Analysis Overview
SHA256
38992ee97c1b46dc373cdd5f32fb5de1e5bb8da4e81734d84f860dc92fd41cf2
Threat Level: Likely malicious
The file rocket league.exe was found to be: Likely malicious.
Malicious Activity Summary
Disables Task Manager via registry modification
Loads dropped DLL
Drops startup file
Detects Pyinstaller
Unsigned PE
Command and Scripting Interpreter: PowerShell
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Runs net.exe
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-05-26 00:19
Signatures
Detects Pyinstaller
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-26 00:19
Reported
2024-05-26 00:21
Platform
win7-20240221-en
Max time kernel
121s
Max time network
126s
Command Line
Signatures
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\rocket league.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2196 wrote to memory of 2900 | N/A | C:\Users\Admin\AppData\Local\Temp\rocket league.exe | C:\Users\Admin\AppData\Local\Temp\rocket league.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\rocket league.exe
"C:\Users\Admin\AppData\Local\Temp\rocket league.exe"
C:\Users\Admin\AppData\Local\Temp\rocket league.exe
"C:\Users\Admin\AppData\Local\Temp\rocket league.exe"
Network
Files
C:\Users\Admin\AppData\Local\Temp\_MEI21962\python39.dll
| MD5 | 11c051f93c922d6b6b4829772f27a5be |
| SHA1 | 42fbdf3403a4bc3d46d348ca37a9f835e073d440 |
| SHA256 | 0eabf135bb9492e561bbbc5602a933623c9e461aceaf6eb1ceced635e363cd5c |
| SHA512 | 1cdec23486cffcb91098a8b2c3f1262d6703946acf52aa2fe701964fb228d1411d9b6683bd54527860e10affc0e3d3de92a6ecf2c6c8465e9c8b9a7304e2a4a6 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-26 00:19
Reported
2024-05-26 00:21
Platform
win10v2004-20240508-en
Max time kernel
138s
Max time network
142s
Command Line
Signatures
Disables Task Manager via registry modification
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\open.bat | C:\Users\Admin\AppData\Local\Temp\rocket league.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\rocket league.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Runs net.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\rocket league.exe
"C:\Users\Admin\AppData\Local\Temp\rocket league.exe"
C:\Users\Admin\AppData\Local\Temp\rocket league.exe
"C:\Users\Admin\AppData\Local\Temp\rocket league.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "sc config WinDefend start= disabled"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "net stop WinDefend"
C:\Windows\system32\net.exe
"C:\Windows\system32\net.exe" stop WinDefend
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop WinDefend
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "reg add \"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\" /v DisableAntiSpyware /t REG_DWORD /d 1 /f"
C:\Windows\system32\reg.exe
"C:\Windows\system32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "reg add \"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU\" /v NoAutoUpdate /t REG_DWORD /d 1 /f"
C:\Windows\system32\reg.exe
"C:\Windows\system32\reg.exe" add HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /t REG_DWORD /d 1 /f
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "reg add \"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer\" /v DisableNotificationCenter /t REG_DWORD /d 1 /f"
C:\Windows\system32\reg.exe
"C:\Windows\system32\reg.exe" add HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer /v DisableNotificationCenter /t REG_DWORD /d 1 /f
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "reg add \"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Personalization\" /v NoLockScreen /t REG_DWORD /d 1 /f"
C:\Windows\system32\reg.exe
"C:\Windows\system32\reg.exe" add HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Personalization /v NoLockScreen /t REG_DWORD /d 1 /f
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "reg add \"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System\" /v DisableTaskMgr /t REG_DWORD /d 1 /f"
C:\Windows\system32\reg.exe
"C:\Windows\system32\reg.exe" add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "reg add \"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\" /v NoControlPanel /t REG_DWORD /d 1 /f"
C:\Windows\system32\reg.exe
"C:\Windows\system32\reg.exe" add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoControlPanel /t REG_DWORD /d 1 /f
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 145.83.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| GB | 90.219.218.146:4444 | | tcp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| NL | 23.62.61.194:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 194.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| GB | 90.219.218.146:4444 | | tcp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| GB | 90.219.218.146:4444 | | tcp |
| US | 8.8.8.8:53 | 105.83.221.88.in-addr.arpa | udp |
| GB | 90.219.218.146:4444 | | tcp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| GB | 90.219.218.146:4444 | | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| GB | 90.219.218.146:4444 | | tcp |
| GB | 90.219.218.146:4444 | | tcp |
Files