30091faafd62ea7ba9868db2ee575dab98fd126a78d39590f57ea7b38b20d966

Analysis

max time kernel
150s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
15-07-2024 11:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Ultimate Tweaks.exe
Size

168.2MB
MD5

02c4b9609f04037960d947113bc2a017
SHA1

b593fc590fafb5e11ccceb199ff405874183c4e8
SHA256

3b47e84d5ca6ad15d2e8916d6cbd6af9ab943a42e84241e0517eaab66b5ef214
SHA512

d4b3d0f440f6c61716dc156494e0be5cb4053d170d8917f7686e26734023c4e29785f354f0bc21912da06a33547573256379874027dc990cdc91d648f176826a
SSDEEP

1572864:9QqT4eFUirK1e2zSQ5Rcw/N5cae/bHhrPdacyodvcPSBoHESUlyAzl/:vBKRcAMyAzB

Score

7^/10

execution

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\Control Panel\International\Geo\Nation	Ultimate Tweaks.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\Control Panel\International\Geo\Nation	Ultimate Tweaks.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\System32\DriverStore\FileRepository\display.inf_amd64_71aa85b0e2292a7a\display.PNF	Ultimate Tweaks.exe
File created	\??\c:\windows\system32\driverstore\filerepository\display.inf_amd64_71aa85b0e2292a7a\display.PNF	Ultimate Tweaks.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 60 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
3544	powershell.exe
860	powershell.exe
1348	powershell.exe
2492	powershell.exe
4304	powershell.exe
1396	powershell.exe
1608	powershell.exe
2768	powershell.exe
2028	powershell.exe
3236	powershell.exe
2188	powershell.exe
2464	powershell.exe
996	powershell.exe
3376	powershell.exe
3264	powershell.exe
4612	powershell.exe
4508	powershell.exe
3724	powershell.exe
2864	powershell.exe
3640	powershell.exe
2716	powershell.exe
2960	powershell.exe
1352	powershell.exe
2228	powershell.exe
4352	powershell.exe
4288	powershell.exe
3940	powershell.exe
732	powershell.exe
4612	powershell.exe
1200	powershell.exe
1192	powershell.exe
2756	powershell.exe
2080	powershell.exe
1152	powershell.exe
2188	powershell.exe
4296	powershell.exe
3084	powershell.exe
1192	powershell.exe
3832	powershell.exe
4804	powershell.exe
5092	powershell.exe
1668	powershell.exe
1920	powershell.exe
1600	powershell.exe
2492	powershell.exe
4536	powershell.exe
2492	powershell.exe
376	powershell.exe
4492	powershell.exe
1604	powershell.exe
1744	powershell.exe
1448	powershell.exe
740	powershell.exe
5052	powershell.exe
4432	powershell.exe
3524	powershell.exe
2828	powershell.exe
4892	powershell.exe
4736	powershell.exe
3096	powershell.exe

Checks processor information in registry 2 TTPs 7 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Ultimate Tweaks.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	Ultimate Tweaks.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Ultimate Tweaks.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	Ultimate Tweaks.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	Ultimate Tweaks.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	Ultimate Tweaks.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\2	Ultimate Tweaks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3264	powershell.exe
2492	powershell.exe
3264	powershell.exe
2492	powershell.exe
4612	powershell.exe
4612	powershell.exe
3544	powershell.exe
3544	powershell.exe
1608	powershell.exe
2028	powershell.exe
2028	powershell.exe
1608	powershell.exe
4892	powershell.exe
1192	powershell.exe
4892	powershell.exe
1192	powershell.exe
5092	powershell.exe
4508	powershell.exe
5092	powershell.exe
4508	powershell.exe
4612	powershell.exe
1920	powershell.exe
1920	powershell.exe
4612	powershell.exe
2768	powershell.exe
1744	powershell.exe
2768	powershell.exe
1744	powershell.exe
2228	powershell.exe
2188	powershell.exe
2228	powershell.exe
2188	powershell.exe
4736	powershell.exe
3236	powershell.exe
3236	powershell.exe
4736	powershell.exe
4536	powershell.exe
860	powershell.exe
4536	powershell.exe
860	powershell.exe
2828	powershell.exe
2492	powershell.exe
2492	powershell.exe
2828	powershell.exe
2756	powershell.exe
1348	powershell.exe
2756	powershell.exe
1348	powershell.exe
4352	powershell.exe
2080	powershell.exe
4352	powershell.exe
2080	powershell.exe
3084	powershell.exe
3724	powershell.exe
3724	powershell.exe
3084	powershell.exe
2492	powershell.exe
4288	powershell.exe
2492	powershell.exe
4288	powershell.exe
3096	powershell.exe
1152	powershell.exe
3096	powershell.exe
1152	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1100	Ultimate Tweaks.exe
Token: SeCreatePagefilePrivilege	1100	Ultimate Tweaks.exe
Token: SeDebugPrivilege	3264	powershell.exe
Token: SeDebugPrivilege	2492	powershell.exe
Token: SeShutdownPrivilege	1100	Ultimate Tweaks.exe
Token: SeCreatePagefilePrivilege	1100	Ultimate Tweaks.exe
Token: SeIncreaseQuotaPrivilege	3264	powershell.exe
Token: SeSecurityPrivilege	3264	powershell.exe
Token: SeTakeOwnershipPrivilege	3264	powershell.exe
Token: SeLoadDriverPrivilege	3264	powershell.exe
Token: SeSystemProfilePrivilege	3264	powershell.exe
Token: SeSystemtimePrivilege	3264	powershell.exe
Token: SeProfSingleProcessPrivilege	3264	powershell.exe
Token: SeIncBasePriorityPrivilege	3264	powershell.exe
Token: SeCreatePagefilePrivilege	3264	powershell.exe
Token: SeBackupPrivilege	3264	powershell.exe
Token: SeRestorePrivilege	3264	powershell.exe
Token: SeShutdownPrivilege	3264	powershell.exe
Token: SeDebugPrivilege	3264	powershell.exe
Token: SeSystemEnvironmentPrivilege	3264	powershell.exe
Token: SeRemoteShutdownPrivilege	3264	powershell.exe
Token: SeUndockPrivilege	3264	powershell.exe
Token: SeManageVolumePrivilege	3264	powershell.exe
Token: 33	3264	powershell.exe
Token: 34	3264	powershell.exe
Token: 35	3264	powershell.exe
Token: 36	3264	powershell.exe
Token: SeShutdownPrivilege	1100	Ultimate Tweaks.exe
Token: SeCreatePagefilePrivilege	1100	Ultimate Tweaks.exe
Token: SeShutdownPrivilege	1100	Ultimate Tweaks.exe
Token: SeCreatePagefilePrivilege	1100	Ultimate Tweaks.exe
Token: SeShutdownPrivilege	1100	Ultimate Tweaks.exe
Token: SeCreatePagefilePrivilege	1100	Ultimate Tweaks.exe
Token: SeShutdownPrivilege	1100	Ultimate Tweaks.exe
Token: SeCreatePagefilePrivilege	1100	Ultimate Tweaks.exe
Token: SeDebugPrivilege	4612	powershell.exe
Token: SeDebugPrivilege	3544	powershell.exe
Token: SeIncreaseQuotaPrivilege	3544	powershell.exe
Token: SeSecurityPrivilege	3544	powershell.exe
Token: SeTakeOwnershipPrivilege	3544	powershell.exe
Token: SeLoadDriverPrivilege	3544	powershell.exe
Token: SeSystemProfilePrivilege	3544	powershell.exe
Token: SeSystemtimePrivilege	3544	powershell.exe
Token: SeProfSingleProcessPrivilege	3544	powershell.exe
Token: SeIncBasePriorityPrivilege	3544	powershell.exe
Token: SeCreatePagefilePrivilege	3544	powershell.exe
Token: SeBackupPrivilege	3544	powershell.exe
Token: SeRestorePrivilege	3544	powershell.exe
Token: SeShutdownPrivilege	3544	powershell.exe
Token: SeDebugPrivilege	3544	powershell.exe
Token: SeSystemEnvironmentPrivilege	3544	powershell.exe
Token: SeRemoteShutdownPrivilege	3544	powershell.exe
Token: SeUndockPrivilege	3544	powershell.exe
Token: SeManageVolumePrivilege	3544	powershell.exe
Token: 33	3544	powershell.exe
Token: 34	3544	powershell.exe
Token: 35	3544	powershell.exe
Token: 36	3544	powershell.exe
Token: SeShutdownPrivilege	1100	Ultimate Tweaks.exe
Token: SeCreatePagefilePrivilege	1100	Ultimate Tweaks.exe
Token: SeShutdownPrivilege	1100	Ultimate Tweaks.exe
Token: SeCreatePagefilePrivilege	1100	Ultimate Tweaks.exe
Token: SeShutdownPrivilege	1100	Ultimate Tweaks.exe
Token: SeCreatePagefilePrivilege	1100	Ultimate Tweaks.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1100 wrote to memory of 1888	1100	Ultimate Tweaks.exe	84
PID 1100 wrote to memory of 1888	1100	Ultimate Tweaks.exe	84
PID 1100 wrote to memory of 1888	1100	Ultimate Tweaks.exe	84
PID 1100 wrote to memory of 1888	1100	Ultimate Tweaks.exe	84
PID 1100 wrote to memory of 1888	1100	Ultimate Tweaks.exe	84
PID 1100 wrote to memory of 1888	1100	Ultimate Tweaks.exe	84
PID 1100 wrote to memory of 1888	1100	Ultimate Tweaks.exe	84
PID 1100 wrote to memory of 1888	1100	Ultimate Tweaks.exe	84
PID 1100 wrote to memory of 1888	1100	Ultimate Tweaks.exe	84
PID 1100 wrote to memory of 1888	1100	Ultimate Tweaks.exe	84
PID 1100 wrote to memory of 1888	1100	Ultimate Tweaks.exe	84
PID 1100 wrote to memory of 1888	1100	Ultimate Tweaks.exe	84
PID 1100 wrote to memory of 1888	1100	Ultimate Tweaks.exe	84
PID 1100 wrote to memory of 1888	1100	Ultimate Tweaks.exe	84
PID 1100 wrote to memory of 1888	1100	Ultimate Tweaks.exe	84
PID 1100 wrote to memory of 1888	1100	Ultimate Tweaks.exe	84
PID 1100 wrote to memory of 1888	1100	Ultimate Tweaks.exe	84
PID 1100 wrote to memory of 1888	1100	Ultimate Tweaks.exe	84
PID 1100 wrote to memory of 1888	1100	Ultimate Tweaks.exe	84
PID 1100 wrote to memory of 1888	1100	Ultimate Tweaks.exe	84
PID 1100 wrote to memory of 1888	1100	Ultimate Tweaks.exe	84
PID 1100 wrote to memory of 1888	1100	Ultimate Tweaks.exe	84
PID 1100 wrote to memory of 1888	1100	Ultimate Tweaks.exe	84
PID 1100 wrote to memory of 1888	1100	Ultimate Tweaks.exe	84
PID 1100 wrote to memory of 1888	1100	Ultimate Tweaks.exe	84
PID 1100 wrote to memory of 1888	1100	Ultimate Tweaks.exe	84
PID 1100 wrote to memory of 1888	1100	Ultimate Tweaks.exe	84
PID 1100 wrote to memory of 1888	1100	Ultimate Tweaks.exe	84
PID 1100 wrote to memory of 1888	1100	Ultimate Tweaks.exe	84
PID 1100 wrote to memory of 1888	1100	Ultimate Tweaks.exe	84
PID 1100 wrote to memory of 1972	1100	Ultimate Tweaks.exe	85
PID 1100 wrote to memory of 1972	1100	Ultimate Tweaks.exe	85
PID 1100 wrote to memory of 2804	1100	Ultimate Tweaks.exe	86
PID 1100 wrote to memory of 2804	1100	Ultimate Tweaks.exe	86
PID 2804 wrote to memory of 4132	2804	Ultimate Tweaks.exe	87
PID 2804 wrote to memory of 4132	2804	Ultimate Tweaks.exe	87
PID 4132 wrote to memory of 740	4132	cmd.exe	89
PID 4132 wrote to memory of 740	4132	cmd.exe	89
PID 2804 wrote to memory of 2492	2804	Ultimate Tweaks.exe	90
PID 2804 wrote to memory of 2492	2804	Ultimate Tweaks.exe	90
PID 2804 wrote to memory of 3264	2804	Ultimate Tweaks.exe	91
PID 2804 wrote to memory of 3264	2804	Ultimate Tweaks.exe	91
PID 2804 wrote to memory of 4612	2804	Ultimate Tweaks.exe	95
PID 2804 wrote to memory of 4612	2804	Ultimate Tweaks.exe	95
PID 2804 wrote to memory of 3544	2804	Ultimate Tweaks.exe	96
PID 2804 wrote to memory of 3544	2804	Ultimate Tweaks.exe	96
PID 2804 wrote to memory of 1608	2804	Ultimate Tweaks.exe	99
PID 2804 wrote to memory of 1608	2804	Ultimate Tweaks.exe	99
PID 2804 wrote to memory of 2028	2804	Ultimate Tweaks.exe	100
PID 2804 wrote to memory of 2028	2804	Ultimate Tweaks.exe	100
PID 2804 wrote to memory of 1192	2804	Ultimate Tweaks.exe	103
PID 2804 wrote to memory of 1192	2804	Ultimate Tweaks.exe	103
PID 2804 wrote to memory of 4892	2804	Ultimate Tweaks.exe	104
PID 2804 wrote to memory of 4892	2804	Ultimate Tweaks.exe	104
PID 2804 wrote to memory of 4508	2804	Ultimate Tweaks.exe	107
PID 2804 wrote to memory of 4508	2804	Ultimate Tweaks.exe	107
PID 2804 wrote to memory of 5092	2804	Ultimate Tweaks.exe	108
PID 2804 wrote to memory of 5092	2804	Ultimate Tweaks.exe	108
PID 2804 wrote to memory of 4612	2804	Ultimate Tweaks.exe	112
PID 2804 wrote to memory of 4612	2804	Ultimate Tweaks.exe	112
PID 2804 wrote to memory of 1920	2804	Ultimate Tweaks.exe	113
PID 2804 wrote to memory of 1920	2804	Ultimate Tweaks.exe	113
PID 2804 wrote to memory of 2768	2804	Ultimate Tweaks.exe	116
PID 2804 wrote to memory of 2768	2804	Ultimate Tweaks.exe	116

C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe
"C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1100
- C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe
  "C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\Ultimate Tweaks" --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=1704 --field-trial-handle=1724,i,11806066936257155034,13747518096115027451,262144 --enable-features=kWebSQLAccess --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version /prefetch:2
  2⤵
  PID:1888
- C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe
  "C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\Ultimate Tweaks" --mojo-platform-channel-handle=2156 --field-trial-handle=1724,i,11806066936257155034,13747518096115027451,262144 --enable-features=kWebSQLAccess --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version /prefetch:3
  2⤵
  PID:1972
- C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe
  "C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\Ultimate Tweaks" --app-path="C:\Users\Admin\AppData\Local\Temp\resources\app.asar" --no-sandbox --no-zygote --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=4 --mojo-platform-channel-handle=2392 --field-trial-handle=1724,i,11806066936257155034,13747518096115027451,262144 --enable-features=kWebSQLAccess --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version /prefetch:1
  2⤵
  - Checks computer location settings
  - Checks processor information in registry
  - Suspicious use of WriteProcessMemory
  PID:2804
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "chcp"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4132
  - - C:\Windows\system32\chcp.com
      chcp
      4⤵
      PID:740
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2492
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3264
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4612
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3544
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:1608
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:2028
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:1192
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:4892
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:4508
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:5092
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:4612
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:1920
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:2768
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:1744
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:2228
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:2188
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:3236
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:4736
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:4536
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:860
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:2492
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:2828
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:1348
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:2756
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:2080
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:4352
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:3084
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:3724
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:2492
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:4288
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:1152
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:3096
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:1448
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:740
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:1192
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:3940
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:2464
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:1668
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:2716
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:3832
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:5052
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:732
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:2188
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:4304
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:2960
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:1600
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:996
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:376
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:4804
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:2864
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:3640
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:4296
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:4492
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:3376
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:4432
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:1352
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:3524
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:1396
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:1200
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:1604
- C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe
  "C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --user-data-dir="C:\Users\Admin\AppData\Roaming\Ultimate Tweaks" --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAABEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=3364 --field-trial-handle=1724,i,11806066936257155034,13747518096115027451,262144 --enable-features=kWebSQLAccess --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version /prefetch:8
  2⤵
  - Drops file in System32 directory
  PID:1932

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
5c3cc3c6ae2c1e0b92b502859ce79d0c

SHA1
bde46d0f91ad780ce5cba924f8d9f4c175c5b83d

SHA256
5a48860ad5bdf15d7a241aa16124163ec48adc0f0af758e43561ac07e4f163b2

SHA512
269b79931df92c30741c9a42a013cb24935887272ed8077653f0b6525793da52c5004c70329d8e0e7b2776fc1aba6e32da5dadf237ae42f7398fdf35a930663e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
376B

MD5
4fed6f103d11dd023c7b2a7b655d2328

SHA1
5a83000e827afef773e8034faad32b0a44b949d8

SHA256
e18f2f31e7ca2567d499df784926990c44a7e0e294ffd2dd4d832e9c45cc41ac

SHA512
e4a51c15fe8405e20924d758769d911c2a4af341c76fa6bb0061a30d2a6327ae5268291e70773862244689fc6b27374c3338e583af245d75f8c5a8069e2c24f6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
2KB

MD5
58dcc8a8f0e4e301095b0b7936105bce

SHA1
e194adce616281f73faf56a92fba8d23b2409f5d

SHA256
5c1a9f1abfbde41e7abcf319a7c07c8c176efee7c914e84d5d3e74a0f35c2c1d

SHA512
06aa728e62b2b3a59dccc2ace604fb2a47a49cf0ecec2076f24e73af49246495c8f0104adab15932277a06026c45ac32888ada01d92ddf0a69aad0309373920a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
2KB

MD5
d9484c1e4e56af3861a9791d3db88332

SHA1
942ee8ecfee6571014c0869db52dcb121a2594fb

SHA256
cf3e191414775ceff439f781ec53bb6f60d880c23b90a53484e087c1275de440

SHA512
535175c50998fd19d7d0ae965016a0bf65a5fa0e2c8a02dc51f31e8c34d97c082d870de80f84f0b1375c9d164f8960897546999f09dfc727acee6cfb8d64fefa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
2KB

MD5
9bf95d122e909b70dc4e78a5468cb747

SHA1
40112ce9b4acb1027feb0cfb136fbb032c099bd9

SHA256
d29a961de3d6c099b67a462ab9341768fa000105dd639ac64eca8a563bb36997

SHA512
f8974f6c5639356417858e3a7fbfac92671c8928df7018db754047a1c904ad72c6c9b0218c884ed683675edaec05c9ff6cb178e499b133e7d6b1463ffe622c15

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
2KB

MD5
12e50f56fc22de9cf8e9a027baf8e215

SHA1
ca7667d8f15a7ea10c68492a02abf298b58910f1

SHA256
fc0b2fd114c4ee910f5243136296ff800e007064391e69f0475074adf42cf39c

SHA512
2e772e184ed691e23ef4c2165e5beac7c9566180b30e85079352b79172651b725d0c1e8157a5503025d0c195163f5a4e131d87fa503db2431861fe7488f4a172

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
296B

MD5
fb35c7bd0757fb1a786334965cebb3ed

SHA1
67c8055caad2a99f4d364da6b3862682eb35f170

SHA256
4a8681536eb91652ed24a8861e72f5cfcf0c38982d5c87112bd7342983c46c8a

SHA512
5e2081f51d6c03250574bb3f4f6799a09eeedddddf3dd3eb475b20c571e7cce1a828b6abe66edbf947ef38d9e5d9c906364c2df9656c5adcdd090fff85dc1433

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
2KB

MD5
9ce16fecf20166466e45e370385c2378

SHA1
547c2c7f5adc7a55033b7bc5ff00ce932dcddda2

SHA256
6cea10b881c5cf4a83eae625f544f9ad6db4562fdc5c780580fa023bea0a9d7d

SHA512
7054ed3168dc823dfa867ee74c0e049d48b2a37ecd58a092f99aeec4ec137780c84bfcc68d5384ebf39e5bb7b694f431db6180b7b2a1b053908e04e48484c880

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
2KB

MD5
3066a4cb034a8135fb6fbec54fe666b5

SHA1
8f9f755ef6cf46c73aea03ce72d163b71df93601

SHA256
4d1fd332739ad9345287d2f96c21375a01dfe9ea8738db526e15b14b0e5edb7c

SHA512
957f37bb25c3a04be19edc00e99007ce966196a88b230c44ad53f6fb047f36577190b73950e132d93c51e614154c4607429a8b37734fc4ae85c4b51928961490

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
2KB

MD5
618e5480c795919e339af61389eacc99

SHA1
c9a12a8fc979a8ddb6dbeec5fe115ece441170bf

SHA256
c9b305725327404358213232f67cbe5af347d2f2a4daa9c23d3b1b331aeab86f

SHA512
3d0eb13f792c4a91a3848e7bc1130b3cc280739867def4a0af9987d3c9faf13a8f38b2191b95d9f30c6e0dae70e313898b41b4ed5d96821e60a9ab5d2cb39081

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
2KB

MD5
c2c0502cf2e23ffd263eff80b4afcad7

SHA1
b3baad07e79d792dea40141c08fcdf20fb110fac

SHA256
eaa4f01bc9e7add55f5a7484bf52239a108e708cbb15cada65b09cd33d29a2f3

SHA512
11462ef26ba5beb15ce5a8fe759ad5708df544ee86dfe696b8bd5bc8572a569d44d8ed5c082a91bf547c3015d8c5cb33b5c527cd56cd1f4c15985fdeb6ca3537

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
2KB

MD5
723e2ad5514e61d0c9a99d666f507a17

SHA1
74aa55161086e2d3c98ddbe88f8e80aa84ae98ec

SHA256
d58a7100a1a88740662902daf3756cfc267ce058db4a21ae48dd000cd4dd222a

SHA512
5e5a1545370e0df7098316cb26cc42f260c925b25c3db4d5bd9f4a20df22037dab56d0b39711784cb42071147e62c4637266f07e1e0e3df969972c29270a70a3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
2KB

MD5
6432889cd2977e8a64852d2ffab75f92

SHA1
b2d8954cf0a2ee26e6a2fa4afe1eb75f3b7b74ae

SHA256
6ad8f2bdc479b01369ebb8b78fd8c4ca7eafa4f3d87f803580f63b46033ee5e2

SHA512
983e850ee0de0a024d52cb67dcbc500bf1c8601b14273fbdfebbdce15944a408fda0e2b850e0689e3f97d020d6ede4917370f4e4e8927a439cbdef0cff30e042

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
2KB

MD5
b3c262b25edf309ed06c9c95d822c9a8

SHA1
9ff87a36c93dad0ea8407347f91e3341cbc5cbf6

SHA256
6203a21794afb76f872064175ff7cca95367ba2b253d41a88e79abf5e4a7d589

SHA512
985b86cc3fcbd2c8c8af4fe1315143f3452b3ab3a9025030066be34652c469f9555bff6e6d630ba5cd53afd854237b8b34f1f022914a5e1508c9adf55d3a40c5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
2KB

MD5
5f82c9bcbc5ba2842f3cf667253e3fe9

SHA1
1cd676c0290fd8d83f19cba2a7580a14099c12e5

SHA256
435f7ed5d6a583535f61937412baa336e3355bfa70986b38c3a0a65afbd6bf30

SHA512
3a069c0857751444f90da35064048cf860e2494ab0a31918e9156e38c7c9d75753d683c70135d6ee03283b40533c61d0b3323b7eca1bf50e8bf35e93fb722b2a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
2KB

MD5
984049ec85fe946fc7c0cccf935f2009

SHA1
e117374c8953b8424866457cfc8ff092a8942eaa

SHA256
f951f2852582c102f2f130e3ccba6befdf510fd9c70c599e40c87a2e31c956e7

SHA512
3d589aa8e51f195f2b4c73da8302558b4d3e61259d4b4de49b9d73597554e25d3587f7dde7b7abf0ab54ee5b6474bd45eec4a6a61d2a525235e0fab8df850a55

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
2KB

MD5
621b70d590662fed6e4cfb52f839c489

SHA1
db78b7f3990b8e6d1c412281d538c0271a3a3bbb

SHA256
390848503e1310c7ccba1361c1c3fcae6beccc342604b6c57c822450ca81bca9

SHA512
8c2ffc8b8cb477cb232b0198699aaa40bc259745ca4081250d792d7e4899de2fca52b37ea03ca7fd959d6da6d1f3f309a2a0fbea7fb33dbf6dbe4ca193c9a46d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
2KB

MD5
fdef67460a2f809b75ba1c11f5819510

SHA1
bdafed3d0099ecc79daf5bf7b348656adfaac5e4

SHA256
6201f2e604af0638fa2be3d38a34e38d1692855a953bf0f6d42b5bb3f9466407

SHA512
452543bb37672fdf9713e057565f3b18cdf6fb9c5be811d38653b982b809158314e0ce54858244c8ca6b3e5975aa605816b02a128104998c9003b2739d59d6bb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
2KB

MD5
3221f385af052b0be9cf63e06c5b71cb

SHA1
3a339c90961c812e537b5f6ae96cc1705eb366a8

SHA256
f1a2c098bb9e219d9821af105d878c7a3da8243238b9c502848c4bccf91e5907

SHA512
af56a14b813f11237b9552dc1b8e349235969093f09ed66ff4832c3635d9dc8b8f8e5b3851f309a48494dbe8ba0ae164743aa34ebcce694f8b080f6191514390

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
2KB

MD5
fbc084750f87a78d369f82d9572ca33e

SHA1
0f4b9b00e7def694f25bc2523a91513b38e1e36e

SHA256
08a1d6429095050bdf8b7ce69080f0db0f5ab4d382bae13374d2213d2a338740

SHA512
063078e3f8d0424889757d6f1912e70aa68a0f41952ab0c9c4c1f6fedc528dddf5945e4650a191f7fa0fc59cadf7ef069dbc61d60ddd6bdd392369fba6c0de54

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
2KB

MD5
2a3cce852fb9e7675ab580947d5e240c

SHA1
3632d9c3d0f46c42ff7184c3444cbaddc97ebf3b

SHA256
71a59c151e014f8f0d3d79ebb801722abe76ce23d2ed920ffc6a385d871b6f2d

SHA512
74acd7cf9022710ff936ec9fb27ef8f4174b17c9746e6a81ef5328cc71395136714052c65ee55964a7caf5d10eac485f0c40e99d5558723567b888d6c8f31ace

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
2KB

MD5
e510a4996752927e6d2a52e589066cae

SHA1
3d549e7372986a025f1b1cd40959a9415d260350

SHA256
e975272bbd8dbb2dd28acd3828de49afa6a8da44489341df42d0613c243cbe74

SHA512
7403b3a2fe262d1bb1b3b00ba32fa852153b8a1ac6844512cf6f446eabd313b739ebfb78b2270cb9b10c5e05b58960dfdd56901aed556ec8ec42369f1bab23b8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
2KB

MD5
74eb362bfe1e9bb0c6be7ddf84d6bc37

SHA1
92c9eeff0bd0ce795c362930cc0eafb878ff1683

SHA256
2c608ad2e2afe11780c8bcd7b53f192ce75f4443f0d0189fe6bb0245b5826289

SHA512
448799db73fbbce50bc0a98e5936075d2005fba8f9d44b71f78f27cc2a85287f90b6fa8d7324e84f5b05459d68ed16b7179ca0cf166c81f7b3ca29e72ee7b623

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
136B

MD5
f03f430e1a337b57359cf6fa79abae28

SHA1
6a06cb080a9e63c603e6837631b64dd2c47aced0

SHA256
5a3401d0f89a1c7a01e8cdc061eb7919462ea7cc24bb320cd3b7c3acdead5cba

SHA512
9bebe5c4f68fe8d7d6d485aa0f559547960fca223f3b952a8c53720aaec5bce50f89c5907cb482d065ef8a9da442d5f2cd87a08ffd68253bb18b24b5d9c716cc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
2KB

MD5
23a46d4ab4a56f3a31eaa6b72a459ac0

SHA1
6ecedfcd07c747f83efd6f2e7c3ff032ba38def2

SHA256
509c2eddf18922b45eb27616aaf33a7fa02689d114328b9b1c07be9e3225303b

SHA512
4261de783b7de8fe2f95a74fb93f8afca31f2b2a0ff07ef04b0a37f3e61b622d64243696f59a6832a7ce0ae38f29d6c09df386132ffbd00ad9b9349e7bde736e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
2KB

MD5
8c270b5fbe7ff6c8905651cbb7458b53

SHA1
a53e7aa4469ea296add7aacfaed971529ce7489b

SHA256
2052661d60326aae7b9476796970338b310126f176fa779fd835bf6aecae5ad1

SHA512
2fb3f42e97325c0108f58067506b3de62d248de2169afbb1267eafd76d554ffd5e16b2b3e45eca0aebd869c61fea154b710a2b144ef3d9e6938aa0e0cafcef56

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
2KB

MD5
faa7389cb66b1a03b35c195ca05e26fb

SHA1
4395bc9d3378e20d07eafd98e023a3b0b711ed7b

SHA256
51720bd322a464ba109f1ae1d9db94ef46e61f406839f97e989cc6e72d2b9434

SHA512
f59eede3f609c9751913f6b5f86da869e0e04d16e47d857ce9cb417986c6be66fc5fc08d935b1337abe333de053d65ecc595380e4361b6b28ad01d0021c584da

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
2KB

MD5
d49ea14d8105d2d60837782d914f4372

SHA1
6fced93200cb71bd61d500996f6883fe3b351104

SHA256
a4dbf9910810efdbdd14e3802cd9dba911ed6ea217096edcd9e3a1bf974cf04c

SHA512
184b0ea55eab51a950af9b87306fb0cae7b2d9fe4493ddbeffad7429a9d34037b5f8d5c099c938745c0b6a11ae803b851b8b07af481f6b96f4055665f9dbf13c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
64B

MD5
0e19e128675a57870cf37ff28d59370d

SHA1
71f618c4b255ca036da529590506efb26716fd3b

SHA256
2f4c49f39afe1249840ee6e76673ede846436c5bb5f2e3f2b690f976c53e51c9

SHA512
df62b2dfc29cb7b9b313b58bb7a42c761f65453abe842f8541fe4f1250244b621a317834fa63ca737f74830568363b935ce45ee48159ea30478bf38f3b5fd5bb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
2KB

MD5
fc94705f48f503a8a1e3589ad7a851cd

SHA1
d6665d29599e05f390771e23f60b487606365527

SHA256
049412e807188586e8ffa4f0c974077a00a548d4850c9c613de3792673146201

SHA512
292bbddb65429f138fd0c97bcad53fb2bff24da6cf19286f140397dca1d863fb58b51195fdc3e086cc561ce291bb53c0d0b7e172bb556dd7c4f94f14a183cdfe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
452B

MD5
9d286b3550ae2ec4de5ac42b0b4a7e68

SHA1
2df1c9dd9089b7ee2fe811409fdea70d1df42e10

SHA256
6e86f47915742517962620b56404290920da249ed9dbf74534e0c9fd847198c8

SHA512
0b56ea29805762ee7f5a830df83067747f32dc58d6f4dc7db531ebe7544bdce33d9cc6aeed0ca08d561db2939d2075b38374a3f498aa02165d3fb384be2a4d7f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
2KB

MD5
e8ee8271855c2b7134cc3d062857ac1f

SHA1
280c0707f98616c5276a6a725406eb8cd078d960

SHA256
c56e72c6b5f066b0aa3990b4d80f4e7b2aa8411321c71ef21a2a58c44d6fecea

SHA512
5e44ec79c9bfb547e55c4c8f0d2aed7a00beaf27b042b25da9696ffee9cf14e62af165d5ee839efe940d9e3598b6519fc21f4138d17d2b2f654d6d0f776a08d2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
2KB

MD5
f88a2801831bb1b2504eee631e4b0cd8

SHA1
f440f59a3ec29ace5063b74f4ac7f185d82d9304

SHA256
dd6f44da51cbd063f21525519e81c4c990b7c820fa42614ddd7e01c1ce35c34f

SHA512
defe3cc4d2cba925b143d71151a4f3b7fc6a0f5c75c12a420f07023a92ca7d5997507dd35eca5304cba39220deabf393cef9ce201f5ca8c06a6d5287bf194e12

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
2KB

MD5
22d1788e299efe2b6d56dfa1c1d62d04

SHA1
56657475d18727632fd4a9b7654a510314f04364

SHA256
c4a4745868f2f3ceb0109d15e90439182a63b0c2fa16140becb83b8b225a14f3

SHA512
cdd3e3fed22972dd0db5d0914e1250659955d9fa3fa070f18754a0b3e118729e8229bcaa0adde60671105119696bda9931bc7b063819bc12e30c638c267d08f0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
2KB

MD5
d4ebe940bfee12db7d2f6345e6bdc3fc

SHA1
b042aaf6ea879c3c596a16126e14d280988e5b57

SHA256
f5213ca7ce5d2d2282f97d238e95d4509a0f6e2ba53473a3c1c6da2d2eb3cb60

SHA512
61131d52b5e02758f0bc7749127f4ee02997c02b3c2adcd162108010ada3afb92ccacf16d3f035086593e6143a3c8809cb74a0eea90462a371be3a2cd4db707f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
2KB

MD5
28c65370f12e84b734af87ad491ea257

SHA1
402d3a8203115f1365d48fa72daf0a56e14d8a08

SHA256
4ea873fb3d77a2f8eefae82c943f621f16723516e181bde133568f8f0c91290c

SHA512
56eb34162b0a39da4aaf66aad35ef355a7709982b5060792e3b4849c36650725176e927815537ec58e7ddf0fb1763066b203d6b7f9d1b3dd2c8bc091c0c850cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_oyrfiwt4.q3n.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Spelling\en-US\default.exc

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\AppData\Roaming\Ultimate Tweaks\Network\Network Persistent State

Filesize
966B

MD5
9040bbe31108e006ee9860ee7cb57fe3

SHA1
d765e1ec1214f9ce5986cf05bda1b2cb5958d7bb

SHA256
760143c845ada006cda2ccd800e4d5b9376be184edfcd3cedeee714afb3de02f

SHA512
c9ee3ed80461871e1bf27694973795f866a4ff7c1e445372dcde7f090521f24800342fcc0ee265d26ae15d180b7b20da3f928c170ad237bb0f6a65e76fd617a4

Download Submit
C:\Users\Admin\AppData\Roaming\Ultimate Tweaks\Network\Network Persistent State~RFe58a757.TMP

Filesize
59B

MD5
2800881c775077e1c4b6e06bf4676de4

SHA1
2873631068c8b3b9495638c865915be822442c8b

SHA256
226eec4486509917aa336afebd6ff65777b75b65f1fb06891d2a857a9421a974

SHA512
e342407ab65cc68f1b3fd706cd0a37680a0864ffd30a6539730180ede2cdcd732cc97ae0b9ef7db12da5c0f83e429df0840dbf7596aca859a0301665e517377b

Download Submit
C:\Users\Admin\AppData\Roaming\Ultimate Tweaks\Preferences

Filesize
57B

MD5
58127c59cb9e1da127904c341d15372b

SHA1
62445484661d8036ce9788baeaba31d204e9a5fc

SHA256
be4b8924ab38e8acf350e6e3b9f1f63a1a94952d8002759acd6946c4d5d0b5de

SHA512
8d1815b277a93ad590ff79b6f52c576cf920c38c4353c24193f707d66884c942f39ff3989530055d2fade540ade243b41b6eb03cd0cc361c3b5d514cca28b50a

Download Submit
C:\Users\Admin\AppData\Roaming\Ultimate Tweaks\Preferences~RFe57bb03.TMP

Filesize
86B

MD5
d11dedf80b85d8d9be3fec6bb292f64b

SHA1
aab8783454819cd66ddf7871e887abdba138aef3

SHA256
8029940de92ae596278912bbbd6387d65f4e849d3c136287a1233f525d189c67

SHA512
6b7ec1ca5189124e0d136f561ca7f12a4653633e2d9452d290e658dfe545acf6600cc9496794757a43f95c91705e9549ef681d4cc9e035738b03a18bdc2e25f0

Download Submit
memory/1932-739-0x000001A475070000-0x000001A475071000-memory.dmp

Filesize
4KB

Download
memory/1932-729-0x000001A475070000-0x000001A475071000-memory.dmp

Filesize
4KB

Download
memory/1932-738-0x000001A475070000-0x000001A475071000-memory.dmp

Filesize
4KB

Download
memory/1932-737-0x000001A475070000-0x000001A475071000-memory.dmp

Filesize
4KB

Download
memory/1932-736-0x000001A475070000-0x000001A475071000-memory.dmp

Filesize
4KB

Download
memory/1932-735-0x000001A475070000-0x000001A475071000-memory.dmp

Filesize
4KB

Download
memory/1932-734-0x000001A475070000-0x000001A475071000-memory.dmp

Filesize
4KB

Download
memory/1932-730-0x000001A475070000-0x000001A475071000-memory.dmp

Filesize
4KB

Download
memory/1932-740-0x000001A475070000-0x000001A475071000-memory.dmp

Filesize
4KB

Download
memory/1932-728-0x000001A475070000-0x000001A475071000-memory.dmp

Filesize
4KB

Download
memory/2492-89-0x00000230BB970000-0x00000230BB9B4000-memory.dmp

Filesize
272KB

Download
memory/3264-90-0x000002CD7DAD0000-0x000002CD7DB46000-memory.dmp

Filesize
472KB

Download
memory/3264-96-0x000002CD7DA50000-0x000002CD7DA74000-memory.dmp

Filesize
144KB

Download
memory/3264-95-0x000002CD7DA50000-0x000002CD7DA7A000-memory.dmp

Filesize
168KB

Download
memory/3264-70-0x000002CD7D520000-0x000002CD7D542000-memory.dmp

Filesize
136KB

Download