221944cf8cf33d706f1418545c2cc5f375743e0cb2db913ceda97b7eef31f776

Resubmissions

04/09/2024, 18:54

240904-xkj9kavdjq 9

04/09/2024, 18:42

240904-xcj9lawdkc 9

Analysis

max time kernel
148s
max time network
155s
platform
windows11-21h2_x64
resource
win11-20240802-en
resource tags

arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
submitted
04/09/2024, 18:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

MixerLapx.exe
Size

177.5MB
MD5

52ca1f3fae0ed5d90a9700949e63639b
SHA1

1e4d11282529e87a0652249bbcc4ba4953e82ba8
SHA256

a1e27c69e0d104f6f89ef98d5baa6718fc3de16462c0a7063552383b845eefe6
SHA512

64ffdecf041ad2c08351aa8986a73cd87c64f1a5c6ac394c48075fe4b9cc6f3fa865d5daf79a4081146d879d235d6bec2eb83e6662461c1a7a1a6d4cd3b5d945
SSDEEP

1572864:t6SlyW//ASwc0eKrtjR3QelIHvSfIc7ro6f1cVYc+lj3PVXaC2DPLTCncMHzNHt9:o4KZxQrFQl

Score

9^/10

credential_access discovery execution spyware stealer

Malware Config

Signatures

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Command and Scripting Interpreter: PowerShell 1 TTPs 47 IoCs

Run Powershell to get system information.

execution

PowerShell

T1059.001

pid	Process
2164	powershell.exe
224	powershell.exe
1372	powershell.exe
4316	powershell.exe
3968	powershell.exe
1364	powershell.exe
3136	powershell.exe
744	powershell.exe
3888	powershell.exe
1248	powershell.exe
1428	powershell.exe
3704	powershell.exe
1860	powershell.exe
4088	powershell.exe
1924	powershell.exe
4620	powershell.exe
3168	powershell.exe
2864	powershell.exe
2104	powershell.exe
2288	powershell.exe
5016	powershell.exe
428	powershell.exe
3236	powershell.exe
1952	powershell.exe
5008	powershell.exe
2788	powershell.exe
2920	powershell.exe
2076	powershell.exe
1196	powershell.exe
2100	powershell.exe
3172	powershell.exe
3716	powershell.exe
1256	powershell.exe
2860	powershell.exe
3416	powershell.exe
1524	powershell.exe
404	powershell.exe
1908	powershell.exe
3628	powershell.exe
4868	powershell.exe
4876	powershell.exe
3312	powershell.exe
1144	powershell.exe
4860	powershell.exe
4868	powershell.exe
1840	powershell.exe
2924	powershell.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
404	powershell.exe
404	powershell.exe
2864	powershell.exe
2864	powershell.exe
2104	powershell.exe
2104	powershell.exe
1428	powershell.exe
1428	powershell.exe
3172	powershell.exe
3172	powershell.exe
4316	powershell.exe
4316	powershell.exe
3704	powershell.exe
3704	powershell.exe
1860	powershell.exe
1860	powershell.exe
3968	powershell.exe
3968	powershell.exe
4088	powershell.exe
4088	powershell.exe
1364	powershell.exe
1364	powershell.exe
2288	powershell.exe
2288	powershell.exe
4868	powershell.exe
4868	powershell.exe
3136	powershell.exe
3136	powershell.exe
3716	powershell.exe
3716	powershell.exe
2164	powershell.exe
2164	powershell.exe
1840	powershell.exe
1840	powershell.exe
224	powershell.exe
224	powershell.exe
744	powershell.exe
744	powershell.exe
3888	powershell.exe
3888	powershell.exe
1908	powershell.exe
1908	powershell.exe
5016	powershell.exe
5016	powershell.exe
3628	powershell.exe
3628	powershell.exe
4868	powershell.exe
4868	powershell.exe
2920	powershell.exe
2920	powershell.exe
1372	powershell.exe
1372	powershell.exe
4876	powershell.exe
4876	powershell.exe
2076	powershell.exe
2076	powershell.exe
5008	powershell.exe
5008	powershell.exe
1196	powershell.exe
1196	powershell.exe
2788	powershell.exe
2788	powershell.exe
3312	powershell.exe
3312	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	404	powershell.exe
Token: SeIncreaseQuotaPrivilege	404	powershell.exe
Token: SeSecurityPrivilege	404	powershell.exe
Token: SeTakeOwnershipPrivilege	404	powershell.exe
Token: SeLoadDriverPrivilege	404	powershell.exe
Token: SeSystemProfilePrivilege	404	powershell.exe
Token: SeSystemtimePrivilege	404	powershell.exe
Token: SeProfSingleProcessPrivilege	404	powershell.exe
Token: SeIncBasePriorityPrivilege	404	powershell.exe
Token: SeCreatePagefilePrivilege	404	powershell.exe
Token: SeBackupPrivilege	404	powershell.exe
Token: SeRestorePrivilege	404	powershell.exe
Token: SeShutdownPrivilege	404	powershell.exe
Token: SeDebugPrivilege	404	powershell.exe
Token: SeSystemEnvironmentPrivilege	404	powershell.exe
Token: SeRemoteShutdownPrivilege	404	powershell.exe
Token: SeUndockPrivilege	404	powershell.exe
Token: SeManageVolumePrivilege	404	powershell.exe
Token: 33	404	powershell.exe
Token: 34	404	powershell.exe
Token: 35	404	powershell.exe
Token: 36	404	powershell.exe
Token: SeShutdownPrivilege	4904	MixerLapx.exe
Token: SeCreatePagefilePrivilege	4904	MixerLapx.exe
Token: SeDebugPrivilege	2864	powershell.exe
Token: SeIncreaseQuotaPrivilege	2864	powershell.exe
Token: SeSecurityPrivilege	2864	powershell.exe
Token: SeTakeOwnershipPrivilege	2864	powershell.exe
Token: SeLoadDriverPrivilege	2864	powershell.exe
Token: SeSystemProfilePrivilege	2864	powershell.exe
Token: SeSystemtimePrivilege	2864	powershell.exe
Token: SeProfSingleProcessPrivilege	2864	powershell.exe
Token: SeIncBasePriorityPrivilege	2864	powershell.exe
Token: SeCreatePagefilePrivilege	2864	powershell.exe
Token: SeBackupPrivilege	2864	powershell.exe
Token: SeRestorePrivilege	2864	powershell.exe
Token: SeShutdownPrivilege	2864	powershell.exe
Token: SeDebugPrivilege	2864	powershell.exe
Token: SeSystemEnvironmentPrivilege	2864	powershell.exe
Token: SeRemoteShutdownPrivilege	2864	powershell.exe
Token: SeUndockPrivilege	2864	powershell.exe
Token: SeManageVolumePrivilege	2864	powershell.exe
Token: 33	2864	powershell.exe
Token: 34	2864	powershell.exe
Token: 35	2864	powershell.exe
Token: 36	2864	powershell.exe
Token: SeDebugPrivilege	2104	powershell.exe
Token: SeIncreaseQuotaPrivilege	2104	powershell.exe
Token: SeSecurityPrivilege	2104	powershell.exe
Token: SeTakeOwnershipPrivilege	2104	powershell.exe
Token: SeLoadDriverPrivilege	2104	powershell.exe
Token: SeSystemProfilePrivilege	2104	powershell.exe
Token: SeSystemtimePrivilege	2104	powershell.exe
Token: SeProfSingleProcessPrivilege	2104	powershell.exe
Token: SeIncBasePriorityPrivilege	2104	powershell.exe
Token: SeCreatePagefilePrivilege	2104	powershell.exe
Token: SeBackupPrivilege	2104	powershell.exe
Token: SeRestorePrivilege	2104	powershell.exe
Token: SeShutdownPrivilege	2104	powershell.exe
Token: SeDebugPrivilege	2104	powershell.exe
Token: SeSystemEnvironmentPrivilege	2104	powershell.exe
Token: SeRemoteShutdownPrivilege	2104	powershell.exe
Token: SeUndockPrivilege	2104	powershell.exe
Token: SeManageVolumePrivilege	2104	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4904 wrote to memory of 2676	4904	MixerLapx.exe	78
PID 4904 wrote to memory of 2676	4904	MixerLapx.exe	78
PID 4904 wrote to memory of 2676	4904	MixerLapx.exe	78
PID 4904 wrote to memory of 2676	4904	MixerLapx.exe	78
PID 4904 wrote to memory of 2676	4904	MixerLapx.exe	78
PID 4904 wrote to memory of 2676	4904	MixerLapx.exe	78
PID 4904 wrote to memory of 2676	4904	MixerLapx.exe	78
PID 4904 wrote to memory of 2676	4904	MixerLapx.exe	78
PID 4904 wrote to memory of 2676	4904	MixerLapx.exe	78
PID 4904 wrote to memory of 2676	4904	MixerLapx.exe	78
PID 4904 wrote to memory of 2676	4904	MixerLapx.exe	78
PID 4904 wrote to memory of 2676	4904	MixerLapx.exe	78
PID 4904 wrote to memory of 2676	4904	MixerLapx.exe	78
PID 4904 wrote to memory of 2676	4904	MixerLapx.exe	78
PID 4904 wrote to memory of 2676	4904	MixerLapx.exe	78
PID 4904 wrote to memory of 2676	4904	MixerLapx.exe	78
PID 4904 wrote to memory of 2676	4904	MixerLapx.exe	78
PID 4904 wrote to memory of 2676	4904	MixerLapx.exe	78
PID 4904 wrote to memory of 2676	4904	MixerLapx.exe	78
PID 4904 wrote to memory of 2676	4904	MixerLapx.exe	78
PID 4904 wrote to memory of 2676	4904	MixerLapx.exe	78
PID 4904 wrote to memory of 2676	4904	MixerLapx.exe	78
PID 4904 wrote to memory of 2676	4904	MixerLapx.exe	78
PID 4904 wrote to memory of 2676	4904	MixerLapx.exe	78
PID 4904 wrote to memory of 2676	4904	MixerLapx.exe	78
PID 4904 wrote to memory of 2676	4904	MixerLapx.exe	78
PID 4904 wrote to memory of 2676	4904	MixerLapx.exe	78
PID 4904 wrote to memory of 2676	4904	MixerLapx.exe	78
PID 4904 wrote to memory of 2676	4904	MixerLapx.exe	78
PID 4904 wrote to memory of 2676	4904	MixerLapx.exe	78
PID 4904 wrote to memory of 4996	4904	MixerLapx.exe	79
PID 4904 wrote to memory of 4996	4904	MixerLapx.exe	79
PID 4904 wrote to memory of 404	4904	MixerLapx.exe	80
PID 4904 wrote to memory of 404	4904	MixerLapx.exe	80
PID 4904 wrote to memory of 2864	4904	MixerLapx.exe	83
PID 4904 wrote to memory of 2864	4904	MixerLapx.exe	83
PID 4904 wrote to memory of 2104	4904	MixerLapx.exe	85
PID 4904 wrote to memory of 2104	4904	MixerLapx.exe	85
PID 4904 wrote to memory of 1428	4904	MixerLapx.exe	87
PID 4904 wrote to memory of 1428	4904	MixerLapx.exe	87
PID 4904 wrote to memory of 3172	4904	MixerLapx.exe	89
PID 4904 wrote to memory of 3172	4904	MixerLapx.exe	89
PID 4904 wrote to memory of 4316	4904	MixerLapx.exe	91
PID 4904 wrote to memory of 4316	4904	MixerLapx.exe	91
PID 4904 wrote to memory of 3704	4904	MixerLapx.exe	93
PID 4904 wrote to memory of 3704	4904	MixerLapx.exe	93
PID 4904 wrote to memory of 1860	4904	MixerLapx.exe	95
PID 4904 wrote to memory of 1860	4904	MixerLapx.exe	95
PID 4904 wrote to memory of 3968	4904	MixerLapx.exe	97
PID 4904 wrote to memory of 3968	4904	MixerLapx.exe	97
PID 4904 wrote to memory of 4088	4904	MixerLapx.exe	99
PID 4904 wrote to memory of 4088	4904	MixerLapx.exe	99
PID 4904 wrote to memory of 1364	4904	MixerLapx.exe	101
PID 4904 wrote to memory of 1364	4904	MixerLapx.exe	101
PID 4904 wrote to memory of 2288	4904	MixerLapx.exe	103
PID 4904 wrote to memory of 2288	4904	MixerLapx.exe	103
PID 4904 wrote to memory of 4868	4904	MixerLapx.exe	105
PID 4904 wrote to memory of 4868	4904	MixerLapx.exe	105
PID 4904 wrote to memory of 3136	4904	MixerLapx.exe	107
PID 4904 wrote to memory of 3136	4904	MixerLapx.exe	107
PID 4904 wrote to memory of 3716	4904	MixerLapx.exe	109
PID 4904 wrote to memory of 3716	4904	MixerLapx.exe	109
PID 4904 wrote to memory of 2164	4904	MixerLapx.exe	111
PID 4904 wrote to memory of 2164	4904	MixerLapx.exe	111

C:\Users\Admin\AppData\Local\Temp\MixerLapx.exe
"C:\Users\Admin\AppData\Local\Temp\MixerLapx.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4904
- C:\Users\Admin\AppData\Local\Temp\MixerLapx.exe
  "C:\Users\Admin\AppData\Local\Temp\MixerLapx.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\MixerLapx" --gpu-preferences=UAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=1732,i,8389946985216925217,14661751096140448849,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version --mojo-platform-channel-handle=1724 /prefetch:2
  2⤵
  PID:2676
- C:\Users\Admin\AppData\Local\Temp\MixerLapx.exe
  "C:\Users\Admin\AppData\Local\Temp\MixerLapx.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\MixerLapx" --field-trial-handle=1920,i,8389946985216925217,14661751096140448849,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version --mojo-platform-channel-handle=1880 /prefetch:11
  2⤵
  PID:4996
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe /c "Get-CimInstance -className win32_process | select Name,ProcessId,ParentProcessId,CommandLine,ExecutablePath"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:404
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe /c "Get-CimInstance -className win32_process | select Name,ProcessId,ParentProcessId,CommandLine,ExecutablePath"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2864
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe /c "Get-CimInstance -className win32_process | select Name,ProcessId,ParentProcessId,CommandLine,ExecutablePath"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2104
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe /c "Get-CimInstance -className win32_process | select Name,ProcessId,ParentProcessId,CommandLine,ExecutablePath"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:1428
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe /c "Get-CimInstance -className win32_process | select Name,ProcessId,ParentProcessId,CommandLine,ExecutablePath"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:3172
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe /c "Get-CimInstance -className win32_process | select Name,ProcessId,ParentProcessId,CommandLine,ExecutablePath"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:4316
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe /c "Get-CimInstance -className win32_process | select Name,ProcessId,ParentProcessId,CommandLine,ExecutablePath"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:3704
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe /c "Get-CimInstance -className win32_process | select Name,ProcessId,ParentProcessId,CommandLine,ExecutablePath"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:1860
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe /c "Get-CimInstance -className win32_process | select Name,ProcessId,ParentProcessId,CommandLine,ExecutablePath"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:3968
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe /c "Get-CimInstance -className win32_process | select Name,ProcessId,ParentProcessId,CommandLine,ExecutablePath"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:4088
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe /c "Get-CimInstance -className win32_process | select Name,ProcessId,ParentProcessId,CommandLine,ExecutablePath"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:1364
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe /c "Get-CimInstance -className win32_process | select Name,ProcessId,ParentProcessId,CommandLine,ExecutablePath"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:2288
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe /c "Get-CimInstance -className win32_process | select Name,ProcessId,ParentProcessId,CommandLine,ExecutablePath"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:4868
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe /c "Get-CimInstance -className win32_process | select Name,ProcessId,ParentProcessId,CommandLine,ExecutablePath"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:3136
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe /c "Get-CimInstance -className win32_process | select Name,ProcessId,ParentProcessId,CommandLine,ExecutablePath"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:3716
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe /c "Get-CimInstance -className win32_process | select Name,ProcessId,ParentProcessId,CommandLine,ExecutablePath"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:2164
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe /c "Get-CimInstance -className win32_process | select Name,ProcessId,ParentProcessId,CommandLine,ExecutablePath"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:1840
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe /c "Get-CimInstance -className win32_process | select Name,ProcessId,ParentProcessId,CommandLine,ExecutablePath"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:224
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe /c "Get-CimInstance -className win32_process | select Name,ProcessId,ParentProcessId,CommandLine,ExecutablePath"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:744
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe /c "Get-CimInstance -className win32_process | select Name,ProcessId,ParentProcessId,CommandLine,ExecutablePath"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:3888
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe /c "Get-CimInstance -className win32_process | select Name,ProcessId,ParentProcessId,CommandLine,ExecutablePath"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:1908
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe /c "Get-CimInstance -className win32_process | select Name,ProcessId,ParentProcessId,CommandLine,ExecutablePath"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:5016
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe /c "Get-CimInstance -className win32_process | select Name,ProcessId,ParentProcessId,CommandLine,ExecutablePath"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:3628
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe /c "Get-CimInstance -className win32_process | select Name,ProcessId,ParentProcessId,CommandLine,ExecutablePath"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:4868
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe /c "Get-CimInstance -className win32_process | select Name,ProcessId,ParentProcessId,CommandLine,ExecutablePath"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:2920
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe /c "Get-CimInstance -className win32_process | select Name,ProcessId,ParentProcessId,CommandLine,ExecutablePath"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:1372
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe /c "Get-CimInstance -className win32_process | select Name,ProcessId,ParentProcessId,CommandLine,ExecutablePath"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:4876
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe /c "Get-CimInstance -className win32_process | select Name,ProcessId,ParentProcessId,CommandLine,ExecutablePath"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:2076
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe /c "Get-CimInstance -className win32_process | select Name,ProcessId,ParentProcessId,CommandLine,ExecutablePath"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:5008
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe /c "Get-CimInstance -className win32_process | select Name,ProcessId,ParentProcessId,CommandLine,ExecutablePath"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:1196
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe /c "Get-CimInstance -className win32_process | select Name,ProcessId,ParentProcessId,CommandLine,ExecutablePath"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:2788
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe /c "Get-CimInstance -className win32_process | select Name,ProcessId,ParentProcessId,CommandLine,ExecutablePath"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:3312
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe /c "Get-CimInstance -className win32_process | select Name,ProcessId,ParentProcessId,CommandLine,ExecutablePath"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:1144
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe /c "Get-CimInstance -className win32_process | select Name,ProcessId,ParentProcessId,CommandLine,ExecutablePath"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:1924
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe /c "Get-CimInstance -className win32_process | select Name,ProcessId,ParentProcessId,CommandLine,ExecutablePath"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:1248
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe /c "Get-CimInstance -className win32_process | select Name,ProcessId,ParentProcessId,CommandLine,ExecutablePath"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:1256
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe /c "Get-CimInstance -className win32_process | select Name,ProcessId,ParentProcessId,CommandLine,ExecutablePath"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:2860
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe /c "Get-CimInstance -className win32_process | select Name,ProcessId,ParentProcessId,CommandLine,ExecutablePath"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:4620
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe /c "Get-CimInstance -className win32_process | select Name,ProcessId,ParentProcessId,CommandLine,ExecutablePath"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:3168
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe /c "Get-CimInstance -className win32_process | select Name,ProcessId,ParentProcessId,CommandLine,ExecutablePath"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:3416
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe /c "Get-CimInstance -className win32_process | select Name,ProcessId,ParentProcessId,CommandLine,ExecutablePath"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:428
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe /c "Get-CimInstance -className win32_process | select Name,ProcessId,ParentProcessId,CommandLine,ExecutablePath"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:1524
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe /c "Get-CimInstance -className win32_process | select Name,ProcessId,ParentProcessId,CommandLine,ExecutablePath"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:4860
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe /c "Get-CimInstance -className win32_process | select Name,ProcessId,ParentProcessId,CommandLine,ExecutablePath"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:3236
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe /c "Get-CimInstance -className win32_process | select Name,ProcessId,ParentProcessId,CommandLine,ExecutablePath"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:2100
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe /c "Get-CimInstance -className win32_process | select Name,ProcessId,ParentProcessId,CommandLine,ExecutablePath"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:1952
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell -Command "& {Add-Type -AssemblyName System.Windows.Forms; [System.Windows.Forms.MessageBox]::Show('The application was unable to start correctly (0xc000007b). Click OK to close the application.', 'Application Error', [System.Windows.Forms.MessageBoxButtons]::OK, [System.Windows.Forms.MessageBoxIcon]::Error)}""
  2⤵
  PID:4252
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command "& {Add-Type -AssemblyName System.Windows.Forms; [System.Windows.Forms.MessageBox]::Show('The application was unable to start correctly (0xc000007b). Click OK to close the application.', 'Application Error', [System.Windows.Forms.MessageBoxButtons]::OK, [System.Windows.Forms.MessageBoxIcon]::Error)}"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:2924

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
05850c6c0442ea6966fe2a888f219f4b

SHA1
e6b1c8eb783b307672a6f06b785a7e9b78633b46

SHA256
f51b54c5f5074076216b2d0a3e66c13e80d8f1da311614ec15c9170dff11ad5a

SHA512
9db20e00e103700f67256568e38f9b37f29af3c30f3454a38b3e033c6c2f6bd796c5b5a8c5faa98bb45d7521d76c2bf323d503b8a0196cacbd701167d441c6f9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
6a515662f521977e40b5a5f306a5345b

SHA1
98969bb20c98edef9f853a96534ef38f8f1a74c7

SHA256
1aef5758cecf185fc9b50dcb925ae780c4bc46282cf60e550d41ebfa2ed12937

SHA512
9903f4d8db35c4f1ef027391e79cd1084dc20762f6c85f1de1b9f6566e99fe35625a1199d09eca3a54a1c631f09010cbb70a03dfaf2357d21ccd4cfcfeec575c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
b60753f1763226fa013c310fe75b204e

SHA1
642168f7e4788c211cb6e3aee19174307bc02c19

SHA256
ededac6cc3f49187e070c1fd3d2a785fd3fadc520507efc88140b95282f12701

SHA512
c6c5f6a6ea0e2b6ef1c0f04184db75adf8928a221c0ebbd92d9e7345e1e27d8f6c4d509b8ed58b1e526b993b6760c832609fcc01e9939b1df442edb847d02ef8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
cbd10c66a0b9614a6831e9bb184e7dbc

SHA1
6799903e8531ef431b841ed143ac817c67e40de1

SHA256
63a20b5ffbf77d6c244ddffd6c1fa536f22affdea2a96b6f11269742c5d34d23

SHA512
3f2e2d423cc1c6af92a7d0f92eb7fc442f44cf5081331b78188e25967f12b3a71928243101514e70aaa1c03cd69ec77cdaebc0613c00934d77c7bdc9935ae46d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
f782971af42d24e93b5d5b3c6665b796

SHA1
fd3737faad567f934555459a396a1c8ce5ccc5d7

SHA256
fefaa6415a4be8a3f326f4fa1f99769b2b61e17928ac29f098bbcaaec1a74d90

SHA512
3f601f882f10e39025a01cba14a91920bf5bdfd7a8cc9a7fa96b5ac77eb2cb32d9e8521275f1fc2cc909b44b0b501630befc257dd373953e938b0dea74b4ef30

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
5ab6c891f4e064a78ef404eb282eecd1

SHA1
5877f47642507b039e205866f9bdf8ad114d5ff9

SHA256
5b398adf4f43d246b884c7bb77ad740cb4b67200e7e08065636ee31cc7172f19

SHA512
916ce5841992a8aadcafbb5314a04f7f9d9269437cf68993e2342e7de165890053b5f3417ab5676c4613256716c0c76cace271737600e833d7232ae2d7200986

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
8456f1b8d8b1ece80a77539468b177f3

SHA1
1682f926d4cfdbaec7daa25fb70a9c658086a193

SHA256
9ebb407a8acf95acb1a1521e63040a32c9a503a8c33cf87af1e434a868f48567

SHA512
b5653fc1aeaf301e0db058ddba2aef0e75e64594bbb0b21aff5aa13fe4bb1aa517afa1ddbc6f016098b01f2a72721770c8d99fcd0363bff76e747d0e17c3c93f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
eb731ea244b86f832bf2c4d53d057714

SHA1
43d79305326230cab068cb1e1ca8c023d26031ef

SHA256
d4756ea84adb30607409ed640b9a3040ed03888a4048146eda6bcf5fee6d32c4

SHA512
6006b965ef273e12cafc0c947d6dae9dda4f7888ae206f8cf286c9ba81e055f4b15a838415af1bfa336e8ed2fd20b950ab38d11e12e4151733deaeec7f718390

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
564ca41cec1fc4fbca8ecba8c97e3a94

SHA1
a29902990099202ef24c8719dd4af0d6b8b0c19b

SHA256
3e0a00adc179574f1598b801aea7e27e23d0dc91c5e7e35d813d44d0291b66b2

SHA512
7fa21d6465702814cd2ed3d6306aeb8c1acab3fb126919cbede1ff436d7eb4a238c7a84cf985b1e08938e9493d3b0c95075419e8ce21356540c2fa9d5f0aae1a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
a8c5d66e32b1b6492c4bc2b457719c1e

SHA1
3fb708e6e9a8f21973b07b32888f0d5378645e63

SHA256
555a853cf629a81def14aca7ea72e3604b113bff010956cb3771308081a49d72

SHA512
a27e9860050dc334b43beb9a91ef767010a93b63b4422de0a811b73ba17c1288c57c5c59203a7ae4242a2c1ee7e11f3baf94a9386839466312ebc702c27c02f9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
5c660f6d89506ec1cfabc2094da3cc4c

SHA1
11a0408b1cb69a8d4fbfcdc23be573866e0a7764

SHA256
39782836ea8eb028f65359bbb73b1980bce132ea5a97e230075e2fd4d1730ec8

SHA512
c56b3bf5cda6575a7e03b089fc9361153c582bade92436affff43715c5f03c0c09e7fed911afe4c68310ecb9c94c0e71b676feec697ed3d939903b71f46b4348

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
0bf24cb5afce6a795556c5f78e5596d1

SHA1
346f801251325229af06f880c0df9b146d29b2cc

SHA256
1a9adebf24ba029a5dd5a93807b745becae8790bc5bc7309257ae09bdb66d08d

SHA512
538e400a94c04af4ec99c6b00f96a50822aa6c397bed8b4fdc38f045633558f1a7ab8ac67bcf96d1da2f588d90b8f586aed65818cb7062b6f9b9d3a9dbfe6872

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
5c39e433eee038dc16df911141a8df92

SHA1
38d4da7daa9422c59502b6737a0ffe524328282b

SHA256
9232acf8ac11e7e14b02ca45f88c76d3235c6721ef3a7a89c2d19e052efc6a92

SHA512
15f571027325167404db978223751840dfbcca40ef8cdaebf29dcecb7f5d2f03a331220e2a7c445b127035250a38b6e85555b658fdd8ab35e9cfc93ac4e035c4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
ee46f130f6e0a3d27fba7d3b7f73ff5b

SHA1
e9518be88fd5aaff3b45d97605031f7df08b3d3b

SHA256
bfc7cdd81857f8b89dc8fb94790ea6ccb76ef51c7e9ae405b354e648e969ca80

SHA512
aa34a9f0847025c742203d2738efdca01fcfd3821350f90184c91dd8b1ac6d9a28890278595f24c97136732c703fe27d136e9ae6903068a47836ad98693f930a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
ab123fb90422307828bb30c5c28529ef

SHA1
27a5d077882ac90932a53310bcdefec02b91e7d8

SHA256
fbf81d6de56047883ac052d7cc699dd86656ff4d0367f9c522321c9c500c1a61

SHA512
cbddd14a3499d48f28bbbc0d412b19614a03588fd75b7c6798a0cb25f4b366ddeeed9a5088062e06d5be00798544bdce65fb99bf3cc38d531f37508b3ddf03a4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
e536b3c0ebbe1d2bcccd82c98c0ff77d

SHA1
7bc3c1362335d99271d27313baaf951665fd95e1

SHA256
c100cc94cc031f3482d6668ec9b5bce6b150ee70b057c9f3f7aabda97a5eb509

SHA512
b4a613bbd6b896c25346e76fadc71904ad172be164b127ee6b6f993ba4addcbdda2e13ead4f60b8050d7faf9ea945283667bd9f6b2a4f013d6af4530048b82e3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
a08bf462767aac1490b1df175cca8b63

SHA1
7fe94497e1addcfab78c3f0b4c87ea101edf3ca6

SHA256
1fd166ece860c3219b62a527841a69874c0f17c459f396fde3e847c971776d9f

SHA512
5fbeede3bde895f5e333415eb0a09c05b7fffe08740a79eb5342028b873d845bb49ef427b1f963e6c6a7ee62ec73e90455904992729423644f8498b48bc7715b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
2b4fdd998ca4da8248bb7216d35ca3c8

SHA1
22a5a75dd06e6449abaa2f84f80c37fa0b40bb44

SHA256
0772daedcaf81482534d8e74b5e7312db84414b334b79b23e124e5cf0dbc9b0a

SHA512
fd16474b93e949d406889d990ded819aaf08695dfd6b054feed056ea403026b5035aa44d9be55075812be6c0ceddb726cd5a8154ca59b895467d69b40f06882a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
9edf4ff6d9d1ca128c97b5b46dbcb4be

SHA1
76f8549c17fd3e7c4b74b656a22bdb424e89fdda

SHA256
e8ec965d2e003fc6e23d7602664b66f1ddb36ab880a121648af0ab2fa56c874e

SHA512
70a7aad65970a2eebf243e868dbfa14cb8e1e89b815a89a0aa6f9781444d9f727826fafa3b98edf741a8a6570fd7fda580eda4e07b13ccf7f50b552d94419295

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
9ef95de05139bc0a3867fbd7485ec9f6

SHA1
98d9b592759f5fcf513a69168b694aaae19615f3

SHA256
ca836778620fdab8dae47ddaafd079ab85dd83e8d2e4fe2a054afa7e7930d100

SHA512
6e5bc8856702581dbae770eead3c2e4e4138e246af997716d8487fcd4f6581b7f07cc99b80bd30341b7509e4a0d9de426d96b55176bf5ffcea73a35a1e719f69

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
f092198303788f31f51d234cb4276250

SHA1
675632d3d77774a28b92d3e199f044b25a962b74

SHA256
4969f8aace26e9adbf40d818ba0072fd4d27909f9ee451a6f0f83daac46099c2

SHA512
cda40aa5173bd4a5e7cf646cc0e3ecfde158eb8edeec61c2b2d845335262e699338a3fbd31d88dd18adc5b5a269bec6546723b19bda1ef5a6557f4a77ace2d8e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
46d80978eadf19b503882f748308099e

SHA1
10b02a098077d462be2dedef2e3d80a57711561c

SHA256
2875c70904fb6f7de96fff4271bc3f58a8a340427d91898f09b82de9660f28e4

SHA512
6af49afa7f63db8009b95ca4f67ff067714c1ac582b6fc6836f9d4700da2c54a8ca3275149e370ba8775e812059283ebc54693b25c320d5ef58b00cff55edbe4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
c8709f2492513e413b67f81d80c4ef2e

SHA1
c0a8d9b368e2e55a0d5b3470bc23b2f5c9210db2

SHA256
c162b7a92e572998e8da6a7a53ff7ed9c525531d395676ff1b7f043efd9a6e80

SHA512
c3ea7bfb4678d09ecd4b099262d2ebeb26bb8dd537273f3c863a32acd316c324977ed1a400ddb7e8a331afae5fe96b92e5d9495d9efe8bfa28c849ba753fa865

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
e5bee094554e9062f823b539993b76cd

SHA1
df1a927bce930860508396eed2f7f2b9dbfc4f6a

SHA256
835d450bcbc00d6837201283ac38777fb718dbdb21a64c406aaf2807d4822b24

SHA512
d6b22e75658d090ad96f7d9c449b19702da8b2fb70df76702546aaea37983f5e8e0d1f0fb930e054f8391b86fa0df4679196e6ee52aae7fb5901b8d2cc0b5bde

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
2c06e5dbe26cad75eff178e8de7e1dd7

SHA1
3e95013add14213af62bc88cd137c4af99a44c46

SHA256
07c81c9d9aecc5cb2fc56f7f9c52e2e7a905927c4435a1efd1339c8f1689e453

SHA512
2b42f4f63f2dad0a1192a2d68591d7f085c3074d162b5ac46e9ffe51f4417ff26f59c677c9bffcae4512f26a6293e9d61cd2cbecb9f01354305ba20ea2bdb2a3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
d2f53226f7152802af25e814c5a7454d

SHA1
d6832f2a4f1e4a437ca72bf1a3988710b68c29f4

SHA256
ca61f3154ac540fd7e74be8d02a7e87ee1fa939a888f10313603ae64d958b461

SHA512
fc19f2eb3c11c6356907a35364f167ccff4114d7b5141807daaa9e24266f51d343f56b9aa06ba48a2f8e0d4c5520baff87edd54184663ee42530eec2d7ef2e84

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
9c33215baa5955c2bb8f83e1679ce55b

SHA1
307986652c8342e1f9cc3ac422bd2fdd03d2d84b

SHA256
9ef2471e253bc9223f5ad75025884aeacc9efb65b7ab05b29a46898cb61378c2

SHA512
2bf6c1af58dc5a51bb4345cd8d29e1e3aa2585b834d62720938747a18bbf7f3c66967706443a5f3915cd52bdd3059ca6701a9ae3b4088aaa1ef5904655e4dad5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
fd8e63e521cfee70168a142fa669fdd0

SHA1
07a82a45851961e5eba8ce01306112ba4da4ff51

SHA256
6dbb79bf7402fc9c8afd6439fd7653602ae8794ecff5808ae9aade0d67b15eb0

SHA512
1cbf626f5e835545ab3284b5ea8cfe8d3c3540a88e03b0033ed800b8d4b37c3e3318fa5393ff562496a5dfd53ee01700bc8ef1f25a6a53dfe0a6d78a67f57395

Download Submit
C:\Users\Admin\AppData\Local\Temp\5ca489a6-aee4-4311-99f3-5d6f78f1d84f.zip

Filesize
128B

MD5
3014b94c0e94f920a9d62306bdf47e50

SHA1
177793c43c08af0ff91631cf0a2f98f60ff20079

SHA256
a0f8c1b976f38ba00a208940391bb53ee96a05ab8adf2e917ccb5718077e32ab

SHA512
763a88deebf9899b00b8109a0cc844195470c18265a577ad8ac4665336867d8454279e55fedcb7244bdce24ebb5d00f67fa60b407472669d6a80454ce62edb3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_51aktmzr.ash.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/404-13-0x0000021930990000-0x00000219309B4000-memory.dmp

Filesize
144KB

Download
memory/404-12-0x0000021930990000-0x00000219309BA000-memory.dmp

Filesize
168KB

Download
memory/404-9-0x00000219308C0000-0x00000219308E2000-memory.dmp

Filesize
136KB

Download