30091faafd62ea7ba9868db2ee575dab98fd126a78d39590f57ea7b38b20d966

Resubmissions

17-07-2024 11:56

240717-n32f5azaqj 10

17-07-2024 11:51

240717-n1gzpsyhqq 10

Analysis

max time kernel
150s
max time network
159s
platform
windows11-21h2_x64
resource
win11-20240709-en
resource tags

arch:x64arch:x86image:win11-20240709-enlocale:en-usos:windows11-21h2-x64system
submitted
17-07-2024 11:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Ultimate Tweaks.exe
Size

168.2MB
MD5

02c4b9609f04037960d947113bc2a017
SHA1

b593fc590fafb5e11ccceb199ff405874183c4e8
SHA256

3b47e84d5ca6ad15d2e8916d6cbd6af9ab943a42e84241e0517eaab66b5ef214
SHA512

d4b3d0f440f6c61716dc156494e0be5cb4053d170d8917f7686e26734023c4e29785f354f0bc21912da06a33547573256379874027dc990cdc91d648f176826a
SSDEEP

1572864:9QqT4eFUirK1e2zSQ5Rcw/N5cae/bHhrPdacyodvcPSBoHESUlyAzl/:vBKRcAMyAzB

Score

5^/10

execution

Malware Config

Signatures

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\System32\DriverStore\FileRepository\display.inf_amd64_01cf530faf2f1752\display.PNF	Ultimate Tweaks.exe
File created	\??\c:\windows\system32\driverstore\filerepository\display.inf_amd64_01cf530faf2f1752\display.PNF	Ultimate Tweaks.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp	Ultimate Tweaks.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 60 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
1688	powershell.exe
4716	powershell.exe
3320	powershell.exe
3408	powershell.exe
3272	powershell.exe
2136	powershell.exe
2488	powershell.exe
792	powershell.exe
5032	powershell.exe
1532	powershell.exe
1060	powershell.exe
1708	powershell.exe
2432	powershell.exe
228	powershell.exe
2428	powershell.exe
3632	powershell.exe
4564	powershell.exe
4688	powershell.exe
2844	powershell.exe
1796	powershell.exe
1348	powershell.exe
4356	powershell.exe
4760	powershell.exe
2656	powershell.exe
3456	powershell.exe
2352	powershell.exe
3548	powershell.exe
2040	powershell.exe
2636	powershell.exe
3764	powershell.exe
652	powershell.exe
3696	powershell.exe
3924	powershell.exe
1084	powershell.exe
4256	powershell.exe
1504	powershell.exe
2640	powershell.exe
1948	powershell.exe
3408	powershell.exe
4864	powershell.exe
1864	powershell.exe
4620	powershell.exe
2996	powershell.exe
4564	powershell.exe
3400	powershell.exe
1800	powershell.exe
1104	powershell.exe
2352	powershell.exe
796	powershell.exe
4896	powershell.exe
1556	powershell.exe
4340	powershell.exe
3156	powershell.exe
692	powershell.exe
1932	powershell.exe
4956	powershell.exe
3032	powershell.exe
1076	powershell.exe
4740	powershell.exe
2380	powershell.exe

Checks processor information in registry 2 TTPs 7 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	Ultimate Tweaks.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\2	Ultimate Tweaks.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Ultimate Tweaks.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	Ultimate Tweaks.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Ultimate Tweaks.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	Ultimate Tweaks.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	Ultimate Tweaks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4716	powershell.exe
4760	powershell.exe
4716	powershell.exe
4760	powershell.exe
2040	powershell.exe
2040	powershell.exe
1800	powershell.exe
1800	powershell.exe
1800	powershell.exe
2040	powershell.exe
2640	powershell.exe
3032	powershell.exe
2640	powershell.exe
3032	powershell.exe
2640	powershell.exe
3032	powershell.exe
1556	powershell.exe
1556	powershell.exe
1556	powershell.exe
2656	powershell.exe
2656	powershell.exe
2656	powershell.exe
4340	powershell.exe
4340	powershell.exe
3320	powershell.exe
3320	powershell.exe
3320	powershell.exe
4340	powershell.exe
1948	powershell.exe
792	powershell.exe
792	powershell.exe
1948	powershell.exe
1948	powershell.exe
792	powershell.exe
3156	powershell.exe
3156	powershell.exe
3408	powershell.exe
3408	powershell.exe
3156	powershell.exe
3408	powershell.exe
4620	powershell.exe
3696	powershell.exe
3696	powershell.exe
3696	powershell.exe
4620	powershell.exe
4620	powershell.exe
2352	powershell.exe
2352	powershell.exe
3408	powershell.exe
3408	powershell.exe
2352	powershell.exe
3408	powershell.exe
4564	powershell.exe
5032	powershell.exe
4564	powershell.exe
5032	powershell.exe
4564	powershell.exe
5032	powershell.exe
796	powershell.exe
796	powershell.exe
1796	powershell.exe
1796	powershell.exe
796	powershell.exe
1796	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2180	Ultimate Tweaks.exe
Token: SeCreatePagefilePrivilege	2180	Ultimate Tweaks.exe
Token: SeShutdownPrivilege	2180	Ultimate Tweaks.exe
Token: SeCreatePagefilePrivilege	2180	Ultimate Tweaks.exe
Token: SeDebugPrivilege	4716	powershell.exe
Token: SeDebugPrivilege	4760	powershell.exe
Token: SeIncreaseQuotaPrivilege	4760	powershell.exe
Token: SeSecurityPrivilege	4760	powershell.exe
Token: SeTakeOwnershipPrivilege	4760	powershell.exe
Token: SeLoadDriverPrivilege	4760	powershell.exe
Token: SeSystemProfilePrivilege	4760	powershell.exe
Token: SeSystemtimePrivilege	4760	powershell.exe
Token: SeProfSingleProcessPrivilege	4760	powershell.exe
Token: SeIncBasePriorityPrivilege	4760	powershell.exe
Token: SeCreatePagefilePrivilege	4760	powershell.exe
Token: SeBackupPrivilege	4760	powershell.exe
Token: SeRestorePrivilege	4760	powershell.exe
Token: SeShutdownPrivilege	4760	powershell.exe
Token: SeDebugPrivilege	4760	powershell.exe
Token: SeSystemEnvironmentPrivilege	4760	powershell.exe
Token: SeRemoteShutdownPrivilege	4760	powershell.exe
Token: SeUndockPrivilege	4760	powershell.exe
Token: SeManageVolumePrivilege	4760	powershell.exe
Token: 33	4760	powershell.exe
Token: 34	4760	powershell.exe
Token: 35	4760	powershell.exe
Token: 36	4760	powershell.exe
Token: SeShutdownPrivilege	2180	Ultimate Tweaks.exe
Token: SeCreatePagefilePrivilege	2180	Ultimate Tweaks.exe
Token: SeShutdownPrivilege	2180	Ultimate Tweaks.exe
Token: SeCreatePagefilePrivilege	2180	Ultimate Tweaks.exe
Token: SeShutdownPrivilege	2180	Ultimate Tweaks.exe
Token: SeCreatePagefilePrivilege	2180	Ultimate Tweaks.exe
Token: SeShutdownPrivilege	2180	Ultimate Tweaks.exe
Token: SeCreatePagefilePrivilege	2180	Ultimate Tweaks.exe
Token: SeDebugPrivilege	2040	powershell.exe
Token: SeDebugPrivilege	1800	powershell.exe
Token: SeShutdownPrivilege	2180	Ultimate Tweaks.exe
Token: SeCreatePagefilePrivilege	2180	Ultimate Tweaks.exe
Token: SeIncreaseQuotaPrivilege	1800	powershell.exe
Token: SeSecurityPrivilege	1800	powershell.exe
Token: SeTakeOwnershipPrivilege	1800	powershell.exe
Token: SeLoadDriverPrivilege	1800	powershell.exe
Token: SeSystemProfilePrivilege	1800	powershell.exe
Token: SeSystemtimePrivilege	1800	powershell.exe
Token: SeProfSingleProcessPrivilege	1800	powershell.exe
Token: SeIncBasePriorityPrivilege	1800	powershell.exe
Token: SeCreatePagefilePrivilege	1800	powershell.exe
Token: SeBackupPrivilege	1800	powershell.exe
Token: SeRestorePrivilege	1800	powershell.exe
Token: SeShutdownPrivilege	1800	powershell.exe
Token: SeDebugPrivilege	1800	powershell.exe
Token: SeSystemEnvironmentPrivilege	1800	powershell.exe
Token: SeRemoteShutdownPrivilege	1800	powershell.exe
Token: SeUndockPrivilege	1800	powershell.exe
Token: SeManageVolumePrivilege	1800	powershell.exe
Token: 33	1800	powershell.exe
Token: 34	1800	powershell.exe
Token: 35	1800	powershell.exe
Token: 36	1800	powershell.exe
Token: SeShutdownPrivilege	2180	Ultimate Tweaks.exe
Token: SeCreatePagefilePrivilege	2180	Ultimate Tweaks.exe
Token: SeShutdownPrivilege	2180	Ultimate Tweaks.exe
Token: SeCreatePagefilePrivilege	2180	Ultimate Tweaks.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2180 wrote to memory of 2064	2180	Ultimate Tweaks.exe	82
PID 2180 wrote to memory of 2064	2180	Ultimate Tweaks.exe	82
PID 2180 wrote to memory of 2064	2180	Ultimate Tweaks.exe	82
PID 2180 wrote to memory of 2064	2180	Ultimate Tweaks.exe	82
PID 2180 wrote to memory of 2064	2180	Ultimate Tweaks.exe	82
PID 2180 wrote to memory of 2064	2180	Ultimate Tweaks.exe	82
PID 2180 wrote to memory of 2064	2180	Ultimate Tweaks.exe	82
PID 2180 wrote to memory of 2064	2180	Ultimate Tweaks.exe	82
PID 2180 wrote to memory of 2064	2180	Ultimate Tweaks.exe	82
PID 2180 wrote to memory of 2064	2180	Ultimate Tweaks.exe	82
PID 2180 wrote to memory of 2064	2180	Ultimate Tweaks.exe	82
PID 2180 wrote to memory of 2064	2180	Ultimate Tweaks.exe	82
PID 2180 wrote to memory of 2064	2180	Ultimate Tweaks.exe	82
PID 2180 wrote to memory of 2064	2180	Ultimate Tweaks.exe	82
PID 2180 wrote to memory of 2064	2180	Ultimate Tweaks.exe	82
PID 2180 wrote to memory of 2064	2180	Ultimate Tweaks.exe	82
PID 2180 wrote to memory of 2064	2180	Ultimate Tweaks.exe	82
PID 2180 wrote to memory of 2064	2180	Ultimate Tweaks.exe	82
PID 2180 wrote to memory of 2064	2180	Ultimate Tweaks.exe	82
PID 2180 wrote to memory of 2064	2180	Ultimate Tweaks.exe	82
PID 2180 wrote to memory of 2064	2180	Ultimate Tweaks.exe	82
PID 2180 wrote to memory of 2064	2180	Ultimate Tweaks.exe	82
PID 2180 wrote to memory of 2064	2180	Ultimate Tweaks.exe	82
PID 2180 wrote to memory of 2064	2180	Ultimate Tweaks.exe	82
PID 2180 wrote to memory of 2064	2180	Ultimate Tweaks.exe	82
PID 2180 wrote to memory of 2064	2180	Ultimate Tweaks.exe	82
PID 2180 wrote to memory of 2064	2180	Ultimate Tweaks.exe	82
PID 2180 wrote to memory of 2064	2180	Ultimate Tweaks.exe	82
PID 2180 wrote to memory of 2064	2180	Ultimate Tweaks.exe	82
PID 2180 wrote to memory of 2064	2180	Ultimate Tweaks.exe	82
PID 2180 wrote to memory of 2612	2180	Ultimate Tweaks.exe	83
PID 2180 wrote to memory of 2612	2180	Ultimate Tweaks.exe	83
PID 2180 wrote to memory of 3668	2180	Ultimate Tweaks.exe	84
PID 2180 wrote to memory of 3668	2180	Ultimate Tweaks.exe	84
PID 3668 wrote to memory of 1412	3668	Ultimate Tweaks.exe	85
PID 3668 wrote to memory of 1412	3668	Ultimate Tweaks.exe	85
PID 1412 wrote to memory of 3052	1412	cmd.exe	87
PID 1412 wrote to memory of 3052	1412	cmd.exe	87
PID 3668 wrote to memory of 4716	3668	Ultimate Tweaks.exe	88
PID 3668 wrote to memory of 4716	3668	Ultimate Tweaks.exe	88
PID 3668 wrote to memory of 4760	3668	Ultimate Tweaks.exe	89
PID 3668 wrote to memory of 4760	3668	Ultimate Tweaks.exe	89
PID 3668 wrote to memory of 2040	3668	Ultimate Tweaks.exe	93
PID 3668 wrote to memory of 2040	3668	Ultimate Tweaks.exe	93
PID 3668 wrote to memory of 1800	3668	Ultimate Tweaks.exe	94
PID 3668 wrote to memory of 1800	3668	Ultimate Tweaks.exe	94
PID 3668 wrote to memory of 2640	3668	Ultimate Tweaks.exe	97
PID 3668 wrote to memory of 2640	3668	Ultimate Tweaks.exe	97
PID 3668 wrote to memory of 3032	3668	Ultimate Tweaks.exe	98
PID 3668 wrote to memory of 3032	3668	Ultimate Tweaks.exe	98
PID 3668 wrote to memory of 2656	3668	Ultimate Tweaks.exe	101
PID 3668 wrote to memory of 2656	3668	Ultimate Tweaks.exe	101
PID 3668 wrote to memory of 1556	3668	Ultimate Tweaks.exe	102
PID 3668 wrote to memory of 1556	3668	Ultimate Tweaks.exe	102
PID 3668 wrote to memory of 3320	3668	Ultimate Tweaks.exe	105
PID 3668 wrote to memory of 3320	3668	Ultimate Tweaks.exe	105
PID 3668 wrote to memory of 4340	3668	Ultimate Tweaks.exe	106
PID 3668 wrote to memory of 4340	3668	Ultimate Tweaks.exe	106
PID 3668 wrote to memory of 1948	3668	Ultimate Tweaks.exe	109
PID 3668 wrote to memory of 1948	3668	Ultimate Tweaks.exe	109
PID 3668 wrote to memory of 792	3668	Ultimate Tweaks.exe	110
PID 3668 wrote to memory of 792	3668	Ultimate Tweaks.exe	110
PID 3668 wrote to memory of 3156	3668	Ultimate Tweaks.exe	113
PID 3668 wrote to memory of 3156	3668	Ultimate Tweaks.exe	113

C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe
"C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2180
- C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe
  "C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\Ultimate Tweaks" --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=1680 --field-trial-handle=1684,i,3318848434018132019,4234555270465067994,262144 --enable-features=kWebSQLAccess --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version /prefetch:2
  2⤵
  PID:2064
- C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe
  "C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\Ultimate Tweaks" --mojo-platform-channel-handle=2088 --field-trial-handle=1684,i,3318848434018132019,4234555270465067994,262144 --enable-features=kWebSQLAccess --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version /prefetch:3
  2⤵
  PID:2612
- C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe
  "C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\Ultimate Tweaks" --app-path="C:\Users\Admin\AppData\Local\Temp\resources\app.asar" --no-sandbox --no-zygote --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=4 --mojo-platform-channel-handle=2268 --field-trial-handle=1684,i,3318848434018132019,4234555270465067994,262144 --enable-features=kWebSQLAccess --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version /prefetch:1
  2⤵
  - Checks processor information in registry
  - Suspicious use of WriteProcessMemory
  PID:3668
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "chcp"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1412
  - - C:\Windows\system32\chcp.com
      chcp
      4⤵
      PID:3052
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4716
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4760
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2040
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1800
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:2640
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:3032
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:2656
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:1556
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:3320
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:4340
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:1948
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:792
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:3156
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:3408
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:3696
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:4620
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:3408
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:2352
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:5032
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:4564
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:1796
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:796
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:1932
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:692
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:2428
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:3272
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:3924
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:4864
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:1708
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:2996
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:2636
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:1864
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:1348
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:1532
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:3764
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:3632
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:1084
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:4564
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:4956
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:3456
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:4256
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:228
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:3400
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:1060
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:2352
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:4896
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:1076
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:4356
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:1504
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:4688
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:4740
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:2432
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:3548
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:2136
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:1104
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:652
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:2488
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:2844
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:2380
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:1688
- C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe
  "C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --user-data-dir="C:\Users\Admin\AppData\Roaming\Ultimate Tweaks" --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAABEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=2920 --field-trial-handle=1684,i,3318848434018132019,4234555270465067994,262144 --enable-features=kWebSQLAccess --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version /prefetch:8
  2⤵
  - Drops file in System32 directory
  PID:228

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\D3DSCache\d466c90afe4f152a\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.idx

Filesize
64KB

MD5
fcc0cce07dbb902e4064407d2fc2425b

SHA1
86cf08308ffb5c45c1e58431d5e057a633c04b16

SHA256
d321c7e598dbcab3cf80bd43986740426f18422563e019bf1a4c28d2d6521f20

SHA512
27773cab3f5dac8feb8f1715e5f807afdd2670f87a06fbc92db1cd36f3660a8fd6ebd6750dfc37f9be6df7637e9966954ea9fcac5836ff26d668eed3255f4e91

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\d466c90afe4f152a\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.lock

Filesize
4B

MD5
f49655f856acb8884cc0ace29216f511

SHA1
cb0f1f87ec0455ec349aaa950c600475ac7b7b6b

SHA256
7852fce59c67ddf1d6b8b997eaa1adfac004a9f3a91c37295de9223674011fba

SHA512
599e93d25b174524495ed29653052b3590133096404873318f05fd68f4c9a5c9a3b30574551141fbb73d7329d6be342699a17f3ae84554bab784776dfda2d5f8

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\d466c90afe4f152a\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.val

Filesize
1008B

MD5
79eb1bf05d37819065222de66352bdf4

SHA1
3f24ec54ed92633b7a12be840d6832daa3b2c931

SHA256
0538ed97b50b8af6043ac493227459be4c78726f9ea37040d0f053bb4a46c33e

SHA512
062ffffc9bfdb45b4cbca6856fd38cb6ad00cb4e65f63e9e0ed6377cfdf89cd5f1508e0b06ed5b183b50110fb031f861397d9c5998e46bc5f5d3890d3092c968

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
22e796539d05c5390c21787da1fb4c2b

SHA1
55320ebdedd3069b2aaf1a258462600d9ef53a58

SHA256
7c6c09f48f03421430d707d27632810414e5e2bf2eecd5eb675fecf8b45a9a92

SHA512
d9cc0cb22df56db72a71504bb3ebc36697e0a7a1d2869e0e0ab61349bda603298fe6c667737b79bf2235314fb49b883ba4c5f137d002e273e79391038ecf9c09

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
1KB

MD5
d794605178fa6c91674daada34e53b09

SHA1
f943ef52804819bfe277edb57de0cc1e03e124a8

SHA256
446f0cb0d5bfa991c3d652421e2ae64b5476b3ed90b37e9778dc39e1ff171663

SHA512
f809211c498b76af7c79db444b8a2477ad5f4f729331cd2564705f342c3801e032e3a2e4dc665fb32631beb47bc63d484f5d81415b06b24a16c451ac3c0bedfc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
1KB

MD5
8ec9fe8b0690540dc0949298e44bcc1a

SHA1
fa53141598b118f57f896c28906f4ab8b074a8ee

SHA256
3cdca09b2866a09fd0d49773cf62cda38af928f35b739b5800ac360224f5ab59

SHA512
cf7cfd09fa816c164ef8aff553da424298cba563aee4d975f2b1f7c7635728d3f1ed826e111d5d218a88aa27bb810ee3e7d23b53e8284e8571f0b157fa1029f6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
1KB

MD5
78ca0d150e40f63b8b9988e6a2db9676

SHA1
562dec7bacfc633a936bea463b3790b2f1fceeb7

SHA256
7fc25d55c407139f1245a731239625a3ee9fdf56014965a69f9145712f94fee5

SHA512
3685c33795fb366c8e1a59594e70f96aa923b733ec296e7a106fb4a06051c173310b079b776798cbbe5f7f5b7452ef52e6684e75f2d3be2d4170eb2ad6fcbe23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
1KB

MD5
e11f3d3595864eb7989441a0b1490891

SHA1
6e9cb0456f280507fe041b23e17153d8d7049b75

SHA256
98d8765a46ec14b9f0748b93925f6b4b54f8895dc584c19139992b2290244184

SHA512
4b705c74b965cb83860b9e8cb36149eeaed8e68e678fad2c90f645477b4128086467b75219db2e9021d93eab6d8c76688f57fc2817c6b4055d8cdfd1f7b8ecc2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
1KB

MD5
c35b8d94865430119535fd8c92c37639

SHA1
7999cbdb36d740c6398ba54984c49dd76c57bd70

SHA256
fb0d2f6fd15c0465748ce8f270bb7df34307a05747d39f9f92b76baad2d7a01f

SHA512
973625a7407139f25c1d491c07163903b123c358715f4ca340b30eb0d9bafa47f476ed17fda916cc69497c7ff25a3b17715b11d8c438fef5b32dbe7c1473b15c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
1KB

MD5
26450c742116403158c85603056ef556

SHA1
6f3d98483b6403641d5dec19fc03400249ad51eb

SHA256
9fa0250548f41fa24e421314a72f5de0beded930bb26b043000dc4527473c24d

SHA512
dd0cbc8308071d58ec9625156e2d596a5ce25587265a61cd9d6dbf8345e154247ed6039335e9c7afa6e825ccfd33b587fb804ca674339289cad661657820b498

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
626B

MD5
70941ccf6f72d507a1bee4c17cab6cdf

SHA1
d8150350fdd9944e624aceb0ab1dd4d8d5a18613

SHA256
f7c0c1903f1617d92a13b131d455666ff877f5e650f89983cffeac16a9ea8945

SHA512
f8f5451a6f428155a393f394f78923c3e7168b77b4db5521b64e436ae33cf19f9cd59b39c8e9f411bbbf3b9f7ed5062a73e91ea48984cf393bbbfa4cbb8d18f7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
1KB

MD5
220fe1732357ceeb351edc71b88c5bc3

SHA1
887f4cb77117a10e58abda6fb0b2f96d98f8e5b1

SHA256
fc21f784552f652415341b3f45b60f5d61dfea72e6dd939b1ed14d5e50a6b41d

SHA512
6a1f84b6781b8437827f4784baf6dbd688b92f135af970b01a58656a753551634e9ee7f2fd449851dbce783b3bc262d0fc35af5793fe85cc06e05c72be04721d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
1KB

MD5
772a353b080a46e9faf85e5663cabe1d

SHA1
aedd633c0019ab60d28a80ff68af0051272004ae

SHA256
e505747dffcd7680082309d0eb9ec7977dfb699fafa4841357a742e6235cd1f8

SHA512
151e36aabc2bdf24bd62134a9c4e1503b3f586ec89e2c9c9c583ecc82cb3afc73e37102a5820859ec9d9fd32df5220b527b1e254c5875368a4146b05ade69153

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
1KB

MD5
106ab3ae921ee26fa60bdc66c44480c6

SHA1
6a7e887b8f35cc8f790f34b6d5db277358f8d029

SHA256
b6f731822a5cb0bcdbbbeb614d274f820be3f43bf22d6f94df54293e139562a7

SHA512
441b195841a1b561811d3f30aa0ade672695500b4619511ce12bc415bf3159304cf157d13dc5c513dacc61fa039765739dadd6c1c2c96708d97475f10cc8bbf9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
1KB

MD5
a3c6a781215678df46f4cf52329a790e

SHA1
ff244fbfb114671923450509c1a916f16da56804

SHA256
d0dd57d1eeb5c7c866fed1188fa68ab0392f744ecf0ca86f5d7767f6ca888f59

SHA512
89357ebbeab660a613ce99f4070c9ca58e84540d12d9f85e211a90875fb264e0ba9e7dae3dae6ef4898df2aa9aa5841c64c0cf221fec9eea8b1285194c43d5da

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
1KB

MD5
4cc53c0876d7e02002a43d96f7767aed

SHA1
6b4e8ef276c9581f452aac5fdc30e52745fa591c

SHA256
5259f69c8c778a9afd3ad66236b96006ffcc8e618f0d43b15a067cb3d99e84c2

SHA512
c3389ca196944d0e05ac55b506d0371f9ae7c2545bc948a93f52d9aa9d5c5fd70ed9d1e88d16e3886abcbf62440921448a190d7df16a4a91f77dc559261ea237

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
1KB

MD5
dc639af48da57f053809f6cc0c9cca05

SHA1
052abb9255f8b4fe85b67087e42c10c0a5553511

SHA256
0c25814c60562a7ab12aceed1321f25d907d8529db397487a1c703038adc4161

SHA512
d9fed9a113e91d21e2096ed48524b09ccd97cdc06aa82aa93daa59192fab2a3c41651cee878b195dde7867bdb79d59a4ee9913b0900c9f70f110613e04477896

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
1KB

MD5
51592e7b87a9d4e82028f8087a42eedc

SHA1
374a1ee4f537ea4bb0a1bc6f87e5e2345469e52c

SHA256
1e373785d8d6ffdf65f7c50b448c1abf5a3eed41468f5cfbd1f6abbd19ee349f

SHA512
2a9d95849ce9e8a868bd2724288b3a256880a6e29237b5286b3af0ce44b7eff05c628dd10590457fdef20a8b4d150aebd9896290965e056c518034f85fa8ca72

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
1KB

MD5
2e21cc57633e2c0e878ac4a00e01859e

SHA1
d1f45788a25bacdc7337546603a9632059e586d8

SHA256
194a51f79043b7d0e45745cf0f09fe9c49c8d7d67cad7d1fcc4f2e5f79655748

SHA512
3a531f75be040dea007648450941ae39dbc92b2898f6adec807dc9a22298fcae6bc3422134c5eafe72b48e585ecd93bc1f2b91b83f0cf92ca0f19307ba0daec2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
1KB

MD5
822e3a8bf14cf11e582b27e547a3c683

SHA1
0fbae7d3342415cd14531f60655da1bdea560687

SHA256
9415a426efd1cbfad013279c81f084e5ce43c6167295fdcd9a8f2e4941ac3622

SHA512
f2dbbadc71fe3008db7bffba7f178fdd3d477f7f50faf258994a97a6137dab8b7cdcac77d244ef6a770eb44ea1e02f36aea175f8bc877235ee405529971995a1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
1KB

MD5
d71e07779984fbd66ebce394a038abcc

SHA1
c8dfdcdcbac7e0d3f9cc5db2213bd29fd9aae909

SHA256
8f4dbd8ccfad2ead34824c07249f14af76747b12fc7d444b346812521ae725a8

SHA512
c4c5b8ab237fe55b422bd15b05113aac690555f71e524735cb4f41f307725b6a0e1e9447327cd28694e32c54f0437509ecdd7fcea6306da2b724e2e54d9b8682

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
64B

MD5
95a8fd9aa626798379af91056cbc3688

SHA1
922670144f8a4c9d26395a3a9580c4db77baf6f0

SHA256
1bd4f09b9d205660fe1a23002eb8ade650eb0124f99aeb800ca10686ba26423c

SHA512
2ca9684a409c91c2a5bed507653cca3b9afa72e9a27bb7245e60e03fc4ef7d50e414f0b7b5a73fc83e79ba5da15fc725b7671c13edc5221924be0a86880c046c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
1KB

MD5
ce8ce4b464db4c92855dc3165a56d2dc

SHA1
459804e472efdf834832e6b956245e137c6ac5a5

SHA256
89d7cafdcc85898ab1075920521968fc28a6f3d02ebaa7dcf9549918cec8f09d

SHA512
aa86a49134cd0d44bd8e0ff460e7ab5e0924e298d7a6692f574ba0bca73a8bbdcaf5eeba46eeb8d739db0ac07bdde2e4f10c48779a2dc0e6d46c34d304decf94

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
1KB

MD5
9e8b9d3b2a7efa15565d9b0a3614f397

SHA1
36bd680c64ac191f5172915fe71d88a145d5d462

SHA256
c1e1f8e26c410cd86054e8710407c2ccce9b229cac52c22357e301960e535f8e

SHA512
9dd9d7f016441e01f9582615727ebbc23e90c2e23344bc3c2a2df8bfa4999097effe8f744ab432067b3afdc9b04b9950aa74c24a60e7aace7d2b6020cce740d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
1KB

MD5
93d229b20ddce045e2874a0a1f66defb

SHA1
77dc84e2a181adb20917f21e45ffe4a73f24b7c1

SHA256
e860d10330f979a44e16543df5e09126c1446a74ebf13acf86a9d974686b648f

SHA512
57ee5edc20b2da466bb58ac3ea0dbb949600df6abfb9e37d9cd7725a8a030303e75d76d959008cfd2ab8a672bfaaf2517ab06b1d2fa61dffac364fda1f698a27

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
1KB

MD5
a724b318112d5e226300dab09b5ffcda

SHA1
be5bb380cd12d1e0c77318b30a8a1b38b9a798a7

SHA256
4d5663c3ad631a9c913e9149387b548b70ae51b696cdbfe4b08eb1c89e8b5136

SHA512
4de5bfa2d5299b3397bb2c6eb65f1e29533d0117875c3a3bd88132d7b5ffa76cc530acb5fe4c4b1ee4f8b5fc1eb681e1770ebadcb616ffd4b8fa93fc15049b36

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
1KB

MD5
d90e9f641d467823a53d13a2c3dae8a0

SHA1
9dcb416b4586683e5f90f25f13f41391848bcafc

SHA256
f4bb7510108727e61cc746269162500d8a12fc921585f9ab691bf9d34966c969

SHA512
3f63b4c191e7544001c047318852216ede510d1971f79c2f18fa2ffc90a571d884c9aebb3161ccff4ef525f7f7d92bc047bfd4972ef03788a1a44044c89562af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
1KB

MD5
5ba84875c50e8c9fd7faa4a0d3f03e14

SHA1
bc4c9bc1736f3b207ad8e15344552fc577f4ca9a

SHA256
2bbb38d35e12af5a55707e7ee6d2410e6bb3a9e07ff5313d9405f6c797edb6da

SHA512
ed16590a1f37c43c12d8b1d06b2c506e4bec34539132e80db3e97eda5e9e2817f069fbd25402f369a8541ed41aec08198732f2aa06a4fa1a5a660b42808bcafa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
1KB

MD5
12dc35861635e9d2c172a4ecec982464

SHA1
8bf9c9403d3bb9a0072c3b3c66b09676922933ea

SHA256
6f253ee7f2a82a28e77373534b756be65de3d4772b0a4e92dbeb943fe1bbacf5

SHA512
98586e89770e5b1187d3518dea2d0868e7a0d567b5300f7bcba0db8fbe3876f041ec80aa19237d5248ac4b406d46f18b0a5b1164e87f0ece3b67cce9ca59b12b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
1KB

MD5
96d70cca703ab59f92343bc4687c6ac4

SHA1
ca5741be6eb4a3627dd843605a2323cea2935575

SHA256
279dbee41fac01ea555f6426707ca7bac3bffe0008391ce318c740375b0cef6e

SHA512
a251842401bb583eaf11431a8b4e64f259edd2984f2ef8692dcf70e4325a26614a17d2032160139183892eeaadd862e9ef3316df63bab137ad6402fb8d3ba5d4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
1KB

MD5
a21cc0d750b1d25953011d6204f23ebd

SHA1
ba67cf18d850966eee4b6dd1b83ce0a7115f9bdc

SHA256
46f37aa7252e06856d5da2e943015042a1bb0f808d1cef8d8482348fc81e6e00

SHA512
cde9bb983d5d958ba222490466e1b7e713bd524519e90cfa58e42446b46ad3b19fde644d082fd4d82d2e8eee7843e90291479886e71da384d28a9e898b52757e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
1KB

MD5
c62e00902e4701b8b96ea8b5356b246e

SHA1
f06f64e41b35625ed9ba54ee4939e4ea3d4eb5ec

SHA256
98a267a57253e6dad314b81810a37e39aff1762551644617207f25e1bce46285

SHA512
2266125a0ef4fee69e0f4a04f8a89f3bd490e2c069034811353cfe255201074cb68e55e89962b784e2458e01eb08fb6977406bbf7e4f6559120017a647903bc4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
1KB

MD5
618635da79a7ed447be416d6dabd7b00

SHA1
42155ab753472412bf1d73ee1b7902584c656d77

SHA256
f1f33d3e8d402bbc4a56d1e807618b508612570de4a48fe1a6800d9b1288fa85

SHA512
f1ddc6744e45041dd2413a91bb51f8e68ed277fb35bcda4055d90eeb200d83887b72cc1c621e4e3f9d99b4dbf2a05ba9319a4867c9c036cb1b7a1be6aade8d6c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
1KB

MD5
895d5b633363a3ce7872d7e31c206481

SHA1
2286f0a5d390423ba55ade42bb810c33c320d27b

SHA256
a6eb0d8a354511f401c7035b69122e917ef5500609dc3459464fe83bba49a844

SHA512
06e160f31185980e85ff0436c9a81c7ec08bc47c82339f816f6490ec3fafe074a4dbd48d8272ffdd73511e127f7208b1bddb2a8306202a16c229dbb93448c6a2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
1KB

MD5
0254494a4c89bf8f623066957ccb7ea1

SHA1
0a31bf0f80c2e5caaf36fdf4266b72379cfb3751

SHA256
ffda9233d24b63e14924cddc16d3885111c7cf09abe840547c0a266c2000687f

SHA512
8f8c04122ae09f4a544d482eb72c30fc6d1ae9840e4247eb9e7a5cbe6e912fbff9132afc78974509923c24c30a8049199d43d83aba49b8a66ab78316546673bb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
1KB

MD5
fd0b550a8c7ff2884067979e799ed8f0

SHA1
1e9afa9ef872a303d4a6ea0d6c7da4d65146a649

SHA256
a38a703e73ec20501ddb787d3f39dd95483673cde1cfba5988666631474fd7ac

SHA512
535ea9ba63f99199d9c3086a066589c56b7f42eea9d732e56ab2fa517f23e4407439f55e63ff298ef7173278641eecad53dab246400ae6e787357ded14cb84d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_11usaj2s.kfu.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Spelling\en-US\default.dic

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\AppData\Roaming\Ultimate Tweaks\Network\Network Persistent State

Filesize
989B

MD5
4f1160935f2b903fef007aacb7230edb

SHA1
fa904cb145761eb753721cf082d4b3f7382b0f99

SHA256
2c9c1fa9545e18a17de2287961126377daefad16010ff2d1e114a4dd80bb74f8

SHA512
525bc2ad9f3fa9ef9b6a0bc5b0d2e1c6cd80ff77d81203cdfcecfb2faab5ee83d1042b900db30cf454ad5b20ea9f8b13aae5369135c3a482c8dfca28d931a62d

Download Submit
C:\Users\Admin\AppData\Roaming\Ultimate Tweaks\Network\Network Persistent State~RFe58ae9a.TMP

Filesize
59B

MD5
2800881c775077e1c4b6e06bf4676de4

SHA1
2873631068c8b3b9495638c865915be822442c8b

SHA256
226eec4486509917aa336afebd6ff65777b75b65f1fb06891d2a857a9421a974

SHA512
e342407ab65cc68f1b3fd706cd0a37680a0864ffd30a6539730180ede2cdcd732cc97ae0b9ef7db12da5c0f83e429df0840dbf7596aca859a0301665e517377b

Download Submit
C:\Users\Admin\AppData\Roaming\Ultimate Tweaks\Preferences

Filesize
57B

MD5
58127c59cb9e1da127904c341d15372b

SHA1
62445484661d8036ce9788baeaba31d204e9a5fc

SHA256
be4b8924ab38e8acf350e6e3b9f1f63a1a94952d8002759acd6946c4d5d0b5de

SHA512
8d1815b277a93ad590ff79b6f52c576cf920c38c4353c24193f707d66884c942f39ff3989530055d2fade540ade243b41b6eb03cd0cc361c3b5d514cca28b50a

Download Submit
C:\Users\Admin\AppData\Roaming\Ultimate Tweaks\Preferences~RFe57bf58.TMP

Filesize
86B

MD5
d11dedf80b85d8d9be3fec6bb292f64b

SHA1
aab8783454819cd66ddf7871e887abdba138aef3

SHA256
8029940de92ae596278912bbbd6387d65f4e849d3c136287a1233f525d189c67

SHA512
6b7ec1ca5189124e0d136f561ca7f12a4653633e2d9452d290e658dfe545acf6600cc9496794757a43f95c91705e9549ef681d4cc9e035738b03a18bdc2e25f0

Download Submit
memory/228-725-0x0000027C97DA0000-0x0000027C97DA1000-memory.dmp

Filesize
4KB

Download
memory/228-731-0x0000027C97DA0000-0x0000027C97DA1000-memory.dmp

Filesize
4KB

Download
memory/228-733-0x0000027C97DA0000-0x0000027C97DA1000-memory.dmp

Filesize
4KB

Download
memory/228-734-0x0000027C97DA0000-0x0000027C97DA1000-memory.dmp

Filesize
4KB

Download
memory/228-729-0x0000027C97DA0000-0x0000027C97DA1000-memory.dmp

Filesize
4KB

Download
memory/228-732-0x0000027C97DA0000-0x0000027C97DA1000-memory.dmp

Filesize
4KB

Download
memory/228-730-0x0000027C97DA0000-0x0000027C97DA1000-memory.dmp

Filesize
4KB

Download
memory/228-724-0x0000027C97DA0000-0x0000027C97DA1000-memory.dmp

Filesize
4KB

Download
memory/228-723-0x0000027C97DA0000-0x0000027C97DA1000-memory.dmp

Filesize
4KB

Download
memory/228-735-0x0000027C97DA0000-0x0000027C97DA1000-memory.dmp

Filesize
4KB

Download
memory/4716-68-0x000002244D8E0000-0x000002244D902000-memory.dmp

Filesize
136KB

Download
memory/4716-85-0x000002244DD60000-0x000002244DDA6000-memory.dmp

Filesize
280KB

Download
memory/4760-88-0x000001DF2BFC0000-0x000001DF2BFEA000-memory.dmp

Filesize
168KB

Download
memory/4760-89-0x000001DF2BFC0000-0x000001DF2BFE4000-memory.dmp

Filesize
144KB

Download