30091faafd62ea7ba9868db2ee575dab98fd126a78d39590f57ea7b38b20d966

Analysis

max time kernel
150s
max time network
160s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
20-08-2024 18:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Ultimate Tweaks.exe
Size

168.2MB
MD5

02c4b9609f04037960d947113bc2a017
SHA1

b593fc590fafb5e11ccceb199ff405874183c4e8
SHA256

3b47e84d5ca6ad15d2e8916d6cbd6af9ab943a42e84241e0517eaab66b5ef214
SHA512

d4b3d0f440f6c61716dc156494e0be5cb4053d170d8917f7686e26734023c4e29785f354f0bc21912da06a33547573256379874027dc990cdc91d648f176826a
SSDEEP

1572864:9QqT4eFUirK1e2zSQ5Rcw/N5cae/bHhrPdacyodvcPSBoHESUlyAzl/:vBKRcAMyAzB

Score

7^/10

execution

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Ultimate Tweaks.exeUltimate Tweaks.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	Ultimate Tweaks.exe
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	Ultimate Tweaks.exe

Drops file in System32 directory 2 IoCs

Processes:

Ultimate Tweaks.exe

description	ioc	process
File created	C:\Windows\System32\DriverStore\FileRepository\display.inf_amd64_71aa85b0e2292a7a\display.PNF	Ultimate Tweaks.exe
File created	\??\c:\windows\system32\driverstore\filerepository\display.inf_amd64_71aa85b0e2292a7a\display.PNF	Ultimate Tweaks.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 60 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	process
3116	powershell.exe
2480	powershell.exe
3156	powershell.exe
2692	powershell.exe
744	powershell.exe
1972	powershell.exe
3452	powershell.exe
2676	powershell.exe
1772	powershell.exe
784	powershell.exe
1840	powershell.exe
4048	powershell.exe
1272	powershell.exe
1576	powershell.exe
3836	powershell.exe
3860	powershell.exe
4756	powershell.exe
4164	powershell.exe
4440	powershell.exe
1416	powershell.exe
2404	powershell.exe
4356	powershell.exe
1332	powershell.exe
4192	powershell.exe
2420	powershell.exe
1036	powershell.exe
2480	powershell.exe
2004	powershell.exe
3532	powershell.exe
384	powershell.exe
1772	powershell.exe
3196	powershell.exe
1272	powershell.exe
8	powershell.exe
4424	powershell.exe
3392	powershell.exe
1060	powershell.exe
2816	powershell.exe
968	powershell.exe
4100	powershell.exe
4848	powershell.exe
3116	powershell.exe
2520	powershell.exe
1608	powershell.exe
3780	powershell.exe
2296	powershell.exe
4744	powershell.exe
4740	powershell.exe
3400	powershell.exe
2348	powershell.exe
3068	powershell.exe
4792	powershell.exe
3444	powershell.exe
3156	powershell.exe
4208	powershell.exe
3244	powershell.exe
4412	powershell.exe
4304	powershell.exe
448	powershell.exe
5020	powershell.exe

Checks processor information in registry 2 TTPs 7 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Ultimate Tweaks.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Ultimate Tweaks.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	Ultimate Tweaks.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	Ultimate Tweaks.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	Ultimate Tweaks.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\2	Ultimate Tweaks.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Ultimate Tweaks.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	Ultimate Tweaks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

pid	process
3244	powershell.exe
3244	powershell.exe
3196	powershell.exe
3196	powershell.exe
3196	powershell.exe
3244	powershell.exe
1272	powershell.exe
1272	powershell.exe
4356	powershell.exe
4356	powershell.exe
1272	powershell.exe
4356	powershell.exe
3836	powershell.exe
3836	powershell.exe
2480	powershell.exe
2480	powershell.exe
3836	powershell.exe
2480	powershell.exe
4412	powershell.exe
4412	powershell.exe
1840	powershell.exe
1840	powershell.exe
1840	powershell.exe
4412	powershell.exe
2004	powershell.exe
2004	powershell.exe
8	powershell.exe
8	powershell.exe
2004	powershell.exe
8	powershell.exe
4424	powershell.exe
4424	powershell.exe
2816	powershell.exe
2816	powershell.exe
2816	powershell.exe
4424	powershell.exe
3400	powershell.exe
3400	powershell.exe
3860	powershell.exe
3860	powershell.exe
3860	powershell.exe
3400	powershell.exe
3068	powershell.exe
3068	powershell.exe
2348	powershell.exe
2348	powershell.exe
3068	powershell.exe
2348	powershell.exe
3116	powershell.exe
3116	powershell.exe
1332	powershell.exe
1332	powershell.exe
3116	powershell.exe
1332	powershell.exe
4192	powershell.exe
4192	powershell.exe
2480	powershell.exe
2480	powershell.exe
4192	powershell.exe
2480	powershell.exe
4792	powershell.exe
4792	powershell.exe
4756	powershell.exe
4756	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

Ultimate Tweaks.exepowershell.exepowershell.exepowershell.exepowershell.exe

description	pid	process
Token: SeShutdownPrivilege	3164	Ultimate Tweaks.exe
Token: SeCreatePagefilePrivilege	3164	Ultimate Tweaks.exe
Token: SeDebugPrivilege	3244	powershell.exe
Token: SeDebugPrivilege	3196	powershell.exe
Token: SeShutdownPrivilege	3164	Ultimate Tweaks.exe
Token: SeCreatePagefilePrivilege	3164	Ultimate Tweaks.exe
Token: SeIncreaseQuotaPrivilege	3244	powershell.exe
Token: SeSecurityPrivilege	3244	powershell.exe
Token: SeTakeOwnershipPrivilege	3244	powershell.exe
Token: SeLoadDriverPrivilege	3244	powershell.exe
Token: SeSystemProfilePrivilege	3244	powershell.exe
Token: SeSystemtimePrivilege	3244	powershell.exe
Token: SeProfSingleProcessPrivilege	3244	powershell.exe
Token: SeIncBasePriorityPrivilege	3244	powershell.exe
Token: SeCreatePagefilePrivilege	3244	powershell.exe
Token: SeBackupPrivilege	3244	powershell.exe
Token: SeRestorePrivilege	3244	powershell.exe
Token: SeShutdownPrivilege	3244	powershell.exe
Token: SeDebugPrivilege	3244	powershell.exe
Token: SeSystemEnvironmentPrivilege	3244	powershell.exe
Token: SeRemoteShutdownPrivilege	3244	powershell.exe
Token: SeUndockPrivilege	3244	powershell.exe
Token: SeManageVolumePrivilege	3244	powershell.exe
Token: 33	3244	powershell.exe
Token: 34	3244	powershell.exe
Token: 35	3244	powershell.exe
Token: 36	3244	powershell.exe
Token: SeShutdownPrivilege	3164	Ultimate Tweaks.exe
Token: SeCreatePagefilePrivilege	3164	Ultimate Tweaks.exe
Token: SeShutdownPrivilege	3164	Ultimate Tweaks.exe
Token: SeCreatePagefilePrivilege	3164	Ultimate Tweaks.exe
Token: SeShutdownPrivilege	3164	Ultimate Tweaks.exe
Token: SeCreatePagefilePrivilege	3164	Ultimate Tweaks.exe
Token: SeShutdownPrivilege	3164	Ultimate Tweaks.exe
Token: SeCreatePagefilePrivilege	3164	Ultimate Tweaks.exe
Token: SeDebugPrivilege	1272	powershell.exe
Token: SeDebugPrivilege	4356	powershell.exe
Token: SeIncreaseQuotaPrivilege	1272	powershell.exe
Token: SeSecurityPrivilege	1272	powershell.exe
Token: SeTakeOwnershipPrivilege	1272	powershell.exe
Token: SeLoadDriverPrivilege	1272	powershell.exe
Token: SeSystemProfilePrivilege	1272	powershell.exe
Token: SeSystemtimePrivilege	1272	powershell.exe
Token: SeProfSingleProcessPrivilege	1272	powershell.exe
Token: SeIncBasePriorityPrivilege	1272	powershell.exe
Token: SeCreatePagefilePrivilege	1272	powershell.exe
Token: SeBackupPrivilege	1272	powershell.exe
Token: SeRestorePrivilege	1272	powershell.exe
Token: SeShutdownPrivilege	1272	powershell.exe
Token: SeDebugPrivilege	1272	powershell.exe
Token: SeSystemEnvironmentPrivilege	1272	powershell.exe
Token: SeRemoteShutdownPrivilege	1272	powershell.exe
Token: SeUndockPrivilege	1272	powershell.exe
Token: SeManageVolumePrivilege	1272	powershell.exe
Token: 33	1272	powershell.exe
Token: 34	1272	powershell.exe
Token: 35	1272	powershell.exe
Token: 36	1272	powershell.exe
Token: SeShutdownPrivilege	3164	Ultimate Tweaks.exe
Token: SeCreatePagefilePrivilege	3164	Ultimate Tweaks.exe
Token: SeShutdownPrivilege	3164	Ultimate Tweaks.exe
Token: SeCreatePagefilePrivilege	3164	Ultimate Tweaks.exe
Token: SeShutdownPrivilege	3164	Ultimate Tweaks.exe
Token: SeCreatePagefilePrivilege	3164	Ultimate Tweaks.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Ultimate Tweaks.exeUltimate Tweaks.execmd.exe

description	pid	process	target process
PID 3164 wrote to memory of 1632	3164	Ultimate Tweaks.exe	Ultimate Tweaks.exe
PID 3164 wrote to memory of 1632	3164	Ultimate Tweaks.exe	Ultimate Tweaks.exe
PID 3164 wrote to memory of 1632	3164	Ultimate Tweaks.exe	Ultimate Tweaks.exe
PID 3164 wrote to memory of 1632	3164	Ultimate Tweaks.exe	Ultimate Tweaks.exe
PID 3164 wrote to memory of 1632	3164	Ultimate Tweaks.exe	Ultimate Tweaks.exe
PID 3164 wrote to memory of 1632	3164	Ultimate Tweaks.exe	Ultimate Tweaks.exe
PID 3164 wrote to memory of 1632	3164	Ultimate Tweaks.exe	Ultimate Tweaks.exe
PID 3164 wrote to memory of 1632	3164	Ultimate Tweaks.exe	Ultimate Tweaks.exe
PID 3164 wrote to memory of 1632	3164	Ultimate Tweaks.exe	Ultimate Tweaks.exe
PID 3164 wrote to memory of 1632	3164	Ultimate Tweaks.exe	Ultimate Tweaks.exe
PID 3164 wrote to memory of 1632	3164	Ultimate Tweaks.exe	Ultimate Tweaks.exe
PID 3164 wrote to memory of 1632	3164	Ultimate Tweaks.exe	Ultimate Tweaks.exe
PID 3164 wrote to memory of 1632	3164	Ultimate Tweaks.exe	Ultimate Tweaks.exe
PID 3164 wrote to memory of 1632	3164	Ultimate Tweaks.exe	Ultimate Tweaks.exe
PID 3164 wrote to memory of 1632	3164	Ultimate Tweaks.exe	Ultimate Tweaks.exe
PID 3164 wrote to memory of 1632	3164	Ultimate Tweaks.exe	Ultimate Tweaks.exe
PID 3164 wrote to memory of 1632	3164	Ultimate Tweaks.exe	Ultimate Tweaks.exe
PID 3164 wrote to memory of 1632	3164	Ultimate Tweaks.exe	Ultimate Tweaks.exe
PID 3164 wrote to memory of 1632	3164	Ultimate Tweaks.exe	Ultimate Tweaks.exe
PID 3164 wrote to memory of 1632	3164	Ultimate Tweaks.exe	Ultimate Tweaks.exe
PID 3164 wrote to memory of 1632	3164	Ultimate Tweaks.exe	Ultimate Tweaks.exe
PID 3164 wrote to memory of 1632	3164	Ultimate Tweaks.exe	Ultimate Tweaks.exe
PID 3164 wrote to memory of 1632	3164	Ultimate Tweaks.exe	Ultimate Tweaks.exe
PID 3164 wrote to memory of 1632	3164	Ultimate Tweaks.exe	Ultimate Tweaks.exe
PID 3164 wrote to memory of 1632	3164	Ultimate Tweaks.exe	Ultimate Tweaks.exe
PID 3164 wrote to memory of 1632	3164	Ultimate Tweaks.exe	Ultimate Tweaks.exe
PID 3164 wrote to memory of 1632	3164	Ultimate Tweaks.exe	Ultimate Tweaks.exe
PID 3164 wrote to memory of 1632	3164	Ultimate Tweaks.exe	Ultimate Tweaks.exe
PID 3164 wrote to memory of 1632	3164	Ultimate Tweaks.exe	Ultimate Tweaks.exe
PID 3164 wrote to memory of 1632	3164	Ultimate Tweaks.exe	Ultimate Tweaks.exe
PID 3164 wrote to memory of 2564	3164	Ultimate Tweaks.exe	Ultimate Tweaks.exe
PID 3164 wrote to memory of 2564	3164	Ultimate Tweaks.exe	Ultimate Tweaks.exe
PID 3164 wrote to memory of 1636	3164	Ultimate Tweaks.exe	Ultimate Tweaks.exe
PID 3164 wrote to memory of 1636	3164	Ultimate Tweaks.exe	Ultimate Tweaks.exe
PID 1636 wrote to memory of 1628	1636	Ultimate Tweaks.exe	cmd.exe
PID 1636 wrote to memory of 1628	1636	Ultimate Tweaks.exe	cmd.exe
PID 1628 wrote to memory of 3520	1628	cmd.exe	chcp.com
PID 1628 wrote to memory of 3520	1628	cmd.exe	chcp.com
PID 1636 wrote to memory of 3196	1636	Ultimate Tweaks.exe	powershell.exe
PID 1636 wrote to memory of 3196	1636	Ultimate Tweaks.exe	powershell.exe
PID 1636 wrote to memory of 3244	1636	Ultimate Tweaks.exe	powershell.exe
PID 1636 wrote to memory of 3244	1636	Ultimate Tweaks.exe	powershell.exe
PID 1636 wrote to memory of 4356	1636	Ultimate Tweaks.exe	powershell.exe
PID 1636 wrote to memory of 4356	1636	Ultimate Tweaks.exe	powershell.exe
PID 1636 wrote to memory of 1272	1636	Ultimate Tweaks.exe	powershell.exe
PID 1636 wrote to memory of 1272	1636	Ultimate Tweaks.exe	powershell.exe
PID 1636 wrote to memory of 2480	1636	Ultimate Tweaks.exe	powershell.exe
PID 1636 wrote to memory of 2480	1636	Ultimate Tweaks.exe	powershell.exe
PID 1636 wrote to memory of 3836	1636	Ultimate Tweaks.exe	powershell.exe
PID 1636 wrote to memory of 3836	1636	Ultimate Tweaks.exe	powershell.exe
PID 1636 wrote to memory of 1840	1636	Ultimate Tweaks.exe	powershell.exe
PID 1636 wrote to memory of 1840	1636	Ultimate Tweaks.exe	powershell.exe
PID 1636 wrote to memory of 4412	1636	Ultimate Tweaks.exe	powershell.exe
PID 1636 wrote to memory of 4412	1636	Ultimate Tweaks.exe	powershell.exe
PID 1636 wrote to memory of 2004	1636	Ultimate Tweaks.exe	powershell.exe
PID 1636 wrote to memory of 2004	1636	Ultimate Tweaks.exe	powershell.exe
PID 1636 wrote to memory of 8	1636	Ultimate Tweaks.exe	powershell.exe
PID 1636 wrote to memory of 8	1636	Ultimate Tweaks.exe	powershell.exe
PID 1636 wrote to memory of 2816	1636	Ultimate Tweaks.exe	powershell.exe
PID 1636 wrote to memory of 2816	1636	Ultimate Tweaks.exe	powershell.exe
PID 1636 wrote to memory of 4424	1636	Ultimate Tweaks.exe	powershell.exe
PID 1636 wrote to memory of 4424	1636	Ultimate Tweaks.exe	powershell.exe
PID 1636 wrote to memory of 3860	1636	Ultimate Tweaks.exe	powershell.exe
PID 1636 wrote to memory of 3860	1636	Ultimate Tweaks.exe	powershell.exe

C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe
"C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3164
- C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe
  "C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\Ultimate Tweaks" --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=1716 --field-trial-handle=1720,i,10911969384726059198,7761384645731330154,262144 --enable-features=kWebSQLAccess --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version /prefetch:2
  2⤵
  PID:1632
- C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe
  "C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\Ultimate Tweaks" --mojo-platform-channel-handle=2096 --field-trial-handle=1720,i,10911969384726059198,7761384645731330154,262144 --enable-features=kWebSQLAccess --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version /prefetch:3
  2⤵
  PID:2564
- C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe
  "C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\Ultimate Tweaks" --app-path="C:\Users\Admin\AppData\Local\Temp\resources\app.asar" --no-sandbox --no-zygote --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=4 --mojo-platform-channel-handle=2376 --field-trial-handle=1720,i,10911969384726059198,7761384645731330154,262144 --enable-features=kWebSQLAccess --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version /prefetch:1
  2⤵
  - Checks computer location settings
  - Checks processor information in registry
  - Suspicious use of WriteProcessMemory
  PID:1636
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "chcp"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1628
  - - C:\Windows\system32\chcp.com
      chcp
      4⤵
      PID:3520
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3196
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3244
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4356
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1272
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:2480
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:3836
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:1840
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:4412
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:2004
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:8
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:2816
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:4424
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:3860
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:3400
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:2348
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:3068
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:1332
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:3116
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:4192
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:2480
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:4756
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:4792
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:4048
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:4304
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:3392
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:1272
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:1060
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:4164
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:448
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:2420
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:2520
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:968
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:1576
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:1972
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:3444
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:3156
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:1608
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:1416
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:2676
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:3780
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:4100
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:1772
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:1036
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:3532
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:3156
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:2692
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:784
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:384
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:744
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:2404
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:4848
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:1772
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:2296
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:5020
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:4744
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:4740
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:3452
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:3116
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:4440
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:4208
- C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe
  "C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --user-data-dir="C:\Users\Admin\AppData\Roaming\Ultimate Tweaks" --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAABEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=1152 --field-trial-handle=1720,i,10911969384726059198,7761384645731330154,262144 --enable-features=kWebSQLAccess --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version /prefetch:8
  2⤵
  - Drops file in System32 directory
  PID:8

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
5c3cc3c6ae2c1e0b92b502859ce79d0c

SHA1
bde46d0f91ad780ce5cba924f8d9f4c175c5b83d

SHA256
5a48860ad5bdf15d7a241aa16124163ec48adc0f0af758e43561ac07e4f163b2

SHA512
269b79931df92c30741c9a42a013cb24935887272ed8077653f0b6525793da52c5004c70329d8e0e7b2776fc1aba6e32da5dadf237ae42f7398fdf35a930663e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
2KB

MD5
18b727ed059ba7f163c2e4a831debbca

SHA1
1645057f57e1b680df861bbc20e5a55c880d7a0d

SHA256
ab28e0f0a6884c002804fb5315b451664a1fdf2fea0244436c6b9849273ab33a

SHA512
31e91d6222c8b3e71748073fe78330c4a7cb773b457ef92f0c42cc40f836e06804e9a7f76e6c874edb5258f4c81b39ec2c222c766ba54d94019f6bdaa0aa5558

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
2KB

MD5
b49cc7ec667e634b1869655b839d5dfa

SHA1
b094659229e8c0a86129732a142931c198c9cfff

SHA256
c60e7ef9b36a727ec981bf948b4f66b8ab8d971ddcf9d152a4c5de7da776b3db

SHA512
e6526c950e44c09d89bf504cde835f373c0987d6b59899224b3ff907dcebce169249aa995905463b84ab789d7bb439cbdc71bfa0df6c8d94d6cff2903784b359

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
2KB

MD5
d73a4ac7beed9c37ef46954c9ac87691

SHA1
98347e10f64e0734e0a13c5e0be5d914e246676a

SHA256
6435459904e7048c2d50d4c8c1e5f8530cd53ef7af4f1326abade4f42ae9534d

SHA512
cd9881b77f0ae80fc0ead126f5c1585f36055c0b910677acfef187304fadaca5917166191fa52007b80528e2b3819cc452c599f911312892916fa32a1607d37c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
2KB

MD5
61ce1da1efa535bfe3b89f1bc0979dc6

SHA1
80e0befa375bbc33a0cc8ae9d69b1395a26da0a1

SHA256
d197fc2a5101d9e7fcf8001b9e938575df0032c0248beba0e4c54aedcdfaab40

SHA512
f1bdbd083d1d574f8e45181af141d34f4f8e3740d146b437ef974bcf656aeee3b6ce436c96e78145b78072d187da1283daea9fa8686cc55447a7d6fa380644e3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
2KB

MD5
74d90dd05d9f31725676c129f41c3cd9

SHA1
d2cee7a8cdfce0ad58c8c23e355ee794626fe69d

SHA256
16675a21590f561d8c834273db75c63d7655965db831cd4c426a15cbd41c0abc

SHA512
d3806b5344b883db4ebf316b26cf3827689df06e6c23a486396e84077f6cafa8e61e664b8f04c6ee771acbc4c426e7b1cea6f62e2f03a41e74d262ce7bacf747

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
2KB

MD5
5e0e0c9487dc07ce51e71bc5cc058579

SHA1
f87fa342b5268a99c67424cc5e3c7d059763d374

SHA256
cd6e3fc674cd82f4e28420cea7d7755e2aaad5a05622630b915e84b94262353f

SHA512
dcd41c7591a29b91fcd90816c0826a81f3d6aef9b239676e6a4de6cfcaa6bb622d7df0ff22c34f9edf6ce84e515aac8130dd70a72e8dcaddd76b76cbaaf9f26b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
2KB

MD5
fb692933d0fcaa62d4816c6bc139cdaf

SHA1
3811c2ac9c0a4580c771431acb23f4e6db4b81a7

SHA256
513748489b72563524897f4d81db01828bfd1725f75cdefe4b5c4462edb7c27a

SHA512
3ee79657086393b31a4e934f459954a3ca9c27860b429fb4f560f03970f45e12648ea6351e0068fb885062e00e94e013906cf3083f958d9ca8dd427da4c2ceda

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
2KB

MD5
a4ad537fed99204f9f0b8cf52c2c068b

SHA1
e1af6ec3fdeabe431d636d9b6d5e4c2c46080e56

SHA256
7643b1633d0814a58218dae0ee70db9e8dec1d2ee5d9fcf1b9a577fb539307a9

SHA512
5125f08d6ffae24c8316b40e6093ecf170d9050d33930f37f765fb26c3ac024564949a0a2100f7293bc0e427bb6904f2ce0cf1bb4b40d50d4578f0ad447dadae

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
2KB

MD5
8aed5a30848f56f1e7194b0165c4e49b

SHA1
a8a057f6bc302f7c05f544ce996cbbeb956c31e6

SHA256
42f23687f3c834a893096822c25606e49bbf61296cf3d241a2d0cb702970eb21

SHA512
8343c1b236a4ce11386c92c4ee99766a183adeb8ae6adf77125c7568695f24b220fcfe9fb125b90e9914f91cd9b5f5128110bb93ca6395f2232f6f448aff50a3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
2KB

MD5
658446355be11187196172db0303d5c7

SHA1
fd9905974a0fbb1a3ad543ef6fb200f6f276701c

SHA256
ba73c6392be70ee35b7e91099aa8f4aace94dfa7f8b7b9f9ba16605e73f2688c

SHA512
17ea6e402f82fd56af74cdbab1120c72ce01f25b257f127f28901e7a1ff601318d4f2520f57b4204cddb989277d82c90833ce8afa93ee1f0deb78e8d6ab2c6b4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
2KB

MD5
ebbc6420dbf814244c8395104e8f2ed6

SHA1
e0faf2dfb58b8b8fffde7deb70ac94ec2e357a69

SHA256
a957d46387663abb465320ce02d3c673707a936f7e8365beab89d80d4ed39faf

SHA512
d2cc95983c33f58657908d23809e240266fc7840ba7c67963ac7b72a2aac1d5d45f81caf4a513efb60cd4214c9a5e3fc14cff227c387740eddd2268bd11ad49a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
2KB

MD5
507cbc667a69451295eb3fc49e5f3539

SHA1
d6f644f3b159c81a9cc1f0d9bc9683c014a0b29c

SHA256
47e4f4e7d3add03229dfac5cb4d0aefdfb1b67670ebe856eb23144aaf796ca8e

SHA512
fb2fea816e465205e3f13bffdb8bf3f7b9970593e79087f1ca69892788d1fc0e6932ecf322bc69eec5f063346598c6e66f373a68e6f6d28bc49c4f3106251e89

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
2KB

MD5
1c50390b69295ca6f2b02ec4227e7eeb

SHA1
00f2d18cd5302151d11feede3d6beb8b89455f7e

SHA256
937ce200c7c236a3da914fcbd39a91cd6f25e2935175066cafb111d33961f557

SHA512
01b44ab2ca512b00ff8b1bffe1c3cd09febf391e1031fa7562263f0f7cc72fa7930c56bcf400897c6a1a93714b540553492fbcde293369bdfaedf056809720b8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
2KB

MD5
2ad979c480d49dcfe52ce935e45fb5a8

SHA1
3376e614469c3e700a2f2261b2c7af9cdbb47f38

SHA256
fd18542e16e6f74bfa725570095028e95fe67ba7e0b3cb4c7960733e8680bc5e

SHA512
33a02703366552e62c21f9584df016a776ec2f9f528c0df5e43c5605b1ecc11f9013ba2683114258c5621bf31501b6e0fd9b222e56ac21c694ad225e15adff00

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
2KB

MD5
5f4298a4032b0d65b1be3dec13bde606

SHA1
58d091800012c1b6cd7d9239e209b0499d52b4fd

SHA256
53fe511c61c94e4a8068733af304844084209de015ce7795ad18c4992ad6c2e0

SHA512
238d2464e3f6390b9d8fb88e089d649b75b0fab08fc9f0ab7c16d295d9d3f85f8de97e06c434e1267261e7a9ce499ef9020fdd4c87e3a355bf324727669e7cd0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
2KB

MD5
ec6ca1d27f65b8532d7911cfbf04c8ff

SHA1
7c4c01dd42f289635a20d7f3cbf91ad196d79a4b

SHA256
1c2574d71454a0511c9b2155240ccb550a290f2d6f01c558def28b24b0897f38

SHA512
8e04f6795f2f612033d4c8e64bbb13d12929d6a2ce2956d896ed5be9d0dc38655a40dfea44407f162793b21f44c8511673998d32b9401deb802b92344e61915e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
2KB

MD5
e82bcdd3cb1493db0a6c9f28d6b2d87f

SHA1
d092a0210316454f464b55da1cf5f8fb11f3a738

SHA256
40975f249cd89d20fc8d6d35804592425f70094dc0fd4b98fa5a3bde75a0b34a

SHA512
fba40977aa5197955b8e5b976485d4575690dd958300803f9f481b6aa8740c958b98c9cddecdfecf1130357c55faf7ee28323b53bc8c6af22436b0cae80df252

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
2KB

MD5
7fb05da22cda7e2c5a3eba30cfa29a3e

SHA1
b9572b9b0a1023be71e67dee3fe3ce575068bdac

SHA256
dc181e0e35bc6a99ace16584cf4f757c1c9cbbfa0f2d6366e4643790a94b8d2a

SHA512
79774238ce03c7d9799571bb8d5f8596cfef61db75ad98003c3a619a9b99d94293b06ee33cfc1e6a2fc517b2e8b5237cd492832692ee5ac9a367e6e405c88bb2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
2KB

MD5
5b9c5d2eb803c93459e8425d4066faaa

SHA1
ce9df1e91104bfe57b8a48ef31a13920ea7cf39f

SHA256
f8fe1abff003003b443fcfcb47108579f2f241151a1ac93cf90baf81f7c3b2fb

SHA512
724a9ce7efa731dbf79b5bab8a6c240a279439255d10b46677d9d111c671d93e1a3e71f411c97c4a498452fa1fb27ea5762084d798042476ecb49209dbec8ac9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
2KB

MD5
62e2ba7a058f1c1b5a021c83d8a9deb2

SHA1
7c957088ec377a17d0bbb9b62959619ed583086b

SHA256
59fd9af60d9fe6ca0c62f508a1f276d872c9a1e601d533b31098bb84ef3fc7fc

SHA512
54f4c1710b39af8bfcc4894dee3a5b6c55956bcd271b47e698a5260eb4d88a87503ce58801c728ad3301396eb32af8b6536acddc72e12ad28378f4c04fb80495

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
2KB

MD5
1d68cb07d8ab339ced06c2a38e981fe3

SHA1
5c0c1b7da97f5467ec5acdb7c13b6c1b52396d35

SHA256
c640d7ef91d1511261bd4e4d5f5e900f01e20fe1fe357760895e802d9fcded51

SHA512
cc01032bca73fce514dcc929089b13a4e5d87e3ad37b51b0058e5d81cc3a220737825fc18578643771155ff942f1163ce15b3752371be7cf3c180c90257e85cf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
254B

MD5
f06edf31b2781f5c70eb84b9e2b92c3f

SHA1
0cafb2c0e5d48e185f22e97bc8bbf8b2a382c6e9

SHA256
5c3908323e6ee45ec4a44125cc4e09390a975fdca3c91b6f8a43cb316a94c64a

SHA512
1bf68563f380dd60a3d876314c160551fcf23c0bb4775704c515a36e222278f46b30615c0c29f7ff4f4c6908dbaac024c537971b8d7e53eb76f38963b1faf03b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
2KB

MD5
8138ac6ee7bca0d1bc7edebb4925f433

SHA1
3dc63a099aca13429ca9bc04a65dd2ddf741d52f

SHA256
c3d997a589bb7e951a04f2f37f357529220a9b2ae61138f99d3f2ce5b0833066

SHA512
b82856993260549d942e1d1049468a9406d15899ce85fefd7d2ab1b01b6c821764aad7699d3bfff0ce7d95611012701f4a632137e22302ac60f331754c0cd0ad

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
2KB

MD5
912ac4ed9584248eeab01046819f5eb0

SHA1
22e87af4a16cd61271ea8b8072c6cc758750c40e

SHA256
1e2e9eabcc9dba920b0e574650d250d986eff6b43b2e5e987a3bf2a8284ecb4e

SHA512
89004e2498f582c373620efa525b11c5a8031b07b6d0ba2e87a0ea19b6826831096414e883cbe937a496e034390f3be13f76070350f5a6da64cc0618f07cd95f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
2KB

MD5
7ac4e9500806cf428e5370cda46c966d

SHA1
1149130ded18f0b97264ac2dc0babff57e08a096

SHA256
87b2e3c0f2b10e5fb7870ee14f1944039fdced7fc57e4fb0692a2df274df0fae

SHA512
6a1b9b2f42ebec7749fa0ede30f084e32e12f6bca6dd401f0e0e5e4e886484b24d64de6ce30c69e1a1e7b4ecd20213bffafa81dda23083cd715883dcd162e23a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
2KB

MD5
84d8be45b20397df969229ff4d83adc5

SHA1
89662a0e729e86d2ae4fc8ef642527fe77aa01ab

SHA256
6ff951bef8771a09ed4b24e376c3b7381f037a87301bcf4b256b13a9d11b4871

SHA512
39111fe3f6e9d9ed098186a48390b7bd55903c0b10c70db8fc9d80960a5c90382d6ab9a671df5010bd6f8a1b916563e564aa6f51dc2339749bd02b6836bbb8e3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
2KB

MD5
a584960aed5035ce1de4460d21eb60dd

SHA1
78bfb638704aeab82b523a4a88162ae44bfd3a0b

SHA256
f3fe932e09876f4cc973af2700227213c567ff95a9137cbef519fbb9f3880df0

SHA512
6dcc68b3561580d70362346b1fdb62dcd28d51560488d0f198f8c21efb2ca47cc347bb20e596c38b352b4a312fc2c1915b881464d60ff757e987b01f74de42e1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
2KB

MD5
076ffed23fdcfa5dafd84a966c0b5822

SHA1
0b6763b8eb2ac32133dc5dd7bcd1e852f081d432

SHA256
54daba77278e53564ad83de9964c55abc9f084d1add3c6b15a418e0e7cf88d35

SHA512
82e6923948e6aca58538d6b924ff46d4523a56dff3a2f4e8b80190f36e03104832ac97f39458b9158744fde33fca0aae299de1472c2ab6e3cb7f50cea2dc0f81

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
2KB

MD5
375dce2c43a79c6a9c15a397f70923fe

SHA1
defc7166a01e32f49787edc49852227a62d4acad

SHA256
0f35a86a71fb259674917eee067aba58c66590995121437fd0344e2bda0732ed

SHA512
cf44e462d790bb45a97f540e2309a931df152b28f5914156e5e85c1710a01d1fcebb5f732f17e56442924906e3f5db2f3bb51792182ceb499f6bc3c47969cc49

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
2KB

MD5
28c65370f12e84b734af87ad491ea257

SHA1
402d3a8203115f1365d48fa72daf0a56e14d8a08

SHA256
4ea873fb3d77a2f8eefae82c943f621f16723516e181bde133568f8f0c91290c

SHA512
56eb34162b0a39da4aaf66aad35ef355a7709982b5060792e3b4849c36650725176e927815537ec58e7ddf0fb1763066b203d6b7f9d1b3dd2c8bc091c0c850cc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
2KB

MD5
d91f90a3d5f8936b719a7f8f730c7bbb

SHA1
d2171033a287f3fe343314b1f046fdfc71db62aa

SHA256
9379c3639d9f5569a423d4343222a4743b0cea56a3a0716ae7c014ece7cc12fe

SHA512
46ffd8e564766432f880be60264ee3273b9430a78fe86dea2a3cfe518042456f15e777b9725191d9c893d50b02fefd4fb8c63167594c219dd7795e50838cf4ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_d3c2uk5c.20x.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Spelling\en-US\default.dic

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\AppData\Roaming\Ultimate Tweaks\Network\Network Persistent State

Filesize
966B

MD5
3e23bbbc90f222ec7cd6e801eb298a76

SHA1
0b7df018157635d9cc0309a58452f1eaa2b8a65a

SHA256
c6d2baa021160fc7e81fd64d10521bc1ec4a55c6f1ecf8f35282161f98d9bf06

SHA512
2c75b2cebba1f3b6eacf95e9355d1c68161795143b30d3a0598c08d37db27f07affb59c5daf3f4495787d82daa43962145aac56d8cc2b5b7ff376e671efd025a

Download Submit
C:\Users\Admin\AppData\Roaming\Ultimate Tweaks\Network\Network Persistent State~RFe58d7dd.TMP

Filesize
59B

MD5
2800881c775077e1c4b6e06bf4676de4

SHA1
2873631068c8b3b9495638c865915be822442c8b

SHA256
226eec4486509917aa336afebd6ff65777b75b65f1fb06891d2a857a9421a974

SHA512
e342407ab65cc68f1b3fd706cd0a37680a0864ffd30a6539730180ede2cdcd732cc97ae0b9ef7db12da5c0f83e429df0840dbf7596aca859a0301665e517377b

Download Submit
C:\Users\Admin\AppData\Roaming\Ultimate Tweaks\Preferences

Filesize
57B

MD5
58127c59cb9e1da127904c341d15372b

SHA1
62445484661d8036ce9788baeaba31d204e9a5fc

SHA256
be4b8924ab38e8acf350e6e3b9f1f63a1a94952d8002759acd6946c4d5d0b5de

SHA512
8d1815b277a93ad590ff79b6f52c576cf920c38c4353c24193f707d66884c942f39ff3989530055d2fade540ade243b41b6eb03cd0cc361c3b5d514cca28b50a

Download Submit
C:\Users\Admin\AppData\Roaming\Ultimate Tweaks\Preferences~RFe57eb2b.TMP

Filesize
86B

MD5
d11dedf80b85d8d9be3fec6bb292f64b

SHA1
aab8783454819cd66ddf7871e887abdba138aef3

SHA256
8029940de92ae596278912bbbd6387d65f4e849d3c136287a1233f525d189c67

SHA512
6b7ec1ca5189124e0d136f561ca7f12a4653633e2d9452d290e658dfe545acf6600cc9496794757a43f95c91705e9549ef681d4cc9e035738b03a18bdc2e25f0

Download Submit
C:\Users\Admin\AppData\Roaming\Ultimate Tweaks\logs\main.log

Filesize
4KB

MD5
9194092d49f8a4d31b5b6244b77f33da

SHA1
bca6c7fb909dbe52ef44725c022b795850680e9c

SHA256
3056f072abdbe483061bf851d96010f682e9738a3b7fe10830271d93a48fd00e

SHA512
9aabc9d318440f24a66de39e91b49a30a40ef491f5b796471c2f6438b16b927b6f7044d974649dca19417d2fefb11c5046880f6059ea7e35982ba8e41ea72c5f

Download Submit
memory/8-1040-0x0000019C5AE00000-0x0000019C5AE01000-memory.dmp

Filesize
4KB

Download
memory/8-1041-0x0000019C5AE00000-0x0000019C5AE01000-memory.dmp

Filesize
4KB

Download
memory/8-1048-0x0000019C5AE00000-0x0000019C5AE01000-memory.dmp

Filesize
4KB

Download
memory/8-1047-0x0000019C5AE00000-0x0000019C5AE01000-memory.dmp

Filesize
4KB

Download
memory/8-1046-0x0000019C5AE00000-0x0000019C5AE01000-memory.dmp

Filesize
4KB

Download
memory/8-1045-0x0000019C5AE00000-0x0000019C5AE01000-memory.dmp

Filesize
4KB

Download
memory/8-1050-0x0000019C5AE00000-0x0000019C5AE01000-memory.dmp

Filesize
4KB

Download
memory/8-1039-0x0000019C5AE00000-0x0000019C5AE01000-memory.dmp

Filesize
4KB

Download
memory/8-1049-0x0000019C5AE00000-0x0000019C5AE01000-memory.dmp

Filesize
4KB

Download
memory/8-1051-0x0000019C5AE00000-0x0000019C5AE01000-memory.dmp

Filesize
4KB

Download
memory/3196-87-0x0000027CC9540000-0x0000027CC9584000-memory.dmp

Filesize
272KB

Download
memory/3196-88-0x0000027CC9990000-0x0000027CC9A06000-memory.dmp

Filesize
472KB

Download
memory/3244-68-0x000001B10DEF0000-0x000001B10DF12000-memory.dmp

Filesize
136KB

Download
memory/3244-93-0x000001B126550000-0x000001B12657A000-memory.dmp

Filesize
168KB

Download
memory/3244-94-0x000001B126550000-0x000001B126574000-memory.dmp

Filesize
144KB

Download