Malware Analysis Report

2024-09-22 23:55

Sample ID 240430-w3ksdaeg88
Target SilverClient.exe
SHA256 b4fcdc9f24f89baa3710678df4598d6818c2d6c58c0183f2bb61a33e0dade3b4
Tags
stormkitty evasion persistence stealer
score
10/10

Analysis Overview

score
10/10

SHA256

b4fcdc9f24f89baa3710678df4598d6818c2d6c58c0183f2bb61a33e0dade3b4

Threat Level: Known bad

The file SilverClient.exe was found to be: Known bad.

Malicious Activity Summary

stormkitty evasion persistence stealer

StormKitty

StormKitty payload

Sets file to hidden

Executes dropped EXE

Legitimate hosting services abused for malware hosting/C2

Adds Run key to start application

Enumerates physical storage devices

Unsigned PE

Uses Task Scheduler COM API

Uses Volume Shadow Copy service COM API

Suspicious use of AdjustPrivilegeToken

Views/modifies file attributes

Delays execution with timeout.exe

Creates scheduled task(s)

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-04-30 18:26

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-30 18:26

Reported

2024-04-30 18:31

Platform

win10-20240404-en

Max time kernel

204s

Max time network

269s

Command Line

"C:\Users\Admin\AppData\Local\Temp\SilverClient.exe"

Signatures

StormKitty

stealer stormkitty

StormKitty payload

Description Indicator Process Target
N/A N/A N/A N/A

Sets file to hidden

evasion
Description Indicator Process Target
N/A N/A C:\Windows\System32\attrib.exe N/A
N/A N/A C:\Windows\System32\attrib.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\System32\$77svchost.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\System32\\$77svchost.exe\"" C:\Users\Admin\AppData\Local\Temp\SilverClient.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A discord.com N/A N/A
N/A discord.com N/A N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\System32\schtasks.exe N/A

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\timeout.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\SilverClient.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\SilverClient.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\System32\$77svchost.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 33 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 34 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 35 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 36 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3692 wrote to memory of 4824 N/A C:\Users\Admin\AppData\Local\Temp\SilverClient.exe C:\Windows\System32\attrib.exe
PID 3692 wrote to memory of 1604 N/A C:\Users\Admin\AppData\Local\Temp\SilverClient.exe C:\Windows\System32\attrib.exe
PID 3692 wrote to memory of 1820 N/A C:\Users\Admin\AppData\Local\Temp\SilverClient.exe C:\Windows\system32\cmd.exe
PID 1820 wrote to memory of 1932 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 1820 wrote to memory of 816 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Roaming\System32\$77svchost.exe
PID 816 wrote to memory of 5056 N/A C:\Users\Admin\AppData\Roaming\System32\$77svchost.exe C:\Windows\SYSTEM32\schtasks.exe
PID 816 wrote to memory of 3492 N/A C:\Users\Admin\AppData\Roaming\System32\$77svchost.exe C:\Windows\SYSTEM32\schtasks.exe
PID 816 wrote to memory of 1980 N/A C:\Users\Admin\AppData\Roaming\System32\$77svchost.exe C:\Windows\SYSTEM32\schtasks.exe
PID 816 wrote to memory of 4912 N/A C:\Users\Admin\AppData\Roaming\System32\$77svchost.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 816 wrote to memory of 4560 N/A C:\Users\Admin\AppData\Roaming\System32\$77svchost.exe C:\Windows\System32\schtasks.exe
PID 816 wrote to memory of 3556 N/A C:\Users\Admin\AppData\Roaming\System32\$77svchost.exe C:\Windows\System32\cmd.exe
PID 816 wrote to memory of 3316 N/A C:\Users\Admin\AppData\Roaming\System32\$77svchost.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 816 wrote to memory of 2316 N/A C:\Users\Admin\AppData\Roaming\System32\$77svchost.exe C:\Windows\System32\cmd.exe
PID 816 wrote to memory of 2808 N/A C:\Users\Admin\AppData\Roaming\System32\$77svchost.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 816 wrote to memory of 1048 N/A C:\Users\Admin\AppData\Roaming\System32\$77svchost.exe C:\Windows\System32\cmd.exe
PID 816 wrote to memory of 2628 N/A C:\Users\Admin\AppData\Roaming\System32\$77svchost.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 816 wrote to memory of 3588 N/A C:\Users\Admin\AppData\Roaming\System32\$77svchost.exe C:\Windows\System32\cmd.exe
PID 816 wrote to memory of 4404 N/A C:\Users\Admin\AppData\Roaming\System32\$77svchost.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 816 wrote to memory of 1020 N/A C:\Users\Admin\AppData\Roaming\System32\$77svchost.exe C:\Windows\System32\cmd.exe
PID 816 wrote to memory of 4556 N/A C:\Users\Admin\AppData\Roaming\System32\$77svchost.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 816 wrote to memory of 2756 N/A C:\Users\Admin\AppData\Roaming\System32\$77svchost.exe C:\Windows\System32\cmd.exe
PID 816 wrote to memory of 4324 N/A C:\Users\Admin\AppData\Roaming\System32\$77svchost.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 816 wrote to memory of 1420 N/A C:\Users\Admin\AppData\Roaming\System32\$77svchost.exe C:\Windows\System32\cmd.exe
PID 816 wrote to memory of 2076 N/A C:\Users\Admin\AppData\Roaming\System32\$77svchost.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 816 wrote to memory of 1384 N/A C:\Users\Admin\AppData\Roaming\System32\$77svchost.exe C:\Windows\System32\cmd.exe
PID 816 wrote to memory of 3016 N/A C:\Users\Admin\AppData\Roaming\System32\$77svchost.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 816 wrote to memory of 4760 N/A C:\Users\Admin\AppData\Roaming\System32\$77svchost.exe C:\Windows\System32\cmd.exe
PID 816 wrote to memory of 4376 N/A C:\Users\Admin\AppData\Roaming\System32\$77svchost.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 816 wrote to memory of 4700 N/A C:\Users\Admin\AppData\Roaming\System32\$77svchost.exe C:\Windows\System32\cmd.exe
PID 816 wrote to memory of 1932 N/A C:\Users\Admin\AppData\Roaming\System32\$77svchost.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 816 wrote to memory of 4544 N/A C:\Users\Admin\AppData\Roaming\System32\$77svchost.exe C:\Windows\System32\cmd.exe
PID 816 wrote to memory of 3420 N/A C:\Users\Admin\AppData\Roaming\System32\$77svchost.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Uses Task Scheduler COM API

persistence

Uses Volume Shadow Copy service COM API

ransomware

Views/modifies file attributes

evasion
Description Indicator Process Target
N/A N/A C:\Windows\System32\attrib.exe N/A
N/A N/A C:\Windows\System32\attrib.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\SilverClient.exe

"C:\Users\Admin\AppData\Local\Temp\SilverClient.exe"

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\System32\attrib.exe

"C:\Windows\System32\attrib.exe" +s +h "C:\Users\Admin\AppData\Roaming\System32"

C:\Windows\System32\attrib.exe

"C:\Windows\System32\attrib.exe" +s +h "C:\Users\Admin\AppData\Roaming\System32\$77svchost.exe"

C:\Windows\system32\notepad.exe

"C:\Windows\system32\notepad.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpB9EA.tmp.bat""

C:\Windows\system32\timeout.exe

timeout 3

C:\Users\Admin\AppData\Roaming\System32\$77svchost.exe

"C:\Users\Admin\AppData\Roaming\System32\$77svchost.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks.exe" /query /TN $77svchost.exe

C:\Windows\SYSTEM32\schtasks.exe

"schtasks.exe" /Create /SC ONCE /TN "$77svchost.exe" /TR "C:\Users\Admin\AppData\Roaming\System32\$77svchost.exe \"\$77svchost.exe\" /AsAdmin" /ST 00:01 /IT /F /RL HIGHEST

C:\Windows\SYSTEM32\schtasks.exe

"schtasks.exe" /query /TN $77svchost.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ExclusionExtension exe,bat,dll,ps1;exit

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /sc daily /tn "svchost_Task-DAILY-21PM" /TR "%MyFile%" /ST 21:00

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 discord.com udp
US 162.159.138.232:443 discord.com tcp
US 8.8.8.8:53 centre-clan.gl.at.ply.gg udp
US 147.185.221.19:40354 centre-clan.gl.at.ply.gg tcp
US 8.8.8.8:53 232.138.159.162.in-addr.arpa udp
US 8.8.8.8:53 19.221.185.147.in-addr.arpa udp
US 52.111.227.11:443 tcp
US 8.8.8.8:53 133.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 4.173.189.20.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp

Files
