30091faafd62ea7ba9868db2ee575dab98fd126a78d39590f57ea7b38b20d966

Analysis

max time kernel
151s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
11-07-2024 18:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Ultimate Tweaks.exe
Size

168.2MB
MD5

02c4b9609f04037960d947113bc2a017
SHA1

b593fc590fafb5e11ccceb199ff405874183c4e8
SHA256

3b47e84d5ca6ad15d2e8916d6cbd6af9ab943a42e84241e0517eaab66b5ef214
SHA512

d4b3d0f440f6c61716dc156494e0be5cb4053d170d8917f7686e26734023c4e29785f354f0bc21912da06a33547573256379874027dc990cdc91d648f176826a
SSDEEP

1572864:9QqT4eFUirK1e2zSQ5Rcw/N5cae/bHhrPdacyodvcPSBoHESUlyAzl/:vBKRcAMyAzB

Score

7^/10

execution

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Ultimate Tweaks.exeUltimate Tweaks.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Control Panel\International\Geo\Nation	Ultimate Tweaks.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Control Panel\International\Geo\Nation	Ultimate Tweaks.exe

Drops file in System32 directory 2 IoCs

Processes:

Ultimate Tweaks.exe

description	ioc	process
File created	\??\c:\windows\system32\driverstore\filerepository\display.inf_amd64_71aa85b0e2292a7a\display.PNF	Ultimate Tweaks.exe
File created	C:\Windows\System32\DriverStore\FileRepository\display.inf_amd64_71aa85b0e2292a7a\display.PNF	Ultimate Tweaks.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 60 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	process
2420	powershell.exe
2100	powershell.exe
4116	powershell.exe
4648	powershell.exe
968	powershell.exe
2576	powershell.exe
1472	powershell.exe
1708	powershell.exe
4420	powershell.exe
924	powershell.exe
208	powershell.exe
2664	powershell.exe
1220	powershell.exe
2636	powershell.exe
2044	powershell.exe
4440	powershell.exe
1604	powershell.exe
2288	powershell.exe
2056	powershell.exe
3056	powershell.exe
4120	powershell.exe
4212	powershell.exe
1000	powershell.exe
4100	powershell.exe
3756	powershell.exe
4212	powershell.exe
2740	powershell.exe
2940	powershell.exe
640	powershell.exe
4332	powershell.exe
3096	powershell.exe
3460	powershell.exe
4000	powershell.exe
2268	powershell.exe
2756	powershell.exe
452	powershell.exe
4176	powershell.exe
1784	powershell.exe
4368	powershell.exe
3960	powershell.exe
2088	powershell.exe
3688	powershell.exe
4904	powershell.exe
2468	powershell.exe
728	powershell.exe
2268	powershell.exe
1116	powershell.exe
3056	powershell.exe
4552	powershell.exe
228	powershell.exe
1780	powershell.exe
1592	powershell.exe
4696	powershell.exe
1604	powershell.exe
4784	powershell.exe
2524	powershell.exe
4648	powershell.exe
2664	powershell.exe
1168	powershell.exe
4564	powershell.exe

Checks processor information in registry 2 TTPs 7 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Ultimate Tweaks.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\2	Ultimate Tweaks.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Ultimate Tweaks.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	Ultimate Tweaks.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Ultimate Tweaks.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	Ultimate Tweaks.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	Ultimate Tweaks.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	Ultimate Tweaks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

pid	process
3056	powershell.exe
4120	powershell.exe
4120	powershell.exe
3056	powershell.exe
2740	powershell.exe
1220	powershell.exe
1220	powershell.exe
2740	powershell.exe
1220	powershell.exe
2088	powershell.exe
2420	powershell.exe
2088	powershell.exe
2420	powershell.exe
2420	powershell.exe
3688	powershell.exe
4904	powershell.exe
3688	powershell.exe
4904	powershell.exe
4000	powershell.exe
2268	powershell.exe
2268	powershell.exe
4000	powershell.exe
4000	powershell.exe
1592	powershell.exe
4648	powershell.exe
1592	powershell.exe
4648	powershell.exe
1592	powershell.exe
4648	powershell.exe
3056	powershell.exe
924	powershell.exe
924	powershell.exe
3056	powershell.exe
2636	powershell.exe
4212	powershell.exe
2636	powershell.exe
4212	powershell.exe
2468	powershell.exe
4696	powershell.exe
2468	powershell.exe
4696	powershell.exe
4648	powershell.exe
728	powershell.exe
728	powershell.exe
4648	powershell.exe
1168	powershell.exe
2100	powershell.exe
1168	powershell.exe
2100	powershell.exe
2268	powershell.exe
1000	powershell.exe
1000	powershell.exe
2268	powershell.exe
452	powershell.exe
4100	powershell.exe
452	powershell.exe
4100	powershell.exe
1604	powershell.exe
968	powershell.exe
1604	powershell.exe
968	powershell.exe
2940	powershell.exe
4176	powershell.exe
2940	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

Ultimate Tweaks.exepowershell.exepowershell.exepowershell.exepowershell.exe

description	pid	process
Token: SeShutdownPrivilege	1520	Ultimate Tweaks.exe
Token: SeCreatePagefilePrivilege	1520	Ultimate Tweaks.exe
Token: SeDebugPrivilege	3056	powershell.exe
Token: SeDebugPrivilege	4120	powershell.exe
Token: SeShutdownPrivilege	1520	Ultimate Tweaks.exe
Token: SeCreatePagefilePrivilege	1520	Ultimate Tweaks.exe
Token: SeIncreaseQuotaPrivilege	3056	powershell.exe
Token: SeSecurityPrivilege	3056	powershell.exe
Token: SeTakeOwnershipPrivilege	3056	powershell.exe
Token: SeLoadDriverPrivilege	3056	powershell.exe
Token: SeSystemProfilePrivilege	3056	powershell.exe
Token: SeSystemtimePrivilege	3056	powershell.exe
Token: SeProfSingleProcessPrivilege	3056	powershell.exe
Token: SeIncBasePriorityPrivilege	3056	powershell.exe
Token: SeCreatePagefilePrivilege	3056	powershell.exe
Token: SeBackupPrivilege	3056	powershell.exe
Token: SeRestorePrivilege	3056	powershell.exe
Token: SeShutdownPrivilege	3056	powershell.exe
Token: SeDebugPrivilege	3056	powershell.exe
Token: SeSystemEnvironmentPrivilege	3056	powershell.exe
Token: SeRemoteShutdownPrivilege	3056	powershell.exe
Token: SeUndockPrivilege	3056	powershell.exe
Token: SeManageVolumePrivilege	3056	powershell.exe
Token: 33	3056	powershell.exe
Token: 34	3056	powershell.exe
Token: 35	3056	powershell.exe
Token: 36	3056	powershell.exe
Token: SeShutdownPrivilege	1520	Ultimate Tweaks.exe
Token: SeCreatePagefilePrivilege	1520	Ultimate Tweaks.exe
Token: SeShutdownPrivilege	1520	Ultimate Tweaks.exe
Token: SeCreatePagefilePrivilege	1520	Ultimate Tweaks.exe
Token: SeShutdownPrivilege	1520	Ultimate Tweaks.exe
Token: SeCreatePagefilePrivilege	1520	Ultimate Tweaks.exe
Token: SeShutdownPrivilege	1520	Ultimate Tweaks.exe
Token: SeCreatePagefilePrivilege	1520	Ultimate Tweaks.exe
Token: SeDebugPrivilege	1220	powershell.exe
Token: SeDebugPrivilege	2740	powershell.exe
Token: SeIncreaseQuotaPrivilege	1220	powershell.exe
Token: SeSecurityPrivilege	1220	powershell.exe
Token: SeTakeOwnershipPrivilege	1220	powershell.exe
Token: SeLoadDriverPrivilege	1220	powershell.exe
Token: SeSystemProfilePrivilege	1220	powershell.exe
Token: SeSystemtimePrivilege	1220	powershell.exe
Token: SeProfSingleProcessPrivilege	1220	powershell.exe
Token: SeIncBasePriorityPrivilege	1220	powershell.exe
Token: SeCreatePagefilePrivilege	1220	powershell.exe
Token: SeBackupPrivilege	1220	powershell.exe
Token: SeRestorePrivilege	1220	powershell.exe
Token: SeShutdownPrivilege	1220	powershell.exe
Token: SeDebugPrivilege	1220	powershell.exe
Token: SeSystemEnvironmentPrivilege	1220	powershell.exe
Token: SeRemoteShutdownPrivilege	1220	powershell.exe
Token: SeUndockPrivilege	1220	powershell.exe
Token: SeManageVolumePrivilege	1220	powershell.exe
Token: 33	1220	powershell.exe
Token: 34	1220	powershell.exe
Token: 35	1220	powershell.exe
Token: 36	1220	powershell.exe
Token: SeShutdownPrivilege	1520	Ultimate Tweaks.exe
Token: SeCreatePagefilePrivilege	1520	Ultimate Tweaks.exe
Token: SeShutdownPrivilege	1520	Ultimate Tweaks.exe
Token: SeCreatePagefilePrivilege	1520	Ultimate Tweaks.exe
Token: SeShutdownPrivilege	1520	Ultimate Tweaks.exe
Token: SeCreatePagefilePrivilege	1520	Ultimate Tweaks.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Ultimate Tweaks.exeUltimate Tweaks.execmd.exe

description	pid	process	target process
PID 1520 wrote to memory of 3508	1520	Ultimate Tweaks.exe	Ultimate Tweaks.exe
PID 1520 wrote to memory of 3508	1520	Ultimate Tweaks.exe	Ultimate Tweaks.exe
PID 1520 wrote to memory of 3508	1520	Ultimate Tweaks.exe	Ultimate Tweaks.exe
PID 1520 wrote to memory of 3508	1520	Ultimate Tweaks.exe	Ultimate Tweaks.exe
PID 1520 wrote to memory of 3508	1520	Ultimate Tweaks.exe	Ultimate Tweaks.exe
PID 1520 wrote to memory of 3508	1520	Ultimate Tweaks.exe	Ultimate Tweaks.exe
PID 1520 wrote to memory of 3508	1520	Ultimate Tweaks.exe	Ultimate Tweaks.exe
PID 1520 wrote to memory of 3508	1520	Ultimate Tweaks.exe	Ultimate Tweaks.exe
PID 1520 wrote to memory of 3508	1520	Ultimate Tweaks.exe	Ultimate Tweaks.exe
PID 1520 wrote to memory of 3508	1520	Ultimate Tweaks.exe	Ultimate Tweaks.exe
PID 1520 wrote to memory of 3508	1520	Ultimate Tweaks.exe	Ultimate Tweaks.exe
PID 1520 wrote to memory of 3508	1520	Ultimate Tweaks.exe	Ultimate Tweaks.exe
PID 1520 wrote to memory of 3508	1520	Ultimate Tweaks.exe	Ultimate Tweaks.exe
PID 1520 wrote to memory of 3508	1520	Ultimate Tweaks.exe	Ultimate Tweaks.exe
PID 1520 wrote to memory of 3508	1520	Ultimate Tweaks.exe	Ultimate Tweaks.exe
PID 1520 wrote to memory of 3508	1520	Ultimate Tweaks.exe	Ultimate Tweaks.exe
PID 1520 wrote to memory of 3508	1520	Ultimate Tweaks.exe	Ultimate Tweaks.exe
PID 1520 wrote to memory of 3508	1520	Ultimate Tweaks.exe	Ultimate Tweaks.exe
PID 1520 wrote to memory of 3508	1520	Ultimate Tweaks.exe	Ultimate Tweaks.exe
PID 1520 wrote to memory of 3508	1520	Ultimate Tweaks.exe	Ultimate Tweaks.exe
PID 1520 wrote to memory of 3508	1520	Ultimate Tweaks.exe	Ultimate Tweaks.exe
PID 1520 wrote to memory of 3508	1520	Ultimate Tweaks.exe	Ultimate Tweaks.exe
PID 1520 wrote to memory of 3508	1520	Ultimate Tweaks.exe	Ultimate Tweaks.exe
PID 1520 wrote to memory of 3508	1520	Ultimate Tweaks.exe	Ultimate Tweaks.exe
PID 1520 wrote to memory of 3508	1520	Ultimate Tweaks.exe	Ultimate Tweaks.exe
PID 1520 wrote to memory of 3508	1520	Ultimate Tweaks.exe	Ultimate Tweaks.exe
PID 1520 wrote to memory of 3508	1520	Ultimate Tweaks.exe	Ultimate Tweaks.exe
PID 1520 wrote to memory of 3508	1520	Ultimate Tweaks.exe	Ultimate Tweaks.exe
PID 1520 wrote to memory of 3508	1520	Ultimate Tweaks.exe	Ultimate Tweaks.exe
PID 1520 wrote to memory of 3508	1520	Ultimate Tweaks.exe	Ultimate Tweaks.exe
PID 1520 wrote to memory of 3684	1520	Ultimate Tweaks.exe	Ultimate Tweaks.exe
PID 1520 wrote to memory of 3684	1520	Ultimate Tweaks.exe	Ultimate Tweaks.exe
PID 1520 wrote to memory of 1668	1520	Ultimate Tweaks.exe	Ultimate Tweaks.exe
PID 1520 wrote to memory of 1668	1520	Ultimate Tweaks.exe	Ultimate Tweaks.exe
PID 1668 wrote to memory of 3564	1668	Ultimate Tweaks.exe	cmd.exe
PID 1668 wrote to memory of 3564	1668	Ultimate Tweaks.exe	cmd.exe
PID 3564 wrote to memory of 5056	3564	cmd.exe	chcp.com
PID 3564 wrote to memory of 5056	3564	cmd.exe	chcp.com
PID 1668 wrote to memory of 4120	1668	Ultimate Tweaks.exe	powershell.exe
PID 1668 wrote to memory of 4120	1668	Ultimate Tweaks.exe	powershell.exe
PID 1668 wrote to memory of 3056	1668	Ultimate Tweaks.exe	powershell.exe
PID 1668 wrote to memory of 3056	1668	Ultimate Tweaks.exe	powershell.exe
PID 1668 wrote to memory of 2740	1668	Ultimate Tweaks.exe	powershell.exe
PID 1668 wrote to memory of 2740	1668	Ultimate Tweaks.exe	powershell.exe
PID 1668 wrote to memory of 1220	1668	Ultimate Tweaks.exe	powershell.exe
PID 1668 wrote to memory of 1220	1668	Ultimate Tweaks.exe	powershell.exe
PID 1668 wrote to memory of 2088	1668	Ultimate Tweaks.exe	powershell.exe
PID 1668 wrote to memory of 2088	1668	Ultimate Tweaks.exe	powershell.exe
PID 1668 wrote to memory of 2420	1668	Ultimate Tweaks.exe	powershell.exe
PID 1668 wrote to memory of 2420	1668	Ultimate Tweaks.exe	powershell.exe
PID 1668 wrote to memory of 4904	1668	Ultimate Tweaks.exe	powershell.exe
PID 1668 wrote to memory of 4904	1668	Ultimate Tweaks.exe	powershell.exe
PID 1668 wrote to memory of 3688	1668	Ultimate Tweaks.exe	powershell.exe
PID 1668 wrote to memory of 3688	1668	Ultimate Tweaks.exe	powershell.exe
PID 1668 wrote to memory of 4000	1668	Ultimate Tweaks.exe	powershell.exe
PID 1668 wrote to memory of 4000	1668	Ultimate Tweaks.exe	powershell.exe
PID 1668 wrote to memory of 2268	1668	Ultimate Tweaks.exe	powershell.exe
PID 1668 wrote to memory of 2268	1668	Ultimate Tweaks.exe	powershell.exe
PID 1668 wrote to memory of 4648	1668	Ultimate Tweaks.exe	powershell.exe
PID 1668 wrote to memory of 4648	1668	Ultimate Tweaks.exe	powershell.exe
PID 1668 wrote to memory of 1592	1668	Ultimate Tweaks.exe	powershell.exe
PID 1668 wrote to memory of 1592	1668	Ultimate Tweaks.exe	powershell.exe
PID 1668 wrote to memory of 3056	1668	Ultimate Tweaks.exe	powershell.exe
PID 1668 wrote to memory of 3056	1668	Ultimate Tweaks.exe	powershell.exe

C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe
"C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1520
- C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe
  "C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\Ultimate Tweaks" --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=1668 --field-trial-handle=1728,i,2206644298330825004,12810255971596741461,262144 --enable-features=kWebSQLAccess --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version /prefetch:2
  2⤵
  PID:3508
- C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe
  "C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\Ultimate Tweaks" --mojo-platform-channel-handle=2008 --field-trial-handle=1728,i,2206644298330825004,12810255971596741461,262144 --enable-features=kWebSQLAccess --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version /prefetch:3
  2⤵
  PID:3684
- C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe
  "C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\Ultimate Tweaks" --app-path="C:\Users\Admin\AppData\Local\Temp\resources\app.asar" --no-sandbox --no-zygote --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=4 --mojo-platform-channel-handle=2396 --field-trial-handle=1728,i,2206644298330825004,12810255971596741461,262144 --enable-features=kWebSQLAccess --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version /prefetch:1
  2⤵
  - Checks computer location settings
  - Checks processor information in registry
  - Suspicious use of WriteProcessMemory
  PID:1668
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "chcp"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3564
  - - C:\Windows\system32\chcp.com
      chcp
      4⤵
      PID:5056
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4120
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3056
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2740
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1220
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:2088
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:2420
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:4904
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:3688
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:4000
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:2268
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:4648
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:1592
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:3056
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:924
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:2636
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:4212
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:4696
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:2468
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:4648
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:728
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:2100
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:1168
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:2268
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:1000
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:452
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:4100
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:1604
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:968
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:2940
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:4176
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:640
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:208
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:4784
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:4116
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:4440
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:4552
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:2524
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:2664
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:2756
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:1116
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:4332
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:3960
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:1784
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:4564
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:2576
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:2664
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:4368
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:1472
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:228
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:3096
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:3756
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:1708
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:1604
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:4212
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:3460
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:4420
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:2288
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:1780
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:2044
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:2056
- C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe
  "C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --user-data-dir="C:\Users\Admin\AppData\Roaming\Ultimate Tweaks" --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAABEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=1172 --field-trial-handle=1728,i,2206644298330825004,12810255971596741461,262144 --enable-features=kWebSQLAccess --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version /prefetch:8
  2⤵
  - Drops file in System32 directory
  PID:376

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
5c3cc3c6ae2c1e0b92b502859ce79d0c

SHA1
bde46d0f91ad780ce5cba924f8d9f4c175c5b83d

SHA256
5a48860ad5bdf15d7a241aa16124163ec48adc0f0af758e43561ac07e4f163b2

SHA512
269b79931df92c30741c9a42a013cb24935887272ed8077653f0b6525793da52c5004c70329d8e0e7b2776fc1aba6e32da5dadf237ae42f7398fdf35a930663e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
2KB

MD5
28c65370f12e84b734af87ad491ea257

SHA1
402d3a8203115f1365d48fa72daf0a56e14d8a08

SHA256
4ea873fb3d77a2f8eefae82c943f621f16723516e181bde133568f8f0c91290c

SHA512
56eb34162b0a39da4aaf66aad35ef355a7709982b5060792e3b4849c36650725176e927815537ec58e7ddf0fb1763066b203d6b7f9d1b3dd2c8bc091c0c850cc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
2KB

MD5
8dbbc18f4a335b35868373ad3a0cff79

SHA1
cfb8388b8865c1d773711aa1119b8e54caf551cc

SHA256
66f7c6207155d64aaddc5435df6cbb1ea42eb70af306786eebf1eb6e0d689f86

SHA512
9392eba8bd7a210efabf1d8e026cea34e01653a677958b0e5c0e304f7b5a1c5d58637990df24b71be27781178e326f1435661b48b7add18175b7cb68c2e32a5e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
2KB

MD5
5a9af550cfb7e529d6388fda238bb680

SHA1
505f73a0e58622f52e35a8fb0016d4307189d3f1

SHA256
65871b63ad5fa521b2b646056ecda5ce8404ab3eebe16bdcee34078fcac20dcb

SHA512
fff4dc4a284a1b9903cff398047cf345d94a37ecac83bee49a2ef42716bb6a9c6485861b9dec8e92e1961ec873580b0e1b9d64d75eb6792f50d6025eb8075d04

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
2KB

MD5
c58815c74bf6f47ac80bb9c412fde50e

SHA1
51c05f84cde827feae41403131f73f49eabc769d

SHA256
8056b36e544e7968ce4c020a4d69b67402fff68af49436d8196f2bc4b0971485

SHA512
4550608324690d8c69edd174310975507c7e7290fac2adb98177f8f17fae10f04c1c9d7009af3a1fdce3df320ad19a9e0e45650640b0fefd8694e55d4a779c7c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
2KB

MD5
29b5db33e1eabd106f50098ea03eff40

SHA1
9ff886cc2c15a641edcc014beae9f0ddb88ef02e

SHA256
783b10abe2769fcf7ddd863acc526d4890c3b4575c4749b53560db053a24df7a

SHA512
f4626910ec6af7e0f847d0ebec2b5acf9fc5a509a7abeff0c4c70c9be5b20b3a70c2580719958b8669c3a92396e369f15a3169265d793fcbe10e2306eae90058

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
104B

MD5
3cdf0bb654431d507451ccc3d906fe3f

SHA1
adfabe72aba8f01a27f77ca35396081f6e12ebe0

SHA256
669bebb6086fb3e2f63d49b364e6a27f853e216dd0f24f9f94b2f957a72620d9

SHA512
f20dbc1a796bd2574397f108d3de3afb2496c4b4ff1990ce653469c1af2c867b1da280c0e873ff16c215b7ec7429a34a6738f1295eefa3d3ede9f5a2d57111c5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
2KB

MD5
a63ffa552446e241492fb98d80382644

SHA1
1a4d25cf8187bc00a66db0254abd963e72165795

SHA256
ecd1c98607751a2881b937b92114f54e1156d0c559fc70e96db5a501b51a81e0

SHA512
379046a39d21ca2b6a3a737b3e11d3f72466b8875f81b8a3cfdfca9e928036a14f29fefe6719a2493304dca77eb6113de40940727a69c15e3f7010050ece0821

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
2KB

MD5
ed662e17c3146604de83d9803f961314

SHA1
1f7586d42b7e8d745df4df5805b29d82f5920026

SHA256
2b13c9abece19514d0599ebdcec7ed9361045d7739e9e9d64bf4b417660b9194

SHA512
84fa7130d730e95d388b9327fd742ab12f407f57d75cc7e372641ab23f2903506aa477f0e2b3504dea04542e3aab1973c5e32866ebac90dbdd615f7119799c12

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
104B

MD5
e0fd907559e26d1cfc220a0619bcda74

SHA1
bb896e4ea8a914417f4107c490730037bf7a4f5d

SHA256
c212a791ea66edb958f897f5274df86916619d30950626aea2ddf097c85fd243

SHA512
3d30a3144dc2d6d0f755e6a1df7acc7cb3731c333cdcff3c03b25089d7c8ae20483923d218cdbf987aeede31f29022dac2d7bb977244d636161a8e9593701612

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
2KB

MD5
47d3192e3f0bff05c0a7f58d92242551

SHA1
71b24278964aeae79d7529a8e550fced5c7341af

SHA256
c24bde0f7d17546dc4f4ea4b71c0f32f65869346839b078f769bd52e80d39d02

SHA512
b07e0e6421ece801ff340e7e64f5fd801a5ca5982458d406a7a34813d63170834490c44ece8e716d5b260b5dc25697660529e3b3e1f371ed5c8aa9593ab07c4a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
2KB

MD5
d5cd05e396f72be1f37a500cfaa8c268

SHA1
aec89951286565bee48f7a50eb0175042296637f

SHA256
d111416eb6f1b483916bb32fe0e96750d187831227b560a23af55ca03e15d57f

SHA512
47e5a35b7a30834af50cf7869ebbab9aac9e2ea491fcb0c16738cee1ce25ddc7cda156ed4e23a039552027752025765e9185f47a973fd69988a1b8318e4b7eac

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
176B

MD5
cb7fdde589c625275e844ebbda74b57c

SHA1
56a447ddccc838ecc25a48e68c35befb216dbaf9

SHA256
ab94e284400050eb9e33149c3bab63ce20cffac31ab721676d9e1c5220af4562

SHA512
3fe1d0c26f9ed12276b3d93c239242fb6559ef3e1f8263a3913ce99e2ecc8e38a49278e9e1378e9b47e02fb0c2497757d99f7350ca5465d8b7d9c283fc37e68b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
2KB

MD5
6b8324ff9b8b480e5af320b17234e961

SHA1
75ea4cdb1406073f55280fea7f9409abf8214c8c

SHA256
3ab496f0c0bea27beeb465e519677e273a35ecce40d8981eadc24fd51917adde

SHA512
7906e4fae229d29cec7e5356e62eb68ac43bb55525146124f874f6d37b26755fd7cdd915e9b9b06057d1a5125837cfa2e80561275897960c70de2713d2665309

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
2KB

MD5
4c35d109cd1a533d1060fa6428e3f729

SHA1
e0eba53fa9c232c9ccc8365b98582342c05051d3

SHA256
e223bece0470aaf31ae6a7bbcb5e392b6d643c124312581e22ca8597d153d33f

SHA512
75115e89f3f568751ee56dced86cf093de67e808872f52af0d907ea260ffd00dc726125eff6760125dc5abbd0dce8a412e5819e37debeacba090c8cbee1bb3db

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
2KB

MD5
421dfe550cf5c58fe7d3632be38a2e13

SHA1
58f012a1bf72e4968c6eeffa537aac0261272467

SHA256
ac4d373cf9674d34a47ae79350bbb17677d88972f0d065efdc2194e4027a139b

SHA512
27b529674fd023ae68bbb2295ea504b3001df01212619eecd5820dd1ecb2c21b36199c9473eb75b2f8c24e3b856ea4fa08f17dc37f31e623ad96053e63f48876

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
2KB

MD5
3be9b9e51698320663f73b1f8f01a4ed

SHA1
2bbc5dfb7df80e0ba262dbd58a2402fe11c8d4ba

SHA256
b782cdaffcef8a9b747fb638091d9dd4ebce158203f229d009f66e0b49298f08

SHA512
a197ff774b8ef14407d72efb032d55fe6bdceae0eb4b52315d01c4bf7278ebe00739f508a99d6d817d9f7a4a6e4d62b39bad8434f23692bc4022fd37299b9d05

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
2KB

MD5
8712a0844adc9dd6d6d84a122bbf280c

SHA1
dd2f42d9dda1a75bebf1573f51201644bbdfa13e

SHA256
80e6d1e2dad5aa8e835fdd98ad1f64efeebedab9eedcd35ab77c36119fb5e47f

SHA512
ea32b52a0774455795d4796182d32d40bf577c990170b6b544f739e5508357e2346249d6149b1edd1739f5fd4d503721b502aea11b8d482e76ad9192c1d13b61

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
104B

MD5
d734c8095d41210e80e6bd82a6933e93

SHA1
939bd566f5082e37dc950a468f70bba51dc32624

SHA256
30452104e27f755b1e8cb62adbc8cedcc5a69a5fe4ab1357b375c40227e0feae

SHA512
89ad7d1c133a59ee425974f39d62f8bac3744ad831a17b067077a69eba0a5595ae69279831c573f5ddae8f4f5465db953db30e633c032b7da60bb1bd0a1f5ae7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
2KB

MD5
ecf07b048d6ee44fc1740a9c6d716ae2

SHA1
02e6d3116a706486a38100f7633bb78b5c6d15b5

SHA256
ecb062f707cf5a4e81df37e42615abe0ca79d90afcfee28fff6153e7fee3a157

SHA512
4ac96a4cd162e02d9abb3be868d9031cfdb4c1f7761ce81061873ce491cdb0706db51137df4670a83ff1a6df143df71357c23d94695b28b0b84e82a19d09b634

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
2KB

MD5
cbdbd2310b8f504c0d6dcd0130666ed0

SHA1
c6dacc1aed1060bf622c7b4eb40dfea769a6d95d

SHA256
a8a26dc016f7ed98f7c20d3a19a17c20bc357671caf801a2071770c51de144dc

SHA512
f1f89b56cde22f6caf302095f5fd44414f74b98edafbd419fa26f7b6ee5f8a63442bf57703a4ca3971166e62178824c2fc56b29b847e1d4c0ed496aa7840619d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
64B

MD5
b53f8cb65f7a4edb408ff4bf05845a39

SHA1
96e1feb6b28c43f9663dbcd06c86e40e41720713

SHA256
d959ead78917087e70d72425b7da352277221e16227ce63a07b5690bf2f97839

SHA512
7af711c160c22d97393a5ba6e7a3cad6050bd03bd77d30464da3aaf9d31c668b3a999421144c0568dc2092ffb308a434670db79df81dd4af185f96283302edbe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
2KB

MD5
8e2c19fc1edc33914868048c8414d7e8

SHA1
9f213ad6260c97ce083b37d8cff24fcbdf31cc52

SHA256
1a4bcd7c82e7e763f036fb3471be5e0014187ff51abf2b07de96802302b64aa2

SHA512
1a6ddb46f811ca5ac03f34008b4664b4230b66b2410051ac5701d9f80e4bc4bce71e0b95534391d5ec4bcc46fd0f0113382fe5905dde336abf864d7a8fb9df3e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
2KB

MD5
ab877a88e00e3ce41ab11b2e4fada508

SHA1
2bedc874090ab00779c8457cada439eeccb0d597

SHA256
a9e74f3d1752c23ad85b75bfc6384d9fc19028ef8097aab93d5edbde9bd93885

SHA512
5a6e9ed1c57f4a3ed8b02e949530038596d4723884f35436221c239f09fb2ef8bb46d551528e28b49701cadd9dc62665c0e80934f553adda0be2cfb1c1f31cf7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
2KB

MD5
708261917fa74746d0f995cfedc6ea49

SHA1
841126a2707dab04d21d0eed69f50605dd2fc9ff

SHA256
f5e1997de3937a16df783c011390f226604f6f004cafc295e36e3ec5b6403ef1

SHA512
b9d9e5e0a459251aa99243d0401f40453095fc7a9106c848795b4175897a5ed1a072dff2c53c2c651fd264680736825b0c02aad8af87be7f8874ba8203069f19

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
2KB

MD5
901d8e3b89bbfcf56d66084d7aa88327

SHA1
2b113eb7841f63fbcf8e0284a5d0f1fcbe6a351e

SHA256
6728c35f56b73daba878fe8eae923420c0686ac3daef799d247e482e9163eafa

SHA512
905971d9c8162c7dce220ae8ef6906427909a8fb0bb021d2a2c1cda21817c289f7f8856fcb105807790ffc27b88c19cbeda787235f577a433ac4b6d0167f365e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
2KB

MD5
3db85811c8329b383a8149c486ed35ce

SHA1
ff0b91432c0a0f500ced2b723fb0bf0bd6d3294a

SHA256
0583b26e4ebb2d0a45f250d10744ac8c83b5dcf8267daae4f5b4cb06777464de

SHA512
c5b64bf5c3444cd458d6c4370e0abc0f442470bdd8b6917dba02b797f6a803acba23b0eb2e5df4534e09019c7211b1646a6843d52047c12fc9656f3eaa20e5c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
176B

MD5
1932b2befd023771d6ae20ec2b751d67

SHA1
fa663292be7f95ac56797173d6b49c747e0eae4b

SHA256
13c7101180418b09a529ad4b5e8437427dd510d13867074707e2acff1de6ea25

SHA512
ab184d4e5f337507a6bf4c412762c59c3a0d0bf6e5be7c643e67c691710508a0dda69109175c36b650c68b591a3203167c438bb8824c13024b14b502f5d5fb3f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
2KB

MD5
aa3db0008a5e3364a61a1319f6c9843f

SHA1
dd425033356044c62f62a498c273df393b0374ba

SHA256
2c2ade2708f5bdb20ccea96c24a4d3ee4a5989750dd07b8ad308e410d58104b8

SHA512
42ff9795a566257a951de4cae6667541fb50e2edf89bccff53dfd24edf07af53f6675fc0b5a79946bce6acebc6cba2c063937f90721530be47548bce03dcc4d4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
2KB

MD5
9f50a3a541c96ed2f7a3166d78454420

SHA1
d229f526a1e721c55e2ad3f1ce776145356675d2

SHA256
0e760532df8c8a7640b9655189601c967df977715ec12344ca72b0aa44e06d2d

SHA512
732efc4a61a36091669380e66987f6497cfc2a0b550b4cfa571d32237eff05cbacfcec073e47389fe4064962008d071fb54954c97a5cc18a20df1211532622ea

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
2KB

MD5
9c420cbae27fb930a5ff4b8fb2296fee

SHA1
f8b306e745d2b6c50752613a95f3fc0e9db0c35a

SHA256
3d79e149ed087178dbbce516388d690d46fc57012d9e5993c789c6e798ad8243

SHA512
376afedbda647c17c603847833fa12a7ced7fd5147116a05f63d7e3a29c7d5abceaf761ac5fc3ac6558140f37be31108baf5b134f9b92498836af0a67bb5da01

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
104B

MD5
497b9c315ccf338257cfbb11bd51efc4

SHA1
7198c894016f8f5186b339e080536588ca13bfe5

SHA256
3e14f18f7c6a78c5092731f529fd0a009438b42fccf11d4c448e716c5011b743

SHA512
39dd70decd04d201d00cee0b44b317448f020215c0054e2bdd5914e6671ee98d565661eb16603492055b96a9aceaa6531d6f195f28e171614adf1cc7e8044b29

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
2KB

MD5
4c5784b6a1c46e98bb6c3b6e709f19a3

SHA1
5238f04b42da9756f87154a85f20da680b11977e

SHA256
596baf4fdf7696f187272236f4ec6de74a1b08a6aa8dd56edf58a1a64e68ba8e

SHA512
302199b77dca6fe13813d384261839f3f6a9c2ccc3e53c237aecbdc6b5cdcbb6656c07b7547178691524a998af0fd9d0c070beb6c78781001eee0b4ee7d8d64b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
2KB

MD5
fab3d1af8c6d5363dccfe85950391fce

SHA1
0cbfa77fd1a7ad4d0515b0505e7dd732f2d31e87

SHA256
ac20a3e877e928c28eeb70de43f9d5fd735225bb0323db2e14f6cc6d72d4b1b0

SHA512
9847bd516f6cda348132c950ca9e12689c0ca79af071d0e7e294bc029cfd96c3b18b8a825622f45d591e18a1d02ae73f5e6798fdc875f7b0ae78ba97a22e804d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
2KB

MD5
732661607e227e1baa9931e775ed624c

SHA1
ddb51aed6ba239685276a89d16f704f5f087e3ba

SHA256
a82831e7990095ac0b19e4fe315414817b36adebddd910d2fb29fd40f3c7ee00

SHA512
216d45db31f0721d81e4a617d9c7eaebe9461ae3807906fa8b3fb304c7b4b9fe76b8d80e34724e960b89ea8451c1d0454c2f6ee8d30442a85da7fb35572111d5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
2KB

MD5
203578c524241598fcc45ee5d448204e

SHA1
14cbb378fcc13d5706280e2e4775bfe07467c3d3

SHA256
aba661b082cebae8ab0a7d9375fae10e3cc87841689552a465d9cfff4d5f630f

SHA512
1d2e8c1a189cbf72e66da2196c4466c1a2b9a04fa216caf545d6edb79d8b7bc2292eacce2fd3b3c47bd07ad0512096e51365f14ca76803036deccc2fc673f8bc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
2KB

MD5
8efebfe29e59f201005bc9df29f75ab1

SHA1
4390a74c1b3617e64897d42209d2b3627ecd57a0

SHA256
2b08807b745fc13505838906db90357dad1a150146318b0a1bcfb2e492eeea21

SHA512
fdb7ccde30f31185a3cab89a3f43b3e97030ddc910fd88d49c65676968079e90ea11d4d1f0054868184a3f3261ba034dde9064b1fa1327d76564e289b1af6e7d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
2KB

MD5
d67d83cf27520543a54f3c65a7c51aea

SHA1
63f03bd54a9d95bfc279d040af95a1b0c1711893

SHA256
77f080d815a42f896f34265874e8940fe76e1e97831c0a4f58493667e7fd9291

SHA512
240912c7569d0660aabf1ecb4e43fe5879ffed4fc7091a2aaa21a3a1db2ba4441bdf4d3e3fa116d54e8f52ffcda64001a922b626d4605c4e6e03f5e13de4feaf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
104B

MD5
393ee32f193c373ef178207346fe7a37

SHA1
a34328e5569d6653e89098585ca929a370703840

SHA256
0152026317860bf57ee02d6248c3db3b054cbda85adb54b6b4f2c5e2d4755714

SHA512
be8a1fb45418ceeb96ea26e52c26c71d12e544493c81e541fe413fe2cd84d81c758540e09486895fae8491f4fc7fd0f1b2a066e3a0414eeb84073c601efe96f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_o25khtpz.2l3.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Spelling\en-US\default.dic

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\AppData\Roaming\Ultimate Tweaks\Network\Network Persistent State

Filesize
967B

MD5
92a06e673afda269ae0ac27ef0ab5bc1

SHA1
1b4b85afd6a193ba8e52f049e062baa010c649ab

SHA256
1824ed48375545735d6e2808130f50176344e202ec969c6ff4a1af94eefde0d6

SHA512
3b3333c8c269df261d1f2af99761c122dc1c644e67e292f73444779b6a790ad87733cce7636471c6c631368bfcb3ebfbbfc1ba48b8b39d247b0283e53c05c353

Download Submit
C:\Users\Admin\AppData\Roaming\Ultimate Tweaks\Network\Network Persistent State~RFe58af75.TMP

Filesize
59B

MD5
2800881c775077e1c4b6e06bf4676de4

SHA1
2873631068c8b3b9495638c865915be822442c8b

SHA256
226eec4486509917aa336afebd6ff65777b75b65f1fb06891d2a857a9421a974

SHA512
e342407ab65cc68f1b3fd706cd0a37680a0864ffd30a6539730180ede2cdcd732cc97ae0b9ef7db12da5c0f83e429df0840dbf7596aca859a0301665e517377b

Download Submit
C:\Users\Admin\AppData\Roaming\Ultimate Tweaks\Preferences

Filesize
57B

MD5
58127c59cb9e1da127904c341d15372b

SHA1
62445484661d8036ce9788baeaba31d204e9a5fc

SHA256
be4b8924ab38e8acf350e6e3b9f1f63a1a94952d8002759acd6946c4d5d0b5de

SHA512
8d1815b277a93ad590ff79b6f52c576cf920c38c4353c24193f707d66884c942f39ff3989530055d2fade540ade243b41b6eb03cd0cc361c3b5d514cca28b50a

Download Submit
C:\Users\Admin\AppData\Roaming\Ultimate Tweaks\Preferences~RFe57c37f.TMP

Filesize
86B

MD5
d11dedf80b85d8d9be3fec6bb292f64b

SHA1
aab8783454819cd66ddf7871e887abdba138aef3

SHA256
8029940de92ae596278912bbbd6387d65f4e849d3c136287a1233f525d189c67

SHA512
6b7ec1ca5189124e0d136f561ca7f12a4653633e2d9452d290e658dfe545acf6600cc9496794757a43f95c91705e9549ef681d4cc9e035738b03a18bdc2e25f0

Download Submit
memory/376-740-0x000002698E270000-0x000002698E271000-memory.dmp

Filesize
4KB

Download
memory/376-734-0x000002698E270000-0x000002698E271000-memory.dmp

Filesize
4KB

Download
memory/376-739-0x000002698E270000-0x000002698E271000-memory.dmp

Filesize
4KB

Download
memory/376-738-0x000002698E270000-0x000002698E271000-memory.dmp

Filesize
4KB

Download
memory/376-737-0x000002698E270000-0x000002698E271000-memory.dmp

Filesize
4KB

Download
memory/376-736-0x000002698E270000-0x000002698E271000-memory.dmp

Filesize
4KB

Download
memory/376-735-0x000002698E270000-0x000002698E271000-memory.dmp

Filesize
4KB

Download
memory/376-729-0x000002698E270000-0x000002698E271000-memory.dmp

Filesize
4KB

Download
memory/376-730-0x000002698E270000-0x000002698E271000-memory.dmp

Filesize
4KB

Download
memory/376-728-0x000002698E270000-0x000002698E271000-memory.dmp

Filesize
4KB

Download
memory/3056-96-0x000001F7C7ED0000-0x000001F7C7EF4000-memory.dmp

Filesize
144KB

Download
memory/3056-95-0x000001F7C7ED0000-0x000001F7C7EFA000-memory.dmp

Filesize
168KB

Download
memory/3056-70-0x000001F7AF220000-0x000001F7AF242000-memory.dmp

Filesize
136KB

Download
memory/4120-90-0x000002BCFAC00000-0x000002BCFAC76000-memory.dmp

Filesize
472KB

Download
memory/4120-89-0x000002BCFA910000-0x000002BCFA954000-memory.dmp

Filesize
272KB

Download