Overview

Scores per analysis (as shown in the report's task summary; truncated sample names are kept as the page shows them):

Item                    Platform              Score
Overview                                      10
Static                                        10
Ultimate Tweaks.exe     windows7-x64          7
Ultimate Tweaks.exe     windows10-2004-x64    7
$PLUGINSDI...ls.dll     windows7-x64          3
$PLUGINSDI...ls.dll     windows10-2004-x64    3
$PLUGINSDI...em.dll     windows7-x64          3
$PLUGINSDI...em.dll     windows10-2004-x64    3
$PLUGINSDIR/UAC.dll     windows7-x64          3
$PLUGINSDIR/UAC.dll     windows10-2004-x64    3
$PLUGINSDI...ll.dll     windows7-x64          3
$PLUGINSDI...ll.dll     windows10-2004-x64    3
LICENSES.c...m.html     windows7-x64          3
LICENSES.c...m.html     windows10-2004-x64    3
Ultimate Tweaks.exe     windows7-x64          1
Ultimate Tweaks.exe     windows10-2004-x64    7
d3dcompiler_47.dll      windows10-2004-x64    1
ffmpeg.dll              windows7-x64          1
ffmpeg.dll              windows10-2004-x64    1
libEGL.dll              windows7-x64          1
libEGL.dll              windows10-2004-x64    1
libGLESv2.dll           windows7-x64          1
libGLESv2.dll           windows10-2004-x64    1
resources/elevate.exe   windows7-x64          3
resources/elevate.exe   windows10-2004-x64    3
vk_swiftshader.dll      windows7-x64          1
vk_swiftshader.dll      windows10-2004-x64    1
vulkan-1.dll            windows7-x64          1
vulkan-1.dll            windows10-2004-x64    1
$PLUGINSDI...gs.dll     windows7-x64          3
$PLUGINSDI...gs.dll     windows10-2004-x64    3
$PLUGINSDI...ec.dll     windows7-x64          3
$PLUGINSDI...ec.dll     windows10-2004-x64    3
$PLUGINSDI...7z.dll     windows7-x64          3

Analysis
- max time kernel: 45s
- max time network: 55s
- platform: windows10-2004_x64
- resource: win10v2004-20240802-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 13-08-2024 00:01
Behavioral tasks

Behavioral task   Sample                       Resource
behavioral1       Ultimate Tweaks.exe          win7-20240729-en
behavioral2       Ultimate Tweaks.exe          win10v2004-20240802-en
behavioral3       $PLUGINSDIR/StdUtils.dll     win7-20240705-en
behavioral4       $PLUGINSDIR/StdUtils.dll     win10v2004-20240802-en
behavioral5       $PLUGINSDIR/System.dll       win7-20240704-en
behavioral6       $PLUGINSDIR/System.dll       win10v2004-20240802-en
behavioral7       $PLUGINSDIR/UAC.dll          win7-20240708-en
behavioral8       $PLUGINSDIR/UAC.dll          win10v2004-20240802-en
behavioral9       $PLUGINSDIR/WinShell.dll     win7-20240704-en
behavioral10      $PLUGINSDIR/WinShell.dll     win10v2004-20240802-en
behavioral11      LICENSES.chromium.html       win7-20240729-en
behavioral12      LICENSES.chromium.html       win10v2004-20240802-en
behavioral13      Ultimate Tweaks.exe          win7-20240729-en
behavioral14      Ultimate Tweaks.exe          win10v2004-20240802-en
behavioral15      d3dcompiler_47.dll           win10v2004-20240802-en
behavioral16      ffmpeg.dll                   win7-20240704-en
behavioral17      ffmpeg.dll                   win10v2004-20240802-en
behavioral18      libEGL.dll                   win7-20240704-en
behavioral19      libEGL.dll                   win10v2004-20240802-en
behavioral20      libGLESv2.dll                win7-20240705-en
behavioral21      libGLESv2.dll                win10v2004-20240802-en
behavioral22      resources/elevate.exe        win7-20240708-en
behavioral23      resources/elevate.exe        win10v2004-20240802-en
behavioral24      vk_swiftshader.dll           win7-20240705-en
behavioral25      vk_swiftshader.dll           win10v2004-20240802-en
behavioral26      vulkan-1.dll                 win7-20240704-en
behavioral27      vulkan-1.dll                 win10v2004-20240802-en
behavioral28      $PLUGINSDIR/nsDialogs.dll    win7-20240729-en
behavioral29      $PLUGINSDIR/nsDialogs.dll    win10v2004-20240802-en
behavioral30      $PLUGINSDIR/nsExec.dll       win7-20240704-en
behavioral31      $PLUGINSDIR/nsExec.dll       win10v2004-20240802-en
behavioral32      $PLUGINSDIR/nsis7z.dll       win7-20240704-en
General

- Target: Ultimate Tweaks.exe
- Size: 168.2MB
- MD5: 02c4b9609f04037960d947113bc2a017
- SHA1: b593fc590fafb5e11ccceb199ff405874183c4e8
- SHA256: 3b47e84d5ca6ad15d2e8916d6cbd6af9ab943a42e84241e0517eaab66b5ef214
- SHA512: d4b3d0f440f6c61716dc156494e0be5cb4053d170d8917f7686e26734023c4e29785f354f0bc21912da06a33547573256379874027dc990cdc91d648f176826a
- SSDEEP: 1572864:9QqT4eFUirK1e2zSQ5Rcw/N5cae/bHhrPdacyodvcPSBoHESUlyAzl/:vBKRcAMyAzB
Malware Config

Signatures

- Checks computer location settings (2 TTPs, 2 IoCs)
  Looks up country code configured in the registry, likely geofence.
  description | ioc | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation | Ultimate Tweaks.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation | Ultimate Tweaks.exe

- (unnamed signature; its heading is missing from the extracted page; 18 IoCs)
  pid | Process
  2768 | powershell.exe
  1464 | powershell.exe
  2164 | powershell.exe
  4828 | powershell.exe
  2872 | powershell.exe
  3540 | powershell.exe
  3300 | powershell.exe
  4852 | powershell.exe
  4776 | powershell.exe
  648 | powershell.exe
  1848 | powershell.exe
  3472 | powershell.exe
  2660 | powershell.exe
  3192 | powershell.exe
  4712 | powershell.exe
  2872 | powershell.exe
  3224 | powershell.exe
  4032 | powershell.exe

- Checks processor information in registry (2 TTPs, 7 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  description | ioc | Process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString | Ultimate Tweaks.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\2 | Ultimate Tweaks.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | Ultimate Tweaks.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | Ultimate Tweaks.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | Ultimate Tweaks.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 | Ultimate Tweaks.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz | Ultimate Tweaks.exe

- Suspicious behavior: EnumeratesProcesses (54 IoCs)
  pid | Process
  4828 | powershell.exe
  4828 | powershell.exe
  2872 | powershell.exe
  2872 | powershell.exe
  4828 | powershell.exe
  2872 | powershell.exe
  3224 | powershell.exe
  2768 | powershell.exe
  2768 | powershell.exe
  3224 | powershell.exe
  3224 | powershell.exe
  2768 | powershell.exe
  3192 | powershell.exe
  3192 | powershell.exe
  4032 | powershell.exe
  4032 | powershell.exe
  3192 | powershell.exe
  4032 | powershell.exe
  1848 | powershell.exe
  1848 | powershell.exe
  648 | powershell.exe
  648 | powershell.exe
  648 | powershell.exe
  1848 | powershell.exe
  4712 | powershell.exe
  4712 | powershell.exe
  1464 | powershell.exe
  1464 | powershell.exe
  4712 | powershell.exe
  1464 | powershell.exe
  2872 | powershell.exe
  2872 | powershell.exe
  3540 | powershell.exe
  3540 | powershell.exe
  3540 | powershell.exe
  2872 | powershell.exe
  3300 | powershell.exe
  3300 | powershell.exe
  3472 | powershell.exe
  3472 | powershell.exe
  3472 | powershell.exe
  3300 | powershell.exe
  4852 | powershell.exe
  4852 | powershell.exe
  2164 | powershell.exe
  2164 | powershell.exe
  2164 | powershell.exe
  4852 | powershell.exe
  4776 | powershell.exe
  4776 | powershell.exe
  2660 | powershell.exe
  2660 | powershell.exe
  4776 | powershell.exe
  2660 | powershell.exe

- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  description | pid | Process
  Token: SeShutdownPrivilege | 2556 | Ultimate Tweaks.exe
  Token: SeCreatePagefilePrivilege | 2556 | Ultimate Tweaks.exe
  Token: SeShutdownPrivilege | 2556 | Ultimate Tweaks.exe
  Token: SeCreatePagefilePrivilege | 2556 | Ultimate Tweaks.exe
  Token: SeDebugPrivilege | 4828 | powershell.exe
  Token: SeDebugPrivilege | 2872 | powershell.exe
  Token: SeIncreaseQuotaPrivilege | 4828 | powershell.exe
  Token: SeSecurityPrivilege | 4828 | powershell.exe
  Token: SeTakeOwnershipPrivilege | 4828 | powershell.exe
  Token: SeLoadDriverPrivilege | 4828 | powershell.exe
  Token: SeSystemProfilePrivilege | 4828 | powershell.exe
  Token: SeSystemtimePrivilege | 4828 | powershell.exe
  Token: SeProfSingleProcessPrivilege | 4828 | powershell.exe
  Token: SeIncBasePriorityPrivilege | 4828 | powershell.exe
  Token: SeCreatePagefilePrivilege | 4828 | powershell.exe
  Token: SeBackupPrivilege | 4828 | powershell.exe
  Token: SeRestorePrivilege | 4828 | powershell.exe
  Token: SeShutdownPrivilege | 4828 | powershell.exe
  Token: SeDebugPrivilege | 4828 | powershell.exe
  Token: SeSystemEnvironmentPrivilege | 4828 | powershell.exe
  Token: SeRemoteShutdownPrivilege | 4828 | powershell.exe
  Token: SeUndockPrivilege | 4828 | powershell.exe
  Token: SeManageVolumePrivilege | 4828 | powershell.exe
  Token: 33 | 4828 | powershell.exe
  Token: 34 | 4828 | powershell.exe
  Token: 35 | 4828 | powershell.exe
  Token: 36 | 4828 | powershell.exe
  Token: SeShutdownPrivilege | 2556 | Ultimate Tweaks.exe
  Token: SeCreatePagefilePrivilege | 2556 | Ultimate Tweaks.exe
  Token: SeShutdownPrivilege | 2556 | Ultimate Tweaks.exe
  Token: SeCreatePagefilePrivilege | 2556 | Ultimate Tweaks.exe
  Token: SeShutdownPrivilege | 2556 | Ultimate Tweaks.exe
  Token: SeCreatePagefilePrivilege | 2556 | Ultimate Tweaks.exe
  Token: SeShutdownPrivilege | 2556 | Ultimate Tweaks.exe
  Token: SeCreatePagefilePrivilege | 2556 | Ultimate Tweaks.exe
  Token: SeDebugPrivilege | 3224 | powershell.exe
  Token: SeDebugPrivilege | 2768 | powershell.exe
  Token: SeShutdownPrivilege | 2556 | Ultimate Tweaks.exe
  Token: SeCreatePagefilePrivilege | 2556 | Ultimate Tweaks.exe
  Token: SeIncreaseQuotaPrivilege | 2768 | powershell.exe
  Token: SeSecurityPrivilege | 2768 | powershell.exe
  Token: SeTakeOwnershipPrivilege | 2768 | powershell.exe
  Token: SeLoadDriverPrivilege | 2768 | powershell.exe
  Token: SeSystemProfilePrivilege | 2768 | powershell.exe
  Token: SeSystemtimePrivilege | 2768 | powershell.exe
  Token: SeProfSingleProcessPrivilege | 2768 | powershell.exe
  Token: SeIncBasePriorityPrivilege | 2768 | powershell.exe
  Token: SeCreatePagefilePrivilege | 2768 | powershell.exe
  Token: SeBackupPrivilege | 2768 | powershell.exe
  Token: SeRestorePrivilege | 2768 | powershell.exe
  Token: SeShutdownPrivilege | 2768 | powershell.exe
  Token: SeDebugPrivilege | 2768 | powershell.exe
  Token: SeSystemEnvironmentPrivilege | 2768 | powershell.exe
  Token: SeRemoteShutdownPrivilege | 2768 | powershell.exe
  Token: SeUndockPrivilege | 2768 | powershell.exe
  Token: SeManageVolumePrivilege | 2768 | powershell.exe
  Token: 33 | 2768 | powershell.exe
  Token: 34 | 2768 | powershell.exe
  Token: 35 | 2768 | powershell.exe
  Token: 36 | 2768 | powershell.exe
  Token: SeShutdownPrivilege | 2556 | Ultimate Tweaks.exe
  Token: SeCreatePagefilePrivilege | 2556 | Ultimate Tweaks.exe
  Token: SeShutdownPrivilege | 2556 | Ultimate Tweaks.exe
  Token: SeCreatePagefilePrivilege | 2556 | Ultimate Tweaks.exe

- Suspicious use of WriteProcessMemory (64 IoCs)
  description | pid | Process | procid_target
  PID 2556 wrote to memory of 4340 | 2556 | Ultimate Tweaks.exe | 85
  PID 2556 wrote to memory of 4340 | 2556 | Ultimate Tweaks.exe | 85
  PID 2556 wrote to memory of 4340 | 2556 | Ultimate Tweaks.exe | 85
  PID 2556 wrote to memory of 4340 | 2556 | Ultimate Tweaks.exe | 85
  PID 2556 wrote to memory of 4340 | 2556 | Ultimate Tweaks.exe | 85
  PID 2556 wrote to memory of 4340 | 2556 | Ultimate Tweaks.exe | 85
  PID 2556 wrote to memory of 4340 | 2556 | Ultimate Tweaks.exe | 85
  PID 2556 wrote to memory of 4340 | 2556 | Ultimate Tweaks.exe | 85
  PID 2556 wrote to memory of 4340 | 2556 | Ultimate Tweaks.exe | 85
  PID 2556 wrote to memory of 4340 | 2556 | Ultimate Tweaks.exe | 85
  PID 2556 wrote to memory of 4340 | 2556 | Ultimate Tweaks.exe | 85
  PID 2556 wrote to memory of 4340 | 2556 | Ultimate Tweaks.exe | 85
  PID 2556 wrote to memory of 4340 | 2556 | Ultimate Tweaks.exe | 85
  PID 2556 wrote to memory of 4340 | 2556 | Ultimate Tweaks.exe | 85
  PID 2556 wrote to memory of 4340 | 2556 | Ultimate Tweaks.exe | 85
  PID 2556 wrote to memory of 4340 | 2556 | Ultimate Tweaks.exe | 85
  PID 2556 wrote to memory of 4340 | 2556 | Ultimate Tweaks.exe | 85
  PID 2556 wrote to memory of 4340 | 2556 | Ultimate Tweaks.exe | 85
  PID 2556 wrote to memory of 4340 | 2556 | Ultimate Tweaks.exe | 85
  PID 2556 wrote to memory of 4340 | 2556 | Ultimate Tweaks.exe | 85
  PID 2556 wrote to memory of 4340 | 2556 | Ultimate Tweaks.exe | 85
  PID 2556 wrote to memory of 4340 | 2556 | Ultimate Tweaks.exe | 85
  PID 2556 wrote to memory of 4340 | 2556 | Ultimate Tweaks.exe | 85
  PID 2556 wrote to memory of 4340 | 2556 | Ultimate Tweaks.exe | 85
  PID 2556 wrote to memory of 4340 | 2556 | Ultimate Tweaks.exe | 85
  PID 2556 wrote to memory of 4340 | 2556 | Ultimate Tweaks.exe | 85
  PID 2556 wrote to memory of 4340 | 2556 | Ultimate Tweaks.exe | 85
  PID 2556 wrote to memory of 4340 | 2556 | Ultimate Tweaks.exe | 85
  PID 2556 wrote to memory of 4340 | 2556 | Ultimate Tweaks.exe | 85
  PID 2556 wrote to memory of 4340 | 2556 | Ultimate Tweaks.exe | 85
  PID 2556 wrote to memory of 4292 | 2556 | Ultimate Tweaks.exe | 86
  PID 2556 wrote to memory of 4292 | 2556 | Ultimate Tweaks.exe | 86
  PID 2556 wrote to memory of 3608 | 2556 | Ultimate Tweaks.exe | 87
  PID 2556 wrote to memory of 3608 | 2556 | Ultimate Tweaks.exe | 87
  PID 3608 wrote to memory of 4184 | 3608 | Ultimate Tweaks.exe | 90
  PID 3608 wrote to memory of 4184 | 3608 | Ultimate Tweaks.exe | 90
  PID 4184 wrote to memory of 3272 | 4184 | cmd.exe | 92
  PID 4184 wrote to memory of 3272 | 4184 | cmd.exe | 92
  PID 3608 wrote to memory of 2872 | 3608 | Ultimate Tweaks.exe | 93
  PID 3608 wrote to memory of 2872 | 3608 | Ultimate Tweaks.exe | 93
  PID 3608 wrote to memory of 4828 | 3608 | Ultimate Tweaks.exe | 94
  PID 3608 wrote to memory of 4828 | 3608 | Ultimate Tweaks.exe | 94
  PID 3608 wrote to memory of 3224 | 3608 | Ultimate Tweaks.exe | 100
  PID 3608 wrote to memory of 3224 | 3608 | Ultimate Tweaks.exe | 100
  PID 3608 wrote to memory of 2768 | 3608 | Ultimate Tweaks.exe | 101
  PID 3608 wrote to memory of 2768 | 3608 | Ultimate Tweaks.exe | 101
  PID 3608 wrote to memory of 3192 | 3608 | Ultimate Tweaks.exe | 105
  PID 3608 wrote to memory of 3192 | 3608 | Ultimate Tweaks.exe | 105
  PID 3608 wrote to memory of 4032 | 3608 | Ultimate Tweaks.exe | 106
  PID 3608 wrote to memory of 4032 | 3608 | Ultimate Tweaks.exe | 106
  PID 3608 wrote to memory of 648 | 3608 | Ultimate Tweaks.exe | 110
  PID 3608 wrote to memory of 648 | 3608 | Ultimate Tweaks.exe | 110
  PID 3608 wrote to memory of 1848 | 3608 | Ultimate Tweaks.exe | 111
  PID 3608 wrote to memory of 1848 | 3608 | Ultimate Tweaks.exe | 111
  PID 3608 wrote to memory of 1464 | 3608 | Ultimate Tweaks.exe | 114
  PID 3608 wrote to memory of 1464 | 3608 | Ultimate Tweaks.exe | 114
  PID 3608 wrote to memory of 4712 | 3608 | Ultimate Tweaks.exe | 115
  PID 3608 wrote to memory of 4712 | 3608 | Ultimate Tweaks.exe | 115
  PID 3608 wrote to memory of 3540 | 3608 | Ultimate Tweaks.exe | 120
  PID 3608 wrote to memory of 3540 | 3608 | Ultimate Tweaks.exe | 120
  PID 3608 wrote to memory of 2872 | 3608 | Ultimate Tweaks.exe | 121
  PID 3608 wrote to memory of 2872 | 3608 | Ultimate Tweaks.exe | 121
  PID 3608 wrote to memory of 3300 | 3608 | Ultimate Tweaks.exe | 125
  PID 3608 wrote to memory of 3300 | 3608 | Ultimate Tweaks.exe | 125
Processes

Process tree (indentation shows parent/child nesting):

- C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe"
  PID: 2556
  Signatures: Checks computer location settings; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory

  - C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\Ultimate Tweaks" --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=1712 --field-trial-handle=1716,i,9475115472035881834,8655745698900237891,262144 --enable-features=kWebSQLAccess --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version /prefetch:2
    PID: 4340

  - C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\Ultimate Tweaks" --mojo-platform-channel-handle=2160 --field-trial-handle=1716,i,9475115472035881834,8655745698900237891,262144 --enable-features=kWebSQLAccess --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version /prefetch:3
    PID: 4292

  - C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\Ultimate Tweaks" --app-path="C:\Users\Admin\AppData\Local\Temp\resources\app.asar" --no-sandbox --no-zygote --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=4 --mojo-platform-channel-handle=2424 --field-trial-handle=1716,i,9475115472035881834,8655745698900237891,262144 --enable-features=kWebSQLAccess --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version /prefetch:1
    PID: 3608
    Signatures: Checks computer location settings; Checks processor information in registry; Suspicious use of WriteProcessMemory

    - C:\Windows\system32\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /d /s /c "chcp"
      PID: 4184
      Signatures: Suspicious use of WriteProcessMemory

      - C:\Windows\system32\chcp.com
        Command line: chcp
        PID: 3272

    - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (18 child processes of PID 3608, all started with the same command line; listed by PID below)
      Command line: powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
      PID 2872: Command and Scripting Interpreter: PowerShell; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
      PID 4828: Command and Scripting Interpreter: PowerShell; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
      PID 3224: Command and Scripting Interpreter: PowerShell; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
      PID 2768: Command and Scripting Interpreter: PowerShell; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
      PID 3192: Command and Scripting Interpreter: PowerShell; Suspicious behavior: EnumeratesProcesses
      PID 4032: Command and Scripting Interpreter: PowerShell; Suspicious behavior: EnumeratesProcesses
      PID 648: Command and Scripting Interpreter: PowerShell; Suspicious behavior: EnumeratesProcesses
      PID 1848: Command and Scripting Interpreter: PowerShell; Suspicious behavior: EnumeratesProcesses
      PID 1464: Command and Scripting Interpreter: PowerShell; Suspicious behavior: EnumeratesProcesses
      PID 4712: Command and Scripting Interpreter: PowerShell; Suspicious behavior: EnumeratesProcesses
      PID 3540: Command and Scripting Interpreter: PowerShell; Suspicious behavior: EnumeratesProcesses
      PID 2872: Command and Scripting Interpreter: PowerShell; Suspicious behavior: EnumeratesProcesses
      PID 3300: Command and Scripting Interpreter: PowerShell; Suspicious behavior: EnumeratesProcesses
      PID 3472: Command and Scripting Interpreter: PowerShell; Suspicious behavior: EnumeratesProcesses
      PID 4852: Command and Scripting Interpreter: PowerShell; Suspicious behavior: EnumeratesProcesses
      PID 2164: Command and Scripting Interpreter: PowerShell; Suspicious behavior: EnumeratesProcesses
      PID 4776: Command and Scripting Interpreter: PowerShell; Suspicious behavior: EnumeratesProcesses
      PID 2660: Command and Scripting Interpreter: PowerShell; Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 3KB
  MD5: 5c3cc3c6ae2c1e0b92b502859ce79d0c
  SHA1: bde46d0f91ad780ce5cba924f8d9f4c175c5b83d
  SHA256: 5a48860ad5bdf15d7a241aa16124163ec48adc0f0af758e43561ac07e4f163b2
  SHA512: 269b79931df92c30741c9a42a013cb24935887272ed8077653f0b6525793da52c5004c70329d8e0e7b2776fc1aba6e32da5dadf237ae42f7398fdf35a930663e

- Filesize: 2KB
  MD5: 28c65370f12e84b734af87ad491ea257
  SHA1: 402d3a8203115f1365d48fa72daf0a56e14d8a08
  SHA256: 4ea873fb3d77a2f8eefae82c943f621f16723516e181bde133568f8f0c91290c
  SHA512: 56eb34162b0a39da4aaf66aad35ef355a7709982b5060792e3b4849c36650725176e927815537ec58e7ddf0fb1763066b203d6b7f9d1b3dd2c8bc091c0c850cc

- Filesize: 2KB
  MD5: 7b0281aebaf34d9b48f7552cc8c1a516
  SHA1: 91c9613c1d9b59a56be2a2283f8a92a70f039af4
  SHA256: ff4c16e2139ab88f8e36bb966bb4964ce2555017e2908d8bc0767be94f551922
  SHA512: 56f912e0936bb872a3e3e38d065ce8455c7af323cb16160f3556749ab9b61dd9710285f2cf389d1395930ccf9ba99dd0e3d43c2a52b3542921091766fcd8c65c

- Filesize: 2KB
  MD5: 1cb63ba4685936893c151385ef028a4e
  SHA1: 41932e9b7df1b0b129e5db14ff249d92212ebafc
  SHA256: 300d59cf55ffdeadc3d8f807349b82031c818d45b45092086055b56d66f08c27
  SHA512: e4584f7b20f5b0c3fbd604556b09e36792ed1ae43e078146e2d1caf107fcd0df7bff4871e07677a28b8adf4526a638d417f6d6e399d8f6732d1db76f207dfde4

- Filesize: 2KB
  MD5: 4d638b26b947f4dcc4b9c4637098eddd
  SHA1: 020045213eb83eb848b13b306b16a9f9d2743a1d
  SHA256: ae1dbfbcf8b409f175dc06a6bb67e8edeac2713bd7152f515850df42e2da5322
  SHA512: a0ffa25fc8788bed0062386a515a75757aa7c109c6f13649ac3f535c2575e1421846a436bee55666ba18a717a6b4c48c66796ea3bef1436265ba79c150542992

- Filesize: 2KB
  MD5: a0ff0d007809242ef7316595890a8d84
  SHA1: 710ca62977e1a13814c55b6d7b8ff86711fdafcf
  SHA256: 947e8af9cac4efe045c01b594ad76c7c42738c6db519d96d5ff0e9390f76c5ed
  SHA512: 884b8b8d8e6ccf9a59967650d0c10eab123c30cbb1251f53952f21f9d171a8b7c490da9e09eafe73b2568b394af45ec54c40f1a2a6c5b4d7d02cf4c092c97ab1

- Filesize: 2KB
  MD5: afa96fc27290df59b32b81d4be736076
  SHA1: de330d4e0b144e06892958c36c3790760c0ca9df
  SHA256: 6162636453e77790f9f365b658b616f3b927ae0720d854bd10f9791d721b1868
  SHA512: 7ef4510855e09d0d1b5a254151a4912e02521646a6ade416abecc2e33913814980697c8b9b89737ea7615ac1e1da27ae2413fb6c719bea30a4a969ce3ecccee4

- Filesize: 2KB
  MD5: 57a1eca5f104202990f464ae1d5979dd
  SHA1: e8f43810dba2425005599c413d6bb9f9a09499eb
  SHA256: 07f4198f433856cb7fd512189ae7d9cb99815218b139f705aabcca9310d491f6
  SHA512: ab5e96be376463fa96809731fabe2b3d76e393eec5aba6da142dd7bac8ad4a5db630e8f2948bfc6517bdadaf8c38fbae37fbefcc5a3de3962f0d478922d2d32b

- Filesize: 2KB
  MD5: fef36c52b0ce7346e23c1ae6555eb3a3
  SHA1: 3054e3281665c0676045cb466a42eb5349799b34
  SHA256: 280bb427a720dde643c676b8370568ad6fc4271bde495a5371f359701554fa68
  SHA512: 346260d2ed6ef588eebe6482b3eb376585079a2a549cc7c5664cbe4abb16a783547da23b3cf676385a6deb3b987bdb833600315b098e6767b97da231fde723f6

- Filesize: 2KB
  MD5: 6c81f498a3f125cee4dbe6670bc3c5f8
  SHA1: e56743696110f9a763de636adb857d9ae1e138a4
  SHA256: bd0455f075be07b805c45185b299c98c82f58e45c922ca3edd843f9763c728e2
  SHA512: 9ce72636b7f9e9f7ebb8c3de449498e26c515f9f3dedfe5795b5e1db0244c73f04455b9281b586121247031cd72d3108394afa2c08d78a5ccc3ad39dbe29cd79

- Filesize: 60B
  MD5: d17fe0a3f47be24a6453e9ef58c94641
  SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
  SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
  SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

- Filesize: 2B
  MD5: f3b25701fe362ec84616a93a45ce9998
  SHA1: d62636d8caec13f04e28442a0a6fa1afeb024bbb
  SHA256: b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
  SHA512: 98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

- Filesize: 57B
  MD5: 58127c59cb9e1da127904c341d15372b
  SHA1: 62445484661d8036ce9788baeaba31d204e9a5fc
  SHA256: be4b8924ab38e8acf350e6e3b9f1f63a1a94952d8002759acd6946c4d5d0b5de
  SHA512: 8d1815b277a93ad590ff79b6f52c576cf920c38c4353c24193f707d66884c942f39ff3989530055d2fade540ade243b41b6eb03cd0cc361c3b5d514cca28b50a

- Filesize: 86B
  MD5: d11dedf80b85d8d9be3fec6bb292f64b
  SHA1: aab8783454819cd66ddf7871e887abdba138aef3
  SHA256: 8029940de92ae596278912bbbd6387d65f4e849d3c136287a1233f525d189c67
  SHA512: 6b7ec1ca5189124e0d136f561ca7f12a4653633e2d9452d290e658dfe545acf6600cc9496794757a43f95c91705e9549ef681d4cc9e035738b03a18bdc2e25f0

- Filesize: 4KB
  MD5: f0de3afb9f524d059f90de52a70fa516
  SHA1: dacd4565c59bff6908602f49b8bf66ffd357cc51
  SHA256: 5c469fe723a770d20abb190726132320b6f1151f8779155a5a7c790201e675d3
  SHA512: 3ca1ce311eb5389bf4fc263fcf70e9bc0e9777eb6edc0718a0f35bd440c8e255faa03af5c70a9eef27e041550c0c6f164c92ef0354786456f5b322cbbfb76256