5021d33da4d1304c061863d2e1e79e8aeb029cae61261bb77d0e7becd53a7b0106d6ea4368b4c302464e3d941cf7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
446dd1cf97eaba21cf14d03aebc79f27

SHA1
36e4cc7367e0c7b40f4a8ace272941ea46373799

SHA256
a7de5177c68a64bd48b36d49e2853799f4ebcfa8e4761f7cc472f333dc5f65cf

SHA512
a6d754709f30b122112ae30e5ab22486393c5021d33da4d1304c061863d2e1e79e8aeb029cae61261bb77d0e7becd53a7b0106d6ea4368b4c302464e3d941cf7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
446dd1cf97eaba21cf14d03aebc79f27

SHA1
36e4cc7367e0c7b40f4a8ace272941ea46373799

SHA256
a7de5177c68a64bd48b36d49e2853799f4ebcfa8e4761f7cc472f333dc5f65cf

SHA512
a6d754709f30b122112ae30e5ab22486393c5021d33da4d1304c061863d2e1e79e8aeb029cae61261bb77d0e7becd53a7b0106d6ea4368b4c302464e3d941cf7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
446dd1cf97eaba21cf14d03aebc79f27

SHA1
36e4cc7367e0c7b40f4a8ace272941ea46373799

SHA256
a7de5177c68a64bd48b36d49e2853799f4ebcfa8e4761f7cc472f333dc5f65cf

SHA512
a6d754709f30b122112ae30e5ab22486393c5021d33da4d1304c061863d2e1e79e8aeb029cae61261bb77d0e7becd53a7b0106d6ea4368b4c302464e3d941cf7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
446dd1cf97eaba21cf14d03aebc79f27

SHA1
36e4cc7367e0c7b40f4a8ace272941ea46373799

SHA256
a7de5177c68a64bd48b36d49e2853799f4ebcfa8e4761f7cc472f333dc5f65cf

SHA512
a6d754709f30b122112ae30e5ab22486393c5021d33da4d1304c061863d2e1e79e8aeb029cae61261bb77d0e7becd53a7b0106d6ea4368b4c302464e3d941cf7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
446dd1cf97eaba21cf14d03aebc79f27

SHA1
36e4cc7367e0c7b40f4a8ace272941ea46373799

SHA256
a7de5177c68a64bd48b36d49e2853799f4ebcfa8e4761f7cc472f333dc5f65cf

SHA512
a6d754709f30b122112ae30e5ab22486393c5021d33da4d1304c061863d2e1e79e8aeb029cae61261bb77d0e7becd53a7b0106d6ea4368b4c302464e3d941cf7

Download Submit
C:\Users\Admin\AppData\Local\Temp\5je0qumg\5je0qumg.dll

Filesize
3KB

MD5
bd0bc85e326e210820249df1777e007e

SHA1
6543d9b762d4d5e8e916085f1eede7c2faca1f4f

SHA256
5a0e2b5ee796df7f6e66d788fd19652fcd7ad0d794676712a02395d252efd157

SHA512
6bde0ae4b68af32d21189f3db49aa86a1bf8d4f9c99a2868491b586c418686530e6681010ffb00ee958224957cc40a914da4959bf972accc413810a760b4e63a

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESD304.tmp

Filesize
1KB

MD5
6789f011a8f8f08107c47438b88abfbb

SHA1
c7c79667b1ce636d564bf5d1b47cf87a6c579f78

SHA256
82d097b831ff70ededf75049869b9bda7c03c5dc4ae8ebdc5ea0563a1d68e22f

SHA512
0135e8a25d6da457102e632e3ecddc169de8ae152197c834c7bd994581a2c96eff7460437614edc712e33a219fa632b6105209841a31782b718a3f683bbad237

Download Submit
C:\Users\Admin\AppData\Local\Temp\pkg\152ddddf0ebc8fd9fdd0143778b6765e49678532a2b1e33e66adc235fa88b7a7\sqlite3\lib\binding\napi-v6-win32-unknown-x64\node_sqlite3.node

Filesize
1.6MB

MD5
d5d477af6910a4856d5457b8e667f84b

SHA1
80e99d5b15c1c65ffa7e44c52c14056691ee3295

SHA256
152ddddf0ebc8fd9fdd0143778b6765e49678532a2b1e33e66adc235fa88b7a7

SHA512
435bc0f5b6af33549e59b5c50c43bd62ef5faf6acad85ad9d79f5ee80c82fed86f45391f20a35c0114d92aa80cc8c68aef0420501f4d5f5e2eed701c830013f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\pkg\8afe0cee365698184c541eef2e2f7dfb6bf5473be7321f5e8a585199b93f89f2\win-dpapi\build\Release\node-dpapi.node

Filesize
140KB

MD5
a874a72295b3b9adb2b5296c02689771

SHA1
a9e4702eaa5d7f680a5c0850fd5336937bde85bb

SHA256
8afe0cee365698184c541eef2e2f7dfb6bf5473be7321f5e8a585199b93f89f2

SHA512
a092177d561f37a6e828dc8aed014e13ab250a6a69a25c40ba4cd3b5e40bc0b6232bf163d0594da7886dc90280449b4b91e463f52a3b4ce5d6ed7e24bd1989a8

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\5je0qumg\5je0qumg.0.cs

Filesize
342B

MD5
fb818b5af427cdf4bd5e9e48265dbd9b

SHA1
4494f9fe806d3d0ec6601ab8a6bdb5ff9b37a4ed

SHA256
6914d7afe54b19a22b8dad75c0781e9dc7321bbf43d3fd8fb00179d2d6a7f3f2

SHA512
843c02c18c777ae614a49d27722c495472c2b3ed4d45dc26bbb03d009a189e7241440a77107a7f17f26d03a8771c74efb49af9c98ce83020535c9027abb64cd4

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\5je0qumg\5je0qumg.cmdline

Filesize
369B

MD5
a66c07e448816a3bb59246aee4df7ee4

SHA1
e05cc990d578f3e7638a051067b70bef12a6dfec

SHA256
292e6306941a573debdc6f0e9859b63398a73c9daa2d5cdf62f1fdebb7b268a8

SHA512
d26c0230dae71fb2892b37f53c748e213f9b111fae8da29f5644ef44679bfc4f878794aa9054395eaf16bb19562e95f4fefa4b23294630c10d80580e2a484efd

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\5je0qumg\CSCAAA3B67422DE4D55876EAF252B68C868.TMP

Filesize
652B

MD5
21fc465d8babc299757a140d7f26c52c

SHA1
754835d719605a47533d72e4e6a88ec1d22e3ce2

SHA256
321904bf1411b47c71da623c0e6cbe2b87445f74a6385fba50c3e002311af067

SHA512
a5b3ec36ac6d1e1862c52e6d4e2805fdb7a588c081f8d77be27e02ba52e201d53aed9461ae502ff6f1fde38504415a62a0911acd29a1401c26c348cc51d4b0d2

Download Submit
memory/316-138-0x0000000000000000-mapping.dmp

Download
memory/368-300-0x00007FFC45C70000-0x00007FFC46731000-memory.dmp

Filesize
10.8MB

Download
memory/480-177-0x0000000000000000-mapping.dmp

Download
memory/752-260-0x00007FFC45C70000-0x00007FFC46731000-memory.dmp

Filesize
10.8MB

Download
memory/752-258-0x00007FFC45C70000-0x00007FFC46731000-memory.dmp

Filesize
10.8MB

Download
memory/1080-147-0x0000000000000000-mapping.dmp

Download
memory/1128-286-0x00007FFC45C70000-0x00007FFC46731000-memory.dmp

Filesize
10.8MB

Download
memory/1128-285-0x00007FFC45C70000-0x00007FFC46731000-memory.dmp

Filesize
10.8MB

Download
memory/1300-153-0x0000000000000000-mapping.dmp

Download
memory/1300-165-0x00007FFC45C70000-0x00007FFC46731000-memory.dmp

Filesize
10.8MB

Download
memory/1520-158-0x0000000000000000-mapping.dmp

Download
memory/1572-175-0x0000000000000000-mapping.dmp

Download
memory/1804-267-0x00007FFC45C70000-0x00007FFC46731000-memory.dmp

Filesize
10.8MB

Download
memory/1804-266-0x00007FFC45C70000-0x00007FFC46731000-memory.dmp

Filesize
10.8MB

Download
memory/1988-178-0x0000000000000000-mapping.dmp

Download
memory/2012-156-0x0000000000000000-mapping.dmp

Download
memory/2032-244-0x00007FFC45C70000-0x00007FFC46731000-memory.dmp

Filesize
10.8MB

Download
memory/2132-152-0x0000000000000000-mapping.dmp

Download
memory/2288-288-0x00007FFC45C70000-0x00007FFC46731000-memory.dmp

Filesize
10.8MB

Download
memory/2324-253-0x00007FFC45C70000-0x00007FFC46731000-memory.dmp

Filesize
10.8MB

Download
memory/2324-169-0x0000000000000000-mapping.dmp

Download
memory/2324-192-0x00007FFC45C70000-0x00007FFC46731000-memory.dmp

Filesize
10.8MB

Download
memory/2424-238-0x0000000000000000-mapping.dmp

Download
memory/2588-171-0x0000000000000000-mapping.dmp

Download
memory/2628-216-0x000002ACAFBA0000-0x000002ACAFBCA000-memory.dmp

Filesize
168KB

Download
memory/2628-164-0x0000000000000000-mapping.dmp

Download
memory/2628-229-0x00007FFC45C70000-0x00007FFC46731000-memory.dmp

Filesize
10.8MB

Download
memory/2628-180-0x00007FFC45C70000-0x00007FFC46731000-memory.dmp

Filesize
10.8MB

Download
memory/2628-217-0x000002ACAFBA0000-0x000002ACAFBC4000-memory.dmp

Filesize
144KB

Download
memory/2844-146-0x0000000000000000-mapping.dmp

Download
memory/2984-181-0x00007FFC45C70000-0x00007FFC46731000-memory.dmp

Filesize
10.8MB

Download
memory/2984-257-0x00007FFC45C70000-0x00007FFC46731000-memory.dmp

Filesize
10.8MB

Download
memory/2984-163-0x0000000000000000-mapping.dmp

Download
memory/3140-292-0x00007FFC45C70000-0x00007FFC46731000-memory.dmp

Filesize
10.8MB

Download
memory/3140-298-0x00007FFC45C70000-0x00007FFC46731000-memory.dmp

Filesize
10.8MB

Download
memory/3164-276-0x00007FFC45C70000-0x00007FFC46731000-memory.dmp

Filesize
10.8MB

Download
memory/3164-275-0x00007FFC45C70000-0x00007FFC46731000-memory.dmp

Filesize
10.8MB

Download
memory/3384-132-0x0000000000000000-mapping.dmp

Download
memory/3432-174-0x0000000000000000-mapping.dmp

Download
memory/3696-150-0x0000000000000000-mapping.dmp

Download
memory/3732-155-0x0000000000000000-mapping.dmp

Download
memory/3756-190-0x00007FFC45C70000-0x00007FFC46731000-memory.dmp

Filesize
10.8MB

Download
memory/3756-237-0x00007FFC45C70000-0x00007FFC46731000-memory.dmp

Filesize
10.8MB

Download
memory/3756-170-0x0000000000000000-mapping.dmp

Download
memory/3860-166-0x0000000000000000-mapping.dmp

Download
memory/3860-233-0x00007FFC45C70000-0x00007FFC46731000-memory.dmp

Filesize
10.8MB

Download
memory/3860-184-0x00007FFC45C70000-0x00007FFC46731000-memory.dmp

Filesize
10.8MB

Download
memory/3884-151-0x0000000000000000-mapping.dmp

Download
memory/4012-168-0x0000000000000000-mapping.dmp

Download
memory/4012-188-0x00007FFC45C70000-0x00007FFC46731000-memory.dmp

Filesize
10.8MB

Download
memory/4012-256-0x00007FFC45C70000-0x00007FFC46731000-memory.dmp

Filesize
10.8MB

Download
memory/4072-273-0x00007FFC45C70000-0x00007FFC46731000-memory.dmp

Filesize
10.8MB

Download
memory/4072-269-0x00007FFC45C70000-0x00007FFC46731000-memory.dmp

Filesize
10.8MB

Download
memory/4076-222-0x0000000000000000-mapping.dmp

Download
memory/4104-272-0x00007FFC45C70000-0x00007FFC46731000-memory.dmp

Filesize
10.8MB

Download
memory/4104-268-0x00007FFC45C70000-0x00007FFC46731000-memory.dmp

Filesize
10.8MB

Download
memory/4108-282-0x00007FFC45C70000-0x00007FFC46731000-memory.dmp

Filesize
10.8MB

Download
memory/4108-283-0x00007FFC45C70000-0x00007FFC46731000-memory.dmp

Filesize
10.8MB

Download
memory/4192-176-0x00007FFC45C70000-0x00007FFC46731000-memory.dmp

Filesize
10.8MB

Download
memory/4192-264-0x00007FFC45C70000-0x00007FFC46731000-memory.dmp

Filesize
10.8MB

Download
memory/4192-261-0x00007FFC45C70000-0x00007FFC46731000-memory.dmp

Filesize
10.8MB

Download
memory/4192-161-0x0000000000000000-mapping.dmp

Download
memory/4304-162-0x0000000000000000-mapping.dmp

Download
memory/4304-179-0x00007FFC45C70000-0x00007FFC46731000-memory.dmp

Filesize
10.8MB

Download
memory/4304-252-0x00007FFC45C70000-0x00007FFC46731000-memory.dmp

Filesize
10.8MB

Download
memory/4304-183-0x0000020AD5CE0000-0x0000020AD5D24000-memory.dmp

Filesize
272KB

Download
memory/4304-191-0x0000020AD6140000-0x0000020AD61B6000-memory.dmp

Filesize
472KB

Download
memory/4492-172-0x0000000000000000-mapping.dmp

Download
memory/4492-262-0x00007FFC45C70000-0x00007FFC46731000-memory.dmp

Filesize
10.8MB

Download
memory/4492-278-0x00007FFC45C70000-0x00007FFC46731000-memory.dmp

Filesize
10.8MB

Download
memory/4492-194-0x00007FFC45C70000-0x00007FFC46731000-memory.dmp

Filesize
10.8MB

Download
memory/4564-159-0x0000000000000000-mapping.dmp

Download
memory/4584-296-0x00007FFC45C70000-0x00007FFC46731000-memory.dmp

Filesize
10.8MB

Download
memory/4592-173-0x0000000000000000-mapping.dmp

Download
memory/4608-182-0x0000000000000000-mapping.dmp

Download
memory/4628-145-0x00007FFC46410000-0x00007FFC46ED1000-memory.dmp

Filesize
10.8MB

Download
memory/4628-137-0x00007FFC46410000-0x00007FFC46ED1000-memory.dmp

Filesize
10.8MB

Download
memory/4628-136-0x0000026AF6C40000-0x0000026AF7168000-memory.dmp

Filesize
5.2MB

Download
memory/4628-135-0x0000026AF6540000-0x0000026AF6702000-memory.dmp

Filesize
1.8MB

Download
memory/4628-134-0x0000026AF4C20000-0x0000026AF4C42000-memory.dmp

Filesize
136KB

Download
memory/4628-133-0x0000000000000000-mapping.dmp

Download
memory/4712-141-0x0000000000000000-mapping.dmp

Download
memory/4816-167-0x0000000000000000-mapping.dmp

Download
memory/4816-187-0x00007FFC45C70000-0x00007FFC46731000-memory.dmp

Filesize
10.8MB

Download
memory/4816-255-0x00007FFC45C70000-0x00007FFC46731000-memory.dmp

Filesize
10.8MB

Download
memory/4836-302-0x00007FFC45C70000-0x00007FFC46731000-memory.dmp

Filesize
10.8MB

Download
memory/4916-160-0x0000000000000000-mapping.dmp

Download
memory/5012-294-0x00007FFC45C70000-0x00007FFC46731000-memory.dmp

Filesize
10.8MB

Download
memory/5124-202-0x00007FFC45C70000-0x00007FFC46731000-memory.dmp

Filesize
10.8MB

Download
memory/5124-185-0x0000000000000000-mapping.dmp

Download
memory/5124-205-0x00007FFC45C70000-0x00007FFC46731000-memory.dmp

Filesize
10.8MB

Download
memory/5132-219-0x0000000000000000-mapping.dmp

Download
memory/5136-186-0x0000000000000000-mapping.dmp

Download
memory/5204-290-0x00007FFC45C70000-0x00007FFC46731000-memory.dmp

Filesize
10.8MB

Download
memory/5296-226-0x0000000000000000-mapping.dmp

Download
memory/5308-189-0x0000000000000000-mapping.dmp

Download
memory/5328-239-0x0000000000000000-mapping.dmp

Download
memory/5332-240-0x00007FFC45C70000-0x00007FFC46731000-memory.dmp

Filesize
10.8MB

Download
memory/5332-225-0x0000000000000000-mapping.dmp

Download
memory/5332-227-0x00007FFC45C70000-0x00007FFC46731000-memory.dmp

Filesize
10.8MB

Download
memory/5364-193-0x0000000000000000-mapping.dmp

Download
memory/5436-234-0x0000000000000000-mapping.dmp

Download
memory/5440-223-0x0000000000000000-mapping.dmp

Download
memory/5456-195-0x0000000000000000-mapping.dmp

Download
memory/5520-197-0x0000000000000000-mapping.dmp

Download
memory/5568-198-0x0000000000000000-mapping.dmp

Download
memory/5572-228-0x0000000000000000-mapping.dmp

Download
memory/5580-199-0x0000000000000000-mapping.dmp

Download
memory/5596-220-0x00007FFC45C70000-0x00007FFC46731000-memory.dmp

Filesize
10.8MB

Download
memory/5596-206-0x00007FFC45C70000-0x00007FFC46731000-memory.dmp

Filesize
10.8MB

Download
memory/5596-200-0x0000000000000000-mapping.dmp

Download
memory/5612-201-0x0000000000000000-mapping.dmp

Download
memory/5644-281-0x00007FFC45C70000-0x00007FFC46731000-memory.dmp

Filesize
10.8MB

Download
memory/5656-203-0x0000000000000000-mapping.dmp

Download
memory/5664-224-0x0000000000000000-mapping.dmp

Download
memory/5760-204-0x0000000000000000-mapping.dmp

Download
memory/5808-207-0x0000000000000000-mapping.dmp

Download
memory/5820-208-0x0000000000000000-mapping.dmp

Download
memory/5836-210-0x0000000000000000-mapping.dmp

Download
memory/5852-211-0x0000000000000000-mapping.dmp

Download
memory/5876-212-0x0000000000000000-mapping.dmp

Download
memory/5876-230-0x00007FFC45C70000-0x00007FFC46731000-memory.dmp

Filesize
10.8MB

Download
memory/5876-214-0x00007FFC45C70000-0x00007FFC46731000-memory.dmp

Filesize
10.8MB

Download
memory/5956-213-0x0000000000000000-mapping.dmp

Download
memory/6028-241-0x0000000000000000-mapping.dmp

Download
memory/6048-231-0x0000000000000000-mapping.dmp

Download
memory/6068-215-0x0000000000000000-mapping.dmp

Download
memory/6088-218-0x0000000000000000-mapping.dmp

Download