Analysis Overview
SHA256
ed36eacbc76c5bc86ceeb156854e849ee67d76a184b0253482debcfb62fba3fa
Threat Level: Known bad
The file asdasdad.exe was found to be: Known bad.
Malicious Activity Summary
Xworm
Xworm family
Contains code to disable Windows Defender
Modifies Windows Defender Real-time Protection settings
Detect Xworm Payload
Command and Scripting Interpreter: PowerShell
Checks computer location settings
Drops startup file
Looks up external IP address via web service
Unsigned PE
Enumerates physical storage devices
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-20 20:51
Signatures
Detect Xworm Payload
Xworm family
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-20 20:51
Reported
2024-06-20 20:57
Platform
win7-20231129-en
Max time kernel
118s
Max time network
150s
Command Line
Signatures
Detect Xworm Payload
Xworm
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\asdasdad.lnk | C:\Users\Admin\AppData\Local\Temp\asdasdad.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\asdasdad.lnk | C:\Users\Admin\AppData\Local\Temp\asdasdad.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\asdasdad.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\asdasdad.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\asdasdad.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\asdasdad.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\asdasdad.exe
"C:\Users\Admin\AppData\Local\Temp\asdasdad.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\asdasdad.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'asdasdad.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\asdasdad.exe'
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | silver-bowl.gl.at.ply.gg | udp |
| US | 147.185.221.17:29206 | silver-bowl.gl.at.ply.gg | tcp |
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-20 20:51
Reported
2024-06-20 20:57
Platform
win10v2004-20240611-en
Max time kernel
145s
Max time network
151s
Command Line
Signatures
Contains code to disable Windows Defender
Detect Xworm Payload
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Windows\System32\WScript.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Windows\System32\WScript.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Windows\System32\WScript.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Windows\System32\WScript.exe | N/A |
Xworm
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\International\Geo\Nation | C:\Windows\System32\WScript.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\International\Geo\Nation | C:\Windows\System32\WScript.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\asdasdad.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\asdasdad.lnk | C:\Users\Admin\AppData\Local\Temp\asdasdad.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\asdasdad.lnk | C:\Users\Admin\AppData\Local\Temp\asdasdad.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\asdasdad.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\asdasdad.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\asdasdad.exe
"C:\Users\Admin\AppData\Local\Temp\asdasdad.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\asdasdad.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'asdasdad.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\asdasdad.exe'
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\aliaac.vbs"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\aliaac.vbs" /elevate
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableRealtimeMonitoring $true
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableBehaviorMonitoring $true
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableBlockAtFirstSeen $true
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableIOAVProtection $true
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableScriptScanning $true
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SubmitSamplesConsent 2
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -MAPSReporting 0
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -HighThreatDefaultAction 6 -Force
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ModerateThreatDefaultAction 6
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -LowThreatDefaultAction 6
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SevereThreatDefaultAction 6
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| NL | 23.62.61.97:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | 1.112.95.208.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | silver-bowl.gl.at.ply.gg | udp |
| US | 147.185.221.17:29206 | silver-bowl.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | 17.221.185.147.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 92.12.20.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 10.27.171.150.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.179.89.13.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_nwtd52or.omk.ps1
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
C:\Users\Admin\AppData\Local\Temp\aliaac.vbs