30091faafd62ea7ba9868db2ee575dab98fd126a78d39590f57ea7b38b20d966

Resubmissions

17-07-2024 11:56

240717-n32f5azaqj 10

17-07-2024 11:51

240717-n1gzpsyhqq 10

Analysis

max time kernel
150s
max time network
161s
platform
windows11-21h2_x64
resource
win11-20240709-en
resource tags

arch:x64arch:x86image:win11-20240709-enlocale:en-usos:windows11-21h2-x64system
submitted
17-07-2024 11:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Ultimate Tweaks.exe
Size

168.2MB
MD5

02c4b9609f04037960d947113bc2a017
SHA1

b593fc590fafb5e11ccceb199ff405874183c4e8
SHA256

3b47e84d5ca6ad15d2e8916d6cbd6af9ab943a42e84241e0517eaab66b5ef214
SHA512

d4b3d0f440f6c61716dc156494e0be5cb4053d170d8917f7686e26734023c4e29785f354f0bc21912da06a33547573256379874027dc990cdc91d648f176826a
SSDEEP

1572864:9QqT4eFUirK1e2zSQ5Rcw/N5cae/bHhrPdacyodvcPSBoHESUlyAzl/:vBKRcAMyAzB

Score

5^/10

execution

Malware Config

Signatures

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\System32\DriverStore\FileRepository\display.inf_amd64_01cf530faf2f1752\display.PNF	Ultimate Tweaks.exe
File created	\??\c:\windows\system32\driverstore\filerepository\display.inf_amd64_01cf530faf2f1752\display.PNF	Ultimate Tweaks.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp	Ultimate Tweaks.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 60 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
3472	powershell.exe
992	powershell.exe
1436	powershell.exe
4808	powershell.exe
4444	powershell.exe
1552	powershell.exe
2832	powershell.exe
3164	powershell.exe
2720	powershell.exe
4700	powershell.exe
3368	powershell.exe
1436	powershell.exe
2732	powershell.exe
2528	powershell.exe
2216	powershell.exe
4912	powershell.exe
5100	powershell.exe
3216	powershell.exe
2868	powershell.exe
1672	powershell.exe
1156	powershell.exe
1956	powershell.exe
2388	powershell.exe
4292	powershell.exe
2732	powershell.exe
908	powershell.exe
2752	powershell.exe
3860	powershell.exe
3136	powershell.exe
1676	powershell.exe
2728	powershell.exe
972	powershell.exe
4304	powershell.exe
3468	powershell.exe
2232	powershell.exe
1176	powershell.exe
4020	powershell.exe
1596	powershell.exe
3112	powershell.exe
1744	powershell.exe
3048	powershell.exe
2280	powershell.exe
3468	powershell.exe
2604	powershell.exe
2708	powershell.exe
3620	powershell.exe
2104	powershell.exe
4536	powershell.exe
3152	powershell.exe
1404	powershell.exe
1856	powershell.exe
3064	powershell.exe
2136	powershell.exe
392	powershell.exe
1624	powershell.exe
4352	powershell.exe
1720	powershell.exe
3956	powershell.exe
5016	powershell.exe
3392	powershell.exe

Checks processor information in registry 2 TTPs 7 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	Ultimate Tweaks.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\2	Ultimate Tweaks.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Ultimate Tweaks.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	Ultimate Tweaks.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Ultimate Tweaks.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	Ultimate Tweaks.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	Ultimate Tweaks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3048	powershell.exe
2104	powershell.exe
2104	powershell.exe
3048	powershell.exe
3048	powershell.exe
2104	powershell.exe
4912	powershell.exe
4912	powershell.exe
4700	powershell.exe
4700	powershell.exe
4912	powershell.exe
4700	powershell.exe
1436	powershell.exe
1436	powershell.exe
972	powershell.exe
972	powershell.exe
1436	powershell.exe
972	powershell.exe
5100	powershell.exe
5100	powershell.exe
4536	powershell.exe
4536	powershell.exe
4536	powershell.exe
5100	powershell.exe
4304	powershell.exe
4304	powershell.exe
3468	powershell.exe
3468	powershell.exe
4304	powershell.exe
3468	powershell.exe
2604	powershell.exe
1436	powershell.exe
2604	powershell.exe
1436	powershell.exe
2604	powershell.exe
1436	powershell.exe
4808	powershell.exe
4808	powershell.exe
2708	powershell.exe
2708	powershell.exe
4808	powershell.exe
2708	powershell.exe
5016	powershell.exe
5016	powershell.exe
2136	powershell.exe
2136	powershell.exe
2136	powershell.exe
5016	powershell.exe
2732	powershell.exe
2732	powershell.exe
4352	powershell.exe
4352	powershell.exe
4352	powershell.exe
2732	powershell.exe
2752	powershell.exe
2752	powershell.exe
2388	powershell.exe
2388	powershell.exe
2388	powershell.exe
2752	powershell.exe
2280	powershell.exe
2280	powershell.exe
3152	powershell.exe
3152	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	5092	Ultimate Tweaks.exe
Token: SeCreatePagefilePrivilege	5092	Ultimate Tweaks.exe
Token: SeDebugPrivilege	2104	powershell.exe
Token: SeDebugPrivilege	3048	powershell.exe
Token: SeIncreaseQuotaPrivilege	2104	powershell.exe
Token: SeSecurityPrivilege	2104	powershell.exe
Token: SeTakeOwnershipPrivilege	2104	powershell.exe
Token: SeLoadDriverPrivilege	2104	powershell.exe
Token: SeSystemProfilePrivilege	2104	powershell.exe
Token: SeSystemtimePrivilege	2104	powershell.exe
Token: SeProfSingleProcessPrivilege	2104	powershell.exe
Token: SeIncBasePriorityPrivilege	2104	powershell.exe
Token: SeCreatePagefilePrivilege	2104	powershell.exe
Token: SeBackupPrivilege	2104	powershell.exe
Token: SeRestorePrivilege	2104	powershell.exe
Token: SeShutdownPrivilege	2104	powershell.exe
Token: SeDebugPrivilege	2104	powershell.exe
Token: SeSystemEnvironmentPrivilege	2104	powershell.exe
Token: SeRemoteShutdownPrivilege	2104	powershell.exe
Token: SeUndockPrivilege	2104	powershell.exe
Token: SeManageVolumePrivilege	2104	powershell.exe
Token: 33	2104	powershell.exe
Token: 34	2104	powershell.exe
Token: 35	2104	powershell.exe
Token: 36	2104	powershell.exe
Token: SeShutdownPrivilege	5092	Ultimate Tweaks.exe
Token: SeCreatePagefilePrivilege	5092	Ultimate Tweaks.exe
Token: SeShutdownPrivilege	5092	Ultimate Tweaks.exe
Token: SeCreatePagefilePrivilege	5092	Ultimate Tweaks.exe
Token: SeShutdownPrivilege	5092	Ultimate Tweaks.exe
Token: SeCreatePagefilePrivilege	5092	Ultimate Tweaks.exe
Token: SeShutdownPrivilege	5092	Ultimate Tweaks.exe
Token: SeCreatePagefilePrivilege	5092	Ultimate Tweaks.exe
Token: SeDebugPrivilege	4912	powershell.exe
Token: SeDebugPrivilege	4700	powershell.exe
Token: SeShutdownPrivilege	5092	Ultimate Tweaks.exe
Token: SeCreatePagefilePrivilege	5092	Ultimate Tweaks.exe
Token: SeIncreaseQuotaPrivilege	4912	powershell.exe
Token: SeSecurityPrivilege	4912	powershell.exe
Token: SeTakeOwnershipPrivilege	4912	powershell.exe
Token: SeLoadDriverPrivilege	4912	powershell.exe
Token: SeSystemProfilePrivilege	4912	powershell.exe
Token: SeSystemtimePrivilege	4912	powershell.exe
Token: SeProfSingleProcessPrivilege	4912	powershell.exe
Token: SeIncBasePriorityPrivilege	4912	powershell.exe
Token: SeCreatePagefilePrivilege	4912	powershell.exe
Token: SeBackupPrivilege	4912	powershell.exe
Token: SeRestorePrivilege	4912	powershell.exe
Token: SeShutdownPrivilege	4912	powershell.exe
Token: SeDebugPrivilege	4912	powershell.exe
Token: SeSystemEnvironmentPrivilege	4912	powershell.exe
Token: SeRemoteShutdownPrivilege	4912	powershell.exe
Token: SeUndockPrivilege	4912	powershell.exe
Token: SeManageVolumePrivilege	4912	powershell.exe
Token: 33	4912	powershell.exe
Token: 34	4912	powershell.exe
Token: 35	4912	powershell.exe
Token: 36	4912	powershell.exe
Token: SeShutdownPrivilege	5092	Ultimate Tweaks.exe
Token: SeCreatePagefilePrivilege	5092	Ultimate Tweaks.exe
Token: SeShutdownPrivilege	5092	Ultimate Tweaks.exe
Token: SeCreatePagefilePrivilege	5092	Ultimate Tweaks.exe
Token: SeShutdownPrivilege	5092	Ultimate Tweaks.exe
Token: SeCreatePagefilePrivilege	5092	Ultimate Tweaks.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5092 wrote to memory of 1928	5092	Ultimate Tweaks.exe	82
PID 5092 wrote to memory of 1928	5092	Ultimate Tweaks.exe	82
PID 5092 wrote to memory of 1928	5092	Ultimate Tweaks.exe	82
PID 5092 wrote to memory of 1928	5092	Ultimate Tweaks.exe	82
PID 5092 wrote to memory of 1928	5092	Ultimate Tweaks.exe	82
PID 5092 wrote to memory of 1928	5092	Ultimate Tweaks.exe	82
PID 5092 wrote to memory of 1928	5092	Ultimate Tweaks.exe	82
PID 5092 wrote to memory of 1928	5092	Ultimate Tweaks.exe	82
PID 5092 wrote to memory of 1928	5092	Ultimate Tweaks.exe	82
PID 5092 wrote to memory of 1928	5092	Ultimate Tweaks.exe	82
PID 5092 wrote to memory of 1928	5092	Ultimate Tweaks.exe	82
PID 5092 wrote to memory of 1928	5092	Ultimate Tweaks.exe	82
PID 5092 wrote to memory of 1928	5092	Ultimate Tweaks.exe	82
PID 5092 wrote to memory of 1928	5092	Ultimate Tweaks.exe	82
PID 5092 wrote to memory of 1928	5092	Ultimate Tweaks.exe	82
PID 5092 wrote to memory of 1928	5092	Ultimate Tweaks.exe	82
PID 5092 wrote to memory of 1928	5092	Ultimate Tweaks.exe	82
PID 5092 wrote to memory of 1928	5092	Ultimate Tweaks.exe	82
PID 5092 wrote to memory of 1928	5092	Ultimate Tweaks.exe	82
PID 5092 wrote to memory of 1928	5092	Ultimate Tweaks.exe	82
PID 5092 wrote to memory of 1928	5092	Ultimate Tweaks.exe	82
PID 5092 wrote to memory of 1928	5092	Ultimate Tweaks.exe	82
PID 5092 wrote to memory of 1928	5092	Ultimate Tweaks.exe	82
PID 5092 wrote to memory of 1928	5092	Ultimate Tweaks.exe	82
PID 5092 wrote to memory of 1928	5092	Ultimate Tweaks.exe	82
PID 5092 wrote to memory of 1928	5092	Ultimate Tweaks.exe	82
PID 5092 wrote to memory of 1928	5092	Ultimate Tweaks.exe	82
PID 5092 wrote to memory of 1928	5092	Ultimate Tweaks.exe	82
PID 5092 wrote to memory of 1928	5092	Ultimate Tweaks.exe	82
PID 5092 wrote to memory of 1928	5092	Ultimate Tweaks.exe	82
PID 5092 wrote to memory of 2392	5092	Ultimate Tweaks.exe	83
PID 5092 wrote to memory of 2392	5092	Ultimate Tweaks.exe	83
PID 5092 wrote to memory of 4524	5092	Ultimate Tweaks.exe	84
PID 5092 wrote to memory of 4524	5092	Ultimate Tweaks.exe	84
PID 4524 wrote to memory of 2088	4524	Ultimate Tweaks.exe	85
PID 4524 wrote to memory of 2088	4524	Ultimate Tweaks.exe	85
PID 2088 wrote to memory of 1968	2088	cmd.exe	87
PID 2088 wrote to memory of 1968	2088	cmd.exe	87
PID 4524 wrote to memory of 3048	4524	Ultimate Tweaks.exe	88
PID 4524 wrote to memory of 3048	4524	Ultimate Tweaks.exe	88
PID 4524 wrote to memory of 2104	4524	Ultimate Tweaks.exe	89
PID 4524 wrote to memory of 2104	4524	Ultimate Tweaks.exe	89
PID 4524 wrote to memory of 4700	4524	Ultimate Tweaks.exe	93
PID 4524 wrote to memory of 4700	4524	Ultimate Tweaks.exe	93
PID 4524 wrote to memory of 4912	4524	Ultimate Tweaks.exe	94
PID 4524 wrote to memory of 4912	4524	Ultimate Tweaks.exe	94
PID 4524 wrote to memory of 972	4524	Ultimate Tweaks.exe	97
PID 4524 wrote to memory of 972	4524	Ultimate Tweaks.exe	97
PID 4524 wrote to memory of 1436	4524	Ultimate Tweaks.exe	98
PID 4524 wrote to memory of 1436	4524	Ultimate Tweaks.exe	98
PID 4524 wrote to memory of 4536	4524	Ultimate Tweaks.exe	101
PID 4524 wrote to memory of 4536	4524	Ultimate Tweaks.exe	101
PID 4524 wrote to memory of 5100	4524	Ultimate Tweaks.exe	102
PID 4524 wrote to memory of 5100	4524	Ultimate Tweaks.exe	102
PID 4524 wrote to memory of 3468	4524	Ultimate Tweaks.exe	105
PID 4524 wrote to memory of 3468	4524	Ultimate Tweaks.exe	105
PID 4524 wrote to memory of 4304	4524	Ultimate Tweaks.exe	106
PID 4524 wrote to memory of 4304	4524	Ultimate Tweaks.exe	106
PID 4524 wrote to memory of 1436	4524	Ultimate Tweaks.exe	109
PID 4524 wrote to memory of 1436	4524	Ultimate Tweaks.exe	109
PID 4524 wrote to memory of 2604	4524	Ultimate Tweaks.exe	110
PID 4524 wrote to memory of 2604	4524	Ultimate Tweaks.exe	110
PID 4524 wrote to memory of 2708	4524	Ultimate Tweaks.exe	116
PID 4524 wrote to memory of 2708	4524	Ultimate Tweaks.exe	116

C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe
"C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5092
- C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe
  "C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\Ultimate Tweaks" --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=1628 --field-trial-handle=1632,i,9110289770979232258,13031110381568435104,262144 --enable-features=kWebSQLAccess --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version /prefetch:2
  2⤵
  PID:1928
- C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe
  "C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\Ultimate Tweaks" --mojo-platform-channel-handle=2084 --field-trial-handle=1632,i,9110289770979232258,13031110381568435104,262144 --enable-features=kWebSQLAccess --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version /prefetch:3
  2⤵
  PID:2392
- C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe
  "C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\Ultimate Tweaks" --app-path="C:\Users\Admin\AppData\Local\Temp\resources\app.asar" --no-sandbox --no-zygote --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=4 --mojo-platform-channel-handle=2316 --field-trial-handle=1632,i,9110289770979232258,13031110381568435104,262144 --enable-features=kWebSQLAccess --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version /prefetch:1
  2⤵
  - Checks processor information in registry
  - Suspicious use of WriteProcessMemory
  PID:4524
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "chcp"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2088
  - - C:\Windows\system32\chcp.com
      chcp
      4⤵
      PID:1968
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3048
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2104
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4700
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4912
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:972
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:1436
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:4536
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:5100
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:3468
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:4304
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:1436
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:2604
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:2708
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:4808
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:5016
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:2136
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:2732
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:4352
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:2388
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:2752
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:3152
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:2280
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:2528
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:3136
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:392
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:2868
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:4020
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:3392
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:3472
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:3368
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:4444
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:1404
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:3860
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:1856
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:4292
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:1596
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:1156
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:2232
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:1720
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:1552
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:1676
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:2216
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:2732
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:1672
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:3216
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:908
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:2832
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:3112
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:1176
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:3164
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:1624
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:3468
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:1744
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:992
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:2720
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:3620
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:1956
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:2728
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:3956
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:3064
- C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe
  "C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --user-data-dir="C:\Users\Admin\AppData\Roaming\Ultimate Tweaks" --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAABEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=3176 --field-trial-handle=1632,i,9110289770979232258,13031110381568435104,262144 --enable-features=kWebSQLAccess --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version /prefetch:8
  2⤵
  - Drops file in System32 directory
  PID:1456

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\D3DSCache\d466c90afe4f152a\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.idx

Filesize
64KB

MD5
fcc0cce07dbb902e4064407d2fc2425b

SHA1
86cf08308ffb5c45c1e58431d5e057a633c04b16

SHA256
d321c7e598dbcab3cf80bd43986740426f18422563e019bf1a4c28d2d6521f20

SHA512
27773cab3f5dac8feb8f1715e5f807afdd2670f87a06fbc92db1cd36f3660a8fd6ebd6750dfc37f9be6df7637e9966954ea9fcac5836ff26d668eed3255f4e91

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\d466c90afe4f152a\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.lock

Filesize
4B

MD5
f49655f856acb8884cc0ace29216f511

SHA1
cb0f1f87ec0455ec349aaa950c600475ac7b7b6b

SHA256
7852fce59c67ddf1d6b8b997eaa1adfac004a9f3a91c37295de9223674011fba

SHA512
599e93d25b174524495ed29653052b3590133096404873318f05fd68f4c9a5c9a3b30574551141fbb73d7329d6be342699a17f3ae84554bab784776dfda2d5f8

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\d466c90afe4f152a\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.val

Filesize
1008B

MD5
79eb1bf05d37819065222de66352bdf4

SHA1
3f24ec54ed92633b7a12be840d6832daa3b2c931

SHA256
0538ed97b50b8af6043ac493227459be4c78726f9ea37040d0f053bb4a46c33e

SHA512
062ffffc9bfdb45b4cbca6856fd38cb6ad00cb4e65f63e9e0ed6377cfdf89cd5f1508e0b06ed5b183b50110fb031f861397d9c5998e46bc5f5d3890d3092c968

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
22e796539d05c5390c21787da1fb4c2b

SHA1
55320ebdedd3069b2aaf1a258462600d9ef53a58

SHA256
7c6c09f48f03421430d707d27632810414e5e2bf2eecd5eb675fecf8b45a9a92

SHA512
d9cc0cb22df56db72a71504bb3ebc36697e0a7a1d2869e0e0ab61349bda603298fe6c667737b79bf2235314fb49b883ba4c5f137d002e273e79391038ecf9c09

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
1KB

MD5
9df799a0eaef802acffc3f7875fdc912

SHA1
25b4cc05590b63bbe68d76c7932d814f56aae12d

SHA256
975d2ba9e7b5eaee198bcfde1a954d17871bc04138bf8169946ee929afe6b6e6

SHA512
c75387cb9e0e7ca8a9e6454954ae94156dbe6f27f0b451eada02728497d47d325a7977d4bf372ff96e56c21f8c3289fa709c1a12183c3c7458c8fac05c03fcf5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
1KB

MD5
a136e57b4d1fd368847ee56e6f217053

SHA1
677f354768a4f6180ac98a5a5d80fd9f1e448076

SHA256
47a9eba6acfa3b45049bb3cbbad2567860d71d3f24ce87a38a7786694f407d1a

SHA512
eed24105a52db20d9a9f9b72f9ba9ac4ebc49c516389994acea4f2c3e4b35fe844d01800a9235f7d18fdf08b90811a6bc7f66cd7d5ffda18070c5c79f3b2b586

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
1KB

MD5
381c5989c567754ec93e3f8f0ef5148a

SHA1
d9d12c8b6ce664a554a165d3921f148dd86c3463

SHA256
ce94e421eec79571f44a7ee4eec531d4ee6fb8da1348d277f8a68d3e0f806728

SHA512
996d9f36faf641d99739f31c5e74d9d5d09eae7a0da3dabf1ee5ee36bae7bec046ff7104c9d8512a43ef5d6b80e0f14f2fda2e3346297bc289f21d40801e35a1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
135B

MD5
dd91120750f5ea99a90a5a6a7d108d72

SHA1
20849cfeed404916193297374e30daccdb124f90

SHA256
b55bbdb4d8d5d0bed17d276bb549a39cacf6436272608460cc0680b53129c9fe

SHA512
a7e6e0c82a1b95d579ea15eb25adc48af434390143888f505e8b23a42654eb6f7966321625eb5e9a9fda66f72f403a48fbb468c3250c910a9702c099f31182e9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
1KB

MD5
3a1d825d5e10d00bfd9dfe3aba49a2ee

SHA1
f46f01e68d7fbe6e5af0e18851f0332be2d8261d

SHA256
8eb5f5bf7c0a23543cbaae7371ece11e7560d4a0b0bbdcd9b411a47e0f65bc00

SHA512
0c6fa23e6b670a770ad8c9b9c13756c77b7b39b334e761bd358be2177b976bce2f50970be2657da270eb4caf12aa93fa5f6b689548ad0338c904ad6a454fbff2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
1KB

MD5
8f6ddd0fba0afa01277b5e9416d1e191

SHA1
026f83e084b584ec92f9f7ea30d4d4649c80c981

SHA256
06f410d48947ed25060e3f077efa12905a1335aca40cd6ee97a39dd5c7eed5c4

SHA512
d3212d88e144abe26a9fbbb243f1d75c3b2a6c929ecff1a50292db256fa6173a560997b4b3b3f4ef1ff7bcdb44906453ac0294b5c1f38109272d287d22ef6351

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
1KB

MD5
1bc247829e5e5db34b6618cbed66d188

SHA1
a087ab6a406453aadd55ccc708fd93e9db69eb18

SHA256
a066000624cc1eac2356192861ca570f35941df15294d5206d02d648b6b22fc5

SHA512
d8ff4cf85a821a981a3c1357d6ddb3a48f750d02333b4f243cb889fac70231cc8a436f0d80e0a77e3366388416ba8b96df29b8ba231620cbffdc86b58e6abeca

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
1KB

MD5
1a07f78b6ec9bbce916ac47e1fe9d555

SHA1
12354cde54a3879d938175a3123d1d0a6886b5c2

SHA256
ea5f4dd97c9af4970c989eff66529c5d9793505e21e5c06b28bc143cebe18493

SHA512
f6054e3cca65e5b01f287266f223d596092d1d6543df35682b36e5fbc802c9a87a27cf3ad512796b9187c66435970a4d4e76ca34c5f539cec1eae802f6d65bae

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
1KB

MD5
9dd78ec1efcb3bc0ae3c64112a84b430

SHA1
ed86093a9a4af7b614be4216d4ab152349ab986f

SHA256
47b477a139c4f95ceec484c7d15dd1d39dbd99aa4f4d4bba52a2bf5c9c2ea405

SHA512
9717e42653ff62006bab0b0c2b77ce9e0026a3a60f7db6c8e73e42088c2a7b5dd14957eb731fc9032a2f0b81165924e366c8d3e50c1d8b675a7a6724b6fcb470

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
135B

MD5
0b4086d86314eac4eac29304863d1ed6

SHA1
f0ee94f8676b23c16c11f92f0d877d860aa16208

SHA256
59f2f4d0503e5cbc4b1fc3dabfed0138bbdc93d0f1158a6c2779c9de08a0e567

SHA512
0a1342934228bd905708ce294e0a442084c9cd40479f08fe675d4a1908b8bfcaa7979da6413689518ffd4a90998b69e412d9a94e47c101eb9ca1662c41bae4bd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
1KB

MD5
b1a3814a81aac3fcd15f57ebf527d5da

SHA1
8cd1205d1c00438de053cb94d91073cf2c2125dc

SHA256
cb86bc5c8fd69ed2274df8b2f4b1a42db66ce46573ac294d1d6fe14e83026c2f

SHA512
7ce8b4e2f69ef690436de84ae68c54efd43efe336f1334e28d751225925e0092d1fe5eec6d5d3833de21832ee4073c12977acc7dbd932175ac51e54f310d13e4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
1KB

MD5
de454567b56223242aee1a201d31547a

SHA1
79c50e1b471afd83194f8db30325a82f26a933d9

SHA256
acda8c3c93e2bec0f2f4cbf9b0cdb3fcb61a76b6f1479e942ceb7b5dd29c0cc2

SHA512
b8979658b90dd5b502ed13c15ecfbafd18f822cd4b61371828914177e89d51c26f8b9a1c19f3e1abff55aa4ff0cfe166d8c18e9d18488b50963f95eda8dac63d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
1KB

MD5
7e7947ecc6b7796f90d245ce5903dbfc

SHA1
83616a2441d20e2241d3417732964eb6a62c4ab1

SHA256
2373725277eb2a76a2291855bdec738d8561a3d8dc10d198e09230249243f347

SHA512
110e5a0edbe2fc44a53807f87c9ba9864ad7a3375679a7b8e2d47f40f54ba7f738dbfcced9dd46da230536fb924d6eee2a5a56c381bd8f249e2c5021ee96c07c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
64B

MD5
68fe3c57890222d4bfc82fa7b5c96d5b

SHA1
e5a1c7c61ca69b4a04873330c24aa2a0c870734f

SHA256
5ed7d872445f86191131bf40442f8d1ea3bfe70620cbfb4771eae3ea4f1d5f3e

SHA512
72fda9c9edd5bb2354dc65168f96da25439fe1d24d155c53356c3dfb4c5274997dc3fb5d6b79e0d98e4bee957397ee2123d261a64771f55109134328ce1c71db

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
1KB

MD5
106ab3ae921ee26fa60bdc66c44480c6

SHA1
6a7e887b8f35cc8f790f34b6d5db277358f8d029

SHA256
b6f731822a5cb0bcdbbbeb614d274f820be3f43bf22d6f94df54293e139562a7

SHA512
441b195841a1b561811d3f30aa0ade672695500b4619511ce12bc415bf3159304cf157d13dc5c513dacc61fa039765739dadd6c1c2c96708d97475f10cc8bbf9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
1KB

MD5
16df988c675b3fff1c28c0b8020d1971

SHA1
4d1b3f870455de27be4a107c12a3be9ea84f73b5

SHA256
0d56668fcc6933cba879a0f90956bff492665c3408ca01da0fa1bd9d996a090b

SHA512
fc27b2bcabae9361581963cff454a87e05058c00aaece00e3f5f9a2fbb4b6f4f28468e72f8416095bb30a1ace2e6259491906b85cafc2591d9335a829c50af11

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
136B

MD5
2e53b4ca3ef86c783ae8618214d58eef

SHA1
b9f23f82613b75b69a9e4408ea2677a4640bb138

SHA256
0409c25b85cf2f7feb1239a7f6e396342b81a533898af4b0cf8b35d05015cd13

SHA512
e699e806974dac4da35f54418e0df7c7e042ff555ef2c76a1c3206e2cd8323bd12aabada9447d9b7702975775304ef51f333314f41ccdfa8be26c9867e4868d4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
1KB

MD5
437d4ea921262a57fa4151960e83a30b

SHA1
a51c2244d2fcd29b287e3fe30b3035fee30a0945

SHA256
c0c2b5085965a6eb8fe13cd571603e59acacc98f8778b7137ed9be57298351f7

SHA512
80ba021c66fcec0e36a275fd8c6e1ef11197a43499d4bcdc1af6673bdd588b87522f5bc82b83b39b367e1f7e1e82d62d82f8955994520e583cb4de12d948615c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
1KB

MD5
6385a3bdac55806be30572f193be20d1

SHA1
39754ee00b0406b166903963a782879f44c91629

SHA256
73e664afa5a73b9fb1726a140b05063d2de585fd167c2a32bf3048b8b16af7a9

SHA512
20693544d466b1c49037ca39a53084a0b1786a28ba698fb74c880c186d559d36423945799e8bc49512bac1af30db8c963fef78deb858ad8b08598a58be448ec4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
1KB

MD5
56ad17e07bbc15c87961437b675c0cd4

SHA1
d437c085dc836e2e19e2da8802ad884299f410ba

SHA256
7854bbb6157f5d785fe0546da14c6ce3eb9ba1a4b67e3759eafdaf3d7f97a1a5

SHA512
ce12a816c55b66db9b77bce267d47a4468fe1c176429a0771fbbc415793bbc55cfd1aeb0ba3803f8c4efaea6f7fa464bd499343f3fa6f1fb24d57cb3f3490983

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
1KB

MD5
423b1947e5c18b9d035204307b5608a1

SHA1
cbae432bac8afca81a2eecc96a4c766e01e12973

SHA256
293a63ab74b84fe0b4d49de4da1931dbd37c9044d0576e12ab4b9198ba766603

SHA512
cb357d4600d14ca9b3a6586e901aefaafb8d69ba15afa26d4889fbc38b0808cfa2b3f26724035c8efc6d86169d95ca9f312555383f9f824af3ab354dacaf3a7a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
1KB

MD5
ac18ee66488b0c602aa2fca3b404fa46

SHA1
801fd219688b9b381e2e204505a68cadcb2a708d

SHA256
d070e1acbbb3532a3dbc92279fa3c6c0679047efc158bd03bfc8afa1b75932a8

SHA512
a3dd197abdfe7a7bfc1ae48731129d72dea528ccea5daa100e4e11c954c4934ba609a4c382cd77955fcc712c05e0b33f0b9fbcdb5487f188d5dcc957606579b7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
1KB

MD5
4f7bc6cd68785e617f430656e4770f59

SHA1
f7f8e07ef68400428b08610898338c000566195c

SHA256
e807935c86ec82b423bda95436cd488d7950c25f250c5f6beeccfd0542f48805

SHA512
5fb9e1dd8357db187514cf12cfc63462590c191abc6307d1effd27679be4944c47ef73a3114a76618ae5dfe8e836aeed054eb0d83771003e69b95618e0c6b9e6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
1KB

MD5
5ba84875c50e8c9fd7faa4a0d3f03e14

SHA1
bc4c9bc1736f3b207ad8e15344552fc577f4ca9a

SHA256
2bbb38d35e12af5a55707e7ee6d2410e6bb3a9e07ff5313d9405f6c797edb6da

SHA512
ed16590a1f37c43c12d8b1d06b2c506e4bec34539132e80db3e97eda5e9e2817f069fbd25402f369a8541ed41aec08198732f2aa06a4fa1a5a660b42808bcafa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
1KB

MD5
e4f788eda5a58a645ccd8041b742eade

SHA1
9d2d95e5517d7d834416fda58ed9c3bf59fed077

SHA256
391b48a9da24ecf8a84bfb8cc2e1a6c5fae0c067cf26214a844686bdc4d2faf2

SHA512
130926f53852ddb80b66b193923e246a035e1e16da0254288c12eff1a0196bd1da48995ae5239c29dcf1962fbb329ec70644556a797f21818e161f32ae955cc4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
1KB

MD5
3191f470d875143663421a424059a3d6

SHA1
49824acb1545b15e3b0e76ec99cce65939470367

SHA256
21ce7e47a9a5838056f6be0ec2c7c870a09631cb101f62b3ba99975af4c6f75b

SHA512
4ee5a375dab8c1d06a2846db09e114232985290dd1af2fa3b5926f58a29bc133ee8fe0a697dff7ab15f0d0f3a2770c98bb96a81885528c901779360a86c11ba8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
1KB

MD5
babecf4a0ded0119406f7ad4268e12c6

SHA1
eb5936079d2e8174e1ff9fe8f679fa4e8e051f9f

SHA256
51be8664623df57c03e5f32c44dea458986abc15363be25b1d832cc6859f46a2

SHA512
4031ebb707eb8ef20593c49d9eb62964138b08c959717d217b3ac25699e2daeba6ac2a9f4724e93552170957a5bb3c613d539fbb9ca270a84b5f04724bd45eec

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
1KB

MD5
a5d5c780818d268f0046fee67462c06f

SHA1
29cf7a6140ba16739f8714a4d26f80e538115e95

SHA256
731c27437221827e36866dd9da157281ea9e2e91d1439bdb7f7300abee44db47

SHA512
be2391f63d736525fa952f40e0c64af9c07e29ac10d7527a2fd766e0a755536a9d9d20bdc390c673d0c2fbff0f56758e7fe22dbaf0df58ba90c2b3d5da2bf317

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
1KB

MD5
2f0c9e96c6f82e06cab35a588619483a

SHA1
9360d2dc9b558f69306060c51f64427d9b5184c6

SHA256
581707ca729ad7a6e3efa6e53f289b0a564dd9cdf623f19366aa53b0130aae3a

SHA512
4fdbd5af07b19d8107de60d9ceaff327b1c69cc2c1eeb3bde9a8c58b76dadcc64c1a8012318d384869255f7b8fef069b9397714a696b2506a1b7e5bd03af67b7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
1KB

MD5
06f9d92719b4cbe10bc3b1ad9b19847f

SHA1
e6a46b7f901c932881c07ef7dce242ef69ed8578

SHA256
8d1f94a1229719d4ad9bffb174268593c24d470182c06a3213039c883272b570

SHA512
6ce358de961b1e5b9ef94b1df8ddc611c2e8ac3d97157cd4656d3e495958c1e7fcdbf822db5140cc226fec6b7942c546f7bc09136f502f6a25965634bf6ce8b6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
1KB

MD5
0c0aa167fe52f52e97465df873f41e52

SHA1
29eac9924fbeb42b4f92381351ccba227991631e

SHA256
a8165856a1d46574bcf6ded1dd4d48bd6d3b79dc4682c92100e7215227abaa4d

SHA512
83f4a842ebebf653f09a9a4b45e3cb5234e1e877e2118a998237e3aa00bd9b2673de0f9e524a2fdd48fc5a2387606936247cb79968bc9d2b578a2b6a6868e77c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
1KB

MD5
0254494a4c89bf8f623066957ccb7ea1

SHA1
0a31bf0f80c2e5caaf36fdf4266b72379cfb3751

SHA256
ffda9233d24b63e14924cddc16d3885111c7cf09abe840547c0a266c2000687f

SHA512
8f8c04122ae09f4a544d482eb72c30fc6d1ae9840e4247eb9e7a5cbe6e912fbff9132afc78974509923c24c30a8049199d43d83aba49b8a66ab78316546673bb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
1KB

MD5
7c73cd2fffc1c59ca297daea7c1d758d

SHA1
3c5aed09852c8fdadb032e3ea8863c587c061e13

SHA256
b5a4db116f82ec5688e24c31d73a61f79dc6009358b80847d1244ac2216f2040

SHA512
c34fffb2aefaa393b71666f36eb4d4ffd258c98b3f56660c93ee41c848c84358c66d63326185124aa3aec4face61b812fc57ec957cba48a14e012cd33968f542

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
1KB

MD5
9a6fca612cf6c3667e4c335a12999dab

SHA1
f02386264dcb3d8880a5755424ac95e09e1f97f3

SHA256
de45039fb7deb974cdc10deb97a3278a2b97f5b1cf30e4224858a4c8bb9e20a3

SHA512
8e31c14d5b996259f2339e00cc838f03585f7541f3a26373f3ca3a29515d98ef738158bab21f3ece8a55bf54fbbd803d3ea51165d30edb66ec80b9eb117c4d36

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_l1bxik4s.a3d.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Spelling\en-US\default.dic

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\AppData\Roaming\Ultimate Tweaks\Network\Network Persistent State

Filesize
966B

MD5
4d883bf5b8517e8fa44b5a6f4da4b425

SHA1
f80812b5823c498c2b2168f50572d3c8f358f61b

SHA256
6a443b9f5f7af614bbdee680b3df83e1836327dec938a0892f2ff28b003c38af

SHA512
8a87ddb392e6aaccb5f3ae2924dfd923935ef40468c43c89ad0dd0655e902cdd19d441c0b7a0f535ba9ab367037d80a6c397025ba794185e95343c48d7bef709

Download Submit
C:\Users\Admin\AppData\Roaming\Ultimate Tweaks\Network\Network Persistent State~RFe58d4df.TMP

Filesize
59B

MD5
2800881c775077e1c4b6e06bf4676de4

SHA1
2873631068c8b3b9495638c865915be822442c8b

SHA256
226eec4486509917aa336afebd6ff65777b75b65f1fb06891d2a857a9421a974

SHA512
e342407ab65cc68f1b3fd706cd0a37680a0864ffd30a6539730180ede2cdcd732cc97ae0b9ef7db12da5c0f83e429df0840dbf7596aca859a0301665e517377b

Download Submit
C:\Users\Admin\AppData\Roaming\Ultimate Tweaks\Preferences

Filesize
57B

MD5
58127c59cb9e1da127904c341d15372b

SHA1
62445484661d8036ce9788baeaba31d204e9a5fc

SHA256
be4b8924ab38e8acf350e6e3b9f1f63a1a94952d8002759acd6946c4d5d0b5de

SHA512
8d1815b277a93ad590ff79b6f52c576cf920c38c4353c24193f707d66884c942f39ff3989530055d2fade540ade243b41b6eb03cd0cc361c3b5d514cca28b50a

Download Submit
C:\Users\Admin\AppData\Roaming\Ultimate Tweaks\Preferences~RFe57e8e9.TMP

Filesize
86B

MD5
d11dedf80b85d8d9be3fec6bb292f64b

SHA1
aab8783454819cd66ddf7871e887abdba138aef3

SHA256
8029940de92ae596278912bbbd6387d65f4e849d3c136287a1233f525d189c67

SHA512
6b7ec1ca5189124e0d136f561ca7f12a4653633e2d9452d290e658dfe545acf6600cc9496794757a43f95c91705e9549ef681d4cc9e035738b03a18bdc2e25f0

Download Submit
memory/908-701-0x00000231C3DD0000-0x00000231C3F3A000-memory.dmp

Filesize
1.4MB

Download
memory/1456-735-0x000001755C5A0000-0x000001755C5A1000-memory.dmp

Filesize
4KB

Download
memory/1456-729-0x000001755C5A0000-0x000001755C5A1000-memory.dmp

Filesize
4KB

Download
memory/1456-738-0x000001755C5A0000-0x000001755C5A1000-memory.dmp

Filesize
4KB

Download
memory/1456-737-0x000001755C5A0000-0x000001755C5A1000-memory.dmp

Filesize
4KB

Download
memory/1456-736-0x000001755C5A0000-0x000001755C5A1000-memory.dmp

Filesize
4KB

Download
memory/1456-740-0x000001755C5A0000-0x000001755C5A1000-memory.dmp

Filesize
4KB

Download
memory/1456-741-0x000001755C5A0000-0x000001755C5A1000-memory.dmp

Filesize
4KB

Download
memory/1456-739-0x000001755C5A0000-0x000001755C5A1000-memory.dmp

Filesize
4KB

Download
memory/1456-730-0x000001755C5A0000-0x000001755C5A1000-memory.dmp

Filesize
4KB

Download
memory/1456-731-0x000001755C5A0000-0x000001755C5A1000-memory.dmp

Filesize
4KB

Download
memory/2104-89-0x000001C36F880000-0x000001C36F8A4000-memory.dmp

Filesize
144KB

Download
memory/2104-88-0x000001C36F880000-0x000001C36F8AA000-memory.dmp

Filesize
168KB

Download
memory/2104-85-0x000001C36F830000-0x000001C36F876000-memory.dmp

Filesize
280KB

Download
memory/3048-68-0x0000020AFBB30000-0x0000020AFBB52000-memory.dmp

Filesize
136KB

Download
memory/3216-696-0x000001F25FF80000-0x000001F2600EA000-memory.dmp

Filesize
1.4MB

Download