221944cf8cf33d706f1418545c2cc5f375743e0cb2db913ceda97b7eef31f776

Resubmissions

04-09-2024 18:54

240904-xkj9kavdjq 9

04-09-2024 18:42

240904-xcj9lawdkc 9

Analysis

max time kernel
433s
max time network
1156s
platform
windows11-21h2_x64
resource
win11-20240802-en
resource tags

arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
submitted
04-09-2024 18:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

MixerLapx.exe
Size

177.5MB
MD5

52ca1f3fae0ed5d90a9700949e63639b
SHA1

1e4d11282529e87a0652249bbcc4ba4953e82ba8
SHA256

a1e27c69e0d104f6f89ef98d5baa6718fc3de16462c0a7063552383b845eefe6
SHA512

64ffdecf041ad2c08351aa8986a73cd87c64f1a5c6ac394c48075fe4b9cc6f3fa865d5daf79a4081146d879d235d6bec2eb83e6662461c1a7a1a6d4cd3b5d945
SSDEEP

1572864:t6SlyW//ASwc0eKrtjR3QelIHvSfIc7ro6f1cVYc+lj3PVXaC2DPLTCncMHzNHt9:o4KZxQrFQl

Score

9^/10

credential_access discovery execution spyware stealer

Malware Config

Signatures

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Command and Scripting Interpreter: PowerShell 1 TTPs 47 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
2988	powershell.exe
756	powershell.exe
1696	powershell.exe
2464	powershell.exe
3744	powershell.exe
4140	powershell.exe
3464	powershell.exe
3292	powershell.exe
2948	powershell.exe
2156	powershell.exe
4892	powershell.exe
1552	powershell.exe
2044	powershell.exe
2676	powershell.exe
3980	powershell.exe
1028	powershell.exe
1668	powershell.exe
4296	powershell.exe
3588	powershell.exe
4464	powershell.exe
968	powershell.exe
4496	powershell.exe
1032	powershell.exe
4768	powershell.exe
1832	powershell.exe
672	powershell.exe
2580	powershell.exe
4464	powershell.exe
3340	powershell.exe
3268	powershell.exe
656	powershell.exe
2240	powershell.exe
2568	powershell.exe
984	powershell.exe
1540	powershell.exe
4088	powershell.exe
1880	powershell.exe
1028	powershell.exe
4784	powershell.exe
2860	powershell.exe
3152	powershell.exe
1960	powershell.exe
2252	powershell.exe
4588	powershell.exe
2520	powershell.exe
1988	powershell.exe
412	powershell.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2240	powershell.exe
2240	powershell.exe
3292	powershell.exe
3292	powershell.exe
4464	powershell.exe
4464	powershell.exe
2948	powershell.exe
2948	powershell.exe
2464	powershell.exe
2464	powershell.exe
3744	powershell.exe
3744	powershell.exe
4784	powershell.exe
4784	powershell.exe
3340	powershell.exe
3340	powershell.exe
4588	powershell.exe
4588	powershell.exe
2860	powershell.exe
2860	powershell.exe
1028	powershell.exe
1028	powershell.exe
1668	powershell.exe
1668	powershell.exe
4296	powershell.exe
4296	powershell.exe
2156	powershell.exe
2156	powershell.exe
2520	powershell.exe
2520	powershell.exe
3588	powershell.exe
3588	powershell.exe
4140	powershell.exe
4140	powershell.exe
2568	powershell.exe
2568	powershell.exe
3152	powershell.exe
3152	powershell.exe
3464	powershell.exe
3464	powershell.exe
1960	powershell.exe
1960	powershell.exe
4088	powershell.exe
4088	powershell.exe
1552	powershell.exe
1552	powershell.exe
984	powershell.exe
984	powershell.exe
756	powershell.exe
756	powershell.exe
1988	powershell.exe
1988	powershell.exe
3268	powershell.exe
3268	powershell.exe
1880	powershell.exe
1880	powershell.exe
2044	powershell.exe
2044	powershell.exe
412	powershell.exe
412	powershell.exe
2676	powershell.exe
2676	powershell.exe
4768	powershell.exe
4768	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2240	powershell.exe
Token: SeIncreaseQuotaPrivilege	2240	powershell.exe
Token: SeSecurityPrivilege	2240	powershell.exe
Token: SeTakeOwnershipPrivilege	2240	powershell.exe
Token: SeLoadDriverPrivilege	2240	powershell.exe
Token: SeSystemProfilePrivilege	2240	powershell.exe
Token: SeSystemtimePrivilege	2240	powershell.exe
Token: SeProfSingleProcessPrivilege	2240	powershell.exe
Token: SeIncBasePriorityPrivilege	2240	powershell.exe
Token: SeCreatePagefilePrivilege	2240	powershell.exe
Token: SeBackupPrivilege	2240	powershell.exe
Token: SeRestorePrivilege	2240	powershell.exe
Token: SeShutdownPrivilege	2240	powershell.exe
Token: SeDebugPrivilege	2240	powershell.exe
Token: SeSystemEnvironmentPrivilege	2240	powershell.exe
Token: SeRemoteShutdownPrivilege	2240	powershell.exe
Token: SeUndockPrivilege	2240	powershell.exe
Token: SeManageVolumePrivilege	2240	powershell.exe
Token: 33	2240	powershell.exe
Token: 34	2240	powershell.exe
Token: 35	2240	powershell.exe
Token: 36	2240	powershell.exe
Token: SeShutdownPrivilege	1840	MixerLapx.exe
Token: SeCreatePagefilePrivilege	1840	MixerLapx.exe
Token: SeDebugPrivilege	3292	powershell.exe
Token: SeIncreaseQuotaPrivilege	3292	powershell.exe
Token: SeSecurityPrivilege	3292	powershell.exe
Token: SeTakeOwnershipPrivilege	3292	powershell.exe
Token: SeLoadDriverPrivilege	3292	powershell.exe
Token: SeSystemProfilePrivilege	3292	powershell.exe
Token: SeSystemtimePrivilege	3292	powershell.exe
Token: SeProfSingleProcessPrivilege	3292	powershell.exe
Token: SeIncBasePriorityPrivilege	3292	powershell.exe
Token: SeCreatePagefilePrivilege	3292	powershell.exe
Token: SeBackupPrivilege	3292	powershell.exe
Token: SeRestorePrivilege	3292	powershell.exe
Token: SeShutdownPrivilege	3292	powershell.exe
Token: SeDebugPrivilege	3292	powershell.exe
Token: SeSystemEnvironmentPrivilege	3292	powershell.exe
Token: SeRemoteShutdownPrivilege	3292	powershell.exe
Token: SeUndockPrivilege	3292	powershell.exe
Token: SeManageVolumePrivilege	3292	powershell.exe
Token: 33	3292	powershell.exe
Token: 34	3292	powershell.exe
Token: 35	3292	powershell.exe
Token: 36	3292	powershell.exe
Token: SeDebugPrivilege	4464	powershell.exe
Token: SeIncreaseQuotaPrivilege	4464	powershell.exe
Token: SeSecurityPrivilege	4464	powershell.exe
Token: SeTakeOwnershipPrivilege	4464	powershell.exe
Token: SeLoadDriverPrivilege	4464	powershell.exe
Token: SeSystemProfilePrivilege	4464	powershell.exe
Token: SeSystemtimePrivilege	4464	powershell.exe
Token: SeProfSingleProcessPrivilege	4464	powershell.exe
Token: SeIncBasePriorityPrivilege	4464	powershell.exe
Token: SeCreatePagefilePrivilege	4464	powershell.exe
Token: SeBackupPrivilege	4464	powershell.exe
Token: SeRestorePrivilege	4464	powershell.exe
Token: SeShutdownPrivilege	4464	powershell.exe
Token: SeDebugPrivilege	4464	powershell.exe
Token: SeSystemEnvironmentPrivilege	4464	powershell.exe
Token: SeRemoteShutdownPrivilege	4464	powershell.exe
Token: SeUndockPrivilege	4464	powershell.exe
Token: SeManageVolumePrivilege	4464	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1840 wrote to memory of 3260	1840	MixerLapx.exe	80
PID 1840 wrote to memory of 3260	1840	MixerLapx.exe	80
PID 1840 wrote to memory of 3260	1840	MixerLapx.exe	80
PID 1840 wrote to memory of 3260	1840	MixerLapx.exe	80
PID 1840 wrote to memory of 3260	1840	MixerLapx.exe	80
PID 1840 wrote to memory of 3260	1840	MixerLapx.exe	80
PID 1840 wrote to memory of 3260	1840	MixerLapx.exe	80
PID 1840 wrote to memory of 3260	1840	MixerLapx.exe	80
PID 1840 wrote to memory of 3260	1840	MixerLapx.exe	80
PID 1840 wrote to memory of 3260	1840	MixerLapx.exe	80
PID 1840 wrote to memory of 3260	1840	MixerLapx.exe	80
PID 1840 wrote to memory of 3260	1840	MixerLapx.exe	80
PID 1840 wrote to memory of 3260	1840	MixerLapx.exe	80
PID 1840 wrote to memory of 3260	1840	MixerLapx.exe	80
PID 1840 wrote to memory of 3260	1840	MixerLapx.exe	80
PID 1840 wrote to memory of 3260	1840	MixerLapx.exe	80
PID 1840 wrote to memory of 3260	1840	MixerLapx.exe	80
PID 1840 wrote to memory of 3260	1840	MixerLapx.exe	80
PID 1840 wrote to memory of 3260	1840	MixerLapx.exe	80
PID 1840 wrote to memory of 3260	1840	MixerLapx.exe	80
PID 1840 wrote to memory of 3260	1840	MixerLapx.exe	80
PID 1840 wrote to memory of 3260	1840	MixerLapx.exe	80
PID 1840 wrote to memory of 3260	1840	MixerLapx.exe	80
PID 1840 wrote to memory of 3260	1840	MixerLapx.exe	80
PID 1840 wrote to memory of 3260	1840	MixerLapx.exe	80
PID 1840 wrote to memory of 3260	1840	MixerLapx.exe	80
PID 1840 wrote to memory of 3260	1840	MixerLapx.exe	80
PID 1840 wrote to memory of 3260	1840	MixerLapx.exe	80
PID 1840 wrote to memory of 3260	1840	MixerLapx.exe	80
PID 1840 wrote to memory of 3260	1840	MixerLapx.exe	80
PID 1840 wrote to memory of 2240	1840	MixerLapx.exe	81
PID 1840 wrote to memory of 2240	1840	MixerLapx.exe	81
PID 1840 wrote to memory of 2280	1840	MixerLapx.exe	83
PID 1840 wrote to memory of 2280	1840	MixerLapx.exe	83
PID 1840 wrote to memory of 3292	1840	MixerLapx.exe	85
PID 1840 wrote to memory of 3292	1840	MixerLapx.exe	85
PID 1840 wrote to memory of 4464	1840	MixerLapx.exe	87
PID 1840 wrote to memory of 4464	1840	MixerLapx.exe	87
PID 1840 wrote to memory of 2948	1840	MixerLapx.exe	89
PID 1840 wrote to memory of 2948	1840	MixerLapx.exe	89
PID 1840 wrote to memory of 2464	1840	MixerLapx.exe	91
PID 1840 wrote to memory of 2464	1840	MixerLapx.exe	91
PID 1840 wrote to memory of 3744	1840	MixerLapx.exe	93
PID 1840 wrote to memory of 3744	1840	MixerLapx.exe	93
PID 1840 wrote to memory of 4784	1840	MixerLapx.exe	95
PID 1840 wrote to memory of 4784	1840	MixerLapx.exe	95
PID 1840 wrote to memory of 3340	1840	MixerLapx.exe	97
PID 1840 wrote to memory of 3340	1840	MixerLapx.exe	97
PID 1840 wrote to memory of 4588	1840	MixerLapx.exe	99
PID 1840 wrote to memory of 4588	1840	MixerLapx.exe	99
PID 1840 wrote to memory of 2860	1840	MixerLapx.exe	101
PID 1840 wrote to memory of 2860	1840	MixerLapx.exe	101
PID 1840 wrote to memory of 1028	1840	MixerLapx.exe	103
PID 1840 wrote to memory of 1028	1840	MixerLapx.exe	103
PID 1840 wrote to memory of 1668	1840	MixerLapx.exe	105
PID 1840 wrote to memory of 1668	1840	MixerLapx.exe	105
PID 1840 wrote to memory of 4296	1840	MixerLapx.exe	107
PID 1840 wrote to memory of 4296	1840	MixerLapx.exe	107
PID 1840 wrote to memory of 2156	1840	MixerLapx.exe	109
PID 1840 wrote to memory of 2156	1840	MixerLapx.exe	109
PID 1840 wrote to memory of 2520	1840	MixerLapx.exe	111
PID 1840 wrote to memory of 2520	1840	MixerLapx.exe	111
PID 1840 wrote to memory of 3588	1840	MixerLapx.exe	113
PID 1840 wrote to memory of 3588	1840	MixerLapx.exe	113

C:\Users\Admin\AppData\Local\Temp\MixerLapx.exe
"C:\Users\Admin\AppData\Local\Temp\MixerLapx.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1840
- C:\Users\Admin\AppData\Local\Temp\MixerLapx.exe
  "C:\Users\Admin\AppData\Local\Temp\MixerLapx.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\MixerLapx" --gpu-preferences=UAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=1732,i,845289100635326715,15497284857734595607,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version --mojo-platform-channel-handle=1724 /prefetch:2
  2⤵
  PID:3260
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe /c "Get-CimInstance -className win32_process | select Name,ProcessId,ParentProcessId,CommandLine,ExecutablePath"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2240
- C:\Users\Admin\AppData\Local\Temp\MixerLapx.exe
  "C:\Users\Admin\AppData\Local\Temp\MixerLapx.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\MixerLapx" --field-trial-handle=1996,i,845289100635326715,15497284857734595607,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version --mojo-platform-channel-handle=1976 /prefetch:11
  2⤵
  PID:2280
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe /c "Get-CimInstance -className win32_process | select Name,ProcessId,ParentProcessId,CommandLine,ExecutablePath"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3292
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe /c "Get-CimInstance -className win32_process | select Name,ProcessId,ParentProcessId,CommandLine,ExecutablePath"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4464
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe /c "Get-CimInstance -className win32_process | select Name,ProcessId,ParentProcessId,CommandLine,ExecutablePath"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:2948
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe /c "Get-CimInstance -className win32_process | select Name,ProcessId,ParentProcessId,CommandLine,ExecutablePath"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:2464
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe /c "Get-CimInstance -className win32_process | select Name,ProcessId,ParentProcessId,CommandLine,ExecutablePath"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:3744
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe /c "Get-CimInstance -className win32_process | select Name,ProcessId,ParentProcessId,CommandLine,ExecutablePath"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:4784
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe /c "Get-CimInstance -className win32_process | select Name,ProcessId,ParentProcessId,CommandLine,ExecutablePath"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:3340
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe /c "Get-CimInstance -className win32_process | select Name,ProcessId,ParentProcessId,CommandLine,ExecutablePath"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:4588
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe /c "Get-CimInstance -className win32_process | select Name,ProcessId,ParentProcessId,CommandLine,ExecutablePath"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:2860
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe /c "Get-CimInstance -className win32_process | select Name,ProcessId,ParentProcessId,CommandLine,ExecutablePath"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:1028
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe /c "Get-CimInstance -className win32_process | select Name,ProcessId,ParentProcessId,CommandLine,ExecutablePath"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:1668
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe /c "Get-CimInstance -className win32_process | select Name,ProcessId,ParentProcessId,CommandLine,ExecutablePath"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:4296
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe /c "Get-CimInstance -className win32_process | select Name,ProcessId,ParentProcessId,CommandLine,ExecutablePath"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:2156
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe /c "Get-CimInstance -className win32_process | select Name,ProcessId,ParentProcessId,CommandLine,ExecutablePath"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:2520
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe /c "Get-CimInstance -className win32_process | select Name,ProcessId,ParentProcessId,CommandLine,ExecutablePath"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:3588
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe /c "Get-CimInstance -className win32_process | select Name,ProcessId,ParentProcessId,CommandLine,ExecutablePath"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:4140
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe /c "Get-CimInstance -className win32_process | select Name,ProcessId,ParentProcessId,CommandLine,ExecutablePath"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:2568
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe /c "Get-CimInstance -className win32_process | select Name,ProcessId,ParentProcessId,CommandLine,ExecutablePath"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:3152
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe /c "Get-CimInstance -className win32_process | select Name,ProcessId,ParentProcessId,CommandLine,ExecutablePath"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:3464
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe /c "Get-CimInstance -className win32_process | select Name,ProcessId,ParentProcessId,CommandLine,ExecutablePath"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:1960
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe /c "Get-CimInstance -className win32_process | select Name,ProcessId,ParentProcessId,CommandLine,ExecutablePath"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:4088
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe /c "Get-CimInstance -className win32_process | select Name,ProcessId,ParentProcessId,CommandLine,ExecutablePath"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:1552
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe /c "Get-CimInstance -className win32_process | select Name,ProcessId,ParentProcessId,CommandLine,ExecutablePath"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:984
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe /c "Get-CimInstance -className win32_process | select Name,ProcessId,ParentProcessId,CommandLine,ExecutablePath"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:756
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe /c "Get-CimInstance -className win32_process | select Name,ProcessId,ParentProcessId,CommandLine,ExecutablePath"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:1988
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe /c "Get-CimInstance -className win32_process | select Name,ProcessId,ParentProcessId,CommandLine,ExecutablePath"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:3268
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe /c "Get-CimInstance -className win32_process | select Name,ProcessId,ParentProcessId,CommandLine,ExecutablePath"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:1880
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe /c "Get-CimInstance -className win32_process | select Name,ProcessId,ParentProcessId,CommandLine,ExecutablePath"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:2044
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe /c "Get-CimInstance -className win32_process | select Name,ProcessId,ParentProcessId,CommandLine,ExecutablePath"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:412
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe /c "Get-CimInstance -className win32_process | select Name,ProcessId,ParentProcessId,CommandLine,ExecutablePath"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:2676
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe /c "Get-CimInstance -className win32_process | select Name,ProcessId,ParentProcessId,CommandLine,ExecutablePath"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:4768
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe /c "Get-CimInstance -className win32_process | select Name,ProcessId,ParentProcessId,CommandLine,ExecutablePath"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:656
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe /c "Get-CimInstance -className win32_process | select Name,ProcessId,ParentProcessId,CommandLine,ExecutablePath"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:3980
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe /c "Get-CimInstance -className win32_process | select Name,ProcessId,ParentProcessId,CommandLine,ExecutablePath"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:1832
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe /c "Get-CimInstance -className win32_process | select Name,ProcessId,ParentProcessId,CommandLine,ExecutablePath"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:1540
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe /c "Get-CimInstance -className win32_process | select Name,ProcessId,ParentProcessId,CommandLine,ExecutablePath"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:1696
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe /c "Get-CimInstance -className win32_process | select Name,ProcessId,ParentProcessId,CommandLine,ExecutablePath"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:672
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe /c "Get-CimInstance -className win32_process | select Name,ProcessId,ParentProcessId,CommandLine,ExecutablePath"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:2580
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe /c "Get-CimInstance -className win32_process | select Name,ProcessId,ParentProcessId,CommandLine,ExecutablePath"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:4464
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe /c "Get-CimInstance -className win32_process | select Name,ProcessId,ParentProcessId,CommandLine,ExecutablePath"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:4892
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe /c "Get-CimInstance -className win32_process | select Name,ProcessId,ParentProcessId,CommandLine,ExecutablePath"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:1028
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe /c "Get-CimInstance -className win32_process | select Name,ProcessId,ParentProcessId,CommandLine,ExecutablePath"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:968
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe /c "Get-CimInstance -className win32_process | select Name,ProcessId,ParentProcessId,CommandLine,ExecutablePath"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:4496
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe /c "Get-CimInstance -className win32_process | select Name,ProcessId,ParentProcessId,CommandLine,ExecutablePath"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:1032
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe /c "Get-CimInstance -className win32_process | select Name,ProcessId,ParentProcessId,CommandLine,ExecutablePath"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:2252
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell -Command "& {Add-Type -AssemblyName System.Windows.Forms; [System.Windows.Forms.MessageBox]::Show('The application was unable to start correctly (0xc000007b). Click OK to close the application.', 'Application Error', [System.Windows.Forms.MessageBoxButtons]::OK, [System.Windows.Forms.MessageBoxIcon]::Error)}""
  2⤵
  PID:4140
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command "& {Add-Type -AssemblyName System.Windows.Forms; [System.Windows.Forms.MessageBox]::Show('The application was unable to start correctly (0xc000007b). Click OK to close the application.', 'Application Error', [System.Windows.Forms.MessageBoxButtons]::OK, [System.Windows.Forms.MessageBoxIcon]::Error)}"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:2988

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
05850c6c0442ea6966fe2a888f219f4b

SHA1
e6b1c8eb783b307672a6f06b785a7e9b78633b46

SHA256
f51b54c5f5074076216b2d0a3e66c13e80d8f1da311614ec15c9170dff11ad5a

SHA512
9db20e00e103700f67256568e38f9b37f29af3c30f3454a38b3e033c6c2f6bd796c5b5a8c5faa98bb45d7521d76c2bf323d503b8a0196cacbd701167d441c6f9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
46d80978eadf19b503882f748308099e

SHA1
10b02a098077d462be2dedef2e3d80a57711561c

SHA256
2875c70904fb6f7de96fff4271bc3f58a8a340427d91898f09b82de9660f28e4

SHA512
6af49afa7f63db8009b95ca4f67ff067714c1ac582b6fc6836f9d4700da2c54a8ca3275149e370ba8775e812059283ebc54693b25c320d5ef58b00cff55edbe4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
18302296a716b889ed3c8a4895c16fec

SHA1
50f0f1f6b4ef3937ea01e0fdfb2c05e859ebc481

SHA256
261d52371a53911470cb09041e30754fd4df69acb578d882681d04732bbbbbd2

SHA512
9f6627bd0776116502264587cfd84691cb45e44e5b3e2cc9d2e06eb6977ec76ed6cc88cdd591ed177115581a59499d8751c881a82b1240ceff25c3edc9c2766c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
91a98ae555566d81d6a4ae289121c56a

SHA1
636745623694f14ab9758edfdc735b1af9c29dcc

SHA256
685239b80bbb45f0d527af3c579b40d3b9b7640f0504e8a8a2007aa55e58e97e

SHA512
f13944ccbaea0af23e9cfd909252c5cbb095fff43c4b13b58ac9129b71e41f2e7ea8e7bb9ef57613f4214bbaf05d35d9fd7cfa9b823baa8f7e3945072f27da79

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
43a0d155f66a588573c55381c855a5fb

SHA1
c16cd0b03b19d435158a5f9c1e463b256c15071d

SHA256
0796a1d396f7d62eb715fcde2afc081325d7aedd356f6d86c9d2004d9ecc2179

SHA512
bd0be32eb74093f30c5e0082fbb8b90348d3a8e883cf93d6e0092e15e349cd516af30d6060f130cc22ebe3e0538680046a698916a3067900d4f7530ba4702f63

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
b1b8903e7415e24aa235bc0e637bb332

SHA1
f76a1cd6a373f399e234f3f2639aaf2b95f0383b

SHA256
42e674aa7733c9d9be4d8e62b3bc373866150cb62996f5d929d7101d61b8404b

SHA512
2aeabbbaa565b9762f52e8fcfcd7c5034a4d02e6cf202529689cea36f3886986a76aa51c3bd4928cc12528dfbb81c8aa95358dbeab29e45fec4b491eb1327bd2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
bbe55c4838e264e67f2d77bcca5da461

SHA1
21ac4387a354ac3ad24f970633d795e559614d95

SHA256
bb6d013190327bcccf4c8d8dd421757695a3cfd656e48d7048f041fee2fb51f8

SHA512
9848837a53aeb8c30d7d31c4f4abe9844e71a655909ed0e3e5e1d381754c8dedf61c4c83b989c21dabc50239cb04cbd23958e0eaf8c6d52b0e8aaa342ce335c2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
d7eea1629b70cc7ebf9bd20059e83581

SHA1
c828586f7d588b4cacf0aff5c33561efad9e297b

SHA256
5d7470a644b39c3e8d246d448c7ba9424cdac7b9767f5e260b3133b6f93f1244

SHA512
6df7c11bb180519842e276641bcce9dbf46ecb3ac7b436045531fcaa93ff15c2a3b648dc5b4a2f8dcd4d0d8c641bac5d8b598d7ac7de83b5b1c722dfa79c2694

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
9c33215baa5955c2bb8f83e1679ce55b

SHA1
307986652c8342e1f9cc3ac422bd2fdd03d2d84b

SHA256
9ef2471e253bc9223f5ad75025884aeacc9efb65b7ab05b29a46898cb61378c2

SHA512
2bf6c1af58dc5a51bb4345cd8d29e1e3aa2585b834d62720938747a18bbf7f3c66967706443a5f3915cd52bdd3059ca6701a9ae3b4088aaa1ef5904655e4dad5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
a08bf462767aac1490b1df175cca8b63

SHA1
7fe94497e1addcfab78c3f0b4c87ea101edf3ca6

SHA256
1fd166ece860c3219b62a527841a69874c0f17c459f396fde3e847c971776d9f

SHA512
5fbeede3bde895f5e333415eb0a09c05b7fffe08740a79eb5342028b873d845bb49ef427b1f963e6c6a7ee62ec73e90455904992729423644f8498b48bc7715b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
3156193c1bd3753200faeb10c0851a16

SHA1
a6783a3e01ca1dd9ffe26af4d29f8272ff2aad01

SHA256
39999a55ea6ac8dce68d5e8486af32be7bb2c60632d9f721ec4938a435457699

SHA512
bdbee0b3e412f6a0658ad87b68b7cf7c6e3094164d22ae8fba4864829015aa74d58dfa50f9276456505585b3434995c498dfe6d8ec64f6292aa50063380ed191

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
cde83f7e1905c8ff671b75ca69ff9ac2

SHA1
06c40e4b6c2a3e87a297745ef2094e98fba4039a

SHA256
5bb5053f46cb147501b0008d6a92eeaa122067b906e34d4d80589fdea44e8dfc

SHA512
79e524e6ec160b9e14aa68c3b004d058ff73b9148280a5ce241a40a8e54b2f5c0b2a452a4dec168b6c120096e14b6280997f33490adafa90fb525c1dd175054d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
024d803ed58757dfcbe1df455036cdcb

SHA1
16757272bf16eb5fd5fecdbebf5c6c5c2702ca2a

SHA256
33752e48fac608ad25ecfbc38af04d618efe46dba7145be1638450fb658679b4

SHA512
dedc954b15b13446b62d3b4b037ee7b7c84c1e06fa769a544393fbb4489bbca94d20a4802e9bdb03af47787032efe2ca01481ac25b34da97439ce8dad5f67714

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
a40af3faafdfd24bf2222a8e012bc0e9

SHA1
1be750664b670204d1c50ffa644e599413f95067

SHA256
2ebfa8a75456b6907849edefb65bd49580c5f09e19a6901e7da75b550d143573

SHA512
bdf7a39c7730684c80d31974802938913d6f3a56f8d6b076583ea14a8d82dd9ffa7ef090b1f2621970cbf54d3651c63110c6cee8a37bbfd7f1b00b56a1e03313

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
ff1c2d16ce65fcf5eebf5b275f60bab3

SHA1
110027a0db810e3f65e7c12629ba3b525b83748a

SHA256
f679ad30ee2b140b1097f5db112d55bf91f7795c32d1c92b9d39755cb722137c

SHA512
d21292bbe7b8fed4c6d526ccb8a3f5d97d87890c6d65260cb88f16e065eba24f14db62be9b8df3e19b6a17b11af1f58f8c8d406280b5e4d101d567a7f55120f6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
9ef95de05139bc0a3867fbd7485ec9f6

SHA1
98d9b592759f5fcf513a69168b694aaae19615f3

SHA256
ca836778620fdab8dae47ddaafd079ab85dd83e8d2e4fe2a054afa7e7930d100

SHA512
6e5bc8856702581dbae770eead3c2e4e4138e246af997716d8487fcd4f6581b7f07cc99b80bd30341b7509e4a0d9de426d96b55176bf5ffcea73a35a1e719f69

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
564ca41cec1fc4fbca8ecba8c97e3a94

SHA1
a29902990099202ef24c8719dd4af0d6b8b0c19b

SHA256
3e0a00adc179574f1598b801aea7e27e23d0dc91c5e7e35d813d44d0291b66b2

SHA512
7fa21d6465702814cd2ed3d6306aeb8c1acab3fb126919cbede1ff436d7eb4a238c7a84cf985b1e08938e9493d3b0c95075419e8ce21356540c2fa9d5f0aae1a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
65a759389efaf16d1afee6c7a820696d

SHA1
1bb797ee84b3ec1f82667df73d8cdbec09fa3177

SHA256
1b119fff2bdc1b444d3a8afbae8967089eef04ab336393ff37179addcb13e96c

SHA512
b1e7d13f04399de0822c42d12c856276feb1108f91bf4fe9ecd30c9c8bcfa8fcb3f2b2666e9d1081b96a2b9d9ee7ba40f4e680fcd2a10d1ffe67a1aed8701056

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
e5bee094554e9062f823b539993b76cd

SHA1
df1a927bce930860508396eed2f7f2b9dbfc4f6a

SHA256
835d450bcbc00d6837201283ac38777fb718dbdb21a64c406aaf2807d4822b24

SHA512
d6b22e75658d090ad96f7d9c449b19702da8b2fb70df76702546aaea37983f5e8e0d1f0fb930e054f8391b86fa0df4679196e6ee52aae7fb5901b8d2cc0b5bde

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
8456f1b8d8b1ece80a77539468b177f3

SHA1
1682f926d4cfdbaec7daa25fb70a9c658086a193

SHA256
9ebb407a8acf95acb1a1521e63040a32c9a503a8c33cf87af1e434a868f48567

SHA512
b5653fc1aeaf301e0db058ddba2aef0e75e64594bbb0b21aff5aa13fe4bb1aa517afa1ddbc6f016098b01f2a72721770c8d99fcd0363bff76e747d0e17c3c93f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
41b5e4af3eaf8486779ff4f04490ac59

SHA1
9a0d773e20de805cbe0b02d5e070757d9327f603

SHA256
7978b3c8bb7bc8c10e30f71e0e9d6fad5bad448d38fd7a8891fc4da070b733b9

SHA512
61db35a50df04cae0a15ad895ca0c102048739c6275f074c17eb40a8b1aa0a37b4801c8edcac7aab5e1e8558eb7296dd47309b10b8ce0b5957854aa166539971

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
2aa50c6fc2648fdb314c375829b1b3d4

SHA1
3105aa6bdd0b24c82f9ea24ad1df2ca809e32a59

SHA256
c7a8e713a240d9a2f61da2b4a135d5de23067b68a6a43e2bdf0bcfd0ff7a6f15

SHA512
e046a4d196c493ac7210a025ecdd5ff7816c5c63e2ee7393148a292e48caa95bfe683095e9f4d67b71cb1cabf5cff4738ed750214dca9a618e3601625db860da

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
94c5017ade3aac76cce12215d807928a

SHA1
ad7e6c16482a774cb88ef86e71c062377bb0b9a6

SHA256
97ea8ce677a675000c586130b7b4e9097436490b6618224bcdee8ce00c4bb0f2

SHA512
d516a87041eb723ea424a4b08abf5cf09eb8928650b2465fc596fed82912accc05764f46b0b3cc36da01890fb6620619d7ccc45d0a5631dbc332af23cd4e40a3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
f092198303788f31f51d234cb4276250

SHA1
675632d3d77774a28b92d3e199f044b25a962b74

SHA256
4969f8aace26e9adbf40d818ba0072fd4d27909f9ee451a6f0f83daac46099c2

SHA512
cda40aa5173bd4a5e7cf646cc0e3ecfde158eb8edeec61c2b2d845335262e699338a3fbd31d88dd18adc5b5a269bec6546723b19bda1ef5a6557f4a77ace2d8e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
8ed04360d1f6a57041e91fdf9dba7f58

SHA1
a77eb7825f05066d59a9b94177765f1f0c2f1c1f

SHA256
5ea23f6b8031df33e0a41ba4819c5dc37c8476bcbab468523daa8c5a9d9494cb

SHA512
ce2f3679c419b02f84b77ac04f4f1170ff25f2e46302e81e14023f982142659b70d1d0db7c6008a12b65d2c2b3ceb0f6ec0fbb014f015d44e0067a21681a8acd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
8297beabfe00f6d57ca17ce4cc489ac3

SHA1
470118d600b4cccee259df7a86f97ec5b720f7b5

SHA256
913b4c69cbc838b6ba1c99a3c6f19c565ff78cb2ac4cb18baeb04aea364bb73e

SHA512
0c382e4be2041194dd6e1c8617f0475ed963cbc3346999c677b24c485d77f0f7212be69aad41ba20279b89a9144d8a260cc8cc9822144fa5db0d3d375e07dbe3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
497617ab709717a67b35a48135044dbf

SHA1
8591be0845dbb3bd51cc7eb641772e55e1c93289

SHA256
9c6454994c566c56c7b7f5c07c137ff2cc7f1f7a2735d9f4a1911de6df7ec42b

SHA512
06d67b55a2db2684f52743a4a1997ce01882e173372f72bec635456a1762e7e64e6dffcfca04d4c13021706f90ce86b8c3c7601a9397ecdad8c23eb831822a70

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
cbd10c66a0b9614a6831e9bb184e7dbc

SHA1
6799903e8531ef431b841ed143ac817c67e40de1

SHA256
63a20b5ffbf77d6c244ddffd6c1fa536f22affdea2a96b6f11269742c5d34d23

SHA512
3f2e2d423cc1c6af92a7d0f92eb7fc442f44cf5081331b78188e25967f12b3a71928243101514e70aaa1c03cd69ec77cdaebc0613c00934d77c7bdc9935ae46d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
eb731ea244b86f832bf2c4d53d057714

SHA1
43d79305326230cab068cb1e1ca8c023d26031ef

SHA256
d4756ea84adb30607409ed640b9a3040ed03888a4048146eda6bcf5fee6d32c4

SHA512
6006b965ef273e12cafc0c947d6dae9dda4f7888ae206f8cf286c9ba81e055f4b15a838415af1bfa336e8ed2fd20b950ab38d11e12e4151733deaeec7f718390

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
a8c5d66e32b1b6492c4bc2b457719c1e

SHA1
3fb708e6e9a8f21973b07b32888f0d5378645e63

SHA256
555a853cf629a81def14aca7ea72e3604b113bff010956cb3771308081a49d72

SHA512
a27e9860050dc334b43beb9a91ef767010a93b63b4422de0a811b73ba17c1288c57c5c59203a7ae4242a2c1ee7e11f3baf94a9386839466312ebc702c27c02f9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
e536b3c0ebbe1d2bcccd82c98c0ff77d

SHA1
7bc3c1362335d99271d27313baaf951665fd95e1

SHA256
c100cc94cc031f3482d6668ec9b5bce6b150ee70b057c9f3f7aabda97a5eb509

SHA512
b4a613bbd6b896c25346e76fadc71904ad172be164b127ee6b6f993ba4addcbdda2e13ead4f60b8050d7faf9ea945283667bd9f6b2a4f013d6af4530048b82e3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
717fb6890a47069f50eef840014fcb7c

SHA1
c1138a8c2a9369c674f5dcfc3c1322abad341d49

SHA256
b730d4dfc10e30af300d83f905f2bad67b80cff95e2e2a4cd80d5b989bd3d370

SHA512
c75631c7fe0d369953c35c0fdd1c2a7ed9f75a27f7da23c1a3f2b213d9a46c5f6d8ef62efee40f00c2c07ebf8fc7e2cf4bc913177ff0512422e57ad0302cd10d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
6a515662f521977e40b5a5f306a5345b

SHA1
98969bb20c98edef9f853a96534ef38f8f1a74c7

SHA256
1aef5758cecf185fc9b50dcb925ae780c4bc46282cf60e550d41ebfa2ed12937

SHA512
9903f4d8db35c4f1ef027391e79cd1084dc20762f6c85f1de1b9f6566e99fe35625a1199d09eca3a54a1c631f09010cbb70a03dfaf2357d21ccd4cfcfeec575c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
8f7cb24634950247e2f516dbb37294cd

SHA1
562083cb656f7747d6d593683bad0713e7fb2ea6

SHA256
7c3226286b6911923afa1aec8621957fca042852953c952ce61426780e226887

SHA512
8ee1f14e1fb2b51124540a6d3e05a7005ea7fa0d381ea5382d179f1fb2b6c9190e670d3d6f27262fed066b3224747a91b67fc866a3b4f77e5341ffdd411f5a9d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
8b2b1a9258d122ae9aeed9354ec1670b

SHA1
cd57dd754f2c32826f68e0c1df25ad12fb883c83

SHA256
1bd4163ae0df384366ce3e34c9b309823e687923a7017458d5fac8017d84d67f

SHA512
e3790b303a0d5316ec1c99e07593bfd1dae53e9562ff73ad65d9ee56cbe6309efffea20af331e2ce4da1470a65d8923e3f8fc59d84daf455b7a0cf9ee5e86de5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
cc19abad1e94f334b9b9391000556f78

SHA1
7464203355121964f3377ee35960b9b3f689f9f5

SHA256
65b8ba8659479664e53303dd78f518c9f2c25633e31a695b2b176b8399df0b64

SHA512
4b5615e072fee541c56c845dea8b193b0cca4bcca29fabfc854ebd1938da876e9c6432f48be637f91387c477976ad35ad401098c2fe1a77a7f63b1aebc3f5be5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
90cd6dfb5e514893d6453c93301962c4

SHA1
19db1da04c00c27d6e76640ee6fb6eae7c7385ce

SHA256
92bdd4207bc00375f8cb540a84ce8ea9e98cdb09ced66cdb2c960683822079be

SHA512
eaa12d356a1117f48ccee065a5423b914139f603bf4a2f7349c3e49c6bade9c26fd43cc65c8227fbd6668f8e8f2b5fe85a8e7cfb962b7d3ed025a719a1f2977f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
ba3521778b7f5c6f9b21f42d33e13c70

SHA1
34bc003ad0247d3e1c1ce87f77f11d8f6716e3c6

SHA256
4518a788cb18d37672dcad29612aaea0cc4015898b66ddd48e1ba4c428faf3ec

SHA512
54cdb6b4bdf0e29e9971a8f36372c9007226ac12e6ad2331b054a5d025873d0123bdfe6511ca29bbe3ef06d74b6c6dbee911ec440e9d32f4ee04b576859f72e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\630b0495-2cde-464e-9273-92458708e644.zip

Filesize
1.7MB

MD5
5dd23f4769c93435fb3a91bdbe6b7163

SHA1
5823f3e8740717995f686edaac3edde5dc583ed6

SHA256
8a2701b3f7a311ad45776761f2341ece6f1207d35ede07deab1a74bb34390862

SHA512
08d89f204f8cc85e035761845f926e1cc2fbfc25c3d59f1192f93033eae8f7a93c4813a1bb98f2f54ad1ebd8b2977bc45e6478b4f8dbbe4fad1840e1da4907d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\630b0495-2cde-464e-9273-92458708e644\ImportantFiles\ConvertFromDisconnect.doc

Filesize
1.7MB

MD5
9807f5ff8475d1d56ba09a45362008d1

SHA1
de2b3fd11e34859154f209401bdb72318e8bfab1

SHA256
e7c4421fab66491a42138d74e2aeb9107bdbcec4800a1ff647eabcc3b5e3bb34

SHA512
0f4feccc4a7b548e15a089d814b9a0ceefdfdefd5b5d47b00fe0f49ac5bf1ddc66118bb6f8ecec7e3145d5829e467ea518519f47a0768e84397bb9d86117b2da

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_yg25tcuk.j30.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/2240-13-0x0000021BF5FB0000-0x0000021BF5FD4000-memory.dmp

Filesize
144KB

Download
memory/2240-11-0x0000021BF5BB0000-0x0000021BF5BD2000-memory.dmp

Filesize
136KB

Download
memory/2240-12-0x0000021BF5FB0000-0x0000021BF5FDA000-memory.dmp

Filesize
168KB

Download