Analysis
-
max time kernel
26s -
max time network
146s -
platform
windows10_x64 -
resource
win10-en -
submitted
15-09-2021 06:57
General
-
Target
2ac2d91af826847f3e2544b2420a814d.exe
-
Size
819KB
-
MD5
2ac2d91af826847f3e2544b2420a814d
-
SHA1
79101b95f1d8171e6e5c4ce4e9d9372466a6259d
-
SHA256
3e3bf2b2439b584bb039f072d969a4b31f5eb4c03fd8033fec911ff3ed5c1878
-
SHA512
9785737408c6345e35d4ebe9f438bd2647f2b9e230b53592a5d3eebfc70b1969d4e1d614bbe44d7579803af51211f84d2060f558b9052875169f55f91195b4fc
Malware Config
Extracted
agenttesla
Protocol: smtp- Host:
smtp.yandex.com - Port:
587 - Username:
mailjege@yandex.com - Password:
recovery111
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Turns off Windows Defender SpyNet reporting 2 TTPs
-
UAC bypass 3 TTPs
-
Windows security bypass 2 TTPs
-
AgentTesla Payload 3 IoCs
-
Looks for VirtualBox Guest Additions in registry 2 TTPs
-
Nirsoft 6 IoCs
-
Executes dropped EXE 3 IoCs
-
Looks for VMWare Tools registry key 2 TTPs
-
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Drops startup file 2 IoCs
-
Windows security modification 2 TTPs 12 IoCs
-
Checks whether UAC is enabled 1 TTPs 2 IoCs
-
Maps connected drives based on registry 3 TTPs 2 IoCs
Disk information is often read in order to detect sandboxing environments.
-
Suspicious use of SetThreadContext 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 12 IoCs
-
Suspicious use of AdjustPrivilegeToken 9 IoCs
-
Suspicious use of WriteProcessMemory 44 IoCs
-
System policy modification 1 TTPs 1 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\2ac2d91af826847f3e2544b2420a814d.exe"C:\Users\Admin\AppData\Local\Temp\2ac2d91af826847f3e2544b2420a814d.exe"1⤵
- Checks BIOS information in registry
- Drops startup file
- Windows security modification
- Checks whether UAC is enabled
- Maps connected drives based on registry
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Users\Admin\AppData\Local\Temp\e5f454c9-b1b8-44c4-ba11-174ba3175c8d\AdvancedRun.exe"C:\Users\Admin\AppData\Local\Temp\e5f454c9-b1b8-44c4-ba11-174ba3175c8d\AdvancedRun.exe" /EXEFilename "C:\Users\Admin\AppData\Local\Temp\e5f454c9-b1b8-44c4-ba11-174ba3175c8d\test.bat" /WindowState ""0"" /PriorityClass ""32"" /CommandLine "" /StartDirectory "" /RunAs 8 /Run2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\e5f454c9-b1b8-44c4-ba11-174ba3175c8d\AdvancedRun.exe"C:\Users\Admin\AppData\Local\Temp\e5f454c9-b1b8-44c4-ba11-174ba3175c8d\AdvancedRun.exe" /SpecialRun 4101d8 3163⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\2ac2d91af826847f3e2544b2420a814d.exe" -Force2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\2ac2d91af826847f3e2544b2420a814d.exe" -Force2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\F1385DE3.exe" -Force2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\F1385DE3.exe" -Force2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\2ac2d91af826847f3e2544b2420a814d.exe" -Force2⤵
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\F1385DE3.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\F1385DE3.exe"2⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\801e38ed-d6d7-4abf-82df-2f9009dbe135\AdvancedRun.exe"C:\Users\Admin\AppData\Local\Temp\801e38ed-d6d7-4abf-82df-2f9009dbe135\AdvancedRun.exe" /EXEFilename "C:\Users\Admin\AppData\Local\Temp\801e38ed-d6d7-4abf-82df-2f9009dbe135\test.bat" /WindowState ""0"" /PriorityClass ""32"" /CommandLine "" /StartDirectory "" /RunAs 8 /Run3⤵
-
C:\Users\Admin\AppData\Local\Temp\801e38ed-d6d7-4abf-82df-2f9009dbe135\AdvancedRun.exe"C:\Users\Admin\AppData\Local\Temp\801e38ed-d6d7-4abf-82df-2f9009dbe135\AdvancedRun.exe" /SpecialRun 4101d8 26444⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\F1385DE3.exe" -Force3⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\F1385DE3.exe" -Force3⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Public\Documents\2D17B9CF\svchost.exe" -Force3⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\F1385DE3.exe" -Force3⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Public\Documents\2D17B9CF\svchost.exe" -Force3⤵
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\F1385DE3.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\F1385DE3.exe"3⤵
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\F1385DE3.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\F1385DE3.exe"3⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1148 -s 17723⤵
- Program crash
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Public\Documents\2D17B9CF\svchost.exe" -Force2⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\2ac2d91af826847f3e2544b2420a814d.exe" -Force2⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Public\Documents\2D17B9CF\svchost.exe" -Force2⤵
-
C:\Users\Admin\AppData\Local\Temp\2ac2d91af826847f3e2544b2420a814d.exe"C:\Users\Admin\AppData\Local\Temp\2ac2d91af826847f3e2544b2420a814d.exe"2⤵
-
C:\Users\Admin\AppData\Local\Temp\2ac2d91af826847f3e2544b2420a814d.exe"C:\Users\Admin\AppData\Local\Temp\2ac2d91af826847f3e2544b2420a814d.exe"2⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.logMD5
db01a2c1c7e70b2b038edf8ad5ad9826
SHA1540217c647a73bad8d8a79e3a0f3998b5abd199b
SHA256413da361d77055dae7007f82b58b366c8783aa72e0b8fbe41519b940c253b38d
SHA512c76ff57fcee5cdf9fdf3116d4e1dc0cf106867bf19ab474b763e242acf5dca9a7509cb837c35e130c3e056636b4e8a4e135512a978bcd3dd641e20f5bf76c3d6
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCacheMD5
71f1cd7681a0b887f835e3aadeea7767
SHA1f784f0ff4b999ddfa59633e592aba8736763bf50
SHA256f01aec7092ba6bdab328a091b414002487ae38c51df0917ffe57bc1254d11a42
SHA512450d9ac3236ce36625d0a6585f9ee0bf430c2899f77211ba79d1dd23c070d9323d3a2c91673d44988f896e1b549d839f147148ac474cad9111714cf98cd56064
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCacheMD5
71f1cd7681a0b887f835e3aadeea7767
SHA1f784f0ff4b999ddfa59633e592aba8736763bf50
SHA256f01aec7092ba6bdab328a091b414002487ae38c51df0917ffe57bc1254d11a42
SHA512450d9ac3236ce36625d0a6585f9ee0bf430c2899f77211ba79d1dd23c070d9323d3a2c91673d44988f896e1b549d839f147148ac474cad9111714cf98cd56064
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCacheMD5
71f1cd7681a0b887f835e3aadeea7767
SHA1f784f0ff4b999ddfa59633e592aba8736763bf50
SHA256f01aec7092ba6bdab328a091b414002487ae38c51df0917ffe57bc1254d11a42
SHA512450d9ac3236ce36625d0a6585f9ee0bf430c2899f77211ba79d1dd23c070d9323d3a2c91673d44988f896e1b549d839f147148ac474cad9111714cf98cd56064
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCacheMD5
71f1cd7681a0b887f835e3aadeea7767
SHA1f784f0ff4b999ddfa59633e592aba8736763bf50
SHA256f01aec7092ba6bdab328a091b414002487ae38c51df0917ffe57bc1254d11a42
SHA512450d9ac3236ce36625d0a6585f9ee0bf430c2899f77211ba79d1dd23c070d9323d3a2c91673d44988f896e1b549d839f147148ac474cad9111714cf98cd56064
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCacheMD5
71f1cd7681a0b887f835e3aadeea7767
SHA1f784f0ff4b999ddfa59633e592aba8736763bf50
SHA256f01aec7092ba6bdab328a091b414002487ae38c51df0917ffe57bc1254d11a42
SHA512450d9ac3236ce36625d0a6585f9ee0bf430c2899f77211ba79d1dd23c070d9323d3a2c91673d44988f896e1b549d839f147148ac474cad9111714cf98cd56064
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCacheMD5
71f1cd7681a0b887f835e3aadeea7767
SHA1f784f0ff4b999ddfa59633e592aba8736763bf50
SHA256f01aec7092ba6bdab328a091b414002487ae38c51df0917ffe57bc1254d11a42
SHA512450d9ac3236ce36625d0a6585f9ee0bf430c2899f77211ba79d1dd23c070d9323d3a2c91673d44988f896e1b549d839f147148ac474cad9111714cf98cd56064
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCacheMD5
71f1cd7681a0b887f835e3aadeea7767
SHA1f784f0ff4b999ddfa59633e592aba8736763bf50
SHA256f01aec7092ba6bdab328a091b414002487ae38c51df0917ffe57bc1254d11a42
SHA512450d9ac3236ce36625d0a6585f9ee0bf430c2899f77211ba79d1dd23c070d9323d3a2c91673d44988f896e1b549d839f147148ac474cad9111714cf98cd56064
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCacheMD5
71f1cd7681a0b887f835e3aadeea7767
SHA1f784f0ff4b999ddfa59633e592aba8736763bf50
SHA256f01aec7092ba6bdab328a091b414002487ae38c51df0917ffe57bc1254d11a42
SHA512450d9ac3236ce36625d0a6585f9ee0bf430c2899f77211ba79d1dd23c070d9323d3a2c91673d44988f896e1b549d839f147148ac474cad9111714cf98cd56064
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCacheMD5
71f1cd7681a0b887f835e3aadeea7767
SHA1f784f0ff4b999ddfa59633e592aba8736763bf50
SHA256f01aec7092ba6bdab328a091b414002487ae38c51df0917ffe57bc1254d11a42
SHA512450d9ac3236ce36625d0a6585f9ee0bf430c2899f77211ba79d1dd23c070d9323d3a2c91673d44988f896e1b549d839f147148ac474cad9111714cf98cd56064
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCacheMD5
54b389a19d2d06a6b9ae17ba1c96fc5e
SHA11970cf5bf46da7bef8305ad3f8543cc310354c92
SHA256e87b38fc3f390a8b430c92ae83f5294c94208ca235aea8ee5762aac39740991b
SHA5124c76fdbe3be1f8b46c099689bcb9edc4da848c542301052b49c313ad3721a0cdb176568bb77f78a2adf5c389184705fa0e4ffe0e6e728c67f27f8f8f384da1ae
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCacheMD5
0b5d94d20be9eecbaed3dddd04143f07
SHA1c677d0355f4cc7301075a554adc889bce502e15a
SHA2563c6f74219d419accdd3de0d14fa46ff290fd430eddcc5352deddd7de59b4928c
SHA512395e5d0f28819f773b8d53363b7df73cc976124d1accce104390fdb3f5ebf57d8bb357e616910c03e1a9d67985704592640e442bd637009e32086bb1b2088916
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCacheMD5
0b5d94d20be9eecbaed3dddd04143f07
SHA1c677d0355f4cc7301075a554adc889bce502e15a
SHA2563c6f74219d419accdd3de0d14fa46ff290fd430eddcc5352deddd7de59b4928c
SHA512395e5d0f28819f773b8d53363b7df73cc976124d1accce104390fdb3f5ebf57d8bb357e616910c03e1a9d67985704592640e442bd637009e32086bb1b2088916
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCacheMD5
0b5d94d20be9eecbaed3dddd04143f07
SHA1c677d0355f4cc7301075a554adc889bce502e15a
SHA2563c6f74219d419accdd3de0d14fa46ff290fd430eddcc5352deddd7de59b4928c
SHA512395e5d0f28819f773b8d53363b7df73cc976124d1accce104390fdb3f5ebf57d8bb357e616910c03e1a9d67985704592640e442bd637009e32086bb1b2088916
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCacheMD5
0b5d94d20be9eecbaed3dddd04143f07
SHA1c677d0355f4cc7301075a554adc889bce502e15a
SHA2563c6f74219d419accdd3de0d14fa46ff290fd430eddcc5352deddd7de59b4928c
SHA512395e5d0f28819f773b8d53363b7df73cc976124d1accce104390fdb3f5ebf57d8bb357e616910c03e1a9d67985704592640e442bd637009e32086bb1b2088916
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCacheMD5
0b5d94d20be9eecbaed3dddd04143f07
SHA1c677d0355f4cc7301075a554adc889bce502e15a
SHA2563c6f74219d419accdd3de0d14fa46ff290fd430eddcc5352deddd7de59b4928c
SHA512395e5d0f28819f773b8d53363b7df73cc976124d1accce104390fdb3f5ebf57d8bb357e616910c03e1a9d67985704592640e442bd637009e32086bb1b2088916
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCacheMD5
0b5d94d20be9eecbaed3dddd04143f07
SHA1c677d0355f4cc7301075a554adc889bce502e15a
SHA2563c6f74219d419accdd3de0d14fa46ff290fd430eddcc5352deddd7de59b4928c
SHA512395e5d0f28819f773b8d53363b7df73cc976124d1accce104390fdb3f5ebf57d8bb357e616910c03e1a9d67985704592640e442bd637009e32086bb1b2088916
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCacheMD5
0b5d94d20be9eecbaed3dddd04143f07
SHA1c677d0355f4cc7301075a554adc889bce502e15a
SHA2563c6f74219d419accdd3de0d14fa46ff290fd430eddcc5352deddd7de59b4928c
SHA512395e5d0f28819f773b8d53363b7df73cc976124d1accce104390fdb3f5ebf57d8bb357e616910c03e1a9d67985704592640e442bd637009e32086bb1b2088916
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCacheMD5
0b5d94d20be9eecbaed3dddd04143f07
SHA1c677d0355f4cc7301075a554adc889bce502e15a
SHA2563c6f74219d419accdd3de0d14fa46ff290fd430eddcc5352deddd7de59b4928c
SHA512395e5d0f28819f773b8d53363b7df73cc976124d1accce104390fdb3f5ebf57d8bb357e616910c03e1a9d67985704592640e442bd637009e32086bb1b2088916
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCacheMD5
101343244d619fd29dc007b34351865b
SHA1a721bf0ee99f24b3e6c263033cfa02a63d4175cc
SHA256286038573287d04ce980461054d2377b71ab4eb8a37e466b38d120ad7f93a043
SHA5121a40055b9e2186d142059ab12afc82a21767f9fbfe98345be40f67619d128fb261f6afef74b25ba52b8f80480bb86e06006047de1b9505d5a65f7d7ee3ce0209
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCacheMD5
101343244d619fd29dc007b34351865b
SHA1a721bf0ee99f24b3e6c263033cfa02a63d4175cc
SHA256286038573287d04ce980461054d2377b71ab4eb8a37e466b38d120ad7f93a043
SHA5121a40055b9e2186d142059ab12afc82a21767f9fbfe98345be40f67619d128fb261f6afef74b25ba52b8f80480bb86e06006047de1b9505d5a65f7d7ee3ce0209
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCacheMD5
101343244d619fd29dc007b34351865b
SHA1a721bf0ee99f24b3e6c263033cfa02a63d4175cc
SHA256286038573287d04ce980461054d2377b71ab4eb8a37e466b38d120ad7f93a043
SHA5121a40055b9e2186d142059ab12afc82a21767f9fbfe98345be40f67619d128fb261f6afef74b25ba52b8f80480bb86e06006047de1b9505d5a65f7d7ee3ce0209
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCacheMD5
101343244d619fd29dc007b34351865b
SHA1a721bf0ee99f24b3e6c263033cfa02a63d4175cc
SHA256286038573287d04ce980461054d2377b71ab4eb8a37e466b38d120ad7f93a043
SHA5121a40055b9e2186d142059ab12afc82a21767f9fbfe98345be40f67619d128fb261f6afef74b25ba52b8f80480bb86e06006047de1b9505d5a65f7d7ee3ce0209
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCacheMD5
101343244d619fd29dc007b34351865b
SHA1a721bf0ee99f24b3e6c263033cfa02a63d4175cc
SHA256286038573287d04ce980461054d2377b71ab4eb8a37e466b38d120ad7f93a043
SHA5121a40055b9e2186d142059ab12afc82a21767f9fbfe98345be40f67619d128fb261f6afef74b25ba52b8f80480bb86e06006047de1b9505d5a65f7d7ee3ce0209
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCacheMD5
101343244d619fd29dc007b34351865b
SHA1a721bf0ee99f24b3e6c263033cfa02a63d4175cc
SHA256286038573287d04ce980461054d2377b71ab4eb8a37e466b38d120ad7f93a043
SHA5121a40055b9e2186d142059ab12afc82a21767f9fbfe98345be40f67619d128fb261f6afef74b25ba52b8f80480bb86e06006047de1b9505d5a65f7d7ee3ce0209
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveMD5
c3a4ad4654dbe023b7edf49440b53c4b
SHA172d530ac70fc6e0372a3badcc0fdc804fdbbfed6
SHA25663725a9192868d05d598ff54e0791f5eb904a1291a4506e397d8b6d69be0b407
SHA5129c881da58890993b1580fd58ed10183e62f09c6c7d1d588a59aa324039625eb6ec07da0049fe45a9ba6996d4ab32d4154a92c30148d76c6afc5c2c42ccd44c9b
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveMD5
6d4f39b3159de48ac594b7808bea0bf2
SHA160e89b6e363814bd798b616d97c568c14fb8cd73
SHA256fe44939cb1a5df493c95bd69211216632ae72b6029aed69157b8f249fa63691d
SHA5125bf9c51005130064f39b61e9773695d632da425490904d18b46a4d51cffca1218f8c91bcd4f3a756adae5bf028b326e114ccfce9277c0d047a04bfe0991e2430
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveMD5
6d4f39b3159de48ac594b7808bea0bf2
SHA160e89b6e363814bd798b616d97c568c14fb8cd73
SHA256fe44939cb1a5df493c95bd69211216632ae72b6029aed69157b8f249fa63691d
SHA5125bf9c51005130064f39b61e9773695d632da425490904d18b46a4d51cffca1218f8c91bcd4f3a756adae5bf028b326e114ccfce9277c0d047a04bfe0991e2430
-
C:\Users\Admin\AppData\Local\Temp\801e38ed-d6d7-4abf-82df-2f9009dbe135\AdvancedRun.exeMD5
17fc12902f4769af3a9271eb4e2dacce
SHA19a4a1581cc3971579574f837e110f3bd6d529dab
SHA25629ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b
SHA512036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a
-
C:\Users\Admin\AppData\Local\Temp\801e38ed-d6d7-4abf-82df-2f9009dbe135\AdvancedRun.exeMD5
17fc12902f4769af3a9271eb4e2dacce
SHA19a4a1581cc3971579574f837e110f3bd6d529dab
SHA25629ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b
SHA512036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a
-
C:\Users\Admin\AppData\Local\Temp\801e38ed-d6d7-4abf-82df-2f9009dbe135\AdvancedRun.exeMD5
17fc12902f4769af3a9271eb4e2dacce
SHA19a4a1581cc3971579574f837e110f3bd6d529dab
SHA25629ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b
SHA512036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a
-
C:\Users\Admin\AppData\Local\Temp\e5f454c9-b1b8-44c4-ba11-174ba3175c8d\AdvancedRun.exeMD5
17fc12902f4769af3a9271eb4e2dacce
SHA19a4a1581cc3971579574f837e110f3bd6d529dab
SHA25629ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b
SHA512036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a
-
C:\Users\Admin\AppData\Local\Temp\e5f454c9-b1b8-44c4-ba11-174ba3175c8d\AdvancedRun.exeMD5
17fc12902f4769af3a9271eb4e2dacce
SHA19a4a1581cc3971579574f837e110f3bd6d529dab
SHA25629ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b
SHA512036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a
-
C:\Users\Admin\AppData\Local\Temp\e5f454c9-b1b8-44c4-ba11-174ba3175c8d\AdvancedRun.exeMD5
17fc12902f4769af3a9271eb4e2dacce
SHA19a4a1581cc3971579574f837e110f3bd6d529dab
SHA25629ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b
SHA512036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\F1385DE3.exeMD5
2ac2d91af826847f3e2544b2420a814d
SHA179101b95f1d8171e6e5c4ce4e9d9372466a6259d
SHA2563e3bf2b2439b584bb039f072d969a4b31f5eb4c03fd8033fec911ff3ed5c1878
SHA5129785737408c6345e35d4ebe9f438bd2647f2b9e230b53592a5d3eebfc70b1969d4e1d614bbe44d7579803af51211f84d2060f558b9052875169f55f91195b4fc
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\F1385DE3.exeMD5
2ac2d91af826847f3e2544b2420a814d
SHA179101b95f1d8171e6e5c4ce4e9d9372466a6259d
SHA2563e3bf2b2439b584bb039f072d969a4b31f5eb4c03fd8033fec911ff3ed5c1878
SHA5129785737408c6345e35d4ebe9f438bd2647f2b9e230b53592a5d3eebfc70b1969d4e1d614bbe44d7579803af51211f84d2060f558b9052875169f55f91195b4fc
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\F1385DE3.exeMD5
2ac2d91af826847f3e2544b2420a814d
SHA179101b95f1d8171e6e5c4ce4e9d9372466a6259d
SHA2563e3bf2b2439b584bb039f072d969a4b31f5eb4c03fd8033fec911ff3ed5c1878
SHA5129785737408c6345e35d4ebe9f438bd2647f2b9e230b53592a5d3eebfc70b1969d4e1d614bbe44d7579803af51211f84d2060f558b9052875169f55f91195b4fc
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\F1385DE3.exeMD5
2ac2d91af826847f3e2544b2420a814d
SHA179101b95f1d8171e6e5c4ce4e9d9372466a6259d
SHA2563e3bf2b2439b584bb039f072d969a4b31f5eb4c03fd8033fec911ff3ed5c1878
SHA5129785737408c6345e35d4ebe9f438bd2647f2b9e230b53592a5d3eebfc70b1969d4e1d614bbe44d7579803af51211f84d2060f558b9052875169f55f91195b4fc
-
memory/316-122-0x0000000000000000-mapping.dmp
-
memory/408-1299-0x0000000004522000-0x0000000004523000-memory.dmpFilesize
4KB
-
memory/408-1279-0x0000000004520000-0x0000000004521000-memory.dmpFilesize
4KB
-
memory/408-2324-0x000000007FD90000-0x000000007FD91000-memory.dmpFilesize
4KB
-
memory/408-1149-0x0000000000000000-mapping.dmp
-
memory/592-161-0x00000000072D2000-0x00000000072D3000-memory.dmpFilesize
4KB
-
memory/592-130-0x0000000000000000-mapping.dmp
-
memory/592-394-0x000000007EDF0000-0x000000007EDF1000-memory.dmpFilesize
4KB
-
memory/592-481-0x00000000072D3000-0x00000000072D4000-memory.dmpFilesize
4KB
-
memory/592-199-0x00000000072D0000-0x00000000072D1000-memory.dmpFilesize
4KB
-
memory/1016-173-0x000000000043770E-mapping.dmp
-
memory/1016-197-0x0000000005150000-0x000000000564E000-memory.dmpFilesize
5.0MB
-
memory/1016-169-0x0000000000400000-0x000000000043C000-memory.dmpFilesize
240KB
-
memory/1016-187-0x0000000000400000-0x0000000000401000-memory.dmpFilesize
4KB
-
memory/1148-203-0x0000000005380000-0x000000000587E000-memory.dmpFilesize
5.0MB
-
memory/1148-134-0x0000000000000000-mapping.dmp
-
memory/1268-380-0x000000007F000000-0x000000007F001000-memory.dmpFilesize
4KB
-
memory/1268-163-0x0000000006D00000-0x0000000006D01000-memory.dmpFilesize
4KB
-
memory/1268-131-0x0000000000000000-mapping.dmp
-
memory/1268-454-0x0000000006D03000-0x0000000006D04000-memory.dmpFilesize
4KB
-
memory/1268-165-0x0000000006D02000-0x0000000006D03000-memory.dmpFilesize
4KB
-
memory/1692-468-0x0000000006A63000-0x0000000006A64000-memory.dmpFilesize
4KB
-
memory/1692-388-0x000000007F6D0000-0x000000007F6D1000-memory.dmpFilesize
4KB
-
memory/1692-175-0x0000000006A60000-0x0000000006A61000-memory.dmpFilesize
4KB
-
memory/1692-140-0x0000000000000000-mapping.dmp
-
memory/1692-185-0x0000000006A62000-0x0000000006A63000-memory.dmpFilesize
4KB
-
memory/1996-399-0x000000007DF30000-0x000000007DF31000-memory.dmpFilesize
4KB
-
memory/1996-476-0x0000000004A63000-0x0000000004A64000-memory.dmpFilesize
4KB
-
memory/1996-189-0x0000000004A62000-0x0000000004A63000-memory.dmpFilesize
4KB
-
memory/1996-144-0x0000000000000000-mapping.dmp
-
memory/1996-183-0x0000000004A60000-0x0000000004A61000-memory.dmpFilesize
4KB
-
memory/2644-994-0x0000000000000000-mapping.dmp
-
memory/3264-406-0x0000000004FB3000-0x0000000004FB4000-memory.dmpFilesize
4KB
-
memory/3264-195-0x0000000004FB0000-0x0000000004FB1000-memory.dmpFilesize
4KB
-
memory/3264-129-0x0000000000000000-mapping.dmp
-
memory/3264-207-0x0000000004FB2000-0x0000000004FB3000-memory.dmpFilesize
4KB
-
memory/3264-310-0x000000007ED40000-0x000000007ED41000-memory.dmpFilesize
4KB
-
memory/3296-418-0x0000000006D33000-0x0000000006D34000-memory.dmpFilesize
4KB
-
memory/3296-324-0x000000007F680000-0x000000007F681000-memory.dmpFilesize
4KB
-
memory/3296-127-0x0000000000000000-mapping.dmp
-
memory/3296-136-0x0000000006C00000-0x0000000006C01000-memory.dmpFilesize
4KB
-
memory/3296-142-0x0000000007370000-0x0000000007371000-memory.dmpFilesize
4KB
-
memory/3296-158-0x0000000006D30000-0x0000000006D31000-memory.dmpFilesize
4KB
-
memory/3296-181-0x00000000072C0000-0x00000000072C1000-memory.dmpFilesize
4KB
-
memory/3296-167-0x0000000006D32000-0x0000000006D33000-memory.dmpFilesize
4KB
-
memory/3296-198-0x0000000007B80000-0x0000000007B81000-memory.dmpFilesize
4KB
-
memory/3296-204-0x0000000007C20000-0x0000000007C21000-memory.dmpFilesize
4KB
-
memory/3660-372-0x000000007F260000-0x000000007F261000-memory.dmpFilesize
4KB
-
memory/3660-194-0x00000000065D2000-0x00000000065D3000-memory.dmpFilesize
4KB
-
memory/3660-460-0x00000000065D3000-0x00000000065D4000-memory.dmpFilesize
4KB
-
memory/3660-149-0x0000000000000000-mapping.dmp
-
memory/3660-191-0x00000000065D0000-0x00000000065D1000-memory.dmpFilesize
4KB
-
memory/3940-125-0x0000000000000000-mapping.dmp
-
memory/3968-178-0x00000000069B2000-0x00000000069B3000-memory.dmpFilesize
4KB
-
memory/3968-317-0x000000007F630000-0x000000007F631000-memory.dmpFilesize
4KB
-
memory/3968-128-0x0000000000000000-mapping.dmp
-
memory/3968-171-0x00000000069B0000-0x00000000069B1000-memory.dmpFilesize
4KB
-
memory/3968-412-0x00000000069B3000-0x00000000069B4000-memory.dmpFilesize
4KB
-
memory/4000-120-0x0000000005500000-0x0000000005568000-memory.dmpFilesize
416KB
-
memory/4000-119-0x00000000056C0000-0x00000000056C1000-memory.dmpFilesize
4KB
-
memory/4000-159-0x0000000006A20000-0x0000000006A21000-memory.dmpFilesize
4KB
-
memory/4000-118-0x0000000005580000-0x0000000005A7E000-memory.dmpFilesize
5.0MB
-
memory/4000-121-0x00000000055F0000-0x00000000055F1000-memory.dmpFilesize
4KB
-
memory/4000-117-0x0000000005460000-0x0000000005461000-memory.dmpFilesize
4KB
-
memory/4000-115-0x0000000000B00000-0x0000000000B01000-memory.dmpFilesize
4KB
-
memory/4000-116-0x0000000005A80000-0x0000000005A81000-memory.dmpFilesize
4KB
-
memory/4000-176-0x0000000006A50000-0x0000000006A53000-memory.dmpFilesize
12KB
-
memory/4100-999-0x0000000000000000-mapping.dmp
-
memory/4404-1308-0x0000000004BD0000-0x00000000050CE000-memory.dmpFilesize
5.0MB
-
memory/4404-1221-0x000000000043770E-mapping.dmp
-
memory/4660-1084-0x0000000000000000-mapping.dmp
-
memory/4660-1203-0x0000000004EF0000-0x0000000004EF1000-memory.dmpFilesize
4KB
-
memory/4660-2451-0x000000007E240000-0x000000007E241000-memory.dmpFilesize
4KB
-
memory/4660-1267-0x0000000004EF2000-0x0000000004EF3000-memory.dmpFilesize
4KB
-
memory/4780-1258-0x00000000071D0000-0x00000000071D1000-memory.dmpFilesize
4KB
-
memory/4780-2214-0x000000007F160000-0x000000007F161000-memory.dmpFilesize
4KB
-
memory/4780-1100-0x0000000000000000-mapping.dmp
-
memory/4780-1325-0x00000000071D2000-0x00000000071D3000-memory.dmpFilesize
4KB
-
memory/4876-1115-0x0000000000000000-mapping.dmp
-
memory/4876-1316-0x0000000007242000-0x0000000007243000-memory.dmpFilesize
4KB
-
memory/4876-2441-0x000000007E7A0000-0x000000007E7A1000-memory.dmpFilesize
4KB
-
memory/4876-1334-0x0000000007240000-0x0000000007241000-memory.dmpFilesize
4KB
-
memory/4920-1288-0x0000000004420000-0x0000000004421000-memory.dmpFilesize
4KB
-
memory/4920-1132-0x0000000000000000-mapping.dmp
-
memory/4920-2446-0x000000007E920000-0x000000007E921000-memory.dmpFilesize
4KB
-
memory/4920-1343-0x0000000004422000-0x0000000004423000-memory.dmpFilesize
4KB