umbral | 136cec1df46a4a97e2358e7b1ddcca2ec2853ecad6e004cbd959844d1e96d0e0

Analysis

max time kernel
143s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
02-07-2024 15:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fixxxx.exe
Size

1.1MB
MD5

656c98a712018e49c94e823f1f30d038
SHA1

f7400c9f13174b924c822871053fb1efa97a43b6
SHA256

136cec1df46a4a97e2358e7b1ddcca2ec2853ecad6e004cbd959844d1e96d0e0
SHA512

300b82e08c08391a369706a77907471527a6325909f64ed9c6e316b89f3e0659ddc0619bba1ee857f2b2a14865b3248161079e066ea6f3d6d340617f56a6a068
SSDEEP

24576:Ut9UwrSmTCEu3LIy+PtTFngKrh67y8pWaUTNTfkROL6bE:C9PWDIB5Fnfrx8W1hn/

Score

10^/10

umbral xworm execution persistence rat spyware stealer trojan

Malware Config

Extracted

Family

xworm

20.ip.gl.ply.gg:53765

Attributes

Install_directory
%AppData%
install_file
svchost.exe

Signatures

Detect Umbral payload 2 IoCs

resource	yara_rule
behavioral2/files/0x000300000001e886-141.dat	family_umbral
behavioral2/memory/760-148-0x000001F72C7F0000-0x000001F72C830000-memory.dmp	family_umbral

Detect Xworm Payload 1 IoCs

resource	yara_rule
behavioral2/memory/5076-2-0x0000000000F30000-0x00000000012A4000-memory.dmp	family_xworm

Umbral
Umbral stealer is an opensource moduler stealer written in C#.
stealer umbral
Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm

Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2248	powershell.exe
4584	powershell.exe
2792	powershell.exe
5008	powershell.exe
3300	powershell.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	ffpint.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Control Panel\International\Geo\Nation	fixxxx.exe

Executes dropped EXE 1 IoCs

pid	Process
760	ffpint.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe"	fixxxx.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
69	discord.com
70	discord.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
66	ip-api.com

Suspicious use of NtSetInformationThreadHideFromDebugger 16 IoCs

pid	Process
5076	fixxxx.exe
5076	fixxxx.exe
5076	fixxxx.exe
5076	fixxxx.exe
5076	fixxxx.exe
5076	fixxxx.exe
5076	fixxxx.exe
5076	fixxxx.exe
5076	fixxxx.exe
5076	fixxxx.exe
5076	fixxxx.exe
5076	fixxxx.exe
5076	fixxxx.exe
5076	fixxxx.exe
5076	fixxxx.exe
5076	fixxxx.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Detects videocard installed 1 TTPs 1 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
4504	wmic.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
4812	PING.EXE

Suspicious behavior: EnumeratesProcesses 27 IoCs

pid	Process
5008	powershell.exe
5008	powershell.exe
5008	powershell.exe
3300	powershell.exe
3300	powershell.exe
3300	powershell.exe
2248	powershell.exe
2248	powershell.exe
2248	powershell.exe
4584	powershell.exe
4584	powershell.exe
4584	powershell.exe
2792	powershell.exe
2792	powershell.exe
2792	powershell.exe
3092	powershell.exe
3092	powershell.exe
3092	powershell.exe
728	powershell.exe
728	powershell.exe
728	powershell.exe
4104	powershell.exe
4104	powershell.exe
4104	powershell.exe
4800	powershell.exe
4800	powershell.exe
4800	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	5076	fixxxx.exe
Token: SeDebugPrivilege	5008	powershell.exe
Token: SeDebugPrivilege	3300	powershell.exe
Token: SeDebugPrivilege	2248	powershell.exe
Token: SeDebugPrivilege	4584	powershell.exe
Token: SeDebugPrivilege	5076	fixxxx.exe
Token: SeDebugPrivilege	760	ffpint.exe
Token: SeDebugPrivilege	2792	powershell.exe
Token: SeDebugPrivilege	3092	powershell.exe
Token: SeDebugPrivilege	728	powershell.exe
Token: SeDebugPrivilege	4104	powershell.exe
Token: SeIncreaseQuotaPrivilege	3592	wmic.exe
Token: SeSecurityPrivilege	3592	wmic.exe
Token: SeTakeOwnershipPrivilege	3592	wmic.exe
Token: SeLoadDriverPrivilege	3592	wmic.exe
Token: SeSystemProfilePrivilege	3592	wmic.exe
Token: SeSystemtimePrivilege	3592	wmic.exe
Token: SeProfSingleProcessPrivilege	3592	wmic.exe
Token: SeIncBasePriorityPrivilege	3592	wmic.exe
Token: SeCreatePagefilePrivilege	3592	wmic.exe
Token: SeBackupPrivilege	3592	wmic.exe
Token: SeRestorePrivilege	3592	wmic.exe
Token: SeShutdownPrivilege	3592	wmic.exe
Token: SeDebugPrivilege	3592	wmic.exe
Token: SeSystemEnvironmentPrivilege	3592	wmic.exe
Token: SeRemoteShutdownPrivilege	3592	wmic.exe
Token: SeUndockPrivilege	3592	wmic.exe
Token: SeManageVolumePrivilege	3592	wmic.exe
Token: 33	3592	wmic.exe
Token: 34	3592	wmic.exe
Token: 35	3592	wmic.exe
Token: 36	3592	wmic.exe
Token: SeIncreaseQuotaPrivilege	3592	wmic.exe
Token: SeSecurityPrivilege	3592	wmic.exe
Token: SeTakeOwnershipPrivilege	3592	wmic.exe
Token: SeLoadDriverPrivilege	3592	wmic.exe
Token: SeSystemProfilePrivilege	3592	wmic.exe
Token: SeSystemtimePrivilege	3592	wmic.exe
Token: SeProfSingleProcessPrivilege	3592	wmic.exe
Token: SeIncBasePriorityPrivilege	3592	wmic.exe
Token: SeCreatePagefilePrivilege	3592	wmic.exe
Token: SeBackupPrivilege	3592	wmic.exe
Token: SeRestorePrivilege	3592	wmic.exe
Token: SeShutdownPrivilege	3592	wmic.exe
Token: SeDebugPrivilege	3592	wmic.exe
Token: SeSystemEnvironmentPrivilege	3592	wmic.exe
Token: SeRemoteShutdownPrivilege	3592	wmic.exe
Token: SeUndockPrivilege	3592	wmic.exe
Token: SeManageVolumePrivilege	3592	wmic.exe
Token: 33	3592	wmic.exe
Token: 34	3592	wmic.exe
Token: 35	3592	wmic.exe
Token: 36	3592	wmic.exe
Token: SeIncreaseQuotaPrivilege	1692	wmic.exe
Token: SeSecurityPrivilege	1692	wmic.exe
Token: SeTakeOwnershipPrivilege	1692	wmic.exe
Token: SeLoadDriverPrivilege	1692	wmic.exe
Token: SeSystemProfilePrivilege	1692	wmic.exe
Token: SeSystemtimePrivilege	1692	wmic.exe
Token: SeProfSingleProcessPrivilege	1692	wmic.exe
Token: SeIncBasePriorityPrivilege	1692	wmic.exe
Token: SeCreatePagefilePrivilege	1692	wmic.exe
Token: SeBackupPrivilege	1692	wmic.exe
Token: SeRestorePrivilege	1692	wmic.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
5076	fixxxx.exe

Suspicious use of WriteProcessMemory 38 IoCs

description	pid	Process	procid_target
PID 5076 wrote to memory of 5008	5076	fixxxx.exe	93
PID 5076 wrote to memory of 5008	5076	fixxxx.exe	93
PID 5076 wrote to memory of 5008	5076	fixxxx.exe	93
PID 5076 wrote to memory of 3300	5076	fixxxx.exe	101
PID 5076 wrote to memory of 3300	5076	fixxxx.exe	101
PID 5076 wrote to memory of 3300	5076	fixxxx.exe	101
PID 5076 wrote to memory of 2248	5076	fixxxx.exe	105
PID 5076 wrote to memory of 2248	5076	fixxxx.exe	105
PID 5076 wrote to memory of 2248	5076	fixxxx.exe	105
PID 5076 wrote to memory of 4584	5076	fixxxx.exe	109
PID 5076 wrote to memory of 4584	5076	fixxxx.exe	109
PID 5076 wrote to memory of 4584	5076	fixxxx.exe	109
PID 5076 wrote to memory of 760	5076	fixxxx.exe	116
PID 5076 wrote to memory of 760	5076	fixxxx.exe	116
PID 760 wrote to memory of 4312	760	ffpint.exe	117
PID 760 wrote to memory of 4312	760	ffpint.exe	117
PID 760 wrote to memory of 2792	760	ffpint.exe	119
PID 760 wrote to memory of 2792	760	ffpint.exe	119
PID 760 wrote to memory of 3092	760	ffpint.exe	121
PID 760 wrote to memory of 3092	760	ffpint.exe	121
PID 760 wrote to memory of 728	760	ffpint.exe	123
PID 760 wrote to memory of 728	760	ffpint.exe	123
PID 760 wrote to memory of 4104	760	ffpint.exe	125
PID 760 wrote to memory of 4104	760	ffpint.exe	125
PID 760 wrote to memory of 3592	760	ffpint.exe	127
PID 760 wrote to memory of 3592	760	ffpint.exe	127
PID 760 wrote to memory of 1692	760	ffpint.exe	129
PID 760 wrote to memory of 1692	760	ffpint.exe	129
PID 760 wrote to memory of 3868	760	ffpint.exe	131
PID 760 wrote to memory of 3868	760	ffpint.exe	131
PID 760 wrote to memory of 4800	760	ffpint.exe	133
PID 760 wrote to memory of 4800	760	ffpint.exe	133
PID 760 wrote to memory of 4504	760	ffpint.exe	135
PID 760 wrote to memory of 4504	760	ffpint.exe	135
PID 760 wrote to memory of 2072	760	ffpint.exe	137
PID 760 wrote to memory of 2072	760	ffpint.exe	137
PID 2072 wrote to memory of 4812	2072	cmd.exe	139
PID 2072 wrote to memory of 4812	2072	cmd.exe	139

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
4312	attrib.exe

C:\Users\Admin\AppData\Local\Temp\fixxxx.exe
"C:\Users\Admin\AppData\Local\Temp\fixxxx.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:5076
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\fixxxx.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5008
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'fixxxx.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3300
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\svchost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2248
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4584
- C:\Users\Admin\AppData\Local\Temp\ffpint.exe
  "C:\Users\Admin\AppData\Local\Temp\ffpint.exe"
  2⤵
  - Drops file in Drivers directory
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:760
- - C:\Windows\SYSTEM32\attrib.exe
    "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\ffpint.exe"
    3⤵
    - Views/modifies file attributes
    PID:4312
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\ffpint.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2792
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3092
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:728
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4104
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" os get Caption
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3592
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" computersystem get totalphysicalmemory
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1692
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" csproduct get uuid
    3⤵
    PID:3868
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:4800
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic" path win32_VideoController get name
    3⤵
    - Detects videocard installed
    PID:4504
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\ffpint.exe" && pause
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2072
  - - C:\Windows\system32\PING.EXE
      ping localhost
      4⤵
      Runs ping.exe
      PID:4812

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4304,i,12594301322143882025,16832588342008839449,262144 --variations-seed-version --mojo-platform-channel-handle=4028 /prefetch:8
1⤵
PID:532

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
968cb9309758126772781b83adb8a28f

SHA1
8da30e71accf186b2ba11da1797cf67f8f78b47c

SHA256
92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a

SHA512
4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
3fecd1326c915ca032563f4f83816aa5

SHA1
332cb8f3d6f14fb1edd6633c5ea9db4cbdf25e8a

SHA256
36ff8c992d3a74ece29b1c001c75fe9512fadd5dc577799bd7b6635ea3314d91

SHA512
d2fea658ba679958a5a739013c092bc95bf70cb7e33093043b959bd743021a18ebc648114aba5c30fb960e3dd9869800a4c445b3ec90ad7d64380565030c55f8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
6c0faf4d2b068a1b9fabd11b525e0118

SHA1
e6eb5b232cbb9ef0ffdae6203b8959661fd255b9

SHA256
69fd471d7a5121390ed18b236e47e4c4860c27805878ee5da94017ee2c853177

SHA512
8c487bba3518e9876107c0461c48b2cacabd68ec30d84abbaeefe83ce335f9452fc7efb63a7fef4ee7a0aab4ebc6232e3a0a0d697278ad566d8260ac712b45be

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
9b80cd7a712469a4c45fec564313d9eb

SHA1
6125c01bc10d204ca36ad1110afe714678655f2d

SHA256
5a9e4969c6cdb5d522c81ce55799effb7255c1b0a9966a936d1dc3ff8fe2112d

SHA512
ac280d2623c470c9dec94726a7af0612938723f3c7d60d727eb3c21f17be2f2049f97bc8303558be8b01f94406781ece0ada9a3bc51e930aff20bebb6ca17584

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
948B

MD5
6a29e9f9eb72c3bffbb054cd27e3ceea

SHA1
d38f7c2ad68dcf1d24deca9792256ff53d5218b2

SHA256
7a9f831f96b9e4843751dea3ed57ee11d70bb83a5970ddf9d6bd440f4def442c

SHA512
b4826f172c6ac60ad17412a634987c45640b1b8fe03aecba26510ae224685bcd571bc4b131724036e2b502b3a8198fb69414be8c72e46f833f0601a15d313430

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
276798eeb29a49dc6e199768bc9c2e71

SHA1
5fdc8ccb897ac2df7476fbb07517aca5b7a6205b

SHA256
cd0a1056e8f1b6cb5cb328532239d802f4e2aa8f8fcdc0fcb487684bd68e0dcc

SHA512
0d34fce64bbefc57d64fa6e03ca886952263d5f24df9c1c4cce6a1e8f5a47a9a21e9820f8d38caa7f7b43a52336ce00b738ea18419aaa7c788b72e04ce19e4f2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
2984662ba3f86d7fcf26758b5b76754d

SHA1
bc2a43ffd898222ee84406313f3834f226928379

SHA256
f0815f797b0c1829745dd65985f28d459688f91ceb2f3d76fed2d4309589bcde

SHA512
a06251a7a14559ebf5627a3c6b03fda9ded1d4ee44991283c824ccf5011cdf67665696d2d9b23507cbb3e3b9943b9e9f79ef28d3657eb61fb99920225417ab11

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
047a6ace681f0332f50f9b733a4e5636

SHA1
7832a9382a86b8750252589f36332c93d220c002

SHA256
da4fccf3ae205aa090b0efe062dd5735a29669baa8ae1f5b7ad1c25f6c342a45

SHA512
52a47c740b5216b573caaca77b10a5db9d1a2b12cc84aacf54ec3f50ee633836ee834fcc1256de3765cd0fd863482fa2eb7d4275f2d3bc47a33a537946287001

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
0b95e5770936c502a42368f9b060d6e5

SHA1
ad12ff207a4722daf40314fa07a33e9469cff7f0

SHA256
c7b88ad95b501873d8fcbc6f8cccf3ec4e9c0e5e2cda918d72e95d49d7e4652a

SHA512
bdddb979d191210224918403a6980fa9f13eb48200fc1a6000a1917b8694926e8468acad4ed6782754dee602595855ab86a40ead9e5ba6603d438dc3a1911eea

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_aqyw11lm.i0d.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\ffpint.exe

Filesize
231KB

MD5
cc9a35c145b9603d30c07fa7995390ea

SHA1
e4dd1a40aa0e5a1a7cfae14e76ebab05d51a0b69

SHA256
8a18073f8f287ccd1f0cf93ae325e84426073bfd07593ea736e7ec0bb9a35efe

SHA512
ee8145b5927c8395455a3ed7bf4f557a66035bdb7354d519045c51ce44a9b39922fa7b2288a6694cbc2a542c2f623ef309ff4d3f5029aea6ee94b9f005120b95

Download Submit
memory/760-148-0x000001F72C7F0000-0x000001F72C830000-memory.dmp

Filesize
256KB

Download
memory/760-213-0x000001F747110000-0x000001F747122000-memory.dmp

Filesize
72KB

Download
memory/760-176-0x000001F746CE0000-0x000001F746D56000-memory.dmp

Filesize
472KB

Download
memory/760-212-0x000001F72E4C0000-0x000001F72E4CA000-memory.dmp

Filesize
40KB

Download
memory/760-177-0x000001F746D60000-0x000001F746DB0000-memory.dmp

Filesize
320KB

Download
memory/760-178-0x000001F72E480000-0x000001F72E49E000-memory.dmp

Filesize
120KB

Download
memory/2248-82-0x0000000006220000-0x0000000006574000-memory.dmp

Filesize
3.3MB

Download
memory/2248-88-0x0000000070210000-0x000000007025C000-memory.dmp

Filesize
304KB

Download
memory/2792-149-0x000002ADD9080000-0x000002ADD90A2000-memory.dmp

Filesize
136KB

Download
memory/3300-76-0x0000000074550000-0x0000000074D00000-memory.dmp

Filesize
7.7MB

Download
memory/3300-65-0x0000000070210000-0x000000007025C000-memory.dmp

Filesize
304KB

Download
memory/3300-54-0x0000000074550000-0x0000000074D00000-memory.dmp

Filesize
7.7MB

Download
memory/3300-53-0x0000000074550000-0x0000000074D00000-memory.dmp

Filesize
7.7MB

Download
memory/3300-52-0x0000000074550000-0x0000000074D00000-memory.dmp

Filesize
7.7MB

Download
memory/4584-100-0x0000000005D10000-0x0000000006064000-memory.dmp

Filesize
3.3MB

Download
memory/4584-111-0x0000000070210000-0x000000007025C000-memory.dmp

Filesize
304KB

Download
memory/5008-35-0x0000000074550000-0x0000000074D00000-memory.dmp

Filesize
7.7MB

Download
memory/5008-10-0x0000000004C90000-0x0000000004CF6000-memory.dmp

Filesize
408KB

Download
memory/5008-47-0x0000000007090000-0x0000000007098000-memory.dmp

Filesize
32KB

Download
memory/5008-50-0x0000000074550000-0x0000000074D00000-memory.dmp

Filesize
7.7MB

Download
memory/5008-45-0x0000000006FB0000-0x0000000006FC4000-memory.dmp

Filesize
80KB

Download
memory/5008-44-0x0000000006FA0000-0x0000000006FAE000-memory.dmp

Filesize
56KB

Download
memory/5008-43-0x0000000006F70000-0x0000000006F81000-memory.dmp

Filesize
68KB

Download
memory/5008-42-0x0000000006FF0000-0x0000000007086000-memory.dmp

Filesize
600KB

Download
memory/5008-41-0x0000000006DE0000-0x0000000006DEA000-memory.dmp

Filesize
40KB

Download
memory/5008-39-0x0000000006D70000-0x0000000006D8A000-memory.dmp

Filesize
104KB

Download
memory/5008-40-0x0000000074550000-0x0000000074D00000-memory.dmp

Filesize
7.7MB

Download
memory/5008-38-0x00000000073B0000-0x0000000007A2A000-memory.dmp

Filesize
6.5MB

Download
memory/5008-24-0x0000000070210000-0x000000007025C000-memory.dmp

Filesize
304KB

Download
memory/5008-37-0x0000000074550000-0x0000000074D00000-memory.dmp

Filesize
7.7MB

Download
memory/5008-34-0x0000000006A10000-0x0000000006A2E000-memory.dmp

Filesize
120KB

Download
memory/5008-36-0x0000000006C30000-0x0000000006CD3000-memory.dmp

Filesize
652KB

Download
memory/5008-4-0x0000000002110000-0x0000000002146000-memory.dmp

Filesize
216KB

Download
memory/5008-5-0x0000000074550000-0x0000000074D00000-memory.dmp

Filesize
7.7MB

Download
memory/5008-6-0x0000000004E40000-0x0000000005468000-memory.dmp

Filesize
6.2MB

Download
memory/5008-7-0x0000000074550000-0x0000000074D00000-memory.dmp

Filesize
7.7MB

Download
memory/5008-8-0x0000000004B80000-0x0000000004BA2000-memory.dmp

Filesize
136KB

Download
memory/5008-9-0x0000000004C20000-0x0000000004C86000-memory.dmp

Filesize
408KB

Download
memory/5008-46-0x00000000070B0000-0x00000000070CA000-memory.dmp

Filesize
104KB

Download
memory/5008-20-0x0000000005470000-0x00000000057C4000-memory.dmp

Filesize
3.3MB

Download
memory/5008-23-0x0000000006000000-0x0000000006032000-memory.dmp

Filesize
200KB

Download
memory/5008-22-0x0000000005A70000-0x0000000005ABC000-memory.dmp

Filesize
304KB

Download
memory/5008-21-0x0000000005A40000-0x0000000005A5E000-memory.dmp

Filesize
120KB

Download
memory/5076-134-0x00000000006B0000-0x00000000006BC000-memory.dmp

Filesize
48KB

Download
memory/5076-132-0x0000000007320000-0x00000000078C4000-memory.dmp

Filesize
5.6MB

Download
memory/5076-131-0x0000000006CD0000-0x0000000006D62000-memory.dmp

Filesize
584KB

Download
memory/5076-129-0x0000000074550000-0x0000000074D00000-memory.dmp

Filesize
7.7MB

Download
memory/5076-125-0x0000000074550000-0x0000000074D00000-memory.dmp

Filesize
7.7MB

Download
memory/5076-124-0x000000007455E000-0x000000007455F000-memory.dmp

Filesize
4KB

Download
memory/5076-121-0x0000000000F30000-0x00000000012A4000-memory.dmp

Filesize
3.5MB

Download
memory/5076-0-0x0000000000F30000-0x00000000012A4000-memory.dmp

Filesize
3.5MB

Download
memory/5076-3-0x00000000054B0000-0x000000000554C000-memory.dmp

Filesize
624KB

Download
memory/5076-2-0x0000000000F30000-0x00000000012A4000-memory.dmp

Filesize
3.5MB

Download
memory/5076-1-0x000000007455E000-0x000000007455F000-memory.dmp

Filesize
4KB

Download