30091faafd62ea7ba9868db2ee575dab98fd126a78d39590f57ea7b38b20d966

Resubmissions

21-09-2024 21:03

240921-zwgnxstdke 10

21-09-2024 20:29

240921-y9lz5asajd 10

Analysis

max time kernel
35s
max time network
45s
platform
windows11-21h2_x64
resource
win11-20240802-en
resource tags

arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
submitted
21-09-2024 21:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Ultimate Tweaks.exe
Size

168.2MB
MD5

02c4b9609f04037960d947113bc2a017
SHA1

b593fc590fafb5e11ccceb199ff405874183c4e8
SHA256

3b47e84d5ca6ad15d2e8916d6cbd6af9ab943a42e84241e0517eaab66b5ef214
SHA512

d4b3d0f440f6c61716dc156494e0be5cb4053d170d8917f7686e26734023c4e29785f354f0bc21912da06a33547573256379874027dc990cdc91d648f176826a
SSDEEP

1572864:9QqT4eFUirK1e2zSQ5Rcw/N5cae/bHhrPdacyodvcPSBoHESUlyAzl/:vBKRcAMyAzB

Score

4^/10

execution

Malware Config

Signatures

Drops file in Windows directory 1 IoCs

Processes:

Ultimate Tweaks.exe

description ioc process

File opened for modification C:\Windows\SystemTemp Ultimate Tweaks.exe

description	ioc	process
File opened for modification	C:\Windows\SystemTemp	Ultimate Tweaks.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 14 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	process
4972	powershell.exe
3876	powershell.exe
788	powershell.exe
5020	powershell.exe
2268	powershell.exe
2280	powershell.exe
4808	powershell.exe
1204	powershell.exe
4012	powershell.exe
4824	powershell.exe
808	powershell.exe
4540	powershell.exe
3240	powershell.exe
3132	powershell.exe

Checks processor information in registry 2 TTPs 7 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Ultimate Tweaks.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Ultimate Tweaks.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	Ultimate Tweaks.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	Ultimate Tweaks.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	Ultimate Tweaks.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\2	Ultimate Tweaks.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Ultimate Tweaks.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	Ultimate Tweaks.exe

Suspicious behavior: EnumeratesProcesses 28 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	process
2280	powershell.exe
2268	powershell.exe
2280	powershell.exe
2268	powershell.exe
3132	powershell.exe
3240	powershell.exe
3240	powershell.exe
3132	powershell.exe
1204	powershell.exe
4808	powershell.exe
4808	powershell.exe
1204	powershell.exe
788	powershell.exe
4012	powershell.exe
4012	powershell.exe
788	powershell.exe
5020	powershell.exe
4824	powershell.exe
5020	powershell.exe
4824	powershell.exe
808	powershell.exe
4972	powershell.exe
808	powershell.exe
4972	powershell.exe
3876	powershell.exe
4540	powershell.exe
3876	powershell.exe
4540	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

Ultimate Tweaks.exepowershell.exepowershell.exepowershell.exepowershell.exe

description	pid	process
Token: SeShutdownPrivilege	1992	Ultimate Tweaks.exe
Token: SeCreatePagefilePrivilege	1992	Ultimate Tweaks.exe
Token: SeDebugPrivilege	2280	powershell.exe
Token: SeDebugPrivilege	2268	powershell.exe
Token: SeIncreaseQuotaPrivilege	2268	powershell.exe
Token: SeSecurityPrivilege	2268	powershell.exe
Token: SeTakeOwnershipPrivilege	2268	powershell.exe
Token: SeLoadDriverPrivilege	2268	powershell.exe
Token: SeSystemProfilePrivilege	2268	powershell.exe
Token: SeSystemtimePrivilege	2268	powershell.exe
Token: SeProfSingleProcessPrivilege	2268	powershell.exe
Token: SeIncBasePriorityPrivilege	2268	powershell.exe
Token: SeCreatePagefilePrivilege	2268	powershell.exe
Token: SeBackupPrivilege	2268	powershell.exe
Token: SeRestorePrivilege	2268	powershell.exe
Token: SeShutdownPrivilege	2268	powershell.exe
Token: SeDebugPrivilege	2268	powershell.exe
Token: SeSystemEnvironmentPrivilege	2268	powershell.exe
Token: SeRemoteShutdownPrivilege	2268	powershell.exe
Token: SeUndockPrivilege	2268	powershell.exe
Token: SeManageVolumePrivilege	2268	powershell.exe
Token: 33	2268	powershell.exe
Token: 34	2268	powershell.exe
Token: 35	2268	powershell.exe
Token: 36	2268	powershell.exe
Token: SeShutdownPrivilege	1992	Ultimate Tweaks.exe
Token: SeCreatePagefilePrivilege	1992	Ultimate Tweaks.exe
Token: SeShutdownPrivilege	1992	Ultimate Tweaks.exe
Token: SeCreatePagefilePrivilege	1992	Ultimate Tweaks.exe
Token: SeShutdownPrivilege	1992	Ultimate Tweaks.exe
Token: SeCreatePagefilePrivilege	1992	Ultimate Tweaks.exe
Token: SeShutdownPrivilege	1992	Ultimate Tweaks.exe
Token: SeCreatePagefilePrivilege	1992	Ultimate Tweaks.exe
Token: SeDebugPrivilege	3240	powershell.exe
Token: SeDebugPrivilege	3132	powershell.exe
Token: SeShutdownPrivilege	1992	Ultimate Tweaks.exe
Token: SeCreatePagefilePrivilege	1992	Ultimate Tweaks.exe
Token: SeIncreaseQuotaPrivilege	3132	powershell.exe
Token: SeSecurityPrivilege	3132	powershell.exe
Token: SeTakeOwnershipPrivilege	3132	powershell.exe
Token: SeLoadDriverPrivilege	3132	powershell.exe
Token: SeSystemProfilePrivilege	3132	powershell.exe
Token: SeSystemtimePrivilege	3132	powershell.exe
Token: SeProfSingleProcessPrivilege	3132	powershell.exe
Token: SeIncBasePriorityPrivilege	3132	powershell.exe
Token: SeCreatePagefilePrivilege	3132	powershell.exe
Token: SeBackupPrivilege	3132	powershell.exe
Token: SeRestorePrivilege	3132	powershell.exe
Token: SeShutdownPrivilege	3132	powershell.exe
Token: SeDebugPrivilege	3132	powershell.exe
Token: SeSystemEnvironmentPrivilege	3132	powershell.exe
Token: SeRemoteShutdownPrivilege	3132	powershell.exe
Token: SeUndockPrivilege	3132	powershell.exe
Token: SeManageVolumePrivilege	3132	powershell.exe
Token: 33	3132	powershell.exe
Token: 34	3132	powershell.exe
Token: 35	3132	powershell.exe
Token: 36	3132	powershell.exe
Token: SeShutdownPrivilege	1992	Ultimate Tweaks.exe
Token: SeCreatePagefilePrivilege	1992	Ultimate Tweaks.exe
Token: SeShutdownPrivilege	1992	Ultimate Tweaks.exe
Token: SeCreatePagefilePrivilege	1992	Ultimate Tweaks.exe
Token: SeShutdownPrivilege	1992	Ultimate Tweaks.exe
Token: SeCreatePagefilePrivilege	1992	Ultimate Tweaks.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Ultimate Tweaks.exeUltimate Tweaks.execmd.exe

description	pid	process	target process
PID 1992 wrote to memory of 1368	1992	Ultimate Tweaks.exe	Ultimate Tweaks.exe
PID 1992 wrote to memory of 1368	1992	Ultimate Tweaks.exe	Ultimate Tweaks.exe
PID 1992 wrote to memory of 1368	1992	Ultimate Tweaks.exe	Ultimate Tweaks.exe
PID 1992 wrote to memory of 1368	1992	Ultimate Tweaks.exe	Ultimate Tweaks.exe
PID 1992 wrote to memory of 1368	1992	Ultimate Tweaks.exe	Ultimate Tweaks.exe
PID 1992 wrote to memory of 1368	1992	Ultimate Tweaks.exe	Ultimate Tweaks.exe
PID 1992 wrote to memory of 1368	1992	Ultimate Tweaks.exe	Ultimate Tweaks.exe
PID 1992 wrote to memory of 1368	1992	Ultimate Tweaks.exe	Ultimate Tweaks.exe
PID 1992 wrote to memory of 1368	1992	Ultimate Tweaks.exe	Ultimate Tweaks.exe
PID 1992 wrote to memory of 1368	1992	Ultimate Tweaks.exe	Ultimate Tweaks.exe
PID 1992 wrote to memory of 1368	1992	Ultimate Tweaks.exe	Ultimate Tweaks.exe
PID 1992 wrote to memory of 1368	1992	Ultimate Tweaks.exe	Ultimate Tweaks.exe
PID 1992 wrote to memory of 1368	1992	Ultimate Tweaks.exe	Ultimate Tweaks.exe
PID 1992 wrote to memory of 1368	1992	Ultimate Tweaks.exe	Ultimate Tweaks.exe
PID 1992 wrote to memory of 1368	1992	Ultimate Tweaks.exe	Ultimate Tweaks.exe
PID 1992 wrote to memory of 1368	1992	Ultimate Tweaks.exe	Ultimate Tweaks.exe
PID 1992 wrote to memory of 1368	1992	Ultimate Tweaks.exe	Ultimate Tweaks.exe
PID 1992 wrote to memory of 1368	1992	Ultimate Tweaks.exe	Ultimate Tweaks.exe
PID 1992 wrote to memory of 1368	1992	Ultimate Tweaks.exe	Ultimate Tweaks.exe
PID 1992 wrote to memory of 1368	1992	Ultimate Tweaks.exe	Ultimate Tweaks.exe
PID 1992 wrote to memory of 1368	1992	Ultimate Tweaks.exe	Ultimate Tweaks.exe
PID 1992 wrote to memory of 1368	1992	Ultimate Tweaks.exe	Ultimate Tweaks.exe
PID 1992 wrote to memory of 1368	1992	Ultimate Tweaks.exe	Ultimate Tweaks.exe
PID 1992 wrote to memory of 1368	1992	Ultimate Tweaks.exe	Ultimate Tweaks.exe
PID 1992 wrote to memory of 1368	1992	Ultimate Tweaks.exe	Ultimate Tweaks.exe
PID 1992 wrote to memory of 1368	1992	Ultimate Tweaks.exe	Ultimate Tweaks.exe
PID 1992 wrote to memory of 1368	1992	Ultimate Tweaks.exe	Ultimate Tweaks.exe
PID 1992 wrote to memory of 1368	1992	Ultimate Tweaks.exe	Ultimate Tweaks.exe
PID 1992 wrote to memory of 1368	1992	Ultimate Tweaks.exe	Ultimate Tweaks.exe
PID 1992 wrote to memory of 1368	1992	Ultimate Tweaks.exe	Ultimate Tweaks.exe
PID 1992 wrote to memory of 2364	1992	Ultimate Tweaks.exe	Ultimate Tweaks.exe
PID 1992 wrote to memory of 2364	1992	Ultimate Tweaks.exe	Ultimate Tweaks.exe
PID 1992 wrote to memory of 1416	1992	Ultimate Tweaks.exe	Ultimate Tweaks.exe
PID 1992 wrote to memory of 1416	1992	Ultimate Tweaks.exe	Ultimate Tweaks.exe
PID 1416 wrote to memory of 4752	1416	Ultimate Tweaks.exe	cmd.exe
PID 1416 wrote to memory of 4752	1416	Ultimate Tweaks.exe	cmd.exe
PID 4752 wrote to memory of 3708	4752	cmd.exe	chcp.com
PID 4752 wrote to memory of 3708	4752	cmd.exe	chcp.com
PID 1416 wrote to memory of 2280	1416	Ultimate Tweaks.exe	powershell.exe
PID 1416 wrote to memory of 2280	1416	Ultimate Tweaks.exe	powershell.exe
PID 1416 wrote to memory of 2268	1416	Ultimate Tweaks.exe	powershell.exe
PID 1416 wrote to memory of 2268	1416	Ultimate Tweaks.exe	powershell.exe
PID 1416 wrote to memory of 3240	1416	Ultimate Tweaks.exe	powershell.exe
PID 1416 wrote to memory of 3240	1416	Ultimate Tweaks.exe	powershell.exe
PID 1416 wrote to memory of 3132	1416	Ultimate Tweaks.exe	powershell.exe
PID 1416 wrote to memory of 3132	1416	Ultimate Tweaks.exe	powershell.exe
PID 1416 wrote to memory of 4808	1416	Ultimate Tweaks.exe	powershell.exe
PID 1416 wrote to memory of 4808	1416	Ultimate Tweaks.exe	powershell.exe
PID 1416 wrote to memory of 1204	1416	Ultimate Tweaks.exe	powershell.exe
PID 1416 wrote to memory of 1204	1416	Ultimate Tweaks.exe	powershell.exe
PID 1416 wrote to memory of 4012	1416	Ultimate Tweaks.exe	powershell.exe
PID 1416 wrote to memory of 4012	1416	Ultimate Tweaks.exe	powershell.exe
PID 1416 wrote to memory of 788	1416	Ultimate Tweaks.exe	powershell.exe
PID 1416 wrote to memory of 788	1416	Ultimate Tweaks.exe	powershell.exe
PID 1416 wrote to memory of 5020	1416	Ultimate Tweaks.exe	powershell.exe
PID 1416 wrote to memory of 5020	1416	Ultimate Tweaks.exe	powershell.exe
PID 1416 wrote to memory of 4824	1416	Ultimate Tweaks.exe	powershell.exe
PID 1416 wrote to memory of 4824	1416	Ultimate Tweaks.exe	powershell.exe
PID 1416 wrote to memory of 4972	1416	Ultimate Tweaks.exe	powershell.exe
PID 1416 wrote to memory of 4972	1416	Ultimate Tweaks.exe	powershell.exe
PID 1416 wrote to memory of 808	1416	Ultimate Tweaks.exe	powershell.exe
PID 1416 wrote to memory of 808	1416	Ultimate Tweaks.exe	powershell.exe
PID 1416 wrote to memory of 3876	1416	Ultimate Tweaks.exe	powershell.exe
PID 1416 wrote to memory of 3876	1416	Ultimate Tweaks.exe	powershell.exe

C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe
"C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1992
- C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe
  "C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\Ultimate Tweaks" --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=1676 --field-trial-handle=1680,i,8190602469219589272,11493323375662170241,262144 --enable-features=kWebSQLAccess --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version /prefetch:2
  2⤵
  PID:1368
- C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe
  "C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\Ultimate Tweaks" --mojo-platform-channel-handle=2092 --field-trial-handle=1680,i,8190602469219589272,11493323375662170241,262144 --enable-features=kWebSQLAccess --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version /prefetch:3
  2⤵
  PID:2364
- C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe
  "C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\Ultimate Tweaks" --app-path="C:\Users\Admin\AppData\Local\Temp\resources\app.asar" --no-sandbox --no-zygote --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=4 --mojo-platform-channel-handle=2300 --field-trial-handle=1680,i,8190602469219589272,11493323375662170241,262144 --enable-features=kWebSQLAccess --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version /prefetch:1
  2⤵
  - Checks processor information in registry
  - Suspicious use of WriteProcessMemory
  PID:1416
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "chcp"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4752
  - - C:\Windows\system32\chcp.com
      chcp
      4⤵
      PID:3708
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2280
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2268
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3240
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3132
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:4808
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:1204
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:4012
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:788
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:5020
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:4824
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:4972
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:808
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:3876
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:4540

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
22e796539d05c5390c21787da1fb4c2b

SHA1
55320ebdedd3069b2aaf1a258462600d9ef53a58

SHA256
7c6c09f48f03421430d707d27632810414e5e2bf2eecd5eb675fecf8b45a9a92

SHA512
d9cc0cb22df56db72a71504bb3ebc36697e0a7a1d2869e0e0ab61349bda603298fe6c667737b79bf2235314fb49b883ba4c5f137d002e273e79391038ecf9c09

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
1KB

MD5
0254494a4c89bf8f623066957ccb7ea1

SHA1
0a31bf0f80c2e5caaf36fdf4266b72379cfb3751

SHA256
ffda9233d24b63e14924cddc16d3885111c7cf09abe840547c0a266c2000687f

SHA512
8f8c04122ae09f4a544d482eb72c30fc6d1ae9840e4247eb9e7a5cbe6e912fbff9132afc78974509923c24c30a8049199d43d83aba49b8a66ab78316546673bb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
552B

MD5
1d5ca7c89ce55d6a92cfe1433e6272a4

SHA1
6cdfc27fc510d2cd98fa5c3e72adc42b8eb7b9e0

SHA256
2ad1078da68d3cac3fee04eb5af4bfa9b1c62c0fab034cf77e782b303ad3f7ea

SHA512
8f05357559514b14f713f204592799db35aab3fb58290205d0095f7b3aa0ff694f2a83fe8d6bead1f951d6e51eba1f3a78d1a912501801e3805668b26fd5dcdd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
1KB

MD5
73e52cbac252eba1d0474a8c17692ad4

SHA1
14e12f81435d5f8dfe26892ea6bc0453b01dfd0d

SHA256
0698989c4bb59a28e9d2d1fc5565b66f2d572ac3cde00e52d9275c3ecab243b2

SHA512
f177f9fbc591cb0e708872199ae5495ab8c045ead470762a6fbc98e342c61701b4a939493d4b3f2384c26cfcd905df7fba06778d9164d735d707231cc1b6a52e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
1KB

MD5
9a6fca612cf6c3667e4c335a12999dab

SHA1
f02386264dcb3d8880a5755424ac95e09e1f97f3

SHA256
de45039fb7deb974cdc10deb97a3278a2b97f5b1cf30e4224858a4c8bb9e20a3

SHA512
8e31c14d5b996259f2339e00cc838f03585f7541f3a26373f3ca3a29515d98ef738158bab21f3ece8a55bf54fbbd803d3ea51165d30edb66ec80b9eb117c4d36

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
1KB

MD5
ef10b9f3709cc2b96b097688dc092ed3

SHA1
dd19d160b010d72bdc67516e83ac81dfa3452002

SHA256
8f80c2e226d1c405902f8a33f375dd496cba120d80c12f345f56129ca62f5d09

SHA512
d205311be847d71fb13fafcc58de50afdbc5263bdccf8ebd470971001fba15ab87d4df8862edb7356ac88ea4e27dace9f488d3c0903a236c637a9865416cc4f1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
1KB

MD5
1bc247829e5e5db34b6618cbed66d188

SHA1
a087ab6a406453aadd55ccc708fd93e9db69eb18

SHA256
a066000624cc1eac2356192861ca570f35941df15294d5206d02d648b6b22fc5

SHA512
d8ff4cf85a821a981a3c1357d6ddb3a48f750d02333b4f243cb889fac70231cc8a436f0d80e0a77e3366388416ba8b96df29b8ba231620cbffdc86b58e6abeca

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
1KB

MD5
347eddb65fa4501ada998199ea8672fb

SHA1
c6ff104ef1507909831660d4d8201648231a6c78

SHA256
bf049a83c6f3c0d0d1490228a6781f3f27cba0092909c3810d8c9cc2b9add74b

SHA512
740f47ac2ae1ee03ca9c350d5cf1261888e3c8f84564829b7a816d421976866ee9a1b8238e5430969e0213730b6e9f2cc1631a6f3b91e9584488946c76af6f63

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
1KB

MD5
861d3d9e5ccef7a1f6df025e7e9a3f47

SHA1
06ce091459e1fe3ec67adf425b3a08a95a324ffd

SHA256
fba37dd359bbf956d18186996b500a7dd78dd948d25528cbe04ef77ad3f4a9c4

SHA512
9fb89db22862145f70118c03e0880b20b1cd4a05c38a2bf71a77d8e000f75f94ba2d3ae5777789e35884a796ee2c4cfa9fe05d3d05a75dc96b6fcc144f8b8f81

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_js4vanyy.flw.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Spelling\en-US\default.dic

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\AppData\Roaming\Ultimate Tweaks\Preferences

Filesize
57B

MD5
58127c59cb9e1da127904c341d15372b

SHA1
62445484661d8036ce9788baeaba31d204e9a5fc

SHA256
be4b8924ab38e8acf350e6e3b9f1f63a1a94952d8002759acd6946c4d5d0b5de

SHA512
8d1815b277a93ad590ff79b6f52c576cf920c38c4353c24193f707d66884c942f39ff3989530055d2fade540ade243b41b6eb03cd0cc361c3b5d514cca28b50a

Download Submit
C:\Users\Admin\AppData\Roaming\Ultimate Tweaks\Preferences~RFe57dbaa.TMP

Filesize
86B

MD5
d11dedf80b85d8d9be3fec6bb292f64b

SHA1
aab8783454819cd66ddf7871e887abdba138aef3

SHA256
8029940de92ae596278912bbbd6387d65f4e849d3c136287a1233f525d189c67

SHA512
6b7ec1ca5189124e0d136f561ca7f12a4653633e2d9452d290e658dfe545acf6600cc9496794757a43f95c91705e9549ef681d4cc9e035738b03a18bdc2e25f0

Download Submit
C:\Users\Admin\AppData\Roaming\Ultimate Tweaks\logs\main.log

Filesize
4KB

MD5
b20c7cb5a06898acb0a05c5205392af6

SHA1
d0ddf3944d2db3327cfa4c09f69ea37b46db4d1f

SHA256
209c24d595f486b0e16c6a3901c74e08683705317b13c0c70bd101f7dd0f5e0c

SHA512
c570c98867e8f09185c618079322e425097980ff0d6c28a26046dc0c3623d2679146307e0c9ad1a8c53816fe5dfb81662c771361656e51e46c48f14a0dc2c97e

Download Submit
memory/2268-90-0x0000022E33B20000-0x0000022E33B4A000-memory.dmp

Filesize
168KB

Download
memory/2268-73-0x0000022E33640000-0x0000022E33662000-memory.dmp

Filesize
136KB

Download
memory/2268-91-0x0000022E33B20000-0x0000022E33B44000-memory.dmp

Filesize
144KB

Download
memory/2280-87-0x000001EFFDD30000-0x000001EFFDD76000-memory.dmp

Filesize
280KB

Download