xworm | ca93416a5406c488c52fdda404b872f0da81f9a8459f4d4ae4cebe6541d22e85

Analysis

max time kernel
38s
max time network
41s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
11-11-2024 11:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ExperienceCheat.exe
Size

62.0MB
MD5

a2758f6c3f1a1d68731991792a711dd0
SHA1

e2ef709aaa1d88792d54b8cf05b9b3c3033b3409
SHA256

ca93416a5406c488c52fdda404b872f0da81f9a8459f4d4ae4cebe6541d22e85
SHA512

9fcd549b1dd8bced2b1f843272a8d923322a3ff4eef05d3bf8fb7a5cfd4328a36192c04eb1e6e16d799cefb461256cd8fdb772bbb251e94e44338c242d463103
SSDEEP

1536:YkeHtRfrimdNmkKZr311OGAiQj39IdcCqcAP69nQ:oHtRp6r311RAzj390VAP69Q

Score

10^/10

xworm discovery execution rat trojan

Malware Config

Extracted

Family

xworm

127.0.0.1:38492

warning-ms.gl.at.ply.gg:38492

Attributes

Install_directory
%AppData%
install_file
XClient.exe

Signatures

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral2/files/0x001d00000002aa57-21.dat	family_xworm
behavioral2/memory/4488-29-0x0000000000FD0000-0x0000000000FEC000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2532	powershell.exe

Executes dropped EXE 1 IoCs

pid	Process
4488	Nursultan.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
1	ip-api.com

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
2532	powershell.exe
2532	powershell.exe
1688	msedge.exe
1688	msedge.exe
2192	msedge.exe
2192	msedge.exe
3940	identity_helper.exe
3940	identity_helper.exe
888	msedge.exe
888	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
1688	msedge.exe
1688	msedge.exe
1688	msedge.exe
1688	msedge.exe
1688	msedge.exe
1688	msedge.exe
1688	msedge.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2532	powershell.exe
Token: SeDebugPrivilege	4488	Nursultan.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
1688	msedge.exe
1688	msedge.exe
1688	msedge.exe
1688	msedge.exe
1688	msedge.exe
1688	msedge.exe
1688	msedge.exe
1688	msedge.exe
1688	msedge.exe
1688	msedge.exe
1688	msedge.exe
1688	msedge.exe
1688	msedge.exe
1688	msedge.exe
1688	msedge.exe
1688	msedge.exe
1688	msedge.exe
1688	msedge.exe
1688	msedge.exe
1688	msedge.exe
1688	msedge.exe
1688	msedge.exe
1688	msedge.exe
1688	msedge.exe
1688	msedge.exe
1688	msedge.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
1688	msedge.exe
1688	msedge.exe
1688	msedge.exe
1688	msedge.exe
1688	msedge.exe
1688	msedge.exe
1688	msedge.exe
1688	msedge.exe
1688	msedge.exe
1688	msedge.exe
1688	msedge.exe
1688	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4512 wrote to memory of 2532	4512	ExperienceCheat.exe	81
PID 4512 wrote to memory of 2532	4512	ExperienceCheat.exe	81
PID 4512 wrote to memory of 4488	4512	ExperienceCheat.exe	83
PID 4512 wrote to memory of 4488	4512	ExperienceCheat.exe	83
PID 1688 wrote to memory of 4404	1688	msedge.exe	91
PID 1688 wrote to memory of 4404	1688	msedge.exe	91
PID 1688 wrote to memory of 1044	1688	msedge.exe	92
PID 1688 wrote to memory of 1044	1688	msedge.exe	92
PID 1688 wrote to memory of 1044	1688	msedge.exe	92
PID 1688 wrote to memory of 1044	1688	msedge.exe	92
PID 1688 wrote to memory of 1044	1688	msedge.exe	92
PID 1688 wrote to memory of 1044	1688	msedge.exe	92
PID 1688 wrote to memory of 1044	1688	msedge.exe	92
PID 1688 wrote to memory of 1044	1688	msedge.exe	92
PID 1688 wrote to memory of 1044	1688	msedge.exe	92
PID 1688 wrote to memory of 1044	1688	msedge.exe	92
PID 1688 wrote to memory of 1044	1688	msedge.exe	92
PID 1688 wrote to memory of 1044	1688	msedge.exe	92
PID 1688 wrote to memory of 1044	1688	msedge.exe	92
PID 1688 wrote to memory of 1044	1688	msedge.exe	92
PID 1688 wrote to memory of 1044	1688	msedge.exe	92
PID 1688 wrote to memory of 1044	1688	msedge.exe	92
PID 1688 wrote to memory of 1044	1688	msedge.exe	92
PID 1688 wrote to memory of 1044	1688	msedge.exe	92
PID 1688 wrote to memory of 1044	1688	msedge.exe	92
PID 1688 wrote to memory of 1044	1688	msedge.exe	92
PID 1688 wrote to memory of 1044	1688	msedge.exe	92
PID 1688 wrote to memory of 1044	1688	msedge.exe	92
PID 1688 wrote to memory of 1044	1688	msedge.exe	92
PID 1688 wrote to memory of 1044	1688	msedge.exe	92
PID 1688 wrote to memory of 1044	1688	msedge.exe	92
PID 1688 wrote to memory of 1044	1688	msedge.exe	92
PID 1688 wrote to memory of 1044	1688	msedge.exe	92
PID 1688 wrote to memory of 1044	1688	msedge.exe	92
PID 1688 wrote to memory of 1044	1688	msedge.exe	92
PID 1688 wrote to memory of 1044	1688	msedge.exe	92
PID 1688 wrote to memory of 1044	1688	msedge.exe	92
PID 1688 wrote to memory of 1044	1688	msedge.exe	92
PID 1688 wrote to memory of 1044	1688	msedge.exe	92
PID 1688 wrote to memory of 1044	1688	msedge.exe	92
PID 1688 wrote to memory of 1044	1688	msedge.exe	92
PID 1688 wrote to memory of 1044	1688	msedge.exe	92
PID 1688 wrote to memory of 1044	1688	msedge.exe	92
PID 1688 wrote to memory of 1044	1688	msedge.exe	92
PID 1688 wrote to memory of 1044	1688	msedge.exe	92
PID 1688 wrote to memory of 1044	1688	msedge.exe	92
PID 1688 wrote to memory of 2192	1688	msedge.exe	93
PID 1688 wrote to memory of 2192	1688	msedge.exe	93
PID 1688 wrote to memory of 1556	1688	msedge.exe	94
PID 1688 wrote to memory of 1556	1688	msedge.exe	94
PID 1688 wrote to memory of 1556	1688	msedge.exe	94
PID 1688 wrote to memory of 1556	1688	msedge.exe	94
PID 1688 wrote to memory of 1556	1688	msedge.exe	94
PID 1688 wrote to memory of 1556	1688	msedge.exe	94
PID 1688 wrote to memory of 1556	1688	msedge.exe	94
PID 1688 wrote to memory of 1556	1688	msedge.exe	94
PID 1688 wrote to memory of 1556	1688	msedge.exe	94
PID 1688 wrote to memory of 1556	1688	msedge.exe	94
PID 1688 wrote to memory of 1556	1688	msedge.exe	94
PID 1688 wrote to memory of 1556	1688	msedge.exe	94
PID 1688 wrote to memory of 1556	1688	msedge.exe	94
PID 1688 wrote to memory of 1556	1688	msedge.exe	94
PID 1688 wrote to memory of 1556	1688	msedge.exe	94
PID 1688 wrote to memory of 1556	1688	msedge.exe	94

C:\Users\Admin\AppData\Local\Temp\ExperienceCheat.exe
"C:\Users\Admin\AppData\Local\Temp\ExperienceCheat.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4512
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Nursultan.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2532
- C:\Users\Admin\AppData\Local\Temp\Nursultan.exe
  "C:\Users\Admin\AppData\Local\Temp\Nursultan.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:4488

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1688
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7fff5daf3cb8,0x7fff5daf3cc8,0x7fff5daf3cd8
  2⤵
  PID:4404
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1904,15424151895459751398,11286222700975051652,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1892 /prefetch:2
  2⤵
  PID:1044
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1904,15424151895459751398,11286222700975051652,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2300 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2192
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1904,15424151895459751398,11286222700975051652,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2560 /prefetch:8
  2⤵
  PID:1556
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,15424151895459751398,11286222700975051652,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3208 /prefetch:1
  2⤵
  PID:2280
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,15424151895459751398,11286222700975051652,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3216 /prefetch:1
  2⤵
  PID:4988
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,15424151895459751398,11286222700975051652,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3960 /prefetch:1
  2⤵
  PID:2984
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,15424151895459751398,11286222700975051652,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4496 /prefetch:1
  2⤵
  PID:2056
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1904,15424151895459751398,11286222700975051652,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3380 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3940
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1904,15424151895459751398,11286222700975051652,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5084 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:888
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,15424151895459751398,11286222700975051652,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5152 /prefetch:1
  2⤵
  PID:5056
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,15424151895459751398,11286222700975051652,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5052 /prefetch:1
  2⤵
  PID:3068
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,15424151895459751398,11286222700975051652,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4876 /prefetch:1
  2⤵
  PID:5080

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:660

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:956

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
d91478312beae099b8ed57e547611ba2

SHA1
4b927559aedbde267a6193e3e480fb18e75c43d7

SHA256
df43cd7779d9fc91fd0416155d6771bc81565e98be38689cb17caece256bf043

SHA512
4086c4ebe410a37d0124fc8bd00c58775e70ab2b7b5a39b4e49b332ce5b4866c6775707436395467aff9596507c96fb4896f3bf0249c5b9c99a927f31dcc1a96

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
d7145ec3fa29a4f2df900d1418974538

SHA1
1368d579635ba1a53d7af0ed89bf0b001f149f9d

SHA256
efc56eb46cf3352bf706c0309d5d740bca6ac06142f9bdc5e8344b81d4d83d59

SHA512
5bb663ede88f8b7c96b09c1214aac68eda99bc09525ac383baa96914ff7d553ea1aed09e3c9d16893d791c81ddb164c682dfbb4759ac0bc751221f3e36558a91

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
0d89558356758b23d6f6c127ad8ab874

SHA1
2345c39d2af5172fc5451efcb87e9405ae1e4643

SHA256
113140e90bab7ffb21c41bd2d0692843c240bd984b8f6bf4daaa3a9cacc5e260

SHA512
92ca78dbdf9943fb04aeb4222185895c9887ff8a7d03b04e410b539b527364d9fc38865954b1d42a8c1286330b1e89f823cbc4e646ff27abd6546937c0717453

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
32e14c8b9bd2b432f16ebfb2c6fcba1a

SHA1
96859d87fd5eb6e490966c0bf9ba85c13288e4bb

SHA256
71e3df6c0327e15e27c07ea2997ddc5ff47d7b72fdc0054ce2925a24c45800c0

SHA512
d01aeac1e26ec45ecf5eedd0de69b6afd7739bff1ea2550ae15c6191499d441b91112d7264444ffba55d0dbd7bb0b9d62d3b87397a06c1b1ef75989231885b83

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
7ca653cc63896a448b1c91a68f421a20

SHA1
21ebacf92bbe3270c4d791a21d69606310db175d

SHA256
9d691fab58ad6eeae45e5307b1d0adee3b8d283e33f9cb8c2b06ffe60d0b0242

SHA512
d214fc7360089f62de7838527554cec87f67b1fd5ac2b1036fc19685ca4aad5c4531860ab7ce56f8163a2b691167d9236dc36b43ccee92e7019a41b1321b5351

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\ShaderCache\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Temp\Nursultan.exe

Filesize
87KB

MD5
38fc92faaaa97884e49674a2fb59dffa

SHA1
d2fdfcd6a426e4a0eb3dfc3b1c0d09ea0db945a2

SHA256
26d868f392303276bb62ce6771ec4bae63add8874e2621549d447490112ba992

SHA512
b8d4a64a9e02e96848d9285b3a6e7986cf4c54a520f75354008815790d7001361b3e570d9ff1c2d5e747ee1943b6bee791012120b536b06edb534aa76c445777

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_webrjyuk.o5a.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/2532-12-0x00007FFF4BB00000-0x00007FFF4C5C2000-memory.dmp

Filesize
10.8MB

Download
memory/2532-16-0x00007FFF4BB00000-0x00007FFF4C5C2000-memory.dmp

Filesize
10.8MB

Download
memory/2532-13-0x00007FFF4BB00000-0x00007FFF4C5C2000-memory.dmp

Filesize
10.8MB

Download
memory/2532-11-0x00007FFF4BB00000-0x00007FFF4C5C2000-memory.dmp

Filesize
10.8MB

Download
memory/2532-10-0x000001E04D910000-0x000001E04D932000-memory.dmp

Filesize
136KB

Download
memory/4488-29-0x0000000000FD0000-0x0000000000FEC000-memory.dmp

Filesize
112KB

Download
memory/4512-32-0x00007FFF4BB00000-0x00007FFF4C5C2000-memory.dmp

Filesize
10.8MB

Download
memory/4512-30-0x00007FFF4BB03000-0x00007FFF4BB05000-memory.dmp

Filesize
8KB

Download
memory/4512-28-0x00007FFF4BB00000-0x00007FFF4C5C2000-memory.dmp

Filesize
10.8MB

Download
memory/4512-0-0x00007FFF4BB03000-0x00007FFF4BB05000-memory.dmp

Filesize
8KB

Download
memory/4512-1-0x0000000000240000-0x0000000000254000-memory.dmp

Filesize
80KB

Download