umbral | 879fc1eabb8371e770a2fea4362086d08fb8743ce5343465cbedf0c2fdd4404f

Analysis

max time kernel
169s
max time network
172s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
20-12-2023 16:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

conta_injector.exe
Size

2.6MB
MD5

136572773a0b95e37f25ee732cd20564
SHA1

d5aa4913be0eb1a47fe95cdec0f398992b1066e9
SHA256

879fc1eabb8371e770a2fea4362086d08fb8743ce5343465cbedf0c2fdd4404f
SHA512

872c0dc675516b91d8ea43094532c749789753d631979070163c5b71adc088dd2e33393879658e0a361de3fc4f5ed1bd150ebc8658b558abfc46ccc7c8cee0ef
SSDEEP

49152:RP5mffPrD+IndQgKAr5ozxzu6LAH3zu292AXR3jzLzvX:RP5mvrD+ClNo9ztLA

Score

10^/10

umbral xworm persistence rat spyware stealer trojan

Malware Config

Extracted

Family

xworm

Attributes

Install_directory
%LocalAppData%
install_file
InvidiaDriver.exe

Signatures

Detect Umbral payload 1 IoCs

resource	yara_rule
behavioral2/memory/2732-23-0x0000000000400000-0x0000000000440000-memory.dmp	family_umbral

Detect Xworm Payload 1 IoCs

resource	yara_rule
behavioral2/memory/3992-18-0x0000000000400000-0x000000000041E000-memory.dmp	family_xworm

Umbral
Umbral stealer is an opensource moduler stealer written in C#.
stealer umbral
Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Downloads MZ/PE file

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\Control Panel\International\Geo\Nation	conta_injector.exe
Key value queried	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\Control Panel\International\Geo\Nation	RegAsm.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\InvidiaDriver.lnk	RegAsm.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\InvidiaDriver.lnk	RegAsm.exe

Executes dropped EXE 3 IoCs

pid	Process
1692	PerfWatson2.exe
1600	InvidiaDriver.exe
4652	InvidiaDriver.exe

Loads dropped DLL 1 IoCs

pid	Process
3992	RegAsm.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\InvidiaDriver = "C:\\Users\\Admin\\AppData\\Local\\InvidiaDriver.exe"	RegAsm.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
53	ip-api.com

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2656 set thread context of 3992	2656	conta_injector.exe	95
PID 1692 set thread context of 2732	1692	PerfWatson2.exe	96

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
4232	schtasks.exe

Detects videocard installed 1 TTPs 1 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
748	wmic.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

pid	Process
3108	powershell.exe
3108	powershell.exe
2712	powershell.exe
2712	powershell.exe
2712	powershell.exe
1660	powershell.exe
1660	powershell.exe
1660	powershell.exe
4872	powershell.exe
4872	powershell.exe
4924	powershell.exe
4924	powershell.exe
4924	powershell.exe
2244	powershell.exe
2244	powershell.exe
3344	powershell.exe
3344	powershell.exe
3992	RegAsm.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2656	conta_injector.exe
Token: SeDebugPrivilege	1692	PerfWatson2.exe
Token: SeDebugPrivilege	3992	RegAsm.exe
Token: SeDebugPrivilege	2732	RegAsm.exe
Token: SeDebugPrivilege	3108	powershell.exe
Token: SeDebugPrivilege	2712	powershell.exe
Token: SeDebugPrivilege	1660	powershell.exe
Token: SeDebugPrivilege	4872	powershell.exe
Token: SeIncreaseQuotaPrivilege	2768	wmic.exe
Token: SeSecurityPrivilege	2768	wmic.exe
Token: SeTakeOwnershipPrivilege	2768	wmic.exe
Token: SeLoadDriverPrivilege	2768	wmic.exe
Token: SeSystemProfilePrivilege	2768	wmic.exe
Token: SeSystemtimePrivilege	2768	wmic.exe
Token: SeProfSingleProcessPrivilege	2768	wmic.exe
Token: SeIncBasePriorityPrivilege	2768	wmic.exe
Token: SeCreatePagefilePrivilege	2768	wmic.exe
Token: SeBackupPrivilege	2768	wmic.exe
Token: SeRestorePrivilege	2768	wmic.exe
Token: SeShutdownPrivilege	2768	wmic.exe
Token: SeDebugPrivilege	2768	wmic.exe
Token: SeSystemEnvironmentPrivilege	2768	wmic.exe
Token: SeRemoteShutdownPrivilege	2768	wmic.exe
Token: SeUndockPrivilege	2768	wmic.exe
Token: SeManageVolumePrivilege	2768	wmic.exe
Token: 33	2768	wmic.exe
Token: 34	2768	wmic.exe
Token: 35	2768	wmic.exe
Token: 36	2768	wmic.exe
Token: SeIncreaseQuotaPrivilege	2768	wmic.exe
Token: SeSecurityPrivilege	2768	wmic.exe
Token: SeTakeOwnershipPrivilege	2768	wmic.exe
Token: SeLoadDriverPrivilege	2768	wmic.exe
Token: SeSystemProfilePrivilege	2768	wmic.exe
Token: SeSystemtimePrivilege	2768	wmic.exe
Token: SeProfSingleProcessPrivilege	2768	wmic.exe
Token: SeIncBasePriorityPrivilege	2768	wmic.exe
Token: SeCreatePagefilePrivilege	2768	wmic.exe
Token: SeBackupPrivilege	2768	wmic.exe
Token: SeRestorePrivilege	2768	wmic.exe
Token: SeShutdownPrivilege	2768	wmic.exe
Token: SeDebugPrivilege	2768	wmic.exe
Token: SeSystemEnvironmentPrivilege	2768	wmic.exe
Token: SeRemoteShutdownPrivilege	2768	wmic.exe
Token: SeUndockPrivilege	2768	wmic.exe
Token: SeManageVolumePrivilege	2768	wmic.exe
Token: 33	2768	wmic.exe
Token: 34	2768	wmic.exe
Token: 35	2768	wmic.exe
Token: 36	2768	wmic.exe
Token: SeIncreaseQuotaPrivilege	3952	wmic.exe
Token: SeSecurityPrivilege	3952	wmic.exe
Token: SeTakeOwnershipPrivilege	3952	wmic.exe
Token: SeLoadDriverPrivilege	3952	wmic.exe
Token: SeSystemProfilePrivilege	3952	wmic.exe
Token: SeSystemtimePrivilege	3952	wmic.exe
Token: SeProfSingleProcessPrivilege	3952	wmic.exe
Token: SeIncBasePriorityPrivilege	3952	wmic.exe
Token: SeCreatePagefilePrivilege	3952	wmic.exe
Token: SeBackupPrivilege	3952	wmic.exe
Token: SeRestorePrivilege	3952	wmic.exe
Token: SeShutdownPrivilege	3952	wmic.exe
Token: SeDebugPrivilege	3952	wmic.exe
Token: SeSystemEnvironmentPrivilege	3952	wmic.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3992	RegAsm.exe

Suspicious use of WriteProcessMemory 55 IoCs

description	pid	Process	procid_target
PID 2656 wrote to memory of 1692	2656	conta_injector.exe	93
PID 2656 wrote to memory of 1692	2656	conta_injector.exe	93
PID 2656 wrote to memory of 1692	2656	conta_injector.exe	93
PID 2656 wrote to memory of 3992	2656	conta_injector.exe	95
PID 2656 wrote to memory of 3992	2656	conta_injector.exe	95
PID 2656 wrote to memory of 3992	2656	conta_injector.exe	95
PID 2656 wrote to memory of 3992	2656	conta_injector.exe	95
PID 2656 wrote to memory of 3992	2656	conta_injector.exe	95
PID 2656 wrote to memory of 3992	2656	conta_injector.exe	95
PID 2656 wrote to memory of 3992	2656	conta_injector.exe	95
PID 2656 wrote to memory of 3992	2656	conta_injector.exe	95
PID 1692 wrote to memory of 2732	1692	PerfWatson2.exe	96
PID 1692 wrote to memory of 2732	1692	PerfWatson2.exe	96
PID 1692 wrote to memory of 2732	1692	PerfWatson2.exe	96
PID 1692 wrote to memory of 2732	1692	PerfWatson2.exe	96
PID 1692 wrote to memory of 2732	1692	PerfWatson2.exe	96
PID 1692 wrote to memory of 2732	1692	PerfWatson2.exe	96
PID 1692 wrote to memory of 2732	1692	PerfWatson2.exe	96
PID 1692 wrote to memory of 2732	1692	PerfWatson2.exe	96
PID 2732 wrote to memory of 3108	2732	RegAsm.exe	97
PID 2732 wrote to memory of 3108	2732	RegAsm.exe	97
PID 2732 wrote to memory of 3108	2732	RegAsm.exe	97
PID 3992 wrote to memory of 2712	3992	RegAsm.exe	100
PID 3992 wrote to memory of 2712	3992	RegAsm.exe	100
PID 3992 wrote to memory of 2712	3992	RegAsm.exe	100
PID 2732 wrote to memory of 1660	2732	RegAsm.exe	101
PID 2732 wrote to memory of 1660	2732	RegAsm.exe	101
PID 2732 wrote to memory of 1660	2732	RegAsm.exe	101
PID 3992 wrote to memory of 4872	3992	RegAsm.exe	104
PID 3992 wrote to memory of 4872	3992	RegAsm.exe	104
PID 3992 wrote to memory of 4872	3992	RegAsm.exe	104
PID 2732 wrote to memory of 2768	2732	RegAsm.exe	105
PID 2732 wrote to memory of 2768	2732	RegAsm.exe	105
PID 2732 wrote to memory of 2768	2732	RegAsm.exe	105
PID 2732 wrote to memory of 3952	2732	RegAsm.exe	107
PID 2732 wrote to memory of 3952	2732	RegAsm.exe	107
PID 2732 wrote to memory of 3952	2732	RegAsm.exe	107
PID 2732 wrote to memory of 4484	2732	RegAsm.exe	110
PID 2732 wrote to memory of 4484	2732	RegAsm.exe	110
PID 2732 wrote to memory of 4484	2732	RegAsm.exe	110
PID 2732 wrote to memory of 4924	2732	RegAsm.exe	111
PID 2732 wrote to memory of 4924	2732	RegAsm.exe	111
PID 2732 wrote to memory of 4924	2732	RegAsm.exe	111
PID 3992 wrote to memory of 2244	3992	RegAsm.exe	113
PID 3992 wrote to memory of 2244	3992	RegAsm.exe	113
PID 3992 wrote to memory of 2244	3992	RegAsm.exe	113
PID 2732 wrote to memory of 748	2732	RegAsm.exe	115
PID 2732 wrote to memory of 748	2732	RegAsm.exe	115
PID 2732 wrote to memory of 748	2732	RegAsm.exe	115
PID 3992 wrote to memory of 3344	3992	RegAsm.exe	118
PID 3992 wrote to memory of 3344	3992	RegAsm.exe	118
PID 3992 wrote to memory of 3344	3992	RegAsm.exe	118
PID 3992 wrote to memory of 4232	3992	RegAsm.exe	119
PID 3992 wrote to memory of 4232	3992	RegAsm.exe	119
PID 3992 wrote to memory of 4232	3992	RegAsm.exe	119

C:\Users\Admin\AppData\Local\Temp\conta_injector.exe
"C:\Users\Admin\AppData\Local\Temp\conta_injector.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2656
- C:\Users\Admin\AppData\Local\Temp\PerfWatson2.exe
  "C:\Users\Admin\AppData\Local\Temp\PerfWatson2.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1692
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegAsm.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2732
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3108
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1660
  - - C:\Windows\SysWOW64\Wbem\wmic.exe
      "wmic.exe" os get Caption
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2768
  - - C:\Windows\SysWOW64\Wbem\wmic.exe
      "wmic.exe" computersystem get totalphysicalmemory
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3952
  - - C:\Windows\SysWOW64\Wbem\wmic.exe
      "wmic.exe" csproduct get uuid
      4⤵
      PID:4484
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:4924
  - - C:\Windows\SysWOW64\Wbem\wmic.exe
      "wmic" path win32_VideoController get name
      4⤵
      Detects videocard installed
      PID:748
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegAsm.exe"
  2⤵
  - Checks computer location settings
  - Drops startup file
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3992
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe'
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2712
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'RegAsm.exe'
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4872
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\InvidiaDriver.exe'
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2244
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'InvidiaDriver.exe'
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:3344
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "InvidiaDriver" /tr "C:\Users\Admin\AppData\Local\InvidiaDriver.exe"
    3⤵
    - Creates scheduled task(s)
    PID:4232

C:\Users\Admin\AppData\Local\InvidiaDriver.exe
C:\Users\Admin\AppData\Local\InvidiaDriver.exe
1⤵
- Executes dropped EXE
PID:1600

C:\Users\Admin\AppData\Local\InvidiaDriver.exe
C:\Users\Admin\AppData\Local\InvidiaDriver.exe
1⤵
- Executes dropped EXE
PID:4652

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\InvidiaDriver.exe

Filesize
63KB

MD5
0d5df43af2916f47d00c1573797c1a13

SHA1
230ab5559e806574d26b4c20847c368ed55483b0

SHA256
c066aee7aa3aa83f763ebc5541daa266ed6c648fbffcde0d836a13b221bb2adc

SHA512
f96cf9e1890746b12daf839a6d0f16f062b72c1b8a40439f96583f242980f10f867720232a6fa0f7d4d7ac0a7a6143981a5a130d6417ea98b181447134c7cfe2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\InvidiaDriver.exe.log

Filesize
42B

MD5
84cfdb4b995b1dbf543b26b86c863adc

SHA1
d2f47764908bf30036cf8248b9ff5541e2711fa2

SHA256
d8988d672d6915b46946b28c06ad8066c50041f6152a91d37ffa5cf129cc146b

SHA512
485f0ed45e13f00a93762cbf15b4b8f996553baa021152fae5aba051e3736bcd3ca8f4328f0e6d9e3e1f910c96c4a9ae055331123ee08e3c2ce3a99ac2e177ce

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
1KB

MD5
5315900105942deb090a358a315b06fe

SHA1
22fe5d2e1617c31afbafb91c117508d41ef0ce44

SHA256
e8bd7d8d1d0437c71aceb032f9fb08dd1147f41c048540254971cc60e95d6cd7

SHA512
77e8d15b8c34a1cb01dbee7147987e2cc25c747e0f80d254714a93937a6d2fe08cb5a772cf85ceb8fec56415bfa853234a003173718c4229ba8cfcf2ce6335a6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
9b2199efbd57a303067fbad9b9d1a011

SHA1
7c4a10d062566f4c8aab6eb04f99a1a302e4b3ea

SHA256
b46d082c246b2068a50d71ebcdf53c8c2f86c5dd7a81d6d150ab9609ebbac25f

SHA512
72c2f8d4702ba1876f625e4c6b981e09e0617c1543dd1197db4204bb5eaaed6d9d5a4b67a3968bde068062f0dcc179e7a44d7bb9829fba954ec62b1d9baa2867

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
f246dae985551b0483d373e8fd82dbcd

SHA1
6f7dfb18a6a672b157d2a390b9a2b348159ebd0e

SHA256
a7c893e34c08f48304904dcd5d6c803e979d13722c413bd965a95cb2e1c8e6b5

SHA512
85d6c65e47902825358b8e3c4f6da629f673ccee9fffe9ac7873df71cec9f66793fc3cd2ab27bf0ae46178d667f50ba8fc5c07bf10e217fac1b54279090386ae

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
15KB

MD5
4033874ec2efc071a91da12979976d24

SHA1
2af70d14231930d0aafef65f84970644cbcc789f

SHA256
8f5d1098ec59bbe19605474097df9e076bdc5f3cecd16f9322ea4fe5b087fd33

SHA512
218c31c5619c75d2220f446890f636827e7cfec108bbc0b454d7c497584b6337c9ed0feca25b30a0a0fa3b7fba056ba6a159101c8578bd9b69b6f10c4a2b9fc8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
15921e06a0a3d35e7841f2ad11316f02

SHA1
dfff61adc98f2199798641c662dab71bb9dab899

SHA256
c8ad245fd930827ee46ba2c91859f44e3d8f26dbddf4f8e45301d3145d5e9b7b

SHA512
f9e68021165553d1af9ca3c33ea2fb58f3385d86287e00e72905cef6d807c5fe47eea5a67f81f83a4495ecb421c20acc00f45807fa97dcdf3c86fb8835afb11a

Download Submit
C:\Users\Admin\AppData\Local\Temp\PerfWatson2.exe

Filesize
1.7MB

MD5
683c060ccca9ee3a5dad65946c8c9a88

SHA1
35a18395cd290cf377fe665aebdfb26e59869a5c

SHA256
ea6f9411b4568ed828772ce578f40ff5b38715d067bdd76616d945f14462351a

SHA512
63ab8296b245430a3b13d7eea08d89845a32a8c14b7b88bc516a3b45192a2aa10abdd5e0d9483bc72c5f9b57b228ac498dd7166a54dcafefa630b364377063ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_cxkbpyvx.au3.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp94B4.tmp

Filesize
82KB

MD5
c38b245b97fea00a08141af793a76f87

SHA1
c9c5c786f8e8d3c5670ef64f4f3ae35c556bb640

SHA256
b6647006cf5e920db52c66a2028f2492df03c4deceda32fb021ebe4126bfe261

SHA512
6d4a19aff6c2999f2369ae8831a8208aeefcb6fe7620a86bd8343690a155c055d0327ec4b42af3929fd6997ad5ce28d0e7f9a980567b244f3e373409cf2e5d38

Download Submit
memory/1660-90-0x00000000021F0000-0x0000000002200000-memory.dmp

Filesize
64KB

Download
memory/1660-89-0x00000000021F0000-0x0000000002200000-memory.dmp

Filesize
64KB

Download
memory/1660-86-0x0000000074EB0000-0x0000000075660000-memory.dmp

Filesize
7.7MB

Download
memory/1660-120-0x0000000074EB0000-0x0000000075660000-memory.dmp

Filesize
7.7MB

Download
memory/1692-14-0x0000000000120000-0x00000000002E0000-memory.dmp

Filesize
1.8MB

Download
memory/1692-27-0x0000000074EB0000-0x0000000075660000-memory.dmp

Filesize
7.7MB

Download
memory/1692-16-0x0000000074EB0000-0x0000000075660000-memory.dmp

Filesize
7.7MB

Download
memory/2656-2-0x00000000056C0000-0x00000000056D0000-memory.dmp

Filesize
64KB

Download
memory/2656-20-0x0000000074EB0000-0x0000000075660000-memory.dmp

Filesize
7.7MB

Download
memory/2656-0-0x0000000000B10000-0x0000000000DBE000-memory.dmp

Filesize
2.7MB

Download
memory/2656-1-0x0000000074EB0000-0x0000000075660000-memory.dmp

Filesize
7.7MB

Download
memory/2656-17-0x00000000064A0000-0x00000000064A8000-memory.dmp

Filesize
32KB

Download
memory/2656-15-0x0000000006470000-0x0000000006480000-memory.dmp

Filesize
64KB

Download
memory/2712-116-0x0000000007CB0000-0x0000000007CBA000-memory.dmp

Filesize
40KB

Download
memory/2712-64-0x0000000074EB0000-0x0000000075660000-memory.dmp

Filesize
7.7MB

Download
memory/2712-127-0x0000000007F80000-0x0000000007F9A000-memory.dmp

Filesize
104KB

Download
memory/2712-132-0x0000000074EB0000-0x0000000075660000-memory.dmp

Filesize
7.7MB

Download
memory/2712-123-0x0000000007E80000-0x0000000007E94000-memory.dmp

Filesize
80KB

Download
memory/2712-112-0x0000000006EA0000-0x0000000006EBE000-memory.dmp

Filesize
120KB

Download
memory/2712-93-0x0000000070600000-0x000000007064C000-memory.dmp

Filesize
304KB

Download
memory/2712-121-0x0000000007E70000-0x0000000007E7E000-memory.dmp

Filesize
56KB

Download
memory/2712-91-0x0000000006F30000-0x0000000006F62000-memory.dmp

Filesize
200KB

Download
memory/2712-84-0x0000000002FD0000-0x0000000002FE0000-memory.dmp

Filesize
64KB

Download
memory/2712-65-0x0000000002FD0000-0x0000000002FE0000-memory.dmp

Filesize
64KB

Download
memory/2712-118-0x0000000007E40000-0x0000000007E51000-memory.dmp

Filesize
68KB

Download
memory/2712-66-0x0000000002FD0000-0x0000000002FE0000-memory.dmp

Filesize
64KB

Download
memory/2712-129-0x0000000007F60000-0x0000000007F68000-memory.dmp

Filesize
32KB

Download
memory/2712-92-0x000000007F530000-0x000000007F540000-memory.dmp

Filesize
64KB

Download
memory/2712-115-0x0000000008280000-0x00000000088FA000-memory.dmp

Filesize
6.5MB

Download
memory/2712-114-0x0000000007B40000-0x0000000007BE3000-memory.dmp

Filesize
652KB

Download
memory/2732-117-0x00000000052F0000-0x0000000005300000-memory.dmp

Filesize
64KB

Download
memory/2732-88-0x0000000074EB0000-0x0000000075660000-memory.dmp

Filesize
7.7MB

Download
memory/2732-29-0x00000000061D0000-0x0000000006220000-memory.dmp

Filesize
320KB

Download
memory/2732-28-0x0000000006150000-0x00000000061C6000-memory.dmp

Filesize
472KB

Download
memory/2732-26-0x0000000074EB0000-0x0000000075660000-memory.dmp

Filesize
7.7MB

Download
memory/2732-25-0x0000000005120000-0x00000000051B2000-memory.dmp

Filesize
584KB

Download
memory/2732-23-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2732-30-0x0000000006450000-0x000000000646E000-memory.dmp

Filesize
120KB

Download
memory/2732-124-0x00000000067C0000-0x00000000067CA000-memory.dmp

Filesize
40KB

Download
memory/2732-125-0x00000000067F0000-0x0000000006802000-memory.dmp

Filesize
72KB

Download
memory/3108-31-0x0000000002780000-0x00000000027B6000-memory.dmp

Filesize
216KB

Download
memory/3108-54-0x00000000053C0000-0x0000000005426000-memory.dmp

Filesize
408KB

Download
memory/3108-83-0x0000000074EB0000-0x0000000075660000-memory.dmp

Filesize
7.7MB

Download
memory/3108-80-0x0000000007670000-0x0000000007C14000-memory.dmp

Filesize
5.6MB

Download
memory/3108-79-0x00000000065E0000-0x0000000006602000-memory.dmp

Filesize
136KB

Download
memory/3108-78-0x0000000006590000-0x00000000065AA000-memory.dmp

Filesize
104KB

Download
memory/3108-77-0x0000000007020000-0x00000000070B6000-memory.dmp

Filesize
600KB

Download
memory/3108-67-0x0000000004E10000-0x0000000004E20000-memory.dmp

Filesize
64KB

Download
memory/3108-34-0x0000000004E10000-0x0000000004E20000-memory.dmp

Filesize
64KB

Download
memory/3108-62-0x00000000060D0000-0x000000000611C000-memory.dmp

Filesize
304KB

Download
memory/3108-61-0x0000000006090000-0x00000000060AE000-memory.dmp

Filesize
120KB

Download
memory/3108-60-0x0000000005AF0000-0x0000000005E44000-memory.dmp

Filesize
3.3MB

Download
memory/3108-55-0x0000000005A80000-0x0000000005AE6000-memory.dmp

Filesize
408KB

Download
memory/3108-33-0x0000000005450000-0x0000000005A78000-memory.dmp

Filesize
6.2MB

Download
memory/3108-48-0x0000000005320000-0x0000000005342000-memory.dmp

Filesize
136KB

Download
memory/3108-35-0x0000000004E10000-0x0000000004E20000-memory.dmp

Filesize
64KB

Download
memory/3108-32-0x0000000074EB0000-0x0000000075660000-memory.dmp

Filesize
7.7MB

Download
memory/3992-87-0x0000000074EB0000-0x0000000075660000-memory.dmp

Filesize
7.7MB

Download
memory/3992-63-0x0000000005380000-0x0000000005390000-memory.dmp

Filesize
64KB

Download
memory/3992-22-0x0000000005190000-0x000000000522C000-memory.dmp

Filesize
624KB

Download
memory/3992-21-0x0000000074EB0000-0x0000000075660000-memory.dmp

Filesize
7.7MB

Download
memory/3992-18-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4872-133-0x0000000074EB0000-0x0000000075660000-memory.dmp

Filesize
7.7MB

Download
memory/4872-135-0x00000000053A0000-0x00000000053B0000-memory.dmp

Filesize
64KB

Download
memory/4872-134-0x00000000053A0000-0x00000000053B0000-memory.dmp

Filesize
64KB

Download
memory/4872-141-0x0000000006160000-0x00000000064B4000-memory.dmp

Filesize
3.3MB

Download