3863fe1d3a3cae271b02417e5f3c4ced2f227c27e55905e198fec820a19eaf62

Analysis

max time kernel
94s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
20/09/2024, 12:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

main.bat
Size

37KB
MD5

3c8a495ee741b9c8cea966ae960bba48
SHA1

190cabc05240c6fc20d2dcfefe7df306101e97ea
SHA256

3863fe1d3a3cae271b02417e5f3c4ced2f227c27e55905e198fec820a19eaf62
SHA512

5b86790dacff4d3cbc710da2915e546f4ac5cb327529340d6e79932e091ae01ff474ae3f239ea816051d38610399ad95b060dccca761de6e064cbb5bcfca454e
SSDEEP

768:AFsYL7ruEDHs2guEDHsaOmmmnUjQxOn1TO:AFsY/BmmmnUk01C

Score

10^/10

evasion execution

Malware Config

Signatures

Disables service(s) 3 TTPs
evasion execution

Windows Service
T1543.003

Service Stop
T1489

Service Execution
T1569.002

Launches sc.exe 5 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
5040	sc.exe
4880	sc.exe
1808	sc.exe
2896	sc.exe
3044	sc.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 32 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
4180	powershell.exe
1996	powershell.exe
3032	powershell.exe
32	powershell.exe
1572	powershell.exe
2500	powershell.exe
5084	powershell.exe
4104	powershell.exe
4760	powershell.exe
940	powershell.exe
4860	powershell.exe
2112	powershell.exe
3972	powershell.exe
2988	powershell.exe
3756	powershell.exe
1396	powershell.exe
464	powershell.exe
4508	powershell.exe
4940	powershell.exe
3212	powershell.exe
1772	powershell.exe
232	powershell.exe
3320	powershell.exe
2724	powershell.exe
3460	powershell.exe
868	powershell.exe
1516	powershell.exe
2380	powershell.exe
1044	powershell.exe
4000	powershell.exe
2384	powershell.exe
5092	powershell.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3212	powershell.exe
3212	powershell.exe
5084	powershell.exe
5084	powershell.exe
4104	powershell.exe
4104	powershell.exe
3460	powershell.exe
3460	powershell.exe
1772	powershell.exe
1772	powershell.exe
2988	powershell.exe
2988	powershell.exe
3756	powershell.exe
3756	powershell.exe
4000	powershell.exe
4000	powershell.exe
1396	powershell.exe
1396	powershell.exe
4180	powershell.exe
4180	powershell.exe
232	powershell.exe
232	powershell.exe
464	powershell.exe
464	powershell.exe
2384	powershell.exe
2384	powershell.exe
2112	powershell.exe
2112	powershell.exe
3972	powershell.exe
3972	powershell.exe
32	powershell.exe
32	powershell.exe
5092	powershell.exe
5092	powershell.exe
1996	powershell.exe
1996	powershell.exe
868	powershell.exe
868	powershell.exe
940	powershell.exe
940	powershell.exe
1516	powershell.exe
1516	powershell.exe
1572	powershell.exe
1572	powershell.exe
2500	powershell.exe
2500	powershell.exe
2380	powershell.exe
2380	powershell.exe
3320	powershell.exe
3320	powershell.exe
4508	powershell.exe
4508	powershell.exe
4940	powershell.exe
4940	powershell.exe
4760	powershell.exe
4760	powershell.exe
1044	powershell.exe
1044	powershell.exe
3032	powershell.exe
3032	powershell.exe
2724	powershell.exe
2724	powershell.exe
4860	powershell.exe
4860	powershell.exe

Suspicious use of AdjustPrivilegeToken 32 IoCs

description	pid	Process
Token: SeDebugPrivilege	3212	powershell.exe
Token: SeDebugPrivilege	5084	powershell.exe
Token: SeDebugPrivilege	4104	powershell.exe
Token: SeDebugPrivilege	3460	powershell.exe
Token: SeDebugPrivilege	1772	powershell.exe
Token: SeDebugPrivilege	2988	powershell.exe
Token: SeDebugPrivilege	3756	powershell.exe
Token: SeDebugPrivilege	4000	powershell.exe
Token: SeDebugPrivilege	1396	powershell.exe
Token: SeDebugPrivilege	4180	powershell.exe
Token: SeDebugPrivilege	232	powershell.exe
Token: SeDebugPrivilege	464	powershell.exe
Token: SeDebugPrivilege	2384	powershell.exe
Token: SeDebugPrivilege	2112	powershell.exe
Token: SeDebugPrivilege	3972	powershell.exe
Token: SeDebugPrivilege	32	powershell.exe
Token: SeDebugPrivilege	5092	powershell.exe
Token: SeDebugPrivilege	1996	powershell.exe
Token: SeDebugPrivilege	868	powershell.exe
Token: SeDebugPrivilege	940	powershell.exe
Token: SeDebugPrivilege	1516	powershell.exe
Token: SeDebugPrivilege	1572	powershell.exe
Token: SeDebugPrivilege	2500	powershell.exe
Token: SeDebugPrivilege	2380	powershell.exe
Token: SeDebugPrivilege	3320	powershell.exe
Token: SeDebugPrivilege	4508	powershell.exe
Token: SeDebugPrivilege	4940	powershell.exe
Token: SeDebugPrivilege	4760	powershell.exe
Token: SeDebugPrivilege	1044	powershell.exe
Token: SeDebugPrivilege	3032	powershell.exe
Token: SeDebugPrivilege	2724	powershell.exe
Token: SeDebugPrivilege	4860	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4660 wrote to memory of 2112	4660	cmd.exe	83
PID 4660 wrote to memory of 2112	4660	cmd.exe	83
PID 4660 wrote to memory of 3768	4660	cmd.exe	84
PID 4660 wrote to memory of 3768	4660	cmd.exe	84
PID 4660 wrote to memory of 3248	4660	cmd.exe	87
PID 4660 wrote to memory of 3248	4660	cmd.exe	87
PID 4660 wrote to memory of 4724	4660	cmd.exe	88
PID 4660 wrote to memory of 4724	4660	cmd.exe	88
PID 4660 wrote to memory of 640	4660	cmd.exe	89
PID 4660 wrote to memory of 640	4660	cmd.exe	89
PID 4660 wrote to memory of 3932	4660	cmd.exe	90
PID 4660 wrote to memory of 3932	4660	cmd.exe	90
PID 4660 wrote to memory of 2788	4660	cmd.exe	91
PID 4660 wrote to memory of 2788	4660	cmd.exe	91
PID 4660 wrote to memory of 4572	4660	cmd.exe	92
PID 4660 wrote to memory of 4572	4660	cmd.exe	92
PID 4660 wrote to memory of 852	4660	cmd.exe	93
PID 4660 wrote to memory of 852	4660	cmd.exe	93
PID 4660 wrote to memory of 2848	4660	cmd.exe	94
PID 4660 wrote to memory of 2848	4660	cmd.exe	94
PID 4660 wrote to memory of 3988	4660	cmd.exe	95
PID 4660 wrote to memory of 3988	4660	cmd.exe	95
PID 4660 wrote to memory of 1416	4660	cmd.exe	96
PID 4660 wrote to memory of 1416	4660	cmd.exe	96
PID 4660 wrote to memory of 4852	4660	cmd.exe	97
PID 4660 wrote to memory of 4852	4660	cmd.exe	97
PID 4660 wrote to memory of 2304	4660	cmd.exe	98
PID 4660 wrote to memory of 2304	4660	cmd.exe	98
PID 4660 wrote to memory of 3428	4660	cmd.exe	100
PID 4660 wrote to memory of 3428	4660	cmd.exe	100
PID 4660 wrote to memory of 4508	4660	cmd.exe	101
PID 4660 wrote to memory of 4508	4660	cmd.exe	101
PID 4660 wrote to memory of 2988	4660	cmd.exe	102
PID 4660 wrote to memory of 2988	4660	cmd.exe	102
PID 4660 wrote to memory of 3152	4660	cmd.exe	103
PID 4660 wrote to memory of 3152	4660	cmd.exe	103
PID 4660 wrote to memory of 2328	4660	cmd.exe	104
PID 4660 wrote to memory of 2328	4660	cmd.exe	104
PID 4660 wrote to memory of 1724	4660	cmd.exe	106
PID 4660 wrote to memory of 1724	4660	cmd.exe	106
PID 4660 wrote to memory of 4872	4660	cmd.exe	107
PID 4660 wrote to memory of 4872	4660	cmd.exe	107
PID 4660 wrote to memory of 864	4660	cmd.exe	108
PID 4660 wrote to memory of 864	4660	cmd.exe	108
PID 4660 wrote to memory of 928	4660	cmd.exe	109
PID 4660 wrote to memory of 928	4660	cmd.exe	109
PID 4660 wrote to memory of 3744	4660	cmd.exe	110
PID 4660 wrote to memory of 3744	4660	cmd.exe	110
PID 4660 wrote to memory of 4264	4660	cmd.exe	111
PID 4660 wrote to memory of 4264	4660	cmd.exe	111
PID 4660 wrote to memory of 3620	4660	cmd.exe	112
PID 4660 wrote to memory of 3620	4660	cmd.exe	112
PID 4660 wrote to memory of 3948	4660	cmd.exe	113
PID 4660 wrote to memory of 3948	4660	cmd.exe	113
PID 4660 wrote to memory of 1648	4660	cmd.exe	114
PID 4660 wrote to memory of 1648	4660	cmd.exe	114
PID 4660 wrote to memory of 4072	4660	cmd.exe	115
PID 4660 wrote to memory of 4072	4660	cmd.exe	115
PID 4660 wrote to memory of 3688	4660	cmd.exe	116
PID 4660 wrote to memory of 3688	4660	cmd.exe	116
PID 4660 wrote to memory of 4568	4660	cmd.exe	117
PID 4660 wrote to memory of 4568	4660	cmd.exe	117
PID 4660 wrote to memory of 3068	4660	cmd.exe	118
PID 4660 wrote to memory of 3068	4660	cmd.exe	118

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\main.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:4660
- C:\Windows\system32\chcp.com
  chcp 65001
  2⤵
  PID:2112
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "prompt $H &echo on &for %B in (1) do rem"
  2⤵
  PID:3768
- C:\Windows\system32\schtasks.exe
  schtasks /end /tn "\Microsoft\Windows\Customer Experience Improvement Program\Consolidator"
  2⤵
  PID:3248
- C:\Windows\system32\schtasks.exe
  schtasks /change /tn "\Microsoft\Windows\Customer Experience Improvement Program\Consolidator" /disable
  2⤵
  PID:4724
- C:\Windows\system32\schtasks.exe
  schtasks /end /tn "\Microsoft\Windows\Customer Experience Improvement Program\BthSQM"
  2⤵
  PID:640
- C:\Windows\system32\schtasks.exe
  schtasks /change /tn "\Microsoft\Windows\Customer Experience Improvement Program\BthSQM" /disable
  2⤵
  PID:3932
- C:\Windows\system32\schtasks.exe
  schtasks /end /tn "\Microsoft\Windows\Customer Experience Improvement Program\KernelCeipTask"
  2⤵
  PID:2788
- C:\Windows\system32\schtasks.exe
  schtasks /change /tn "\Microsoft\Windows\Customer Experience Improvement Program\KernelCeipTask" /disable
  2⤵
  PID:4572
- C:\Windows\system32\schtasks.exe
  schtasks /end /tn "\Microsoft\Windows\Customer Experience Improvement Program\UsbCeip"
  2⤵
  PID:852
- C:\Windows\system32\schtasks.exe
  schtasks /change /tn "\Microsoft\Windows\Customer Experience Improvement Program\UsbCeip" /disable
  2⤵
  PID:2848
- C:\Windows\system32\schtasks.exe
  schtasks /end /tn "\Microsoft\Windows\Customer Experience Improvement Program\Uploader"
  2⤵
  PID:3988
- C:\Windows\system32\schtasks.exe
  schtasks /change /tn "\Microsoft\Windows\Customer Experience Improvement Program\Uploader" /disable
  2⤵
  PID:1416
- C:\Windows\system32\schtasks.exe
  schtasks /end /tn "\Microsoft\Windows\Application Experience\Microsoft Compatibility Appraiser"
  2⤵
  PID:4852
- C:\Windows\system32\schtasks.exe
  schtasks /change /tn "\Microsoft\Windows\Application Experience\Microsoft Compatibility Appraiser" /disable
  2⤵
  PID:2304
- C:\Windows\system32\schtasks.exe
  schtasks /end /tn "\Microsoft\Windows\Application Experience\ProgramDataUpdater"
  2⤵
  PID:3428
- C:\Windows\system32\schtasks.exe
  schtasks /change /tn "\Microsoft\Windows\Application Experience\ProgramDataUpdater" /disable
  2⤵
  PID:4508
- C:\Windows\system32\schtasks.exe
  schtasks /end /tn "\Microsoft\Windows\Application Experience\StartupAppTask"
  2⤵
  PID:2988
- C:\Windows\system32\schtasks.exe
  schtasks /end /tn "\Microsoft\Windows\Shell\FamilySafetyMonitor"
  2⤵
  PID:3152
- C:\Windows\system32\schtasks.exe
  schtasks /change /tn "\Microsoft\Windows\Shell\FamilySafetyMonitor" /disable
  2⤵
  PID:2328
- C:\Windows\system32\schtasks.exe
  schtasks /end /tn "\Microsoft\Windows\Shell\FamilySafetyRefresh"
  2⤵
  PID:1724
- C:\Windows\system32\schtasks.exe
  schtasks /change /tn "\Microsoft\Windows\Shell\FamilySafetyRefresh" /disable
  2⤵
  PID:4872
- C:\Windows\system32\schtasks.exe
  schtasks /end /tn "\Microsoft\Windows\Shell\FamilySafetyUpload"
  2⤵
  PID:864
- C:\Windows\system32\schtasks.exe
  schtasks /change /tn "\Microsoft\Windows\Shell\FamilySafetyUpload" /disable
  2⤵
  PID:928
- C:\Windows\system32\schtasks.exe
  schtasks /end /tn "\Microsoft\Windows\Maintenance\WinSAT"
  2⤵
  PID:3744
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\Spooler" /v "Start" /t REG_DWORD /d "4" /f
  2⤵
  PID:4264
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\PrintNotify" /v "Start" /t REG_DWORD /d "4" /f
  2⤵
  PID:3620
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\MapsBroker" /v "Start" /t REG_DWORD /d "4" /f
  2⤵
  PID:3948
- C:\Windows\system32\reg.exe
  Reg.exe add "HKCU\Software\Microsoft\Office\Common\ClientTelemetry" /v "DisableTelemetry" /t REG_DWORD /d "1" /f
  2⤵
  PID:1648
- C:\Windows\system32\reg.exe
  Reg.exe add "HKCU\Software\Microsoft\Office\16.0\Common" /v "sendcustomerdata" /t REG_DWORD /d "0" /f
  2⤵
  PID:4072
- C:\Windows\system32\reg.exe
  Reg.exe add "HKCU\Software\Microsoft\Office\16.0\Common\Feedback" /v "enabled" /t REG_DWORD /d "0" /f
  2⤵
  PID:3688
- C:\Windows\system32\reg.exe
  Reg.exe add "HKCU\Software\Microsoft\Office\16.0\Common\Feedback" /v "includescreenshot" /t REG_DWORD /d "0" /f
  2⤵
  PID:4568
- C:\Windows\system32\reg.exe
  Reg.exe add "HKCU\Software\Microsoft\Office\16.0\Outlook\Options\Mail" /v "EnableLogging" /t REG_DWORD /d "0" /f
  2⤵
  PID:3068
- C:\Windows\system32\reg.exe
  Reg.exe add "HKCU\Software\Microsoft\Office\16.0\Word\Options" /v "EnableLogging" /t REG_DWORD /d "0" /f
  2⤵
  PID:1864
- C:\Windows\system32\reg.exe
  Reg.exe add "HKCU\Software\Microsoft\Office\Common\ClientTelemetry" /v "SendTelemetry" /t REG_DWORD /d "3" /f
  2⤵
  PID:2832
- C:\Windows\system32\reg.exe
  Reg.exe add "HKCU\Software\Microsoft\Office\16.0\Common" /v "qmenable" /t REG_DWORD /d "0" /f
  2⤵
  PID:868
- C:\Windows\system32\reg.exe
  Reg.exe add "HKCU\Software\Microsoft\Office\16.0\Common" /v "updatereliabilitydata" /t REG_DWORD /d "0" /f
  2⤵
  PID:860
- C:\Windows\system32\reg.exe
  Reg.exe add "HKCU\Software\Microsoft\Office\16.0\Common\General" /v "shownfirstrunoptin" /t REG_DWORD /d "1" /f
  2⤵
  PID:3580
- C:\Windows\system32\reg.exe
  Reg.exe add "HKCU\Software\Microsoft\Office\16.0\Common\General" /v "skydrivesigninoption" /t REG_DWORD /d "0" /f
  2⤵
  PID:960
- C:\Windows\system32\reg.exe
  Reg.exe add "HKCU\Software\Microsoft\Office\16.0\Common\ptwatson" /v "ptwoptin" /t REG_DWORD /d "0" /f
  2⤵
  PID:2616
- C:\Windows\system32\reg.exe
  Reg.exe add "HKCU\Software\Microsoft\Office\16.0\Firstrun" /v "disablemovie" /t REG_DWORD /d "1" /f
  2⤵
  PID:1164
- C:\Windows\system32\reg.exe
  Reg.exe add "HKCU\Software\Microsoft\Office\16.0\OSM" /v "Enablelogging" /t REG_DWORD /d "0" /f
  2⤵
  PID:1396
- C:\Windows\system32\reg.exe
  Reg.exe add "HKCU\Software\Microsoft\Office\16.0\OSM" /v "EnableUpload" /t REG_DWORD /d "0" /f
  2⤵
  PID:940
- C:\Windows\system32\reg.exe
  Reg.exe add "HKCU\Software\Microsoft\Office\16.0\OSM" /v "EnableFileObfuscation" /t REG_DWORD /d "1" /f
  2⤵
  PID:2912
- C:\Windows\system32\reg.exe
  Reg.exe add "HKCU\Software\Microsoft\Office\16.0\OSM\preventedapplications" /v "accesssolution" /t REG_DWORD /d "1" /f
  2⤵
  PID:1060
- C:\Windows\system32\reg.exe
  Reg.exe add "HKCU\Software\Microsoft\Office\16.0\OSM\preventedapplications" /v "olksolution" /t REG_DWORD /d "1" /f
  2⤵
  PID:4476
- C:\Windows\system32\reg.exe
  Reg.exe add "HKCU\Software\Microsoft\Office\16.0\OSM\preventedapplications" /v "onenotesolution" /t REG_DWORD /d "1" /f
  2⤵
  PID:3060
- C:\Windows\system32\reg.exe
  Reg.exe add "HKCU\Software\Microsoft\Office\16.0\OSM\preventedapplications" /v "pptsolution" /t REG_DWORD /d "1" /f
  2⤵
  PID:5056
- C:\Windows\system32\reg.exe
  Reg.exe add "HKCU\Software\Microsoft\Office\16.0\OSM\preventedapplications" /v "projectsolution" /t REG_DWORD /d "1" /f
  2⤵
  PID:4280
- C:\Windows\system32\reg.exe
  Reg.exe add "HKCU\Software\Microsoft\Office\16.0\OSM\preventedapplications" /v "publishersolution" /t REG_DWORD /d "1" /f
  2⤵
  PID:4180
- C:\Windows\system32\reg.exe
  Reg.exe add "HKCU\Software\Microsoft\Office\16.0\OSM\preventedapplications" /v "visiosolution" /t REG_DWORD /d "1" /f
  2⤵
  PID:4920
- C:\Windows\system32\reg.exe
  Reg.exe add "HKCU\Software\Microsoft\Office\16.0\OSM\preventedapplications" /v "wdsolution" /t REG_DWORD /d "1" /f
  2⤵
  PID:3356
- C:\Windows\system32\reg.exe
  Reg.exe add "HKCU\Software\Microsoft\Office\16.0\OSM\preventedapplications" /v "xlsolution" /t REG_DWORD /d "1" /f
  2⤵
  PID:1792
- C:\Windows\system32\reg.exe
  Reg.exe add "HKCU\Software\Microsoft\Office\16.0\OSM\preventedsolutiontypes" /v "agave" /t REG_DWORD /d "1" /f
  2⤵
  PID:4556
- C:\Windows\system32\reg.exe
  Reg.exe add "HKCU\Software\Microsoft\Office\16.0\OSM\preventedsolutiontypes" /v "appaddins" /t REG_DWORD /d "1" /f
  2⤵
  PID:3172
- C:\Windows\system32\reg.exe
  Reg.exe add "HKCU\Software\Microsoft\Office\16.0\OSM\preventedsolutiontypes" /v "comaddins" /t REG_DWORD /d "1" /f
  2⤵
  PID:3252
- C:\Windows\system32\reg.exe
  Reg.exe add "HKCU\Software\Microsoft\Office\16.0\OSM\preventedsolutiontypes" /v "documentfiles" /t REG_DWORD /d "1" /f
  2⤵
  PID:1064
- C:\Windows\system32\reg.exe
  Reg.exe add "HKCU\Software\Microsoft\Office\16.0\OSM\preventedsolutiontypes" /v "templatefiles" /t REG_DWORD /d "1" /f
  2⤵
  PID:2704
- C:\Windows\system32\reg.exe
  Reg.exe add "HKCU\Software\Microsoft\GameBar" /v "UseNexusForGameBarEnabled" /t REG_DWORD /d "0" /f
  2⤵
  PID:1508
- C:\Windows\system32\reg.exe
  Reg.exe add "HKCU\Software\Microsoft\GameBar" /v "GameDVR_Enabled" /t REG_DWORD /d "0" /f
  2⤵
  PID:1528
- C:\Windows\system32\reg.exe
  Reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\GameDVR" /v "AppCaptureEnabled" /t REG_DWORD /d "0" /f
  2⤵
  PID:1668
- C:\Windows\system32\reg.exe
  Reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\GameDVR" /v "AudioCaptureEnabled" /t REG_DWORD /d "0" /f
  2⤵
  PID:2368
- C:\Windows\system32\reg.exe
  Reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\GameDVR" /v "CursorCaptureEnabled" /t REG_DWORD /d "0" /f
  2⤵
  PID:532
- C:\Windows\system32\reg.exe
  Reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\GameDVR" /v "HistoricalCaptureEnabled" /t REG_DWORD /d "0" /f
  2⤵
  PID:3048
- C:\Windows\system32\reg.exe
  Reg.exe add "HKCU\System\GameConfigStore" /v "GameDVR_Enabled" /t REG_DWORD /d "0" /f
  2⤵
  PID:3704
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\Software\Policies\Microsoft\Windows\GameDVR" /v "AllowgameDVR" /t REG_DWORD /d "0" /f
  2⤵
  PID:2036
- C:\Windows\system32\sc.exe
  sc config xbgm start= disabled
  2⤵
  - Launches sc.exe
  PID:5040
- C:\Windows\system32\sc.exe
  sc config XblAuthManager start= disabled
  2⤵
  - Launches sc.exe
  PID:4880
- C:\Windows\system32\sc.exe
  sc config XblGameSave start= disabled
  2⤵
  - Launches sc.exe
  PID:1808
- C:\Windows\system32\sc.exe
  sc config XboxGipSvc start= disabled
  2⤵
  - Launches sc.exe
  PID:2896
- C:\Windows\system32\sc.exe
  sc config XboxNetApiSvc start= disabled
  2⤵
  - Launches sc.exe
  PID:3044
- C:\Windows\system32\chcp.com
  chcp 437
  2⤵
  PID:388
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Powershell.exe -command "& {Get-AppxPackage *Microsoft.BingWeather* | Remove-AppxPackage}
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3212
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Powershell.exe -command "& {Get-AppxPackage *Microsoft.GetHelp* | Remove-AppxPackage}
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5084
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Powershell.exe -command "& {Get-AppxPackage *Microsoft.Getstarted* | Remove-AppxPackage}
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4104
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Powershell.exe -command "& {Get-AppxPackage *Microsoft.Messaging* | Remove-AppxPackage}
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3460
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Powershell.exe -command "& {Get-AppxPackage *Microsoft.Microsoft3DViewer* | Remove-AppxPackage}
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1772
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Powershell.exe -command "& {Get-AppxPackage *Microsoft.MicrosoftSolitaireCollection* | Remove-AppxPackage}
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2988
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Powershell.exe -command "& {Get-AppxPackage *Microsoft.MicrosoftStickyNotes* | Remove-AppxPackage}
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3756
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Powershell.exe -command "& {Get-AppxPackage *Microsoft.MixedReality.Portal* | Remove-AppxPackage}
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4000
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Powershell.exe -command "& {Get-AppxPackage *Microsoft.OneConnect* | Remove-AppxPackage}
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1396
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Powershell.exe -command "& {Get-AppxPackage *Microsoft.People* | Remove-AppxPackage}
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4180
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Powershell.exe -command "& {Get-AppxPackage *Microsoft.Print3D* | Remove-AppxPackage}
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:232
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Powershell.exe -command "& {Get-AppxPackage *Microsoft.SkypeApp* | Remove-AppxPackage}
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:464
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Powershell.exe -command "& {Get-AppxPackage *Microsoft.WindowsAlarms* | Remove-AppxPackage}
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2384
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Powershell.exe -command "& {Get-AppxPackage *Microsoft.WindowsCamera* | Remove-AppxPackage}
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2112
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Powershell.exe -command "& {Get-AppxPackage *microsoft.windowscommunicationsapps* | Remove-AppxPackage}
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3972
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Powershell.exe -command "& {Get-AppxPackage *Microsoft.WindowsMaps* | Remove-AppxPackage}
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:32
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Powershell.exe -command "& {Get-AppxPackage *Microsoft.WindowsFeedbackHub* | Remove-AppxPackage}
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5092
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Powershell.exe -command "& {Get-AppxPackage *Microsoft.WindowsSoundRecorder* | Remove-AppxPackage}
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1996
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Powershell.exe -command "& {Get-AppxPackage *Microsoft.YourPhone* | Remove-AppxPackage}
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:868
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Powershell.exe -command "& {Get-AppxPackage *Microsoft.ZuneMusic* | Remove-AppxPackage}
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:940
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Powershell.exe -command "& {Get-AppxPackage *Microsoft.HEIFImageExtension* | Remove-AppxPackage}
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1516
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Powershell.exe -command "& {Get-AppxPackage *Microsoft.WebMediaExtensions* | Remove-AppxPackage}
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1572
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Powershell.exe -command "& {Get-AppxPackage *Microsoft.WebpImageExtension* | Remove-AppxPackage}
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2500
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Powershell.exe -command "& {Get-AppxPackage *Microsoft.3dBuilder* | Remove-AppxPackage}
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2380
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  PowerShell -Command "Get-AppxPackage -allusers *bing* | Remove-AppxPackage"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3320
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  PowerShell -Command "Get-AppxPackage -allusers *bingfinance* | Remove-AppxPackage"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4508
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  PowerShell -Command "Get-AppxPackage -allusers *bingsports* | Remove-AppxPackage"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4940
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  PowerShell -Command "Get-AppxPackage -allusers *CommsPhone* | Remove-AppxPackage"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4760
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  PowerShell -Command "Get-AppxPackage -allusers *Drawboard PDF* | Remove-AppxPackage"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1044
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  PowerShell -Command "Get-AppxPackage -allusers *Sway* | Remove-AppxPackage"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3032
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  PowerShell -Command "Get-AppxPackage -allusers *WindowsAlarms* | Remove-AppxPackage"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2724
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  PowerShell -Command "Get-AppxPackage -allusers *WindowsPhone* | Remove-AppxPackage"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4860
- C:\Windows\system32\chcp.com
  chcp 65001
  2⤵
  PID:1860
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "prompt $H &echo on &for %B in (1) do rem"
  2⤵
  PID:5044

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

System Services

T1569

Service Execution

T1569.002

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
958ec9d245aa0e4bd5d05bbdb37475f4

SHA1
80e6d2c6a85922cb83b9fea874320e9c53740bd9

SHA256
a01df48cd7398ad6894bc40d27fb024dcdda87a3315934e5452a2a3e7dfb371d

SHA512
82567b9f898238e38b3b6b3cdb2565be8cac08788e612564c6ac1545f161cd5c545ba833946cc6f0954f38f066a20c9a4922a09f7d37604c71c8f0e7e46a59ec

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
fa3ef299a1ab7db019f52b16e941c9b9

SHA1
e3b49e86124f9edcee09dc1fda17352fd0b95abe

SHA256
c5a342cc452255ef50d31e3763223845f6bb601781c7a838bd9e2349e15e1fbb

SHA512
c5d4a09f02a1b63cfe9501be2b6a262b111e6943f3969170d98e797ffb96359773407d748f146b890a33173200d25abc3c487e105a57db93d3b15bca3782d3c7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
b438ade7ad1c1428f0b7e15b600d6c56

SHA1
8ea11e0acddc8d0c882797d5b39f28ec08716b58

SHA256
0fa3f87ba8b529ac52e315e1164adec5c050c1adc50041ce9488de6d265ea56f

SHA512
ec5671112f25c2549432d4dfc21d49426ac60ccd1910cdb1ed80e99cbc2f26d75e2506d3675f5b8e5b6ff6917c3be847fd4af55eb3b6e5bfa6cc40528f1edff7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
d63080f09e32f661654eb2796ae3e135

SHA1
35ae0822f30f84e8bc173fb1d54f47c481a1af3d

SHA256
d379ae3ff5c8ab55abdca01c613593bdf0104be110202220fed19d9299b0667e

SHA512
67347a08012c35127959da635dbfa8a2901d2146fbf8339794df2daa1b51fa03d5158d2842916bada94dc8843aea2dfd0cd617b13203df51cc4a790dccb3a007

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
3de4803cf47c0daa82e0c57bb34b0341

SHA1
2a08dbdcac41747d05e5bb177464da8fd1007c1a

SHA256
6b66df6e4ab2d39daffa1a0f2d13f72f6fb9377f6999c18a1d5c8410fad0b6c7

SHA512
1e671304ae6a8c4cc891e0f89014d95c8feb72cee99a0d2ff904579714e4acb0c6cb73650bf63f8d87dba39b5b3dfc3fd2d5ac8fd62442a85e96176bafd075ec

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
45fb6aefb9512d6361e86ea57bec5af7

SHA1
fbdc65d05895cb4e5bcc18c1b541bd5480ea215c

SHA256
42161603166b6a722916c2a58c2311dde3c21563c10d5a6646e12bbeca5ca846

SHA512
8a8c81bc8987355f2129f97aa75d05d6b25d08b2bba013a8626ee53c95d4e120e78d282b3df1c4f7badc81ddb32bfc3e03a94ca72e8523d73feca740e6b91422

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
5a82c6a0a555bf739100a16b550b03eb

SHA1
93fbc25564a121bd63c0052c754815058d6b8c95

SHA256
a26781aa566e75a5bae25dee58dc9428a75c9f957d875982c5ac35120cbacb17

SHA512
c94b976e0b85a8542b0eacacf9c4c44edb5b6c7b852054218132eaeaa3a4a46bd6a8bfd2c16b8b46e1ba989be38eb91004259f4dcc3872b0cefc3fb29f6d8592

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
51eced1155f657a856527dd33db31f19

SHA1
c5e28a62a17cd6720fb173a1f9edd0c4be706ae5

SHA256
8b42540fd9f0460e1f0e0085ba92bc0347116144521d1d2dc8f817ffa0e29698

SHA512
45a5f2f5d2ad833c45bc9a9182a41d73434e5638ab63d9342466226d11d26f73188b31b4d22031e0b1d949b950d31aadbf10677b5d8cc6b8c9097557c4fef486

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
d8ea16dc34955cb0d6ca8733d82b1734

SHA1
c48af373f633c46409c13ceee8798ca9edf4c0d0

SHA256
93748b00894a302f19fabf4021af3c7cf71f842442e089fd90a34aeacc6eb480

SHA512
b69edc5ff5cc664de422121d85743d65257895e9be100c0716eaab3c4c6e6642e85b604cd8dffff9879bb8e8fb299588fa4cd1f5a66bb0603779cfcff3dd609d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
3e9e610a46281096889066aa97cefb7c

SHA1
d34811ae07c4540880551ea46af599e4e4e75f5c

SHA256
a195c9fb18b7e31adad20a5f7d7ba15d3693c5e81c3bda1c62e73bf5a7c5d8a6

SHA512
ccad608bde3594eae8c267a705db0da9dea5e9896754a1a71f62bf5b7bcdcbecab375209e9b9a460b9270065682a1f083164591856cd3bdd3ba44ab00c820850

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
9e3d57f8b5af30022a60e584c1db44de

SHA1
b4dde0dfa72ab6adb1a1da735037265bd3ab023f

SHA256
0a87ec46a13bb1d4d57ac03f09ebdc1a03df8566c8b449d85470609a7f10d4d7

SHA512
9110d66d228b1a8a2235a1ad40abc0cfb626705cccd7165a7933ce7208f16622720f1729bef7fc88037e308970339386d0943e28303bb36e59a0448f1af0d0e0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
2b3f86a65c51942d317877937fe7c253

SHA1
3c98ce61083a93d8181206dd0eb9ee81fa5e1907

SHA256
ba7ac6a6d21df9d08e8f4e06ccb30df709c965ff5b9f17d2a8f554f68e80f9e3

SHA512
aa0398a57b31f2a72c1379e7865b72e9c683b5e42754140d42af7fed391bb22831e9684f1efdc43b8e8ef8f5531cc1353da342878b674b348689617c01784a92

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
4fcdc94bc505a516138068eed89e2d2a

SHA1
1c7350a455f3aa3666aa74d2de62f18bfe8137df

SHA256
cf95aee7cd10279a35288121bfee6da6462e82994772970e5c638f90129ae317

SHA512
7137ddc0c22c15168e01ac14dbf2ef8a06b959abf59754c3ae97cf9f3f11be72099778efe32b313416060f77ad5d34680cf5645b387f95381e9eaef6e818bb03

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
355bc6262d59a20c6e786e5239793a27

SHA1
5241c0a0790d972255cc7d6988073ed4d0066bef

SHA256
9d6a7cd09b7d58a9e2c27711f4223fccbde34a8d346c16e63d714fe93d844bfd

SHA512
8d26a6960b87c5cac80dbadaefc99ed3cccaf5a4a3fd18b4c34820010e3861f34d67f037fc242f3f9970747c2ab3edf79e96e68e47505ea47499da719ab6255d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
48d9d937221b5793e8eca762cb7252d2

SHA1
b305e928128d51b5dc8e29f9074d3e87a7fdbc19

SHA256
b7abc1cd09730a9745f3f134bc04acb4074a0cd8542a0faa77fa4e5b0419c44b

SHA512
0b7071d98f17e0a16f0138ae49181f130d9e71eaebfef600e3c6924bf9ce5540bad8cd9a7ccfa0247cd318cdf2e71a357245e0c01cbb48f792fc7998bebd36a4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
f2c4cf6ce6ce675db0e7678481404436

SHA1
72d46d79c544ae9ca19515ded7aacb963f849412

SHA256
e48d0323b3093a9fbf8e78301698ff09c23f57b74c4f636eb0972886158cc000

SHA512
2938c81bea125c8f9fe7e34757041dbf6e78e4e07bb933c1ba309e74130b5fa38acf240ae1a1f051f8a0d4927cbd77dd837c5014d11128355957987fa69af825

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
f9094ab56e1f259de564b91d32cd8122

SHA1
377468da947ef106365b7f45e2dd8593e0e47e3f

SHA256
9519473e93435fea127d47c1293a68c851f62e95a22e244bd53ba0da30161377

SHA512
bca0340a5e835ade04b1d2393d57b86cf2707a8580c9695c2fd5b64c9904eef0b5fef8132d23efe857d6e1e4a934271fad6c47ab16dc3f755598fc6f6f36d0ac

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
6ae00a68b432eae438ac684e8b5bcf65

SHA1
ac4a65dbc21a43f2c4de69ecb814ade9b8167067

SHA256
b4b2c6983d0c47a5292483bc8bf5eed51a0be6a0d9531926535c4e6640dd9c85

SHA512
4555e93f102e4625d959ef14a8696ad8e96bc7883bdc62192fe128506ee4e5a360f2291c2472caa4e82102697ad9689e7f12db7e77d8515063b86d647899ff9f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
933f2a4a27884bb5980e0f97247f615f

SHA1
937f75503298f9eb15f155cbde25b794de0b8eeb

SHA256
ca3d0b08005c1dd1a41544329c95347b5b97a398d473f156f26e574ad9d92532

SHA512
40c6e7bcb9351b112372dddd1a08732968b375e33eb79e46513db5d242afad89d1ca5f10c8f532640d08654b58b86222de8114b06ae4692a935dc890813558cd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
a9bfec656c63c355799e288eb03b986c

SHA1
41bb798ea20ea62d75fd2cc65e3bd97b45f3bd56

SHA256
0702799c1e7118fca209f125338a69eefc94d3883bb23fcc5642e0f50cbde15a

SHA512
89a388787d643cc2e43df8fb6bed693512105ce3a993907713bc03f5fc36caa1cedcbedc1524a5995a068724586ff58c94a72efe2586058e72aee9c5428b22fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
ca55b40ca632a67652aa291a0aa40c5f

SHA1
8c725a80fe71b5a7c4226edcc58dc737bd4bb022

SHA256
771816586acfc9104e93751806dfb70c7fea1136a41e802d24d4ddcae064a463

SHA512
dbcab6eb5e122a6fbf708da0abc9b3d691627c1ba342ee43ba01d20ca2b400e7e688d685347d994e15650fb2ae8b20518d5351484cb8cfecf308d2b576d59f39

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
f0a8670be4b7778a448e03bedd766820

SHA1
4175d160eb77940fb4484f78ef416febee151e03

SHA256
2fda78c587197f988baabae56446592845dddb429ccc0726603f6657aea4c8a9

SHA512
1970b51c7c45233c93d42264ecfa20a6ad761b7c2eba6d5a1c7c27004d6808289a0735c7e3335e2f124e5928fb38e431b3e3c4b187deacaf6778b1a95f97b997

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
75327ff252635d5c132eed9102f1eb65

SHA1
7b8a6d2fa29de6b0976dc4b22cb2342ac02acec5

SHA256
b003343daa0a300e56e48898687896a592a3b26eeb85482b0f1cdf98c61d9e34

SHA512
a45e4de148459772060c62a7c4ef82da9a736ea9e3083528ef85511827e6e1a5070f4e213b09124e173f07afc382d89644c5b90d188934e0171e71ae688443ed

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
53c8f1ef77e866c20b31bff69e330073

SHA1
b16072d792d1a6f0455d6bf9d14070c6060cacd1

SHA256
8791c182ce83a788e5bc13177e66f725538be3dc6bcf566c34072b7f15b42bef

SHA512
66644f90c563977de6c34f48647e228990fea5bfefc73b82a0d15fd33fe650fbf2bf45d5b59a726a5bfe4d87b8869df2b88ca4b3f0ea85cf82df1bfb08ab905b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
396e331c87e72ecc54c90a0344468e48

SHA1
1ccdd7f137136d52c090c074ade6c6c26a1fe2d0

SHA256
6e4d72da2dade44e4d51c51d5107833a46eba5cdad62b3df322365a245ffabe1

SHA512
a4624d63c9a28cd66dbda5aad1d1dff97da490e856b51ef54b5bde0a0496d408e86aeea5ef752a7398dc2d32ac35a92db2c8ad6beb8c307d8d8c0a8b7641b692

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
410f5e291206661c9f54ff5b6d56fdd6

SHA1
ff255a1bb2e8e6764f8d492f628e554ac7e0444d

SHA256
1df1dabf61cd2e1370fd0e4170a34bc3eb516cffa39b373a5d78bd5083d748b1

SHA512
cb55f3901b90d03e2bf315d04c1e53f2bb71994cb49a1a08ca22c3800abadf76ede95abdd3c209f381dc67e660ad50dbd9049c8501d8668509ddcd63dbd56b45

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
495079f648d219063282fb51e1ce2d59

SHA1
c5943da7a9f21e1af79e0492ba7c5de11be80b35

SHA256
cb3f9c8eaa03c821bc07a3991fe676419e1442161e2b58a97c1e7be2b68d1c33

SHA512
202da530b5bd8c66128b2b2b94c30bb2ff16b2a69a4a2426a8ca31cb578f8ce5bf9204e3878e7e26586cc38be199ea533ca3635419e9f755108ff2e8fc8162b3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
c6021572f9c38e569e16035147ddeef3

SHA1
2464ef5bb92553764d262d68150920a9ce066373

SHA256
bf02f6d8d2d203fb43692d61dee7c73d42d99549e694b2e4d6fc8b16168322b2

SHA512
a86b30d6ac54a4d81d11cb8a470e47536c5d91dc8016aa06aa3374ca94c1a7fc509ab33c8886292ef19d18beba4f39ff1fe4b00aae1a424a8cc6e0ff8440139e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
1dee5fd86b5080d0ca53254050e277d1

SHA1
0fa5b91ff4c9aa5df4a2358b50e2d64ca65a58d5

SHA256
eba36dbf3ae8999fc358c6acd377803964e8c4e0d8fe1942e51aecb03b49b1f4

SHA512
079714506d233da17027f21e69e177a369f934c9daca244ed635960fb54bc3f326b5b683ae88be4845e6881557d0bbd9c3c22ae7afbc26f929758e48873da757

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
0a5185811549b6897cd75b06a36ce6cd

SHA1
78cef1944ad3c8cfd7f2e57b2970b35d9feac141

SHA256
08067f0f0227a820828ac7c9f02634717514d8f88a1cf2a9ac8c2d419057e4fd

SHA512
6b66b375420fb1db804f0615af6883c4ee9255d8ddd72a383f9c8334dfcc5cef970938ee2600344a400a3a1e09e61c4c3845859780add28228f75a982e5b4bfc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
048d091d24bf89c28e2417e7398ba197

SHA1
9ec9535fc34d09e4706fa215cebd8a61bd8778ad

SHA256
88721d486104058420c80dfe60fcd47594d5fe461eeb5d3370e1e4c1a1b72843

SHA512
37620d42e1e6a68ede4525763e5fadac302240b3fc8f65176fb050697c69f43406c6170b86d1b8544635ea3b9eb0fdf69bfdef543fc876afad1968f225ab003f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
5ba634f836cafba9b7ea0c46143533bc

SHA1
26e72e57a26bd841bdbe7564afa83619b63690ce

SHA256
8f3510bd8e34088756ae669cad322a9303df1849926a42323c28c37b9540a0d6

SHA512
423edae8a12b53c269e06ec2be5cc5403d00d1cfddd62d7b49eccca6c8ead4ff3b3119fc310148b164898b944f0b32c714a1332c1095b92d4ad65d0d8c75a7fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_dkofbol1.s2j.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/3212-5-0x00000191D41E0000-0x00000191D4202000-memory.dmp

Filesize
136KB

Download
memory/3212-10-0x00000191D4450000-0x00000191D4466000-memory.dmp

Filesize
88KB

Download
memory/3212-11-0x00000191D2150000-0x00000191D215A000-memory.dmp

Filesize
40KB

Download
memory/3212-12-0x00000191D46F0000-0x00000191D4716000-memory.dmp

Filesize
152KB

Download