Malware Analysis Report

2025-01-18 06:38

Sample ID 231015-ky3a3sfd43
Target 89797297ce145c9bb7885fbe2d79a482829e1d789e3112f785f6cc6348134db8
SHA256 89797297ce145c9bb7885fbe2d79a482829e1d789e3112f785f6cc6348134db8
Tags
amadey djvu glupteba redline smokeloader logsdiller cloud (tg: @logsdillabot) pub1 up3 backdoor discovery dropper evasion infostealer loader persistence ransomware trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

89797297ce145c9bb7885fbe2d79a482829e1d789e3112f785f6cc6348134db8

Threat Level: Known bad

The file 89797297ce145c9bb7885fbe2d79a482829e1d789e3112f785f6cc6348134db8 was found to be: Known bad.

Malicious Activity Summary

Glupteba payload

Glupteba

Djvu Ransomware

Detected Djvu ransomware

RedLine payload

RedLine

SmokeLoader

Amadey

Downloads MZ/PE file

Stops running service(s)

Modifies Windows Firewall

Checks computer location settings

Loads dropped DLL

Modifies file permissions

Executes dropped EXE

Adds Run key to start application

Looks up external IP address via web service

Suspicious use of SetThreadContext

Launches sc.exe

Unsigned PE

Enumerates physical storage devices

Program crash

Uses Task Scheduler COM API

Creates scheduled task(s)

Suspicious use of WriteProcessMemory

Suspicious behavior: MapViewOfSection

Checks SCSI registry key(s)

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-10-15 09:01

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-10-15 09:01

Reported

2023-10-15 09:04

Platform

win10v2004-20230915-en

Max time kernel

41s

Max time network

138s

Command Line

"C:\Users\Admin\AppData\Local\Temp\89797297ce145c9bb7885fbe2d79a482829e1d789e3112f785f6cc6348134db8.exe"

Signatures

Amadey

trojan amadey

Detected Djvu ransomware

Description Indicator Process Target
(9 events matched; no description, indicator, process or target was captured for any of them)

Djvu Ransomware

ransomware djvu

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target
(15 events matched; no description, indicator, process or target was captured for any of them)

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

SmokeLoader

trojan backdoor smokeloader

Downloads MZ/PE file

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A

Stops running service(s)

evasion

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\216E.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\3E7F.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\1924862b-0908-406e-8dbd-3971d677a1dc\\216E.exe\" --AutoStart" C:\Users\Admin\AppData\Local\Temp\216E.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 4284 set thread context of 4476 N/A C:\Users\Admin\AppData\Local\Temp\216E.exe C:\Users\Admin\AppData\Local\Temp\216E.exe
PID 4312 set thread context of 3108 N/A C:\Users\Admin\AppData\Local\Temp\216E.exe C:\Users\Admin\AppData\Local\Temp\216E.exe

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\System32\sc.exe N/A
N/A N/A C:\Windows\System32\sc.exe N/A
N/A N/A C:\Windows\System32\sc.exe N/A
N/A N/A C:\Windows\System32\sc.exe N/A
N/A N/A C:\Windows\System32\sc.exe N/A

Enumerates physical storage devices

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\216E.exe

Checks SCSI registry key(s)

Description Indicator Process Target
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\89797297ce145c9bb7885fbe2d79a482829e1d789e3112f785f6cc6348134db8.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\89797297ce145c9bb7885fbe2d79a482829e1d789e3112f785f6cc6348134db8.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\89797297ce145c9bb7885fbe2d79a482829e1d789e3112f785f6cc6348134db8.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\89797297ce145c9bb7885fbe2d79a482829e1d789e3112f785f6cc6348134db8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\89797297ce145c9bb7885fbe2d79a482829e1d789e3112f785f6cc6348134db8.exe N/A
(62 further events matched; no description, indicator, process or target was captured)

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\89797297ce145c9bb7885fbe2d79a482829e1d789e3112f785f6cc6348134db8.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target Count
Token: SeShutdownPrivilege N/A N/A N/A 6
Token: SeCreatePagefilePrivilege N/A N/A N/A 6

Suspicious use of WriteProcessMemory

Description Indicator Process Target Count
PID 3188 wrote to memory of 4284 N/A N/A C:\Users\Admin\AppData\Local\Temp\216E.exe 3
PID 3188 wrote to memory of 4840 N/A N/A C:\Users\Admin\AppData\Local\Temp\2314.exe 3
PID 4284 wrote to memory of 4476 N/A C:\Users\Admin\AppData\Local\Temp\216E.exe C:\Users\Admin\AppData\Local\Temp\216E.exe 10
PID 4476 wrote to memory of 4252 N/A C:\Users\Admin\AppData\Local\Temp\216E.exe C:\Windows\System32\Conhost.exe 3
PID 3188 wrote to memory of 784 N/A N/A C:\Users\Admin\AppData\Local\Temp\33A0.exe 2
PID 3188 wrote to memory of 412 N/A N/A C:\Windows\system32\regsvr32.exe 2
PID 412 wrote to memory of 5088 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe 3
PID 4476 wrote to memory of 4312 N/A C:\Users\Admin\AppData\Local\Temp\216E.exe C:\Users\Admin\AppData\Local\Temp\216E.exe 3
PID 3188 wrote to memory of 5108 N/A N/A C:\Users\Admin\AppData\Local\Temp\3E7F.exe 3
PID 4312 wrote to memory of 3108 N/A C:\Users\Admin\AppData\Local\Temp\216E.exe C:\Users\Admin\AppData\Local\Temp\216E.exe 10
PID 3188 wrote to memory of 3444 N/A N/A C:\Users\Admin\AppData\Local\Temp\4304.exe 3

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\89797297ce145c9bb7885fbe2d79a482829e1d789e3112f785f6cc6348134db8.exe

"C:\Users\Admin\AppData\Local\Temp\89797297ce145c9bb7885fbe2d79a482829e1d789e3112f785f6cc6348134db8.exe"

C:\Users\Admin\AppData\Local\Temp\216E.exe

C:\Users\Admin\AppData\Local\Temp\216E.exe

C:\Users\Admin\AppData\Local\Temp\2314.exe

C:\Users\Admin\AppData\Local\Temp\2314.exe

C:\Users\Admin\AppData\Local\Temp\216E.exe

C:\Users\Admin\AppData\Local\Temp\216E.exe

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Users\Admin\AppData\Local\1924862b-0908-406e-8dbd-3971d677a1dc" /deny *S-1-1-0:(OI)(CI)(DE,DC)

C:\Users\Admin\AppData\Local\Temp\33A0.exe

C:\Users\Admin\AppData\Local\Temp\33A0.exe

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\374A.dll

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\374A.dll

C:\Users\Admin\AppData\Local\Temp\216E.exe

"C:\Users\Admin\AppData\Local\Temp\216E.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\3E7F.exe

C:\Users\Admin\AppData\Local\Temp\3E7F.exe

C:\Users\Admin\AppData\Local\Temp\216E.exe

"C:\Users\Admin\AppData\Local\Temp\216E.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\4304.exe

C:\Users\Admin\AppData\Local\Temp\4304.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 3108 -ip 3108

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

"C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe"

C:\Users\Admin\AppData\Local\Temp\493F.exe

C:\Users\Admin\AppData\Local\Temp\493F.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3108 -s 568

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN yiueea.exe /TR "C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe" /F

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "yiueea.exe" /P "Admin:N"&&CACLS "yiueea.exe" /P "Admin:R" /E&&echo Y|CACLS "..\577f58beff" /P "Admin:N"&&CACLS "..\577f58beff" /P "Admin:R" /E&&Exit

C:\Windows\explorer.exe

C:\Windows\explorer.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\cacls.exe

CACLS "yiueea.exe" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "yiueea.exe" /P "Admin:R" /E

C:\Windows\SysWOW64\cacls.exe

CACLS "..\577f58beff" /P "Admin:N"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Users\Admin\AppData\Local\Temp\1000114001\toolspub2.exe

"C:\Users\Admin\AppData\Local\Temp\1000114001\toolspub2.exe"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\577f58beff" /P "Admin:R" /E

C:\Users\Admin\AppData\Local\Temp\1000114001\toolspub2.exe

"C:\Users\Admin\AppData\Local\Temp\1000114001\toolspub2.exe"

C:\Users\Admin\AppData\Local\Temp\1000115001\d21cbe21e38b385a41a68c5e6dd32f4c.exe

"C:\Users\Admin\AppData\Local\Temp\1000115001\d21cbe21e38b385a41a68c5e6dd32f4c.exe"

C:\Users\Admin\AppData\Local\Temp\1000116001\latestX.exe

"C:\Users\Admin\AppData\Local\Temp\1000116001\latestX.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\493F.exe

"C:\Users\Admin\AppData\Local\Temp\493F.exe"

C:\Users\Admin\AppData\Local\Temp\1000115001\d21cbe21e38b385a41a68c5e6dd32f4c.exe

"C:\Users\Admin\AppData\Local\Temp\1000115001\d21cbe21e38b385a41a68c5e6dd32f4c.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force

C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\System32\sc.exe

sc stop UsoSvc

C:\Windows\System32\sc.exe

sc stop WaaSMedicSvc

C:\Windows\System32\sc.exe

sc stop wuauserv

C:\Windows\System32\sc.exe

sc stop bits

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\System32\sc.exe

sc stop dosvc

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#nvjdnn#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-dc 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-dc 0

C:\Windows\System32\schtasks.exe

C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Program Files\Google\Chrome\updater.exe

"C:\Program Files\Google\Chrome\updater.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile
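The process list above is the raw evidence of how this sample settles in: an icacls /deny for Everyone on the GUID directory under %LOCALAPPDATA% (216E.exe, which also registers the SysHelper Run key), a task that re-runs yiueea.exe every minute plus CACLS restrictions on its random Temp directory, a DLL silently registered from Temp via regsvr32 (374A.dll), Defender path exclusions, a firewall allow rule and an ONLOGON task for C:\Windows\rss\csrss.exe, the Windows Update services stopped, power timeouts zeroed, and a task named GoogleUpdateTaskMachineQC that launches C:\Program Files\Google\Chrome\updater.exe. The Python below is an added example, not the sandbox's code, that turns those command lines into detection rules and runs them over (image, command line) pairs copied from the list above. The rule names, the event shape and the ATT&CK technique mapping are this example's own choices; the `Admin` user name and the `577f58beff` directory are deliberately left open in the patterns so the rules are not tied to this run.

```python
"""Command-line detections for the behaviours recorded in this report.

Added example, not the sandbox's own code: each Rule pairs a name and an ATT&CK
technique id with a regex run over the lower-cased "image + command line".
SAMPLE_EVENTS copies (image, command line) pairs from the Processes section;
the event shape, rule names and technique mapping are this example's choices.
"""
import re
from dataclasses import dataclass
from typing import Optional

_WS = re.compile(r"\s+")


def normalise(text: str) -> str:
    """Lower-case, drop quotes and collapse whitespace so the regexes stay short."""
    return _WS.sub(" ", text.replace('"', "").replace("'", "")).strip().lower()


@dataclass
class Rule:
    name: str
    attack_id: Optional[str]
    pattern: re.Pattern


RULES = [
    # icacls /deny to Everyone (S-1-1-0) or CACLS <user>:N on the dropped payload;
    # <user> is left open instead of hard-coding the sandbox's "Admin"
    Rule("acl-deny-on-dropped-payload", "T1222.001",
         re.compile(r"\b(icacls|cacls) .*(/deny \*s-1-1-0|/p [^ :]+:n\b)")),
    # every-minute task whose action lives under %LOCALAPPDATA%\Temp
    Rule("schtasks-minute-loop-from-temp", "T1053.005",
         re.compile(r"schtasks(\.exe)? /create .*/sc minute .*/tr .*\\appdata\\local\\temp\\")),
    Rule("schtasks-onlogon-highest", "T1053.005",
         re.compile(r"schtasks(\.exe)? /create .*/sc onlogon .*/rl highest")),
    Rule("defender-exclusion-added", "T1562.001",
         re.compile(r"add-mppreference .*-exclusionpath")),
    # inbound allow rule for a program that is not under System32
    Rule("firewall-allow-rule-for-non-system32-binary", "T1562.004",
         re.compile(r"netsh advfirewall firewall add rule .*action=allow .*program=(?!c:\\windows\\system32\\)")),
    # a csrss.exe anywhere under C:\Windows other than System32
    Rule("csrss-outside-system32", "T1036.005",
         re.compile(r"c:\\windows\\(?!system32\\)[^ ]*\\csrss\.exe")),
    Rule("update-services-stopped", "T1489",
         re.compile(r"\bsc stop (usosvc|waasmedicsvc|wuauserv|bits|dosvc)\b")),
    Rule("regsvr32-dll-from-temp", "T1218.010",
         re.compile(r"regsvr32(\.exe)? /s .*\\appdata\\local\\temp\\[^ ]+\.dll")),
    Rule("fake-google-update-task", "T1036.004",
         re.compile(r"googleupdatetaskmachineqc")),
    # no clean ATT&CK id: zeroes the sleep/hibernate timeouts so the host stays up
    Rule("sleep-and-hibernate-disabled", None,
         re.compile(r"powercfg /x -(hibernate|standby)-timeout-(ac|dc) 0")),
]


def evaluate(image: str, cmdline: str) -> list:
    """Names of every rule that fires for one process-creation event."""
    haystack = normalise(f"{image} {cmdline}")
    return [rule.name for rule in RULES if rule.pattern.search(haystack)]


def match_events(events) -> dict:
    """Rule name -> list of offending command lines, across many events."""
    hits = {}
    for image, cmdline in events:
        for name in evaluate(image, cmdline):
            hits.setdefault(name, []).append(cmdline)
    return hits


# (image, command line) pairs copied from the Processes section; the last two are
# benign helper processes from the same run and should match nothing
SAMPLE_EVENTS = [
    (r"C:\Windows\SysWOW64\icacls.exe", r'icacls "C:\Users\Admin\AppData\Local\1924862b-0908-406e-8dbd-3971d677a1dc" /deny *S-1-1-0:(OI)(CI)(DE,DC)'),
    (r"C:\Windows\SysWOW64\schtasks.exe", r'"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN yiueea.exe /TR "C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe" /F'),
    (r"C:\Windows\SysWOW64\cmd.exe", r'"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "yiueea.exe" /P "Admin:N"&&CACLS "yiueea.exe" /P "Admin:R" /E&&echo Y|CACLS "..\577f58beff" /P "Admin:N"&&CACLS "..\577f58beff" /P "Admin:R" /E&&Exit'),
    (r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force"),
    (r"C:\Windows\system32\netsh.exe", r'netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes'),
    (r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc"),
    (r"C:\Windows\system32\regsvr32.exe", r"regsvr32 /s C:\Users\Admin\AppData\Local\Temp\374A.dll"),
    (r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", r"""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#nvjdnn#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }"""),
    (r"C:\Windows\SYSTEM32\schtasks.exe", r'schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F'),
    (r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0"),
    (r"C:\Windows\System32\Conhost.exe", r"\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1"),
    (r"C:\Windows\SysWOW64\WerFault.exe", r"C:\Windows\SysWOW64\WerFault.exe -u -p 3108 -s 568"),
]

if __name__ == "__main__":
    for name, lines in match_events(SAMPLE_EVENTS).items():
        print(f"{name}: {len(lines)} event(s)")
        for line in lines:
            print("   ", line[:110])
```

The rules key on argument shapes rather than on file names or hashes, so they survive the per-run renaming (216E.exe, 3E7F.exe, 4304.exe, yiueea.exe) visible in this report. Both the cmd.exe wrapper and the child it spawns fire the same rule (for example the netsh and sc chains), which is intended: in Sysmon Event ID 1 or equivalent telemetry either one may be the only record that survives, and de-duplicating by parent PID belongs in the SIEM, not in the rule.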

Network

Country Destination Domain Proto
US 8.8.8.8:53 2.136.104.51.in-addr.arpa udp
US 8.8.8.8:53 254.23.238.8.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 72.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 onualituyrs.org udp
RU 91.215.85.209:80 onualituyrs.org tcp
RU 91.215.85.209:443 onualituyrs.org tcp
US 8.8.8.8:53 sumagulituyo.org udp
US 34.94.245.237:80 sumagulituyo.org tcp
US 8.8.8.8:53 snukerukeutit.org udp
US 104.198.2.251:80 snukerukeutit.org tcp
US 8.8.8.8:53 209.85.215.91.in-addr.arpa udp
US 8.8.8.8:53 lightseinsteniki.org udp
SG 34.143.166.163:80 lightseinsteniki.org tcp
US 8.8.8.8:53 237.245.94.34.in-addr.arpa udp
US 8.8.8.8:53 251.2.198.104.in-addr.arpa udp
US 8.8.8.8:53 liuliuoumumy.org udp
US 8.8.8.8:53 163.166.143.34.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 stualialuyastrelia.net udp
RU 91.215.85.17:80 stualialuyastrelia.net tcp
US 8.8.8.8:53 240.81.21.72.in-addr.arpa udp
US 8.8.8.8:53 17.85.215.91.in-addr.arpa udp
US 8.8.8.8:53 api.2ip.ua udp
US 188.114.96.0:443 api.2ip.ua tcp
US 8.8.8.8:53 0.96.114.188.in-addr.arpa udp
US 8.8.8.8:53 35.36.251.142.in-addr.arpa udp
RU 79.137.192.18:80 79.137.192.18 tcp
US 8.8.8.8:53 alayyadcare.com udp
PS 213.6.54.58:443 alayyadcare.com tcp
US 8.8.8.8:53 18.192.137.79.in-addr.arpa udp
US 8.8.8.8:53 58.54.6.213.in-addr.arpa udp
US 8.8.8.8:53 montereyclub.org udp
US 172.67.196.133:443 montereyclub.org tcp
US 8.8.8.8:53 loveperry.org udp
US 104.21.86.8:443 loveperry.org tcp
US 8.8.8.8:53 133.196.67.172.in-addr.arpa udp
US 8.8.8.8:53 8.86.21.104.in-addr.arpa udp
RU 79.137.192.18:80 79.137.192.18 tcp
US 8.8.8.8:53 galandskiyher5.com udp
RU 91.215.85.17:80 stualialuyastrelia.net tcp
NL 194.169.175.127:80 galandskiyher5.com tcp
US 8.8.8.8:53 127.175.169.194.in-addr.arpa udp
US 95.214.27.254:80 95.214.27.254 tcp
US 8.8.8.8:53 parrotnight.com udp
US 8.8.8.8:53 254.27.214.95.in-addr.arpa udp
US 188.114.97.0:443 parrotnight.com tcp
US 8.8.8.8:53 unclejohny.com udp
US 104.21.56.176:443 unclejohny.com tcp
US 8.8.8.8:53 0.97.114.188.in-addr.arpa udp
US 8.8.8.8:53 176.56.21.104.in-addr.arpa udp
FR 51.255.152.132:36011 tcp
US 8.8.8.8:53 126.22.238.8.in-addr.arpa udp
US 8.8.8.8:53 45.19.74.20.in-addr.arpa udp
US 8.8.8.8:53 wirtshauspost.at udp
UZ 195.158.3.162:80 wirtshauspost.at tcp
US 8.8.8.8:53 162.3.158.195.in-addr.arpa udp
UZ 195.158.3.162:80 wirtshauspost.at tcp
UZ 195.158.3.162:80 wirtshauspost.at tcp
UZ 195.158.3.162:80 wirtshauspost.at tcp
UZ 195.158.3.162:80 wirtshauspost.at tcp
US 8.8.8.8:53 host-file-host6.com udp
US 8.8.8.8:53 host-host-file8.com udp
NL 194.169.175.127:80 host-host-file8.com tcp
UZ 195.158.3.162:80 wirtshauspost.at tcp
UZ 195.158.3.162:80 wirtshauspost.at tcp
FR 51.255.152.132:36011 tcp
UZ 195.158.3.162:80 wirtshauspost.at tcp
UZ 195.158.3.162:80 wirtshauspost.at tcp
UZ 195.158.3.162:80 wirtshauspost.at tcp
UZ 195.158.3.162:80 wirtshauspost.at tcp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
UZ 195.158.3.162:80 wirtshauspost.at tcp
UZ 195.158.3.162:80 wirtshauspost.at tcp
UZ 195.158.3.162:80 wirtshauspost.at tcp
UZ 195.158.3.162:80 wirtshauspost.at tcp
RU 31.41.244.27:41140 tcp
US 8.8.8.8:53 27.244.41.31.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 udp
FR 51.255.152.132:36011 tcp
US 8.8.8.8:53 57e9fbbf-8b37-4358-9e26-fc64fa2b7031.uuid.thestatsfiles.ru udp
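The Network table mixes three kinds of rows: forward DNS lookups and reverse (in-addr.arpa) lookups to 8.8.8.8, HTTP(S) sessions to named hosts, and TCP flows with either no Domain at all (51.255.152.132:36011, 31.41.244.27:41140) or the literal address in the Domain column (79.137.192.18). The script below is an added example, not part of the report, that parses an excerpt of those rows, drops the resolver and PTR noise, aggregates connections per ip:port and flags the properties an analyst acts on first: non-standard ports, flows with no preceding name resolution, direct-IP connections, the api.2ip.ua external-IP check listed under Signatures, and names that were queried but never connected to. The bing.net allowlist is an assumption about Windows background traffic, not something the report states.

```python
"""Triage of the sandbox Network table: resolver noise vs. candidate C2.

Added example, not part of the report.  NETWORK_EXCERPT copies a subset of the
rows from the Network section (Country, Destination, Domain, Proto; the Domain
column is blank for some flows).  BENIGN_SUFFIXES and the flag names are this
example's own assumptions about Windows background traffic, not report content.
"""
from dataclasses import dataclass, field

NETWORK_EXCERPT = """\
US 8.8.8.8:53 2.136.104.51.in-addr.arpa udp
US 8.8.8.8:53 onualituyrs.org udp
RU 91.215.85.209:80 onualituyrs.org tcp
RU 91.215.85.209:443 onualituyrs.org tcp
US 8.8.8.8:53 api.2ip.ua udp
US 188.114.96.0:443 api.2ip.ua tcp
RU 79.137.192.18:80 79.137.192.18 tcp
RU 79.137.192.18:80 79.137.192.18 tcp
FR 51.255.152.132:36011 tcp
UZ 195.158.3.162:80 wirtshauspost.at tcp
UZ 195.158.3.162:80 wirtshauspost.at tcp
UZ 195.158.3.162:80 wirtshauspost.at tcp
RU 31.41.244.27:41140 tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 udp
US 8.8.8.8:53 57e9fbbf-8b37-4358-9e26-fc64fa2b7031.uuid.thestatsfiles.ru udp
"""

BENIGN_SUFFIXES = ("bing.net",)   # assumption: Windows/Bing background traffic
IP_CHECK_HOSTS = {"api.2ip.ua"}    # the "Looks up external IP address" signature


@dataclass
class Endpoint:
    ip: str
    port: int
    country: str
    count: int = 0
    names: set = field(default_factory=set)
    flags: set = field(default_factory=set)


def parse_rows(text: str) -> list:
    """Split table rows into (country, ip, port, domain, proto); domain may be ''."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 4:
            country, dest, domain, proto = parts
        elif len(parts) == 3:              # blank Domain column
            country, dest, proto = parts
            domain = ""
        else:
            continue
        ip, port = dest.rsplit(":", 1)
        rows.append((country, ip, int(port), domain, proto))
    return rows


def triage(rows):
    """Return (queried names, {(ip, port): Endpoint}, names queried but never connected)."""
    queried, endpoints = set(), {}
    for country, ip, port, domain, proto in rows:
        if proto == "udp" and port == 53:
            # resolver traffic: keep forward lookups, drop PTR (in-addr.arpa) and empty rows
            if domain and not domain.endswith(".in-addr.arpa"):
                queried.add(domain)
            continue
        ep = endpoints.setdefault((ip, port), Endpoint(ip, port, country))
        ep.count += 1
        if domain == ip:
            ep.flags.add("direct-ip")        # Domain column is just the literal address
        elif not domain:
            ep.flags.add("no-dns-name")      # no resolution preceded this flow
        else:
            ep.names.add(domain)
        if port not in (80, 443):
            ep.flags.add("non-standard-port")
        if any(n.endswith(BENIGN_SUFFIXES) for n in ep.names):
            ep.flags.add("likely-benign")
        if ep.names & IP_CHECK_HOSTS:
            ep.flags.add("external-ip-lookup")
    contacted = set().union(*(ep.names for ep in endpoints.values()))
    return queried, endpoints, queried - contacted


def report(rows) -> list:
    """Blocklist-style lines, busiest endpoint first, likely-benign ones dropped."""
    queried, endpoints, dns_only = triage(rows)
    lines = []
    for (ip, port), ep in sorted(endpoints.items(), key=lambda kv: -kv[1].count):
        if "likely-benign" in ep.flags:
            continue
        names = ",".join(sorted(ep.names)) or "-"
        lines.append(f"{ep.country} {ip}:{port} x{ep.count} {names} [{', '.join(sorted(ep.flags)) or 'named-host'}]")
    lines.extend(f"DNS-only {name} (queried, no TCP flow observed)" for name in sorted(dns_only))
    return lines


if __name__ == "__main__":
    print("\n".join(report(parse_rows(NETWORK_EXCERPT))))
```

Run against the full table the same way, the repeated wirtshauspost.at rows collapse into a single endpoint with a hit count, and the two no-name flows on ports 36011 and 41140 stand out as the only destinations that were never resolved by name, which is the first thing to check against the RedLine and SmokeLoader detections on this page before adding them to a blocklist.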

Files

memory/2252-1-0x0000000000670000-0x0000000000770000-memory.dmp

memory/2252-2-0x0000000002300000-0x000000000230B000-memory.dmp

memory/2252-3-0x0000000000400000-0x00000000005B3000-memory.dmp

memory/3188-4-0x00000000027A0000-0x00000000027B6000-memory.dmp

memory/2252-5-0x0000000000400000-0x00000000005B3000-memory.dmp

memory/2252-8-0x0000000002300000-0x000000000230B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\216E.exe

MD5 b5a49d7c6a9c31248c0676d0fc921967
SHA1 e2226592e6cebf82f5de1e76380bbb01291344bb
SHA256 e62936b1d28e5d77393275f6075ec71d424568469a2c7b6cec687553aeacfb22
SHA512 20f3f6b77bf6fb5c090730410bd110c017a92a9cae407850d9c254491fd0aca2d14ef7c3b94ca112ca6725360d2264188a335addd8c79d4b7ffde0832a0bbe8c

C:\Users\Admin\AppData\Local\Temp\216E.exe

MD5 b5a49d7c6a9c31248c0676d0fc921967
SHA1 e2226592e6cebf82f5de1e76380bbb01291344bb
SHA256 e62936b1d28e5d77393275f6075ec71d424568469a2c7b6cec687553aeacfb22
SHA512 20f3f6b77bf6fb5c090730410bd110c017a92a9cae407850d9c254491fd0aca2d14ef7c3b94ca112ca6725360d2264188a335addd8c79d4b7ffde0832a0bbe8c

C:\Users\Admin\AppData\Local\Temp\2314.exe

MD5 5b293206e810d2871736e1ecbd9cc196
SHA1 47c0baadfba1876cb8ffdff6f057f16f2076197f
SHA256 f31ce717ef107b5c0901a0c8581553b71ad7a09180e28a1575b0955905519628
SHA512 110ae30f84747fb35cc75f6b2608aea5f90f25c3b2c49105deedc121d2ab8036949f58acc3d436b5d4584c9c1a7a30bac74f501b786f4e71d6414950d19fbb32

memory/4284-23-0x0000000004930000-0x00000000049CA000-memory.dmp

memory/4284-24-0x00000000049D0000-0x0000000004AEB000-memory.dmp

memory/4476-25-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\216E.exe

MD5 b5a49d7c6a9c31248c0676d0fc921967
SHA1 e2226592e6cebf82f5de1e76380bbb01291344bb
SHA256 e62936b1d28e5d77393275f6075ec71d424568469a2c7b6cec687553aeacfb22
SHA512 20f3f6b77bf6fb5c090730410bd110c017a92a9cae407850d9c254491fd0aca2d14ef7c3b94ca112ca6725360d2264188a335addd8c79d4b7ffde0832a0bbe8c

memory/4476-28-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\2314.exe

MD5 5b293206e810d2871736e1ecbd9cc196
SHA1 47c0baadfba1876cb8ffdff6f057f16f2076197f
SHA256 f31ce717ef107b5c0901a0c8581553b71ad7a09180e28a1575b0955905519628
SHA512 110ae30f84747fb35cc75f6b2608aea5f90f25c3b2c49105deedc121d2ab8036949f58acc3d436b5d4584c9c1a7a30bac74f501b786f4e71d6414950d19fbb32

memory/4476-30-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4476-31-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\33A0.exe

MD5 22b5ba8e29ad46aea74520369763650a
SHA1 5477b1f2384bc99e50cf8414c6adfe2e9c0ab2ec
SHA256 ebd8083f3e802cac490686d05a3fe08e2305a6657a9af5ef38fe772496f621ec
SHA512 38cb42bbb50a3aca19c3af8af01bf5d46e27841f50df2fc421183550daad6b65f91c3e454705a9e3ad9706a198c7bd928d6e2d1487a369cd7d3788e547e6eead

C:\Users\Admin\AppData\Local\1924862b-0908-406e-8dbd-3971d677a1dc\216E.exe

MD5 b5a49d7c6a9c31248c0676d0fc921967
SHA1 e2226592e6cebf82f5de1e76380bbb01291344bb
SHA256 e62936b1d28e5d77393275f6075ec71d424568469a2c7b6cec687553aeacfb22
SHA512 20f3f6b77bf6fb5c090730410bd110c017a92a9cae407850d9c254491fd0aca2d14ef7c3b94ca112ca6725360d2264188a335addd8c79d4b7ffde0832a0bbe8c

C:\Users\Admin\AppData\Local\Temp\374A.dll

MD5 55f1c499b31e58a29f6dacea7580fb69
SHA1 c6e5c6a4bb84374a6b172e8eb0c43aaab5423e1a
SHA256 b2fadb2f33351919a782043b2898b201b7420fd1d57800a1d144710156640854
SHA512 9c2f2189e686e05585c6afef0cb4608b5c81ec89f48b992c600fa95ede32a51dc1ee53df518f97b3fb1c8c096adbc3534562f3d6af921bd9b1781fa9dd7786e1

C:\Users\Admin\AppData\Local\Temp\374A.dll

MD5 55f1c499b31e58a29f6dacea7580fb69
SHA1 c6e5c6a4bb84374a6b172e8eb0c43aaab5423e1a
SHA256 b2fadb2f33351919a782043b2898b201b7420fd1d57800a1d144710156640854
SHA512 9c2f2189e686e05585c6afef0cb4608b5c81ec89f48b992c600fa95ede32a51dc1ee53df518f97b3fb1c8c096adbc3534562f3d6af921bd9b1781fa9dd7786e1

memory/4476-49-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\216E.exe

MD5 b5a49d7c6a9c31248c0676d0fc921967
SHA1 e2226592e6cebf82f5de1e76380bbb01291344bb
SHA256 e62936b1d28e5d77393275f6075ec71d424568469a2c7b6cec687553aeacfb22
SHA512 20f3f6b77bf6fb5c090730410bd110c017a92a9cae407850d9c254491fd0aca2d14ef7c3b94ca112ca6725360d2264188a335addd8c79d4b7ffde0832a0bbe8c

memory/5088-47-0x0000000010000000-0x0000000010251000-memory.dmp

memory/5088-46-0x00000000029D0000-0x00000000029D6000-memory.dmp

memory/4312-54-0x0000000004780000-0x0000000004815000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\3E7F.exe

MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

C:\Users\Admin\AppData\Local\Temp\3E7F.exe

MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

memory/3108-62-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\216E.exe

MD5 b5a49d7c6a9c31248c0676d0fc921967
SHA1 e2226592e6cebf82f5de1e76380bbb01291344bb
SHA256 e62936b1d28e5d77393275f6075ec71d424568469a2c7b6cec687553aeacfb22
SHA512 20f3f6b77bf6fb5c090730410bd110c017a92a9cae407850d9c254491fd0aca2d14ef7c3b94ca112ca6725360d2264188a335addd8c79d4b7ffde0832a0bbe8c

memory/3108-63-0x0000000000400000-0x0000000000537000-memory.dmp

memory/3108-65-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

C:\Users\Admin\AppData\Local\Temp\4304.exe

MD5 688bcddee8d887a70a70eb791b44abf5
SHA1 92cc959bb52a864820b438d82b9b17cc45d88ab4
SHA256 20c3c13c00a83d0add5a87d151506a28802bc08463efdede49d5dbe94fec1c80
SHA512 4ca4afa8bf7fb92042ff188800032c7badc3372bbd30739e7fd994c9aa75f8b2723175172927cd5d2500417755920fc8543a1822c3366d814f113e4f3e75628a

C:\Users\Admin\AppData\Local\Temp\4304.exe

MD5 688bcddee8d887a70a70eb791b44abf5
SHA1 92cc959bb52a864820b438d82b9b17cc45d88ab4
SHA256 20c3c13c00a83d0add5a87d151506a28802bc08463efdede49d5dbe94fec1c80
SHA512 4ca4afa8bf7fb92042ff188800032c7badc3372bbd30739e7fd994c9aa75f8b2723175172927cd5d2500417755920fc8543a1822c3366d814f113e4f3e75628a

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

memory/3444-78-0x0000000000840000-0x0000000000940000-memory.dmp

memory/3444-79-0x0000000000600000-0x000000000060B000-memory.dmp

memory/3444-80-0x0000000000400000-0x00000000005B3000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\493F.exe

MD5 f0118fdfcadf8262c58b3638c0edc6a9
SHA1 a10b96bfc56711c9d605a0b61cca01b4ba6b6658
SHA256 8e380777da39ad7a588f4d9b703adc18b4ba935c21b17f215a3da5792672f205
SHA512 99ac5c4de20e47e8c355e9852061cb1ef25a44a5ef20cc0dd6187d13676a1cd7dd8a44cffa9462715bff3c7c7268814afe9fffb9b664f3e2cef3595a6b148837

memory/4220-87-0x0000000000A00000-0x0000000000A6B000-memory.dmp

memory/4220-88-0x0000000000A70000-0x0000000000AE5000-memory.dmp

memory/4220-89-0x0000000000A00000-0x0000000000A6B000-memory.dmp

memory/1664-90-0x0000000000330000-0x000000000033C000-memory.dmp

memory/1664-91-0x0000000000340000-0x0000000000347000-memory.dmp

memory/1664-92-0x0000000000330000-0x000000000033C000-memory.dmp

memory/1560-114-0x0000000004C80000-0x000000000507C000-memory.dmp

memory/1560-115-0x0000000005080000-0x000000000596B000-memory.dmp

memory/1560-118-0x0000000000400000-0x0000000002FB8000-memory.dmp

memory/4220-119-0x0000000000A00000-0x0000000000A6B000-memory.dmp

memory/2096-120-0x0000000000400000-0x000000000043E000-memory.dmp

memory/3188-121-0x0000000002A10000-0x0000000002A26000-memory.dmp

memory/3444-124-0x0000000000400000-0x00000000005B3000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000114001\toolspub2.exe

MD5 dd1ea20cda85521bad514b1dcf2b409d
SHA1 e26d843e8849b95c4c3a8ce48ccdf18c6761d95a
SHA256 453054938097512b4df042496b11293b6438d23af3edafdb856b4e3ac0e21fc4
SHA512 ba4cd77f6dc5f632cd02a868f94c01b1bac0539b5ac5b7d2754ab084b447f21905dfd153efe7e4e2372d01e0eb6533a1dbda58c134e9e99d848acd97d9c8ab1b

memory/784-125-0x00007FF670FE0000-0x00007FF671931000-memory.dmp

memory/2096-137-0x0000000071FE0000-0x0000000072790000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000114001\toolspub2.exe

MD5 dd1ea20cda85521bad514b1dcf2b409d
SHA1 e26d843e8849b95c4c3a8ce48ccdf18c6761d95a
SHA256 453054938097512b4df042496b11293b6438d23af3edafdb856b4e3ac0e21fc4
SHA512 ba4cd77f6dc5f632cd02a868f94c01b1bac0539b5ac5b7d2754ab084b447f21905dfd153efe7e4e2372d01e0eb6533a1dbda58c134e9e99d848acd97d9c8ab1b

memory/5088-141-0x0000000010000000-0x0000000010251000-memory.dmp

memory/5088-143-0x0000000002E20000-0x0000000002F3B000-memory.dmp

memory/2096-142-0x0000000007B30000-0x00000000080D4000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000397001\taskhost.exe

MD5 62962daa1b19bbcc2db10b7bfd531ea6
SHA1 d64bae91091eda6a7532ebec06aa70893b79e1f8
SHA256 80c3fe2ae1062abf56456f52518bd670f9ec3917b7f85e152b347ac6b6faf880
SHA512 9002a0475fdb38541e78048709006926655c726e93e823b84e2dbf5b53fd539a5342e7266447d23db0e5528e27a19961b115b180c94f2272ff124c7e5c8304e7

memory/2096-144-0x0000000007660000-0x00000000076F2000-memory.dmp

memory/2684-150-0x0000000000710000-0x0000000000810000-memory.dmp

memory/2684-151-0x0000000000600000-0x0000000000609000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000114001\toolspub2.exe

MD5 dd1ea20cda85521bad514b1dcf2b409d
SHA1 e26d843e8849b95c4c3a8ce48ccdf18c6761d95a
SHA256 453054938097512b4df042496b11293b6438d23af3edafdb856b4e3ac0e21fc4
SHA512 ba4cd77f6dc5f632cd02a868f94c01b1bac0539b5ac5b7d2754ab084b447f21905dfd153efe7e4e2372d01e0eb6533a1dbda58c134e9e99d848acd97d9c8ab1b

memory/2352-159-0x0000000000400000-0x0000000000409000-memory.dmp

memory/2352-157-0x0000000000400000-0x0000000000409000-memory.dmp

memory/2096-165-0x0000000007630000-0x0000000007640000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

MD5 bdc73040839f1513324b4fd448f785f8
SHA1 e62c5a03b7c37d1d55861124c8e336cd3ec836b7
SHA256 6f324bd8615e1c76a1eacc3213060e145ee5c94f995fab5ac8a8f4f355e515fb
SHA512 33179f215853448c8e6ad0ad87e99520ad7b059eed264ef9abe71f274a7e558a546113d56e5a5bf3cc65a007ccd2b990ddaa382d71798584d3d45c1a7534e175

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

MD5 8202a1cd02e7d69597995cabbe881a12
SHA1 8858d9d934b7aa9330ee73de6c476acf19929ff6
SHA256 58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5
SHA512 97ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

MD5 a3368211e62a4b5e5b8e8a6b03705fe5
SHA1 6553fdaea087a6685ced9b8ec7b7284ec54bcd78
SHA256 73cc0a482562344b7b97ea37057485f18fc50af6afaac2b88a1ec3fadb0a3e35
SHA512 9b90d2f3d4b9d9a172d93bae338121391cc2f07cf1a5014679e0d0947c2a025e09c3c0cf8b67da266a7aae3ee968ac847516c57c6127dee3c06a189d3c3349aa

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

MD5 7c35b581cf9942855d622bf4d0263a3e
SHA1 b45ef514848d4194348b303557e0b27f98fb5ac7
SHA256 3796f6c84dd6b1445eee4d21e0e4e9f2f22634162c70e97126c8d1619c6e031d
SHA512 b3028bbf133c8d5ae9b80bc5b12fbb5e8c903a3196ba6f32bde554a4f424a1cfa4e637590a202475f96e229f351d00da82a10db24a9ac49c1e630bf508f0b4c3

C:\Users\Admin\AppData\Local\Temp\1000115001\d21cbe21e38b385a41a68c5e6dd32f4c.exe

MD5 8627c70b06ccae7c64acdd10a0d5d0ae
SHA1 fd87db535189654374d269e59ff1dd62020e4464
SHA256 a000684c9fcd2d5a528161a3513f726b2307fa6b50788a568fec0930b452d59e
SHA512 a4ba244cc35acd7be1a75239d0d6e148a0fd46d8fb09d650ccffc00c4e5f891b0810a316b28f08f1f2a19b2fdcb9097bcba5a6fe04c39a7d83e4dcf194dfdd99

memory/2096-178-0x0000000007810000-0x000000000781A000-memory.dmp

memory/5088-179-0x0000000002F40000-0x0000000003041000-memory.dmp

memory/5088-180-0x0000000002F40000-0x0000000003041000-memory.dmp

memory/5088-184-0x0000000002F40000-0x0000000003041000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000115001\d21cbe21e38b385a41a68c5e6dd32f4c.exe

MD5 8627c70b06ccae7c64acdd10a0d5d0ae
SHA1 fd87db535189654374d269e59ff1dd62020e4464
SHA256 a000684c9fcd2d5a528161a3513f726b2307fa6b50788a568fec0930b452d59e
SHA512 a4ba244cc35acd7be1a75239d0d6e148a0fd46d8fb09d650ccffc00c4e5f891b0810a316b28f08f1f2a19b2fdcb9097bcba5a6fe04c39a7d83e4dcf194dfdd99

memory/1560-198-0x0000000004C80000-0x000000000507C000-memory.dmp

memory/5088-199-0x0000000002F40000-0x0000000003041000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000116001\latestX.exe

MD5 bae29e49e8190bfbbf0d77ffab8de59d
SHA1 4a6352bb47c7e1666a60c76f9b17ca4707872bd9
SHA256 f91e4ff7811a5848561463d970c51870c9299a80117a89fb86a698b9f727de87
SHA512 9e6cf6519e21143f9b570a878a5ca1bba376256217c34ab676e8d632611d468f277a0d6f946ab8705121002d96a89274f38458affe3df3a3a1c75e336d7d66e2

memory/2096-207-0x0000000008700000-0x0000000008D18000-memory.dmp

memory/2096-208-0x00000000079C0000-0x0000000007ACA000-memory.dmp

memory/2096-211-0x00000000078F0000-0x0000000007902000-memory.dmp

memory/1560-200-0x0000000000400000-0x0000000002FB8000-memory.dmp

memory/2096-214-0x0000000007950000-0x000000000798C000-memory.dmp

memory/2096-215-0x0000000007AD0000-0x0000000007B1C000-memory.dmp

memory/2184-217-0x0000000004CA0000-0x000000000509B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000116001\latestX.exe

MD5 bae29e49e8190bfbbf0d77ffab8de59d
SHA1 4a6352bb47c7e1666a60c76f9b17ca4707872bd9
SHA256 f91e4ff7811a5848561463d970c51870c9299a80117a89fb86a698b9f727de87
SHA512 9e6cf6519e21143f9b570a878a5ca1bba376256217c34ab676e8d632611d468f277a0d6f946ab8705121002d96a89274f38458affe3df3a3a1c75e336d7d66e2

memory/1560-229-0x0000000005080000-0x000000000596B000-memory.dmp

memory/3188-230-0x0000000002CA0000-0x0000000002CB6000-memory.dmp

memory/2352-231-0x0000000000400000-0x0000000000409000-memory.dmp

memory/2184-235-0x0000000000400000-0x0000000002FB8000-memory.dmp

memory/2632-236-0x0000000000D10000-0x0000000000D46000-memory.dmp

memory/2632-237-0x0000000004E70000-0x0000000005498000-memory.dmp

memory/2864-238-0x0000000005340000-0x0000000005362000-memory.dmp

memory/2632-239-0x0000000004D40000-0x0000000004DA6000-memory.dmp

memory/2632-242-0x00000000054A0000-0x0000000005506000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_l42ig1bb.n44.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/2864-255-0x0000000005D70000-0x00000000060C4000-memory.dmp

memory/1560-260-0x0000000000400000-0x0000000002FB8000-memory.dmp

memory/784-261-0x00007FF670FE0000-0x00007FF671931000-memory.dmp

memory/2632-262-0x0000000071FE0000-0x0000000072790000-memory.dmp

memory/2864-263-0x0000000071FE0000-0x0000000072790000-memory.dmp

memory/2632-264-0x0000000004830000-0x0000000004840000-memory.dmp

memory/2864-265-0x0000000004D30000-0x0000000004D40000-memory.dmp

memory/2864-266-0x0000000004D30000-0x0000000004D40000-memory.dmp

memory/2096-267-0x0000000071FE0000-0x0000000072790000-memory.dmp

memory/2864-268-0x0000000006340000-0x000000000635E000-memory.dmp

memory/2864-270-0x00000000068E0000-0x0000000006924000-memory.dmp

memory/2184-269-0x0000000000400000-0x0000000002FB8000-memory.dmp

memory/1560-271-0x0000000000400000-0x0000000002FB8000-memory.dmp

memory/2168-272-0x00007FF745940000-0x00007FF745EE1000-memory.dmp

memory/2632-273-0x0000000004830000-0x0000000004840000-memory.dmp

memory/2864-274-0x0000000004D30000-0x0000000004D40000-memory.dmp

memory/2096-275-0x0000000007630000-0x0000000007640000-memory.dmp

memory/2632-276-0x0000000006D80000-0x0000000006DF6000-memory.dmp

memory/2864-277-0x0000000007B50000-0x00000000081CA000-memory.dmp

memory/2864-278-0x0000000007500000-0x000000000751A000-memory.dmp

memory/2184-279-0x0000000004CA0000-0x000000000509B000-memory.dmp

memory/784-280-0x00007FF670FE0000-0x00007FF671931000-memory.dmp

memory/2864-281-0x00000000078D0000-0x0000000007902000-memory.dmp

memory/2632-283-0x0000000073190000-0x00000000731DC000-memory.dmp

memory/2632-285-0x000000006C530000-0x000000006C884000-memory.dmp

memory/2864-284-0x000000006C530000-0x000000006C884000-memory.dmp

memory/2864-282-0x0000000073190000-0x00000000731DC000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 a6ea7bfcd3aac150c0caef765cb52281
SHA1 037dc22c46a0eb0b9ad4c74088129e387cffe96b
SHA256 f019af2e5e74cdf13c963910500f9436c66b6f2901f5056d72f82310f20113b9
SHA512 c8d2d373b48a26cf6eec1f5cfc05819011a3fc49d863820ad07b6442dd6d5f64e27022a9e4c381eb58bf7f6b19f8e77d508734ff803073ec2fb32da9081b6f23

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 6af32d9529a23b5294409f9cf38fa3e1
SHA1 cebe90244976f836127233754033182cc4894e13
SHA256 e1c6e39660d04cff2154c02af62579f0bd6d7ae276ef6e6730547d9a9dc6c60e
SHA512 5edf681dcc62a97f61b6b8523ba6e64d0a03ae428118d5a697fdf1842b617b6be7736a0326a8a6029946431495a323b6d514a7d773840d8a99fb640829daf339

C:\Users\Admin\AppData\Local\Temp\493F.exe

MD5 f0118fdfcadf8262c58b3638c0edc6a9
SHA1 a10b96bfc56711c9d605a0b61cca01b4ba6b6658
SHA256 8e380777da39ad7a588f4d9b703adc18b4ba935c21b17f215a3da5792672f205
SHA512 99ac5c4de20e47e8c355e9852061cb1ef25a44a5ef20cc0dd6187d13676a1cd7dd8a44cffa9462715bff3c7c7268814afe9fffb9b664f3e2cef3595a6b148837

C:\Users\Admin\AppData\Local\Temp\1000115001\d21cbe21e38b385a41a68c5e6dd32f4c.exe

MD5 8627c70b06ccae7c64acdd10a0d5d0ae
SHA1 fd87db535189654374d269e59ff1dd62020e4464
SHA256 a000684c9fcd2d5a528161a3513f726b2307fa6b50788a568fec0930b452d59e
SHA512 a4ba244cc35acd7be1a75239d0d6e148a0fd46d8fb09d650ccffc00c4e5f891b0810a316b28f08f1f2a19b2fdcb9097bcba5a6fe04c39a7d83e4dcf194dfdd99

memory/1560-328-0x0000000000400000-0x0000000002FB8000-memory.dmp

memory/2184-332-0x0000000000400000-0x0000000002FB8000-memory.dmp

C:\Users\Admin\AppData\Roaming\dvfvrur

MD5 688bcddee8d887a70a70eb791b44abf5
SHA1 92cc959bb52a864820b438d82b9b17cc45d88ab4
SHA256 20c3c13c00a83d0add5a87d151506a28802bc08463efdede49d5dbe94fec1c80
SHA512 4ca4afa8bf7fb92042ff188800032c7badc3372bbd30739e7fd994c9aa75f8b2723175172927cd5d2500417755920fc8543a1822c3366d814f113e4f3e75628a

memory/784-344-0x00007FF670FE0000-0x00007FF671931000-memory.dmp

memory/4396-396-0x0000000000400000-0x0000000002FB8000-memory.dmp

memory/4844-397-0x0000000000400000-0x0000000002FB8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

memory/784-404-0x00007FF670FE0000-0x00007FF671931000-memory.dmp

memory/1320-419-0x0000000000190000-0x00000000001EA000-memory.dmp

memory/784-420-0x00007FF670FE0000-0x00007FF671931000-memory.dmp

memory/4844-433-0x0000000000400000-0x0000000002FB8000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 3d086a433708053f9bf9523e1d87a4e8
SHA1 b3ab5d4f282a4c8fe8c3005b8a557ed5a0e37f28
SHA256 6f8fd1b8d9788ad54eaeee329232187e24b7b43393a01aeba2d6e9675231fb69
SHA512 931ae42b4c68a4507ff2342332b08eb407050d47cf4176137ea022d0f6e513c689e998445a04c6d18d4877391705c586bfce0234632b898d41aaed0957996dfd

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 df409b60e9cc5122150324efef71bdb5
SHA1 685eaf9c7ecc4f718821dfbd7ef85993f3b83c4f
SHA256 f5b3581f589023e3b1d6741d6cb56028c13d86f0f32aed3049508c9f99d2aaa8
SHA512 74d707e8da5337eb3f61cbd6f6f3ead382811c6c8fde604d94b1c20829fd744a16d4388aaa0219c2d4242c74fa964ab51dc84150049cfe7c256eaf51d598593d

memory/2168-443-0x00007FF745940000-0x00007FF745EE1000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 d85ba6ff808d9e5444a4b369f5bc2730
SHA1 31aa9d96590fff6981b315e0b391b575e4c0804a
SHA256 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA512 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 df409b60e9cc5122150324efef71bdb5
SHA1 685eaf9c7ecc4f718821dfbd7ef85993f3b83c4f
SHA256 f5b3581f589023e3b1d6741d6cb56028c13d86f0f32aed3049508c9f99d2aaa8
SHA512 74d707e8da5337eb3f61cbd6f6f3ead382811c6c8fde604d94b1c20829fd744a16d4388aaa0219c2d4242c74fa964ab51dc84150049cfe7c256eaf51d598593d

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 17fbfbe3f04595e251287a6bfcdc35de
SHA1 b576aabfd5e6d5799d487011506ed1ae70688987
SHA256 2e61ae727ca01496c9418a65777d6d7e05a85cbdb6b3a19516857442e5bd2da0
SHA512 449c68512d90a17f598e9dacfd6230e6e97bc6bfaaf2b06f3b91b370ece92e2322b81ee3721e288880fa1f05470156e519256e3f03d786c3b28a39788f5e0ad6

memory/4396-485-0x0000000000400000-0x0000000002FB8000-memory.dmp

memory/4844-486-0x0000000000400000-0x0000000002FB8000-memory.dmp

memory/2168-487-0x00007FF745940000-0x00007FF745EE1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000116001\latestX.exe

MD5 bae29e49e8190bfbbf0d77ffab8de59d
SHA1 4a6352bb47c7e1666a60c76f9b17ca4707872bd9
SHA256 f91e4ff7811a5848561463d970c51870c9299a80117a89fb86a698b9f727de87
SHA512 9e6cf6519e21143f9b570a878a5ca1bba376256217c34ab676e8d632611d468f277a0d6f946ab8705121002d96a89274f38458affe3df3a3a1c75e336d7d66e2

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 66024cccd2a7839409e6998681085174
SHA1 2d5a3197834bfe187d13ddfecf1a77828ce15722
SHA256 4417189a3c25c92d5dc5aa4ba84f3ddf9a9b7d7ccbe6c1e9f43c16a42e1c89d5
SHA512 abde81db85335023dc375eefaf0b7093f274f3622cd2207d2f6583d3fc65fa6284820531d7339603b9ff0364db289c09c46f01f4fed548d94baccd9deea5381b

C:\Program Files\Google\Chrome\updater.exe

MD5 bae29e49e8190bfbbf0d77ffab8de59d
SHA1 4a6352bb47c7e1666a60c76f9b17ca4707872bd9
SHA256 f91e4ff7811a5848561463d970c51870c9299a80117a89fb86a698b9f727de87
SHA512 9e6cf6519e21143f9b570a878a5ca1bba376256217c34ab676e8d632611d468f277a0d6f946ab8705121002d96a89274f38458affe3df3a3a1c75e336d7d66e2

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 66024cccd2a7839409e6998681085174
SHA1 2d5a3197834bfe187d13ddfecf1a77828ce15722
SHA256 4417189a3c25c92d5dc5aa4ba84f3ddf9a9b7d7ccbe6c1e9f43c16a42e1c89d5
SHA512 abde81db85335023dc375eefaf0b7093f274f3622cd2207d2f6583d3fc65fa6284820531d7339603b9ff0364db289c09c46f01f4fed548d94baccd9deea5381b

C:\Windows\rss\csrss.exe

MD5 8627c70b06ccae7c64acdd10a0d5d0ae
SHA1 fd87db535189654374d269e59ff1dd62020e4464
SHA256 a000684c9fcd2d5a528161a3513f726b2307fa6b50788a568fec0930b452d59e
SHA512 a4ba244cc35acd7be1a75239d0d6e148a0fd46d8fb09d650ccffc00c4e5f891b0810a316b28f08f1f2a19b2fdcb9097bcba5a6fe04c39a7d83e4dcf194dfdd99

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 718676ce5f44cf52460766e8356760a3
SHA1 d240893459cea235c796726054f5c610cd8a5f6f
SHA256 75ca743590a4ae372c9f88497c244f5476d676c7e9d9129c9e5a91f732e1aa3c
SHA512 8bcd8a9ca606853f8c898fb420956fdbdb4829325046611dc6342148649bc3006a492f70ab9218f06401670d30ad17bf889e4f82ee02a363f4d2180260a9bcfa

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 cb4f8d835b99ecd6d316903c2dac2037
SHA1 98fa19b59ca3697d724bf6ce01f83525e0a885e1
SHA256 4979e15655f251daa474d44a26f3a67fc82decd3461936c604cd4a3554f77015
SHA512 b07996d76d36144993b8bbb521f7c33c54212fc0122fee241b75001ca1f32d6716c9ff0f10638888d1967daeb428d46b190892c616dcefbd72c8bf27da60af37

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 77d8ba53534fe4876bad1dd61250fbcf
SHA1 182cbda228a83015a6f1f32adb83ee223e2c7d57
SHA256 04b6b20cd7218cc4109b060f70c03d70254750673c388bf0ed60c3f7c5bd580d
SHA512 76bf27ccedf7e51b9df94c905bf3697367f397f75b23b7919fdd2aa3e2588241af14fe0c5313abb47395e047241e168c8f36285549a327f804c78758ed225e82
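The file listing above carries the same digests under several paths: 4304.exe reappears as C:\Users\Admin\AppData\Roaming\dvfvrur, d21cbe21e38b385a41a68c5e6dd32f4c.exe as C:\Windows\rss\csrss.exe, and latestX.exe as C:\Program Files\Google\Chrome\updater.exe, which is the pattern of a dropper copying itself to a persistent or look-alike location. The Python below is an added example, not part of the sandbox report, that parses entries in this layout and pivots on SHA256 so those second-location copies fall out automatically; it also parses the memory/<pid>-<seq>-<start>-<end>-memory.dmp names into region sizes. The layout rules (a path line followed by one "<ALGO> <hex>" line per hash, and that dump-name pattern) are assumptions read off the listing, and the sample input is copied from the entries above with SHA512 lines and spacer blank lines dropped.

```python
"""Pivot a sandbox "Files" listing on SHA256 to find one binary dropped under
several paths.  Added example, not part of the report: the entry layout (path
line, then one "<ALGO> <hex>" line per hash) and the
memory/<pid>-<seq>-<start>-<end>-memory.dmp naming are assumed from the listing."""
import re
from collections import defaultdict

# Constructed sample: entries copied from the report above, SHA512 lines and
# spacer blank lines dropped for brevity (the parser accepts both).
SAMPLE_LISTING = r"""
C:\Users\Admin\AppData\Local\Temp\4304.exe
MD5 688bcddee8d887a70a70eb791b44abf5
SHA1 92cc959bb52a864820b438d82b9b17cc45d88ab4
SHA256 20c3c13c00a83d0add5a87d151506a28802bc08463efdede49d5dbe94fec1c80

C:\Users\Admin\AppData\Local\Temp\1000115001\d21cbe21e38b385a41a68c5e6dd32f4c.exe
MD5 8627c70b06ccae7c64acdd10a0d5d0ae
SHA1 fd87db535189654374d269e59ff1dd62020e4464
SHA256 a000684c9fcd2d5a528161a3513f726b2307fa6b50788a568fec0930b452d59e

memory/1560-118-0x0000000000400000-0x0000000002FB8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000116001\latestX.exe
MD5 bae29e49e8190bfbbf0d77ffab8de59d
SHA1 4a6352bb47c7e1666a60c76f9b17ca4707872bd9
SHA256 f91e4ff7811a5848561463d970c51870c9299a80117a89fb86a698b9f727de87

memory/784-125-0x00007FF670FE0000-0x00007FF671931000-memory.dmp

C:\Users\Admin\AppData\Roaming\dvfvrur
MD5 688bcddee8d887a70a70eb791b44abf5
SHA1 92cc959bb52a864820b438d82b9b17cc45d88ab4
SHA256 20c3c13c00a83d0add5a87d151506a28802bc08463efdede49d5dbe94fec1c80

C:\Program Files\Google\Chrome\updater.exe
MD5 bae29e49e8190bfbbf0d77ffab8de59d
SHA1 4a6352bb47c7e1666a60c76f9b17ca4707872bd9
SHA256 f91e4ff7811a5848561463d970c51870c9299a80117a89fb86a698b9f727de87

C:\Windows\rss\csrss.exe
MD5 8627c70b06ccae7c64acdd10a0d5d0ae
SHA1 fd87db535189654374d269e59ff1dd62020e4464
SHA256 a000684c9fcd2d5a528161a3513f726b2307fa6b50788a568fec0930b452d59e
"""

HASH_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
PATH_RE = re.compile(r"^[A-Za-z]:\\")
HASH_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\s+([0-9A-Fa-f]+)$")
MEM_RE = re.compile(r"^memory/(\d+)-(\d+)-(0x[0-9A-Fa-f]+)-(0x[0-9A-Fa-f]+)-memory\.dmp$")


def parse_listing(text):
    """Return (files, regions): dropped-file dicts and memory-region dicts."""
    files, regions, current = [], [], None
    for line in (raw.strip() for raw in text.splitlines()):
        if not line:
            continue
        if m := MEM_RE.match(line):
            start, end = int(m[3], 16), int(m[4], 16)
            regions.append({"pid": int(m[1]), "seq": int(m[2]),
                            "start": start, "end": end, "size": end - start})
            current = None  # a dump line ends the current file entry
        elif PATH_RE.match(line):
            current = {"path": line, "hashes": {}}
            files.append(current)
        elif (m := HASH_RE.match(line)) and current is not None:
            algo, digest = m[1], m[2].lower()
            if len(digest) != HASH_LEN[algo]:  # catch truncated or garbled hashes early
                raise ValueError(f"{current['path']}: bad {algo} length {len(digest)}")
            current["hashes"][algo] = digest
    return files, regions


def paths_by_sha256(files):
    """SHA256 -> set of paths; identical repeated entries collapse naturally."""
    groups = defaultdict(set)
    for f in files:
        if "SHA256" in f["hashes"]:
            groups[f["hashes"]["SHA256"]].add(f["path"])
    return dict(groups)


def multi_path_binaries(files):
    """Only the binaries written under more than one path, paths sorted."""
    return {sha: sorted(p) for sha, p in paths_by_sha256(files).items() if len(p) > 1}


def region_sizes(regions):
    """(pid, seq) -> byte length of the dumped region."""
    return {(r["pid"], r["seq"]): r["size"] for r in regions}


if __name__ == "__main__":
    files, regions = parse_listing(SAMPLE_LISTING)
    for sha, paths in multi_path_binaries(files).items():
        print(sha[:16], "->", " | ".join(paths))
    for key, size in region_sizes(regions).items():
        print(key, f"{size:#x} bytes")
```

Feed the whole Files section to parse_listing instead of the sample and the three multi-path groups are the IOC paths worth hunting for on other hosts; the length check on each digest is there because copy-pasted reports routinely lose hex characters, and a wrong-length hash silently matches nothing.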