30091faafd62ea7ba9868db2ee575dab98fd126a78d39590f57ea7b38b20d966

Analysis

max time kernel
150s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
11-07-2024 20:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Ultimate Tweaks.exe
Size

168.2MB
MD5

02c4b9609f04037960d947113bc2a017
SHA1

b593fc590fafb5e11ccceb199ff405874183c4e8
SHA256

3b47e84d5ca6ad15d2e8916d6cbd6af9ab943a42e84241e0517eaab66b5ef214
SHA512

d4b3d0f440f6c61716dc156494e0be5cb4053d170d8917f7686e26734023c4e29785f354f0bc21912da06a33547573256379874027dc990cdc91d648f176826a
SSDEEP

1572864:9QqT4eFUirK1e2zSQ5Rcw/N5cae/bHhrPdacyodvcPSBoHESUlyAzl/:vBKRcAMyAzB

Score

7^/10

execution

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Ultimate Tweaks.exeUltimate Tweaks.exe

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\International\Geo\Nation	Ultimate Tweaks.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\International\Geo\Nation	Ultimate Tweaks.exe

Drops file in System32 directory 2 IoCs

Processes:

Ultimate Tweaks.exe

description	ioc	Process
File created	C:\Windows\System32\DriverStore\FileRepository\display.inf_amd64_71aa85b0e2292a7a\display.PNF	Ultimate Tweaks.exe
File created	\??\c:\windows\system32\driverstore\filerepository\display.inf_amd64_71aa85b0e2292a7a\display.PNF	Ultimate Tweaks.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 60 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	Process
2160	powershell.exe
2160	powershell.exe
2076	powershell.exe
4976	powershell.exe
2824	powershell.exe
4284	powershell.exe
1060	powershell.exe
4212	powershell.exe
3396	powershell.exe
5060	powershell.exe
3972	powershell.exe
1188	powershell.exe
3536	powershell.exe
404	powershell.exe
4524	powershell.exe
4476	powershell.exe
4168	powershell.exe
216	powershell.exe
3524	powershell.exe
836	powershell.exe
3568	powershell.exe
4536	powershell.exe
4536	powershell.exe
3376	powershell.exe
4552	powershell.exe
4780	powershell.exe
2464	powershell.exe
4672	powershell.exe
3848	powershell.exe
4856	powershell.exe
1696	powershell.exe
1572	powershell.exe
4676	powershell.exe
2352	powershell.exe
3992	powershell.exe
2668	powershell.exe
4032	powershell.exe
4332	powershell.exe
788	powershell.exe
4344	powershell.exe
2160	powershell.exe
408	powershell.exe
2976	powershell.exe
2864	powershell.exe
4952	powershell.exe
3540	powershell.exe
4380	powershell.exe
2200	powershell.exe
2340	powershell.exe
1212	powershell.exe
2288	powershell.exe
3696	powershell.exe
4196	powershell.exe
4724	powershell.exe
2908	powershell.exe
2760	powershell.exe
3336	powershell.exe
2036	powershell.exe
2036	powershell.exe
2044	powershell.exe

Checks processor information in registry 2 TTPs 7 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Ultimate Tweaks.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Ultimate Tweaks.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	Ultimate Tweaks.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Ultimate Tweaks.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	Ultimate Tweaks.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	Ultimate Tweaks.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	Ultimate Tweaks.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\2	Ultimate Tweaks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

pid	Process
4168	powershell.exe
3540	powershell.exe
4168	powershell.exe
3540	powershell.exe
2668	powershell.exe
4032	powershell.exe
2668	powershell.exe
4032	powershell.exe
2036	powershell.exe
2976	powershell.exe
2976	powershell.exe
2036	powershell.exe
2160	powershell.exe
2864	powershell.exe
2160	powershell.exe
2864	powershell.exe
4536	powershell.exe
216	powershell.exe
4536	powershell.exe
216	powershell.exe
4952	powershell.exe
1572	powershell.exe
1572	powershell.exe
4952	powershell.exe
3524	powershell.exe
3524	powershell.exe
1212	powershell.exe
1212	powershell.exe
3524	powershell.exe
1212	powershell.exe
1188	powershell.exe
3536	powershell.exe
3536	powershell.exe
3536	powershell.exe
1188	powershell.exe
1188	powershell.exe
404	powershell.exe
4332	powershell.exe
404	powershell.exe
4332	powershell.exe
788	powershell.exe
4536	powershell.exe
788	powershell.exe
4536	powershell.exe
4780	powershell.exe
2160	powershell.exe
4780	powershell.exe
2160	powershell.exe
4524	powershell.exe
3376	powershell.exe
4524	powershell.exe
3376	powershell.exe
2464	powershell.exe
4344	powershell.exe
2464	powershell.exe
4344	powershell.exe
2036	powershell.exe
836	powershell.exe
836	powershell.exe
2036	powershell.exe
4380	powershell.exe
2044	powershell.exe
4380	powershell.exe
2044	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

Ultimate Tweaks.exepowershell.exepowershell.exepowershell.exepowershell.exe

description	pid	Process
Token: SeShutdownPrivilege	4300	Ultimate Tweaks.exe
Token: SeCreatePagefilePrivilege	4300	Ultimate Tweaks.exe
Token: SeDebugPrivilege	4168	powershell.exe
Token: SeDebugPrivilege	3540	powershell.exe
Token: SeShutdownPrivilege	4300	Ultimate Tweaks.exe
Token: SeCreatePagefilePrivilege	4300	Ultimate Tweaks.exe
Token: SeIncreaseQuotaPrivilege	4168	powershell.exe
Token: SeSecurityPrivilege	4168	powershell.exe
Token: SeTakeOwnershipPrivilege	4168	powershell.exe
Token: SeLoadDriverPrivilege	4168	powershell.exe
Token: SeSystemProfilePrivilege	4168	powershell.exe
Token: SeSystemtimePrivilege	4168	powershell.exe
Token: SeProfSingleProcessPrivilege	4168	powershell.exe
Token: SeIncBasePriorityPrivilege	4168	powershell.exe
Token: SeCreatePagefilePrivilege	4168	powershell.exe
Token: SeBackupPrivilege	4168	powershell.exe
Token: SeRestorePrivilege	4168	powershell.exe
Token: SeShutdownPrivilege	4168	powershell.exe
Token: SeDebugPrivilege	4168	powershell.exe
Token: SeSystemEnvironmentPrivilege	4168	powershell.exe
Token: SeRemoteShutdownPrivilege	4168	powershell.exe
Token: SeUndockPrivilege	4168	powershell.exe
Token: SeManageVolumePrivilege	4168	powershell.exe
Token: 33	4168	powershell.exe
Token: 34	4168	powershell.exe
Token: 35	4168	powershell.exe
Token: 36	4168	powershell.exe
Token: SeShutdownPrivilege	4300	Ultimate Tweaks.exe
Token: SeCreatePagefilePrivilege	4300	Ultimate Tweaks.exe
Token: SeShutdownPrivilege	4300	Ultimate Tweaks.exe
Token: SeCreatePagefilePrivilege	4300	Ultimate Tweaks.exe
Token: SeShutdownPrivilege	4300	Ultimate Tweaks.exe
Token: SeCreatePagefilePrivilege	4300	Ultimate Tweaks.exe
Token: SeShutdownPrivilege	4300	Ultimate Tweaks.exe
Token: SeCreatePagefilePrivilege	4300	Ultimate Tweaks.exe
Token: SeDebugPrivilege	2668	powershell.exe
Token: SeDebugPrivilege	4032	powershell.exe
Token: SeIncreaseQuotaPrivilege	4032	powershell.exe
Token: SeSecurityPrivilege	4032	powershell.exe
Token: SeTakeOwnershipPrivilege	4032	powershell.exe
Token: SeLoadDriverPrivilege	4032	powershell.exe
Token: SeSystemProfilePrivilege	4032	powershell.exe
Token: SeSystemtimePrivilege	4032	powershell.exe
Token: SeProfSingleProcessPrivilege	4032	powershell.exe
Token: SeIncBasePriorityPrivilege	4032	powershell.exe
Token: SeCreatePagefilePrivilege	4032	powershell.exe
Token: SeBackupPrivilege	4032	powershell.exe
Token: SeRestorePrivilege	4032	powershell.exe
Token: SeShutdownPrivilege	4032	powershell.exe
Token: SeDebugPrivilege	4032	powershell.exe
Token: SeSystemEnvironmentPrivilege	4032	powershell.exe
Token: SeRemoteShutdownPrivilege	4032	powershell.exe
Token: SeUndockPrivilege	4032	powershell.exe
Token: SeManageVolumePrivilege	4032	powershell.exe
Token: 33	4032	powershell.exe
Token: 34	4032	powershell.exe
Token: 35	4032	powershell.exe
Token: 36	4032	powershell.exe
Token: SeShutdownPrivilege	4300	Ultimate Tweaks.exe
Token: SeCreatePagefilePrivilege	4300	Ultimate Tweaks.exe
Token: SeShutdownPrivilege	4300	Ultimate Tweaks.exe
Token: SeCreatePagefilePrivilege	4300	Ultimate Tweaks.exe
Token: SeShutdownPrivilege	4300	Ultimate Tweaks.exe
Token: SeCreatePagefilePrivilege	4300	Ultimate Tweaks.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Ultimate Tweaks.exeUltimate Tweaks.execmd.exe

description	pid	Process	procid_target
PID 4300 wrote to memory of 2700	4300	Ultimate Tweaks.exe	84
PID 4300 wrote to memory of 2700	4300	Ultimate Tweaks.exe	84
PID 4300 wrote to memory of 2700	4300	Ultimate Tweaks.exe	84
PID 4300 wrote to memory of 2700	4300	Ultimate Tweaks.exe	84
PID 4300 wrote to memory of 2700	4300	Ultimate Tweaks.exe	84
PID 4300 wrote to memory of 2700	4300	Ultimate Tweaks.exe	84
PID 4300 wrote to memory of 2700	4300	Ultimate Tweaks.exe	84
PID 4300 wrote to memory of 2700	4300	Ultimate Tweaks.exe	84
PID 4300 wrote to memory of 2700	4300	Ultimate Tweaks.exe	84
PID 4300 wrote to memory of 2700	4300	Ultimate Tweaks.exe	84
PID 4300 wrote to memory of 2700	4300	Ultimate Tweaks.exe	84
PID 4300 wrote to memory of 2700	4300	Ultimate Tweaks.exe	84
PID 4300 wrote to memory of 2700	4300	Ultimate Tweaks.exe	84
PID 4300 wrote to memory of 2700	4300	Ultimate Tweaks.exe	84
PID 4300 wrote to memory of 2700	4300	Ultimate Tweaks.exe	84
PID 4300 wrote to memory of 2700	4300	Ultimate Tweaks.exe	84
PID 4300 wrote to memory of 2700	4300	Ultimate Tweaks.exe	84
PID 4300 wrote to memory of 2700	4300	Ultimate Tweaks.exe	84
PID 4300 wrote to memory of 2700	4300	Ultimate Tweaks.exe	84
PID 4300 wrote to memory of 2700	4300	Ultimate Tweaks.exe	84
PID 4300 wrote to memory of 2700	4300	Ultimate Tweaks.exe	84
PID 4300 wrote to memory of 2700	4300	Ultimate Tweaks.exe	84
PID 4300 wrote to memory of 2700	4300	Ultimate Tweaks.exe	84
PID 4300 wrote to memory of 2700	4300	Ultimate Tweaks.exe	84
PID 4300 wrote to memory of 2700	4300	Ultimate Tweaks.exe	84
PID 4300 wrote to memory of 2700	4300	Ultimate Tweaks.exe	84
PID 4300 wrote to memory of 2700	4300	Ultimate Tweaks.exe	84
PID 4300 wrote to memory of 2700	4300	Ultimate Tweaks.exe	84
PID 4300 wrote to memory of 2700	4300	Ultimate Tweaks.exe	84
PID 4300 wrote to memory of 2700	4300	Ultimate Tweaks.exe	84
PID 4300 wrote to memory of 3728	4300	Ultimate Tweaks.exe	85
PID 4300 wrote to memory of 3728	4300	Ultimate Tweaks.exe	85
PID 4300 wrote to memory of 1244	4300	Ultimate Tweaks.exe	86
PID 4300 wrote to memory of 1244	4300	Ultimate Tweaks.exe	86
PID 1244 wrote to memory of 1836	1244	Ultimate Tweaks.exe	87
PID 1244 wrote to memory of 1836	1244	Ultimate Tweaks.exe	87
PID 1836 wrote to memory of 1924	1836	cmd.exe	89
PID 1836 wrote to memory of 1924	1836	cmd.exe	89
PID 1244 wrote to memory of 3540	1244	Ultimate Tweaks.exe	90
PID 1244 wrote to memory of 3540	1244	Ultimate Tweaks.exe	90
PID 1244 wrote to memory of 4168	1244	Ultimate Tweaks.exe	91
PID 1244 wrote to memory of 4168	1244	Ultimate Tweaks.exe	91
PID 1244 wrote to memory of 2668	1244	Ultimate Tweaks.exe	95
PID 1244 wrote to memory of 2668	1244	Ultimate Tweaks.exe	95
PID 1244 wrote to memory of 4032	1244	Ultimate Tweaks.exe	96
PID 1244 wrote to memory of 4032	1244	Ultimate Tweaks.exe	96
PID 1244 wrote to memory of 2036	1244	Ultimate Tweaks.exe	99
PID 1244 wrote to memory of 2036	1244	Ultimate Tweaks.exe	99
PID 1244 wrote to memory of 2976	1244	Ultimate Tweaks.exe	100
PID 1244 wrote to memory of 2976	1244	Ultimate Tweaks.exe	100
PID 1244 wrote to memory of 2864	1244	Ultimate Tweaks.exe	103
PID 1244 wrote to memory of 2864	1244	Ultimate Tweaks.exe	103
PID 1244 wrote to memory of 2160	1244	Ultimate Tweaks.exe	104
PID 1244 wrote to memory of 2160	1244	Ultimate Tweaks.exe	104
PID 1244 wrote to memory of 216	1244	Ultimate Tweaks.exe	107
PID 1244 wrote to memory of 216	1244	Ultimate Tweaks.exe	107
PID 1244 wrote to memory of 4536	1244	Ultimate Tweaks.exe	108
PID 1244 wrote to memory of 4536	1244	Ultimate Tweaks.exe	108
PID 1244 wrote to memory of 4952	1244	Ultimate Tweaks.exe	111
PID 1244 wrote to memory of 4952	1244	Ultimate Tweaks.exe	111
PID 1244 wrote to memory of 1572	1244	Ultimate Tweaks.exe	112
PID 1244 wrote to memory of 1572	1244	Ultimate Tweaks.exe	112
PID 1244 wrote to memory of 3524	1244	Ultimate Tweaks.exe	118
PID 1244 wrote to memory of 3524	1244	Ultimate Tweaks.exe	118

C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe
"C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4300
- C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe
  "C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\Ultimate Tweaks" --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=1716 --field-trial-handle=1720,i,9033808949869745064,16639947712996666332,262144 --enable-features=kWebSQLAccess --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version /prefetch:2
  2⤵
  PID:2700
- C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe
  "C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\Ultimate Tweaks" --mojo-platform-channel-handle=2088 --field-trial-handle=1720,i,9033808949869745064,16639947712996666332,262144 --enable-features=kWebSQLAccess --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version /prefetch:3
  2⤵
  PID:3728
- C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe
  "C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\Ultimate Tweaks" --app-path="C:\Users\Admin\AppData\Local\Temp\resources\app.asar" --no-sandbox --no-zygote --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=4 --mojo-platform-channel-handle=2380 --field-trial-handle=1720,i,9033808949869745064,16639947712996666332,262144 --enable-features=kWebSQLAccess --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version /prefetch:1
  2⤵
  - Checks computer location settings
  - Checks processor information in registry
  - Suspicious use of WriteProcessMemory
  PID:1244
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "chcp"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1836
  - - C:\Windows\system32\chcp.com
      chcp
      4⤵
      PID:1924
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3540
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4168
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2668
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4032
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:2036
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:2976
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:2864
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:2160
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:216
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:4536
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:4952
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:1572
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:3524
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:1212
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:1188
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:3536
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:404
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:4332
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:4536
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:788
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:4780
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:2160
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:3376
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:4524
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:2464
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:4344
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:2036
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:836
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:2044
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:4380
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:1060
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:2200
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:2076
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:3848
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:4196
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:4476
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:4676
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:2908
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:2760
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:2288
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:3396
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:3568
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:4212
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:4976
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:4672
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:3696
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:5060
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:2352
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:3972
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:3336
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:4724
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:3992
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:2160
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:2824
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:2340
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:408
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:4856
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:1696
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:4284
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:4552
- C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe
  "C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --user-data-dir="C:\Users\Admin\AppData\Roaming\Ultimate Tweaks" --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAABEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=2676 --field-trial-handle=1720,i,9033808949869745064,16639947712996666332,262144 --enable-features=kWebSQLAccess --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version /prefetch:8
  2⤵
  - Drops file in System32 directory
  PID:2124

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
5c3cc3c6ae2c1e0b92b502859ce79d0c

SHA1
bde46d0f91ad780ce5cba924f8d9f4c175c5b83d

SHA256
5a48860ad5bdf15d7a241aa16124163ec48adc0f0af758e43561ac07e4f163b2

SHA512
269b79931df92c30741c9a42a013cb24935887272ed8077653f0b6525793da52c5004c70329d8e0e7b2776fc1aba6e32da5dadf237ae42f7398fdf35a930663e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
2KB

MD5
28c65370f12e84b734af87ad491ea257

SHA1
402d3a8203115f1365d48fa72daf0a56e14d8a08

SHA256
4ea873fb3d77a2f8eefae82c943f621f16723516e181bde133568f8f0c91290c

SHA512
56eb34162b0a39da4aaf66aad35ef355a7709982b5060792e3b4849c36650725176e927815537ec58e7ddf0fb1763066b203d6b7f9d1b3dd2c8bc091c0c850cc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
2KB

MD5
e96dc65a229cd72bb1bf95b7bf6b4b9d

SHA1
998615cfb5e337855483b2b98bc2f4cabc9d143d

SHA256
d03574e0d79d0356100286789c17f26b589ec3f6e28bac221d414d17c58dff38

SHA512
a08256a69e38dea3859cb9c82f803269dcd429e5ab5a9baa566b59ab93eb4162b6e9c25b7527c6991f7e76679fcfb9fa5ca36865f99115b721bfb6a0476f58fc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
2KB

MD5
4340a30f68218ddfe3f4607e43de175e

SHA1
3d5069496727db57b7a649d93c57a401ed42fdb5

SHA256
1da28b592c64321c377b8d87dabe8288570ac45d91b1a9525d402128a4d4db0e

SHA512
868b0b1822b078aa1c4defe67c1a4126891ac9c11101f9dc47b00030747479016d5a4f9d40b07660b146ede01257270a605f5f3800127da5973ae2d6020ec47c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
2KB

MD5
b2f893ee1c18552eb8746170064e3ea7

SHA1
c4aadcca9ff38a9307649b5d887fa6111c052891

SHA256
c91360651b2486d14edf8c07ad1ff6a6b313752aaa18556e0483254d5d7aedc9

SHA512
b91b5553bd45abf1e0bde44a56c52122881a3476bb979ac55b4f601ec158b6e510d07f1186dc87813bcda8320fb0e097cd00ac43da669d9ee528305989a78f06

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
2KB

MD5
f9200419b7cf8c7e63cc4b11522bef62

SHA1
9e46e77d9d2fe883de78e96c2ce92ad78a00fd99

SHA256
fd56542718ad3d9aebcc03dd720928522aac1a87fe3555361f48ed0e28d4951c

SHA512
72277d721c57c087b2deab4e77fe28762d0efc8a234a723e767e7e1a98eb04c34b8b291ff82cf884252e1e025766742c2b804738268d6fcb6cdb6c7b6d835e7e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
2KB

MD5
916ccbafd033f20c99442a42f9346cc9

SHA1
6483c968911c9a8d6614140686a098e08bcda6af

SHA256
59a20dd9f87484d2b240c5e1c4bbe4e8e408b9b9217bf373f2774b03945d8402

SHA512
27b52a546949adf962f3c56bd712efae8008c449d7df4778803ce92214043add4263ce2226abb0067f169f13a95517c87d8b0b09f663100ebe32e448dc465ff5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
2KB

MD5
894c92e8c4731a47199bb9e99b34610e

SHA1
01a8e4de00a1750e5ece43801e1034264130c979

SHA256
a2aac182665b044899a2204391cc55b2788ac969406c05acf533c6cd319f5624

SHA512
d8979f3b4a612b987ac3cbe9d231bd1d04e0a8a4633c82cb07decf35bfcda954f9424d1c54596c7a334223a30e43bb372d70b67974f8663c3befd8ffdd6c16cf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
2KB

MD5
9cd5eee5d28d1670c829135fc927d34d

SHA1
6346e11092ef245f1d5ab62b956cf0ba2de7604e

SHA256
e752cb13a8d41e4c933eb20cf1f54f0ebc1ba547e0cc55f8d4c1b405dc68a108

SHA512
0f7225960752730f8b310ccabb87a687464671d9fc00f486bcac4869d322826a13ce37665b90388a6018c33fe2f449801c11fb017c3ad4b00c5f92b5379116bf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
2KB

MD5
cc90ca85322ba80fa1fe16af639a54e1

SHA1
916ecdb7a1d604ead67d2b8cbfa7de81b8e11f62

SHA256
bfc2121afb621e541c12698b57711807de5c2767b55aab03c6786abf2e872743

SHA512
0e7fbecfe7f4fccd555fdbed8401255808bb72f9fb19145ce510c83f0585707c85614b99cc97fd8b5bf5cda561b25f4edcd3ac1c14dbd47c25fe50cfc2cc7d76

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
2KB

MD5
3335481a2acc3540e9fd4fb37f228bfd

SHA1
9dc6d5a99d3ca92834f0b25c76d78cec78efafc6

SHA256
f6363a1f2006a4682d5537b020e25d6f04ef2cfb07e7f7a683e15493338607c2

SHA512
669c10b0de8a88991b3834873632e52621ade8aae4c93322def83082eecd75bcf8d72d8d2f5639d307a5aae731d2f363debfc77197700689ec1b3d5e173a13c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
2KB

MD5
ad1f1996289d72d947bb7617bb27d385

SHA1
6f3e8b992e393494458cd79c7a43efe9a5e166b9

SHA256
bde31a59e5784ff856f2fffc8a6711a25708c756bc40f80981f0fa8241d84b9e

SHA512
588bbb15259e90ddd5f2879e6020793bb6e4e3ab2bd15c168b59c144d4d7628fc5a0b07a52151afb9c0d94038dd51eeb84b791c4d191ad6cf612a8da273344f4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
64B

MD5
65e502211c39dc8c90323c6d6f81bb12

SHA1
80d5f9abb365d46e0c1c3543ebb31273a80efd62

SHA256
2ba6d400c14a0d5eee4f95446901944d2fc4d19a86b4e3032ec262658f77dba0

SHA512
5c755abb186c07698a392ce766335d8c14ee19a8aa6204a6c562d7eba4f301fc184d22dcced682734d4a7588711bd6d97e4a1ca6009379826c8f312180cf9c38

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
2KB

MD5
19ff423e629dafb4d19280b10f2f7736

SHA1
dc3bc39e1ed348b235317b8f15297f0697194eca

SHA256
fee44bdd5fa3abb0c66790c3fc637f56bdcb9be1a4413c361ec063bd7c987f14

SHA512
5250286d951ebef1e247d165a5147c8fad3079070b438271ddcb5bba0a22245d78f555d439ef888dd15561ddaefff93b7cc711b9229e14eda2696b151ca1481c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
2KB

MD5
50d21c23c3aed53dbffa136edba5481c

SHA1
c8baed4af52bb59e558f0ee580b3deb3a2dcc89a

SHA256
5972e2104e98b18f771c5289b25f17929cb23c8b8eaf2eae6487e87dd23a4e22

SHA512
b33f36b3a5b02685ef094d45c6bf85ef3414e004b952c5fe12c38cfed8575e5bb714957c7c13f87b5f0e4bcbae297c7885fe0d1a037c56d8eb588a42b77458df

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
2KB

MD5
e2b85af195d1784182513b6a070adb30

SHA1
db7bade9fdcb1531c43f9b1e513d29784cedbf8c

SHA256
923dbc1e1fa6842e82b3704fa29b37d3f7b3c66f4e7ee9d561f76f05892383fa

SHA512
8c0981c5843cb480c4c0bc3ec732cea2a59d5a10cbdc24cdd445e6ea60bbc938fc448626b503bb78ff5ead10f91bff862b86d4f361ceac4e3d12684c6ddcb5fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
2KB

MD5
64934a91be772ed99f6b3b795297db56

SHA1
4867f5554c4fb53af8c19924c460fda662abe7a3

SHA256
3a841d60232183561aa39b18648e54cd748d2b0e7efa758250050f3bd6ccb0a0

SHA512
2486e4d508e57c83298541e2ea4079cf9855c1c3a3a08c6455a5eda0ff68d2c50ccf0e476a689da243b59959dd0a5a01e9b123261ae2cf94b4b902ae1b94d080

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
2KB

MD5
2746973433b74a481c1c88575a4bc601

SHA1
e1538b39e2824d33cee491dce35b8d8a3e07488b

SHA256
caf458fbbf2af75dfee396e125843181972e06ac323ca1a3b3f846a5d0ce6afc

SHA512
b20ea06c078da062c592de3eb9f48c1363cf7b3fcf7f89a41b990d985040fa3823b2b956dceacd4688a56aa0b02fdc3cf254991d987a8c66db811118adc6f776

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
2KB

MD5
a6ffd90d3bd951f65840c4dfd8e257e0

SHA1
9d744a2f7ba7c3685880e2ed6d2555898db868b3

SHA256
32b9311d5f4faeea33dc5b4c78736950b55bff196bd93a49978b74b09e60922d

SHA512
99b869e2d7e49eba9b410b721e0364431ed06b9f0166fc6e68e3b59d9699b5f0fe3431ba534789105c3b703d61def02c3e15ae83fcde7c76af239257cd8a490d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
2KB

MD5
29ad6a0f3c60895b9a0f78765450bf5d

SHA1
6b7c0ce4155f676d0f1e10a6453f96a99d731124

SHA256
a879873735f50e92f328a0eef77de11e9edbdac99dad91f1790086292551d84f

SHA512
b2bb2588bad475a598d57d27fe9a165953f077d0876325e7e5a9557e7a037b56868affce01aa0cfaad71023a27e9fb439a36b971ff58fb99b5403c54af3f4f4d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
2KB

MD5
12127923e50b2b44b902f56ebf7ebff8

SHA1
57c3f9f0fbd24aa6a270462c702c4ddd273dd110

SHA256
48cff4ac2aa0021177f22e5ac6b80c0d2d73fd67e11710a55300eeff8c68105b

SHA512
9514d3e1d40dac6638d94061ec2324f971f970e678e4e79dceb8aa8d1da639ad8d13e18670e5c676311725e56f7fca10495f86bab9fa32ab427b060d50736d84

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
2KB

MD5
1ca9dd9714e35e46d6bc9ae5b796362f

SHA1
2081860e94563f1a429fba8fcafe9c76805c3a26

SHA256
ce00a347db09e1eba495d4b93ba151ebd2fdb6d3f36e68235cfccaa464736a6c

SHA512
ea4a6e5c36d872129fac9e0292b5815e08d2c27fb933564029c4570b351f79438eb0552ae376035a1da6c1fb33098459c92ef5ba168b231c5267af0cfefb6194

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
2KB

MD5
c755327838e254df6f60a929253d19b2

SHA1
f48c9ce0b100adce30610d832139f834d2da0acc

SHA256
e4efbc52665e183f6d509b0dfb7e8ebf1ee25741d03d77a5ad2e016bae7cc381

SHA512
7b95e26de8004dcf4951c4bd41dc667a3b3561f881e50bd3f50a5fc177820c681a98aaa9f597df0af43016abc8456ce22ec1ad2aa6ae1b42f89af0b12123788f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
2KB

MD5
058b356e697c06cf1103af4e252b7156

SHA1
ef9f2b76f2082a5b0f32f1cac59e8015265d65fa

SHA256
522f4ae07283fdeeb5bda892dc58045e2941d0124443c9ee2a642d9856f3e2aa

SHA512
4fe202a2eadec7be79a8ea8b1790ac7602fc96aa36279d3fcfd94a67d51cd45733e03fd31f51f5480cbae87a6e81e548a5a7913ceb461224b6d1695b4c1a121b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
254B

MD5
9e25b3c2d14c6b5d641f5eaa956f4d6a

SHA1
9e056319b588198f3c79da87ceda9a70d2652624

SHA256
338830bc745f1ed3ad51164ccfa3ad8a925289554179dd6e8cc9b4a369a40bef

SHA512
c540aaec58974fcbbc2950a2c2ac60183b73333ab9f8efcb4d83bce5377f7cffd0c5ed1c007d6c63c0ef1377cd6fe831232a5f64a5c6a3fd90085d4d0862e0b8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
2KB

MD5
5164a0da8221159bfdda5666f4b8f306

SHA1
58ae3f3b6bd23034fefe472a3959e2209839cb5f

SHA256
4c77381c3264c924df5d39f9e78470a43f598ae54f0fd40a3b80f6f38a65e052

SHA512
1817a6d47a8063a0a3f0365c53f1906655224207e4a5a3c2f91917622eddd3009772c9ce4ae398ebbb221af3b5685f609d87e4038d4bceb8ff84fb8ad4cda976

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
307B

MD5
35cf5bd830c49f10f9951f9d396db4e8

SHA1
79d2bc8443dcd4c4ff7bd2afa527bc9af13e2c54

SHA256
73ba63620e48c99578a0bf8ed7a30efe9b5e0311d986263c406ae7830f4a4184

SHA512
157d74354ff694aa135aee1126890a979e9cc630f0b97c6a33a149f8ef35ac3ee00c384843c678e117232d8fd6ecdcbd0791276719ed4ed4faab765f67b48b0a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
2KB

MD5
2b71ab068edf606243fcc4648c9908d1

SHA1
2db4c900098ffe9d6e90a6eea7b7a9ea00585e1c

SHA256
ea3a32049a6c22da2d7a838b096640fbc93ba967168aa71374529840ff34456b

SHA512
45b07575ff3d889ddda165f1aac7c822e19367d3d4438aa0ab578105606b3c0f6f94a7632643029ae5a6295fcce84971af0931d664e1a410d638077e4134ed0b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
576B

MD5
327f309af147dc81d6853b5dab419a95

SHA1
ed2949bbc6f5dd019c1dc350bb10d638dab4a782

SHA256
fc84a48398147eece7b5c4e79e73676282c758392f2deefb271bcc2241423895

SHA512
3c7b484ce9420d6c6cadb8fb8d0017c502aa52cb7bb66ef375f874d38af37030d1b4055999b735e7053980980337e2719b4027f7bff248252c9253080e8b8d5c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
2KB

MD5
cde265f78150f7a03a18365c0399b02b

SHA1
7748955e3e89a4529d0f114b559464125a96c9c5

SHA256
9e8179bcacc316ce13ba0aa2299ef7b14ef3194eed7cb39f39b7401b2a31325f

SHA512
c075beb945ae2547d614925b93787530c5803bf08afb1a2cbd2a1a37f987358ea114d4dcce91c3c99001683295b948d6bcd7e0644eeba4c3d2d09bdef7b8e346

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
2KB

MD5
dc304876c9e2c4e631fd6e7cbcff390a

SHA1
81257837de85bc7ce7f6014c236d9bfe58255e74

SHA256
074940c219b020f22e73cb2f575ed9b8f004a5ba43f0f19b4ca51f9d9eaee1ca

SHA512
dd75325d75967fc1858b1449434bd5df98895e7d0c8646cb1c932bfc176da2ebe107ee86e40d3f3e3f2f929051e25cac8f79077c95f2024ea47b108cb81bd8ad

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
2KB

MD5
6769d5639f5292c078608df8e32246c8

SHA1
5ee731591df46a2d103d4239c824b762c49a1494

SHA256
c51b5322706b838b74e02e8074c040349eafa4eb6cb73e098be611c0c7f8be2d

SHA512
46de6b44dbcecd57996bae497b67bc9ab256170591edd57d270dc18aa59e6830be512d629c55faebd062a15693cb222bc096444f7975d5b77b9a59600b3ff826

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
2KB

MD5
d79846e79a8aa27b41b388ae4661023f

SHA1
7efe51ab66d2934f8a2692f796926457e721310c

SHA256
b1c909865885b11cee4a6e5f6d9cecc2e135e11a94368c43d54499d16f0514bf

SHA512
e3958e7f84223acf12435da2a6479368f3db08d93e0e66bc9e367231fe5b71f1a1cfc8486a5591d8d12ee024769446889ef70473f531041cca06ab3d06a88682

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
2KB

MD5
baeff006e12bd6b04f7b9e818b354433

SHA1
6cddc1e09a1b165532219c56334fe53aa7b0f886

SHA256
2c14e07ae5b7e76ea7cf27725a9586b6fea339a712e0f574d6830e334c899ef8

SHA512
4ff3dce4d9cffe8c31297263a29fed6c802fad56b0d307b6c582598fd9ce2423727db81d9b06b0f535d01cc43851bc4cfd68a17974972886f2a310ef35160100

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
2KB

MD5
50d32ecb20c150cc8a43e421f6eaf41c

SHA1
a8b7057c51b56d86d05ced1b7718a66f21f86748

SHA256
2467f1925f084c00d53d55abfad64256f291b44a33b67762f4fe97bc9896bb74

SHA512
0e2ed3ea82d007b1f484c20fb34d3c778b41afd3af86f8994724630e5f62db925ed48d08cecad2176398770f1cf00b602865130ce2f30b82365b0faaae42fc33

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
64B

MD5
06f766407e517977b123ab1d05bd0f3c

SHA1
5fdc712311245f23684a615773e3fab8ea1a2c19

SHA256
58d7dccf2845fe88c5c29055f53afef4459de6d92acb1b82f9e68b9d5c5b52bd

SHA512
cce25436d1f95af73664c0653eb592351dd40cc5478b541ea572ba0904401fa796298b78f2e54247b71bd751bc9916d05a39d06c18496aea8f4faf9cc9112b3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_t4luvbz3.usq.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Spelling\en-US\default.dic

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\AppData\Roaming\Ultimate Tweaks\Network\Network Persistent State

Filesize
966B

MD5
49d31e242861c37952e9a2d5f8f5e4a8

SHA1
d0c112374cc0ac3849e7508ea1a975784beeb288

SHA256
96a7baff0dbccccd172486bbfaaf0233c3c07a8863751e457ed1abe248b38ef3

SHA512
fb748e9d108ed0f24a6d3926572fbcd059f2c29c5bd4ea85513d87f499f3254c08f8fbd3abcb74c534a2a5a3d5534ed66df9f573acb6790c7edcfd95c91b7fec

Download Submit
C:\Users\Admin\AppData\Roaming\Ultimate Tweaks\Network\Network Persistent State~RFe58c4e1.TMP

Filesize
59B

MD5
2800881c775077e1c4b6e06bf4676de4

SHA1
2873631068c8b3b9495638c865915be822442c8b

SHA256
226eec4486509917aa336afebd6ff65777b75b65f1fb06891d2a857a9421a974

SHA512
e342407ab65cc68f1b3fd706cd0a37680a0864ffd30a6539730180ede2cdcd732cc97ae0b9ef7db12da5c0f83e429df0840dbf7596aca859a0301665e517377b

Download Submit
C:\Users\Admin\AppData\Roaming\Ultimate Tweaks\Preferences

Filesize
57B

MD5
58127c59cb9e1da127904c341d15372b

SHA1
62445484661d8036ce9788baeaba31d204e9a5fc

SHA256
be4b8924ab38e8acf350e6e3b9f1f63a1a94952d8002759acd6946c4d5d0b5de

SHA512
8d1815b277a93ad590ff79b6f52c576cf920c38c4353c24193f707d66884c942f39ff3989530055d2fade540ade243b41b6eb03cd0cc361c3b5d514cca28b50a

Download Submit
C:\Users\Admin\AppData\Roaming\Ultimate Tweaks\Preferences~RFe57d87e.TMP

Filesize
86B

MD5
d11dedf80b85d8d9be3fec6bb292f64b

SHA1
aab8783454819cd66ddf7871e887abdba138aef3

SHA256
8029940de92ae596278912bbbd6387d65f4e849d3c136287a1233f525d189c67

SHA512
6b7ec1ca5189124e0d136f561ca7f12a4653633e2d9452d290e658dfe545acf6600cc9496794757a43f95c91705e9549ef681d4cc9e035738b03a18bdc2e25f0

Download Submit
memory/2124-734-0x000001DBC2F60000-0x000001DBC2F61000-memory.dmp

Filesize
4KB

Download
memory/2124-738-0x000001DBC2F60000-0x000001DBC2F61000-memory.dmp

Filesize
4KB

Download
memory/2124-737-0x000001DBC2F60000-0x000001DBC2F61000-memory.dmp

Filesize
4KB

Download
memory/2124-736-0x000001DBC2F60000-0x000001DBC2F61000-memory.dmp

Filesize
4KB

Download
memory/2124-735-0x000001DBC2F60000-0x000001DBC2F61000-memory.dmp

Filesize
4KB

Download
memory/2124-739-0x000001DBC2F60000-0x000001DBC2F61000-memory.dmp

Filesize
4KB

Download
memory/2124-740-0x000001DBC2F60000-0x000001DBC2F61000-memory.dmp

Filesize
4KB

Download
memory/2124-728-0x000001DBC2F60000-0x000001DBC2F61000-memory.dmp

Filesize
4KB

Download
memory/2124-730-0x000001DBC2F60000-0x000001DBC2F61000-memory.dmp

Filesize
4KB

Download
memory/2124-729-0x000001DBC2F60000-0x000001DBC2F61000-memory.dmp

Filesize
4KB

Download
memory/4168-70-0x0000017AFD640000-0x0000017AFD662000-memory.dmp

Filesize
136KB

Download
memory/4168-89-0x0000017AFDB40000-0x0000017AFDB84000-memory.dmp

Filesize
272KB

Download
memory/4168-90-0x0000017AFDC10000-0x0000017AFDC86000-memory.dmp

Filesize
472KB

Download
memory/4168-95-0x0000017AFDB90000-0x0000017AFDBBA000-memory.dmp

Filesize
168KB

Download
memory/4168-96-0x0000017AFDB90000-0x0000017AFDBB4000-memory.dmp

Filesize
144KB

Download