Analysis

  • max time kernel
    150s
  • max time network
    159s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64 arch:x86 image:win10v2004-20240802-en locale:en-us os:windows10-2004-x64 system
  • submitted
    07-09-2024 11:28

General

  • Target

    Ultimate Tweaks.exe

  • Size

    168.2MB

  • MD5

    02c4b9609f04037960d947113bc2a017

  • SHA1

    b593fc590fafb5e11ccceb199ff405874183c4e8

  • SHA256

    3b47e84d5ca6ad15d2e8916d6cbd6af9ab943a42e84241e0517eaab66b5ef214

  • SHA512

    d4b3d0f440f6c61716dc156494e0be5cb4053d170d8917f7686e26734023c4e29785f354f0bc21912da06a33547573256379874027dc990cdc91d648f176826a

  • SSDEEP

    1572864:9QqT4eFUirK1e2zSQ5Rcw/N5cae/bHhrPdacyodvcPSBoHESUlyAzl/:vBKRcAMyAzB

Score
7/10

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 60 IoCs

    Using powershell.exe command.

  • Checks processor information in registry 2 TTPs 7 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe
    "C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3696
    • C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe
      "C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\Ultimate Tweaks" --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=1676 --field-trial-handle=1696,i,8893980901653828271,4311733644607027901,262144 --enable-features=kWebSQLAccess --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version /prefetch:2
      2⤵
        PID:4732
      • C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe
        "C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\Ultimate Tweaks" --mojo-platform-channel-handle=2000 --field-trial-handle=1696,i,8893980901653828271,4311733644607027901,262144 --enable-features=kWebSQLAccess --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version /prefetch:3
        2⤵
          PID:2476
        • C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe
          "C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\Ultimate Tweaks" --app-path="C:\Users\Admin\AppData\Local\Temp\resources\app.asar" --no-sandbox --no-zygote --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=4 --mojo-platform-channel-handle=2384 --field-trial-handle=1696,i,8893980901653828271,4311733644607027901,262144 --enable-features=kWebSQLAccess --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version /prefetch:1
          2⤵
          • Checks computer location settings
          • Checks processor information in registry
          • Suspicious use of WriteProcessMemory
          PID:3060
          • C:\Windows\system32\cmd.exe
            C:\Windows\system32\cmd.exe /d /s /c "chcp"
            3⤵
            • Suspicious use of WriteProcessMemory
            PID:3512
            • C:\Windows\system32\chcp.com
              chcp
              4⤵
                PID:740
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
              3⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:4032
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
              3⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:2032
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
              3⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:2340
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
              3⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:876
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
              3⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious behavior: EnumeratesProcesses
              PID:1340
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
              3⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious behavior: EnumeratesProcesses
              PID:4836
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
              3⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious behavior: EnumeratesProcesses
              PID:3424
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
              3⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious behavior: EnumeratesProcesses
              PID:4276
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
              3⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious behavior: EnumeratesProcesses
              PID:2700
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
              3⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious behavior: EnumeratesProcesses
              PID:3304
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
              3⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious behavior: EnumeratesProcesses
              PID:2124
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
              3⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious behavior: EnumeratesProcesses
              PID:2356
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
              3⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious behavior: EnumeratesProcesses
              PID:1476
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
              3⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious behavior: EnumeratesProcesses
              PID:1964
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
              3⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious behavior: EnumeratesProcesses
              PID:2168
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
              3⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious behavior: EnumeratesProcesses
              PID:3300
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
              3⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious behavior: EnumeratesProcesses
              PID:4476
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
              3⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious behavior: EnumeratesProcesses
              PID:2584
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
              3⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious behavior: EnumeratesProcesses
              PID:5016
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
              3⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious behavior: EnumeratesProcesses
              PID:4796
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
              3⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious behavior: EnumeratesProcesses
              PID:2896
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
              3⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious behavior: EnumeratesProcesses
              PID:2596
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
              3⤵
              • Command and Scripting Interpreter: PowerShell
              PID:5096
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
              3⤵
              • Command and Scripting Interpreter: PowerShell
              PID:2888
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
              3⤵
              • Command and Scripting Interpreter: PowerShell
              PID:2340
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
              3⤵
              • Command and Scripting Interpreter: PowerShell
              PID:804
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
              3⤵
              • Command and Scripting Interpreter: PowerShell
              PID:4080
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
              3⤵
              • Command and Scripting Interpreter: PowerShell
              PID:4556
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
              3⤵
              • Command and Scripting Interpreter: PowerShell
              PID:3940
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
              3⤵
              • Command and Scripting Interpreter: PowerShell
              PID:3212
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
              3⤵
              • Command and Scripting Interpreter: PowerShell
              PID:1976
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
              3⤵
              • Command and Scripting Interpreter: PowerShell
              PID:1372
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
              3⤵
              • Command and Scripting Interpreter: PowerShell
              PID:3456
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
              3⤵
              • Command and Scripting Interpreter: PowerShell
              PID:2240
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
              3⤵
              • Command and Scripting Interpreter: PowerShell
              PID:1488
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
              3⤵
              • Command and Scripting Interpreter: PowerShell
              PID:3560
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
              3⤵
              • Command and Scripting Interpreter: PowerShell
              PID:4656
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
              3⤵
              • Command and Scripting Interpreter: PowerShell
              PID:4320
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
              3⤵
              • Command and Scripting Interpreter: PowerShell
              PID:1244
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
              3⤵
              • Command and Scripting Interpreter: PowerShell
              PID:2628
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
              3⤵
              • Command and Scripting Interpreter: PowerShell
              PID:1316
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
              3⤵
              • Command and Scripting Interpreter: PowerShell
              PID:324
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
              3⤵
              • Command and Scripting Interpreter: PowerShell
              PID:3560
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
              3⤵
              • Command and Scripting Interpreter: PowerShell
              PID:2208
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
              3⤵
              • Command and Scripting Interpreter: PowerShell
              PID:3692
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
              3⤵
              • Command and Scripting Interpreter: PowerShell
              PID:1472
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
              3⤵
              • Command and Scripting Interpreter: PowerShell
              PID:2304
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
              3⤵
              • Command and Scripting Interpreter: PowerShell
              PID:1548
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
              3⤵
              • Command and Scripting Interpreter: PowerShell
              PID:4736
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
              3⤵
              • Command and Scripting Interpreter: PowerShell
              PID:1156
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
              3⤵
              • Command and Scripting Interpreter: PowerShell
              PID:404
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
              3⤵
              • Command and Scripting Interpreter: PowerShell
              PID:3940
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
              3⤵
              • Command and Scripting Interpreter: PowerShell
              PID:1548
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
              3⤵
              • Command and Scripting Interpreter: PowerShell
              PID:3680
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
              3⤵
              • Command and Scripting Interpreter: PowerShell
              PID:3460
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
              3⤵
              • Command and Scripting Interpreter: PowerShell
              PID:4836
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
              3⤵
              • Command and Scripting Interpreter: PowerShell
              PID:1316
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
              3⤵
              • Command and Scripting Interpreter: PowerShell
              PID:4092
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
              3⤵
              • Command and Scripting Interpreter: PowerShell
              PID:2896
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
              3⤵
              • Command and Scripting Interpreter: PowerShell
              PID:3940
          • C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe
            "C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --user-data-dir="C:\Users\Admin\AppData\Roaming\Ultimate Tweaks" --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAABEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=3200 --field-trial-handle=1696,i,8893980901653828271,4311733644607027901,262144 --enable-features=kWebSQLAccess --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version /prefetch:8
            2⤵
              PID:2828

          Network

          MITRE ATT&CK Enterprise v15

          Downloads

          • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

            Filesize

            3KB

          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

            Filesize

            2KB

            MD5

            25957162ade20bf81ec7404fc4f0cd80

            SHA1

            eb4d9b0d4080f9dcfc5be72502fcc20ad167734c

            SHA256

            217d0089b9d644cf4b69a6049e17abaaa4a36dedf13dd8392b248fec052597aa

            SHA512

            6ff96b83f46a4321f64ab00e4be95277d28058c8e0aa3dbd56ad022d4f696d4fee5cb196ba389f2e39534d94daec460a123de49a419a817e1c70940b07de9a79

          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

            Filesize

            2KB

            MD5

            7ff947c165616b9e00638349c25cf784

            SHA1

            06c574584dc78ec46e53ff7c68de3b396990c940

            SHA256

            af2ae1aadc832fd20c1e8471ef40edf7049b17ce3ccc829b0d49a6ec7eb0dda7

            SHA512

            60cc9aee57004ad9ca482d5e29f683e61d35ad8d76796c746f4279fdb7b4c975205701a27d62443238879ebc1da2a0df9a30b12416692797820d634f5a6f7290

          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

            Filesize

            2KB

            MD5

            55f6dde0763b274aaecf83059d51f6b6

            SHA1

            31ede0d21a5ce938f33f39061573384f16bdca6a

            SHA256

            2f543e1d464fb15c2b39799f179f9283c8c5acc4e4834dbd6a934802235432c3

            SHA512

            d370e59d7d6765fb15dd8889d04e6b7b510accb34e2ce78a02b65e71707830c6ffb5d206e644f896a693c9e2016452370161f8d7f8da7501accd3c2396132b54

          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

            Filesize

            2KB

            MD5

            7ffd92973fa9dfd1049e226f25143b12

            SHA1

            74513960ad6202c7f910f113d1658b23bdefa1f9

            SHA256

            f5191c4a14b68b950385737b1f8cf80a82480e70aa32fc37a7137e6466624984

            SHA512

            dd19069f7464b385a8e45fb2fc020d05aa2c5a964a4cc59460bdf4e0c07a35a10ffe12f7dabb72229e9f96615737b9462d8327922d11751b48b408b503d20c6b

          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

            Filesize

            2KB

            MD5

            b2ade046f07285983fed4bccd0fe0015

            SHA1

            3378271bc05ee14c9ff0650c4bf9fbe5d8af8292

            SHA256

            e749820ee8116efa4d36c89bca6514c21bc3d0df85f4147bf6e5a52add59f7cb

            SHA512

            8ae7288f5a583eca97f6505e8c664a3ef7a7eba9547c656abead4511681d9fe9c1c90419d6566503e351e1746f4483bda6a22153a2af3ce6763782786d79e83a

          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

            Filesize

            2KB

            MD5

            4e1187294efb43bd467e3a0a79922054

            SHA1

            f6c832cd410f7f888f4a225f97a1f8682c265b20

            SHA256

            25f59e43a197e976aeb3b58fee26a8af9a65d9bae788725ad932c2fa53714e85

            SHA512

            3c89dde3f1b31b6a15f6e1e18cf02cce058df7585341dfe7e6d7b2f5092973f60538aeca3324ee5e2ddda810765f0490f48a9de4e92d72df5fc67118997f6ff2

          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

            Filesize

            2KB

            MD5

            1f621b4dcbfb664dd9348f5a65296479

            SHA1

            5b8f452cf895b7ccee33b90c77c14afa86bf08ba

            SHA256

            05077823d2efa445891dbfd257ef67d8553608a3d6ca047dc9902222397809f6

            SHA512

            9abe20e1391fc4cff7e809a02df4d71542196f98eea285a24d1a4272666c7f7b312d63fcc4cd46b73a6e0bfac1c6854bfde94a1b8fdfb99b81d75ce892f5b445

          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

            Filesize

            2KB

            MD5

            6fdd701b5a1b033338772663d1c206be

            SHA1

            49aa38a968c08346e1208d45e9bc288b6b0fc7d5

            SHA256

            73aab32b5665eb3d483f7198d936e43085635adb195a2c4b6c938ff8cc516d39

            SHA512

            97bc9a2b33fc4017091660d06124996c2e55d0ff611af81f5e9fb47fef4ee7971d5afe20f475d35b824c47aad70dce663303c27d42e459ec8a51477d4eb45a2d

          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

            Filesize

            2KB

            MD5

            5d9d220d2f25fb76c05b8bc421e1a04f

            SHA1

            43c045fed8a3404bd191438f34f042ea13121308

            SHA256

            8e1291d325f32ba50906dca347b25fea0505b690d726d98dfc72a76bebfa95b3

            SHA512

            1762b9ce042d389f08342465a0d063e75a5e9350c2f850bc4b6c10c78f4790e85163f296289102740c3117ad0d9566a872647fe1488914bad50d79bf701140c2

          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

            Filesize

            2KB

            MD5

            fdd89db5e317a54050f669e738e17abb

            SHA1

            53045a3a7b45e715c5b7aff7a1489db7472df885

            SHA256

            6752512659fdaef56508634e192346e909fba3c7c243a559a5115486468b5d56

            SHA512

            560f383d3a38158f8eedbee2932bc5e8a0d35f8c86705a3729a256d751eadd9088aa1c1fcdfe1d930e323bb6bba1fc6f3cb62f4edf6f5df7c4b92e72e8178b18

          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

            Filesize

            2KB

            MD5

            ac0159b4bdf6079d6d5f723eee466ac9

            SHA1

            ec54e21018690869c93e37d040973d1da3fa1865

            SHA256

            a237de7ff9d57abf8865a547c92f9b97f287606ee175a90a0836a80a2b50135b

            SHA512

            b3de132ad0daa056071e8791b24b5ce55cc0d90f0681b6d71812a28b0613621893c56de3e67ca53ad713fa86297444ad51f72a6383d3a89e8705de0069685cde

          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

            Filesize

            296B

            MD5

            92769ca4eb672af2f318d54965e98de4

            SHA1

            bbde404f690fa7a9879fd48f717f7839e7a5a0e1

            SHA256

            41db9ef3fe7261da6a0b1232a964f62c81adbf2ff588b20ac38c3afd917eb8a0

            SHA512

            6cf45552bb5bb8bbc60aeff0e5b59571fc0bd9cb85ec50972f9a2ae50f27ee4430a54061d8a4ea5f5bca68a9198156ff6309c27e51dd4b617b60ac3825977f92

          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

            Filesize

            2KB

            MD5

            3078222f51bcb15d813952b4adbdcade

            SHA1

            5bfe3b04747f875ce1ccdc3df1e0c75dfe912164

            SHA256

            b6a296eba401bcc83fdded638d393d746ba18eae2fea66f9009566028a418b44

            SHA512

            f8c312db980a1e6bfd30fa078f8700bb706bb6c933e23ea92412110980da4efd42038d4a5871191d280a1ce28d10858bdeaba85c341b52a1aebf97ca7e803e8c

          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

            Filesize

            2KB

            MD5

            fef8e1d6034bc08030089649c8bf79e9

            SHA1

            67dba6c9b1414c627cb8bccd0d171ad788415404

            SHA256

            8b27fa4afa6c5b2f71d01198be44d7fda97d410ea041cf25d0cfb751a8d5a2fc

            SHA512

            53762fc400b94a22412017ef480c3fe3c33965ff7a89670f49e18c868caf7ff0dc7f410465f0e76f03ca1225504b243613b51cec9170be2e8a97f0e22c3ef2cb

          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

            Filesize

            104B

          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

            Filesize

            2KB

          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

            Filesize

            2KB

          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

            Filesize

            2KB

          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

            Filesize

            2KB

          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

            Filesize

            2KB

          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

            Filesize

            2KB

          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

            Filesize

            2KB

          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

            Filesize

            2KB

          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

            Filesize

            2KB

          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

            Filesize

            2KB

          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

            Filesize

            2KB

          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

            Filesize

            2KB

          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

            Filesize

            2KB

          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

            Filesize

            2KB

          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

            Filesize

            2KB

          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

            Filesize

            2KB

          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

            Filesize

            64B

          • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_3omffvol.yla.ps1

            Filesize

            60B

          • C:\Users\Admin\AppData\Roaming\Microsoft\Spelling\en-US\default.dic

            Filesize

            2B

          • C:\Users\Admin\AppData\Roaming\Ultimate Tweaks\Network\Network Persistent State

            Filesize

            967B

          • C:\Users\Admin\AppData\Roaming\Ultimate Tweaks\Network\Network Persistent State~RFe58db96.TMP

            Filesize

            59B

          • C:\Users\Admin\AppData\Roaming\Ultimate Tweaks\Network\TransportSecurity

            Filesize

            524B

          • C:\Users\Admin\AppData\Roaming\Ultimate Tweaks\Network\TransportSecurity~RFe582333.TMP

            Filesize

            357B

          • C:\Users\Admin\AppData\Roaming\Ultimate Tweaks\Preferences

            Filesize

            57B

          • C:\Users\Admin\AppData\Roaming\Ultimate Tweaks\Preferences~RFe57ef42.TMP

            Filesize

            86B

          • C:\Users\Admin\AppData\Roaming\Ultimate Tweaks\logs\main.log

            Filesize

            4KB
