Analysis

  • max time kernel
    150s
  • max time network
    156s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231020-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20231020-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    16-11-2023 11:56

General

  • Target

    484d76db8fb4f2df2effad00c79fb2c1823a7b418adff4abc1329a4d9ba1ae0b.exe

  • Size

    1.3MB

  • MD5

    ef06d812abe0ff2861061f6a26511873

  • SHA1

    03d1777b12c7064c5e42103526da3c2655cc022e

  • SHA256

    484d76db8fb4f2df2effad00c79fb2c1823a7b418adff4abc1329a4d9ba1ae0b

  • SHA512

    84a819cab165b3f1f65dd7c4063c2b994e7422ef1d86788fcdb0481f8ff116e1a6cf5ccbcfdf4215c8b3779f4e24bbf06a6d1ee2bdb8841feae3bc83fd762550

  • SSDEEP

    12288:yNnfN08nbtPii3uu6VrkdwWX4dVpjhISG9GIWin3lu3V6GwRZR3aUSC9ZZWYXh:Al0mboWIdVpjhTGodi3xRT3aU5h

Score
10/10

Signatures

  • Detects HZRAT backdoor 1 IoCs
  • HZRAT

    HZRAT is a backdoor that remotely accesses infected resources.

  • Suspicious behavior: EnumeratesProcesses 59 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\484d76db8fb4f2df2effad00c79fb2c1823a7b418adff4abc1329a4d9ba1ae0b.exe
    "C:\Users\Admin\AppData\Local\Temp\484d76db8fb4f2df2effad00c79fb2c1823a7b418adff4abc1329a4d9ba1ae0b.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1800
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -command "& {wmic bios get Manufacturer,name,ReleaseDate,SerialNumber /value}"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1176
      • C:\Windows\SysWOW64\Wbem\WMIC.exe
        "C:\Windows\System32\Wbem\WMIC.exe" bios get Manufacturer,name,ReleaseDate,SerialNumber /value
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:4672
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -command "& {wmic BASEBOARD get manufacturer,product,version,SerialNumber /value}"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2756
      • C:\Windows\SysWOW64\Wbem\WMIC.exe
        "C:\Windows\System32\Wbem\WMIC.exe" BASEBOARD get manufacturer,product,version,SerialNumber /value
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:1816
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -command "& {wmic computersystem get systemfamily,systemskunumber,model /value}"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:4548
      • C:\Windows\SysWOW64\Wbem\WMIC.exe
        "C:\Windows\System32\Wbem\WMIC.exe" computersystem get systemfamily,systemskunumber,model /value
        3⤵
        PID:2196
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -command "& {wmic DESKTOPMONITOR get Caption,PNPDeviceID /value}"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:4920
      • C:\Windows\SysWOW64\Wbem\WMIC.exe
        "C:\Windows\System32\Wbem\WMIC.exe" DESKTOPMONITOR get Caption,PNPDeviceID /value
        3⤵
        PID:1648
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -command "& {wmic IDECONTROLLER get name,DeviceID /value}"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:3872
      • C:\Windows\SysWOW64\Wbem\WMIC.exe
        "C:\Windows\System32\Wbem\WMIC.exe" IDECONTROLLER get name,DeviceID /value
        3⤵
        PID:1092
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -command "& {wmic MEMORYCHIP get capacity,manufacturer,partnumber,SerialNumber /value}"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:392
      • C:\Windows\SysWOW64\Wbem\WMIC.exe
        "C:\Windows\System32\Wbem\WMIC.exe" MEMORYCHIP get capacity,manufacturer,partnumber,SerialNumber /value
        3⤵
        PID:804
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -command "& {wmic PORTCONNECTOR get externalreferencedesignator /value}"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:4284
      • C:\Windows\SysWOW64\Wbem\WMIC.exe
        "C:\Windows\System32\Wbem\WMIC.exe" PORTCONNECTOR get externalreferencedesignator /value
        3⤵
        PID:2888
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -command "& {wmic SOUNDDEV get Name,Description,DeviceID /value}"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:4860
      • C:\Windows\SysWOW64\Wbem\WMIC.exe
        "C:\Windows\System32\Wbem\WMIC.exe" SOUNDDEV get Name,Description,DeviceID /value
        3⤵
        PID:1476
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -command "& {Get-WmiObject -Class Win32_videocontroller | select-object description}"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:3472
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -command "& {wmic cpu get name,processorid /value}"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:5000
      • C:\Windows\SysWOW64\Wbem\WMIC.exe
        "C:\Windows\System32\Wbem\WMIC.exe" cpu get name,processorid /value
        3⤵
        PID:4208
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -command "& {wmic DISKDRIVE get serialnumber /value}"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:1000
      • C:\Windows\SysWOW64\Wbem\WMIC.exe
        "C:\Windows\System32\Wbem\WMIC.exe" DISKDRIVE get serialnumber /value
        3⤵
        PID:1988
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -command "& {wmic bios get SerialNumber /value}"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:4740
      • C:\Windows\SysWOW64\Wbem\WMIC.exe
        "C:\Windows\System32\Wbem\WMIC.exe" bios get SerialNumber /value
        3⤵
        PID:808
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -command "& {wmic DISKDRIVE get caption,deviceid,firmwarerevision,interfacetype,model,pnpdeviceid,serialnumber /value}"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:3176
      • C:\Windows\SysWOW64\Wbem\WMIC.exe
        "C:\Windows\System32\Wbem\WMIC.exe" DISKDRIVE get caption,deviceid,firmwarerevision,interfacetype,model,pnpdeviceid,serialnumber /value
        3⤵
        PID:1180
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -command "& {$env:temp}"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:952
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -command "& {echo $env:userprofile}"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:2140
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -command "& {reg export HKEY_CURRENT_USER\Software\PremiumSoft C:\Users\Admin\AppData\Local\Temp\6027097068028388406.reg}"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:4172
      • C:\Windows\SysWOW64\reg.exe
        "C:\Windows\system32\reg.exe" export HKEY_CURRENT_USER\Software\PremiumSoft C:\Users\Admin\AppData\Local\Temp\6027097068028388406.reg
        3⤵
        PID:3588
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -command "& {whoami /user /nh}"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:1880
      • C:\Windows\SysWOW64\whoami.exe
        "C:\Windows\system32\whoami.exe" /user /nh
        3⤵
        PID:3464
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -command "& {Get-ChildItem -Recurse $env:userprofile'\Documents\NetSarang Computer\7\Xshell\Sessions' | Where-Object {$_.Name -like '*.xsh'} | Foreach-Object Name}"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:3156
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -command "& {gwmi -query 'select caption from win32_operatingsystem' | Select-Object -ExpandProperty caption}"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:1120
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -command "& {gwmi -query 'select model from win32_computersystem' | Select-Object -ExpandProperty model}"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:1584
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -command "& {pwd | select-object -expandproperty path}"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:3840
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -command "& {[System.Security.Principal.WindowsIdentity]::GetCurrent().Name}"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:3036
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -command "& {gwmi -query 'select * from win32_networkadapterconfiguration' | Select-Object -Property ipaddress,servicename,description}"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:4460
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -command "& {gwmi -query 'select macaddress,name from win32_networkadapter' | Select-Object -Property macaddress,name}"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:928
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -command "& {gwmi -query 'select caption,name from win32_useraccount' | Select-Object -Property caption,name}"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:5052
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -command "& {gwmi -query 'select name,sessionid,processid from win32_process' | Select-Object -Property name,sessionid,processid}"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:4748
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -command "& {gwmi -query 'select * from win32_computersystem'}"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:2176
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -command "& {dir C:\Users\$([Environment]::UserName)\Desktop; dir C:\Users\Public\Desktop}"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:1356
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -command "& {wmic SYSDRIVER get name,caption /value}"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:3564
      • C:\Windows\SysWOW64\Wbem\WMIC.exe
        "C:\Windows\System32\Wbem\WMIC.exe" SYSDRIVER get name,caption /value
        3⤵
        PID:4940

                              MD5

                              c3a358751b4d8e802cebe7a1dfca4ea6

                              SHA1

                              9cc135ad7ba31b87e0e291c0c6d0efc4c682506c

                              SHA256

                              a3a2baedc6063ebc07897e6215413455b7d356dcdcc886edd162f0e784f87307

                              SHA512

                              6f9e0ae070da6c6409ebccdf641cd3754bec129404f51c13b7b445d7bc6c10d360aee2aba53f9aff20ed8e99091aecb585445599c8b1b490a3c10bccab861b10

                            • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                              Filesize

                              11KB

                              MD5

                              0fb98fec27ebd0fc416f324b0618cdb9

                              SHA1

                              534bdb9a93be47095f2e653008aa44c8ded71045

                              SHA256

                              f5dfb1b64747f5eea12713f0d5f9632acdd1a46e99cbc66194e54c42155772a5

                              SHA512

                              0eb236a7b289989654255a0b20fc34a4b8c8f386452c4e487722cd256b8f7e5dffcba2e252a4aad379521b80416972191c0728fdeb8e5cab696c63b4f94e461d

                            • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                              Filesize

                              11KB

                              MD5

                              593dbcb69692d4cec583d274ecc39d82

                              SHA1

                              52ebcf7cccc1dce2020fb59b93e976595b804717

                              SHA256

                              1c9158ff9eadaf02f00698ddb3ee453b0233cbc2336737add592cfeda6c9b7f4

                              SHA512

                              0540885e89bf55dee893530eff7ba4fa165eae19078898d290eae6f502fdf37276c4236ccb344ca5efecfce24f6748d88e845a821c44275f563271e753b3479c

                            • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_kqvh14ev.3js.ps1

                              Filesize

                              60B

                              MD5

                              d17fe0a3f47be24a6453e9ef58c94641

                              SHA1

                              6ab83620379fc69f80c0242105ddffd7d98d5d9d

                              SHA256

                              96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

                              SHA512

                              5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

                            • memory/392-110-0x0000000003470000-0x0000000003480000-memory.dmp

                              Filesize

                              64KB

                            • memory/392-96-0x00000000746C0000-0x0000000074E70000-memory.dmp

                              Filesize

                              7.7MB

                            • memory/392-97-0x0000000003470000-0x0000000003480000-memory.dmp

                              Filesize

                              64KB

                            • memory/392-98-0x0000000003470000-0x0000000003480000-memory.dmp

                              Filesize

                              64KB

                            • memory/392-111-0x00000000746C0000-0x0000000074E70000-memory.dmp

                              Filesize

                              7.7MB

                            • memory/1176-10-0x00000000057D0000-0x0000000005836000-memory.dmp

                              Filesize

                              408KB

                            • memory/1176-3-0x0000000002FE0000-0x0000000003016000-memory.dmp

                              Filesize

                              216KB

                            • memory/1176-21-0x00000000061F0000-0x0000000006544000-memory.dmp

                              Filesize

                              3.3MB

                            • memory/1176-9-0x00000000746C0000-0x0000000074E70000-memory.dmp

                              Filesize

                              7.7MB

                            • memory/1176-8-0x0000000005730000-0x0000000005752000-memory.dmp

                              Filesize

                              136KB

                            • memory/1176-7-0x00000000058A0000-0x0000000005EC8000-memory.dmp

                              Filesize

                              6.2MB

                            • memory/1176-6-0x0000000005260000-0x0000000005270000-memory.dmp

                              Filesize

                              64KB

                            • memory/1176-5-0x0000000005260000-0x0000000005270000-memory.dmp

                              Filesize

                              64KB

                            • memory/1176-22-0x00000000066F0000-0x000000000670E000-memory.dmp

                              Filesize

                              120KB

                            • memory/1176-16-0x0000000005FC0000-0x0000000006026000-memory.dmp

                              Filesize

                              408KB

                            • memory/1176-4-0x00000000746C0000-0x0000000074E70000-memory.dmp

                              Filesize

                              7.7MB

                            • memory/1176-23-0x0000000006720000-0x000000000676C000-memory.dmp

                              Filesize

                              304KB

                            • memory/1176-24-0x0000000005260000-0x0000000005270000-memory.dmp

                              Filesize

                              64KB

                            • memory/1176-25-0x0000000005260000-0x0000000005270000-memory.dmp

                              Filesize

                              64KB

                            • memory/1176-28-0x00000000746C0000-0x0000000074E70000-memory.dmp

                              Filesize

                              7.7MB

                            • memory/1800-2-0x0000000000750000-0x00000000008F6000-memory.dmp

                              Filesize

                              1.6MB

                            • memory/1800-0-0x0000000000750000-0x00000000008F6000-memory.dmp

                              Filesize

                              1.6MB

                            • memory/1800-1-0x0000000002A40000-0x0000000002A73000-memory.dmp

                              Filesize

                              204KB

                            • memory/2756-31-0x00000000024A0000-0x00000000024B0000-memory.dmp

                              Filesize

                              64KB

                            • memory/2756-46-0x00000000746C0000-0x0000000074E70000-memory.dmp

                              Filesize

                              7.7MB

                            • memory/2756-44-0x00000000024A0000-0x00000000024B0000-memory.dmp

                              Filesize

                              64KB

                            • memory/2756-42-0x0000000005750000-0x0000000005AA4000-memory.dmp

                              Filesize

                              3.3MB

                            • memory/2756-32-0x00000000024A0000-0x00000000024B0000-memory.dmp

                              Filesize

                              64KB

                            • memory/2756-30-0x00000000746C0000-0x0000000074E70000-memory.dmp

                              Filesize

                              7.7MB

                            • memory/3472-160-0x0000000006A40000-0x0000000006A62000-memory.dmp

                              Filesize

                              136KB

                            • memory/3472-161-0x0000000007ED0000-0x0000000008474000-memory.dmp

                              Filesize

                              5.6MB

                            • memory/3472-162-0x0000000008B00000-0x000000000917A000-memory.dmp

                              Filesize

                              6.5MB

                            • memory/3472-159-0x00000000069F0000-0x0000000006A0A000-memory.dmp

                              Filesize

                              104KB

                            • memory/3472-147-0x0000000005060000-0x0000000005070000-memory.dmp

                              Filesize

                              64KB

                            • memory/3472-158-0x0000000007880000-0x0000000007916000-memory.dmp

                              Filesize

                              600KB

                            • memory/3472-145-0x00000000746C0000-0x0000000074E70000-memory.dmp

                              Filesize

                              7.7MB

                            • memory/3472-146-0x0000000005060000-0x0000000005070000-memory.dmp

                              Filesize

                              64KB

                            • memory/3872-95-0x00000000746C0000-0x0000000074E70000-memory.dmp

                              Filesize

                              7.7MB

                            • memory/3872-80-0x0000000004F50000-0x0000000004F60000-memory.dmp

                              Filesize

                              64KB

                            • memory/3872-79-0x00000000746C0000-0x0000000074E70000-memory.dmp

                              Filesize

                              7.7MB

                            • memory/3872-81-0x0000000004F50000-0x0000000004F60000-memory.dmp

                              Filesize

                              64KB

                            • memory/3872-91-0x0000000005E60000-0x00000000061B4000-memory.dmp

                              Filesize

                              3.3MB

                            • memory/3872-94-0x0000000004F50000-0x0000000004F60000-memory.dmp

                              Filesize

                              64KB

                            • memory/4284-113-0x0000000005350000-0x0000000005360000-memory.dmp

                              Filesize

                              64KB

                            • memory/4284-126-0x0000000005350000-0x0000000005360000-memory.dmp

                              Filesize

                              64KB

                            • memory/4284-127-0x00000000746C0000-0x0000000074E70000-memory.dmp

                              Filesize

                              7.7MB

                            • memory/4284-112-0x00000000746C0000-0x0000000074E70000-memory.dmp

                              Filesize

                              7.7MB

                            • memory/4284-114-0x0000000005350000-0x0000000005360000-memory.dmp

                              Filesize

                              64KB

                            • memory/4548-61-0x00000000746C0000-0x0000000074E70000-memory.dmp

                              Filesize

                              7.7MB

                            • memory/4548-47-0x00000000746C0000-0x0000000074E70000-memory.dmp

                              Filesize

                              7.7MB

                            • memory/4548-48-0x00000000051B0000-0x00000000051C0000-memory.dmp

                              Filesize

                              64KB

                            • memory/4548-60-0x00000000051B0000-0x00000000051C0000-memory.dmp

                              Filesize

                              64KB

                            • memory/4860-144-0x00000000746C0000-0x0000000074E70000-memory.dmp

                              Filesize

                              7.7MB

                            • memory/4860-143-0x0000000002C00000-0x0000000002C10000-memory.dmp

                              Filesize

                              64KB

                            • memory/4860-131-0x0000000005F70000-0x00000000062C4000-memory.dmp

                              Filesize

                              3.3MB

                            • memory/4860-129-0x0000000002C00000-0x0000000002C10000-memory.dmp

                              Filesize

                              64KB

                            • memory/4860-130-0x0000000002C00000-0x0000000002C10000-memory.dmp

                              Filesize

                              64KB

                            • memory/4860-128-0x00000000746C0000-0x0000000074E70000-memory.dmp

                              Filesize

                              7.7MB

                            • memory/4920-63-0x0000000005390000-0x00000000053A0000-memory.dmp

                              Filesize

                              64KB

                            • memory/4920-62-0x00000000746C0000-0x0000000074E70000-memory.dmp

                              Filesize

                              7.7MB

                            • memory/4920-64-0x0000000005390000-0x00000000053A0000-memory.dmp

                              Filesize

                              64KB

                            • memory/4920-70-0x0000000006210000-0x0000000006564000-memory.dmp

                              Filesize

                              3.3MB

                            • memory/4920-76-0x0000000005390000-0x00000000053A0000-memory.dmp

                              Filesize

                              64KB

                            • memory/4920-78-0x00000000746C0000-0x0000000074E70000-memory.dmp

                              Filesize

                              7.7MB