Analysis Overview
SHA256
cdec22b746d955eea4a995cc06795a0964af334d9ad48d9666fa631cf594e651
Threat Level: Known bad
The file cdec22b746d955eea4a995cc06795a0964af334d9ad48d9666fa631cf594e651.exe was found to be: Known bad.
Malicious Activity Summary
Xworm
Detect Xworm Payload
Command and Scripting Interpreter: PowerShell
Checks computer location settings
Loads dropped DLL
Drops startup file
Suspicious use of SetThreadContext
Unsigned PE
Enumerates physical storage devices
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-05-31 09:55
Signatures
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-31 09:55
Reported
2024-05-31 09:57
Platform
win7-20231129-en
Max time kernel
146s
Max time network
150s
Command Line
Signatures
Detect Xworm Payload
Xworm
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk | C:\Users\Admin\AppData\Local\Temp\cdec22b746d955eea4a995cc06795a0964af334d9ad48d9666fa631cf594e651.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk | C:\Users\Admin\AppData\Local\Temp\cdec22b746d955eea4a995cc06795a0964af334d9ad48d9666fa631cf594e651.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\cdec22b746d955eea4a995cc06795a0964af334d9ad48d9666fa631cf594e651.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2468 set thread context of 2040 | N/A | C:\Users\Admin\AppData\Local\Temp\cdec22b746d955eea4a995cc06795a0964af334d9ad48d9666fa631cf594e651.exe | C:\Users\Admin\AppData\Local\Temp\cdec22b746d955eea4a995cc06795a0964af334d9ad48d9666fa631cf594e651.exe |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\cdec22b746d955eea4a995cc06795a0964af334d9ad48d9666fa631cf594e651.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\cdec22b746d955eea4a995cc06795a0964af334d9ad48d9666fa631cf594e651.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\cdec22b746d955eea4a995cc06795a0964af334d9ad48d9666fa631cf594e651.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\cdec22b746d955eea4a995cc06795a0964af334d9ad48d9666fa631cf594e651.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\cdec22b746d955eea4a995cc06795a0964af334d9ad48d9666fa631cf594e651.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\cdec22b746d955eea4a995cc06795a0964af334d9ad48d9666fa631cf594e651.exe
"C:\Users\Admin\AppData\Local\Temp\cdec22b746d955eea4a995cc06795a0964af334d9ad48d9666fa631cf594e651.exe"
C:\Users\Admin\AppData\Local\Temp\cdec22b746d955eea4a995cc06795a0964af334d9ad48d9666fa631cf594e651.exe
"C:\Users\Admin\AppData\Local\Temp\cdec22b746d955eea4a995cc06795a0964af334d9ad48d9666fa631cf594e651.exe"
C:\Users\Admin\AppData\Local\Temp\cdec22b746d955eea4a995cc06795a0964af334d9ad48d9666fa631cf594e651.exe
"C:\Users\Admin\AppData\Local\Temp\cdec22b746d955eea4a995cc06795a0964af334d9ad48d9666fa631cf594e651.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\cdec22b746d955eea4a995cc06795a0964af334d9ad48d9666fa631cf594e651.exe'
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'cdec22b746d955eea4a995cc06795a0964af334d9ad48d9666fa631cf594e651.exe'
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\XClient.exe'
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
Network
| Country | Destination | Domain | Proto |
| DE | 104.250.180.178:7061 | | tcp |
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
| MD5 | 8ca155ba5aac2806de53c05a50ec0bee |
| SHA1 | 9118de1221c5a4240190f516a1d4c5ca5fe09582 |
| SHA256 | 5c91fb2eaba32941db2888619d60f5501ef4911c49a62d752d3fc74a10ca1d38 |
| SHA512 | ba8ab5365f58cbff92215ddee837c99c0df2e0cc380417cec5b48a1feca13ad2e227a4309e5ed62bf3f879a7fcb0aea5df9461d770062a2f31dc6fd80c461153 |
\??\PIPE\srvsvc
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
\Users\Admin\AppData\Roaming\XClient.exe
| MD5 | ff3aea929347d0168b02de5d2c2bcec3 |
| SHA1 | fd7eaa628f424fc1384bcbd926a551c8e60740db |
| SHA256 | cdec22b746d955eea4a995cc06795a0964af334d9ad48d9666fa631cf594e651 |
| SHA512 | c5ba038472b25fa013852b57fa712a286e56a85f015b68c5e7da72ed403aa0b896deb6583407894ae76dc59e90c475a161504d55202b4b7fe774732b22793c3b |
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-31 09:55
Reported
2024-05-31 09:57
Platform
win10v2004-20240426-en
Max time kernel
149s
Max time network
152s
Command Line
Signatures
Detect Xworm Payload
Xworm
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\cdec22b746d955eea4a995cc06795a0964af334d9ad48d9666fa631cf594e651.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk | C:\Users\Admin\AppData\Local\Temp\cdec22b746d955eea4a995cc06795a0964af334d9ad48d9666fa631cf594e651.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk | C:\Users\Admin\AppData\Local\Temp\cdec22b746d955eea4a995cc06795a0964af334d9ad48d9666fa631cf594e651.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 3368 set thread context of 2988 | N/A | C:\Users\Admin\AppData\Local\Temp\cdec22b746d955eea4a995cc06795a0964af334d9ad48d9666fa631cf594e651.exe | C:\Users\Admin\AppData\Local\Temp\cdec22b746d955eea4a995cc06795a0964af334d9ad48d9666fa631cf594e651.exe |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\cdec22b746d955eea4a995cc06795a0964af334d9ad48d9666fa631cf594e651.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\cdec22b746d955eea4a995cc06795a0964af334d9ad48d9666fa631cf594e651.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\cdec22b746d955eea4a995cc06795a0964af334d9ad48d9666fa631cf594e651.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\cdec22b746d955eea4a995cc06795a0964af334d9ad48d9666fa631cf594e651.exe
"C:\Users\Admin\AppData\Local\Temp\cdec22b746d955eea4a995cc06795a0964af334d9ad48d9666fa631cf594e651.exe"
C:\Users\Admin\AppData\Local\Temp\cdec22b746d955eea4a995cc06795a0964af334d9ad48d9666fa631cf594e651.exe
"C:\Users\Admin\AppData\Local\Temp\cdec22b746d955eea4a995cc06795a0964af334d9ad48d9666fa631cf594e651.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\cdec22b746d955eea4a995cc06795a0964af334d9ad48d9666fa631cf594e651.exe'
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'cdec22b746d955eea4a995cc06795a0964af334d9ad48d9666fa631cf594e651.exe'
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\XClient.exe'
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 249.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| DE | 104.250.180.178:7061 | | tcp |
| US | 8.8.8.8:53 | 178.180.250.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 29.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 195.98.74.40.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_bmuyuh4y.gnm.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
| MD5 | 3d086a433708053f9bf9523e1d87a4e8 |
| SHA1 | b3ab5d4f282a4c8fe8c3005b8a557ed5a0e37f28 |
| SHA256 | 6f8fd1b8d9788ad54eaeee329232187e24b7b43393a01aeba2d6e9675231fb69 |
| SHA512 | 931ae42b4c68a4507ff2342332b08eb407050d47cf4176137ea022d0f6e513c689e998445a04c6d18d4877391705c586bfce0234632b898d41aaed0957996dfd |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 720f7e6ca810308ec5986675e542399e |
| SHA1 | e20b68c44239f5ab703538f62a8d69e24eb07016 |
| SHA256 | de0bcecb4f8b20ea8e24f70befc036d9a19c5cbbf6072f33ec08cfd44fa4fcd2 |
| SHA512 | 595e0eb098fcc24f1da2cc5775b40fb323c6bdca82ebf68f8b5cc94814722c29534ea2ca4ab33a464b07d7a175261440dc9558173469c67b072a0f221e82c165 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 3f878d345a4ce190710d10bbb021ccf6 |
| SHA1 | db18415c1de418009815c5393dfd99e829f1e1d9 |
| SHA256 | 7b9e9900b1ad8009093e9a433d73ae5ed663aca470dab80f796bace0657c4858 |
| SHA512 | e72636623be4f388ccada2df7384ec10a45bf9cf5fa91c2051fb94ad904fd5b8d157254301f80f4381c30c8bb957b8ee0d0cb9a0fd5e268405ee11e2daeea71a |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 3ee8cf32a0b583bb095140040155089e |
| SHA1 | 61c929eaa871189e037a8aeb0ca364c70ec1a40b |
| SHA256 | 5b45bbd8650cdd421d2fc6d0affabc9e1416ba147f50021fd5df1fc468c6f7c6 |
| SHA512 | 6fefefa199944acdd2d0b4a6f3e3debc756500e39bb632716d0fd6d2294b9ed4cb41f642b6721c1b6afff2c2147ac4b0b77f02495680ff13be8956bbd368b637 |