Analysis Overview
SHA256
b4fcdc9f24f89baa3710678df4598d6818c2d6c58c0183f2bb61a33e0dade3b4
Threat Level: Known bad
The file SilverClient.exe was found to be: Known bad.
Malicious Activity Summary
StormKitty
StormKitty payload
Sets file to hidden
Executes dropped EXE
Legitimate hosting services abused for malware hosting/C2
Adds Run key to start application
Enumerates physical storage devices
Unsigned PE
Uses Task Scheduler COM API
Uses Volume Shadow Copy service COM API
Suspicious use of AdjustPrivilegeToken
Views/modifies file attributes
Delays execution with timeout.exe
Creates scheduled task(s)
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK Matrix V13
Analysis: static1
Detonation Overview
Reported
2024-04-30 18:26
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-04-30 18:26
Reported
2024-04-30 18:31
Platform
win10-20240404-en
Max time kernel
204s
Max time network
269s
Command Line
Signatures
StormKitty
StormKitty payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Sets file to hidden
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\attrib.exe | N/A |
| N/A | N/A | C:\Windows\System32\attrib.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\System32\$77svchost.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\System32\\$77svchost.exe\"" | C:\Users\Admin\AppData\Local\Temp\SilverClient.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\System32\schtasks.exe | N/A |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\timeout.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Uses Volume Shadow Copy service COM API
Views/modifies file attributes
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\attrib.exe | N/A |
| N/A | N/A | C:\Windows\System32\attrib.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\SilverClient.exe
"C:\Users\Admin\AppData\Local\Temp\SilverClient.exe"
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
C:\Windows\System32\attrib.exe
"C:\Windows\System32\attrib.exe" +s +h "C:\Users\Admin\AppData\Roaming\System32"
C:\Windows\System32\attrib.exe
"C:\Windows\System32\attrib.exe" +s +h "C:\Users\Admin\AppData\Roaming\System32\$77svchost.exe"
C:\Windows\system32\notepad.exe
"C:\Windows\system32\notepad.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpB9EA.tmp.bat""
C:\Windows\system32\timeout.exe
timeout 3
C:\Users\Admin\AppData\Roaming\System32\$77svchost.exe
"C:\Users\Admin\AppData\Roaming\System32\$77svchost.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks.exe" /query /TN $77svchost.exe
C:\Windows\SYSTEM32\schtasks.exe
"schtasks.exe" /Create /SC ONCE /TN "$77svchost.exe" /TR "C:\Users\Admin\AppData\Roaming\System32\$77svchost.exe \"\$77svchost.exe\" /AsAdmin" /ST 00:01 /IT /F /RL HIGHEST
C:\Windows\SYSTEM32\schtasks.exe
"schtasks.exe" /query /TN $77svchost.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ExclusionExtension exe,bat,dll,ps1;exit
C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /sc daily /tn "svchost_Task-DAILY-21PM" /TR "%MyFile%" /ST 21:00
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | discord.com | udp |
| US | 162.159.138.232:443 | discord.com | tcp |
| US | 8.8.8.8:53 | centre-clan.gl.at.ply.gg | udp |
| US | 147.185.221.19:40354 | centre-clan.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | 232.138.159.162.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 19.221.185.147.in-addr.arpa | udp |
| US | 147.185.221.19:40354 | centre-clan.gl.at.ply.gg | tcp |
| US | 147.185.221.19:40354 | centre-clan.gl.at.ply.gg | tcp |
| US | 147.185.221.19:40354 | centre-clan.gl.at.ply.gg | tcp |
| US | 147.185.221.19:40354 | centre-clan.gl.at.ply.gg | tcp |
| US | 147.185.221.19:40354 | centre-clan.gl.at.ply.gg | tcp |
| US | 147.185.221.19:40354 | centre-clan.gl.at.ply.gg | tcp |
| US | 147.185.221.19:40354 | centre-clan.gl.at.ply.gg | tcp |
| US | 147.185.221.19:40354 | centre-clan.gl.at.ply.gg | tcp |
| US | 147.185.221.19:40354 | centre-clan.gl.at.ply.gg | tcp |
| US | 52.111.227.11:443 | tcp | |
| US | 147.185.221.19:40354 | centre-clan.gl.at.ply.gg | tcp |
| US | 147.185.221.19:40354 | centre-clan.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | 133.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
| US | 147.185.221.19:40354 | centre-clan.gl.at.ply.gg | tcp |
| US | 147.185.221.19:40354 | centre-clan.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | 4.173.189.20.in-addr.arpa | udp |
| US | 147.185.221.19:40354 | centre-clan.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 147.185.221.19:40354 | centre-clan.gl.at.ply.gg | tcp |
| US | 147.185.221.19:40354 | centre-clan.gl.at.ply.gg | tcp |
| US | 147.185.221.19:40354 | centre-clan.gl.at.ply.gg | tcp |
| US | 147.185.221.19:40354 | centre-clan.gl.at.ply.gg | tcp |
| US | 147.185.221.19:40354 | centre-clan.gl.at.ply.gg | tcp |
| US | 147.185.221.19:40354 | centre-clan.gl.at.ply.gg | tcp |
| US | 147.185.221.19:40354 | centre-clan.gl.at.ply.gg | tcp |
| US | 147.185.221.19:40354 | centre-clan.gl.at.ply.gg | tcp |
| US | 147.185.221.19:40354 | centre-clan.gl.at.ply.gg | tcp |
| US | 147.185.221.19:40354 | centre-clan.gl.at.ply.gg | tcp |
| US | 147.185.221.19:40354 | centre-clan.gl.at.ply.gg | tcp |
| US | 147.185.221.19:40354 | centre-clan.gl.at.ply.gg | tcp |
| US | 147.185.221.19:40354 | centre-clan.gl.at.ply.gg | tcp |
Files
memory/3692-0-0x0000000000DB0000-0x0000000000DBE000-memory.dmp
memory/3692-1-0x00007FFC94BD0000-0x00007FFC955BC000-memory.dmp
memory/3692-2-0x000000001C910000-0x000000001C920000-memory.dmp
memory/3692-3-0x00007FFC94BD0000-0x00007FFC955BC000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tmpB9EA.tmp.bat
| MD5 | 467ecabd1ae6827b9144d01031aad16f |
| SHA1 | 0d0188543eb83fb24650bcb85824768bce5a3fa3 |
| SHA256 | e0567db1bdbcb896a460fc4fcae09f3392d3232257358291b949307c7a3c00bb |
| SHA512 | 1ba187fa07c6d0dbdc9ca6c0407231c1475767ad79a562d7dca9513bd26db697e8b1e64756ff26731c48f24e24aa4a2d7b905b68a2ee56245d2fb37c1c71ddb9 |
memory/3692-9-0x00007FFC94BD0000-0x00007FFC955BC000-memory.dmp
C:\Users\Admin\AppData\Roaming\System32\$77svchost.exe
| MD5 | 3831534da5a571175be3c431aba83fdb |
| SHA1 | 888aa879e4515bb93369699fc9bb60b204e25efb |
| SHA256 | b4fcdc9f24f89baa3710678df4598d6818c2d6c58c0183f2bb61a33e0dade3b4 |
| SHA512 | 03232832cdbe928f14802f354a834123f4698b15ca758c0534384f2b46fab371a30725a23e6ce59d6af2fc18c8e53ff9d724ac580689c9ef04ec31027fbb23ce |
memory/4912-17-0x00000254F39C0000-0x00000254F39E2000-memory.dmp
memory/4912-20-0x00000254F41D0000-0x00000254F4246000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_havsmoq3.jtw.ps1
| MD5 | c4ca4238a0b923820dcc509a6f75849b |
| SHA1 | 356a192b7913b04c54574d18c28d46e6395428ab |
| SHA256 | 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b |
| SHA512 | 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a |
memory/816-68-0x000000001DB00000-0x000000001DB10000-memory.dmp
memory/816-69-0x00000000010F0000-0x000000000111A000-memory.dmp
memory/816-70-0x0000000000010000-0x0000000000030000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
| MD5 | 8592ba100a78835a6b94d5949e13dfc1 |
| SHA1 | 63e901200ab9a57c7dd4c078d7f75dcd3b357020 |
| SHA256 | fdd7d9def6f9f0c0f2e60dbc8a2d1999071cd7d3095e9e087bb1cda7a614ac3c |
| SHA512 | 87f98e6cb61b2a2a7d65710c4d33881d89715eb7a06e00d492259f35c3902498baabffc5886be0ec5a14312ad4c262e3fc40cd3a5cb91701af0fb229726b88c3 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
| MD5 | ba9851ab6008b3d1c28561817c8f7e0f |
| SHA1 | bf3c75b299ce82f0d3da86c09aec5418c2338f81 |
| SHA256 | 347b3fcf3b877e39546e921719020a0721738d86e8dbbd4652ab2b7d484df5c8 |
| SHA512 | db318764888c1b1e27044effceab3237b518986b1cccc8abb4feacccb9e18d107fb5f02f476929e1e037021a4f02cd05720251718765faca6aa0db322fbbc1a2 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
| MD5 | 494590d6f7053c0f6f2f7e1c52f9d9f1 |
| SHA1 | 9596ba711b04ae003a35bdd94efd6bcf1468ad4c |
| SHA256 | 1da61039b99fe5c678270243a4a3acc7738526e7ba66ff709d87f5509aa91a96 |
| SHA512 | 7669a50060e291b1e33abc9fa01418efee867f1096c6ccae76f0cb96e3d92654694c882d5492f47474c113e5dbebe12889dbd9a89ac9e86ea4bbf8f0ce5dab74 |
memory/2808-127-0x000002319AB00000-0x000002319AB3C000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
| MD5 | 2143b379fed61ab5450bab1a751798ce |
| SHA1 | 32f5b4e8d1387688ee5dec6b3cc6fd27b454f19e |
| SHA256 | a2c739624812ada0913f2fbfe13228e7e42a20efdcb6d5c4e111964f9b620f81 |
| SHA512 | 0bc39e3b666fdad76bcf4fe7e7729c9e8441aa2808173efc8030ce07c753cb5f7e25d81dd8ec75e7a5b6324b7504ff461e470023551976a2a6a415d6a4859bfa |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
| MD5 | 32ee8c40eccb9a273061a41e1b8baa02 |
| SHA1 | 19273d9a575c253a97392da6fe7de532be804d47 |
| SHA256 | a986cceb0b4901a0847cf2ddb1ab5a10dbaf9bf15e45ef1a8383baf26a66eae2 |
| SHA512 | 982cfeb8592f58e124900ef229b52a25992039e5fd77b2d9d7148774a37f9004af5417b88acdd5421792dfe48f19092d30d22efcb0e57777d232f92d07582205 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
| MD5 | 5ab19a2dcfdd0953edae5f310b65eed3 |
| SHA1 | 4b4553df4f980bb391cb013260063efdde0f3e1c |
| SHA256 | 45d6325d025bf809528e36d731104177941a829a7ba7a9c5fe536e9a44245676 |
| SHA512 | a9b1b1adbd7562023ca7ed45720ace76c5e197e4e8bf37d73470f7a3facc39a7c221fbc3db961404aa2768b76b7beceda4e15a60d5d0982e5c5d581992a2a7bd |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
| MD5 | 6378ab47c61694873f91ec0c1e333367 |
| SHA1 | 418df0da644205e68dae36f6533f4cd946a99796 |
| SHA256 | 9c0c4ce229a3b05b2f4dbac3d0db149a925156ad8ae331c0205592fb21c43c1a |
| SHA512 | ba363de62b76dcfcd717de9f8ab2a21e4223b3412866adf8bf7f368bbc138ab0d870bb244da90adbad9df88bd7824a79525e092e76ce052dc292c89813eebefe |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
| MD5 | 8e34d3aa29462c9c0d1294ab27fd2fee |
| SHA1 | d252adff7cfbc6cb2d7a122bc7ba3ae363732dd3 |
| SHA256 | 42309aa3b2a7ed44774110b372648919722f2ae644a034d3f8a7196d4551eedf |
| SHA512 | dbeb4f965f6bd7de6f07d0247a32c2fd075aa8d9cc591b6986252b286b5a72429f76aa387926fc9c72452a5c9b96712f19666d6f42a536459a00af795e5c870c |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
| MD5 | dfc6d987fabf3b6038617ee751fbfda6 |
| SHA1 | e59f8d9d0e714a882617ec48374ed6ea419d9f51 |
| SHA256 | 6b9215c65e5137119dbd254904c6db6901207fd402f4a7755f4087f7d70154d8 |
| SHA512 | 92e3b0ec2acf0f52bb5a06b6b3b95cd45c44230ba4e04594fc54368190e8637b4e4d6c6c07c0beb1bd97633cdf0eefacefaec2169d3b9e399210bbf4cbeaf88a |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
| MD5 | aa30954d55a80f1136a8b322a2e85d1d |
| SHA1 | 9d5c3f51d0962f9bb690863c603cc5e5564ee734 |
| SHA256 | 85c39b26ca1896bfc38d26ae686473764a6f6b9e9132eac1524dd32332aa1a0d |
| SHA512 | 3993d39fae614dbdc685cb8756dbcdf6f71390eb5e48d08d54bf66f2fa327a808ac8f7a7c0156f1fcda07afb0f67a793beab06e6af56857a2a13606c53e18105 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
| MD5 | 26aa6d1a5aeb68252f2235eeba41fc74 |
| SHA1 | 48596c27b7cfd79e6d50f6bb9f23a4a227114e40 |
| SHA256 | 0d70b0c42f84039105ccb742a5db14be0843dfe507de5b06c08772cd2072da06 |
| SHA512 | 2cffb6f49d8ceb6c5a1b4889158ac0e6cd937e9b1694b6b1a7fabd2ad9b967cee0d0522ecdec8193238d28f45849d37a43244dc1301a637fa0dae4f69a61efc9 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
| MD5 | 7011e80fc176123e61d53cf478edece5 |
| SHA1 | 57c1a6fe3bcd80a97098a07f52e2073c20180bfe |
| SHA256 | 8bcdc2923e495555f03c1d06c1d9a46678ca777ce8e2730e27ffb520993405b1 |
| SHA512 | a54b747a630993f5f04962b8dd7995e86f32db3f8e62405e60877ed68f8cdc4f4a7d695447a9732c4930c05f3d7b2ea789e1cb1c8748905b86cf31dd1ffb2dcf |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
| MD5 | 66db5777b8d06443dbbb39efeb445972 |
| SHA1 | feec6c100941da6aa8758a8a5b9a21394a8fb96a |
| SHA256 | 4a8d79da1b6419fdaba83d2dd1d6c66643a07d41403e889e902de0f419c23efa |
| SHA512 | 76f026b66d52cececddf60acfe0185964a97c54384dadf7edde1d1ad808e39f8644a15f173b77fc328bee1154d442bb217ab6193e8010a1491c729ed0585158f |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
| MD5 | f1ed6145925f9a575fd9359e49f7ae85 |
| SHA1 | 561afddb8f0842ace03305368126178544652086 |
| SHA256 | 3e3e7b190fda4e5406e8cd3d76b901a24a8a741130a908d72245248c78a11a0e |
| SHA512 | 9bdd47a0dbbe8080bab1fcb7b0588bff62821ce925b113df4e143949dd8271d15e6d7ae66c49caeadd72aaa853a956e5da8fbe8175ee9c87aa4176513aefac4e |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
| MD5 | 7cd1306be630e801f2e6561ff7465b09 |
| SHA1 | 28dd91e64d76c4c29ac609f0946016a208fd6332 |
| SHA256 | 348791668c74176bed43bd6dc4ba004e760d2e6b565ed76d626d6897a8db4f60 |
| SHA512 | ea8bb312d8cbbc4e0763083361cb61f1aa87906f792aeba0383127c059c91fd3bea388febf005568b22b4256aaf105f6e4fb4a960001c7d14a7f6f3fea766273 |