Analysis

  • max time kernel
    52s
  • max time network
    135s
  • platform
    windows10_x64
  • resource
    win10v20210408
  • submitted
    18-04-2021 18:11

General

  • Target

    09F2B5D6519152493E6E5DE0DC3491C4.exe

  • Size

    23KB

  • MD5

    09f2b5d6519152493e6e5de0dc3491c4

  • SHA1

    2ac089761acab44a257648842595e5104fbeff4d

  • SHA256

    c7ce97bf28191b9f81871421f7f6fea0c86fca516d3e8706e16c0f07e9e7ed5b

  • SHA512

    80ddd54e72f9a941457c99dd91e2fe13151aa498ab9fcf80fa957cdfb5b0954e2002b56ba2f4885828c5de574aa437dbd73efccdd3232d707f8b581de3c592f1

Score
10/10

Signatures

  • Turns off Windows Defender SpyNet reporting 2 TTPs
  • Windows security bypass 2 TTPs
  • Nirsoft 6 IoCs
  • Executes dropped EXE 5 IoCs
  • Drops startup file 2 IoCs
  • Windows security modification 2 TTPs 12 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 1 IoCs
  • Delays execution with timeout.exe 2 IoCs
  • Modifies system certificate store 2 TTPs 4 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 43 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\09F2B5D6519152493E6E5DE0DC3491C4.exe
    "C:\Users\Admin\AppData\Local\Temp\09F2B5D6519152493E6E5DE0DC3491C4.exe"
    1⤵
    • Drops startup file
    • Windows security modification
    • Drops file in Windows directory
    • Modifies system certificate store
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:636
    • C:\Users\Admin\AppData\Local\Temp\9b12884d-98a4-46e5-b4ac-2abd4dc20bc7\AdvancedRun.exe
      "C:\Users\Admin\AppData\Local\Temp\9b12884d-98a4-46e5-b4ac-2abd4dc20bc7\AdvancedRun.exe" /EXEFilename "C:\Users\Admin\AppData\Local\Temp\9b12884d-98a4-46e5-b4ac-2abd4dc20bc7\test.bat" /WindowState ""0"" /PriorityClass ""32"" /CommandLine "" /StartDirectory "" /RunAs 8 /Run
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1352
      • C:\Users\Admin\AppData\Local\Temp\9b12884d-98a4-46e5-b4ac-2abd4dc20bc7\AdvancedRun.exe
        "C:\Users\Admin\AppData\Local\Temp\9b12884d-98a4-46e5-b4ac-2abd4dc20bc7\AdvancedRun.exe" /SpecialRun 4101d8 1352
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:684
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\09F2B5D6519152493E6E5DE0DC3491C4.exe" -Force
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3232
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\09F2B5D6519152493E6E5DE0DC3491C4.exe" -Force
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3740
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\QmAyWAfgogMbxkGYgcBqylUnYqTrR.exe" -Force
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3144
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\QmAyWAfgogMbxkGYgcBqylUnYqTrR.exe" -Force
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1860
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\09F2B5D6519152493E6E5DE0DC3491C4.exe" -Force
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3452
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\QmAyWAfgogMbxkGYgcBqylUnYqTrR.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\QmAyWAfgogMbxkGYgcBqylUnYqTrR.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:684
      • C:\Users\Admin\AppData\Local\Temp\f292d7e6-3a26-4dbc-b572-8f55f38d9ef0\AdvancedRun.exe
        "C:\Users\Admin\AppData\Local\Temp\f292d7e6-3a26-4dbc-b572-8f55f38d9ef0\AdvancedRun.exe" /EXEFilename "C:\Users\Admin\AppData\Local\Temp\f292d7e6-3a26-4dbc-b572-8f55f38d9ef0\test.bat" /WindowState ""0"" /PriorityClass ""32"" /CommandLine "" /StartDirectory "" /RunAs 8 /Run
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:4904
        • C:\Users\Admin\AppData\Local\Temp\f292d7e6-3a26-4dbc-b572-8f55f38d9ef0\AdvancedRun.exe
          "C:\Users\Admin\AppData\Local\Temp\f292d7e6-3a26-4dbc-b572-8f55f38d9ef0\AdvancedRun.exe" /SpecialRun 4101d8 4904
          4⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:4972
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\QmAyWAfgogMbxkGYgcBqylUnYqTrR.exe" -Force
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:4752
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\QmAyWAfgogMbxkGYgcBqylUnYqTrR.exe" -Force
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:4988
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Cursors\EnMRfEhjpWSzDjOeix\svchost.exe" -Force
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:5100
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\QmAyWAfgogMbxkGYgcBqylUnYqTrR.exe" -Force
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:4832
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Cursors\EnMRfEhjpWSzDjOeix\svchost.exe" -Force
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:1336
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Cursors\EnMRfEhjpWSzDjOeix\svchost.exe" -Force
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:5148
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\QmAyWAfgogMbxkGYgcBqylUnYqTrR.exe" -Force
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:3796
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Cursors\EnMRfEhjpWSzDjOeix\svchost.exe" -Force
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:5380
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Cursors\EnMRfEhjpWSzDjOeix\svchost.exe" -Force
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:6376
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\QmAyWAfgogMbxkGYgcBqylUnYqTrR.exe" -Force
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:6416
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Cursors\EnMRfEhjpWSzDjOeix\svchost.exe" -Force
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:6472
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Cursors\EnMRfEhjpWSzDjOeix\svchost.exe" -Force
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:5916
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\QmAyWAfgogMbxkGYgcBqylUnYqTrR.exe" -Force
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:6452
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Cursors\EnMRfEhjpWSzDjOeix\svchost.exe" -Force
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:6428
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Cursors\EnMRfEhjpWSzDjOeix\svchost.exe" -Force
        3⤵
        PID:7268
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\QmAyWAfgogMbxkGYgcBqylUnYqTrR.exe" -Force
        3⤵
        PID:7360
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Cursors\EnMRfEhjpWSzDjOeix\svchost.exe" -Force
        3⤵
        PID:7456
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Cursors\EnMRfEhjpWSzDjOeix\svchost.exe" -Force
        3⤵
        PID:7188
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\QmAyWAfgogMbxkGYgcBqylUnYqTrR.exe" -Force
        3⤵
        PID:7196
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Cursors\EnMRfEhjpWSzDjOeix\svchost.exe" -Force
        3⤵
        PID:7744
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Cursors\EnMRfEhjpWSzDjOeix\svchost.exe" -Force
        3⤵
        PID:8472
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Cursors\EnMRfEhjpWSzDjOeix\svchost.exe" -Force
        3⤵
        PID:8612
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\QmAyWAfgogMbxkGYgcBqylUnYqTrR.exe" -Force
        3⤵
        PID:8544
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Cursors\EnMRfEhjpWSzDjOeix\svchost.exe" -Force
        3⤵
        PID:8968
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\QmAyWAfgogMbxkGYgcBqylUnYqTrR.exe" -Force
        3⤵
        PID:9144
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Cursors\EnMRfEhjpWSzDjOeix\svchost.exe" -Force
        3⤵
        PID:8992
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Cursors\EnMRfEhjpWSzDjOeix\svchost.exe" -Force
        3⤵
        PID:9668
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\QmAyWAfgogMbxkGYgcBqylUnYqTrR.exe" -Force
        3⤵
        PID:9748
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Cursors\EnMRfEhjpWSzDjOeix\svchost.exe" -Force
        3⤵
        PID:9832
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Cursors\EnMRfEhjpWSzDjOeix\svchost.exe" -Force
        3⤵
        PID:9824
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\QmAyWAfgogMbxkGYgcBqylUnYqTrR.exe" -Force
        3⤵
        PID:9600
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Cursors\EnMRfEhjpWSzDjOeix\svchost.exe" -Force
        3⤵
        PID:10036
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /c timeout 1
        3⤵
        PID:4208
        • C:\Windows\SysWOW64\timeout.exe
          timeout 1
          4⤵
          • Delays execution with timeout.exe
          PID:10352
      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\QmAyWAfgogMbxkGYgcBqylUnYqTrR.exe
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\QmAyWAfgogMbxkGYgcBqylUnYqTrR.exe"
        3⤵
        PID:10488
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Cursors\EnMRfEhjpWSzDjOeix\svchost.exe" -Force
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4112
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\09F2B5D6519152493E6E5DE0DC3491C4.exe" -Force
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4232
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Cursors\EnMRfEhjpWSzDjOeix\svchost.exe" -Force
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4372
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Cursors\EnMRfEhjpWSzDjOeix\svchost.exe" -Force
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:5052
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\09F2B5D6519152493E6E5DE0DC3491C4.exe" -Force
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:5092
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Cursors\EnMRfEhjpWSzDjOeix\svchost.exe" -Force
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4160
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Cursors\EnMRfEhjpWSzDjOeix\svchost.exe" -Force
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:5628
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\09F2B5D6519152493E6E5DE0DC3491C4.exe" -Force
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:5668
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Cursors\EnMRfEhjpWSzDjOeix\svchost.exe" -Force
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:5748
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Cursors\EnMRfEhjpWSzDjOeix\svchost.exe" -Force
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:6100
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\09F2B5D6519152493E6E5DE0DC3491C4.exe" -Force
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:5960
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Cursors\EnMRfEhjpWSzDjOeix\svchost.exe" -Force
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:6040
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Cursors\EnMRfEhjpWSzDjOeix\svchost.exe" -Force
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:6820
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\09F2B5D6519152493E6E5DE0DC3491C4.exe" -Force
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:6864
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Cursors\EnMRfEhjpWSzDjOeix\svchost.exe" -Force
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:6924
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Cursors\EnMRfEhjpWSzDjOeix\svchost.exe" -Force
      2⤵
      PID:7240
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\09F2B5D6519152493E6E5DE0DC3491C4.exe" -Force
      2⤵
      PID:7312
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Cursors\EnMRfEhjpWSzDjOeix\svchost.exe" -Force
      2⤵
      PID:7392
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\09F2B5D6519152493E6E5DE0DC3491C4.exe" -Force
      2⤵
      PID:7184
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Cursors\EnMRfEhjpWSzDjOeix\svchost.exe" -Force
      2⤵
      PID:7920
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Cursors\EnMRfEhjpWSzDjOeix\svchost.exe" -Force
      2⤵
      PID:5320
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Cursors\EnMRfEhjpWSzDjOeix\svchost.exe" -Force
      2⤵
      PID:8860
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\09F2B5D6519152493E6E5DE0DC3491C4.exe" -Force
      2⤵
      PID:8908
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Cursors\EnMRfEhjpWSzDjOeix\svchost.exe" -Force
      2⤵
      PID:8960
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Cursors\EnMRfEhjpWSzDjOeix\svchost.exe" -Force
      2⤵
      PID:8356
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\09F2B5D6519152493E6E5DE0DC3491C4.exe" -Force
      2⤵
      PID:3756
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Cursors\EnMRfEhjpWSzDjOeix\svchost.exe" -Force
      2⤵
      PID:1992
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Cursors\EnMRfEhjpWSzDjOeix\svchost.exe" -Force
      2⤵
      PID:9636
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\09F2B5D6519152493E6E5DE0DC3491C4.exe" -Force
      2⤵
      PID:9708
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Cursors\EnMRfEhjpWSzDjOeix\svchost.exe" -Force
      2⤵
      PID:9788
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c timeout 1
      2⤵
      PID:9508
      • C:\Windows\SysWOW64\timeout.exe
        timeout 1
        3⤵
        • Delays execution with timeout.exe
        PID:9444
    • C:\Users\Admin\AppData\Local\Temp\09F2B5D6519152493E6E5DE0DC3491C4.exe
      "C:\Users\Admin\AppData\Local\Temp\09F2B5D6519152493E6E5DE0DC3491C4.exe"
      2⤵
      PID:9436
                                                                              • C:\Users\Admin\AppData\Local\Temp\09F2B5D6519152493E6E5DE0DC3491C4.exe
                                                                                "C:\Users\Admin\AppData\Local\Temp\09F2B5D6519152493E6E5DE0DC3491C4.exe"
                                                                                2⤵
                                                                                  PID:8600
                                                                                • C:\Users\Admin\AppData\Local\Temp\09F2B5D6519152493E6E5DE0DC3491C4.exe
                                                                                  "C:\Users\Admin\AppData\Local\Temp\09F2B5D6519152493E6E5DE0DC3491C4.exe"
                                                                                  2⤵
                                                                                    PID:8556
                                                                                  • C:\Windows\SysWOW64\WerFault.exe
                                                                                    C:\Windows\SysWOW64\WerFault.exe -u -p 636 -s 3324
                                                                                    2⤵
                                                                                    • Program crash
                                                                                    PID:10308

                                                                                Network

                                                                                MITRE ATT&CK Matrix ATT&CK v6

                                                                                Defense Evasion

                                                                                • Disabling Security Tools (T1089): 3
                                                                                • Modify Registry (T1112): 4
                                                                                • Install Root Certificate (T1130): 1

                                                                                Discovery

                                                                                • System Information Discovery (T1082): 1

                                                                                Downloads

                                                                                • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
                                                                                  MD5

                                                                                  fbb8f89b428393287ff4a30424a0b6dd

                                                                                  SHA1

                                                                                  22ce47d0d3b9990e2de45dab63536954d12abc18

                                                                                  SHA256

                                                                                  5dc2950743d5773246c189ac2318b714d91fdfd899e9e2bc8b7f472e2c84838f

                                                                                  SHA512

                                                                                  cc707a1b5cf24b07bbe92572658f97b0490b2e1d082109806d11b61bc359e3ad0ef9de536a9e62f9ae1240e8f26f0320d96dabfcc14f2fd3923740007e83f2ab

                                                                                • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
                                                                                  MD5

                                                                                  fbb8f89b428393287ff4a30424a0b6dd

                                                                                  SHA1

                                                                                  22ce47d0d3b9990e2de45dab63536954d12abc18

                                                                                  SHA256

                                                                                  5dc2950743d5773246c189ac2318b714d91fdfd899e9e2bc8b7f472e2c84838f

                                                                                  SHA512

                                                                                  cc707a1b5cf24b07bbe92572658f97b0490b2e1d082109806d11b61bc359e3ad0ef9de536a9e62f9ae1240e8f26f0320d96dabfcc14f2fd3923740007e83f2ab

                                                                                • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
                                                                                  MD5

                                                                                  fbb8f89b428393287ff4a30424a0b6dd

                                                                                  SHA1

                                                                                  22ce47d0d3b9990e2de45dab63536954d12abc18

                                                                                  SHA256

                                                                                  5dc2950743d5773246c189ac2318b714d91fdfd899e9e2bc8b7f472e2c84838f

                                                                                  SHA512

                                                                                  cc707a1b5cf24b07bbe92572658f97b0490b2e1d082109806d11b61bc359e3ad0ef9de536a9e62f9ae1240e8f26f0320d96dabfcc14f2fd3923740007e83f2ab

                                                                                • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
                                                                                  MD5

                                                                                  416345a2883800ab9410254e1695eb2d

                                                                                  SHA1

                                                                                  b024f44072d35372a530172ccee1a15c9e290779

                                                                                  SHA256

                                                                                  ee3792763f5a1357b2a509abd616174517fb640803035aad4d454a4129e7c57f

                                                                                  SHA512

                                                                                  4b217ab3946ae739f5f3731f225c90789c05f748041c07eaf2a98cd7df4dc5d2332f1aad85575125e445befc9f41324acbb5ee1378fc4a3b846bec9152863d2e

                                                                                • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
                                                                                  MD5

                                                                                  c9110240e100313599d42c509603f0ad

                                                                                  SHA1

                                                                                  5a263061f733056854027553c86ebb12e5ef33d1

                                                                                  SHA256

                                                                                  7564ec99ed81623f4980bf65845ce274133a08839443c9e8338621882911d056

                                                                                  SHA512

                                                                                  2963470c2c6604724bf801ddb7750b20f830722d673553904147394efddfb1b4617cf94ccc27af351006fa3479d32a1383ba0c417c122c5a4d41ec0f137f6103

                                                                                • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
                                                                                  MD5

                                                                                  77ff28462547b3d47676de1cb85af7f4

                                                                                  SHA1

                                                                                  7dc79f541b24f2c4f13fc0ab8c151f77127022f7

                                                                                  SHA256

                                                                                  be426586bbdfea82f98b107da5e67eb9a0e03152a74cf8b49d9907046bcbba85

                                                                                  SHA512

                                                                                  67e0464cc95e6df32ca0a6ffaf97c2d11311aa1264a39aa00e555136e660aa991f9b2ddf6f0031e3eec06a4f87b629f67bce20143bf253ccc9c3544778c77534

                                                                                • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
                                                                                  MD5

                                                                                  77ff28462547b3d47676de1cb85af7f4

                                                                                  SHA1

                                                                                  7dc79f541b24f2c4f13fc0ab8c151f77127022f7

                                                                                  SHA256

                                                                                  be426586bbdfea82f98b107da5e67eb9a0e03152a74cf8b49d9907046bcbba85

                                                                                  SHA512

                                                                                  67e0464cc95e6df32ca0a6ffaf97c2d11311aa1264a39aa00e555136e660aa991f9b2ddf6f0031e3eec06a4f87b629f67bce20143bf253ccc9c3544778c77534

                                                                                • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
                                                                                  MD5

                                                                                  d837fc68601dc2e1245727ba8e0c4cdb

                                                                                  SHA1

                                                                                  98d9560e4d7a3fe871ff28221bd4b42bdb5e9db2

                                                                                  SHA256

                                                                                  7fb6bbe6049250690b7073d820a46694ba1a35b059de313f551589c4c5a23de4

                                                                                  SHA512

                                                                                  7859ab43137ade335b7e5953a4116a1bd230bbfabf52c3d5c7c3f211539c431e3d190b451328096afa18e4bc1f48e875ad6d3b98831082726fe60a98bec10341

                                                                                • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
                                                                                  MD5

                                                                                  416345a2883800ab9410254e1695eb2d

                                                                                  SHA1

                                                                                  b024f44072d35372a530172ccee1a15c9e290779

                                                                                  SHA256

                                                                                  ee3792763f5a1357b2a509abd616174517fb640803035aad4d454a4129e7c57f

                                                                                  SHA512

                                                                                  4b217ab3946ae739f5f3731f225c90789c05f748041c07eaf2a98cd7df4dc5d2332f1aad85575125e445befc9f41324acbb5ee1378fc4a3b846bec9152863d2e

                                                                                • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
                                                                                  MD5

                                                                                  77ff28462547b3d47676de1cb85af7f4

                                                                                  SHA1

                                                                                  7dc79f541b24f2c4f13fc0ab8c151f77127022f7

                                                                                  SHA256

                                                                                  be426586bbdfea82f98b107da5e67eb9a0e03152a74cf8b49d9907046bcbba85

                                                                                  SHA512

                                                                                  67e0464cc95e6df32ca0a6ffaf97c2d11311aa1264a39aa00e555136e660aa991f9b2ddf6f0031e3eec06a4f87b629f67bce20143bf253ccc9c3544778c77534

                                                                                • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
                                                                                  MD5

                                                                                  c9110240e100313599d42c509603f0ad

                                                                                  SHA1

                                                                                  5a263061f733056854027553c86ebb12e5ef33d1

                                                                                  SHA256

                                                                                  7564ec99ed81623f4980bf65845ce274133a08839443c9e8338621882911d056

                                                                                  SHA512

                                                                                  2963470c2c6604724bf801ddb7750b20f830722d673553904147394efddfb1b4617cf94ccc27af351006fa3479d32a1383ba0c417c122c5a4d41ec0f137f6103

                                                                                • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
                                                                                  MD5

                                                                                  689b2b93bafb688556ea91e85d0083a7

                                                                                  SHA1

                                                                                  69288a8abf423a4f79116ca4052fe2ee9b4fe814

                                                                                  SHA256

                                                                                  f8e396eac90ce9082391e7c3ce0213f3c822a0ddae5cce72a77d35f23f67d38a

                                                                                  SHA512

                                                                                  8bbc3ea434169df0ebd576995668bc81d70a7555930593f47db03d654ca9f9b9c26a7e6420b1197bcfdb9068bff55384eb57dd71876725ec7c5d150dadcae091

                                                                                • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
                                                                                  MD5

                                                                                  d837fc68601dc2e1245727ba8e0c4cdb

                                                                                  SHA1

                                                                                  98d9560e4d7a3fe871ff28221bd4b42bdb5e9db2

                                                                                  SHA256

                                                                                  7fb6bbe6049250690b7073d820a46694ba1a35b059de313f551589c4c5a23de4

                                                                                  SHA512

                                                                                  7859ab43137ade335b7e5953a4116a1bd230bbfabf52c3d5c7c3f211539c431e3d190b451328096afa18e4bc1f48e875ad6d3b98831082726fe60a98bec10341

                                                                                • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
                                                                                  MD5

                                                                                  77ff28462547b3d47676de1cb85af7f4

                                                                                  SHA1

                                                                                  7dc79f541b24f2c4f13fc0ab8c151f77127022f7

                                                                                  SHA256

                                                                                  be426586bbdfea82f98b107da5e67eb9a0e03152a74cf8b49d9907046bcbba85

                                                                                  SHA512

                                                                                  67e0464cc95e6df32ca0a6ffaf97c2d11311aa1264a39aa00e555136e660aa991f9b2ddf6f0031e3eec06a4f87b629f67bce20143bf253ccc9c3544778c77534

                                                                                • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
                                                                                  MD5

                                                                                  77ff28462547b3d47676de1cb85af7f4

                                                                                  SHA1

                                                                                  7dc79f541b24f2c4f13fc0ab8c151f77127022f7

                                                                                  SHA256

                                                                                  be426586bbdfea82f98b107da5e67eb9a0e03152a74cf8b49d9907046bcbba85

                                                                                  SHA512

                                                                                  67e0464cc95e6df32ca0a6ffaf97c2d11311aa1264a39aa00e555136e660aa991f9b2ddf6f0031e3eec06a4f87b629f67bce20143bf253ccc9c3544778c77534

                                                                                • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
                                                                                  MD5

                                                                                  70df90d48d10f3932a0afeda7d2574d1

                                                                                  SHA1

                                                                                  490fa5c11e6e0b37d33b4f368c95827c91d8fa09

                                                                                  SHA256

                                                                                  a255b58c7d90fd67248d85b8b8abb6e36fad014e5386192f027af6936cd43bd7

                                                                                  SHA512

                                                                                  f68fa6859101fb1fdfce6f93da1d7f4b02688d88e0f31e5d42d3054e6f32320d7b6c426df8cce449b55ce65b1f5c261e81bc292b5a036daeed79ae5a89dff59d

                                                                                • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
                                                                                  MD5

                                                                                  77ff28462547b3d47676de1cb85af7f4

                                                                                  SHA1

                                                                                  7dc79f541b24f2c4f13fc0ab8c151f77127022f7

                                                                                  SHA256

                                                                                  be426586bbdfea82f98b107da5e67eb9a0e03152a74cf8b49d9907046bcbba85

                                                                                  SHA512

                                                                                  67e0464cc95e6df32ca0a6ffaf97c2d11311aa1264a39aa00e555136e660aa991f9b2ddf6f0031e3eec06a4f87b629f67bce20143bf253ccc9c3544778c77534

                                                                                • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
                                                                                  MD5

                                                                                  416345a2883800ab9410254e1695eb2d

                                                                                  SHA1

                                                                                  b024f44072d35372a530172ccee1a15c9e290779

                                                                                  SHA256

                                                                                  ee3792763f5a1357b2a509abd616174517fb640803035aad4d454a4129e7c57f

                                                                                  SHA512

                                                                                  4b217ab3946ae739f5f3731f225c90789c05f748041c07eaf2a98cd7df4dc5d2332f1aad85575125e445befc9f41324acbb5ee1378fc4a3b846bec9152863d2e

                                                                                • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
                                                                                  MD5

                                                                                  416345a2883800ab9410254e1695eb2d

                                                                                  SHA1

                                                                                  b024f44072d35372a530172ccee1a15c9e290779

                                                                                  SHA256

                                                                                  ee3792763f5a1357b2a509abd616174517fb640803035aad4d454a4129e7c57f

                                                                                  SHA512

                                                                                  4b217ab3946ae739f5f3731f225c90789c05f748041c07eaf2a98cd7df4dc5d2332f1aad85575125e445befc9f41324acbb5ee1378fc4a3b846bec9152863d2e

                                                                                • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
                                                                                  MD5

                                                                                  77ff28462547b3d47676de1cb85af7f4

                                                                                  SHA1

                                                                                  7dc79f541b24f2c4f13fc0ab8c151f77127022f7

                                                                                  SHA256

                                                                                  be426586bbdfea82f98b107da5e67eb9a0e03152a74cf8b49d9907046bcbba85

                                                                                  SHA512

                                                                                  67e0464cc95e6df32ca0a6ffaf97c2d11311aa1264a39aa00e555136e660aa991f9b2ddf6f0031e3eec06a4f87b629f67bce20143bf253ccc9c3544778c77534

                                                                                • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
                                                                                  MD5

                                                                                  d837fc68601dc2e1245727ba8e0c4cdb

                                                                                  SHA1

                                                                                  98d9560e4d7a3fe871ff28221bd4b42bdb5e9db2

                                                                                  SHA256

                                                                                  7fb6bbe6049250690b7073d820a46694ba1a35b059de313f551589c4c5a23de4

                                                                                  SHA512

                                                                                  7859ab43137ade335b7e5953a4116a1bd230bbfabf52c3d5c7c3f211539c431e3d190b451328096afa18e4bc1f48e875ad6d3b98831082726fe60a98bec10341

                                                                                • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
                                                                                  MD5

                                                                                  77ff28462547b3d47676de1cb85af7f4

                                                                                  SHA1

                                                                                  7dc79f541b24f2c4f13fc0ab8c151f77127022f7

                                                                                  SHA256

                                                                                  be426586bbdfea82f98b107da5e67eb9a0e03152a74cf8b49d9907046bcbba85

                                                                                  SHA512

                                                                                  67e0464cc95e6df32ca0a6ffaf97c2d11311aa1264a39aa00e555136e660aa991f9b2ddf6f0031e3eec06a4f87b629f67bce20143bf253ccc9c3544778c77534

                                                                                • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
                                                                                  MD5

                                                                                  d837fc68601dc2e1245727ba8e0c4cdb

                                                                                  SHA1

                                                                                  98d9560e4d7a3fe871ff28221bd4b42bdb5e9db2

                                                                                  SHA256

                                                                                  7fb6bbe6049250690b7073d820a46694ba1a35b059de313f551589c4c5a23de4

                                                                                  SHA512

                                                                                  7859ab43137ade335b7e5953a4116a1bd230bbfabf52c3d5c7c3f211539c431e3d190b451328096afa18e4bc1f48e875ad6d3b98831082726fe60a98bec10341

                                                                                • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
                                                                                  MD5

                                                                                  70df90d48d10f3932a0afeda7d2574d1

                                                                                  SHA1

                                                                                  490fa5c11e6e0b37d33b4f368c95827c91d8fa09

                                                                                  SHA256

                                                                                  a255b58c7d90fd67248d85b8b8abb6e36fad014e5386192f027af6936cd43bd7

                                                                                  SHA512

                                                                                  f68fa6859101fb1fdfce6f93da1d7f4b02688d88e0f31e5d42d3054e6f32320d7b6c426df8cce449b55ce65b1f5c261e81bc292b5a036daeed79ae5a89dff59d

                                                                                • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
                                                                                  MD5

                                                                                  77ff28462547b3d47676de1cb85af7f4

                                                                                  SHA1

                                                                                  7dc79f541b24f2c4f13fc0ab8c151f77127022f7

                                                                                  SHA256

                                                                                  be426586bbdfea82f98b107da5e67eb9a0e03152a74cf8b49d9907046bcbba85

                                                                                  SHA512

                                                                                  67e0464cc95e6df32ca0a6ffaf97c2d11311aa1264a39aa00e555136e660aa991f9b2ddf6f0031e3eec06a4f87b629f67bce20143bf253ccc9c3544778c77534

                                                                                • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
                                                                                  MD5

                                                                                  d837fc68601dc2e1245727ba8e0c4cdb

                                                                                  SHA1

                                                                                  98d9560e4d7a3fe871ff28221bd4b42bdb5e9db2

                                                                                  SHA256

                                                                                  7fb6bbe6049250690b7073d820a46694ba1a35b059de313f551589c4c5a23de4

                                                                                  SHA512


                                                                                  4KB

                                                                                • memory/4988-228-0x0000000000000000-mapping.dmp
                                                                                • memory/5052-218-0x0000000000000000-mapping.dmp
                                                                                • memory/5052-267-0x000000007F170000-0x000000007F171000-memory.dmp
                                                                                  Filesize

                                                                                  4KB

                                                                                • memory/5052-221-0x00000000070D0000-0x00000000070D1000-memory.dmp
                                                                                  Filesize

                                                                                  4KB

                                                                                • memory/5052-222-0x00000000070D2000-0x00000000070D3000-memory.dmp
                                                                                  Filesize

                                                                                  4KB

                                                                                • memory/5052-273-0x00000000070D3000-0x00000000070D4000-memory.dmp
                                                                                  Filesize

                                                                                  4KB

                                                                                • memory/5092-223-0x0000000007220000-0x0000000007221000-memory.dmp
                                                                                  Filesize

                                                                                  4KB

                                                                                • memory/5092-268-0x000000007EC40000-0x000000007EC41000-memory.dmp
                                                                                  Filesize

                                                                                  4KB

                                                                                • memory/5092-224-0x0000000007222000-0x0000000007223000-memory.dmp
                                                                                  Filesize

                                                                                  4KB

                                                                                • memory/5092-219-0x0000000000000000-mapping.dmp
                                                                                • memory/5100-229-0x0000000000000000-mapping.dmp
                                                                                • memory/5100-236-0x0000000006FF0000-0x0000000006FF1000-memory.dmp
                                                                                  Filesize

                                                                                  4KB

                                                                                • memory/5100-237-0x0000000006FF2000-0x0000000006FF3000-memory.dmp
                                                                                  Filesize

                                                                                  4KB

                                                                                • memory/5148-274-0x00000000071E0000-0x00000000071E1000-memory.dmp
                                                                                  Filesize

                                                                                  4KB

                                                                                • memory/5148-269-0x0000000000000000-mapping.dmp
                                                                                • memory/5148-276-0x00000000071E2000-0x00000000071E3000-memory.dmp
                                                                                  Filesize

                                                                                  4KB

                                                                                • memory/5320-311-0x0000000000000000-mapping.dmp
                                                                                • memory/5380-271-0x0000000000000000-mapping.dmp
                                                                                • memory/5380-275-0x0000000004920000-0x0000000004921000-memory.dmp
                                                                                  Filesize

                                                                                  4KB

                                                                                • memory/5628-255-0x0000000000000000-mapping.dmp
                                                                                • memory/5628-260-0x0000000003580000-0x0000000003581000-memory.dmp
                                                                                  Filesize

                                                                                  4KB

                                                                                • memory/5628-261-0x0000000003582000-0x0000000003583000-memory.dmp
                                                                                  Filesize

                                                                                  4KB

                                                                                • memory/5668-262-0x00000000065D0000-0x00000000065D1000-memory.dmp
                                                                                  Filesize

                                                                                  4KB

                                                                                • memory/5668-256-0x0000000000000000-mapping.dmp
                                                                                • memory/5668-263-0x00000000065D2000-0x00000000065D3000-memory.dmp
                                                                                  Filesize

                                                                                  4KB

                                                                                • memory/5748-265-0x0000000004550000-0x0000000004551000-memory.dmp
                                                                                  Filesize

                                                                                  4KB

                                                                                • memory/5748-266-0x0000000004552000-0x0000000004553000-memory.dmp
                                                                                  Filesize

                                                                                  4KB

                                                                                • memory/5748-257-0x0000000000000000-mapping.dmp
                                                                                • memory/5916-298-0x0000000000000000-mapping.dmp
                                                                                • memory/5960-284-0x0000000000000000-mapping.dmp
                                                                                • memory/6040-285-0x0000000000000000-mapping.dmp
                                                                                • memory/6100-283-0x0000000000000000-mapping.dmp
                                                                                • memory/6376-288-0x0000000000000000-mapping.dmp
                                                                                • memory/6416-289-0x0000000000000000-mapping.dmp
                                                                                • memory/6428-300-0x0000000000000000-mapping.dmp
                                                                                • memory/6452-299-0x0000000000000000-mapping.dmp
                                                                                • memory/6472-290-0x0000000000000000-mapping.dmp
                                                                                • memory/6820-294-0x0000000000000000-mapping.dmp
                                                                                • memory/6864-295-0x0000000000000000-mapping.dmp
                                                                                • memory/6924-296-0x0000000000000000-mapping.dmp
                                                                                • memory/7184-313-0x0000000000000000-mapping.dmp
                                                                                • memory/7188-312-0x0000000000000000-mapping.dmp
                                                                                • memory/7196-314-0x0000000000000000-mapping.dmp
                                                                                • memory/7240-305-0x0000000000000000-mapping.dmp
                                                                                • memory/7268-306-0x0000000000000000-mapping.dmp
                                                                                • memory/7312-307-0x0000000000000000-mapping.dmp
                                                                                • memory/7360-308-0x0000000000000000-mapping.dmp
                                                                                • memory/7392-309-0x0000000000000000-mapping.dmp
                                                                                • memory/7456-310-0x0000000000000000-mapping.dmp
                                                                                • memory/7744-316-0x0000000000000000-mapping.dmp
                                                                                • memory/7920-315-0x0000000000000000-mapping.dmp
                                                                                • memory/8356-340-0x0000000000000000-mapping.dmp
                                                                                • memory/8472-322-0x0000000000000000-mapping.dmp
                                                                                • memory/8544-325-0x0000000000000000-mapping.dmp
                                                                                • memory/8612-326-0x0000000000000000-mapping.dmp
                                                                                • memory/8860-327-0x0000000000000000-mapping.dmp
                                                                                • memory/8908-328-0x0000000000000000-mapping.dmp
                                                                                • memory/8960-329-0x0000000000000000-mapping.dmp
                                                                                • memory/8968-337-0x0000000000000000-mapping.dmp
                                                                                • memory/8992-339-0x0000000000000000-mapping.dmp
                                                                                • memory/9144-338-0x0000000000000000-mapping.dmp
                                                                                • memory/9636-347-0x0000000000000000-mapping.dmp