30091faafd62ea7ba9868db2ee575dab98fd126a78d39590f57ea7b38b20d966

Analysis

max time kernel
150s
max time network
158s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
22-09-2024 19:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Ultimate Tweaks.exe
Size

168.2MB
MD5

02c4b9609f04037960d947113bc2a017
SHA1

b593fc590fafb5e11ccceb199ff405874183c4e8
SHA256

3b47e84d5ca6ad15d2e8916d6cbd6af9ab943a42e84241e0517eaab66b5ef214
SHA512

d4b3d0f440f6c61716dc156494e0be5cb4053d170d8917f7686e26734023c4e29785f354f0bc21912da06a33547573256379874027dc990cdc91d648f176826a
SSDEEP

1572864:9QqT4eFUirK1e2zSQ5Rcw/N5cae/bHhrPdacyodvcPSBoHESUlyAzl/:vBKRcAMyAzB

Score

7^/10

execution

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	Ultimate Tweaks.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	Ultimate Tweaks.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 60 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
2064	powershell.exe
4528	powershell.exe
4468	powershell.exe
2132	powershell.exe
2056	powershell.exe
4604	powershell.exe
4760	powershell.exe
4172	powershell.exe
3504	powershell.exe
5036	powershell.exe
3168	powershell.exe
3668	powershell.exe
2268	powershell.exe
4524	powershell.exe
4336	powershell.exe
900	powershell.exe
2368	powershell.exe
4144	powershell.exe
4992	powershell.exe
3444	powershell.exe
3992	powershell.exe
732	powershell.exe
2396	powershell.exe
3336	powershell.exe
2792	powershell.exe
4872	powershell.exe
3800	powershell.exe
1764	powershell.exe
3592	powershell.exe
1780	powershell.exe
920	powershell.exe
4112	powershell.exe
3024	powershell.exe
1928	powershell.exe
2628	powershell.exe
716	powershell.exe
3168	powershell.exe
3500	powershell.exe
1348	powershell.exe
4968	powershell.exe
3956	powershell.exe
4376	powershell.exe
5044	powershell.exe
3244	powershell.exe
760	powershell.exe
644	powershell.exe
4616	powershell.exe
3436	powershell.exe
2492	powershell.exe
4804	powershell.exe
1564	powershell.exe
1668	powershell.exe
4968	powershell.exe
2312	powershell.exe
3264	powershell.exe
1208	powershell.exe
4920	powershell.exe
3600	powershell.exe
1916	powershell.exe
5044	powershell.exe

Checks processor information in registry 2 TTPs 7 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	Ultimate Tweaks.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Ultimate Tweaks.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	Ultimate Tweaks.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	Ultimate Tweaks.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	Ultimate Tweaks.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\2	Ultimate Tweaks.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Ultimate Tweaks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2396	powershell.exe
2396	powershell.exe
4336	powershell.exe
4336	powershell.exe
4112	powershell.exe
1208	powershell.exe
4112	powershell.exe
1208	powershell.exe
900	powershell.exe
2064	powershell.exe
2064	powershell.exe
900	powershell.exe
3024	powershell.exe
4968	powershell.exe
3024	powershell.exe
4968	powershell.exe
4920	powershell.exe
1928	powershell.exe
1928	powershell.exe
4920	powershell.exe
1564	powershell.exe
644	powershell.exe
644	powershell.exe
1564	powershell.exe
4616	powershell.exe
3956	powershell.exe
4616	powershell.exe
3956	powershell.exe
3600	powershell.exe
1764	powershell.exe
3600	powershell.exe
1764	powershell.exe
2628	powershell.exe
2368	powershell.exe
2628	powershell.exe
2368	powershell.exe
3444	powershell.exe
3592	powershell.exe
3444	powershell.exe
3592	powershell.exe
1668	powershell.exe
3992	powershell.exe
1668	powershell.exe
3992	powershell.exe
4376	powershell.exe
3336	powershell.exe
4376	powershell.exe
3336	powershell.exe
4524	powershell.exe
4524	powershell.exe
1916	powershell.exe
1916	powershell.exe
4524	powershell.exe
1916	powershell.exe
2056	powershell.exe
4528	powershell.exe
4528	powershell.exe
2056	powershell.exe
716	powershell.exe
3436	powershell.exe
716	powershell.exe
3436	powershell.exe
5044	powershell.exe
3168	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	960	Ultimate Tweaks.exe
Token: SeCreatePagefilePrivilege	960	Ultimate Tweaks.exe
Token: SeDebugPrivilege	2396	powershell.exe
Token: SeDebugPrivilege	4336	powershell.exe
Token: SeShutdownPrivilege	960	Ultimate Tweaks.exe
Token: SeCreatePagefilePrivilege	960	Ultimate Tweaks.exe
Token: SeIncreaseQuotaPrivilege	2396	powershell.exe
Token: SeSecurityPrivilege	2396	powershell.exe
Token: SeTakeOwnershipPrivilege	2396	powershell.exe
Token: SeLoadDriverPrivilege	2396	powershell.exe
Token: SeSystemProfilePrivilege	2396	powershell.exe
Token: SeSystemtimePrivilege	2396	powershell.exe
Token: SeProfSingleProcessPrivilege	2396	powershell.exe
Token: SeIncBasePriorityPrivilege	2396	powershell.exe
Token: SeCreatePagefilePrivilege	2396	powershell.exe
Token: SeBackupPrivilege	2396	powershell.exe
Token: SeRestorePrivilege	2396	powershell.exe
Token: SeShutdownPrivilege	2396	powershell.exe
Token: SeDebugPrivilege	2396	powershell.exe
Token: SeSystemEnvironmentPrivilege	2396	powershell.exe
Token: SeRemoteShutdownPrivilege	2396	powershell.exe
Token: SeUndockPrivilege	2396	powershell.exe
Token: SeManageVolumePrivilege	2396	powershell.exe
Token: 33	2396	powershell.exe
Token: 34	2396	powershell.exe
Token: 35	2396	powershell.exe
Token: 36	2396	powershell.exe
Token: SeShutdownPrivilege	960	Ultimate Tweaks.exe
Token: SeCreatePagefilePrivilege	960	Ultimate Tweaks.exe
Token: SeShutdownPrivilege	960	Ultimate Tweaks.exe
Token: SeCreatePagefilePrivilege	960	Ultimate Tweaks.exe
Token: SeShutdownPrivilege	960	Ultimate Tweaks.exe
Token: SeCreatePagefilePrivilege	960	Ultimate Tweaks.exe
Token: SeShutdownPrivilege	960	Ultimate Tweaks.exe
Token: SeCreatePagefilePrivilege	960	Ultimate Tweaks.exe
Token: SeDebugPrivilege	4112	powershell.exe
Token: SeDebugPrivilege	1208	powershell.exe
Token: SeIncreaseQuotaPrivilege	4112	powershell.exe
Token: SeSecurityPrivilege	4112	powershell.exe
Token: SeTakeOwnershipPrivilege	4112	powershell.exe
Token: SeLoadDriverPrivilege	4112	powershell.exe
Token: SeSystemProfilePrivilege	4112	powershell.exe
Token: SeSystemtimePrivilege	4112	powershell.exe
Token: SeProfSingleProcessPrivilege	4112	powershell.exe
Token: SeIncBasePriorityPrivilege	4112	powershell.exe
Token: SeCreatePagefilePrivilege	4112	powershell.exe
Token: SeBackupPrivilege	4112	powershell.exe
Token: SeRestorePrivilege	4112	powershell.exe
Token: SeShutdownPrivilege	4112	powershell.exe
Token: SeDebugPrivilege	4112	powershell.exe
Token: SeSystemEnvironmentPrivilege	4112	powershell.exe
Token: SeRemoteShutdownPrivilege	4112	powershell.exe
Token: SeUndockPrivilege	4112	powershell.exe
Token: SeManageVolumePrivilege	4112	powershell.exe
Token: 33	4112	powershell.exe
Token: 34	4112	powershell.exe
Token: 35	4112	powershell.exe
Token: 36	4112	powershell.exe
Token: SeShutdownPrivilege	960	Ultimate Tweaks.exe
Token: SeCreatePagefilePrivilege	960	Ultimate Tweaks.exe
Token: SeShutdownPrivilege	960	Ultimate Tweaks.exe
Token: SeCreatePagefilePrivilege	960	Ultimate Tweaks.exe
Token: SeShutdownPrivilege	960	Ultimate Tweaks.exe
Token: SeCreatePagefilePrivilege	960	Ultimate Tweaks.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 960 wrote to memory of 4640	960	Ultimate Tweaks.exe	80
PID 960 wrote to memory of 4640	960	Ultimate Tweaks.exe	80
PID 960 wrote to memory of 4640	960	Ultimate Tweaks.exe	80
PID 960 wrote to memory of 4640	960	Ultimate Tweaks.exe	80
PID 960 wrote to memory of 4640	960	Ultimate Tweaks.exe	80
PID 960 wrote to memory of 4640	960	Ultimate Tweaks.exe	80
PID 960 wrote to memory of 4640	960	Ultimate Tweaks.exe	80
PID 960 wrote to memory of 4640	960	Ultimate Tweaks.exe	80
PID 960 wrote to memory of 4640	960	Ultimate Tweaks.exe	80
PID 960 wrote to memory of 4640	960	Ultimate Tweaks.exe	80
PID 960 wrote to memory of 4640	960	Ultimate Tweaks.exe	80
PID 960 wrote to memory of 4640	960	Ultimate Tweaks.exe	80
PID 960 wrote to memory of 4640	960	Ultimate Tweaks.exe	80
PID 960 wrote to memory of 4640	960	Ultimate Tweaks.exe	80
PID 960 wrote to memory of 4640	960	Ultimate Tweaks.exe	80
PID 960 wrote to memory of 4640	960	Ultimate Tweaks.exe	80
PID 960 wrote to memory of 4640	960	Ultimate Tweaks.exe	80
PID 960 wrote to memory of 4640	960	Ultimate Tweaks.exe	80
PID 960 wrote to memory of 4640	960	Ultimate Tweaks.exe	80
PID 960 wrote to memory of 4640	960	Ultimate Tweaks.exe	80
PID 960 wrote to memory of 4640	960	Ultimate Tweaks.exe	80
PID 960 wrote to memory of 4640	960	Ultimate Tweaks.exe	80
PID 960 wrote to memory of 4640	960	Ultimate Tweaks.exe	80
PID 960 wrote to memory of 4640	960	Ultimate Tweaks.exe	80
PID 960 wrote to memory of 4640	960	Ultimate Tweaks.exe	80
PID 960 wrote to memory of 4640	960	Ultimate Tweaks.exe	80
PID 960 wrote to memory of 4640	960	Ultimate Tweaks.exe	80
PID 960 wrote to memory of 4640	960	Ultimate Tweaks.exe	80
PID 960 wrote to memory of 4640	960	Ultimate Tweaks.exe	80
PID 960 wrote to memory of 4640	960	Ultimate Tweaks.exe	80
PID 960 wrote to memory of 4056	960	Ultimate Tweaks.exe	81
PID 960 wrote to memory of 4056	960	Ultimate Tweaks.exe	81
PID 960 wrote to memory of 3464	960	Ultimate Tweaks.exe	82
PID 960 wrote to memory of 3464	960	Ultimate Tweaks.exe	82
PID 3464 wrote to memory of 2832	3464	Ultimate Tweaks.exe	83
PID 3464 wrote to memory of 2832	3464	Ultimate Tweaks.exe	83
PID 2832 wrote to memory of 4884	2832	cmd.exe	85
PID 2832 wrote to memory of 4884	2832	cmd.exe	85
PID 3464 wrote to memory of 4336	3464	Ultimate Tweaks.exe	86
PID 3464 wrote to memory of 4336	3464	Ultimate Tweaks.exe	86
PID 3464 wrote to memory of 2396	3464	Ultimate Tweaks.exe	87
PID 3464 wrote to memory of 2396	3464	Ultimate Tweaks.exe	87
PID 3464 wrote to memory of 1208	3464	Ultimate Tweaks.exe	91
PID 3464 wrote to memory of 1208	3464	Ultimate Tweaks.exe	91
PID 3464 wrote to memory of 4112	3464	Ultimate Tweaks.exe	92
PID 3464 wrote to memory of 4112	3464	Ultimate Tweaks.exe	92
PID 3464 wrote to memory of 900	3464	Ultimate Tweaks.exe	95
PID 3464 wrote to memory of 900	3464	Ultimate Tweaks.exe	95
PID 3464 wrote to memory of 2064	3464	Ultimate Tweaks.exe	96
PID 3464 wrote to memory of 2064	3464	Ultimate Tweaks.exe	96
PID 3464 wrote to memory of 4968	3464	Ultimate Tweaks.exe	99
PID 3464 wrote to memory of 4968	3464	Ultimate Tweaks.exe	99
PID 3464 wrote to memory of 3024	3464	Ultimate Tweaks.exe	100
PID 3464 wrote to memory of 3024	3464	Ultimate Tweaks.exe	100
PID 3464 wrote to memory of 4920	3464	Ultimate Tweaks.exe	103
PID 3464 wrote to memory of 4920	3464	Ultimate Tweaks.exe	103
PID 3464 wrote to memory of 1928	3464	Ultimate Tweaks.exe	104
PID 3464 wrote to memory of 1928	3464	Ultimate Tweaks.exe	104
PID 3464 wrote to memory of 644	3464	Ultimate Tweaks.exe	107
PID 3464 wrote to memory of 644	3464	Ultimate Tweaks.exe	107
PID 3464 wrote to memory of 1564	3464	Ultimate Tweaks.exe	108
PID 3464 wrote to memory of 1564	3464	Ultimate Tweaks.exe	108
PID 3464 wrote to memory of 4616	3464	Ultimate Tweaks.exe	112
PID 3464 wrote to memory of 4616	3464	Ultimate Tweaks.exe	112

C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe
"C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:960
- C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe
  "C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\Ultimate Tweaks" --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=1628 --field-trial-handle=1660,i,15471706491566341362,3712111011299238001,262144 --enable-features=kWebSQLAccess --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version /prefetch:2
  2⤵
  PID:4640
- C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe
  "C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\Ultimate Tweaks" --mojo-platform-channel-handle=2124 --field-trial-handle=1660,i,15471706491566341362,3712111011299238001,262144 --enable-features=kWebSQLAccess --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version /prefetch:3
  2⤵
  PID:4056
- C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe
  "C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\Ultimate Tweaks" --app-path="C:\Users\Admin\AppData\Local\Temp\resources\app.asar" --no-sandbox --no-zygote --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=4 --mojo-platform-channel-handle=2392 --field-trial-handle=1660,i,15471706491566341362,3712111011299238001,262144 --enable-features=kWebSQLAccess --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version /prefetch:1
  2⤵
  - Checks computer location settings
  - Checks processor information in registry
  - Suspicious use of WriteProcessMemory
  PID:3464
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "chcp"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2832
  - - C:\Windows\system32\chcp.com
      chcp
      4⤵
      PID:4884
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4336
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2396
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1208
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4112
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:900
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:2064
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:4968
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:3024
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:4920
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:1928
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:644
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:1564
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:4616
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:3956
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:3600
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:1764
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:2628
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:2368
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:3444
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:3592
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:3992
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:1668
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:3336
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:4376
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:4524
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:1916
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:2056
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:4528
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:716
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:3436
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:3168
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:5044
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:4604
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:4760
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:3668
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:732
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:2492
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:1780
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:5044
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:3244
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:2312
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:4804
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:1348
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:4144
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:2792
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:3168
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:760
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:4172
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:3500
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:4968
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:920
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:3264
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:4468
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:4872
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:2132
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:4992
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:3800
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:2268
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:3504
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:5036
- C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe
  "C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --user-data-dir="C:\Users\Admin\AppData\Roaming\Ultimate Tweaks" --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAABEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=1560 --field-trial-handle=1660,i,15471706491566341362,3712111011299238001,262144 --enable-features=kWebSQLAccess --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version /prefetch:8
  2⤵
  PID:3468

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
5c3cc3c6ae2c1e0b92b502859ce79d0c

SHA1
bde46d0f91ad780ce5cba924f8d9f4c175c5b83d

SHA256
5a48860ad5bdf15d7a241aa16124163ec48adc0f0af758e43561ac07e4f163b2

SHA512
269b79931df92c30741c9a42a013cb24935887272ed8077653f0b6525793da52c5004c70329d8e0e7b2776fc1aba6e32da5dadf237ae42f7398fdf35a930663e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
2KB

MD5
316ba4162a98ff003c76d3391603ad98

SHA1
3c3081e235974a722b5a15fdf99a67e68a2125e2

SHA256
245490b0b903075f4c62ae1d8e39d3298c7aa606310a740182bff3a358169ab4

SHA512
fe2d8d332014ca7c72f7f17d75a1a8de71cfd70f930ff9c638eb343c5c5a94b634e6896c372446e75a6092ca8b9c21f1fd1be7814b77c22d4acc08c1053726b6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
2KB

MD5
0fd0469f84481ad75c8239c8415a1a4e

SHA1
b8c1eb62d3075b02bc458f269414b9cf7f9feb12

SHA256
060b98dfd990fff9a7c339dd72c4da3968aeb055c1ae68084c86aea257747d52

SHA512
2c68ef8a52e1eefa54c59bf068e39ae920410a8706afc8fe7ace1f474a2ff971bf3a7557f2fa8f597aacdf17f2eff5bd93be664e573c862e413d662e3c369e1a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
2KB

MD5
35290d5cd9df2c4a47bcca00981bb37f

SHA1
d40430173baf7bfe1d2494b01e64385e5bf67e19

SHA256
0b69cc352136c494bd869f581cf6c3b166f1acebc1ab9fb470cb729683182453

SHA512
e6244af8305a6938c2e9ca334339b5cd2a3a656f26e6b431a0041d008ef5b46fe62335444b288a4a74ff312a7f1221d19299e03a9a10c475b764d2d4b19ad7b6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
2KB

MD5
17d4696ded887c120052961857470fdc

SHA1
9ddfe5b13c9fb62387cafac44833c2c2cff78bc6

SHA256
4379cfd30d913d452dd0388de7a09481dc2a800c87b7ad2e17f9f7834350c7c1

SHA512
92e5f811744b703010ebcce53d620e44b58776f6e8aacb348e8879011216aebe73e064d9c7822e7b88a6c06b0fee1d0f3aafd66b28027a9fb980b1cc9eca4f58

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
2KB

MD5
0cde187a7e5ebb6d57cdd08ca45bcee0

SHA1
ed0fc42f07ce807e2c89bea9bd1a97cb31f3f3a5

SHA256
baa7ea1ae458a40f928dc062ac71f47bfb47c85fd76e1749cc4645d29fa5a15e

SHA512
f0220ae1cb689a20634ac0127993fc268e9141ebbd65e234a083711bd259ed6a9ee00a92024367bb148bf3a08dc70712c1f0d68aaa5cda8812b132121ba9bec8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
2KB

MD5
28c65370f12e84b734af87ad491ea257

SHA1
402d3a8203115f1365d48fa72daf0a56e14d8a08

SHA256
4ea873fb3d77a2f8eefae82c943f621f16723516e181bde133568f8f0c91290c

SHA512
56eb34162b0a39da4aaf66aad35ef355a7709982b5060792e3b4849c36650725176e927815537ec58e7ddf0fb1763066b203d6b7f9d1b3dd2c8bc091c0c850cc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
2KB

MD5
9bd13b7fd9a96f9e36efec41d02c8750

SHA1
8fb8ef671310cce88b893f56541f257365502d6c

SHA256
fb073dace06964d5a017d5fa851da00a45080de9862866ff862469ea3f9d8742

SHA512
601326449f1d4e9030abf5ab4a2ef640006e9d894a7ab57a8c92995c5405e56fbbc836307ceec5b722880565a76463100a323b207c71a2caf4a0766e5e864cfc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
2KB

MD5
c0c5132c736538326dc661e55a5c46cd

SHA1
ee9676ef1e4e27b7c1310b1e7d7445c27143e66f

SHA256
4862a5e02f3709cc22f363a2414af7e7813ef24fcbdfcbafc2a5ea24b3411052

SHA512
ed7f50a867e3e9f8d5dfa60b57aae48b6fc45feb4b26d1a754c0346a711d498adbceda0dc8a7d198ca05c2eba88baa2488e91df0f678e2ef9e9641de26bc4f33

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
376B

MD5
58f1b36a273e837f6e4a290733052ee7

SHA1
a596b6a97f55b84640e4e2773573aaa796653ff7

SHA256
dfefb199002d10e9795bbccf1a19c275ac0faf7b27c68b6d4f3b2fcf36df50e6

SHA512
8cf1b82db08774ff112572995cb8ecb23dfb5036b55fc0f63ef4bf66cca80d6eaf05a9e89cf902265d437c0330d9875800658ccd90ad9887d858667de10b1427

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
2KB

MD5
2f02179dd49afea4c3a182bdfd479bfa

SHA1
f5aa60570c034775e4ee625eb7e359dd961beeca

SHA256
2d11a1bd7fda8fab32f814673a251ac7a3f8fd416dc81a4137ceb73a16c10fce

SHA512
0cc9825321a132ca7984c15e2b3d154c88dfc6c284d4770448a854879b3fe03b0b8e6e3683c8193e3a0bd0b02c3afcba9457453957cd9c5cb6cd42dcca0e64e4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
2KB

MD5
f93951e235bc0183eaa5f1b353411c96

SHA1
99301664c5033aee9c53200c3b460803585560c9

SHA256
2341e36648d192816cf027206b5ec6f31ea87aa88e625ddb7b81688bb380b5c4

SHA512
89d49795e427f223178d07bce360c66e6773230541eddc867ff085065c8a339a8dddb9ef4fadc1da026b07db2754495d3a5fa564b56f75c9907a922211cec28a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
2KB

MD5
e4bc7864adce6efa2ba035eb450ed3f5

SHA1
c2c619f53c30e156fa7d9c81b2b0300aa97e1fbe

SHA256
cdfe81e01956d7f99d9b187663129055da265ba4fd6ed1c265d523ba6de6b154

SHA512
aa51610478d301eec6363e13854155d5d80d42807b15f7ef01cb3f488a8e96f884f1e7e060652a280f75d4c172f0524b5620262402c7eed1ffe41cc89812ceeb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
2KB

MD5
31fa6751e50d42ac13bd27565462bc6a

SHA1
424f0d8babdb31195a2affa30a28643f0893cd6c

SHA256
33e16e7302d5d4ceb37603ca4aa433d6af3defb8297aef4f8f60818629ce8a5c

SHA512
0fdef395384f6954d817be2a9c79c0b2bfd1cd27760d0767833a22e1a8ee5c300aee18482753a9b018c116c5ff2c694dbf0b18b3b303dfc0be850042f29b40cf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
2KB

MD5
a6419391d1082646a6cffac0df7c4e64

SHA1
b87e4253cbe7e37025f06d452d8bd4196cb683f2

SHA256
d048743e871d819c19400c1c839d5c39b5f9f8ad79ac02c0d3b10df5f27f2257

SHA512
1a996e2456e26e4449f882a47bbb250bab6592261c9c83977100a1a5b8c80e42c1c296076075482ec0caf4992a9f77a0523ca6c75409af8556e23d66f8cb027e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
64B

MD5
27c3eb040e773ce2a8841e557ae70804

SHA1
942d5cdfa7d064e2a4b8d464ec5e6b378d6666d7

SHA256
96cca52a819876934c0508a9e6eece4ab06a8ca59d5076a0032ed14c524b9aca

SHA512
0230a98bd075781bc30b8bdd751e2d0dbe6b7707b0bd226991f44768b3c6db7da318ec67f77910427a1c3895c7d57e5c27789fe05d230dcf0ff21295a4c5beb7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
2KB

MD5
c5bc01774e20858b3bb186b046368a5a

SHA1
93c29a81d01ec4c09015131cdb8034c5adf67bd0

SHA256
5349b62296a4f4d576ebe927fb70c1c4c88704bdaf8df2270c236d6decbd1157

SHA512
5b988f31f41ffb516bd27a9e459a749262868d00797ee5ce943261b56a64995e76c93721bc0d91f3b318adc9be2104cba0cdcbe25321ce6a1eaa8a04c6857102

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
2KB

MD5
d8a2b74b9388d036c096d8940375d5c4

SHA1
bc8b2197bc1f603297bf466dcb1af5bb07295c4d

SHA256
34b5ae30a806f90c5f77ad277bcbb1e3d25318b7ff434a81ac8dfc45514e06ba

SHA512
f7aea4d15c8c2975667fff35086c6c4e6427209aa7e4d7b2ddca5fb48530abd20205056ae42c36c07c1e5707977accc5093e1d3eabbd9188fa379cc367d34ff1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
208B

MD5
51ddaf2fbcc27737b3d5037cca105af3

SHA1
d95608a5afa4c25d724bc00da01185d881e27057

SHA256
2c5e51487093d715886ca782e8610d340d5314180be7ba30bea80668ab8dfa69

SHA512
b298b5c91f65b246d096369dd8a5d570afbd31bed87c70b7d43731c35fc8ec86341a4226dfac06479330285ea37b9f23f28ad6e4f0916c93cff189a13a47d15f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
2KB

MD5
76417e1cdecc7c4840b1b6d15c00f5ef

SHA1
03d6c18053c45ea157a1b40d087c8dedccda0076

SHA256
1cfed33b1cafd9cb5d0fc144abdd6d4376609ea423406c0c7c07662ba64806a3

SHA512
7a7e668159163c0256f9e82ec449e7e6bae305675199f2a6f002661dacafa3a286ee6b855cec57e2db6dd47ad5889ab37edcc906cf0934e089beebcd6c89c375

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
2KB

MD5
7853d38514a8146ba2284981a40cb700

SHA1
68d959e15bec395a3d3596209255b351d178b91e

SHA256
844aaf758b1187d64ea3cb45d6a3fd69fe92e0c1242c2dc9e83fb3781f2d33f1

SHA512
a1694889c2d4357b7dc1c29e706e3f8aef5178ae6739ec0e4478ec62cf325662b20918f334caca63e79c97e0170d0cd4b0653f28e597b14fe53ceb48315e2ad2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
2KB

MD5
dc0a1f8ea50802021914f31b9218ff53

SHA1
e3f030e14a894d97ad7d922a49d4b02836831652

SHA256
28d26af382012f6942373bd18c97719456ee881a75404cefc0348ffa291932fd

SHA512
3cbe874d61b12184c6853bf3959c2d6d63e923593523f7ad7aa9e92711ea8d74eeb7075150578361459d84362ddf53c3c6da9ed7be94f17943aaa798fb0e3f59

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
2KB

MD5
8584236124bc234b300f39b400760cea

SHA1
843be35b2af23b827cbde56d4905e88775ad1a0e

SHA256
6f91b5f4b9a0692f18ac460822f35a33101d522495af6ceab9af31bce4ddbce8

SHA512
1d369990cc6676a487c5f01038e4474baf509e32d28a03e5d1a087821a97637ce9c1d0f2c01b05769d38e47f9c261a630d68705362495a7d950af6c51512f114

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
2KB

MD5
ee4bbd4d8141d6983ff42682e0c8f1ed

SHA1
cbb46156e7cb293817113dfb77bdb9d13f737fc8

SHA256
77b7d2849e49df1fd6bbbe030317ee8954baef7ed00860c0b0c729fccd748f63

SHA512
9b82ce06eef3fb4ac1985f6528a96e2f9f386529948ef33a5c649501a5612b941230408cf0f8727d8f6c659eaf3dbaca206956d7d2cfe32eda1dbdecb10b4d4a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
2KB

MD5
c45a645e11900e798729785b77bf4bb7

SHA1
6741ba36b5fc34a2a1a118bb977723578f252034

SHA256
329b547679909d3d2bc481f3101f261911d9cf7dcfc3bce224479b31a576456e

SHA512
32eba7f627e833968ee011281d05b2a769d53db7c00c45dd39717e2e64f3d5474877dd9372bbd2652aaed827d887129c32980eadd18b2c47c3bd8f67b59d1333

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
2KB

MD5
88d8905352133b581ccc0ed193856bc4

SHA1
d896cf8e5391f28b8a8c27e8feeaffe41eefb8e3

SHA256
ebee66d72b0bf4e464c93f941a0c0a9aa2137e4571f15c9be89104a83e1d54c1

SHA512
2d76ddd59d8a4695d57c25a821379d441b6761fdd637ad9226a5ec7ed03814a6d6e7634c77dc31f28fdec3258ca6e642fe4545b1e9a5cf2837d8618ada9ad86e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
2KB

MD5
989ba7edc43b500e15f2b916ce5a99fd

SHA1
94a2f7e685eef114971aeef618a6a9dd227fbc91

SHA256
81711ebad6d16b9f2c2754dacc2c4fb99039a359d2b584d398fc4886905adabb

SHA512
003b87c3685f4632f499724dab2a4ba55359347df4c141646d02c321a50c5a374efd45551c00a2a3d0f3b109c17c046d17681a649766a9a6f3f464544b34cb53

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
2KB

MD5
e23159b24a04457ca9bfa36085f7ae2d

SHA1
802093d1131bfe5b2d688f52f1e867818185e2a0

SHA256
533463270189f80ab8d673ded5d2a6f0797d975356352b3372091214435cf6dd

SHA512
6cdb86956191f0a99a28173e1b794608ca51cade8356e5ce9d57afd7590c0e226843dee2998c3db5fd58bd5a49fa3a2b67e44d0897f98631da7e9bf331ec9047

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
2KB

MD5
43607b34727d4093b3c56b8e39a4b4e9

SHA1
7bfcefe644fef5441f31b73a5f37314cb3cf5771

SHA256
8abf1b466d3e919b2426cb5090fac38b63b623d072579e819d838d563ebe5ada

SHA512
f59087702875bc2ff49d2593360440c9ec7383ad04ab58a496fdf59664305a39ec6e6068676e2a6e9f69bfaa6966c070e45a366a1215f140b2161c4b2cf6e150

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
136B

MD5
276579eaeacf363c5e1d003c4b310409

SHA1
d362d323c98f01a4c373e10fa4e3366c071e611b

SHA256
55977472091168aea3b17c03c921e45954134720491fcd10bfee836a1da563cb

SHA512
eebf3759acdc8e0923fbf72a0ae05fef890050b21cdea73cd04bb4fcbf8b8a88ce1dccd1d500b12bf8991804af3eff9c16ef4e6fb62cb5c80c42e63d5402fb33

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
2KB

MD5
e80135180462862810164b49163707b2

SHA1
69fcb50c03fad47fc4951eaf654bd4853641a37f

SHA256
312b0b5a5c337c4c99b0a509e07a50a7d5d3f1d3993d29fc949af590a58f4c9a

SHA512
b89d3844d24a942a612947ab9a65a30d874a10ee6fe4b44a058c6bdd3d95d8aef3a439a3a960977f0031838b2a1b47698904147534953eb758ce4f832373e67b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
2KB

MD5
cc7ffe2b1da3d28e1a8a1f23ca25ac81

SHA1
abd2654bf25b47465b977468430fb801f8429067

SHA256
15034684519e2d03cfbf284c44d54e9d55bf1b35fe51b49cb2060d0ad39c076c

SHA512
5f9b52ad229d08c9a94af26849223725a90b6969b3d95baa402da9865e7e464f106da7d3301eef70ed895a01f1f1f5b826dae79d7d1719d0a19e6203a23611de

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
2KB

MD5
69fdb810bf95d5f6df1cbf743b4998d4

SHA1
09db709797a97223f62a2fab39a8268265df4669

SHA256
fb0af8c5b01041e841891a78bfab1583dfb94dc59f6817e2bc5d370e769cf972

SHA512
6e78dc2197a363de12e6a436d6ab3905ac9ff380534aeacb7b3b6a0a89b2434080b0b772a323ad254c9488c514bb329e969d43d366b5872f4dfd32ba3bb63076

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
2KB

MD5
81ad8eb93f1efe12adcb014675f3a03a

SHA1
c72c1b2a4948ce7631117176e2a126fa139fef05

SHA256
60cb94e2c41039f643ddfaf12babb62ff01f6194e4ba61f882f5384296ac5d26

SHA512
f77b8f1b2e3ef66d4ba8ce8622b7593cf281e14004a664c1ba1d55a116cc811e0088321aff9c4478bfa314b670a72962bed5ef31e016d94e13a682e9f43d9fbf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
2KB

MD5
f2439add080938600be83763b57822f4

SHA1
056c3b1a84de10e2ba3a1c3e6a635f098f2a07c5

SHA256
d3de2f4eb66fa79e9d091fbee9df359e1eba5723c7d1bb9532af5c515861e0ad

SHA512
d0ffbfe8e2e19f51b56503e744d6eda5b15e1538a93a61ff0ad92c1c67522ada495f03e336852781de89832df5b933bacaca305d87b66de1472dda36a53c07a2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
254B

MD5
26bdb55a0abfa930e1d12a27f17fd19b

SHA1
80d4043a229c1f0581790126e5d25d6d70db202b

SHA256
9377b2cea0e58c28caf60b36642a4bc104cab18fbb14f7d0c3208cb9a70d66fe

SHA512
a4949470fc5396c7d86d08668e7ff87b9426ae58d276db8f33c9e05eab55d06014cfc068399cc21745a0edc9920e4eed48bef6ad1c92e7d9d5c898fdb2b22e22

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_gucbtndc.2os.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Spelling\en-US\default.dic

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\AppData\Roaming\Ultimate Tweaks\Network\Network Persistent State

Filesize
849B

MD5
0fe47c9f2c9770d1fa187f1559f1c3c9

SHA1
bd5d8eb135a78fa7fe92c9ceca52ca2548c9083d

SHA256
7dde3df1894fb39f779e968c3476ebb9395813382f0df1f489cd6e58cadc7540

SHA512
1dbe2f3e359ff3b2fc61543e8be7691a9b038de2390d4c46dffa7ffb52265bfb3ddc7af2ce35ad77c616f7e491130640f7d1871f107e0010979d4a248b33a2fd

Download Submit
C:\Users\Admin\AppData\Roaming\Ultimate Tweaks\Network\Network Persistent State~RFe58d164.TMP

Filesize
59B

MD5
2800881c775077e1c4b6e06bf4676de4

SHA1
2873631068c8b3b9495638c865915be822442c8b

SHA256
226eec4486509917aa336afebd6ff65777b75b65f1fb06891d2a857a9421a974

SHA512
e342407ab65cc68f1b3fd706cd0a37680a0864ffd30a6539730180ede2cdcd732cc97ae0b9ef7db12da5c0f83e429df0840dbf7596aca859a0301665e517377b

Download Submit
C:\Users\Admin\AppData\Roaming\Ultimate Tweaks\Preferences

Filesize
57B

MD5
58127c59cb9e1da127904c341d15372b

SHA1
62445484661d8036ce9788baeaba31d204e9a5fc

SHA256
be4b8924ab38e8acf350e6e3b9f1f63a1a94952d8002759acd6946c4d5d0b5de

SHA512
8d1815b277a93ad590ff79b6f52c576cf920c38c4353c24193f707d66884c942f39ff3989530055d2fade540ade243b41b6eb03cd0cc361c3b5d514cca28b50a

Download Submit
C:\Users\Admin\AppData\Roaming\Ultimate Tweaks\Preferences~RFe57e4c2.TMP

Filesize
86B

MD5
d11dedf80b85d8d9be3fec6bb292f64b

SHA1
aab8783454819cd66ddf7871e887abdba138aef3

SHA256
8029940de92ae596278912bbbd6387d65f4e849d3c136287a1233f525d189c67

SHA512
6b7ec1ca5189124e0d136f561ca7f12a4653633e2d9452d290e658dfe545acf6600cc9496794757a43f95c91705e9549ef681d4cc9e035738b03a18bdc2e25f0

Download Submit
C:\Users\Admin\AppData\Roaming\Ultimate Tweaks\logs\main.log

Filesize
4KB

MD5
0bd511df2b2e9efdfe9e13c13cf9c767

SHA1
15ff6afe79bfa4aad388ebc4a3e1275698c5276f

SHA256
cca8c8f0bfae6a7e74dbd9fb80ddd4697fb6a903fbe379e923bd5a9eb107cdd3

SHA512
8bc4f8ea898e13aa7f0af2e9e4af5ba335fe9a5ec4da905b517449be4d098ddeb3fa6e8097d879305bd29063e1c1cf9a297a0dc81fc78f9e6f6b6d1b6a5de75f

Download Submit
memory/2396-92-0x000001E2358D0000-0x000001E2358F4000-memory.dmp

Filesize
144KB

Download
memory/2396-91-0x000001E2358D0000-0x000001E2358FA000-memory.dmp

Filesize
168KB

Download
memory/2396-87-0x000001E235880000-0x000001E2358C4000-memory.dmp

Filesize
272KB

Download
memory/2396-77-0x000001E21D2B0000-0x000001E21D2D2000-memory.dmp

Filesize
136KB

Download
memory/3468-909-0x000001CDFAF30000-0x000001CDFAF31000-memory.dmp

Filesize
4KB

Download
memory/3468-916-0x000001CDFAF30000-0x000001CDFAF31000-memory.dmp

Filesize
4KB

Download
memory/3468-915-0x000001CDFAF30000-0x000001CDFAF31000-memory.dmp

Filesize
4KB

Download
memory/3468-914-0x000001CDFAF30000-0x000001CDFAF31000-memory.dmp

Filesize
4KB

Download
memory/3468-917-0x000001CDFAF30000-0x000001CDFAF31000-memory.dmp

Filesize
4KB

Download
memory/3468-918-0x000001CDFAF30000-0x000001CDFAF31000-memory.dmp

Filesize
4KB

Download
memory/3468-919-0x000001CDFAF30000-0x000001CDFAF31000-memory.dmp

Filesize
4KB

Download
memory/3468-913-0x000001CDFAF30000-0x000001CDFAF31000-memory.dmp

Filesize
4KB

Download
memory/3468-907-0x000001CDFAF30000-0x000001CDFAF31000-memory.dmp

Filesize
4KB

Download
memory/3468-908-0x000001CDFAF30000-0x000001CDFAF31000-memory.dmp

Filesize
4KB

Download
memory/4336-88-0x00000173F2DD0000-0x00000173F2E46000-memory.dmp

Filesize
472KB

Download