13a03de37f3941d7adea6f6ae92964b96207a50ce16b3c550fdf537e6eeb97c1

Analysis

max time kernel
134s
max time network
135s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
30-05-2024 20:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cmd_obf.bat
Size

3.7MB
MD5

0bf8ea23b515a2be9847672294e9b1ec
SHA1

e7a593f74a21b0934ebae4651e31bce764b48c8e
SHA256

13a03de37f3941d7adea6f6ae92964b96207a50ce16b3c550fdf537e6eeb97c1
SHA512

d279f27995b0c22387efe30829b2408749f9f1d1c59f27bd7c5cb69f4c587fdd81b1cc0df4a67ddfedb3eb591e6ab6f73be17fdc8cdda8c191fd535691f7790c
SSDEEP

6144:MAzsjFH0sKBsxf6XSSXlwSDreznhb8R5HGD7X8N0wKOx4QMbErNWkH3kqDhtd2iA:XsZmuSRlwS4vNPQMgcAhij4fi

Score

5^/10

execution

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 38 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
2864	powershell.exe
1084	powershell.exe
944	powershell.exe
4568	powershell.exe
4656	powershell.exe
1340	powershell.exe
2556	powershell.exe
4696	powershell.exe
4472	powershell.exe
2116	powershell.exe
3264	powershell.exe
5072	powershell.exe
2312	powershell.exe
2160	powershell.exe
984	powershell.exe
4416	powershell.exe
4512	powershell.exe
2148	powershell.exe
868	powershell.exe
916	powershell.exe
2180	powershell.exe
4104	powershell.exe
4968	powershell.exe
1848	powershell.exe
5092	powershell.exe
4104	powershell.exe
4900	powershell.exe
744	powershell.exe
3796	powershell.exe
4332	powershell.exe
4668	powershell.exe
4256	powershell.exe
4568	powershell.exe
3956	powershell.exe
3616	powershell.exe
1268	powershell.exe
3616	powershell.exe
1088	powershell.exe

Delays execution with timeout.exe 5 IoCs

evasion

pid	Process
4236	timeout.exe
1600	timeout.exe
196	timeout.exe
1984	timeout.exe
2312	timeout.exe

Kills process with taskkill 2 IoCs

evasion

pid	Process
3480	taskkill.exe
5092	taskkill.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2160	powershell.exe
2160	powershell.exe
2160	powershell.exe
984	powershell.exe
984	powershell.exe
984	powershell.exe
4108	powershell.exe
4108	powershell.exe
4108	powershell.exe
2484	powershell.exe
2484	powershell.exe
2484	powershell.exe
3956	powershell.exe
3956	powershell.exe
3956	powershell.exe
5092	powershell.exe
5092	powershell.exe
5092	powershell.exe
4104	powershell.exe
4104	powershell.exe
4104	powershell.exe
2864	powershell.exe
2864	powershell.exe
2864	powershell.exe
3892	powershell.exe
3892	powershell.exe
3892	powershell.exe
3064	powershell.exe
3064	powershell.exe
3064	powershell.exe
4416	powershell.exe
4416	powershell.exe
3616	powershell.exe
4416	powershell.exe
3616	powershell.exe
3616	powershell.exe
4696	powershell.exe
4696	powershell.exe
4696	powershell.exe
4472	powershell.exe
4472	powershell.exe
4472	powershell.exe
2116	powershell.exe
2116	powershell.exe
2116	powershell.exe
4632	powershell.exe
4632	powershell.exe
4632	powershell.exe
2932	powershell.exe
2932	powershell.exe
2932	powershell.exe
916	powershell.exe
916	powershell.exe
1268	powershell.exe
916	powershell.exe
1268	powershell.exe
1268	powershell.exe
2180	powershell.exe
2180	powershell.exe
2180	powershell.exe
4104	powershell.exe
4104	powershell.exe
4104	powershell.exe
4968	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2160	powershell.exe
Token: SeIncreaseQuotaPrivilege	2160	powershell.exe
Token: SeSecurityPrivilege	2160	powershell.exe
Token: SeTakeOwnershipPrivilege	2160	powershell.exe
Token: SeLoadDriverPrivilege	2160	powershell.exe
Token: SeSystemProfilePrivilege	2160	powershell.exe
Token: SeSystemtimePrivilege	2160	powershell.exe
Token: SeProfSingleProcessPrivilege	2160	powershell.exe
Token: SeIncBasePriorityPrivilege	2160	powershell.exe
Token: SeCreatePagefilePrivilege	2160	powershell.exe
Token: SeBackupPrivilege	2160	powershell.exe
Token: SeRestorePrivilege	2160	powershell.exe
Token: SeShutdownPrivilege	2160	powershell.exe
Token: SeDebugPrivilege	2160	powershell.exe
Token: SeSystemEnvironmentPrivilege	2160	powershell.exe
Token: SeRemoteShutdownPrivilege	2160	powershell.exe
Token: SeUndockPrivilege	2160	powershell.exe
Token: SeManageVolumePrivilege	2160	powershell.exe
Token: 33	2160	powershell.exe
Token: 34	2160	powershell.exe
Token: 35	2160	powershell.exe
Token: 36	2160	powershell.exe
Token: SeDebugPrivilege	984	powershell.exe
Token: SeIncreaseQuotaPrivilege	984	powershell.exe
Token: SeSecurityPrivilege	984	powershell.exe
Token: SeTakeOwnershipPrivilege	984	powershell.exe
Token: SeLoadDriverPrivilege	984	powershell.exe
Token: SeSystemProfilePrivilege	984	powershell.exe
Token: SeSystemtimePrivilege	984	powershell.exe
Token: SeProfSingleProcessPrivilege	984	powershell.exe
Token: SeIncBasePriorityPrivilege	984	powershell.exe
Token: SeCreatePagefilePrivilege	984	powershell.exe
Token: SeBackupPrivilege	984	powershell.exe
Token: SeRestorePrivilege	984	powershell.exe
Token: SeShutdownPrivilege	984	powershell.exe
Token: SeDebugPrivilege	984	powershell.exe
Token: SeSystemEnvironmentPrivilege	984	powershell.exe
Token: SeRemoteShutdownPrivilege	984	powershell.exe
Token: SeUndockPrivilege	984	powershell.exe
Token: SeManageVolumePrivilege	984	powershell.exe
Token: 33	984	powershell.exe
Token: 34	984	powershell.exe
Token: 35	984	powershell.exe
Token: 36	984	powershell.exe
Token: SeDebugPrivilege	4108	powershell.exe
Token: SeDebugPrivilege	2484	powershell.exe
Token: SeDebugPrivilege	3956	powershell.exe
Token: SeDebugPrivilege	5092	powershell.exe
Token: SeDebugPrivilege	4104	powershell.exe
Token: SeIncreaseQuotaPrivilege	5092	powershell.exe
Token: SeSecurityPrivilege	5092	powershell.exe
Token: SeTakeOwnershipPrivilege	5092	powershell.exe
Token: SeLoadDriverPrivilege	5092	powershell.exe
Token: SeSystemProfilePrivilege	5092	powershell.exe
Token: SeSystemtimePrivilege	5092	powershell.exe
Token: SeProfSingleProcessPrivilege	5092	powershell.exe
Token: SeIncBasePriorityPrivilege	5092	powershell.exe
Token: SeCreatePagefilePrivilege	5092	powershell.exe
Token: SeBackupPrivilege	5092	powershell.exe
Token: SeRestorePrivilege	5092	powershell.exe
Token: SeShutdownPrivilege	5092	powershell.exe
Token: SeDebugPrivilege	5092	powershell.exe
Token: SeSystemEnvironmentPrivilege	5092	powershell.exe
Token: SeRemoteShutdownPrivilege	5092	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3816 wrote to memory of 4348	3816	cmd.exe	74
PID 3816 wrote to memory of 4348	3816	cmd.exe	74
PID 3816 wrote to memory of 2160	3816	cmd.exe	75
PID 3816 wrote to memory of 2160	3816	cmd.exe	75
PID 3816 wrote to memory of 4604	3816	cmd.exe	77
PID 3816 wrote to memory of 4604	3816	cmd.exe	77
PID 3816 wrote to memory of 4520	3816	cmd.exe	78
PID 3816 wrote to memory of 4520	3816	cmd.exe	78
PID 3816 wrote to memory of 984	3816	cmd.exe	79
PID 3816 wrote to memory of 984	3816	cmd.exe	79
PID 3816 wrote to memory of 4600	3816	cmd.exe	80
PID 3816 wrote to memory of 4600	3816	cmd.exe	80
PID 3816 wrote to memory of 4108	3816	cmd.exe	81
PID 3816 wrote to memory of 4108	3816	cmd.exe	81
PID 3816 wrote to memory of 2484	3816	cmd.exe	82
PID 3816 wrote to memory of 2484	3816	cmd.exe	82
PID 3816 wrote to memory of 3956	3816	cmd.exe	83
PID 3816 wrote to memory of 3956	3816	cmd.exe	83
PID 3956 wrote to memory of 2672	3956	powershell.exe	84
PID 3956 wrote to memory of 2672	3956	powershell.exe	84
PID 3816 wrote to memory of 2816	3816	cmd.exe	86
PID 3816 wrote to memory of 2816	3816	cmd.exe	86
PID 2672 wrote to memory of 2568	2672	cmd.exe	87
PID 2672 wrote to memory of 2568	2672	cmd.exe	87
PID 3816 wrote to memory of 5092	3816	cmd.exe	88
PID 3816 wrote to memory of 5092	3816	cmd.exe	88
PID 2672 wrote to memory of 4104	2672	cmd.exe	89
PID 2672 wrote to memory of 4104	2672	cmd.exe	89
PID 3816 wrote to memory of 428	3816	cmd.exe	90
PID 3816 wrote to memory of 428	3816	cmd.exe	90
PID 2672 wrote to memory of 4044	2672	cmd.exe	91
PID 2672 wrote to memory of 4044	2672	cmd.exe	91
PID 3816 wrote to memory of 1596	3816	cmd.exe	92
PID 3816 wrote to memory of 1596	3816	cmd.exe	92
PID 3816 wrote to memory of 1548	3816	cmd.exe	93
PID 3816 wrote to memory of 1548	3816	cmd.exe	93
PID 2672 wrote to memory of 2468	2672	cmd.exe	94
PID 2672 wrote to memory of 2468	2672	cmd.exe	94
PID 3816 wrote to memory of 3456	3816	cmd.exe	95
PID 3816 wrote to memory of 3456	3816	cmd.exe	95
PID 3456 wrote to memory of 4316	3456	cmd.exe	96
PID 3456 wrote to memory of 4316	3456	cmd.exe	96
PID 2672 wrote to memory of 2864	2672	cmd.exe	97
PID 2672 wrote to memory of 2864	2672	cmd.exe	97
PID 3816 wrote to memory of 1452	3816	cmd.exe	98
PID 3816 wrote to memory of 1452	3816	cmd.exe	98
PID 3816 wrote to memory of 4116	3816	cmd.exe	99
PID 3816 wrote to memory of 4116	3816	cmd.exe	99
PID 2672 wrote to memory of 2584	2672	cmd.exe	100
PID 2672 wrote to memory of 2584	2672	cmd.exe	100
PID 2672 wrote to memory of 3892	2672	cmd.exe	101
PID 2672 wrote to memory of 3892	2672	cmd.exe	101
PID 3816 wrote to memory of 1972	3816	cmd.exe	102
PID 3816 wrote to memory of 1972	3816	cmd.exe	102
PID 1972 wrote to memory of 4548	1972	cmd.exe	103
PID 1972 wrote to memory of 4548	1972	cmd.exe	103
PID 2672 wrote to memory of 3064	2672	cmd.exe	104
PID 2672 wrote to memory of 3064	2672	cmd.exe	104
PID 3816 wrote to memory of 4416	3816	cmd.exe	105
PID 3816 wrote to memory of 4416	3816	cmd.exe	105
PID 2672 wrote to memory of 3616	2672	cmd.exe	171
PID 2672 wrote to memory of 3616	2672	cmd.exe	171
PID 3616 wrote to memory of 4144	3616	powershell.exe	107
PID 3616 wrote to memory of 4144	3616	powershell.exe	107

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cmd_obf.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:3816
- C:\Windows\system32\findstr.exe
  findstr /i "echo" "C:\Users\Admin\AppData\Local\Temp\cmd_obf.bat"
  2⤵
  PID:4348
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -NoLogo -NoProfile -ExecutionPolicy Bypass -Command "if((gcim Win32_PhysicalMemory | measure -Property capacity -Sum).sum /1gb -lt 4) {spps -f -n 'cmd' -ErrorAction SilentlyContinue;exit 1}"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2160
- C:\Windows\system32\findstr.exe
  findstr /i "echo" "C:\Users\Admin\AppData\Local\Temp\cmd_obf.bat"
  2⤵
  PID:4604
- C:\Windows\system32\findstr.exe
  findstr /i "echo" "C:\Users\Admin\AppData\Local\Temp\cmd_obf.bat"
  2⤵
  PID:4520
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -NoLogo -NoProfile -ExecutionPolicy Bypass -Command "if((gcim Win32_PhysicalMemory | measure -Property capacity -Sum).sum /1gb -lt 4) {spps -f -n 'cmd' -ErrorAction SilentlyContinue;exit 1}"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:984
- C:\Windows\system32\chcp.com
  chcp 65001
  2⤵
  PID:4600
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -nop -c "Write-Host -NoNewLine $null"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4108
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -nop -c "Write-Host -NoNewLine $null"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2484
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -command "Start-Process cmd -ArgumentList '/c C:\Users\Admin\AppData\Local\Temp\cmd_obf.bat' -Verb runAs"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3956
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\cmd_obf.bat
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2672
  - - C:\Windows\system32\findstr.exe
      findstr /i "echo" "C:\Users\Admin\AppData\Local\Temp\cmd_obf.bat"
      4⤵
      PID:2568
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -NoLogo -NoProfile -ExecutionPolicy Bypass -Command "if((gcim Win32_PhysicalMemory | measure -Property capacity -Sum).sum /1gb -lt 4) {spps -f -n 'cmd' -ErrorAction SilentlyContinue;exit 1}"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4104
  - - C:\Windows\system32\findstr.exe
      findstr /i "echo" "C:\Users\Admin\AppData\Local\Temp\cmd_obf.bat"
      4⤵
      PID:4044
  - - C:\Windows\system32\findstr.exe
      findstr /i "echo" "C:\Users\Admin\AppData\Local\Temp\cmd_obf.bat"
      4⤵
      PID:2468
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -NoLogo -NoProfile -ExecutionPolicy Bypass -Command "if((gcim Win32_PhysicalMemory | measure -Property capacity -Sum).sum /1gb -lt 4) {spps -f -n 'cmd' -ErrorAction SilentlyContinue;exit 1}"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:2864
  - - C:\Windows\system32\chcp.com
      chcp 65001
      4⤵
      PID:2584
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -nop -c "Write-Host -NoNewLine $null"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:3892
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -nop -c "Write-Host -NoNewLine $null"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:3064
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -command "Start-Process cmd -ArgumentList '/c C:\Users\Admin\AppData\Local\Temp\cmd_obf.bat' -Verb runAs"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:3616
    - - C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\cmd_obf.bat
        5⤵
        
        PID:4144
      - C:\Windows\system32\findstr.exe
        
        findstr /i "echo" "C:\Users\Admin\AppData\Local\Temp\cmd_obf.bat"
        6⤵
        
        PID:5000
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe -NoLogo -NoProfile -ExecutionPolicy Bypass -Command "if((gcim Win32_PhysicalMemory | measure -Property capacity -Sum).sum /1gb -lt 4) {spps -f -n 'cmd' -ErrorAction SilentlyContinue;exit 1}"
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:4472
      - C:\Windows\system32\findstr.exe
        
        findstr /i "echo" "C:\Users\Admin\AppData\Local\Temp\cmd_obf.bat"
        6⤵
        
        PID:5064
      - C:\Windows\system32\findstr.exe
        
        findstr /i "echo" "C:\Users\Admin\AppData\Local\Temp\cmd_obf.bat"
        6⤵
        
        PID:4624
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe -NoLogo -NoProfile -ExecutionPolicy Bypass -Command "if((gcim Win32_PhysicalMemory | measure -Property capacity -Sum).sum /1gb -lt 4) {spps -f -n 'cmd' -ErrorAction SilentlyContinue;exit 1}"
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:2116
      - C:\Windows\system32\chcp.com
        
        chcp 65001
        6⤵
        
        PID:2144
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe -nop -c "Write-Host -NoNewLine $null"
        6⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4632
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe -nop -c "Write-Host -NoNewLine $null"
        6⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2932
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -command "Start-Process cmd -ArgumentList '/c C:\Users\Admin\AppData\Local\Temp\cmd_obf.bat' -Verb runAs"
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:1268
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\cmd_obf.bat
        7⤵
        
        PID:1052
        
        C:\Windows\system32\findstr.exe
        
        findstr /i "echo" "C:\Users\Admin\AppData\Local\Temp\cmd_obf.bat"
        8⤵
        
        PID:96
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe -NoLogo -NoProfile -ExecutionPolicy Bypass -Command "if((gcim Win32_PhysicalMemory | measure -Property capacity -Sum).sum /1gb -lt 4) {spps -f -n 'cmd' -ErrorAction SilentlyContinue;exit 1}"
        8⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:4104
        
        C:\Windows\system32\findstr.exe
        
        findstr /i "echo" "C:\Users\Admin\AppData\Local\Temp\cmd_obf.bat"
        8⤵
        
        PID:4612
        
        C:\Windows\system32\findstr.exe
        
        findstr /i "echo" "C:\Users\Admin\AppData\Local\Temp\cmd_obf.bat"
        8⤵
        
        PID:4864
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe -NoLogo -NoProfile -ExecutionPolicy Bypass -Command "if((gcim Win32_PhysicalMemory | measure -Property capacity -Sum).sum /1gb -lt 4) {spps -f -n 'cmd' -ErrorAction SilentlyContinue;exit 1}"
        8⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4256
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        8⤵
        
        PID:4652
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe -nop -c "Write-Host -NoNewLine $null"
        8⤵
        
        PID:688
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe -nop -c "Write-Host -NoNewLine $null"
        8⤵
        
        PID:4620
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -command "Start-Process cmd -ArgumentList '/c C:\Users\Admin\AppData\Local\Temp\cmd_obf.bat' -Verb runAs"
        8⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3616
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\cmd_obf.bat
        9⤵
        
        PID:1548
        
        C:\Windows\system32\findstr.exe
        
        findstr /i "echo" "C:\Users\Admin\AppData\Local\Temp\cmd_obf.bat"
        10⤵
        
        PID:2412
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe -NoLogo -NoProfile -ExecutionPolicy Bypass -Command "if((gcim Win32_PhysicalMemory | measure -Property capacity -Sum).sum /1gb -lt 4) {spps -f -n 'cmd' -ErrorAction SilentlyContinue;exit 1}"
        10⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2556
        
        C:\Windows\system32\findstr.exe
        
        findstr /i "echo" "C:\Users\Admin\AppData\Local\Temp\cmd_obf.bat"
        10⤵
        
        PID:4412
        
        C:\Windows\system32\findstr.exe
        
        findstr /i "echo" "C:\Users\Admin\AppData\Local\Temp\cmd_obf.bat"
        10⤵
        
        PID:1016
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe -NoLogo -NoProfile -ExecutionPolicy Bypass -Command "if((gcim Win32_PhysicalMemory | measure -Property capacity -Sum).sum /1gb -lt 4) {spps -f -n 'cmd' -ErrorAction SilentlyContinue;exit 1}"
        10⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2148
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        10⤵
        
        PID:2512
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe -nop -c "Write-Host -NoNewLine $null"
        10⤵
        
        PID:2572
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe -nop -c "Write-Host -NoNewLine $null"
        10⤵
        
        PID:4320
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -command "Start-Process cmd -ArgumentList '/c C:\Users\Admin\AppData\Local\Temp\cmd_obf.bat' -Verb runAs"
        10⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1088
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\cmd_obf.bat
        11⤵
        
        PID:2116
        
        C:\Windows\system32\findstr.exe
        
        findstr /i "echo" "C:\Users\Admin\AppData\Local\Temp\cmd_obf.bat"
        12⤵
        
        PID:4572
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe -NoLogo -NoProfile -ExecutionPolicy Bypass -Command "if((gcim Win32_PhysicalMemory | measure -Property capacity -Sum).sum /1gb -lt 4) {spps -f -n 'cmd' -ErrorAction SilentlyContinue;exit 1}"
        12⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3796
        
        C:\Windows\system32\findstr.exe
        
        findstr /i "echo" "C:\Users\Admin\AppData\Local\Temp\cmd_obf.bat"
        12⤵
        
        PID:2360
        
        C:\Windows\system32\findstr.exe
        
        findstr /i "echo" "C:\Users\Admin\AppData\Local\Temp\cmd_obf.bat"
        12⤵
        
        PID:308
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe -NoLogo -NoProfile -ExecutionPolicy Bypass -Command "if((gcim Win32_PhysicalMemory | measure -Property capacity -Sum).sum /1gb -lt 4) {spps -f -n 'cmd' -ErrorAction SilentlyContinue;exit 1}"
        12⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4656
        
        C:\Windows\system32\wscript.exe
        
        wscript /b
        10⤵
        
        PID:216
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe -NoLogo -NoProfile -ExecutionPolicy Bypass -Command "if((gcim Win32_PhysicalMemory | measure -Property capacity -Sum).sum /1gb -lt 4) {spps -f -n 'cmd' -ErrorAction SilentlyContinue;exit 1}"
        10⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4900
        
        C:\Windows\system32\findstr.exe
        
        findstr /i "echo" "C:\Users\Admin\AppData\Local\Temp\cmd_obf.bat"
        10⤵
        
        PID:2572
        
        C:\Windows\system32\findstr.exe
        
        findstr /i "echo" "C:\Users\Admin\AppData\Local\Temp\cmd_obf.bat"
        10⤵
        
        PID:4708
        
        C:\Windows\system32\findstr.exe
        
        findstr /i "echo" "C:\Users\Admin\AppData\Local\Temp\cmd_obf.bat"
        10⤵
        
        PID:588
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c wmic computersystem get manufacturer /value
        10⤵
        
        PID:1276
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic computersystem get manufacturer /value
        11⤵
        
        PID:4456
        
        C:\Windows\system32\findstr.exe
        
        findstr /i "echo" "C:\Users\Admin\AppData\Local\Temp\cmd_obf.bat"
        10⤵
        
        PID:4652
        
        C:\Windows\system32\rundll32.exe
        
        rundll32
        10⤵
        
        PID:2480
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c wmic computersystem get manufacturer /value
        10⤵
        
        PID:1436
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic computersystem get manufacturer /value
        11⤵
        
        PID:2036
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe -NoLogo -NoProfile -ExecutionPolicy Bypass -Command "if((gcim Win32_PhysicalMemory | measure -Property capacity -Sum).sum /1gb -lt 4) {spps -f -n 'cmd' -ErrorAction SilentlyContinue;exit 1}"
        10⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:944
        
        C:\Windows\system32\findstr.exe
        
        findstr /i "echo" "C:\Users\Admin\AppData\Local\Temp\cmd_obf.bat"
        10⤵
        
        PID:5068
        
        C:\Windows\system32\findstr.exe
        
        findstr /i "echo" "C:\Users\Admin\AppData\Local\Temp\cmd_obf.bat"
        10⤵
        
        PID:3488
        
        C:\Windows\system32\rundll32.exe
        
        rundll32
        10⤵
        
        PID:2224
        
        C:\Windows\system32\forfiles.exe
        
        forfiles /p C:\Users\Admin\AppData\Local\Temp /m TOKEN_LOGGER.exe /c 'cmd /c start @file'
        10⤵
        
        PID:4484
        
        C:\Windows\system32\doskey.exe
        
        doskey CERTUTIL=FSUTIL
        10⤵
        
        PID:1360
        
        C:\Windows\system32\timeout.exe
        
        timeout 3
        10⤵
        Delays execution with timeout.exe
        
        PID:4236
        
        C:\Windows\system32\findstr.exe
        
        findstr /i "echo" "C:\Users\Admin\AppData\Local\Temp\cmd_obf.bat"
        10⤵
        
        PID:4872
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c wmic computersystem get manufacturer /value
        10⤵
        
        PID:1868
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic computersystem get manufacturer /value
        11⤵
        
        PID:4384
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe -NoLogo -NoProfile -ExecutionPolicy Bypass -Command "if((gcim Win32_PhysicalMemory | measure -Property capacity -Sum).sum /1gb -lt 4) {spps -f -n 'cmd' -ErrorAction SilentlyContinue;exit 1}"
        10⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4668
        
        C:\Windows\system32\findstr.exe
        
        findstr /i "echo" "C:\Users\Admin\AppData\Local\Temp\cmd_obf.bat"
        10⤵
        
        PID:96
        
        C:\Windows\system32\findstr.exe
        
        findstr /i "echo" "C:\Users\Admin\AppData\Local\Temp\cmd_obf.bat"
        10⤵
        
        PID:4988
        
        C:\Windows\system32\findstr.exe
        
        findstr /i "echo" "C:\Users\Admin\AppData\Local\Temp\cmd_obf.bat"
        10⤵
        
        PID:4620
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe -NoLogo -NoProfile -ExecutionPolicy Bypass -Command "if ((Get-WmiObject Win32_ComputerSystem).Model -match 'Virtual') { taskkill /F /IM cmd.exe }"
        10⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:868
        
        C:\Windows\system32\findstr.exe
        
        findstr /i "echo" "C:\Users\Admin\AppData\Local\Temp\cmd_obf.bat"
        10⤵
        
        PID:2324
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe -NoLogo -NoProfile -ExecutionPolicy Bypass -Command "if((gcim Win32_PhysicalMemory | measure -Property capacity -Sum).sum /1gb -lt 4) {spps -f -n 'cmd' -ErrorAction SilentlyContinue;exit 1}"
        10⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1340
        
        C:\Windows\system32\findstr.exe
        
        findstr /i "echo" "C:\Users\Admin\AppData\Local\Temp\cmd_obf.bat"
        10⤵
        
        PID:696
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe -NoLogo -NoProfile -ExecutionPolicy Bypass -Command "if((gcim Win32_PhysicalMemory | measure -Property capacity -Sum).sum /1gb -lt 4) {spps -f -n 'cmd' -ErrorAction SilentlyContinue;exit 1}"
        10⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2312
        
        C:\Windows\system32\findstr.exe
        
        findstr /i "echo" "C:\Users\Admin\AppData\Local\Temp\cmd_obf.bat"
        10⤵
        
        PID:4136
        
        C:\Windows\system32\findstr.exe
        
        findstr /i "echo" "C:\Users\Admin\AppData\Local\Temp\cmd_obf.bat"
        10⤵
        
        PID:4656
        
        C:\Windows\system32\doskey.exe
        
        doskey /listsize=0
        10⤵
        
        PID:2692
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im scvhost.exe
        10⤵
        Kills process with taskkill
        
        PID:5092
        
        C:\Windows\system32\wscript.exe
        
        wscript /b
        8⤵
        
        PID:3600
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe -NoLogo -NoProfile -ExecutionPolicy Bypass -Command "if((gcim Win32_PhysicalMemory | measure -Property capacity -Sum).sum /1gb -lt 4) {spps -f -n 'cmd' -ErrorAction SilentlyContinue;exit 1}"
        8⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1084
        
        C:\Windows\system32\findstr.exe
        
        findstr /i "echo" "C:\Users\Admin\AppData\Local\Temp\cmd_obf.bat"
        8⤵
        
        PID:4876
        
        C:\Windows\system32\findstr.exe
        
        findstr /i "echo" "C:\Users\Admin\AppData\Local\Temp\cmd_obf.bat"
        8⤵
        
        PID:5024
        
        C:\Windows\system32\findstr.exe
        
        findstr /i "echo" "C:\Users\Admin\AppData\Local\Temp\cmd_obf.bat"
        8⤵
        
        PID:4668
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c wmic computersystem get manufacturer /value
        8⤵
        
        PID:2548
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic computersystem get manufacturer /value
        9⤵
        
        PID:3892
        
        C:\Windows\system32\findstr.exe
        
        findstr /i "echo" "C:\Users\Admin\AppData\Local\Temp\cmd_obf.bat"
        8⤵
        
        PID:1672
        
        C:\Windows\system32\rundll32.exe
        
        rundll32
        8⤵
        
        PID:2532
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c wmic computersystem get manufacturer /value
        8⤵
        
        PID:592
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic computersystem get manufacturer /value
        9⤵
        
        PID:644
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe -NoLogo -NoProfile -ExecutionPolicy Bypass -Command "if((gcim Win32_PhysicalMemory | measure -Property capacity -Sum).sum /1gb -lt 4) {spps -f -n 'cmd' -ErrorAction SilentlyContinue;exit 1}"
        8⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4512
        
        C:\Windows\system32\findstr.exe
        
        findstr /i "echo" "C:\Users\Admin\AppData\Local\Temp\cmd_obf.bat"
        8⤵
        
        PID:4384
        
        C:\Windows\system32\findstr.exe
        
        findstr /i "echo" "C:\Users\Admin\AppData\Local\Temp\cmd_obf.bat"
        8⤵
        
        PID:3344
        
        C:\Windows\system32\rundll32.exe
        
        rundll32
        8⤵
        
        PID:1540
        
        C:\Windows\system32\forfiles.exe
        
        forfiles /p C:\Users\Admin\AppData\Local\Temp /m TOKEN_LOGGER.exe /c 'cmd /c start @file'
        8⤵
        
        PID:5076
        
        C:\Windows\system32\doskey.exe
        
        doskey CERTUTIL=FSUTIL
        8⤵
        
        PID:4332
        
        C:\Windows\system32\timeout.exe
        
        timeout 3
        8⤵
        Delays execution with timeout.exe
        
        PID:2312
        
        C:\Windows\system32\findstr.exe
        
        findstr /i "echo" "C:\Users\Admin\AppData\Local\Temp\cmd_obf.bat"
        8⤵
        
        PID:2044
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c wmic computersystem get manufacturer /value
        8⤵
        
        PID:5060
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic computersystem get manufacturer /value
        9⤵
        
        PID:4660
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe -NoLogo -NoProfile -ExecutionPolicy Bypass -Command "if((gcim Win32_PhysicalMemory | measure -Property capacity -Sum).sum /1gb -lt 4) {spps -f -n 'cmd' -ErrorAction SilentlyContinue;exit 1}"
        8⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4332
        
        C:\Windows\system32\findstr.exe
        
        findstr /i "echo" "C:\Users\Admin\AppData\Local\Temp\cmd_obf.bat"
        8⤵
        
        PID:3456
        
        C:\Windows\system32\findstr.exe
        
        findstr /i "echo" "C:\Users\Admin\AppData\Local\Temp\cmd_obf.bat"
        8⤵
        
        PID:4880
        
        C:\Windows\system32\findstr.exe
        
        findstr /i "echo" "C:\Users\Admin\AppData\Local\Temp\cmd_obf.bat"
        8⤵
        
        PID:2368
      - C:\Windows\system32\wscript.exe
        
        wscript /b
        6⤵
        
        PID:3340
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe -NoLogo -NoProfile -ExecutionPolicy Bypass -Command "if((gcim Win32_PhysicalMemory | measure -Property capacity -Sum).sum /1gb -lt 4) {spps -f -n 'cmd' -ErrorAction SilentlyContinue;exit 1}"
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:2180
      - C:\Windows\system32\findstr.exe
        
        findstr /i "echo" "C:\Users\Admin\AppData\Local\Temp\cmd_obf.bat"
        6⤵
        
        PID:5004
      - C:\Windows\system32\findstr.exe
        
        findstr /i "echo" "C:\Users\Admin\AppData\Local\Temp\cmd_obf.bat"
        6⤵
        
        PID:4064
      - C:\Windows\system32\findstr.exe
        
        findstr /i "echo" "C:\Users\Admin\AppData\Local\Temp\cmd_obf.bat"
        6⤵
        
        PID:3480
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c wmic computersystem get manufacturer /value
        6⤵
        
        PID:4692
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic computersystem get manufacturer /value
        7⤵
        
        PID:5076
      - C:\Windows\system32\findstr.exe
        
        findstr /i "echo" "C:\Users\Admin\AppData\Local\Temp\cmd_obf.bat"
        6⤵
        
        PID:2612
      - C:\Windows\system32\rundll32.exe
        
        rundll32
        6⤵
        
        PID:4332
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c wmic computersystem get manufacturer /value
        6⤵
        
        PID:1848
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic computersystem get manufacturer /value
        7⤵
        
        PID:4560
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe -NoLogo -NoProfile -ExecutionPolicy Bypass -Command "if((gcim Win32_PhysicalMemory | measure -Property capacity -Sum).sum /1gb -lt 4) {spps -f -n 'cmd' -ErrorAction SilentlyContinue;exit 1}"
        6⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4568
      - C:\Windows\system32\findstr.exe
        
        findstr /i "echo" "C:\Users\Admin\AppData\Local\Temp\cmd_obf.bat"
        6⤵
        
        PID:3488
      - C:\Windows\system32\findstr.exe
        
        findstr /i "echo" "C:\Users\Admin\AppData\Local\Temp\cmd_obf.bat"
        6⤵
        
        PID:1088
      - C:\Windows\system32\rundll32.exe
        
        rundll32
        6⤵
        
        PID:744
      - C:\Windows\system32\forfiles.exe
        
        forfiles /p C:\Users\Admin\AppData\Local\Temp /m TOKEN_LOGGER.exe /c 'cmd /c start @file'
        6⤵
        
        PID:1276
      - C:\Windows\system32\doskey.exe
        
        doskey CERTUTIL=FSUTIL
        6⤵
        
        PID:4872
      - C:\Windows\system32\timeout.exe
        
        timeout 3
        6⤵
        Delays execution with timeout.exe
        
        PID:1984
      - C:\Windows\system32\findstr.exe
        
        findstr /i "echo" "C:\Users\Admin\AppData\Local\Temp\cmd_obf.bat"
        6⤵
        
        PID:5084
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c wmic computersystem get manufacturer /value
        6⤵
        
        PID:3772
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic computersystem get manufacturer /value
        7⤵
        
        PID:4628
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe -NoLogo -NoProfile -ExecutionPolicy Bypass -Command "if((gcim Win32_PhysicalMemory | measure -Property capacity -Sum).sum /1gb -lt 4) {spps -f -n 'cmd' -ErrorAction SilentlyContinue;exit 1}"
        6⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4568
      - C:\Windows\system32\findstr.exe
        
        findstr /i "echo" "C:\Users\Admin\AppData\Local\Temp\cmd_obf.bat"
        6⤵
        
        PID:1364
      - C:\Windows\system32\findstr.exe
        
        findstr /i "echo" "C:\Users\Admin\AppData\Local\Temp\cmd_obf.bat"
        6⤵
        
        PID:1692
      - C:\Windows\system32\findstr.exe
        
        findstr /i "echo" "C:\Users\Admin\AppData\Local\Temp\cmd_obf.bat"
        6⤵
        
        PID:4904
  - - C:\Windows\system32\wscript.exe
      wscript /b
      4⤵
      PID:2936
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -NoLogo -NoProfile -ExecutionPolicy Bypass -Command "if((gcim Win32_PhysicalMemory | measure -Property capacity -Sum).sum /1gb -lt 4) {spps -f -n 'cmd' -ErrorAction SilentlyContinue;exit 1}"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:4696
  - - C:\Windows\system32\findstr.exe
      findstr /i "echo" "C:\Users\Admin\AppData\Local\Temp\cmd_obf.bat"
      4⤵
      PID:1088
  - - C:\Windows\system32\findstr.exe
      findstr /i "echo" "C:\Users\Admin\AppData\Local\Temp\cmd_obf.bat"
      4⤵
      PID:2028
  - - C:\Windows\system32\findstr.exe
      findstr /i "echo" "C:\Users\Admin\AppData\Local\Temp\cmd_obf.bat"
      4⤵
      PID:1012
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c wmic computersystem get manufacturer /value
      4⤵
      PID:916
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic computersystem get manufacturer /value
        5⤵
        
        PID:4236
  - - C:\Windows\system32\findstr.exe
      findstr /i "echo" "C:\Users\Admin\AppData\Local\Temp\cmd_obf.bat"
      4⤵
      PID:592
  - - C:\Windows\system32\rundll32.exe
      rundll32
      4⤵
      PID:2312
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c wmic computersystem get manufacturer /value
      4⤵
      PID:3468
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic computersystem get manufacturer /value
        5⤵
        
        PID:304
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -NoLogo -NoProfile -ExecutionPolicy Bypass -Command "if((gcim Win32_PhysicalMemory | measure -Property capacity -Sum).sum /1gb -lt 4) {spps -f -n 'cmd' -ErrorAction SilentlyContinue;exit 1}"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:916
  - - C:\Windows\system32\findstr.exe
      findstr /i "echo" "C:\Users\Admin\AppData\Local\Temp\cmd_obf.bat"
      4⤵
      PID:4084
  - - C:\Windows\system32\findstr.exe
      findstr /i "echo" "C:\Users\Admin\AppData\Local\Temp\cmd_obf.bat"
      4⤵
      PID:4076
  - - C:\Windows\system32\rundll32.exe
      rundll32
      4⤵
      PID:2312
  - - C:\Windows\system32\forfiles.exe
      forfiles /p C:\Users\Admin\AppData\Local\Temp /m TOKEN_LOGGER.exe /c 'cmd /c start @file'
      4⤵
      PID:1340
  - - C:\Windows\system32\doskey.exe
      doskey CERTUTIL=FSUTIL
      4⤵
      PID:4508
  - - C:\Windows\system32\timeout.exe
      timeout 3
      4⤵
      Delays execution with timeout.exe
      PID:196
  - - C:\Windows\system32\findstr.exe
      findstr /i "echo" "C:\Users\Admin\AppData\Local\Temp\cmd_obf.bat"
      4⤵
      PID:2472
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c wmic computersystem get manufacturer /value
      4⤵
      PID:964
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic computersystem get manufacturer /value
        5⤵
        
        PID:380
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -NoLogo -NoProfile -ExecutionPolicy Bypass -Command "if((gcim Win32_PhysicalMemory | measure -Property capacity -Sum).sum /1gb -lt 4) {spps -f -n 'cmd' -ErrorAction SilentlyContinue;exit 1}"
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:3264
  - - C:\Windows\system32\findstr.exe
      findstr /i "echo" "C:\Users\Admin\AppData\Local\Temp\cmd_obf.bat"
      4⤵
      PID:3844
  - - C:\Windows\system32\findstr.exe
      findstr /i "echo" "C:\Users\Admin\AppData\Local\Temp\cmd_obf.bat"
      4⤵
      PID:1984
  - - C:\Windows\system32\findstr.exe
      findstr /i "echo" "C:\Users\Admin\AppData\Local\Temp\cmd_obf.bat"
      4⤵
      PID:2484
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -NoLogo -NoProfile -ExecutionPolicy Bypass -Command "if ((Get-WmiObject Win32_ComputerSystem).Model -match 'Virtual') { taskkill /F /IM cmd.exe }"
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:744
  - - C:\Windows\system32\findstr.exe
      findstr /i "echo" "C:\Users\Admin\AppData\Local\Temp\cmd_obf.bat"
      4⤵
      PID:4384
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -NoLogo -NoProfile -ExecutionPolicy Bypass -Command "if((gcim Win32_PhysicalMemory | measure -Property capacity -Sum).sum /1gb -lt 4) {spps -f -n 'cmd' -ErrorAction SilentlyContinue;exit 1}"
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:1848
  - - C:\Windows\system32\findstr.exe
      findstr /i "echo" "C:\Users\Admin\AppData\Local\Temp\cmd_obf.bat"
      4⤵
      PID:96
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -NoLogo -NoProfile -ExecutionPolicy Bypass -Command "if((gcim Win32_PhysicalMemory | measure -Property capacity -Sum).sum /1gb -lt 4) {spps -f -n 'cmd' -ErrorAction SilentlyContinue;exit 1}"
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:5072
  - - C:\Windows\system32\findstr.exe
      findstr /i "echo" "C:\Users\Admin\AppData\Local\Temp\cmd_obf.bat"
      4⤵
      PID:5020
  - - C:\Windows\system32\findstr.exe
      findstr /i "echo" "C:\Users\Admin\AppData\Local\Temp\cmd_obf.bat"
      4⤵
      PID:3796
  - - C:\Windows\system32\doskey.exe
      doskey /listsize=0
      4⤵
      PID:4104
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im scvhost.exe
      4⤵
      Kills process with taskkill
      PID:3480
- C:\Windows\system32\wscript.exe
  wscript /b
  2⤵
  PID:2816
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -NoLogo -NoProfile -ExecutionPolicy Bypass -Command "if((gcim Win32_PhysicalMemory | measure -Property capacity -Sum).sum /1gb -lt 4) {spps -f -n 'cmd' -ErrorAction SilentlyContinue;exit 1}"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5092
- C:\Windows\system32\findstr.exe
  findstr /i "echo" "C:\Users\Admin\AppData\Local\Temp\cmd_obf.bat"
  2⤵
  PID:428
- C:\Windows\system32\findstr.exe
  findstr /i "echo" "C:\Users\Admin\AppData\Local\Temp\cmd_obf.bat"
  2⤵
  PID:1596
- C:\Windows\system32\findstr.exe
  findstr /i "echo" "C:\Users\Admin\AppData\Local\Temp\cmd_obf.bat"
  2⤵
  PID:1548
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic computersystem get manufacturer /value
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3456
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic computersystem get manufacturer /value
    3⤵
    PID:4316
- C:\Windows\system32\findstr.exe
  findstr /i "echo" "C:\Users\Admin\AppData\Local\Temp\cmd_obf.bat"
  2⤵
  PID:1452
- C:\Windows\system32\rundll32.exe
  rundll32
  2⤵
  PID:4116
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic computersystem get manufacturer /value
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1972
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic computersystem get manufacturer /value
    3⤵
    PID:4548
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -NoLogo -NoProfile -ExecutionPolicy Bypass -Command "if((gcim Win32_PhysicalMemory | measure -Property capacity -Sum).sum /1gb -lt 4) {spps -f -n 'cmd' -ErrorAction SilentlyContinue;exit 1}"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:4416
- C:\Windows\system32\findstr.exe
  findstr /i "echo" "C:\Users\Admin\AppData\Local\Temp\cmd_obf.bat"
  2⤵
  PID:2296
- C:\Windows\system32\findstr.exe
  findstr /i "echo" "C:\Users\Admin\AppData\Local\Temp\cmd_obf.bat"
  2⤵
  PID:4632
- C:\Windows\system32\rundll32.exe
  rundll32
  2⤵
  PID:1984
- C:\Windows\system32\forfiles.exe
  forfiles /p C:\Users\Admin\AppData\Local\Temp /m TOKEN_LOGGER.exe /c 'cmd /c start @file'
  2⤵
  PID:4572
- C:\Windows\system32\doskey.exe
  doskey CERTUTIL=FSUTIL
  2⤵
  PID:2304
- C:\Windows\system32\timeout.exe
  timeout 3
  2⤵
  - Delays execution with timeout.exe
  PID:1600
- C:\Windows\system32\findstr.exe
  findstr /i "echo" "C:\Users\Admin\AppData\Local\Temp\cmd_obf.bat"
  2⤵
  PID:216
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic computersystem get manufacturer /value
  2⤵
  PID:1864
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic computersystem get manufacturer /value
    3⤵
    PID:4684
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -NoLogo -NoProfile -ExecutionPolicy Bypass -Command "if((gcim Win32_PhysicalMemory | measure -Property capacity -Sum).sum /1gb -lt 4) {spps -f -n 'cmd' -ErrorAction SilentlyContinue;exit 1}"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:4968
- C:\Windows\system32\findstr.exe
  findstr /i "echo" "C:\Users\Admin\AppData\Local\Temp\cmd_obf.bat"
  2⤵
  PID:2344
- C:\Windows\system32\findstr.exe
  findstr /i "echo" "C:\Users\Admin\AppData\Local\Temp\cmd_obf.bat"
  2⤵
  PID:4976
- C:\Windows\system32\findstr.exe
  findstr /i "echo" "C:\Users\Admin\AppData\Local\Temp\cmd_obf.bat"
  2⤵
  PID:4968

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
720dcbde522c36f4c1cd1eb10865440c

SHA1
9d4b1cd79aca9f025539abe20f69308f122b8399

SHA256
d8680b59c678826214f0b0765d4d924fdc30730e001f2fe4bf286d33b0f05807

SHA512
71835467e8f906e5d19c56657c9b7e82f63f9f4ddef125d32d78096cda44bf480a0c9259cfa7e627ab922e8e6be5b4bc3a3e71a46645c151fed736b32c15ab0b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
bc4e9a7f5e500dbc9a37fa566583011e

SHA1
b7ac9a76b1c41ba17349f553b459b9129bbdc45c

SHA256
556204cb2ad6bb87b5155e0df4063abb467160d7ceccc49a89d78f802b7d08c6

SHA512
fea9ceace0faeb599dd6b4ad14607055b962362e0c3f60bc48db537b9ad69d0467fa6ebba3bcc3ccde5e130ab04df38718241547fbe326ce59af4d91fba6721f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
cebfface38f6214c2876be56057b9d89

SHA1
a074d0bf7b49c66e700f384199aa1b83af0816ed

SHA256
731cec29e2b446f8182682b16711732ba92347612e122220efe569b37bd77171

SHA512
75bd0f142b4f810c977cd0249d8c7f7ae08d297f9e87a76906aa687005e4bd31724784e302f6b84894bd62aa4851533b8104bcb5ebb6391954e0a220225b400a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
fecf74ed304251b72519b6df61124079

SHA1
3ffccc853ba151e101db82451c5105ade25d8c91

SHA256
f02851777f70c3913d3be84b9db9cca00ba176759c72441c66617f857a54b5e2

SHA512
970221234cdbf56418ba643dde2777049cb21deab74f69c4eefe8206e72b8acbe0bd88b7759cc209f635a3266f1bd61956a75413cbff36c4c7064445f7fd286d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
db482744e683e138c78f64240f88322a

SHA1
1863e57712468a71af35aca6587697e04cb84932

SHA256
b9bf33f9f040cc14ca70b779c22a6f731dd333a4e24f13747ae8f2a96fe61677

SHA512
2898919cf6e2d558b30247dbc5daa650bebd9d460477cfec36c9b75d671471e251cc7b352aef65d78f7c9c1739b02ea15cef87a4a86725fd49250ef6e123b6ff

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
dbffde3c730a1b7c4c10b7e801c800bf

SHA1
301d07badf0b92368f7afb92e887287be2a89410

SHA256
cff7a79a777556a728a469b21a7788e4b875c83cadfef20e470e356275821b10

SHA512
11b1a5a480dfe2b913a3b4de0f098718720772f0cb674f36e389e481b630d0edb6ff409e5237e6a2262626fe12f5e466f86810eae6b02dc392f432886fe6a386

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
05dc175493fbd9ce149b7bea5eaf29b6

SHA1
501a653ce7d4acbb87458bbaa19215b168e3b5b1

SHA256
65964a4417a91616dee24f565ab181fb8394e4d48995fd4e7265501d06b05d02

SHA512
0f1f2eaf084c8aaecfbc7263f119cf4604e677551f8af958c03844a938e2e44a11d776575454cc90a0853cf2d925d95efed884fe33f8a45cd173f09a567e82eb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
9a28b82b81390d748e239b13f7c9d8a2

SHA1
bf31fdd91008c7cba2b8d046072ea77273e2838a

SHA256
26088723e857a9c87eb53ed81d00686a73d9fcc7df86996149b2401e151af2ca

SHA512
28afa0248c859c6195df2ed87c97168d60d33fa648dba294d872b403fbadd616047acfb6d0c2652c70f022c824f01c9091293f2c5df3e49b3320055f6d3dcfd3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
05c60b5488f5be1d36f957df4dec30b9

SHA1
fc7cfcbf3287cf266364f108b910395d96670c02

SHA256
48ebebd45016c3b8fa573e6b590c21322238911a31ef0812455beebdfd8323ef

SHA512
8dc0973250dc63ae4bba57ae2e30ae3d3d6941226faf514f3f4e87f231878fb7478032a4c6d02c491dba8bc49f45640a62634ef5ea97c0320c1488c926745a08

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
faa85324fd82dd82cf4ac3dc3a7eb2bd

SHA1
7b68e81e43ee390b0cccac7ab358284203c63986

SHA256
ce98a5888e823d7f095c115e7f3863efcf38df8e7304792fd28a70caa6a37886

SHA512
7714932f91b81fed65cd75af973c6712e6a90af8dba998581b4cabdb2d382fdcc0838dc225b14b53e8416b16fba8c8fc98efdf9fcac9f8e3d5bed2385d3e3029

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
ead285eccc7de110510b4268bf28942e

SHA1
99252b814614a179bd0883a5a0f0bf62d61a126c

SHA256
bd13984ffc67656cceb8cab56c75afa8793b8e54e534f205d8d043601480e7a1

SHA512
e28e034dcfbcbd0013a5e36616fb5668a3c4def0d9d89a72b498552161d4b0dbdef566772400f9d8a979c8ed587c8b7adc4ddebea3e6c9052490136190b3c327

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
e97ef1ec72e75c24052c67a59345b7f4

SHA1
145cfbf7b48d88a8c437ccd8b6111db2333fd1f2

SHA256
956609d5136f37e1c8d7187813a470fb78308db8291f9816b96f59fa5687ccd3

SHA512
0bcad0bb74700f0babc91c577fd79f22b92e1b47d8edefd48db7d2c0280fdb980800e9f34e742028b1ea9199aba4a010dbe9a09e970e67450217af2228fa937f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
4b89511ed58f6e6f2057ee2a073580c6

SHA1
9a34c8796db31c93ce5c0cc880c9fe117ca1f3f7

SHA256
eb59a698481285a536b07886c378fa12a9e13189ddff8a8be42b76ae215dd43d

SHA512
3d57c4e8690bc8f7a73435b37ee400c90cd39e0f06c31067b1d417467e88df2c461edaf10785e988093904cfb582d5271d3636a648a944a91aacd601d81775f6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
f81a91929a6eb9537b852eb5dd725099

SHA1
2aad72968b4e9c0c92f48124ef37f3ef107cf64d

SHA256
271c51386817dc31ecfed2f04b1a4eb419894e225c2ae90eb47a7e7d9e66b7c8

SHA512
31f32c3c10db478928c6769d82d59e5ec7c5200fa4e11a2462f4fe9457278b56f25129537c7110e3a2279683f4ed05424339b90b74b29a2462943470e6eff3f2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
04b27d1ab5909fbe2b0c1f4f0af2366a

SHA1
359da14e165be4561de2e4270a5dcfe4b73e8887

SHA256
d2ca1484a111a4da72ce71a2a6c812fb09cfc7eea087a77218160c35761434ed

SHA512
c71ddce35af41dd3dd88c44d12a4e3616f37507fd2feb42eaaf372b4cab677e9fc158efcf6b0fdebb95438390ed7bb5f2c6770b2af839b4780a5e10595a7bb13

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
93b8972ee0d3fb2ac58462feffa4112c

SHA1
ebd37613668b8228eb2998c5455bd7f89d663793

SHA256
7f29c97f88c50c67868851b97ef4250afe854f66c4af6029c95d88df7154dd1a

SHA512
74631576517d64988a90d615021757104e7bdd4d07f2a969b163cc434e723a2ef4d5e4746c6b67bc6bc9d07c705a30575b310662dc6db8701840625d014188a2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
e901de4d26e0e79d9cc8830f14637697

SHA1
efb7e94f5efbf6633618d46426d7bb6a8de2f83a

SHA256
f0d0cea52df5cef354dae1e642b05a94487d55fe929196cb340d429b5c091a93

SHA512
f9af536e071e51a56ba75844ca7d3040f0f9d48f20d9657e335b481f811955f39fa177bd975a58326fc98a31e9d6a688a988741218eda12d0403a458b89aaac1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
04c81388722cf5c3403fc7d33c7285e0

SHA1
dbcbd0993d1134ceee0a6d33e74d6f7b25bba4d3

SHA256
1b31184b7fcc57414dccc191367db0b9917661043e49d2596c689b335dcff7ce

SHA512
a72036543253c81ba294e9808c8a23fa402b106915c83e5119efb6430627f2ecfe4786a643f01e5c26968e67b05de342dbe26b9ea362cb6b691bffbecabef2b5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
7956076298975420096760d17591e15c

SHA1
59231a40f76198337dcccc52efb3076c7b543ad4

SHA256
7375585e88470478b2550ac3b25f38617ffb97bdae86e1989b3e0cc451fbdbcb

SHA512
05895bf5f67669c354bdf20a859081ab701cc16cdba07d47138e7d2d6a51e67c8dabb34a50f270981a2f5e7a3c1421adece90e77f497e2e367086ba23b6c3f76

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
abfc18f59f6e17bce46da526d1f1fc22

SHA1
b2e94688f68815dab5c68fa03a666d0393ef7f23

SHA256
d36a909d65822442edd9729508415128a1f51c33bf632434db33da8247bc10e1

SHA512
1a25c29d82c2d1ec624316c2f42cf7e9d32a2120e61e51a6d7562309ec2e3426233d8e55fdf266bee05da95fa229f6f789b98a6f62afd2ab8b3bc5b00e3a2879

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
1ccb89698cafb32ed84993f8895e0d9a

SHA1
0d5e3721af7d8225b265c8c1a5c4293cfec59b21

SHA256
43ec1f35c1b0f78d5f76fe31d17be211d5eb5e2d5d593ab4503d30e05356ec9a

SHA512
2160d257149ee3a96499c8137980b6f5ded592f2946b765e8b775616b14415b4f6ddf85a3224d1b95d3098b00f91cda7235166c0be18cf6c38b1aac87ff14db7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
068084f6cdae1f4cd7d2c8b16ba9721c

SHA1
d651a0fd54eb7d65b60658a8756bcea263832660

SHA256
83f302a5aa621b603fdba6587a401e38bf6a5becb313f6030d88f9c13490a184

SHA512
506fa2643489c82aa04f392214b69abfcff00ff28a1e4a9098aafae316864f50c118d1f618376a2c92830adfd9600851348087130e92691bb7230d03dd41e36c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
fbb860e375a3d08a109b6a447981bd5d

SHA1
2acb81faa2cf950e241994066b5b68faef4081f4

SHA256
1a947ac2c6833cb75492525b236586133ecd7d1deb13781cc57fd72c7db30465

SHA512
e247eb8ea5f2b4e1c6988db33ab86459915629fe1d52ef7132c1822a099ac124333954cd7bd7c05064cc0acbb8dc6362f9027adbbcb1c20fb687c6564b17133b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
66478c2ca09022ae5bd36df573824923

SHA1
c0b2587a9a7110beef144e240623ad45ec94f3af

SHA256
77ba853d4206c5422bd553eb3a41baa4c58c62c9e39214fa0c134a1ce4c915ee

SHA512
928f46858ef879cb8065708a06b4dd4f01b398ae0a23e7fe6f78a3c99329e28c3e13ddad37bdd474e536125dc8f095495fe2b4e3a7a1d4facc4592271012abcc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
307ac2c6aa74bc9221c17f234ef3cdca

SHA1
7ea8e6b01d33d2c7e97f2d589572f7dc6e0fc4d3

SHA256
4c748b33f170de63a3e32e4ad3b225ab302e5fc2873cc5a164117695beefddb4

SHA512
b37c491dbab3bfea10ecfd096db824583c80593198a418a8302d8369f457f96520b9b485fc78a5d28ee57de7a85384c889eb56f4c1dd40134546bdabea4c19a9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
e651379754723b545c2c58a180886785

SHA1
7270b7212994e81b2d9b916ca10563cca6b9dd84

SHA256
eb84ca51b78dde3e1e229dbafe7806eeec07bf224820453b8a4f73583d088636

SHA512
9e744dba0cdc78ef098174df8d3a5b62d193b0045448a151a29f130d25dcb9744be64697de3cee0390f29a4b1f6cdd5af6b91d2935fc47fefa91eef238cbc001

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
324d396ad29bae7528e5f7ddfed4a5a6

SHA1
45f48e9d020dc40e7ed2185321f69086831884b6

SHA256
ea9589bc0ce581b1b893a06f46e3d7ab7ce3125b4ae0c2975aa0a2f715a94fea

SHA512
4af0668c9078e312567d65ed474905fc0a4486958b15051d6b28b9d44b5df2113c0c620bc1028d1d3cf104aad7b28abb42fe81a9558b27bcb75fb01113f71f59

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
0ebbb1c40927e017e67da5f0515fbfe9

SHA1
1bf52d258e42f7b3dffa961f0cc3bbaedfd9cbca

SHA256
383654b67001bbd7f8043a6b4a6b802652d76235adee23f1a873f04072c6f75e

SHA512
202d94c374046604e5a9b51902d091d4e665267d0b0c5bd8373f858e898abf75b923c7af8ae2a213acf4b8a101a0e9ba7db3301754f8b7d1aa2d79a11157e0ec

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
5cf08195e5aed2eb4e6620d250a94755

SHA1
f7eda17d398072c802d6178464980c8338360a17

SHA256
3c27a21798c5748de6114897a36642fbe108d1825cce25e5c4a1c6258be65854

SHA512
64a2edfa651d935b6d2bdecaea5438d0c4d09f849576c2e071164bd084f52ecedc5882ec2cf1ae555eca79eaef27fc56d7e87a571bac9b18cef2900cd8ec5097

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
1412e755a46e5d650e90a836325a2a50

SHA1
1f2009bae0b1beca5b2167fbab6103e9d7225a50

SHA256
c109f5e046e8020467bbafecf01ead4df47111c356f5af1cf2769a53d4d3affc

SHA512
7232367f19c29a2b15b68113ee64184416840b27079d48b4163e9706c49793db2b23b4d12edb9efbd6f116f5b6abe66decaadba5369d10fbc3c6ff3976fc5022

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
5d16a17ac4cb311b63459f566949d5e3

SHA1
8c52cd2f937114fe0c230636360f53b795e7ee2a

SHA256
828f422a37b341f4c3167ec2208c0908502c064e003a3e310aa8634441b0bede

SHA512
68955032a5032cddf539c67c60ee717f035fdbfc1d245366737d3efa981d7ec98ab0019c1bf650bf100a104967a927887b49fc8098749f898a7e69479c90b1e3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
8e9ae8c078a54e517f82cc28021d0958

SHA1
b20078cff55fec0201aa71ca8d19dbdbfeca1980

SHA256
876555ce4e84626f1c1186471f935ed79546b0a3d0b4077638f563d6b065be2f

SHA512
e18ae39294ccfd26f02ab57a81cbd4602ab19210543f08924c7d2084341776b0e1b6b683c16dea8b3e2ee7dfca785217fc689e2c1f588992f15df61e8827c697

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
de39a855f02cc5563327d78a73ceb14d

SHA1
71aeba02394167f31f93c208c7cd01a49f906244

SHA256
23a18bf01cee8e2e926e2951754c861c1f1e710fd81c5eb34bc2e324bcbb4591

SHA512
967e54184798f0773b7d473096af6bf6b6758b4f6c2ad9506fd3afe1441009f999a8ee274b508ff97e053d270f23c13a7e40ce6890d5e50a8ce1d25de9ed62ed

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
87d864459f2d42f61eae2c377e1d82f2

SHA1
85f3bafaa181789e65e06017cb25325e46436553

SHA256
6950f1a48a379965ac01106de0213f1a972b57b9524d03468b27c79fe035e0d4

SHA512
0e1deb67875efd97a908a18068adb716f72616d5a536342503c3c8e02d083805ad5bf25da6915d4659e188d052a4161fae3596ec8edf2eb8698bce42a8547ab0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
b409073a6a501e1562f4a2378be02158

SHA1
88d642d795a3e74fce9cd683c88fb0ea0ac9f66b

SHA256
65eece2c466891a5f6e3cd3f4de4b8935aaec3bd356db0927e8072d6f0ef317f

SHA512
0e359263686f773004f24f1aa5059fa83ce490d357a7555074e066ef7ca6d955318430f37579395c82bdcc5237c3f3779d02a67e424dcf510616ad2d80eb4632

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
c26d21038f2897587246d48809357649

SHA1
828d4753dc01b1838137aafcc835e35abcfe1235

SHA256
a17304984029386961a75cc9d6b6def942b5c75432e5c75a910944d1b4332f52

SHA512
3a199ff130ad0d2d346486921bd18f2c02516144dc686f6877ae1d3c42ab98a63354269a1060690358d73a36158cafb88cef7b9979526f898e77f2cbffdde039

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
edab09bf03194ec814e2a1ee154a976b

SHA1
4160568b737b2de25019893f4d80053995075b15

SHA256
6173288ebc60f106b38eb66fd14b32891402babe83bb83a53e89f81b6cee52c4

SHA512
c2777aba0f3fcc6f5fa4994dfe4680968d3a37992f9e0affb08c59201b15befdcc9a722ef538acc902219dab38191f9d88843c82e5ab078b6049649197ccb475

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
a0085c370807881753de8f8a9e704520

SHA1
74b28f033325a269c00ff176d53917ef0651c867

SHA256
a3c08dfd1c684df889f5b8dbe2ee4b241152f8169f7fba2ecd1b10d1e45b92e0

SHA512
951452cef65e6d258d8afa454f45e86a2d772c3957776f8ecdf3b08c73cbfe6a08500d83e7203dda18cb4350e3cb301a0f9e4cfdaa3d631ef6a2f039185d07aa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
47d58b5b6624dc03becfad70176c145a

SHA1
a09cad33464e34a349d678038cfc671dd93bfd5c

SHA256
1d84322514e8f476033278b2c63c2cb89b3903b32612a317f4404bb1e12ce7d4

SHA512
af1d2a71d91fd78c57f98ab4d647cf3ab7e05cf6b5baa464b0d3bb3c95557116b23e406015e9efd9e0f59cd1a8fd8a2cc5231839b6928583836b8d873b652992

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
bd564049c0659c3ad4ef8a3c7f9a17b2

SHA1
cd4005f770c35bf52a95bcf644ae41a8fb73c7bf

SHA256
fdffdb573467f39aa7a05a03a13dda701df653b20706705ddc17229cf27b0041

SHA512
4cdb13915b853b027e840666898926a05e53627952db7beb7ff2e672b411c6d6743ad9b0a0d2d30847a750b0f65eeeb6745e17674fd3a14ed81fc11738c607b5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
07bbdbfe06d04b29b084ac5b2157571e

SHA1
d7677a9ac86a8b0f953a20471a94622e32de982a

SHA256
239a4901245728f1578e5a6a1177f48c9e9d372314f7c702afec3a9e7066a6f0

SHA512
d47e6ad24ebd1b468e08463cbd012a9929a6306448f690f83a118cb00d6a6f57f8541c1c34189c129fe93622175652d027bf18873aa05b5484738f759f9a9c03

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ni4ys2jr.oxj.ps1

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\AppData\Local\Temp\kdotIwZgP.bat

Filesize
174B

MD5
035df3818cfc833fc8456bc6b77dee0f

SHA1
6de7134144214f63e1af9548a47899b32d4b5f9a

SHA256
08bb34a9cb1331e38c6c5b6752fd5dbbda03944e9275e07252b41dd7ad3becde

SHA512
9859f290ba8fcc403f6207cc0e2329c7ddec6a80727441023aee67393a42d7a9ac71b2f88c5460c4559b6afaf971fb7ac449e8961788daff39f850aae7047b82

Download Submit
memory/984-254-0x00007FFEF9160000-0x00007FFEF9B4C000-memory.dmp

Filesize
9.9MB

Download
memory/984-257-0x00007FFEF9160000-0x00007FFEF9B4C000-memory.dmp

Filesize
9.9MB

Download
memory/984-259-0x00007FFEF9160000-0x00007FFEF9B4C000-memory.dmp

Filesize
9.9MB

Download
memory/984-460-0x00007FFEF9160000-0x00007FFEF9B4C000-memory.dmp

Filesize
9.9MB

Download
memory/2160-226-0x00007FFEF9160000-0x00007FFEF9B4C000-memory.dmp

Filesize
9.9MB

Download
memory/2160-14-0x00007FFEF9163000-0x00007FFEF9164000-memory.dmp

Filesize
4KB

Download
memory/2160-16-0x0000025BF63C0000-0x0000025BF63E2000-memory.dmp

Filesize
136KB

Download
memory/2160-18-0x00007FFEF9160000-0x00007FFEF9B4C000-memory.dmp

Filesize
9.9MB

Download
memory/2160-20-0x00007FFEF9160000-0x00007FFEF9B4C000-memory.dmp

Filesize
9.9MB

Download
memory/2160-21-0x0000025BF6570000-0x0000025BF65E6000-memory.dmp

Filesize
472KB

Download
memory/2160-190-0x0000025BF6520000-0x0000025BF654A000-memory.dmp

Filesize
168KB

Download
memory/2160-209-0x0000025BF6520000-0x0000025BF6542000-memory.dmp

Filesize
136KB

Download
memory/2160-225-0x00007FFEF9160000-0x00007FFEF9B4C000-memory.dmp

Filesize
9.9MB

Download