4b9e4bbd675a45f1a99d54bff55576ba3c6d79ab76ea30e143d89fc1543e8580

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
20-11-2024 06:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Files/Apps/ps7.bat
Size

1KB
MD5

b83b3e4786261c97aceb379ab170e81d
SHA1

96d92ee43eac3e67ad6959b6f66012dcc51fd992
SHA256

5741408cf05b802d5a67eab4ed0ec9cdf965b0fa718187eb3d72376b47dadb1c
SHA512

d8bcab23933d4fdbd67089349861a5c95ff4ed2a823c647e647d5c8dc853d44e5a9d48d339937d11a3dcc3d5233f2b88fc2144733d1467eb528c6b63b85dcf63

Score

10^/10

dropper execution

Malware Config

Extracted

Language

ps1

Source

URLs

ps1.dropper

https://chocolatey.org/install.ps1

Signatures

Blocklisted process makes network request 37 IoCs

Processes:

flow	pid	process
23	5040	powershell.exe
26	5040	powershell.exe
29	5040	powershell.exe
42	1268	powershell.exe
43	1268	powershell.exe
52	2516	powershell.exe
53	2516	powershell.exe
54	1932	powershell.exe
55	1932	powershell.exe
56	5040	powershell.exe
57	5040	powershell.exe
58	4360	powershell.exe
59	4360	powershell.exe
63	2588	powershell.exe
64	2588	powershell.exe
65	3252	powershell.exe
66	3252	powershell.exe
67	4992	powershell.exe
68	4992	powershell.exe
73	4876	powershell.exe
74	4876	powershell.exe
76	1100	powershell.exe
77	1100	powershell.exe
78	3176	powershell.exe
79	3176	powershell.exe
80	4844	powershell.exe
81	4844	powershell.exe
82	4408	powershell.exe
83	4408	powershell.exe
84	3496	powershell.exe
85	3496	powershell.exe
86	4568	powershell.exe
87	4568	powershell.exe
88	3636	powershell.exe
89	3636	powershell.exe
90	1976	powershell.exe
91	1976	powershell.exe

Download via BitsAdmin 1 TTPs 36 IoCs

dropper

BITS Jobs

T1197

Processes:

bitsadmin.exebitsadmin.exebitsadmin.exebitsadmin.exebitsadmin.exebitsadmin.exebitsadmin.exebitsadmin.exebitsadmin.exebitsadmin.exebitsadmin.exebitsadmin.exebitsadmin.exebitsadmin.exebitsadmin.exebitsadmin.exebitsadmin.exebitsadmin.exebitsadmin.exebitsadmin.exebitsadmin.exebitsadmin.exebitsadmin.exebitsadmin.exebitsadmin.exebitsadmin.exebitsadmin.exebitsadmin.exebitsadmin.exebitsadmin.exebitsadmin.exebitsadmin.exebitsadmin.exebitsadmin.exebitsadmin.exebitsadmin.exe

pid	process
3928	bitsadmin.exe
2888	bitsadmin.exe
980	bitsadmin.exe
4312	bitsadmin.exe
1196	bitsadmin.exe
4364	bitsadmin.exe
4764	bitsadmin.exe
1512	bitsadmin.exe
4064	bitsadmin.exe
1004	bitsadmin.exe
4776	bitsadmin.exe
1616	bitsadmin.exe
4380	bitsadmin.exe
1464	bitsadmin.exe
2688	bitsadmin.exe
2012	bitsadmin.exe
1352	bitsadmin.exe
180	bitsadmin.exe
2012	bitsadmin.exe
368	bitsadmin.exe
4012	bitsadmin.exe
3868	bitsadmin.exe
3376	bitsadmin.exe
4996	bitsadmin.exe
1984	bitsadmin.exe
1636	bitsadmin.exe
1032	bitsadmin.exe
2660	bitsadmin.exe
3888	bitsadmin.exe
4348	bitsadmin.exe
3388	bitsadmin.exe
2540	bitsadmin.exe
2320	bitsadmin.exe
1536	bitsadmin.exe
4836	bitsadmin.exe
2256	bitsadmin.exe

Executes dropped EXE 1 IoCs

Processes:

choco.exe

pid process

3176 choco.exe

pid	process
3176	choco.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 35 IoCs

Start PowerShell.

execution

PowerShell

T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	process
3996	powershell.exe
212	powershell.exe
1588	powershell.exe
4904	powershell.exe
3996	powershell.exe
2012	powershell.exe
3608	powershell.exe
1908	powershell.exe
3060	powershell.exe
4892	powershell.exe
3268	powershell.exe
1156	powershell.exe
3392	powershell.exe
376	powershell.exe
1708	powershell.exe
2364	powershell.exe
2908	powershell.exe
3176	powershell.exe
4844	powershell.exe
4876	powershell.exe
1100	powershell.exe
1268	powershell.exe
2588	powershell.exe
3252	powershell.exe
4992	powershell.exe
5040	powershell.exe
5040	powershell.exe
4360	powershell.exe
3636	powershell.exe
4568	powershell.exe
1976	powershell.exe
2516	powershell.exe
1932	powershell.exe
4408	powershell.exe
3496	powershell.exe

Drops file in Windows directory 54 IoCs

Processes:

wusa.exewusa.exewusa.exewusa.exewusa.exewusa.exewusa.exewusa.exewusa.exewusa.exewusa.exewusa.exewusa.exewusa.exewusa.exewusa.exewusa.exewusa.exe

description	ioc	process
File opened for modification	C:\Windows\LOGS\DPX\setuperr.log	wusa.exe
File created	C:\Windows\wusa.lock	wusa.exe
File opened for modification	C:\Windows\LOGS\DPX\setupact.log	wusa.exe
File created	C:\Windows\wusa.lock	wusa.exe
File opened for modification	C:\Windows\LOGS\DPX\setupact.log	wusa.exe
File opened for modification	C:\Windows\LOGS\DPX\setuperr.log	wusa.exe
File opened for modification	C:\Windows\LOGS\DPX\setupact.log	wusa.exe
File created	C:\Windows\wusa.lock	wusa.exe
File opened for modification	C:\Windows\LOGS\DPX\setupact.log	wusa.exe
File opened for modification	C:\Windows\LOGS\DPX\setuperr.log	wusa.exe
File opened for modification	C:\Windows\LOGS\DPX\setupact.log	wusa.exe
File opened for modification	C:\Windows\LOGS\DPX\setupact.log	wusa.exe
File opened for modification	C:\Windows\LOGS\DPX\setuperr.log	wusa.exe
File created	C:\Windows\wusa.lock	wusa.exe
File opened for modification	C:\Windows\LOGS\DPX\setupact.log	wusa.exe
File created	C:\Windows\wusa.lock	wusa.exe
File created	C:\Windows\wusa.lock	wusa.exe
File opened for modification	C:\Windows\LOGS\DPX\setupact.log	wusa.exe
File opened for modification	C:\Windows\LOGS\DPX\setuperr.log	wusa.exe
File created	C:\Windows\wusa.lock	wusa.exe
File opened for modification	C:\Windows\LOGS\DPX\setuperr.log	wusa.exe
File opened for modification	C:\Windows\LOGS\DPX\setupact.log	wusa.exe
File opened for modification	C:\Windows\LOGS\DPX\setuperr.log	wusa.exe
File opened for modification	C:\Windows\LOGS\DPX\setuperr.log	wusa.exe
File created	C:\Windows\wusa.lock	wusa.exe
File opened for modification	C:\Windows\LOGS\DPX\setuperr.log	wusa.exe
File opened for modification	C:\Windows\LOGS\DPX\setupact.log	wusa.exe
File created	C:\Windows\wusa.lock	wusa.exe
File opened for modification	C:\Windows\LOGS\DPX\setupact.log	wusa.exe
File created	C:\Windows\wusa.lock	wusa.exe
File opened for modification	C:\Windows\LOGS\DPX\setupact.log	wusa.exe
File opened for modification	C:\Windows\LOGS\DPX\setuperr.log	wusa.exe
File opened for modification	C:\Windows\LOGS\DPX\setupact.log	wusa.exe
File created	C:\Windows\wusa.lock	wusa.exe
File opened for modification	C:\Windows\LOGS\DPX\setupact.log	wusa.exe
File created	C:\Windows\wusa.lock	wusa.exe
File opened for modification	C:\Windows\LOGS\DPX\setuperr.log	wusa.exe
File created	C:\Windows\wusa.lock	wusa.exe
File created	C:\Windows\wusa.lock	wusa.exe
File opened for modification	C:\Windows\LOGS\DPX\setuperr.log	wusa.exe
File opened for modification	C:\Windows\LOGS\DPX\setupact.log	wusa.exe
File opened for modification	C:\Windows\LOGS\DPX\setuperr.log	wusa.exe
File opened for modification	C:\Windows\LOGS\DPX\setuperr.log	wusa.exe
File opened for modification	C:\Windows\LOGS\DPX\setuperr.log	wusa.exe
File created	C:\Windows\wusa.lock	wusa.exe
File opened for modification	C:\Windows\LOGS\DPX\setupact.log	wusa.exe
File opened for modification	C:\Windows\LOGS\DPX\setupact.log	wusa.exe
File created	C:\Windows\wusa.lock	wusa.exe
File opened for modification	C:\Windows\LOGS\DPX\setuperr.log	wusa.exe
File opened for modification	C:\Windows\LOGS\DPX\setuperr.log	wusa.exe
File created	C:\Windows\wusa.lock	wusa.exe
File opened for modification	C:\Windows\LOGS\DPX\setupact.log	wusa.exe
File opened for modification	C:\Windows\LOGS\DPX\setuperr.log	wusa.exe
File created	C:\Windows\wusa.lock	wusa.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Delays execution with timeout.exe 18 IoCs

evasion

Processes:

timeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exe

pid	process
404	timeout.exe
5084	timeout.exe
3652	timeout.exe
4240	timeout.exe
3612	timeout.exe
4760	timeout.exe
4340	timeout.exe
5012	timeout.exe
3948	timeout.exe
1736	timeout.exe
5004	timeout.exe
3608	timeout.exe
1472	timeout.exe
2488	timeout.exe
4424	timeout.exe
1820	timeout.exe
2096	timeout.exe
3172	timeout.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

pid	process
5040	powershell.exe
5040	powershell.exe
3392	powershell.exe
3392	powershell.exe
1268	powershell.exe
1268	powershell.exe
1588	powershell.exe
1588	powershell.exe
2516	powershell.exe
2516	powershell.exe
3060	powershell.exe
3060	powershell.exe
1932	powershell.exe
1932	powershell.exe
1708	powershell.exe
1708	powershell.exe
5040	powershell.exe
5040	powershell.exe
4904	powershell.exe
4904	powershell.exe
4360	powershell.exe
4360	powershell.exe
2364	powershell.exe
2364	powershell.exe
2588	powershell.exe
2588	powershell.exe
3996	powershell.exe
3996	powershell.exe
3252	powershell.exe
3252	powershell.exe
4892	powershell.exe
4892	powershell.exe
4992	powershell.exe
4992	powershell.exe
3268	powershell.exe
3268	powershell.exe
4876	powershell.exe
4876	powershell.exe
2012	powershell.exe
2012	powershell.exe
1100	powershell.exe
1100	powershell.exe
376	powershell.exe
376	powershell.exe
3176	powershell.exe
3176	powershell.exe
3608	powershell.exe
3608	powershell.exe
4844	powershell.exe
4844	powershell.exe
1156	powershell.exe
1156	powershell.exe
4408	powershell.exe
4408	powershell.exe
3496	powershell.exe
3496	powershell.exe
3996	powershell.exe
3996	powershell.exe
4568	powershell.exe
4568	powershell.exe
212	powershell.exe
212	powershell.exe
3636	powershell.exe
3636	powershell.exe

Suspicious use of AdjustPrivilegeToken 42 IoCs

Processes:

description	pid	process
Token: SeDebugPrivilege	5040	powershell.exe
Token: SeBackupPrivilege	5040	powershell.exe
Token: SeBackupPrivilege	5040	powershell.exe
Token: SeRestorePrivilege	5040	powershell.exe
Token: SeSecurityPrivilege	5040	powershell.exe
Token: SeBackupPrivilege	5040	powershell.exe
Token: SeBackupPrivilege	5040	powershell.exe
Token: SeRestorePrivilege	5040	powershell.exe
Token: SeSecurityPrivilege	5040	powershell.exe
Token: SeDebugPrivilege	3392	powershell.exe
Token: SeDebugPrivilege	1268	powershell.exe
Token: SeDebugPrivilege	1588	powershell.exe
Token: SeDebugPrivilege	2516	powershell.exe
Token: SeDebugPrivilege	3060	powershell.exe
Token: SeDebugPrivilege	1932	powershell.exe
Token: SeDebugPrivilege	1708	powershell.exe
Token: SeDebugPrivilege	5040	powershell.exe
Token: SeDebugPrivilege	4904	powershell.exe
Token: SeDebugPrivilege	4360	powershell.exe
Token: SeDebugPrivilege	2364	powershell.exe
Token: SeDebugPrivilege	2588	powershell.exe
Token: SeDebugPrivilege	3996	powershell.exe
Token: SeDebugPrivilege	3252	powershell.exe
Token: SeDebugPrivilege	4892	powershell.exe
Token: SeDebugPrivilege	4992	powershell.exe
Token: SeDebugPrivilege	3268	powershell.exe
Token: SeDebugPrivilege	4876	powershell.exe
Token: SeDebugPrivilege	2012	powershell.exe
Token: SeDebugPrivilege	1100	powershell.exe
Token: SeDebugPrivilege	376	powershell.exe
Token: SeDebugPrivilege	3176	powershell.exe
Token: SeDebugPrivilege	3608	powershell.exe
Token: SeDebugPrivilege	4844	powershell.exe
Token: SeDebugPrivilege	1156	powershell.exe
Token: SeDebugPrivilege	4408	powershell.exe
Token: SeDebugPrivilege	3496	powershell.exe
Token: SeDebugPrivilege	3996	powershell.exe
Token: SeDebugPrivilege	4568	powershell.exe
Token: SeDebugPrivilege	212	powershell.exe
Token: SeDebugPrivilege	3636	powershell.exe
Token: SeDebugPrivilege	2908	powershell.exe
Token: SeDebugPrivilege	1976	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

cmd.execmd.exepowershell.exepowershell.execmd.execmd.exepowershell.execmd.execmd.exe

description	pid	process	target process
PID 4956 wrote to memory of 1848	4956	cmd.exe	cmd.exe
PID 4956 wrote to memory of 1848	4956	cmd.exe	cmd.exe
PID 4956 wrote to memory of 1888	4956	cmd.exe	cmd.exe
PID 4956 wrote to memory of 1888	4956	cmd.exe	cmd.exe
PID 1888 wrote to memory of 784	1888	cmd.exe	chcp.com
PID 1888 wrote to memory of 784	1888	cmd.exe	chcp.com
PID 4956 wrote to memory of 8	4956	cmd.exe	chcp.com
PID 4956 wrote to memory of 8	4956	cmd.exe	chcp.com
PID 4956 wrote to memory of 4992	4956	cmd.exe	chcp.com
PID 4956 wrote to memory of 4992	4956	cmd.exe	chcp.com
PID 4956 wrote to memory of 2012	4956	cmd.exe	bitsadmin.exe
PID 4956 wrote to memory of 2012	4956	cmd.exe	bitsadmin.exe
PID 4956 wrote to memory of 4764	4956	cmd.exe	bitsadmin.exe
PID 4956 wrote to memory of 4764	4956	cmd.exe	bitsadmin.exe
PID 4956 wrote to memory of 752	4956	cmd.exe	wusa.exe
PID 4956 wrote to memory of 752	4956	cmd.exe	wusa.exe
PID 4956 wrote to memory of 5040	4956	cmd.exe	powershell.exe
PID 4956 wrote to memory of 5040	4956	cmd.exe	powershell.exe
PID 5040 wrote to memory of 876	5040	powershell.exe	setx.exe
PID 5040 wrote to memory of 876	5040	powershell.exe	setx.exe
PID 5040 wrote to memory of 1276	5040	powershell.exe	setx.exe
PID 5040 wrote to memory of 1276	5040	powershell.exe	setx.exe
PID 5040 wrote to memory of 1564	5040	powershell.exe	setx.exe
PID 5040 wrote to memory of 1564	5040	powershell.exe	setx.exe
PID 5040 wrote to memory of 2024	5040	powershell.exe	setx.exe
PID 5040 wrote to memory of 2024	5040	powershell.exe	setx.exe
PID 5040 wrote to memory of 3176	5040	powershell.exe	choco.exe
PID 5040 wrote to memory of 3176	5040	powershell.exe	choco.exe
PID 5040 wrote to memory of 3176	5040	powershell.exe	choco.exe
PID 4956 wrote to memory of 3652	4956	cmd.exe	timeout.exe
PID 4956 wrote to memory of 3652	4956	cmd.exe	timeout.exe
PID 4956 wrote to memory of 3392	4956	cmd.exe	powershell.exe
PID 4956 wrote to memory of 3392	4956	cmd.exe	powershell.exe
PID 3392 wrote to memory of 720	3392	powershell.exe	cmd.exe
PID 3392 wrote to memory of 720	3392	powershell.exe	cmd.exe
PID 720 wrote to memory of 2728	720	cmd.exe	cmd.exe
PID 720 wrote to memory of 2728	720	cmd.exe	cmd.exe
PID 720 wrote to memory of 4788	720	cmd.exe	cmd.exe
PID 720 wrote to memory of 4788	720	cmd.exe	cmd.exe
PID 4788 wrote to memory of 1388	4788	cmd.exe	chcp.com
PID 4788 wrote to memory of 1388	4788	cmd.exe	chcp.com
PID 720 wrote to memory of 2472	720	cmd.exe	chcp.com
PID 720 wrote to memory of 2472	720	cmd.exe	chcp.com
PID 720 wrote to memory of 2184	720	cmd.exe	chcp.com
PID 720 wrote to memory of 2184	720	cmd.exe	chcp.com
PID 720 wrote to memory of 1616	720	cmd.exe	bitsadmin.exe
PID 720 wrote to memory of 1616	720	cmd.exe	bitsadmin.exe
PID 720 wrote to memory of 2256	720	cmd.exe	bitsadmin.exe
PID 720 wrote to memory of 2256	720	cmd.exe	bitsadmin.exe
PID 720 wrote to memory of 904	720	cmd.exe	wusa.exe
PID 720 wrote to memory of 904	720	cmd.exe	wusa.exe
PID 720 wrote to memory of 1268	720	cmd.exe	powershell.exe
PID 720 wrote to memory of 1268	720	cmd.exe	powershell.exe
PID 720 wrote to memory of 5012	720	cmd.exe	timeout.exe
PID 720 wrote to memory of 5012	720	cmd.exe	timeout.exe
PID 720 wrote to memory of 1588	720	cmd.exe	powershell.exe
PID 720 wrote to memory of 1588	720	cmd.exe	powershell.exe
PID 1588 wrote to memory of 4100	1588	powershell.exe	cmd.exe
PID 1588 wrote to memory of 4100	1588	powershell.exe	cmd.exe
PID 4100 wrote to memory of 4800	4100	cmd.exe	cmd.exe
PID 4100 wrote to memory of 4800	4100	cmd.exe	cmd.exe
PID 4100 wrote to memory of 4992	4100	cmd.exe	cmd.exe
PID 4100 wrote to memory of 4992	4100	cmd.exe	cmd.exe
PID 4992 wrote to memory of 8	4992	cmd.exe	chcp.com

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\Apps\ps7.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:4956
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ver
  2⤵
  PID:1848
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c chcp
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1888
- - C:\Windows\system32\chcp.com
    chcp
    3⤵
    PID:784
- C:\Windows\system32\chcp.com
  chcp 65001
  2⤵
  PID:8
- C:\Windows\system32\chcp.com
  chcp 437
  2⤵
  PID:4992
- C:\Windows\system32\bitsadmin.exe
  bitsadmin /transfer netframework https://download.visualstudio.microsoft.com/download/pr/10461429/AC101D64-D9E4-4894-85D2-79ED020E6B7C/NDP462-KB3151800-x86-x64-AllOS-ENU.exe C:\Users\Admin\AppData\Local\Temp\NDP462-KB3151800-x86-x64-AllOS-ENU.exe
  2⤵
  - Download via BitsAdmin
  PID:2012
- C:\Windows\system32\bitsadmin.exe
  bitsadmin /transfer wmf51 https://download.microsoft.com/download/1/C/C/1CC238B2-91F2-40EF-AB03-A0D973326712/Win7AndW2K8R2-KB3191566-x64.msu C:\Users\Admin\AppData\Local\Temp\Win7AndW2K8R2-KB3191566-x64.msu
  2⤵
  - Download via BitsAdmin
  PID:4764
- C:\Windows\system32\wusa.exe
  wusa C:\Users\Admin\AppData\Local\Temp\Win7AndW2K8R2-KB3191566-x64.msu /quiet /norestart
  2⤵
  - Drops file in Windows directory
  PID:752
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -NoProfile -ExecutionPolicy Bypass -Command "Set-ExecutionPolicy Bypass -Scope Process -Force; [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072; iex ((New-Object System.Net.WebClient).DownloadString('https://chocolatey.org/install.ps1'))"
  2⤵
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:5040
- - C:\Windows\System32\setx.exe
    "C:\Windows\System32\setx.exe" ChocolateyLastPathUpdate 133765573400747961
    3⤵
    PID:876
- - C:\Windows\System32\setx.exe
    "C:\Windows\System32\setx.exe" ChocolateyLastPathUpdate 133765573402154291
    3⤵
    PID:1276
- - C:\Windows\System32\setx.exe
    "C:\Windows\System32\setx.exe" ChocolateyLastPathUpdate 133765573403404516
    3⤵
    PID:1564
- - C:\Windows\System32\setx.exe
    "C:\Windows\System32\setx.exe" ChocolateyLastPathUpdate 133765573418404512
    3⤵
    PID:2024
- - C:\ProgramData\chocolatey\choco.exe
    "C:\ProgramData\chocolatey\choco.exe" -v
    3⤵
    - Executes dropped EXE
    PID:3176
- C:\Windows\system32\timeout.exe
  timeout /t 3
  2⤵
  - Delays execution with timeout.exe
  PID:3652
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  PowerShell -Command "Start-Process 'C:\Users\Admin\AppData\Local\Temp\Files\Apps\ps7.bat'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3392
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Files\Apps\ps7.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:720
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ver
      4⤵
      PID:2728
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c chcp
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4788
    - - C:\Windows\system32\chcp.com
        
        chcp
        5⤵
        
        PID:1388
  - - C:\Windows\system32\chcp.com
      chcp 65001
      4⤵
      PID:2472
  - - C:\Windows\system32\chcp.com
      chcp 437
      4⤵
      PID:2184
  - - C:\Windows\system32\bitsadmin.exe
      bitsadmin /transfer netframework https://download.visualstudio.microsoft.com/download/pr/10461429/AC101D64-D9E4-4894-85D2-79ED020E6B7C/NDP462-KB3151800-x86-x64-AllOS-ENU.exe C:\Users\Admin\AppData\Local\Temp\NDP462-KB3151800-x86-x64-AllOS-ENU.exe
      4⤵
      Download via BitsAdmin
      PID:1616
  - - C:\Windows\system32\bitsadmin.exe
      bitsadmin /transfer wmf51 https://download.microsoft.com/download/1/C/C/1CC238B2-91F2-40EF-AB03-A0D973326712/Win7AndW2K8R2-KB3191566-x64.msu C:\Users\Admin\AppData\Local\Temp\Win7AndW2K8R2-KB3191566-x64.msu
      4⤵
      Download via BitsAdmin
      PID:2256
  - - C:\Windows\system32\wusa.exe
      wusa C:\Users\Admin\AppData\Local\Temp\Win7AndW2K8R2-KB3191566-x64.msu /quiet /norestart
      4⤵
      Drops file in Windows directory
      PID:904
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -NoProfile -ExecutionPolicy Bypass -Command "Set-ExecutionPolicy Bypass -Scope Process -Force; [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072; iex ((New-Object System.Net.WebClient).DownloadString('https://chocolatey.org/install.ps1'))"
      4⤵
      Blocklisted process makes network request
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1268
  - - C:\Windows\system32\timeout.exe
      timeout /t 3
      4⤵
      Delays execution with timeout.exe
      PID:5012
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      PowerShell -Command "Start-Process 'C:\Users\Admin\AppData\Local\Temp\Files\Apps\ps7.bat'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1588
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Files\Apps\ps7.bat" "
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:4100
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ver
        6⤵
        
        PID:4800
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c chcp
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:4992
        
        C:\Windows\system32\chcp.com
        
        chcp
        7⤵
        
        PID:8
      - C:\Windows\system32\chcp.com
        
        chcp 65001
        6⤵
        
        PID:784
      - C:\Windows\system32\chcp.com
        
        chcp 437
        6⤵
        
        PID:4304
      - C:\Windows\system32\bitsadmin.exe
        
        bitsadmin /transfer netframework https://download.visualstudio.microsoft.com/download/pr/10461429/AC101D64-D9E4-4894-85D2-79ED020E6B7C/NDP462-KB3151800-x86-x64-AllOS-ENU.exe C:\Users\Admin\AppData\Local\Temp\NDP462-KB3151800-x86-x64-AllOS-ENU.exe
        6⤵
        Download via BitsAdmin
        
        PID:2320
      - C:\Windows\system32\bitsadmin.exe
        
        bitsadmin /transfer wmf51 https://download.microsoft.com/download/1/C/C/1CC238B2-91F2-40EF-AB03-A0D973326712/Win7AndW2K8R2-KB3191566-x64.msu C:\Users\Admin\AppData\Local\Temp\Win7AndW2K8R2-KB3191566-x64.msu
        6⤵
        Download via BitsAdmin
        
        PID:1512
      - C:\Windows\system32\wusa.exe
        
        wusa C:\Users\Admin\AppData\Local\Temp\Win7AndW2K8R2-KB3191566-x64.msu /quiet /norestart
        6⤵
        Drops file in Windows directory
        
        PID:3564
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -NoProfile -ExecutionPolicy Bypass -Command "Set-ExecutionPolicy Bypass -Scope Process -Force; [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072; iex ((New-Object System.Net.WebClient).DownloadString('https://chocolatey.org/install.ps1'))"
        6⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2516
      - C:\Windows\system32\timeout.exe
        
        timeout /t 3
        6⤵
        Delays execution with timeout.exe
        
        PID:3948
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        PowerShell -Command "Start-Process 'C:\Users\Admin\AppData\Local\Temp\Files\Apps\ps7.bat'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3060
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Files\Apps\ps7.bat" "
        7⤵
        
        PID:4456
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ver
        8⤵
        
        PID:5032
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c chcp
        8⤵
        
        PID:1828
        
        C:\Windows\system32\chcp.com
        
        chcp
        9⤵
        
        PID:876
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        8⤵
        
        PID:3420
        
        C:\Windows\system32\chcp.com
        
        chcp 437
        8⤵
        
        PID:3152
        
        C:\Windows\system32\bitsadmin.exe
        
        bitsadmin /transfer netframework https://download.visualstudio.microsoft.com/download/pr/10461429/AC101D64-D9E4-4894-85D2-79ED020E6B7C/NDP462-KB3151800-x86-x64-AllOS-ENU.exe C:\Users\Admin\AppData\Local\Temp\NDP462-KB3151800-x86-x64-AllOS-ENU.exe
        8⤵
        Download via BitsAdmin
        
        PID:3928
        
        C:\Windows\system32\bitsadmin.exe
        
        bitsadmin /transfer wmf51 https://download.microsoft.com/download/1/C/C/1CC238B2-91F2-40EF-AB03-A0D973326712/Win7AndW2K8R2-KB3191566-x64.msu C:\Users\Admin\AppData\Local\Temp\Win7AndW2K8R2-KB3191566-x64.msu
        8⤵
        Download via BitsAdmin
        
        PID:1636
        
        C:\Windows\system32\wusa.exe
        
        wusa C:\Users\Admin\AppData\Local\Temp\Win7AndW2K8R2-KB3191566-x64.msu /quiet /norestart
        8⤵
        Drops file in Windows directory
        
        PID:2396
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -NoProfile -ExecutionPolicy Bypass -Command "Set-ExecutionPolicy Bypass -Scope Process -Force; [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072; iex ((New-Object System.Net.WebClient).DownloadString('https://chocolatey.org/install.ps1'))"
        8⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1932
        
        C:\Windows\system32\timeout.exe
        
        timeout /t 3
        8⤵
        Delays execution with timeout.exe
        
        PID:4240
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        PowerShell -Command "Start-Process 'C:\Users\Admin\AppData\Local\Temp\Files\Apps\ps7.bat'
        8⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1708
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Files\Apps\ps7.bat" "
        9⤵
        
        PID:3844
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ver
        10⤵
        
        PID:3464
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c chcp
        10⤵
        
        PID:3044
        
        C:\Windows\system32\chcp.com
        
        chcp
        11⤵
        
        PID:2524
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        10⤵
        
        PID:816
        
        C:\Windows\system32\chcp.com
        
        chcp 437
        10⤵
        
        PID:3304
        
        C:\Windows\system32\bitsadmin.exe
        
        bitsadmin /transfer netframework https://download.visualstudio.microsoft.com/download/pr/10461429/AC101D64-D9E4-4894-85D2-79ED020E6B7C/NDP462-KB3151800-x86-x64-AllOS-ENU.exe C:\Users\Admin\AppData\Local\Temp\NDP462-KB3151800-x86-x64-AllOS-ENU.exe
        10⤵
        Download via BitsAdmin
        
        PID:4348
        
        C:\Windows\system32\bitsadmin.exe
        
        bitsadmin /transfer wmf51 https://download.microsoft.com/download/1/C/C/1CC238B2-91F2-40EF-AB03-A0D973326712/Win7AndW2K8R2-KB3191566-x64.msu C:\Users\Admin\AppData\Local\Temp\Win7AndW2K8R2-KB3191566-x64.msu
        10⤵
        Download via BitsAdmin
        
        PID:2888
        
        C:\Windows\system32\wusa.exe
        
        wusa C:\Users\Admin\AppData\Local\Temp\Win7AndW2K8R2-KB3191566-x64.msu /quiet /norestart
        10⤵
        Drops file in Windows directory
        
        PID:1396
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -NoProfile -ExecutionPolicy Bypass -Command "Set-ExecutionPolicy Bypass -Scope Process -Force; [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072; iex ((New-Object System.Net.WebClient).DownloadString('https://chocolatey.org/install.ps1'))"
        10⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5040
        
        C:\Windows\system32\timeout.exe
        
        timeout /t 3
        10⤵
        Delays execution with timeout.exe
        
        PID:2488
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        PowerShell -Command "Start-Process 'C:\Users\Admin\AppData\Local\Temp\Files\Apps\ps7.bat'
        10⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4904
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Files\Apps\ps7.bat" "
        11⤵
        
        PID:2164
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ver
        12⤵
        
        PID:2316
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c chcp
        12⤵
        
        PID:3212
        
        C:\Windows\system32\chcp.com
        
        chcp
        13⤵
        
        PID:1852
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        12⤵
        
        PID:2732
        
        C:\Windows\system32\chcp.com
        
        chcp 437
        12⤵
        
        PID:2688
        
        C:\Windows\system32\bitsadmin.exe
        
        bitsadmin /transfer netframework https://download.visualstudio.microsoft.com/download/pr/10461429/AC101D64-D9E4-4894-85D2-79ED020E6B7C/NDP462-KB3151800-x86-x64-AllOS-ENU.exe C:\Users\Admin\AppData\Local\Temp\NDP462-KB3151800-x86-x64-AllOS-ENU.exe
        12⤵
        Download via BitsAdmin
        
        PID:1536
        
        C:\Windows\system32\bitsadmin.exe
        
        bitsadmin /transfer wmf51 https://download.microsoft.com/download/1/C/C/1CC238B2-91F2-40EF-AB03-A0D973326712/Win7AndW2K8R2-KB3191566-x64.msu C:\Users\Admin\AppData\Local\Temp\Win7AndW2K8R2-KB3191566-x64.msu
        12⤵
        Download via BitsAdmin
        
        PID:2540
        
        C:\Windows\system32\wusa.exe
        
        wusa C:\Users\Admin\AppData\Local\Temp\Win7AndW2K8R2-KB3191566-x64.msu /quiet /norestart
        12⤵
        Drops file in Windows directory
        
        PID:1148
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -NoProfile -ExecutionPolicy Bypass -Command "Set-ExecutionPolicy Bypass -Scope Process -Force; [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072; iex ((New-Object System.Net.WebClient).DownloadString('https://chocolatey.org/install.ps1'))"
        12⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4360
        
        C:\Windows\system32\timeout.exe
        
        timeout /t 3
        12⤵
        Delays execution with timeout.exe
        
        PID:4424
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        PowerShell -Command "Start-Process 'C:\Users\Admin\AppData\Local\Temp\Files\Apps\ps7.bat'
        12⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2364
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Files\Apps\ps7.bat" "
        13⤵
        
        PID:864
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ver
        14⤵
        
        PID:1720
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c chcp
        14⤵
        
        PID:4356
        
        C:\Windows\system32\chcp.com
        
        chcp
        15⤵
        
        PID:448
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        14⤵
        
        PID:4432
        
        C:\Windows\system32\chcp.com
        
        chcp 437
        14⤵
        
        PID:3900
        
        C:\Windows\system32\bitsadmin.exe
        
        bitsadmin /transfer netframework https://download.visualstudio.microsoft.com/download/pr/10461429/AC101D64-D9E4-4894-85D2-79ED020E6B7C/NDP462-KB3151800-x86-x64-AllOS-ENU.exe C:\Users\Admin\AppData\Local\Temp\NDP462-KB3151800-x86-x64-AllOS-ENU.exe
        14⤵
        Download via BitsAdmin
        
        PID:4380
        
        C:\Windows\system32\bitsadmin.exe
        
        bitsadmin /transfer wmf51 https://download.microsoft.com/download/1/C/C/1CC238B2-91F2-40EF-AB03-A0D973326712/Win7AndW2K8R2-KB3191566-x64.msu C:\Users\Admin\AppData\Local\Temp\Win7AndW2K8R2-KB3191566-x64.msu
        14⤵
        Download via BitsAdmin
        
        PID:980
        
        C:\Windows\system32\wusa.exe
        
        wusa C:\Users\Admin\AppData\Local\Temp\Win7AndW2K8R2-KB3191566-x64.msu /quiet /norestart
        14⤵
        Drops file in Windows directory
        
        PID:3496
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -NoProfile -ExecutionPolicy Bypass -Command "Set-ExecutionPolicy Bypass -Scope Process -Force; [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072; iex ((New-Object System.Net.WebClient).DownloadString('https://chocolatey.org/install.ps1'))"
        14⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2588
        
        C:\Windows\system32\timeout.exe
        
        timeout /t 3
        14⤵
        Delays execution with timeout.exe
        
        PID:1820
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        PowerShell -Command "Start-Process 'C:\Users\Admin\AppData\Local\Temp\Files\Apps\ps7.bat'
        14⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3996
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Files\Apps\ps7.bat" "
        15⤵
        
        PID:5048
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ver
        16⤵
        
        PID:4940
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c chcp
        16⤵
        
        PID:3816
        
        C:\Windows\system32\chcp.com
        
        chcp
        17⤵
        
        PID:1864
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        16⤵
        
        PID:4008
        
        C:\Windows\system32\chcp.com
        
        chcp 437
        16⤵
        
        PID:4100
        
        C:\Windows\system32\bitsadmin.exe
        
        bitsadmin /transfer netframework https://download.visualstudio.microsoft.com/download/pr/10461429/AC101D64-D9E4-4894-85D2-79ED020E6B7C/NDP462-KB3151800-x86-x64-AllOS-ENU.exe C:\Users\Admin\AppData\Local\Temp\NDP462-KB3151800-x86-x64-AllOS-ENU.exe
        16⤵
        Download via BitsAdmin
        
        PID:4312
        
        C:\Windows\system32\bitsadmin.exe
        
        bitsadmin /transfer wmf51 https://download.microsoft.com/download/1/C/C/1CC238B2-91F2-40EF-AB03-A0D973326712/Win7AndW2K8R2-KB3191566-x64.msu C:\Users\Admin\AppData\Local\Temp\Win7AndW2K8R2-KB3191566-x64.msu
        16⤵
        Download via BitsAdmin
        
        PID:3388
        
        C:\Windows\system32\wusa.exe
        
        wusa C:\Users\Admin\AppData\Local\Temp\Win7AndW2K8R2-KB3191566-x64.msu /quiet /norestart
        16⤵
        Drops file in Windows directory
        
        PID:3928
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -NoProfile -ExecutionPolicy Bypass -Command "Set-ExecutionPolicy Bypass -Scope Process -Force; [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072; iex ((New-Object System.Net.WebClient).DownloadString('https://chocolatey.org/install.ps1'))"
        16⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3252
        
        C:\Windows\system32\timeout.exe
        
        timeout /t 3
        16⤵
        Delays execution with timeout.exe
        
        PID:404
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        PowerShell -Command "Start-Process 'C:\Users\Admin\AppData\Local\Temp\Files\Apps\ps7.bat'
        16⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4892
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Files\Apps\ps7.bat" "
        17⤵
        
        PID:2408
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ver
        18⤵
        
        PID:924
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c chcp
        18⤵
        
        PID:3684
        
        C:\Windows\system32\chcp.com
        
        chcp
        19⤵
        
        PID:3236
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        18⤵
        
        PID:1388
        
        C:\Windows\system32\chcp.com
        
        chcp 437
        18⤵
        
        PID:1720
        
        C:\Windows\system32\bitsadmin.exe
        
        bitsadmin /transfer netframework https://download.visualstudio.microsoft.com/download/pr/10461429/AC101D64-D9E4-4894-85D2-79ED020E6B7C/NDP462-KB3151800-x86-x64-AllOS-ENU.exe C:\Users\Admin\AppData\Local\Temp\NDP462-KB3151800-x86-x64-AllOS-ENU.exe
        18⤵
        Download via BitsAdmin
        
        PID:1196
        
        C:\Windows\system32\bitsadmin.exe
        
        bitsadmin /transfer wmf51 https://download.microsoft.com/download/1/C/C/1CC238B2-91F2-40EF-AB03-A0D973326712/Win7AndW2K8R2-KB3191566-x64.msu C:\Users\Admin\AppData\Local\Temp\Win7AndW2K8R2-KB3191566-x64.msu
        18⤵
        Download via BitsAdmin
        
        PID:3376
        
        C:\Windows\system32\wusa.exe
        
        wusa C:\Users\Admin\AppData\Local\Temp\Win7AndW2K8R2-KB3191566-x64.msu /quiet /norestart
        18⤵
        Drops file in Windows directory
        
        PID:3044
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -NoProfile -ExecutionPolicy Bypass -Command "Set-ExecutionPolicy Bypass -Scope Process -Force; [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072; iex ((New-Object System.Net.WebClient).DownloadString('https://chocolatey.org/install.ps1'))"
        18⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4992
        
        C:\Windows\system32\timeout.exe
        
        timeout /t 3
        18⤵
        Delays execution with timeout.exe
        
        PID:1736
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        PowerShell -Command "Start-Process 'C:\Users\Admin\AppData\Local\Temp\Files\Apps\ps7.bat'
        18⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3268
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Files\Apps\ps7.bat" "
        19⤵
        
        PID:1380
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ver
        20⤵
        
        PID:1248
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c chcp
        20⤵
        
        PID:2192
        
        C:\Windows\system32\chcp.com
        
        chcp
        21⤵
        
        PID:2220
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        20⤵
        
        PID:2140
        
        C:\Windows\system32\chcp.com
        
        chcp 437
        20⤵
        
        PID:3780
        
        C:\Windows\system32\bitsadmin.exe
        
        bitsadmin /transfer netframework https://download.visualstudio.microsoft.com/download/pr/10461429/AC101D64-D9E4-4894-85D2-79ED020E6B7C/NDP462-KB3151800-x86-x64-AllOS-ENU.exe C:\Users\Admin\AppData\Local\Temp\NDP462-KB3151800-x86-x64-AllOS-ENU.exe
        20⤵
        Download via BitsAdmin
        
        PID:4064
        
        C:\Windows\system32\bitsadmin.exe
        
        bitsadmin /transfer wmf51 https://download.microsoft.com/download/1/C/C/1CC238B2-91F2-40EF-AB03-A0D973326712/Win7AndW2K8R2-KB3191566-x64.msu C:\Users\Admin\AppData\Local\Temp\Win7AndW2K8R2-KB3191566-x64.msu
        20⤵
        Download via BitsAdmin
        
        PID:1464
        
        C:\Windows\system32\wusa.exe
        
        wusa C:\Users\Admin\AppData\Local\Temp\Win7AndW2K8R2-KB3191566-x64.msu /quiet /norestart
        20⤵
        Drops file in Windows directory
        
        PID:548
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -NoProfile -ExecutionPolicy Bypass -Command "Set-ExecutionPolicy Bypass -Scope Process -Force; [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072; iex ((New-Object System.Net.WebClient).DownloadString('https://chocolatey.org/install.ps1'))"
        20⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4876
        
        C:\Windows\system32\timeout.exe
        
        timeout /t 3
        20⤵
        Delays execution with timeout.exe
        
        PID:3612
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        PowerShell -Command "Start-Process 'C:\Users\Admin\AppData\Local\Temp\Files\Apps\ps7.bat'
        20⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2012
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Files\Apps\ps7.bat" "
        21⤵
        
        PID:4944
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ver
        22⤵
        
        PID:3492
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c chcp
        22⤵
        
        PID:2892
        
        C:\Windows\system32\chcp.com
        
        chcp
        23⤵
        
        PID:3252
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        22⤵
        
        PID:2204
        
        C:\Windows\system32\chcp.com
        
        chcp 437
        22⤵
        
        PID:1128
        
        C:\Windows\system32\bitsadmin.exe
        
        bitsadmin /transfer netframework https://download.visualstudio.microsoft.com/download/pr/10461429/AC101D64-D9E4-4894-85D2-79ED020E6B7C/NDP462-KB3151800-x86-x64-AllOS-ENU.exe C:\Users\Admin\AppData\Local\Temp\NDP462-KB3151800-x86-x64-AllOS-ENU.exe
        22⤵
        Download via BitsAdmin
        
        PID:4996
        
        C:\Windows\system32\bitsadmin.exe
        
        bitsadmin /transfer wmf51 https://download.microsoft.com/download/1/C/C/1CC238B2-91F2-40EF-AB03-A0D973326712/Win7AndW2K8R2-KB3191566-x64.msu C:\Users\Admin\AppData\Local\Temp\Win7AndW2K8R2-KB3191566-x64.msu
        22⤵
        Download via BitsAdmin
        
        PID:4836
        
        C:\Windows\system32\wusa.exe
        
        wusa C:\Users\Admin\AppData\Local\Temp\Win7AndW2K8R2-KB3191566-x64.msu /quiet /norestart
        22⤵
        Drops file in Windows directory
        
        PID:2120
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -NoProfile -ExecutionPolicy Bypass -Command "Set-ExecutionPolicy Bypass -Scope Process -Force; [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072; iex ((New-Object System.Net.WebClient).DownloadString('https://chocolatey.org/install.ps1'))"
        22⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1100
        
        C:\Windows\system32\timeout.exe
        
        timeout /t 3
        22⤵
        Delays execution with timeout.exe
        
        PID:4760
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        PowerShell -Command "Start-Process 'C:\Users\Admin\AppData\Local\Temp\Files\Apps\ps7.bat'
        22⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:376
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Files\Apps\ps7.bat" "
        23⤵
        
        PID:1272
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ver
        24⤵
        
        PID:3360
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c chcp
        24⤵
        
        PID:3636
        
        C:\Windows\system32\chcp.com
        
        chcp
        25⤵
        
        PID:2360
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        24⤵
        
        PID:1392
        
        C:\Windows\system32\chcp.com
        
        chcp 437
        24⤵
        
        PID:1612
        
        C:\Windows\system32\bitsadmin.exe
        
        bitsadmin /transfer netframework https://download.visualstudio.microsoft.com/download/pr/10461429/AC101D64-D9E4-4894-85D2-79ED020E6B7C/NDP462-KB3151800-x86-x64-AllOS-ENU.exe C:\Users\Admin\AppData\Local\Temp\NDP462-KB3151800-x86-x64-AllOS-ENU.exe
        24⤵
        Download via BitsAdmin
        
        PID:1032
        
        C:\Windows\system32\bitsadmin.exe
        
        bitsadmin /transfer wmf51 https://download.microsoft.com/download/1/C/C/1CC238B2-91F2-40EF-AB03-A0D973326712/Win7AndW2K8R2-KB3191566-x64.msu C:\Users\Admin\AppData\Local\Temp\Win7AndW2K8R2-KB3191566-x64.msu
        24⤵
        Download via BitsAdmin
        
        PID:2660
        
        C:\Windows\system32\wusa.exe
        
        wusa C:\Users\Admin\AppData\Local\Temp\Win7AndW2K8R2-KB3191566-x64.msu /quiet /norestart
        24⤵
        Drops file in Windows directory
        
        PID:3916
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -NoProfile -ExecutionPolicy Bypass -Command "Set-ExecutionPolicy Bypass -Scope Process -Force; [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072; iex ((New-Object System.Net.WebClient).DownloadString('https://chocolatey.org/install.ps1'))"
        24⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3176
        
        C:\Windows\system32\timeout.exe
        
        timeout /t 3
        24⤵
        Delays execution with timeout.exe
        
        PID:2096
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        PowerShell -Command "Start-Process 'C:\Users\Admin\AppData\Local\Temp\Files\Apps\ps7.bat'
        24⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3608
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Files\Apps\ps7.bat" "
        25⤵
        
        PID:2168
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ver
        26⤵
        
        PID:3168
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c chcp
        26⤵
        
        PID:548
        
        C:\Windows\system32\chcp.com
        
        chcp
        27⤵
        
        PID:3932
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        26⤵
        
        PID:4312
        
        C:\Windows\system32\chcp.com
        
        chcp 437
        26⤵
        
        PID:2172
        
        C:\Windows\system32\bitsadmin.exe
        
        bitsadmin /transfer netframework https://download.visualstudio.microsoft.com/download/pr/10461429/AC101D64-D9E4-4894-85D2-79ED020E6B7C/NDP462-KB3151800-x86-x64-AllOS-ENU.exe C:\Users\Admin\AppData\Local\Temp\NDP462-KB3151800-x86-x64-AllOS-ENU.exe
        26⤵
        Download via BitsAdmin
        
        PID:1004
        
        C:\Windows\system32\bitsadmin.exe
        
        bitsadmin /transfer wmf51 https://download.microsoft.com/download/1/C/C/1CC238B2-91F2-40EF-AB03-A0D973326712/Win7AndW2K8R2-KB3191566-x64.msu C:\Users\Admin\AppData\Local\Temp\Win7AndW2K8R2-KB3191566-x64.msu
        26⤵
        Download via BitsAdmin
        
        PID:1984
        
        C:\Windows\system32\wusa.exe
        
        wusa C:\Users\Admin\AppData\Local\Temp\Win7AndW2K8R2-KB3191566-x64.msu /quiet /norestart
        26⤵
        Drops file in Windows directory
        
        PID:2540
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -NoProfile -ExecutionPolicy Bypass -Command "Set-ExecutionPolicy Bypass -Scope Process -Force; [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072; iex ((New-Object System.Net.WebClient).DownloadString('https://chocolatey.org/install.ps1'))"
        26⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4844
        
        C:\Windows\system32\timeout.exe
        
        timeout /t 3
        26⤵
        Delays execution with timeout.exe
        
        PID:4340
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        PowerShell -Command "Start-Process 'C:\Users\Admin\AppData\Local\Temp\Files\Apps\ps7.bat'
        26⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1156
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Files\Apps\ps7.bat" "
        27⤵
        
        PID:1060
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ver
        28⤵
        
        PID:1932
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c chcp
        28⤵
        
        PID:5084
        
        C:\Windows\system32\chcp.com
        
        chcp
        29⤵
        
        PID:2932
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        28⤵
        
        PID:5000
        
        C:\Windows\system32\chcp.com
        
        chcp 437
        28⤵
        
        PID:3236
        
        C:\Windows\system32\bitsadmin.exe
        
        bitsadmin /transfer netframework https://download.visualstudio.microsoft.com/download/pr/10461429/AC101D64-D9E4-4894-85D2-79ED020E6B7C/NDP462-KB3151800-x86-x64-AllOS-ENU.exe C:\Users\Admin\AppData\Local\Temp\NDP462-KB3151800-x86-x64-AllOS-ENU.exe
        28⤵
        Download via BitsAdmin
        
        PID:4364
        
        C:\Windows\system32\bitsadmin.exe
        
        bitsadmin /transfer wmf51 https://download.microsoft.com/download/1/C/C/1CC238B2-91F2-40EF-AB03-A0D973326712/Win7AndW2K8R2-KB3191566-x64.msu C:\Users\Admin\AppData\Local\Temp\Win7AndW2K8R2-KB3191566-x64.msu
        28⤵
        Download via BitsAdmin
        
        PID:2688
        
        C:\Windows\system32\wusa.exe
        
        wusa C:\Users\Admin\AppData\Local\Temp\Win7AndW2K8R2-KB3191566-x64.msu /quiet /norestart
        28⤵
        Drops file in Windows directory
        
        PID:4176
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -NoProfile -ExecutionPolicy Bypass -Command "Set-ExecutionPolicy Bypass -Scope Process -Force; [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072; iex ((New-Object System.Net.WebClient).DownloadString('https://chocolatey.org/install.ps1'))"
        28⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4408
        
        C:\Windows\system32\timeout.exe
        
        timeout /t 3
        28⤵
        Delays execution with timeout.exe
        
        PID:3172
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        PowerShell -Command "Start-Process 'C:\Users\Admin\AppData\Local\Temp\Files\Apps\ps7.bat'
        28⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1908
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Files\Apps\ps7.bat" "
        29⤵
        
        PID:2092
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ver
        30⤵
        
        PID:2660
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c chcp
        30⤵
        
        PID:4476
        
        C:\Windows\system32\chcp.com
        
        chcp
        31⤵
        
        PID:3900
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        30⤵
        
        PID:2812
        
        C:\Windows\system32\chcp.com
        
        chcp 437
        30⤵
        
        PID:4464
        
        C:\Windows\system32\bitsadmin.exe
        
        bitsadmin /transfer netframework https://download.visualstudio.microsoft.com/download/pr/10461429/AC101D64-D9E4-4894-85D2-79ED020E6B7C/NDP462-KB3151800-x86-x64-AllOS-ENU.exe C:\Users\Admin\AppData\Local\Temp\NDP462-KB3151800-x86-x64-AllOS-ENU.exe
        30⤵
        Download via BitsAdmin
        
        PID:4776
        
        C:\Windows\system32\bitsadmin.exe
        
        bitsadmin /transfer wmf51 https://download.microsoft.com/download/1/C/C/1CC238B2-91F2-40EF-AB03-A0D973326712/Win7AndW2K8R2-KB3191566-x64.msu C:\Users\Admin\AppData\Local\Temp\Win7AndW2K8R2-KB3191566-x64.msu
        30⤵
        Download via BitsAdmin
        
        PID:368
        
        C:\Windows\system32\wusa.exe
        
        wusa C:\Users\Admin\AppData\Local\Temp\Win7AndW2K8R2-KB3191566-x64.msu /quiet /norestart
        30⤵
        Drops file in Windows directory
        
        PID:5056
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -NoProfile -ExecutionPolicy Bypass -Command "Set-ExecutionPolicy Bypass -Scope Process -Force; [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072; iex ((New-Object System.Net.WebClient).DownloadString('https://chocolatey.org/install.ps1'))"
        30⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3496
        
        C:\Windows\system32\timeout.exe
        
        timeout /t 3
        30⤵
        Delays execution with timeout.exe
        
        PID:3608
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        PowerShell -Command "Start-Process 'C:\Users\Admin\AppData\Local\Temp\Files\Apps\ps7.bat'
        30⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3996
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Files\Apps\ps7.bat" "
        31⤵
        
        PID:3352
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ver
        32⤵
        
        PID:1744
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c chcp
        32⤵
        
        PID:4236
        
        C:\Windows\system32\chcp.com
        
        chcp
        33⤵
        
        PID:4764
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        32⤵
        
        PID:2040
        
        C:\Windows\system32\chcp.com
        
        chcp 437
        32⤵
        
        PID:3160
        
        C:\Windows\system32\bitsadmin.exe
        
        bitsadmin /transfer netframework https://download.visualstudio.microsoft.com/download/pr/10461429/AC101D64-D9E4-4894-85D2-79ED020E6B7C/NDP462-KB3151800-x86-x64-AllOS-ENU.exe C:\Users\Admin\AppData\Local\Temp\NDP462-KB3151800-x86-x64-AllOS-ENU.exe
        32⤵
        Download via BitsAdmin
        
        PID:3888
        
        C:\Windows\system32\bitsadmin.exe
        
        bitsadmin /transfer wmf51 https://download.microsoft.com/download/1/C/C/1CC238B2-91F2-40EF-AB03-A0D973326712/Win7AndW2K8R2-KB3191566-x64.msu C:\Users\Admin\AppData\Local\Temp\Win7AndW2K8R2-KB3191566-x64.msu
        32⤵
        Download via BitsAdmin
        
        PID:2012
        
        C:\Windows\system32\wusa.exe
        
        wusa C:\Users\Admin\AppData\Local\Temp\Win7AndW2K8R2-KB3191566-x64.msu /quiet /norestart
        32⤵
        Drops file in Windows directory
        
        PID:3984
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -NoProfile -ExecutionPolicy Bypass -Command "Set-ExecutionPolicy Bypass -Scope Process -Force; [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072; iex ((New-Object System.Net.WebClient).DownloadString('https://chocolatey.org/install.ps1'))"
        32⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4568
        
        C:\Windows\system32\timeout.exe
        
        timeout /t 3
        32⤵
        Delays execution with timeout.exe
        
        PID:5084
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        PowerShell -Command "Start-Process 'C:\Users\Admin\AppData\Local\Temp\Files\Apps\ps7.bat'
        32⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:212
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Files\Apps\ps7.bat" "
        33⤵
        
        PID:1708
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ver
        34⤵
        
        PID:2364
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c chcp
        34⤵
        
        PID:892
        
        C:\Windows\system32\chcp.com
        
        chcp
        35⤵
        
        PID:2080
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        34⤵
        
        PID:4800
        
        C:\Windows\system32\chcp.com
        
        chcp 437
        34⤵
        
        PID:4284
        
        C:\Windows\system32\bitsadmin.exe
        
        bitsadmin /transfer netframework https://download.visualstudio.microsoft.com/download/pr/10461429/AC101D64-D9E4-4894-85D2-79ED020E6B7C/NDP462-KB3151800-x86-x64-AllOS-ENU.exe C:\Users\Admin\AppData\Local\Temp\NDP462-KB3151800-x86-x64-AllOS-ENU.exe
        34⤵
        Download via BitsAdmin
        
        PID:1352
        
        C:\Windows\system32\bitsadmin.exe
        
        bitsadmin /transfer wmf51 https://download.microsoft.com/download/1/C/C/1CC238B2-91F2-40EF-AB03-A0D973326712/Win7AndW2K8R2-KB3191566-x64.msu C:\Users\Admin\AppData\Local\Temp\Win7AndW2K8R2-KB3191566-x64.msu
        34⤵
        Download via BitsAdmin
        
        PID:4012
        
        C:\Windows\system32\wusa.exe
        
        wusa C:\Users\Admin\AppData\Local\Temp\Win7AndW2K8R2-KB3191566-x64.msu /quiet /norestart
        34⤵
        Drops file in Windows directory
        
        PID:3084
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -NoProfile -ExecutionPolicy Bypass -Command "Set-ExecutionPolicy Bypass -Scope Process -Force; [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072; iex ((New-Object System.Net.WebClient).DownloadString('https://chocolatey.org/install.ps1'))"
        34⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3636
        
        C:\Windows\system32\timeout.exe
        
        timeout /t 3
        34⤵
        Delays execution with timeout.exe
        
        PID:5004
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        PowerShell -Command "Start-Process 'C:\Users\Admin\AppData\Local\Temp\Files\Apps\ps7.bat'
        34⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:2908
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Files\Apps\ps7.bat" "
        35⤵
        
        PID:2152
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ver
        36⤵
        
        PID:4948
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c chcp
        36⤵
        
        PID:3048
        
        C:\Windows\system32\chcp.com
        
        chcp
        37⤵
        
        PID:3948
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        36⤵
        
        PID:3652
        
        C:\Windows\system32\chcp.com
        
        chcp 437
        36⤵
        
        PID:3176
        
        C:\Windows\system32\bitsadmin.exe
        
        bitsadmin /transfer netframework https://download.visualstudio.microsoft.com/download/pr/10461429/AC101D64-D9E4-4894-85D2-79ED020E6B7C/NDP462-KB3151800-x86-x64-AllOS-ENU.exe C:\Users\Admin\AppData\Local\Temp\NDP462-KB3151800-x86-x64-AllOS-ENU.exe
        36⤵
        Download via BitsAdmin
        
        PID:180
        
        C:\Windows\system32\bitsadmin.exe
        
        bitsadmin /transfer wmf51 https://download.microsoft.com/download/1/C/C/1CC238B2-91F2-40EF-AB03-A0D973326712/Win7AndW2K8R2-KB3191566-x64.msu C:\Users\Admin\AppData\Local\Temp\Win7AndW2K8R2-KB3191566-x64.msu
        36⤵
        Download via BitsAdmin
        
        PID:3868
        
        C:\Windows\system32\wusa.exe
        
        wusa C:\Users\Admin\AppData\Local\Temp\Win7AndW2K8R2-KB3191566-x64.msu /quiet /norestart
        36⤵
        Drops file in Windows directory
        
        PID:904
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -NoProfile -ExecutionPolicy Bypass -Command "Set-ExecutionPolicy Bypass -Scope Process -Force; [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072; iex ((New-Object System.Net.WebClient).DownloadString('https://chocolatey.org/install.ps1'))"
        36⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1976
        
        C:\Windows\system32\timeout.exe
        
        timeout /t 3
        36⤵
        Delays execution with timeout.exe
        
        PID:1472

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

BITS Jobs

T1197

Privilege Escalation

Defense Evasion

BITS Jobs

T1197

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\chocolatey\choco.exe

Filesize
11.1MB

MD5
5bd9b752aea9efb5b02fe30d82e7e4d4

SHA1
450df051653ba65d1068c76a2f117f7e0cc543c9

SHA256
bb69a5899e7d260853e73c7f2a11d92702abc72aca01aadf08172ea87921466a

SHA512
edaf5633ab49b9540d85e7b4d184d26dfa374a193aff629c0fc043bb31aea48edabcc4ec7126e4842e3217b976f8225988655a140386a4518b529cea7cde4933

Download Submit
C:\ProgramData\chocolatey\config\chocolatey.config.3176.update

Filesize
8KB

MD5
a3f016f5f2bd742ff1591950260f6f75

SHA1
7feabbcc2e2d51c09065071f58da23990e215b72

SHA256
6621f97fca4589b04e4c9a835344371fc3ecdf1f4cdac5c1492c05fcc23629f3

SHA512
ad6a96131221f3e8ac1e5bfc094ae1c09344a65f84b73d6933650e26417a569275e049b564b4c954641c7906a5fbbc886e37fa4a4bfb8216ccf3b519d09c7250

Download Submit
C:\ProgramData\chocolatey\config\chocolatey.config.backup

Filesize
809B

MD5
8b6737800745d3b99886d013b3392ac3

SHA1
bb94da3f294922d9e8d31879f2d145586a182e19

SHA256
86f10504ca147d13a157944f926141fe164a89fa8a71847458bda7102abb6594

SHA512
654dda9b645b4900ac6e5bb226494921194dab7de71d75806f645d9b94ed820055914073ef9a5407e468089c0b2ee4d021f03c2ea61e73889b553895e79713df

Download Submit
C:\ProgramData\chocolatey\helpers\chocolateyInstaller.psm1

Filesize
21KB

MD5
8feb9f84cfd079bf675f4c448eb62c27

SHA1
f0a7c0eb89c94a81d72efaa0d4e72a2acf9a15a2

SHA256
4af7d8dcdba7335f96d4d7f9b7ab75b29a890380d8c7c35c59f60739db8a604e

SHA512
34346669024dcc273338913794103d16b723fbfe7d3fbd6eb89d3561b4e7134906fdaeeabcdaee653f452a9917ed48ed79fbf56e507f9e41e4adb7b4f32f48da

Download Submit
C:\ProgramData\chocolatey\helpers\functions\Format-FileSize.ps1

Filesize
15KB

MD5
c1e5f78407a38c0f2bef0839274a30d5

SHA1
2e5d91ff054720b94e7795474e23fbe202635165

SHA256
d47a44752fd6a983f9ab0e48aa8b12a2b0bc772ea0bb380c64723bb8e0b2ccbb

SHA512
81c22988af2065e94e4420e1b71d1bd2c12406a74f0984c7183a4905d4cc397a71728a9b0dc41ea625bb12e231fb002e3c965f92f60bcc12e5b0be81b26e056a

Download Submit
C:\ProgramData\chocolatey\helpers\functions\Get-CheckSumValid.ps1

Filesize
25KB

MD5
32fdfad78eecf1a6936525069d0eda09

SHA1
bf1f751146e73887de2c54a183d70a005a7453ab

SHA256
0e34c0c610bad2bca1c36e24908003886e6e8d506a7ce5cfee85c921faea61e9

SHA512
e9b9645391589365969e990967b5133de10090c212d000638c1553d98fdf7d0e6f99d9284d6f9f7385a7ffc2d37038bb430ce79bf3a44fa652ae745907833665

Download Submit
C:\ProgramData\chocolatey\helpers\functions\Get-ChocolateyConfigValue.ps1

Filesize
15KB

MD5
7686ed92bc6bc3606d914ac3d6555d73

SHA1
6db9151efb0c2d693ac2acb8099967a7c32fe47b

SHA256
83eb927efcd495e15fd4ff5d043e1f0cf4b2dceded9aeb5a4af3db0cde2bfd8b

SHA512
df7c252898fcf6829632b3d576b72c2a3232b24741fcb1ee50ebe7d7bafe86e0cceeb75f08b22ae177e57c6758572842b341c7d933f229d9d2c99388488b120d

Download Submit
C:\ProgramData\chocolatey\helpers\functions\Get-ChocolateyPath.ps1

Filesize
16KB

MD5
1235a3a21c64fe5563c06f65543d7d77

SHA1
204bcd4af12c7de4c83b2d2cdb22955e6c2eacf2

SHA256
18f1e1dc7ea4c3daae3fc51fd1373330c0132270180ed93bcac7a1d2843353f5

SHA512
b51476e608368120458d276b662a860cb863cc64f41556099c1bbd5c901b3a300b8d4266f44003b14a9d3d25a0832db7afe2c025858ff9d3c194acdabe0ef237

Download Submit
C:\ProgramData\chocolatey\helpers\functions\Get-ChocolateyUnzip.ps1

Filesize
25KB

MD5
37ce9d39ab4ab1d9e9d9373173152e1c

SHA1
a0e06df561391156ac3623f56afa824173a6e34f

SHA256
bb77491d99fa16f09048e81a2cedc29f3e6397d0d166ba2f72317aca04347c25

SHA512
9f9b21df7bca9c15fac1582900932f77d6fbd1e80ec751d88141a6479d78ee2622df1b96bf1606c0df3c3cb0a7f553b5a8567c30590cbb1260dc8614dda8de49

Download Submit
C:\ProgramData\chocolatey\helpers\functions\Get-ChocolateyWebFile.ps1

Filesize
31KB

MD5
5c544f7d387ca56993a00e0a132a2e93

SHA1
8214c283a1cda735803e8e2b76db9715932b150a

SHA256
5a763e6f6895fb36c99c942c56b2e5860e316978ce61ffb6d5a4599b357eae4e

SHA512
2577d38f631b8061bbc9b73ad0a33b47dc97929ba463141c6c9216cdf1219a278b30ea8420c399d72a440065954a0a54f01546dc17f34fce0151f35de87caa3e

Download Submit
C:\ProgramData\chocolatey\helpers\functions\Get-FtpFile.ps1

Filesize
22KB

MD5
be4288d0cf3bf6203139f32b258a2d2a

SHA1
5deeb81fd84ee5038e08e546e7ee233dde64c0fd

SHA256
a0d1fcec293a9d8b1340bbf54194884ef1c7495c3cbe9d4d5673edf2e5ccfb43

SHA512
86090ee2fd2a77f8b38e3385af0189a657583e1ebdce2cf8ebd096714ae2081f9c62306cbc5712cd15475309d8c1ebc340842936afbff4bfee1c148f8626d47b

Download Submit
C:\ProgramData\chocolatey\helpers\functions\Get-OSArchitectureWidth.ps1

Filesize
16KB

MD5
96ce9de89c3e9d3afa2107ae3d30630a

SHA1
0856953bf3b426be54f6759ab1ec9be6a35c631b

SHA256
30f831b5189132d642edfd7cc9e4f44b11ae357652e1748073d94206544d4b77

SHA512
4ec2bd382fb306aac0da8009e9e05e4e5b6b0ef248718415c1e255935d70a4d9211d98adb2992174660f07eb0239c8ac2491734d6c6d1e957b72ea568df6e012

Download Submit
C:\ProgramData\chocolatey\helpers\functions\Get-PackageParameters.ps1

Filesize
21KB

MD5
847e9548a2e02e2e4d73f7fa08467e67

SHA1
022e03be3a51aad9b3c0ef950c3eff14d09343e1

SHA256
d537580623ca8088692ad463e8913a83edb50963bd4b3b2b7b579e4e2b3b71f9

SHA512
4c6ddbe465adc27bc97cb684a43b6baab59bbf21b8d8a2bc73d6ae618a6dff4816f139a246558e0b8c49fe7d2d5068f16f19cc132f21d7076d833764aa24f86c

Download Submit
C:\ProgramData\chocolatey\helpers\functions\Get-ToolsLocation.ps1

Filesize
17KB

MD5
8e6fa8b04f177d447f161517548f4d47

SHA1
b39f9c37d1db563aa25298b60bcd5129bc6614c4

SHA256
10ef1bd8a810ee08f601a207ac83a4c7d9ebad1a4777378cf3749e3c56b98c48

SHA512
44137b572237b5b1fea00039d5cfe10f182f20595740e185f40026c87b07d3c05e1eb1fae82f4919c6795a0acdb79dbc9d28ba78d8f16e6dc32a42aeb5b74331

Download Submit
C:\ProgramData\chocolatey\helpers\functions\Get-UACEnabled.ps1

Filesize
15KB

MD5
4346017feb0a9b795191efd686b789c3

SHA1
b58d82c54a00fa402199b5efec3bae97c40c0d15

SHA256
3f0c1c8c91696c6ae9c0e41589319d200d2c4bd16cabf4e2f1a11fc947a72f91

SHA512
680172309ba9da0ed0786c7b1bd967f6a3d09e9989d14d85c6566250c83dc2d997d48f6fccf2faccca6548a56ddf39f2d577806f5325e558670442c26607a22f

Download Submit
C:\ProgramData\chocolatey\helpers\functions\Get-UninstallRegistryKey.ps1

Filesize
19KB

MD5
5d9a27ae842c05255f5a6e7f2465ffe3

SHA1
59066ff2d8da1a2f552cf61c484400affab5aa2b

SHA256
573fd644bee61bf85053989c7111be4a33223ce9bfd0ae5f95e05382fa08a1f5

SHA512
b0cb5641bca08c03cbc9e57aa12a06f255f1888b76d32b821561b9217d1d293b6c2d5188acf483bcaebe3c83afeead2aa308b3741fb8a171cc23b8fd472ff5b1

Download Submit
C:\ProgramData\chocolatey\helpers\functions\Get-VirusCheckValid.ps1

Filesize
15KB

MD5
4aacdca3061553326f51b0938232d897

SHA1
6df122a2c6d7d5954915a871494a5333601e5f9c

SHA256
73d85aa2297033f106a0c8c3138efb9ad36f97ed108e040f12348fae94c56f74

SHA512
c74b505b20da653ef68615df221508b76937cdb7956f54c6a07d314283e3fa8b03ee1e14d0d49c0fd6b99c2d8e126678f97645c7ab4f340cd58f1566b4e42eca

Download Submit
C:\ProgramData\chocolatey\helpers\functions\Get-WebFile.ps1

Filesize
28KB

MD5
101b16272234051204428a4e53b99113

SHA1
f1a08992c63f405838838c26d309a1f918ba312c

SHA256
2dc9ae2d1de175e6b867ff89f84ba25d08dd5f41b84e2818318ca23f3eb5797e

SHA512
bde4deb19594733afd878d8e804787197ab894a3d6c60eda32f393a0445e59eac60240028d20b189566efa34b408b784e01967cd83811f77ac82a9ea6d75d9c0

Download Submit
C:\ProgramData\chocolatey\helpers\functions\Get-WebFileName.ps1

Filesize
23KB

MD5
22a06bb57eeae0b3c1d63f0b23c83541

SHA1
a2dda0d44ff38b0b248cde072c95707b183c40ef

SHA256
db062d9d09d7dae751e626bf97138eae6e9350112e2738cb3be9ef78dbdace1a

SHA512
c243228df368d3bec03bbaba9a91c7c966d089d982937ee18c53a2a6fc217b08c029d5b62871b55fd84859a30d60037f013c26966237d1c2b14b6d81e650488c

Download Submit
C:\ProgramData\chocolatey\helpers\functions\Get-WebHeaders.ps1

Filesize
20KB

MD5
5540d1bea1c41384c0a44be773820695

SHA1
adbb11f9371154d5bb440fc522ea68c3730d684a

SHA256
1d15d738c319132c792ac6f8820f50ccb0fc32597e9c886746bcc31fcce2c683

SHA512
1e870c37493f2ec59468b27320e249422912ddfae8c8a60338e6754e16d809c7572694ca369e0a7e67c6d3607b4262e2455f66ac855b451f6bbbb0e772119e4e

Download Submit
C:\ProgramData\chocolatey\helpers\functions\Install-BinFile.ps1

Filesize
20KB

MD5
78e046bd9c5524eae4c290c5f1d8d090

SHA1
0200b5c106effb26fab84e8b432725f626cea9ca

SHA256
767fd247f1f93cac6188ba1a0c3398b87cf3178e25ded4a16ced7e9bb3cd27f6

SHA512
073ce96951bc1a95d31eaf4a6d6ed7ab7e876847d88b6ce38b31cdb0fb28a6fe093999010c9a19fdba6acd87c1a6e1ebf6085448122ebe6a97b9015cd904715f

Download Submit
C:\ProgramData\chocolatey\helpers\functions\Install-ChocolateyEnvironmentVariable.ps1

Filesize
18KB

MD5
b7412f3a46a112d74783b105c5cb0638

SHA1
408a73cdf57ced4256526e5c699699a2fa089086

SHA256
223f17f84d214c9fa9478817eff65a2681d505dfbfb6b81a2121e446e9614000

SHA512
afa565f67cbd19789825f378c1fa7d468b6b3018ba574be2a225774e26a31c35dcee18eefbbfb163e1687420084a52667642c38b68fe0695b3294fd480386f62

Download Submit
C:\ProgramData\chocolatey\helpers\functions\Install-ChocolateyExplorerMenuItem.ps1

Filesize
18KB

MD5
cfbc57e6f8b07ab19d0a2658cf790306

SHA1
4f90b9c43645e2370040f40e88ccd48628a7012f

SHA256
1e2fb44e0be817b5e16a03a30502c65f61dddc551bd3923ea571e3f83980e049

SHA512
f4af36cff89378e138ccbcb58ccb0204bbb059097dc5a566368c3dea7f7a1fac9a4a174a9e84b221bb83df0d5b3ef7c04160f9f63106cff8db859321c803b3e8

Download Submit
C:\ProgramData\chocolatey\helpers\functions\Install-ChocolateyFileAssociation.ps1

Filesize
17KB

MD5
564e96072345c9f3f4e96e32d95108ec

SHA1
4f83114c167c77253870f837b83db806ffbcccdf

SHA256
a8e90f1f01264ac52e7523394777616d06a53daaeb16868f3e8a06426fc0e586

SHA512
80d0264ab8d51347040296c758d6fe0282442edde39d20115ff632770eebe71421661cd23c3a8d200197109f2507e5e72197209417c5d10beef182004a57ac49

Download Submit
C:\ProgramData\chocolatey\helpers\functions\Install-ChocolateyInstallPackage.ps1

Filesize
28KB

MD5
5e189d783f6f603161b85c157ac6c0d4

SHA1
4303565e26f06b5ff9f6cbcc889ac5ababb8d930

SHA256
09e1973a0286c5912c7f233fce89b2efd9347efdd085869437d9fcbe69a5c5d7

SHA512
2fced12cafea173c86c3f47a7be856b9d4971092881056c0150762e885277adedb1233352d376fb3690951079f5d6a2d1a8643531dedc1006a678c0d7c145f94

Download Submit
C:\ProgramData\chocolatey\helpers\functions\Install-ChocolateyPackage.ps1

Filesize
30KB

MD5
5e6faf3925a572faab69a45cb05e8352

SHA1
bab071428238635e6290fa2741bd63cc803d73d5

SHA256
16b5df14198360715d06a5f12f2b1976d38e729bbe37748e0cbb17f57c4f367e

SHA512
453f3b6a672a521fadbf7966cd84efd011fa6b9186a08234c3ded39e43e898ab0a48229bb46661710c16dafbfd889ab4c45fb34bc0fa01d4a30122a8ace7f478

Download Submit
C:\ProgramData\chocolatey\helpers\functions\Install-ChocolateyPinnedTaskBarItem.ps1

Filesize
16KB

MD5
e26dfd45f80e72a07d8cce6ce2692b28

SHA1
7b97a013651daa86133cda74101d643e96fdc1a8

SHA256
dba9b9e9329fa5d918b1e941dbfed9363a616033cdfcad4a0c60af9c41c4c4ac

SHA512
d7ba6a76b53df979f923fd819679e2a15cdc4a55618a26cfdda8f8455469fcc319bc502cdb77d602ced1d498386626d891c30326de96538be240069e9dd54aaf

Download Submit
C:\ProgramData\chocolatey\helpers\functions\Install-ChocolateyPowershellCommand.ps1

Filesize
23KB

MD5
5e5319e30be55a660e75a5bb04219ad5

SHA1
8d7457acddf8257c6c9651e3480bf4ee72699361

SHA256
aeee93f35724d656a73d1572522fe9b985fa1cae6978b0405398ef9327a1580d

SHA512
80534b6a71b8d0a216ddd13556046c86275df088208861c6f5ab0c88301a785ae2eb685266892381d47d2b3ecec25accd476377be146c8e51cced57a0aa10d63

Download Submit
C:\ProgramData\chocolatey\helpers\functions\Install-ChocolateyShortcut.ps1

Filesize
22KB

MD5
65469f9f27a5dbdef060a0560aa0db7c

SHA1
fe49184d2db322a919513c9667625efa9009a632

SHA256
3410aeb9bc5106b29f2c4cbc74c9febdc229c569153ddb1e41188a7396079a3b

SHA512
8b6ba9ece1f8f53f0e5710dbb7330bf2dcdc8e8f844627bdf54670fea9040bc3239b1673291f1682a5bb404cf9d11e9a1732a1c5484bfb05b0f77db6af3138b5

Download Submit
C:\ProgramData\chocolatey\helpers\functions\Install-ChocolateyVsixPackage.ps1

Filesize
22KB

MD5
e0e54825bf32d160b62c691d2f314611

SHA1
6e89de9aec3f94c6e046fbb04be28e33a8fc8732

SHA256
4e982ce84c225c6870cc78120e5f85fb622756feff4c7e8eb7088473a2538620

SHA512
6f6d018cd2ab86553746027953439c8c7f1251e5a4bc7b8514d8416babee69d8ee8c7c7698b4f1bce4f2fa815a35ebcbf5bd81580b629e5b2bb20481e9020166

Download Submit
C:\ProgramData\chocolatey\helpers\functions\Install-ChocolateyZipPackage.ps1

Filesize
23KB

MD5
7cb49e4054a7cc234f428faee99d0ace

SHA1
86acfd18a8a274fb4bd0d745a23b501016851b6e

SHA256
ddbdd5abde46f4aa7d5bd472f3d2b1182835a6739c9194aac70749c4bc1fba4b

SHA512
86e27a5a58736ed0c0c2fbb11d7c744fc437a195f768ea223817eca6b4225b541e6ed554a2d9e27626fda793603d1a41e6ff52d39af060c4ca1eea557a52789b

Download Submit
C:\ProgramData\chocolatey\helpers\functions\Install-Vsix.ps1

Filesize
16KB

MD5
05ee41715ae0ccd260cb385c3727d607

SHA1
afdbd2d4a0fd050d20af8e107b2dadddc45ac49f

SHA256
dad0ef31eb232c6c189e0ad947e62e71c5239bf2dad8f9d72a06cf3544a427a4

SHA512
1314234805a0b1048e97a5644c4084254258d9a525fd3175a893c4b0aa37dd682e13bcf21e13355593b4ade7e823d190ca695b4edba04f3e5136d65fbe856dd4

Download Submit
C:\ProgramData\chocolatey\helpers\functions\Set-PowerShellExitCode.ps1

Filesize
15KB

MD5
a917ff0cdf22fe0543dc06713d9cb160

SHA1
efad7626fdf18230a8f9a2e6e0e9df7639d3b600

SHA256
fffb05319b00efb87d2705760ef351c11ad2b1913469635b980d386310bf0e1f

SHA512
505aa2b2559511bbae8124ca4898e003e6b494a3e4db7b13231d1007f23829c595dd1cf953e50bc67e32ea4a967bcd51971625be9ffc8757f57f75f6e106c6ba

Download Submit
C:\ProgramData\chocolatey\helpers\functions\Start-ChocolateyProcessAsAdmin.ps1

Filesize
31KB

MD5
1de230e139174065c73a46f5917f27b5

SHA1
80e19d04dd84da6904b696e4a1caa93953eeda86

SHA256
694c4daed9add47d4ece4bd07568aa57dbc1f3316426f78ce5fd1ef2f2ce2625

SHA512
93549f700b93115939075a9bbdafacbd2500d8c4c02a3e0312bb0823b09850a8575e2ad8d8b6c4dbf62838e2f383bc94321965b45af73b552797100306d6d2f3

Download Submit
C:\ProgramData\chocolatey\helpers\functions\UnInstall-ChocolateyZipPackage.ps1

Filesize
16KB

MD5
bce016992a8576f7a481c6d2962e0879

SHA1
4a7a84db35e3a2d43d7aa0980c0342dd164a16e7

SHA256
599ea45533dc1ab68a9646c6a88b71f4fc11a8669fa3ee8f41360435ca8816dc

SHA512
4dc541851496a407a26674bb302bc3b624fb9d6e581f1ee61dc34daa0d031648f02b5c2fcc7a0002ff96becfa75264635933a503f570ee425d418a22ebd50a8e

Download Submit
C:\ProgramData\chocolatey\helpers\functions\Uninstall-BinFile.ps1

Filesize
17KB

MD5
56afaba9f733028dc1d8e03e21be15dc

SHA1
fd16728498a14961a97ee1a80b9ffa3f3bc3b6d4

SHA256
f706530f0cdabb2f02c9d5b70d7de77d1f02fc4f6730c815ff8410dcf208b9fc

SHA512
54090832d0d6cb1439986190da356c7cd5caffa052118185a6336c0d73f87b937dc5548603f843ab2e5302103ced01a2a9b1f409c4057db5e1aea4a5c7c4dcf7

Download Submit
C:\ProgramData\chocolatey\helpers\functions\Uninstall-ChocolateyEnvironmentVariable.ps1

Filesize
16KB

MD5
f3d779698e09e13fbd55f0a5c6914616

SHA1
44eef7c9b8563cb5d7489abbe6f5158484aefb64

SHA256
c20b736bce859734c4497c6d5aaec13bfa3c201461cc02f48a7539fea54be59e

SHA512
ab266effc4e26d5b04a3a5693e57f979c780a6d7590bc27090225cb44a831fb7a2396540323a70f6456cd7806e00e9738dba866b0bafdfb0226a962e38aca0f0

Download Submit
C:\ProgramData\chocolatey\helpers\functions\Uninstall-ChocolateyPackage.ps1

Filesize
20KB

MD5
bbd9b99d0ab44f6e4a9fb80d6f3a7afa

SHA1
f3a980d5493597144fdbbaad86f5207c2e39e08b

SHA256
07ced451a144a7f6e3fd24d19bfcb2e2a5ea49a969a036754cb833dc2d2986cb

SHA512
06ba6cba2290e4bb6ff3adb09961a260ce811f25a97a2cef0cac7b25e94fc3bfa177fda21b69f9f6ad62901578f16d9716eefe60dfd76cdc925eadc7a730d14b

Download Submit
C:\ProgramData\chocolatey\helpers\functions\Write-FunctionCallLogMessage.ps1

Filesize
15KB

MD5
7fdc886cd1db91065a017a76c9096aed

SHA1
6029f809be8ab12cbe0f25552b25fcfc757dfdd8

SHA256
117e7bbfd11da2f5bd00f66aa004837dd774485e96334fb42b8ac537f4fb012b

SHA512
d5eaa0cdcc09a0673320a1be26e628e067182ae93b9aded6cf275faf68fba7bd6002e1d446bc9b8e9377221de4611058ba32fdc6b4fcb2e53795c3e202c828b5

Download Submit
C:\ProgramData\chocolatey\logs\chocolatey.log

Filesize
1KB

MD5
75cbc03013efd761d5fffbed1da0a9ee

SHA1
dfa0ebc54b881930fd7502f0dbe52401f69d4ac6

SHA256
0f2bb33cdba4014610cc83f73ab52279a160266790262701b4a8a18c2e137111

SHA512
b68aa7abe4b373336102994a0b640c2cf41ab16073767abd51b59c853e7e720605ba1158e92cb7d06d4cc6c0589093a1ad4730b88a178a5c99ae85d02c8779e9

Download Submit
C:\ProgramData\chocolatey\logs\chocolatey.log

Filesize
2KB

MD5
4631b054d4bdef595c24752364e626f7

SHA1
081888d9959cb4851e8f85b1f5227a1866d442d5

SHA256
2f999b5194dc38dc4fe74294b4788464353a9720032d6302d8d38b98c1ba5386

SHA512
0bc9d7d4455579fdcccdeca59f2b11d2e346ad3b1752d7274f5858f602988f4d571024d59f8a68d4476ea4d4ae37fbd4136da8396a79d6d5926da8bc88efe494

Download Submit
C:\ProgramData\chocolatey\logs\chocolatey.log

Filesize
3KB

MD5
e74b535544889f440888ace4e58a8d8e

SHA1
2146467ef3a059515c72c434ed4d147def01d3ca

SHA256
615f7ccde97fff83f7e2ed2e719134fbaa7b2596d230e72c36179288081be7b8

SHA512
0d0a0f85c4b232c53c2fbdff9f42d3f51fbd33a91fc6f105591b9bfe8a45e899a5e606484112327dc1180c833835f1983e63ab165f4684066a8830edd310598f

Download Submit
C:\ProgramData\chocolatey\logs\chocolatey.log

Filesize
4KB

MD5
763db6d69a578b9770b43219f7768659

SHA1
e25b076a9b597e46651fcb76d8c0a53a26e191f1

SHA256
2105e096af53094acfeb96dfe07685c3fb012802d252560196bec81896e6f521

SHA512
36c61edc26e2f0d37139fa3059c80bf260dacf93995df4ee37cdf76fa14b80c61f792ae462ce59dc7cb580a1459acca285bf6590b01b0998ee3c2fd2d7187e79

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
be8e142fb599b30e20ca75eea74227c6

SHA1
feb38e7012cece246e774110ddabdc6c869399cc

SHA256
3430a617e8f8c51037c042b5ec907078ab1decd554911631c2d8383ba29c3190

SHA512
2c504c550ee2c5cdfca9f6a692f4e2eaedbd688f36fcf2183dc9c266af818c7edd320e19b4386b73c7c61cb6cae852caa4394872f7b216b13744fc75d22c0cd5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
5f619b1dfed5680a0a3df1e4e6b3db66

SHA1
27317a137f623b5b8a8f7e5ff645a05c1ca6f4bd

SHA256
2f19d69e86317d588103cfc259a7720016ad8135fce8f5dbe5c683226abdb965

SHA512
092cd464f8354797aa1bf3ccedc1529faa75889ed186804caf6127e99589b55ac58e68801539c57159e92b7987b9d9506aa3690630ab4931b986236fb02f66a5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
34b49235eba7601e049a1b68fbd8a516

SHA1
545ec4a3b77bf9be67beedfc804803b799efab73

SHA256
4d1c8dbec0eff4ac0ce6a5e17e8ad0a7326394b579379ef828dad42ae09d8380

SHA512
4b159e2dbfc14ba9f2654890c11bc11b8ada06aa78218665b2530ca08edbf63de5d404839b48318a6ff43ced137d470ad1a9e38b24516fdc788d3973c84779b9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
a72129ae9452e30c1655864a4734b97b

SHA1
6d765ecccfdc29ca3d164809663751a4070da308

SHA256
087e69688f153a7fa20f0b027cf69b0157860acc8e3e1f715ba25435cc5539ea

SHA512
0521509d716301a1cd3513d4f2c0b47c5fa40d504040e2bc73c3b14c6808b6def6f8a9cd835b793cd34a272e0fa63d23759762347c81f056a5ba01509d1ca3ad

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
3ca1082427d7b2cd417d7c0b7fd95e4e

SHA1
b0482ff5b58ffff4f5242d77330b064190f269d3

SHA256
31f15dc6986680b158468bf0b4a1c00982b07b2889f360befd8a466113940d8f

SHA512
bbcfd8ea1e815524fda500b187483539be4a8865939f24c6e713f0a3bd90b69b4367c36aa2b09886b2006b685f81f0a77eec23ab58b7e2fb75304b412deb6ca3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
feadc4e1a70c13480ef147aca0c47bc0

SHA1
d7a5084c93842a290b24dacec0cd3904c2266819

SHA256
5b4f1fe7ba74b245b6368dbe4ceffa438f14eef08ba270e9a13c57505c7717ac

SHA512
c9681a19c773891808fefa9445cea598d118c83bba89530a51ab993adbff39bce72b43f8e99d0c68e4a44f7e0f4c8ec128641c45cd557a8e1215721d5d992a23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
367b1c81198bfdcdba813c2c336627a3

SHA1
37fe6414eafaaed4abb91c1aafde62c5b688b711

SHA256
1141e163d84d5ef0038593c866647f27c55510de2147dc1578130e518a22cced

SHA512
e0493957e6602efb156d372e5e66147056f6e3c2e01996ba9b4e04f82b2b1e4c7236d0e3681dce9ab4911a62546b6a141f1ae731de6e8184e758caf120cf594b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
5caad758326454b5788ec35315c4c304

SHA1
3aef8dba8042662a7fcf97e51047dc636b4d4724

SHA256
83e613b6dc8d70e3bb67c58535e014f58f3e8b2921e93b55137d799fc8c56391

SHA512
4e0d443cf81e2f49829b0a458a08294bf1bdc0e38d3a938fb8274eeb637d9a688b14c7999dd6b86a31fcec839a9e8c1a9611ed0bbae8bd59caa9dba1e8253693

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
235a8eb126d835efb2e253459ab8b089

SHA1
293fbf68e6726a5a230c3a42624c01899e35a89f

SHA256
5ffd4a816ae5d1c1a8bdc51d2872b7dd99e9c383c88001d303a6f64a77773686

SHA512
a83d17203b581491e47d65131e1efc8060ff04d1852e3415fc0a341c6a9691ef9f4cf4dd29d2f6d0032a49f2ba4bd36c35b3f472f0ce5f78f4bb139124760e92

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
0ff7e1af4cc86e108eef582452b35523

SHA1
c2ccf2811d56c3a3a58dced2b07f95076c6b5b96

SHA256
62ed8ef2250f9f744852cb67df0286c80f94e26aed646989b76e5b78f2f1f0d0

SHA512
374675fd36cd8bc38acaec44d4cc855b85feece548d99616496d498e61e943fd695fec7c57550a58a32455e8b21b41bafa18cd1dadac69676fff1de1a56da937

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
d8b9a260789a22d72263ef3bb119108c

SHA1
376a9bd48726f422679f2cd65003442c0b6f6dd5

SHA256
d69d47e428298f194850d14c3ce375e7926128a0bfb62c1e75940ab206f8fddc

SHA512
550314fab1e363851a7543c989996a440d95f7c9db9695cce5abaad64523f377f48790aa091d66368f50f941179440b1fa94448289ee514d5b5a2f4fe6225e9b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
a6c9d692ed2826ecb12c09356e69cc09

SHA1
def728a6138cf083d8a7c61337f3c9dade41a37f

SHA256
a07d329eb9b4105ba442c89f7cfa0d7b263f9f0617e26df93cf8cdc8dc94d57b

SHA512
2f27d2b241ce34f988c39e17ca5a1ebe628ac6c1b8ee8df121db9ad8929eaadf5f24ad66457591cccf87e60d2ba2eab88af860ab9c323a5c2a9867045d6e7ba3

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_inqhlqjd.1gr.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\chocolatey\chocoInstall\chocolatey.zip

Filesize
5.2MB

MD5
06b6cb82e38991c8c4559f0b1b611934

SHA1
dc6807f8346f9874959944ed4651b0f5b4e4ea9d

SHA256
f0792952193b606c4989288e67272eceaa2378ee429ccd0660128018435e6112

SHA512
45ec7b30be372cf53502e655c6765908100a518403e2291ce62958353490bde91cf3281b4ae2c776d4e185fa370008367046865eff9d9a156fcd153c915369be

Download Submit
C:\Users\Admin\AppData\Local\Temp\chocolatey\chocoInstall\tools\chocolateyInstall\CREDITS.txt

Filesize
54KB

MD5
f83cad2fd60c8481cc758247cd3cdba7

SHA1
51ceb9559258dd0fa7472d4398858f79ef92377c

SHA256
869c97ce5da39cd5a8e022ff8d699ae0d0475da92a86785ac272ea56d11e7dbe

SHA512
41d46143f4ddbf68e0331b9eb1ffefd9efac6fb32fdc216eedda47da441313fe8f4f36b5667701f4d4dc3222c7f3b921f7a3aa9dc09d22a3893d9465ee0123df

Download Submit
C:\Users\Admin\AppData\Local\Temp\chocolatey\chocoInstall\tools\chocolateyInstall\LICENSE.txt

Filesize
670B

MD5
b4ecfc2ff4822ce40435ada0a02d4ec5

SHA1
8aaf3f290d08011ade263f8a3ab4fe08ecde2b64

SHA256
a42ac97c0186e34bdc5f5a7d87d00a424754592f0ec80b522a872d630c1e870a

SHA512
eafac709be29d5730cb4ecd16e1c9c281f399492c183d05cc5093d3853cda7570e6b9385fbc80a40ff960b5a53dae6ae1f01fc218e60234f7adced6dccbd6a43

Download Submit
C:\Users\Admin\AppData\Local\Temp\chocolatey\chocoInstall\tools\chocolateyInstall\choco.exe.manifest

Filesize
2KB

MD5
1b3ed984f60915f976b02be949e212cb

SHA1
30bccfed65aef852a8f8563387eb14b740fd0aa3

SHA256
d715d6071e5cdd6447d46ed8e903b9b3ad5952acc7394ee17593d87a546c17fc

SHA512
3ec5b3b09ef73992eabc118b07c457eb2ca43ce733147fd2e14cccde138f220aee8cb3d525c832a20611edb332710b32a2fc151f3075e2020d8fd1606007c000

Download Submit
C:\Users\Admin\AppData\Local\Temp\chocolatey\chocoInstall\tools\chocolateyInstall\helpers\Chocolatey.PowerShell.dll

Filesize
31KB

MD5
1f8e03373a87f79645d3d7afa39489a5

SHA1
2c4209f3fa7efe647f6a55ed7d0d2a6d5f3691e2

SHA256
b1e699256807b960735d9950422415e305a727f5189be85aad3cb2a88c0cea1e

SHA512
2f564bde6fabd2a9e20306aae1c28ad54f0699be377b8be5d345b4251551d5891c1bb1351c2066e2937ca406d9850435c21682f538ed43a6a661ab9f10600fbb

Download Submit
C:\Users\Admin\AppData\Local\Temp\chocolatey\chocoInstall\tools\chocolateyInstall\helpers\Chocolatey.PowerShell.dll-help.xml

Filesize
58KB

MD5
4aea8ae4fce73819e9ed3f0d1ddcce15

SHA1
9929df74840ed8bba92cc143856e6bade4e74706

SHA256
dae3916c3cbab1e4fc6ec9afb052d878dfb6df4430b1cd7db2fee836f9fc0dae

SHA512
5dda75da0f69a45203144ab596a3234dc0db4b713d7460aef2ff0ffa541bf0aa6a2f0fee2028755a5662d5d9c76e5101e3a181a540340cc3028498aaf93442c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\chocolatey\chocoInstall\tools\chocolateyInstall\helpers\ChocolateyTabExpansion.ps1

Filesize
30KB

MD5
e9560a5db604a37892506434cad8da5a

SHA1
764dc0254f2fb547ae0700056d0f21edbd26cdd5

SHA256
58528e116d09a434872a38eb3b9dd125216fa29a493b795f49cb49a4c8bf2e0a

SHA512
ab839d9f681c45ae5dac4274de0981f7a90e33e47a6b0b1925aac9f49bae022e88283dc65e7a7de6b3a02edc28ec0cfeb63ecc8dcab2e7dfd8950f49ab695631

Download Submit
C:\Users\Admin\AppData\Local\Temp\chocolatey\chocoInstall\tools\chocolateyInstall\helpers\chocolateyProfile.psm1

Filesize
15KB

MD5
0637a9e7b868959a070b0cf2693178c1

SHA1
271a52fa8d36e93e9f36ff8b454243ea106a680e

SHA256
ed69cde7544efe46ecbc66b10edc55140e49cd2fa17f5ccf0e214d769e3cad2b

SHA512
7c8067f7fc9e09ca36cd098c10fb52dc3b33be053d70c1666f418307adab85e4226ceaf15b893a7f9d37c832ed55bf0ae586390d676dba873ed2ec0b900d1bbe

Download Submit
C:\Users\Admin\AppData\Local\Temp\chocolatey\chocoInstall\tools\chocolateyInstall\helpers\chocolateyScriptRunner.ps1

Filesize
17KB

MD5
0870ae75b1d8f0823ad8bb05bbdc90df

SHA1
9f6a23ac198321235d3d0b1ef1547863fe7c680d

SHA256
859cfa5d9dc747a5bc5651331977beef2177cf8335a24a8f0a26d7965fd66944

SHA512
3bae1a9c7a7610ec86c5187de2ccffd295bd0d054a86000fe76a5d375842b98806a6d4f227dda5b0ab289b6365d664a2c3e55891add3e5cdc22efb75a410894e

Download Submit
C:\Users\Admin\AppData\Local\Temp\chocolatey\chocoInstall\tools\chocolateyInstall\redirects\RefreshEnv.cmd

Filesize
4KB

MD5
cc04b34e013e08cc6f4e0c66969c5295

SHA1
a33f1cb08b56828e3b742ee13cf789442dd5c12f

SHA256
8b6b1d8f6bfab3dc9fbee30d6b2f3093ea3eccd5c66e57161dbe1b8f703fa74c

SHA512
b485af21fcbb699d783e64e035595be7a117a1d6af62166c6d50ebd59ed8953141444f17f3bd07a865c9dd11aa7c75d5a4f2bdfb8b739a1668d055779f0d0c10

Download Submit
C:\Users\Admin\AppData\Local\Temp\chocolatey\chocoInstall\tools\chocolateyInstall\redirects\choco.exe

Filesize
143KB

MD5
1bd9360b3a8f5f981a3b445bc1cd22d3

SHA1
b50211b0180060a59eb8d997199052bf6c2311e5

SHA256
a4748bf9b22da77a21e0b3748ccc4a7a042a6c672f1235503611c66442469ffc

SHA512
a70608ef546129a619b52a733d585a474d2c92498a72eec767f09a53198dd33f7d73d5b2a74963892d7a1ca3b25fa806b89129c776f1c6e0b701e5331e81f962

Download Submit
C:\Users\Admin\AppData\Local\Temp\chocolatey\chocoInstall\tools\chocolateyInstall\redirects\choco.exe.ignore

Filesize
2B

MD5
81051bcc2cf1bedf378224b0a93e2877

SHA1
ba8ab5a0280b953aa97435ff8946cbcbb2755a27

SHA256
7eb70257593da06f682a3ddda54a9d260d4fc514f645237f5ca74b08f8da61a6

SHA512
1b302a2f1e624a5fb5ad94ddc4e5f8bfd74d26fa37512d0e5face303d8c40eee0d0ffa3649f5da43f439914d128166cb6c4774a7caa3b174d7535451eb697b5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\chocolatey\chocoInstall\tools\chocolateyInstall\tools\7z.dll

Filesize
1.2MB

MD5
a1a9b229e66a8a6a66588f170029a9e7

SHA1
eb4f3e3cd35a55e8f064512802e72b06d5ebc7d9

SHA256
07f88bae90a4c49e200981445d78683c5ef21ef71bb6927fa7cfd59bca431e80

SHA512
c647dba0743a177c4efe01cf321d66669c89fbc5d8f448c33199e6506244da8b69a512c7319c6fe33efd2d43544171b612e7b094ab7e68def7004faa972580fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\chocolatey\chocoInstall\tools\chocolateyInstall\tools\7z.dll.manifest

Filesize
513B

MD5
8f89387331c12b55eaa26e5188d9e2ff

SHA1
537fdd4f1018ce8d08a3d151ad07b55d96e94dd2

SHA256
6b7368ce5e38f6e0ee03ca0a9d1a2322cc0afc07e8de9dcc94e156853eae5033

SHA512
04c10ae52f85d3a27d4b05b3d1427ddc2afaccfe94ed228f8f6ae4447fd2465d102f2dd95caf1b617f8c76cb4243716469d1da3dac3292854acd4a63ce0fd239

Download Submit
C:\Users\Admin\AppData\Local\Temp\chocolatey\chocoInstall\tools\chocolateyInstall\tools\7z.exe

Filesize
339KB

MD5
96b85d45cfe551f87e5f141ee18bf82e

SHA1
3b21a8ec46a782bf407174fe6f328ec4649fb779

SHA256
8b9f09e2bcaac9166a0f87525864f29c868f2cb8b779ca6d3d63b93b388d5c89

SHA512
24e9de5502929d9104411e7f465327998a8b997de46670db6a8f009755576b93d93e90f6bc08fd7406c9e37859e24b54227dac610ddddde152073aca0e5924ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\chocolatey\chocoInstall\tools\chocolateyInstall\tools\7zip.license.txt

Filesize
3KB

MD5
f4995e1bc415b0d91044673cd10a0379

SHA1
f2eec05948e9cf7d1b00515a69c6f63bf69e9cca

SHA256
f037e7689f86a12a3f5f836dc73004547c089e4a2017687e5e0b803a19e3888b

SHA512
e7bb1bacab6925978416e3da2acb32543b16b4f0f2289cc896194598ee9ade5c62aa746c51cf6bf4568e77e96c0a1014e4ddb968f18f95178ee8dfb1e5a72b96

Download Submit
C:\Users\Admin\AppData\Local\Temp\chocolatey\chocoInstall\tools\chocolateyInstall\tools\checksum.exe

Filesize
38KB

MD5
d064de30ba9cced9f31bea6f2b11c06c

SHA1
4473898bc847590624f929f282376b87ebeaf53b

SHA256
6674288a105adcfbe0413689a690d4fd917f926f49c0b7b00b94b7b7eb2badb3

SHA512
8bd442a25f2dde4e79aaa525896a715ed556cbe68bdb3faeaecbbd5a7977b6dbe5416f1bdc8124551760176786323b4a28c8b40ce7448146c23ca097ab9f2c73

Download Submit
C:\Users\Admin\AppData\Local\Temp\chocolatey\chocoInstall\tools\chocolateyInstall\tools\checksum.exe.config

Filesize
150B

MD5
e9ad5dd7b32c44f8a241de0e883d7733

SHA1
034c69b120c514ad9ed83c7bad32624560e4b464

SHA256
9b250c32cbec90d2a61cb90055ac825d7a5f9a5923209cfd0625fca09a908d0a

SHA512
bf5a6c477dc5dfeb85ca82d2aed72bd72ed990bedcaf477af0e8cad9cdf3cfbebddc19fa69a054a65bc1ae55aaf8819abcd9624a18a03310a20c80c116c99cc4

Download Submit
C:\Users\Admin\AppData\Local\Temp\chocolatey\chocoInstall\tools\chocolateyInstall\tools\checksum.license.txt

Filesize
95B

MD5
a10b78183254da1214dd51a5ace74bc0

SHA1
5c9206f667d319e54de8c9743a211d0e202f5311

SHA256
29472b6be2f4e7134f09cc2fadf088cb87089853b383ca4af29c19cc8dfc1a62

SHA512
cae9f800da290386de37bb779909561b4ea4cc5042809e85236d029d9125b3a30f6981bc6b3c80b998f727c48eb322a8ad7f3b5fb36ea3f8c8dd717d4e8be55e

Download Submit
C:\Users\Admin\AppData\Local\Temp\chocolatey\chocoInstall\tools\chocolateyInstall\tools\shimgen.exe

Filesize
555KB

MD5
ee77f1a8c714642a9e52fe245667774f

SHA1
49535947065360b7fd6dae1bcf37409a01018fcb

SHA256
858669c2958b61e95fac3c82959f1888e769b21a93604ea9b14b7d73c2a16fc8

SHA512
9067ccb78bdc25e344a09e2f201430f9a761b748b610046528af8655935ca831009cfc4dc6b28376075a401e45bfe41742ac0e673ee0fd75cc3c5784420892a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\chocolatey\chocoInstall\tools\chocolateyInstall\tools\shimgen.license.txt

Filesize
3KB

MD5
89ac7c94d1013f7b3e32215a3db41731

SHA1
1511376e8a74a28d15bb62a75713754e650c8a8d

SHA256
d4d2ef2c520ec3e4ecff52c867ebd28e357900e0328bb4173cb46996ded353f4

SHA512
9ba2b0029e84de81ffef19b4b17a6d29ee652049bb3152372f504a06121a944ac1a2b1b57c6b0447979d5de9a931186fef9bd0667d5358d3c9cb29b817533792

Download Submit
C:\Windows\LOGS\DPX\setupact.log

Filesize
168KB

MD5
6295adada50c7bd12469950fb153170a

SHA1
29935eec6c746a8894635ae7a61d3ae0f57907b1

SHA256
d529287d4dc233b6383311a89b185c8b7140045a5b2a6a56fba8dbc8445251b7

SHA512
3f4c300ee893dcd45cd223d3b77cd39fd835230ace546718f9a6b77e6ffdfbe43cfa5c91cf5eeb7d9ec4810b8c6bbe0fa02912638ee8b71006e21f22e2b579f4

Download Submit
C:\Windows\LOGS\DPX\setupact.log

Filesize
169KB

MD5
085eacaf521010da952667a1fe32bc25

SHA1
80b8aa72f31f37a6bda3c956b6af77495a4d79e6

SHA256
693cf87d872a19326f5e9f7168856f7d486843ea2f8821ce9da8bdfca5ddbcd1

SHA512
0e4343b5b066ff2577e8c09932017785c9e49164c3fce81b99b53d435e31ccb82ac76882214d14bd85b34f1f7d8a71273fa165135ae91accda772fcb44fd3c64

Download Submit
C:\Windows\LOGS\DPX\setupact.log

Filesize
170KB

MD5
8e5d6a5b2a78fb1b2084b3c3de33ee5b

SHA1
da06c43f24e509e1a86618fd0063a5c4ebad18ab

SHA256
86355eb0662b54da1ef7f784b3275355fc8cb30f2c6493d5a78fdf88843a9e46

SHA512
c834baa8b45061f8888187ba70238e706112900f4d5145af1334434af9e1969ac96a7699e88e1d9928d42308b693ad159e446c3407f7d128410ba9a771286306

Download Submit
C:\Windows\LOGS\DPX\setupact.log

Filesize
171KB

MD5
002ffd1e8a26f22a6e1bb32b6bb0a3b5

SHA1
148a632de67840da31b2d95c657edcc056bc42b3

SHA256
a204dd11687b1e373978fe1b1708be3f5ae2aac3a1ab405db8a6db807ca0546b

SHA512
04d95e484e9d30214e47c289ea08c081f281f41e8c51ad90deb310cddf5626c472c4c133ee3c77526cfe2c87ed79fdb343fde3bfb464a3a8ac0a1e7812fcf3df

Download Submit
C:\Windows\LOGS\DPX\setupact.log

Filesize
172KB

MD5
12e87b24460d39ec4f49fa3e02a7257f

SHA1
83ad832c1fed06500c82f0ca4f7c03761c0befc0

SHA256
31e4e91dcffb04e55eeff0ea329b8a7fa2170eb8fb777f09470bc80d0a97e144

SHA512
239f3c993ab8f4d8811183f406d2783f16e44cfb059458d49bfbe7e6ae9c8e60aecbb40ce9456ff25a8842bb8ba07cc52a45c7b49f23c9f809cee75796b8bc24

Download Submit
C:\Windows\LOGS\DPX\setupact.log

Filesize
173KB

MD5
9c45d1d0bb549c579b5d02beab19cc9c

SHA1
9402543dca1fbc3f6c867fa561649a3be3364f9b

SHA256
61356c16f99ff826a9a4578667fdefcdc3e4426da9934f9bfccc6d0be4acb539

SHA512
dda451ad77c35df5e022b4c5a5444a6dd2206653e693e6b7392e3be05cbc1ece2b0f10822fc1818af3380b6b6cd6103a5989c1b5e9732c732c5f89e3263d4f5d

Download Submit
C:\Windows\LOGS\DPX\setupact.log

Filesize
174KB

MD5
3e849c8325ba498474e00be7d42d5aa3

SHA1
09f7957c1d20b086b74b41a443f1e4f1ab8cde81

SHA256
fc4a2ed865b0d59f84c027064996988314cb9beb208e9f2db2fac8a04c0045d3

SHA512
0b207b57fb9572f2902fc1359a8b1cf577413c83d1df0b8bf0f39efa7563c8d499c4f0cc13989fe1b099672fdd4d82d2a02e45d820b6b7763964ce4bb82d7955

Download Submit
C:\Windows\LOGS\DPX\setupact.log

Filesize
174KB

MD5
a7b285303e44e1eb19988ac26010d286

SHA1
b7258cd30f61342cdd2d28ea79b51aab4920098a

SHA256
89787978a2a4a61c8ea685783ba9d90017cc4aece9e21767c58ee18fbd7daa14

SHA512
fddc42771396227c0ed8b64425d74472de8c577f7d480fa1c6eb7cc734590924c5e85bdbeb958cae3f72a070ee36bbdfcfb3fc2fde028dc405a53e8f650a2e3c

Download Submit
C:\Windows\LOGS\DPX\setupact.log

Filesize
176KB

MD5
b394fec798051fa6a4b67d5881e0a45d

SHA1
6bd65f8314b0a57b3d7b0ae211713aaef41f8e2f

SHA256
04cafb47068861d03daebe748d519e20cb7fe99257b4448ce0648cf0f3a3a236

SHA512
1785bd71a5effbe848ce11c7cc7a90b4bfcf9988dc26a3448faa767a5223fb220e0bf5e6fe043fa8c12f789dc4759b5163c9421c9522606ae1926c2c3122ed98

Download Submit
C:\Windows\LOGS\DPX\setupact.log

Filesize
177KB

MD5
e956873592f876d174602e1defdb80a0

SHA1
ad68a230d4cc87bdd8a964327151f486176c7e75

SHA256
854c6914f1d5d77ea16926c09cb61e6409c43bee17317a3ebf0a9e28d497cd3c

SHA512
d172c83cf4bb1bb8fefdedafa167438c12987d13ab80f08ff734928d604b8f20c07910f2c1cf92ce222f25d90f651a8ce99d3663d39fcc7f9fd9c5bc4b8d5f48

Download Submit
C:\Windows\LOGS\DPX\setupact.log

Filesize
178KB

MD5
47e5c72cc0fe70b03ce8a30466cbf9c2

SHA1
dbe656175ff0dde64f192c70dcd04770ebb3b430

SHA256
06f10cc0351552a8c4946ab0f86870fd50428ea980ead8ce6b61d5ab00332817

SHA512
7afc27231f7fe307fbb9f966434274dfbcdece78dd680ee25110bc33346a2c7c247f84acc4a68a963065340a4d1502eaba29237a6b39c01c18221b5032d2d550

Download Submit
C:\Windows\LOGS\DPX\setupact.log

Filesize
179KB

MD5
c095f99c232ff40082987d61175c57fa

SHA1
c2b4137f8b5d164319f4c26db89086daaf1b1dfc

SHA256
34e829059bf23b7e505d8db445442e06e652d0b9494b1e3fa8de7802b7c6ac49

SHA512
f8a283aa0317c386f482542258157d7e57011bb1fed343953771e2b9e77113b8c5d109302b1a9e9ee2a5932badd9c81d36afb3916d25750e1304ded47761518b

Download Submit
C:\Windows\LOGS\DPX\setupact.log

Filesize
180KB

MD5
3af8c2dee7f30b83e5b91148f7e7438b

SHA1
806ba9d4f8b415e0f968a113bf5a2fc33041bcc5

SHA256
6fbc97b5bd57b1280c0ad89dfad5edcb9e1af1c5adab4f6874c8adc355cc7c44

SHA512
f1d11d49cdf2a48be63512ea5dd4112bd449005d5d5ddba414fceb1023603a235f7a94a107d667d8de6c45beb2a5618b9f0e938f62cbb7bee26e370ad5cf38bf

Download Submit
C:\Windows\LOGS\DPX\setupact.log

Filesize
181KB

MD5
19f63d9f9ac751faa5178aa60e3aba8e

SHA1
5ccc5ec7baa2fe0599ef65d62a586e34847c1622

SHA256
1115af43314f078f5b993fbe826271185607daa1d9528742a84f94ec9ec1560a

SHA512
c4e9c539b24196389f125409864c245f51e035d4cc49045fed4595445363249fa9d4d20791f0507a188382701898de334cee7d9e074a2ff32c53968e24217e12

Download Submit
C:\Windows\LOGS\DPX\setupact.log

Filesize
181KB

MD5
a59526feb72d483680ba658b30e546b1

SHA1
8a5f66c954a319597f92fbcd912c13a6f1a23d44

SHA256
d00b38e2b786fbdaca73480f63e44c1859e06c0afc59076134aa3843779d0e81

SHA512
509157f004fc0a0e083663a06e75731feb29bc44b38cdf986770fa4fae322e150178d359f7b5dc3a0c91dfe2dd068ec1be8558eb7794064a1140b4fd62a5124a

Download Submit
C:\Windows\LOGS\DPX\setupact.log

Filesize
182KB

MD5
566646cd185ad0cac15762a123b0c752

SHA1
873804ecc16be18f1131bf9e373cece9aa1dca07

SHA256
ff3e87171830c27553cbbc8c9bdf5eecce3901c35d871d85e2b5f9f32e955567

SHA512
2f134d7e1a4382deca08938ca72bd8d741c3b2ec13cc6bf18a88997d30c81aea43201fc93a7495007de19d277891f4dbe600f33a00bb2e80a1cd79f9be7b89c7

Download Submit
memory/3176-468-0x000001A97A4D0000-0x000001A97A546000-memory.dmp

Filesize
472KB

Download
memory/3176-431-0x000001A97A240000-0x000001A97A290000-memory.dmp

Filesize
320KB

Download
memory/3176-469-0x000001A977920000-0x000001A97793E000-memory.dmp

Filesize
120KB

Download
memory/3176-418-0x000001A9768C0000-0x000001A9773D2000-memory.dmp

Filesize
11.1MB

Download
memory/5040-13-0x00000291CE0B0000-0x00000291CE0BA000-memory.dmp

Filesize
40KB

Download
memory/5040-186-0x00000291CE0F0000-0x00000291CE0FC000-memory.dmp

Filesize
48KB

Download
memory/5040-12-0x00000291CE0D0000-0x00000291CE0E2000-memory.dmp

Filesize
72KB

Download
memory/5040-1-0x00000291B5B30000-0x00000291B5B52000-memory.dmp

Filesize
136KB

Download