Analysis Overview
SHA256
484d76db8fb4f2df2effad00c79fb2c1823a7b418adff4abc1329a4d9ba1ae0b
Threat Level: Known bad
The file 484d76db8fb4f2df2effad00c79fb2c1823a7b418adff4abc1329a4d9ba1ae0b was found to be: Known bad.
Malicious Activity Summary
Detects HZRAT backdoor
HZRAT
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2023-11-16 11:56
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2023-11-16 11:56
Reported
2023-11-16 11:58
Platform
win7-20231023-en
Max time kernel
87s
Max time network
98s
Command Line
Signatures
Detects HZRAT backdoor
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
HZRAT
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\484d76db8fb4f2df2effad00c79fb2c1823a7b418adff4abc1329a4d9ba1ae0b.exe
"C:\Users\Admin\AppData\Local\Temp\484d76db8fb4f2df2effad00c79fb2c1823a7b418adff4abc1329a4d9ba1ae0b.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -command "& {wmic bios get Manufacturer,name,ReleaseDate,SerialNumber /value}"
C:\Windows\SysWOW64\Wbem\WMIC.exe
"C:\Windows\System32\Wbem\WMIC.exe" bios get Manufacturer name ReleaseDate SerialNumber /value
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -command "& {wmic BASEBOARD get manufacturer,product,version,SerialNumber /value}"
C:\Windows\SysWOW64\Wbem\WMIC.exe
"C:\Windows\System32\Wbem\WMIC.exe" BASEBOARD get manufacturer product version SerialNumber /value
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -command "& {wmic computersystem get systemfamily,systemskunumber,model /value}"
C:\Windows\SysWOW64\Wbem\WMIC.exe
"C:\Windows\System32\Wbem\WMIC.exe" computersystem get systemfamily systemskunumber model /value
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -command "& {wmic DESKTOPMONITOR get Caption,PNPDeviceID /value}"
C:\Windows\SysWOW64\Wbem\WMIC.exe
"C:\Windows\System32\Wbem\WMIC.exe" DESKTOPMONITOR get Caption PNPDeviceID /value
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -command "& {wmic IDECONTROLLER get name,DeviceID /value}"
C:\Windows\SysWOW64\Wbem\WMIC.exe
"C:\Windows\System32\Wbem\WMIC.exe" IDECONTROLLER get name DeviceID /value
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -command "& {wmic MEMORYCHIP get capacity,manufacturer,partnumber,SerialNumber /value}"
C:\Windows\SysWOW64\Wbem\WMIC.exe
"C:\Windows\System32\Wbem\WMIC.exe" MEMORYCHIP get capacity manufacturer partnumber SerialNumber /value
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -command "& {wmic PORTCONNECTOR get externalreferencedesignator /value}"
C:\Windows\SysWOW64\Wbem\WMIC.exe
"C:\Windows\System32\Wbem\WMIC.exe" PORTCONNECTOR get externalreferencedesignator /value
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -command "& {wmic SOUNDDEV get Name,Description,DeviceID /value}"
C:\Windows\SysWOW64\Wbem\WMIC.exe
"C:\Windows\System32\Wbem\WMIC.exe" SOUNDDEV get Name Description DeviceID /value
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -command "& {Get-WmiObject -Class Win32_videocontroller | select-object description}"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -command "& {wmic cpu get name,processorid /value}"
C:\Windows\SysWOW64\Wbem\WMIC.exe
"C:\Windows\System32\Wbem\WMIC.exe" cpu get name processorid /value
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -command "& {wmic DISKDRIVE get serialnumber /value}"
C:\Windows\SysWOW64\Wbem\WMIC.exe
"C:\Windows\System32\Wbem\WMIC.exe" DISKDRIVE get serialnumber /value
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -command "& {wmic bios get SerialNumber /value}"
C:\Windows\SysWOW64\Wbem\WMIC.exe
"C:\Windows\System32\Wbem\WMIC.exe" bios get SerialNumber /value
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -command "& {wmic DISKDRIVE get caption,deviceid,firmwarerevision,interfacetype,model,pnpdeviceid,serialnumber /value}"
C:\Windows\SysWOW64\Wbem\WMIC.exe
"C:\Windows\System32\Wbem\WMIC.exe" DISKDRIVE get caption deviceid firmwarerevision interfacetype model pnpdeviceid serialnumber /value
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -command "& {$env:temp}"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -command "& {echo $env:userprofile}"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -command "& {reg export HKEY_CURRENT_USER\Software\PremiumSoft C:\Users\Admin\AppData\Local\Temp\7729704568956112313.reg}"
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" export HKEY_CURRENT_USER\Software\PremiumSoft C:\Users\Admin\AppData\Local\Temp\7729704568956112313.reg
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -command "& {whoami /user /nh}"
C:\Windows\SysWOW64\whoami.exe
"C:\Windows\system32\whoami.exe" /user /nh
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -command "& {Get-ChildItem -Recurse $env:userprofile'\Documents\NetSarang Computer\7\Xshell\Sessions' | Where-Object {$_.Name -like '*.xsh'} | Foreach-Object Name}"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -command "& {gwmi -query 'select caption from win32_operatingsystem' | Select-Object -ExpandProperty caption}"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -command "& {gwmi -query 'select model from win32_computersystem' | Select-Object -ExpandProperty model}"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -command "& {pwd | select-object -expandproperty path}"
Network
| Country | Destination | Domain | Proto |
| N/A | 172.16.1.100:8081 | N/A | tcp |
| CN | 220.168.209.150:8081 | N/A | tcp |
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
| MD5 | 690a9889201fa3b269d7bbdcd436da87 |
| SHA1 | 9bdc42689e0564d789b6a68cb7fea7d821d8a760 |
| SHA256 | 3d3816d2fa71b78ef3faa1741896a84fb988345670e95038898456ee0794f4f9 |
| SHA512 | 63becc1c66f427da223c8779b842355288e8b096a9173a1cfd014ad0dc1fa9645a34f9376e39013e60ee5aa6b07bb50ff30ba0a12638393ce107ab08dc988909 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\65393YGF08X7DNWVOJRV.temp
| MD5 | 690a9889201fa3b269d7bbdcd436da87 |
| SHA1 | 9bdc42689e0564d789b6a68cb7fea7d821d8a760 |
| SHA256 | 3d3816d2fa71b78ef3faa1741896a84fb988345670e95038898456ee0794f4f9 |
| SHA512 | 63becc1c66f427da223c8779b842355288e8b096a9173a1cfd014ad0dc1fa9645a34f9376e39013e60ee5aa6b07bb50ff30ba0a12638393ce107ab08dc988909 |
\??\PIPE\srvsvc
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
| MD5 | 3709a85c4aaae6dbb18535d32c326521 |
| SHA1 | e07b686a5bad4f9ce4fc4cd7b6f6bc10b8ffebb1 |
| SHA256 | c03caa47449c9c7490a3a12f39141be836e80b9b79cf4c134ad0b3d3dcccbf6d |
| SHA512 | 8975cc1ce64d671a23403432d239b2d65fa771b05637cdbdc7deeff0ce37eef48232053dbe2fda396fe5c954b1b6f2beb4a55b71b310bf4ebfbf6b2578e9e9cb |
Analysis: behavioral2
Detonation Overview
Submitted
2023-11-16 11:56
Reported
2023-11-16 11:58
Platform
win10v2004-20231020-en
Max time kernel
150s
Max time network
156s
Command Line
Signatures
Detects HZRAT backdoor
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
HZRAT
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 36 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 36 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\484d76db8fb4f2df2effad00c79fb2c1823a7b418adff4abc1329a4d9ba1ae0b.exe
"C:\Users\Admin\AppData\Local\Temp\484d76db8fb4f2df2effad00c79fb2c1823a7b418adff4abc1329a4d9ba1ae0b.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -command "& {wmic bios get Manufacturer,name,ReleaseDate,SerialNumber /value}"
C:\Windows\SysWOW64\Wbem\WMIC.exe
"C:\Windows\System32\Wbem\WMIC.exe" bios get Manufacturer,name,ReleaseDate,SerialNumber /value
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -command "& {wmic BASEBOARD get manufacturer,product,version,SerialNumber /value}"
C:\Windows\SysWOW64\Wbem\WMIC.exe
"C:\Windows\System32\Wbem\WMIC.exe" BASEBOARD get manufacturer,product,version,SerialNumber /value
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -command "& {wmic computersystem get systemfamily,systemskunumber,model /value}"
C:\Windows\SysWOW64\Wbem\WMIC.exe
"C:\Windows\System32\Wbem\WMIC.exe" computersystem get systemfamily,systemskunumber,model /value
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -command "& {wmic DESKTOPMONITOR get Caption,PNPDeviceID /value}"
C:\Windows\SysWOW64\Wbem\WMIC.exe
"C:\Windows\System32\Wbem\WMIC.exe" DESKTOPMONITOR get Caption,PNPDeviceID /value
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -command "& {wmic IDECONTROLLER get name,DeviceID /value}"
C:\Windows\SysWOW64\Wbem\WMIC.exe
"C:\Windows\System32\Wbem\WMIC.exe" IDECONTROLLER get name,DeviceID /value
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -command "& {wmic MEMORYCHIP get capacity,manufacturer,partnumber,SerialNumber /value}"
C:\Windows\SysWOW64\Wbem\WMIC.exe
"C:\Windows\System32\Wbem\WMIC.exe" MEMORYCHIP get capacity,manufacturer,partnumber,SerialNumber /value
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -command "& {wmic PORTCONNECTOR get externalreferencedesignator /value}"
C:\Windows\SysWOW64\Wbem\WMIC.exe
"C:\Windows\System32\Wbem\WMIC.exe" PORTCONNECTOR get externalreferencedesignator /value
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -command "& {wmic SOUNDDEV get Name,Description,DeviceID /value}"
C:\Windows\SysWOW64\Wbem\WMIC.exe
"C:\Windows\System32\Wbem\WMIC.exe" SOUNDDEV get Name,Description,DeviceID /value
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -command "& {Get-WmiObject -Class Win32_videocontroller | select-object description}"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -command "& {wmic cpu get name,processorid /value}"
C:\Windows\SysWOW64\Wbem\WMIC.exe
"C:\Windows\System32\Wbem\WMIC.exe" cpu get name,processorid /value
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -command "& {wmic DISKDRIVE get serialnumber /value}"
C:\Windows\SysWOW64\Wbem\WMIC.exe
"C:\Windows\System32\Wbem\WMIC.exe" DISKDRIVE get serialnumber /value
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -command "& {wmic bios get SerialNumber /value}"
C:\Windows\SysWOW64\Wbem\WMIC.exe
"C:\Windows\System32\Wbem\WMIC.exe" bios get SerialNumber /value
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -command "& {wmic DISKDRIVE get caption,deviceid,firmwarerevision,interfacetype,model,pnpdeviceid,serialnumber /value}"
C:\Windows\SysWOW64\Wbem\WMIC.exe
"C:\Windows\System32\Wbem\WMIC.exe" DISKDRIVE get caption,deviceid,firmwarerevision,interfacetype,model,pnpdeviceid,serialnumber /value
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -command "& {$env:temp}"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -command "& {echo $env:userprofile}"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -command "& {reg export HKEY_CURRENT_USER\Software\PremiumSoft C:\Users\Admin\AppData\Local\Temp\6027097068028388406.reg}"
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" export HKEY_CURRENT_USER\Software\PremiumSoft C:\Users\Admin\AppData\Local\Temp\6027097068028388406.reg
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -command "& {whoami /user /nh}"
C:\Windows\SysWOW64\whoami.exe
"C:\Windows\system32\whoami.exe" /user /nh
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -command "& {Get-ChildItem -Recurse $env:userprofile'\Documents\NetSarang Computer\7\Xshell\Sessions' | Where-Object {$_.Name -like '*.xsh'} | Foreach-Object Name}"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -command "& {gwmi -query 'select caption from win32_operatingsystem' | Select-Object -ExpandProperty caption}"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -command "& {gwmi -query 'select model from win32_computersystem' | Select-Object -ExpandProperty model}"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -command "& {pwd | select-object -expandproperty path}"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -command "& {[System.Security.Principal.WindowsIdentity]::GetCurrent().Name}"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -command "& {gwmi -query 'select * from win32_networkadapterconfiguration' | Select-Object -Property ipaddress,servicename,description}"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -command "& {gwmi -query 'select macaddress,name from win32_networkadapter' | Select-Object -Property macaddress,name}"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -command "& {gwmi -query 'select caption,name from win32_useraccount' | Select-Object -Property caption,name}"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -command "& {gwmi -query 'select name,sessionid,processid from win32_process' | Select-Object -Property name,sessionid,processid}"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -command "& {gwmi -query 'select * from win32_computersystem'}"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -command "& {dir C:\Users\$([Environment]::UserName)\Desktop; dir C:\Users\Public\Desktop}"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -command "& {wmic SYSDRIVER get name,caption /value}"
C:\Windows\SysWOW64\Wbem\WMIC.exe
"C:\Windows\System32\Wbem\WMIC.exe" SYSDRIVER get name,caption /value
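The process list above is the reconnaissance chain that the HZRAT signature keys on: the sample spawns one 32-bit powershell.exe per query, each wrapping a single wmic hardware query (BIOS, baseboard, CPU, disk and memory serial numbers), host, user, network and process enumeration, a `reg export` of HKCU\Software\PremiumSoft (the hive where Navicat stores its saved connection profiles) and a listing of Xshell `.xsh` session files. The images are listed under SysWOW64 while the command lines say System32: that is WOW64 file-system redirection for a 32-bit parent, not two different binaries, and a detector has to fold the two before comparing paths. The Python below is an added detection example, not code from the sandbox report or from the malware: it groups constructed process-creation events (modelled on the command lines above; the PIDs, parent links and tuple layout are assumptions) by parent and flags a parent that spawns many such wrapped one-liners, or any child that reads a credential store, while letting a single interactive inventory query pass.

```python
"""Flag the HZRAT-style recon chain in process-creation telemetry.

Added example, not code from the sandbox report or from the malware.
Events are constructed from the command lines on this page; PIDs, parent
links and the tuple layout are assumptions.
"""
import re
from collections import defaultdict

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\484d76db8fb4f2df2effad00c79fb2c1823a7b418adff4abc1329a4d9ba1ae0b.exe"
PS = r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
WMIC = r"C:\Windows\SysWOW64\Wbem\WMIC.exe"

# (pid, ppid, image, command_line) -- constructed telemetry, Sysmon EID 1 style.
EVENTS = [
    (1800, 900, SAMPLE, f'"{SAMPLE}"'),
    (1176, 1800, PS, 'powershell -command "& {wmic bios get Manufacturer,name,ReleaseDate,SerialNumber /value}"'),
    (2001, 1176, WMIC, '"C:\\Windows\\System32\\Wbem\\WMIC.exe" bios get Manufacturer,name,ReleaseDate,SerialNumber /value'),
    (2756, 1800, PS, 'powershell -command "& {wmic BASEBOARD get manufacturer,product,version,SerialNumber /value}"'),
    (4548, 1800, PS, 'powershell -command "& {wmic cpu get name,processorid /value}"'),
    (4920, 1800, PS, 'powershell -command "& {wmic DISKDRIVE get serialnumber /value}"'),
    (3872, 1800, PS, 'powershell -command "& {reg export HKEY_CURRENT_USER\\Software\\PremiumSoft C:\\Users\\Admin\\AppData\\Local\\Temp\\6027097068028388406.reg}"'),
    (392, 1800, PS, 'powershell -command "& {whoami /user /nh}"'),
    (4284, 1800, PS, "powershell -command \"& {Get-ChildItem -Recurse $env:userprofile'\\Documents\\NetSarang Computer\\7\\Xshell\\Sessions' | Where-Object {$_.Name -like '*.xsh'} | Foreach-Object Name}\""),
    (4860, 1800, PS, "powershell -command \"& {gwmi -query 'select name,sessionid,processid from win32_process' | Select-Object -Property name,sessionid,processid}\""),
    # Benign control: an administrator running one inventory query from cmd.
    (5100, 777, r"C:\Windows\System32\cmd.exe", "cmd.exe /c wmic cpu get name"),
]

RULES = [
    # (tag, weight, pattern) -- credential-store reads weigh far more than inventory.
    ("hw_fingerprint", 1, re.compile(r'wmic(?:\.exe"?)?\s+(?:bios|baseboard|computersystem|cpu|diskdrive|memorychip|desktopmonitor|idecontroller|portconnector|sounddev|sysdriver)\b', re.I)),
    ("host_enum", 1, re.compile(r"win32_(?:process|useraccount|networkadapter(?:configuration)?|operatingsystem|computersystem)\b", re.I)),
    ("identity", 1, re.compile(r"whoami\s+/user|WindowsIdentity\]::GetCurrent", re.I)),
    ("navicat_creds", 5, re.compile(r"reg\s+export\s+HKEY_CURRENT_USER\\Software\\PremiumSoft", re.I)),
    ("xshell_sessions", 5, re.compile(r"NetSarang Computer\\.*Xshell\\Sessions.*\.xsh", re.I)),
]
CREDENTIAL_TAGS = {"navicat_creds", "xshell_sessions"}
PS_WRAP = re.compile(r'^powershell(?:\.exe)?\s+-command\s+"&\s*\{', re.I)


def normalize_image(path: str) -> str:
    """Fold WOW64 file-system redirection: the report lists the image under
    SysWOW64 while the command line says System32 (a 32-bit parent)."""
    return re.sub(r"(?i)\\syswow64\\", r"\\System32\\", path).lower()


def score_parents(events, min_ps_children=4):
    """Group children by parent; flag a parent that spawns at least
    min_ps_children wrapped `powershell -command "& {...}"` one-liners
    matching the rules, or any child that reads a credential store."""
    by_parent = defaultdict(list)
    for pid, ppid, image, cmd in events:
        by_parent[ppid].append((pid, normalize_image(image), cmd))

    findings = {}
    for ppid, children in by_parent.items():
        tags, score, wrapped = set(), 0, 0
        for _pid, image, cmd in children:
            hits = [(tag, weight) for tag, weight, rx in RULES if rx.search(cmd)]
            if not hits:
                continue
            if image.endswith("\\powershell.exe") and PS_WRAP.match(cmd):
                wrapped += 1
            for tag, weight in hits:
                tags.add(tag)
                score += weight
        creds = CREDENTIAL_TAGS & tags
        if wrapped >= min_ps_children or creds:
            findings[ppid] = {
                "score": score,
                "tags": sorted(tags),
                "wrapped_powershell_children": wrapped,
                "credential_targets": sorted(creds),
            }
    return findings


if __name__ == "__main__":
    for ppid, f in score_parents(EVENTS).items():
        print(f"parent pid {ppid}: score={f['score']} wrapped={f['wrapped_powershell_children']} "
              f"creds={f['credential_targets']} tags={f['tags']}")
```

Run it and only the sample's PID is reported; the lone `wmic cpu get name` from cmd.exe scores but never alerts because it is neither wrapped in a PowerShell one-liner nor a credential read. Tune `min_ps_children` to the environment, and keep the credential rules unconditional: a single export of the PremiumSoft hive is worth an alert on its own.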
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 4.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 158.240.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 34.175.53.84.in-addr.arpa | udp |
| N/A | 172.16.1.100:8081 | N/A | tcp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 39.142.81.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 208.194.73.20.in-addr.arpa | udp |
| CN | 220.168.209.150:8081 | N/A | tcp |
| US | 8.8.8.8:53 | 150.209.168.220.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 59.128.231.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 1.208.79.178.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 254.23.238.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 25.73.42.20.in-addr.arpa | udp |
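Two things in the table above are worth separating before anything goes on a blocklist. The TCP connections to 172.16.1.100:8081 and 220.168.209.150:8081 carry no domain and are preceded by no forward DNS query, so the sample connects to hard-coded IP literals; of the two, 172.16.1.100 is an RFC 1918 address that only means something inside the network the sample was built for (or the sandbox), while 220.168.209.150 is routable. All but one of the UDP rows are PTR (in-addr.arpa) lookups, which a triager normally attributes to the guest OS rather than to the sample; one of them, 150.209.168.220.in-addr.arpa, decodes to the second C2 address. The Python below is an added example, not part of the report: it parses an abridged copy of the table (constructed here, with the two IP-literal rows written with an explicit N/A Domain cell), decodes the PTR names, collapses the repeated bing rows and separates IP-literal TCP destinations from name-resolved ones.

```python
"""Triage a sandbox Network table: separate IP-literal C2 candidates from
name-resolved traffic and PTR (reverse-DNS) noise.

Added example, not part of the report. NETWORK_TABLE is an abridged copy of
the table on this page, constructed here.
"""
import ipaddress
from collections import OrderedDict

NETWORK_TABLE = """\
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 4.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 158.240.127.40.in-addr.arpa | udp |
| N/A | 172.16.1.100:8081 | N/A | tcp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| CN | 220.168.209.150:8081 | N/A | tcp |
| US | 8.8.8.8:53 | 150.209.168.220.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 25.73.42.20.in-addr.arpa | udp |
"""

PTR_SUFFIX = ".in-addr.arpa"


def parse_rows(table):
    """Parse the pipe table into dicts; an empty or N/A Domain cell becomes None."""
    rows = []
    for line in table.splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) != 4 or cells[0] == "Country":
            continue
        country, dest, domain, proto = cells
        ip, _, port = dest.rpartition(":")
        rows.append({"country": country, "ip": ip, "port": int(port),
                     "domain": None if domain in ("", "N/A") else domain,
                     "proto": proto.lower()})
    return rows


def ptr_to_ip(name):
    """'150.209.168.220.in-addr.arpa' -> '220.168.209.150'; None for non-PTR names."""
    if not name or not name.lower().endswith(PTR_SUFFIX):
        return None
    octets = name[:-len(PTR_SUFFIX)].split(".")
    if len(octets) != 4 or not all(o.isdigit() and int(o) < 256 for o in octets):
        return None
    return ".".join(reversed(octets))


def triage(rows):
    """Bucket rows: PTR lookups, forward lookups, name-resolved TCP, and TCP to
    bare IP literals (no domain on the row: the C2 candidates)."""
    reverse_lookups, forward_lookups = [], []
    named_tcp, ip_literal_tcp = OrderedDict(), OrderedDict()
    for r in rows:
        if r["proto"] == "udp" and r["port"] == 53:
            ip = ptr_to_ip(r["domain"])
            if ip:
                reverse_lookups.append(ip)
            elif r["domain"]:
                forward_lookups.append(r["domain"])
        elif r["proto"] == "tcp":
            key = (r["ip"], r["port"])
            if r["domain"]:
                named_tcp.setdefault(key, r["domain"])       # collapse repeats
            else:
                ip_literal_tcp.setdefault(key, r["country"])
    literal_ips = {ip for ip, _port in ip_literal_tcp}
    return {
        "ip_literal_tcp": [{"ip": ip, "port": port, "country": c,
                            "private": ipaddress.ip_address(ip).is_private}
                           for (ip, port), c in ip_literal_tcp.items()],
        "named_tcp": dict(named_tcp),
        "forward_lookups": sorted(set(forward_lookups)),
        "reverse_lookup_count": len(reverse_lookups),
        # a PTR query for an IP-literal destination ties the reverse-DNS
        # noise back to the C2 address and is worth keeping in the write-up
        "ptr_of_ip_literal_dest": sorted(literal_ips & set(reverse_lookups)),
    }


if __name__ == "__main__":
    result = triage(parse_rows(NETWORK_TABLE))
    for c in result["ip_literal_tcp"]:
        scope = "private, RFC 1918" if c["private"] else "routable"
        print(f"C2 candidate: {c['ip']}:{c['port']} ({c['country']}, {scope})")
    print("named TCP:", result["named_tcp"])
    print("PTR lookups:", result["reverse_lookup_count"],
          "of which for a C2 candidate:", result["ptr_of_ip_literal_dest"])
```

The only rows that survive as blockable indicators are the two IP-literal TCP destinations, and of those only the routable one belongs on an external blocklist; the bing traffic and the PTR lookups stay in the report as context, not as IOCs.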
Files
The PowerShell artifacts listed below (the __PSScriptPolicyTest_*.ps1 probe, the StartupProfileData-NonInteractive caches and the CLR UsageLogs entry for powershell.exe) are written by powershell.exe itself when it starts, once per one-liner the sample launched; they are side effects of the recon commands above, not files dropped by the sample, and their hashes are not useful indicators.
memory/1800-0-0x0000000000750000-0x00000000008F6000-memory.dmp
memory/1800-1-0x0000000002A40000-0x0000000002A73000-memory.dmp
memory/1800-2-0x0000000000750000-0x00000000008F6000-memory.dmp
memory/1176-4-0x00000000746C0000-0x0000000074E70000-memory.dmp
memory/1176-3-0x0000000002FE0000-0x0000000003016000-memory.dmp
memory/1176-5-0x0000000005260000-0x0000000005270000-memory.dmp
memory/1176-6-0x0000000005260000-0x0000000005270000-memory.dmp
memory/1176-7-0x00000000058A0000-0x0000000005EC8000-memory.dmp
memory/1176-8-0x0000000005730000-0x0000000005752000-memory.dmp
memory/1176-9-0x00000000746C0000-0x0000000074E70000-memory.dmp
memory/1176-10-0x00000000057D0000-0x0000000005836000-memory.dmp
memory/1176-16-0x0000000005FC0000-0x0000000006026000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_kqvh14ev.3js.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/1176-21-0x00000000061F0000-0x0000000006544000-memory.dmp
memory/1176-22-0x00000000066F0000-0x000000000670E000-memory.dmp
memory/1176-23-0x0000000006720000-0x000000000676C000-memory.dmp
memory/1176-24-0x0000000005260000-0x0000000005270000-memory.dmp
memory/1176-25-0x0000000005260000-0x0000000005270000-memory.dmp
memory/1176-28-0x00000000746C0000-0x0000000074E70000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
| MD5 | 33b19d75aa77114216dbc23f43b195e3 |
| SHA1 | 36a6c3975e619e0c5232aa4f5b7dc1fec9525535 |
| SHA256 | b23ced31b855e5a39c94afa1f9d55b023b8c40d4dc62143e0539c6916c12c9d2 |
| SHA512 | 676fa2fd34878b75e5899197fe6826bb5604541aa468804bc9835bd3acabed2e6759878a8f1358955413818a51456816e90f149133828575a416c2a74fc7d821 |
memory/2756-30-0x00000000746C0000-0x0000000074E70000-memory.dmp
memory/2756-32-0x00000000024A0000-0x00000000024B0000-memory.dmp
memory/2756-31-0x00000000024A0000-0x00000000024B0000-memory.dmp
memory/2756-42-0x0000000005750000-0x0000000005AA4000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 04e2e659d69fdef012a9ec9f45f7c59f |
| SHA1 | 40f917020b1aa6b6a0bdc9b694bc4919207b9a4e |
| SHA256 | 4c300e3e2d33b2c89ec9cd2375131cb8002950b62f5c2ff90a79586e4920676d |
| SHA512 | ec39a23f72a575bc796c1adc90e0495e4505aaae4379220d28a0f19eb8b76f2edb41acb219286c04969e7c4f548ea0eee77f1be9d9990492676fd6024ebaf369 |
memory/2756-44-0x00000000024A0000-0x00000000024B0000-memory.dmp
memory/2756-46-0x00000000746C0000-0x0000000074E70000-memory.dmp
memory/4548-47-0x00000000746C0000-0x0000000074E70000-memory.dmp
memory/4548-48-0x00000000051B0000-0x00000000051C0000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | c3a358751b4d8e802cebe7a1dfca4ea6 |
| SHA1 | 9cc135ad7ba31b87e0e291c0c6d0efc4c682506c |
| SHA256 | a3a2baedc6063ebc07897e6215413455b7d356dcdcc886edd162f0e784f87307 |
| SHA512 | 6f9e0ae070da6c6409ebccdf641cd3754bec129404f51c13b7b445d7bc6c10d360aee2aba53f9aff20ed8e99091aecb585445599c8b1b490a3c10bccab861b10 |
memory/4548-60-0x00000000051B0000-0x00000000051C0000-memory.dmp
memory/4548-61-0x00000000746C0000-0x0000000074E70000-memory.dmp
memory/4920-62-0x00000000746C0000-0x0000000074E70000-memory.dmp
memory/4920-63-0x0000000005390000-0x00000000053A0000-memory.dmp
memory/4920-64-0x0000000005390000-0x00000000053A0000-memory.dmp
memory/4920-70-0x0000000006210000-0x0000000006564000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 0fb98fec27ebd0fc416f324b0618cdb9 |
| SHA1 | 534bdb9a93be47095f2e653008aa44c8ded71045 |
| SHA256 | f5dfb1b64747f5eea12713f0d5f9632acdd1a46e99cbc66194e54c42155772a5 |
| SHA512 | 0eb236a7b289989654255a0b20fc34a4b8c8f386452c4e487722cd256b8f7e5dffcba2e252a4aad379521b80416972191c0728fdeb8e5cab696c63b4f94e461d |
memory/4920-76-0x0000000005390000-0x00000000053A0000-memory.dmp
memory/4920-78-0x00000000746C0000-0x0000000074E70000-memory.dmp
memory/3872-79-0x00000000746C0000-0x0000000074E70000-memory.dmp
memory/3872-80-0x0000000004F50000-0x0000000004F60000-memory.dmp
memory/3872-81-0x0000000004F50000-0x0000000004F60000-memory.dmp
memory/3872-91-0x0000000005E60000-0x00000000061B4000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 593dbcb69692d4cec583d274ecc39d82 |
| SHA1 | 52ebcf7cccc1dce2020fb59b93e976595b804717 |
| SHA256 | 1c9158ff9eadaf02f00698ddb3ee453b0233cbc2336737add592cfeda6c9b7f4 |
| SHA512 | 0540885e89bf55dee893530eff7ba4fa165eae19078898d290eae6f502fdf37276c4236ccb344ca5efecfce24f6748d88e845a821c44275f563271e753b3479c |
memory/3872-94-0x0000000004F50000-0x0000000004F60000-memory.dmp
memory/3872-95-0x00000000746C0000-0x0000000074E70000-memory.dmp
memory/392-96-0x00000000746C0000-0x0000000074E70000-memory.dmp
memory/392-97-0x0000000003470000-0x0000000003480000-memory.dmp
memory/392-98-0x0000000003470000-0x0000000003480000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 4550f17cc184b83e4898b47abdc4d502 |
| SHA1 | cea16d5f5382b04e3996eb6488a77308a234c656 |
| SHA256 | 9951db546a173fb0414558dc3fdf0f755181ec1d53c2457f11713ed565aa3a4a |
| SHA512 | 4da69c8a60f8024eda2e5538e98b259558fc4e32f52499361b7c64e01f95f937010dd45a71d83124faf2e8f4b7e8ae188880cccccafc382e8af7f1fb50c580e0 |
memory/392-110-0x0000000003470000-0x0000000003480000-memory.dmp
memory/392-111-0x00000000746C0000-0x0000000074E70000-memory.dmp
memory/4284-112-0x00000000746C0000-0x0000000074E70000-memory.dmp
memory/4284-113-0x0000000005350000-0x0000000005360000-memory.dmp
memory/4284-114-0x0000000005350000-0x0000000005360000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | a537fc0f2cf88915167b4159fbb1edc8 |
| SHA1 | 29d145cff3be72800b6db24d5532bdc85739bf32 |
| SHA256 | 691c172eb2632daa0eab35f4f02797f646b4bc1ef6194da878062b81aedf12d3 |
| SHA512 | e25269bf2497699274293fdfe0673e802058ac94fb953e4c4886c225c8d664e4a398e4dfe0c1bc6699b31b42aa58c4ea970b376e03cc3fd1ed23b8b592f55921 |
memory/4284-126-0x0000000005350000-0x0000000005360000-memory.dmp
memory/4284-127-0x00000000746C0000-0x0000000074E70000-memory.dmp
memory/4860-128-0x00000000746C0000-0x0000000074E70000-memory.dmp
memory/4860-130-0x0000000002C00000-0x0000000002C10000-memory.dmp
memory/4860-129-0x0000000002C00000-0x0000000002C10000-memory.dmp
memory/4860-131-0x0000000005F70000-0x00000000062C4000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | b59afabcc20aefe6861a7e394425fa8c |
| SHA1 | d2b40942bbaef199398905692220e31a2ba00d1b |
| SHA256 | 324a3e9ff8415443d789c8d21638ebe0166f03933b2f52ae7acfb9976e141fe9 |
| SHA512 | cc1d1e40399044a26aed7cc76b757092734789aac72440cafeff4aeb367f5796484c2aec8062c33ddae7cc7fcc8b9c4d7a560868cf4c7396e5afc45c6b7509ba |
memory/4860-143-0x0000000002C00000-0x0000000002C10000-memory.dmp
memory/4860-144-0x00000000746C0000-0x0000000074E70000-memory.dmp
memory/3472-145-0x00000000746C0000-0x0000000074E70000-memory.dmp
memory/3472-146-0x0000000005060000-0x0000000005070000-memory.dmp
memory/3472-147-0x0000000005060000-0x0000000005070000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 58d91b822ee6d70f4f08db8f18115dcb |
| SHA1 | 5530b206a224038756c0818f0596a6c4d1c294fc |
| SHA256 | 534b4e9d439f934995d37d0fa3c5ddd95a5478076dde15960633b8800cadeebf |
| SHA512 | 871b859916587c9eef81e1fe87638e08d86a45042ff3ffe312ad9805966796ec59cdd6134709ae566d9f505d0d761db4769183c1924f74dd522691a7cd58e819 |
memory/3472-158-0x0000000007880000-0x0000000007916000-memory.dmp
memory/3472-159-0x00000000069F0000-0x0000000006A0A000-memory.dmp
memory/3472-160-0x0000000006A40000-0x0000000006A62000-memory.dmp
memory/3472-161-0x0000000007ED0000-0x0000000008474000-memory.dmp
memory/3472-162-0x0000000008B00000-0x000000000917A000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | d03939957515b72d8f724a773e7718ca |
| SHA1 | 17dc7773d431c821d4dab7f4e10f23efacc2a770 |
| SHA256 | 6105fbcb5e004d4017215dc21095467f0e94bb3bacfe5bee0e11a54922e3736e |
| SHA512 | 232eeb5af30305077cec739de8566146bf1c7ab0f846c57de874d512d24a0b854f8978891b60da4ee09d04b3b4a56d84b0fbb1c3e996af4a16404bf9a904d101 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | bd547797db56df2196992c4f2ec4f58a |
| SHA1 | c83c74d0f8a8b7fe24d961eee6f4b5fc4bbcd1b7 |
| SHA256 | b2007bb211c44542d45fc0c7f8daa8469fc8c8387d1b9ac91bd89564e4eed6fd |
| SHA512 | 46db1588abec24fe6eb4197ef50df529bab6dee86379df4e1ff920bb2d4dead801859ec7b03ab7b9010571063ce3127d43e1cc7bcfd04e5a113034f0e3f7f3eb |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 19aad62a5a1b35b635188fbf30a95611 |
| SHA1 | d3d6e8a658c059d2b42b6748ef320d0790462852 |
| SHA256 | da25188e26c313bb3a322ec07c458ba6bcfeca849971847802c17d77e584860f |
| SHA512 | fb1ccdca2e84d41fa421d4f1b21b8787e174cf2cb3d44510b8c5f187cfdabf4487fa09f153e5a800b683384a5deada171b2d5e00fe725128f14d680ad566aefe |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 4680f7ca641e9915eaaf88cb46ba1e5e |
| SHA1 | a7908f8fabc55e6cd00e214087cc45a8630e1c49 |
| SHA256 | 81245b841d2b9cf06c5a45b7b43f7cadbdfa62d3b59482ad848c5401b493bd2a |
| SHA512 | d069ce5f80739050fde1df9afacfc87946c0e5d41f6c1afaf319e8f64bb51e29d911bfe2913fa0e9795ad1d413e295a26f3ac85f1c4976d8e0c14f2ca4d41205 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | fbc845dc26213ae557e1cd8adbcc6c60 |
| SHA1 | 73e97520ca31087c58006afab2f45f8b1a0dcd93 |
| SHA256 | 8306bc53b46e26abba8bdd61d5a283117f2531bf8618bfd6158522431c990578 |
| SHA512 | 8056243518ef410e650a25f90e296481d9a4a5aa2e0ddc655309f689f9d7f272b593e34f1fae91bdb6302cee14b8ab802f85c2728fbd20a1098b3e2896709275 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | be766817c1752772ee0a6e126f93c059 |
| SHA1 | 6b2617edbfe80f4cf0084d4dad614632980098cf |
| SHA256 | f7247500baba07774271f5b63a27010667a8b89f705453982e5f4acc66144ee7 |
| SHA512 | 663462548e130c3f2f01b459c3c97acfc60bb86a98f8d8a6e42ec6c79761207a801cc25f37c3643ff0e247e6b62146d046b050d69859828446492407b1ffe4d7 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | dd709c988a1b97838859d9d028c3b098 |
| SHA1 | 7f30dbf692537e330f7c5b56e9c786a94ade9879 |
| SHA256 | 68f79f81142776de1c2d17da7f92db4449c3193b906983b136b24741654e5b61 |
| SHA512 | 100aed2ca0e62aa21bf05cf936983a9db6be3506cee757cb3b81b24af129c85accd7a525bec49cfefa3bef8aa80be50c478f8e879fc2f4ff1d9db3c8cd5e51a2 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | f3c988403fe4946970824ac9e4aa4da6 |
| SHA1 | 6b1c096a8fad48352f8dee14d8ad84d1bc921171 |
| SHA256 | d3e3b3f43a7f6253f946e9bd7245078116ed3b2624e3addfeaa7032a5ce96466 |
| SHA512 | 1f9f83e6540f976cbdbb106322fe592ebc2e0ed8472dd291a89249309b0d9c60d5c3e4c7ac16967b3ef1f56d462fd71320202477b087eb6c17dd581a538ec0ae |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 55be8d780300efa22d6d07109cd56161 |
| SHA1 | 2460fe40a6914fa0eee8e41319032ce6511c2d55 |
| SHA256 | 960de777825810fb5ed2ab81755cb0cc4e885374de155213dc44d557602ac9c9 |
| SHA512 | 6f02541154f0be75d97ee780aae7187c7db9a78a2d9b9c32059555868d2bafe5baee8a0b43c0d9273912587d199ca7b4f8f184fc89b7fe8f6f21694cda709a37 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 3f2495ada7ecb947fa66008ffd1e1c84 |
| SHA1 | c36d03540b7c5992efc0b46fdd86d124a391b0a3 |
| SHA256 | 952d9d871af874bd328f713cd7e3593abac9a2debd3c930d3774e4c2dca1c5dc |
| SHA512 | 699c46af6a4f884c01ac36fd57775435cff4a71b752f5b7553032f9721185ea3898058abb229ba2c8c70b899c3464d5f670bc1e0eb936bed85c0cf449f387919 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | ae455afce1974fec805e782867977911 |
| SHA1 | 410091ce427de68de61bc403ab102c9e74550141 |
| SHA256 | afcead94e06036ba75905765d98dd583d845e104d53c7c2ddf8aa58bf2568b7e |
| SHA512 | ea62db9af4eb9b9ab0cf200b56a348d2a2e78de1be15ae48eff802846de3f996cb7b38e837e075b50d6d4c2a2d519ce0f3d17728292cb98e5d2c864ac5100e8d |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | d2292ad5bdce6943a284244d6eacdedb |
| SHA1 | a2d3c7e5cb8b8b75e1b4efbf9938c11950bf74d6 |
| SHA256 | 87e808be444be73c9d0d6c77ff19b0adbfa00f99e555806ba49a7358ca9fcb09 |
| SHA512 | 8fdcde02724e3614fa7cea249f05c6a01c618b25efa94bdf8ff9d230e745ab084f8f088e51b0157f0612b59d96b7ef95b668232cf931b222e2235acf0d1fddc3 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 2a3f3249ff93284db512918dfa7b2a60 |
| SHA1 | d9a66a7042d04c47167fd01a5d8d016c700235d7 |
| SHA256 | c09d0773bdcdc5f6ded3d3d7dd4f54cff2e0eb77fe263c24acb96af4a92a59b7 |
| SHA512 | 88c3297a69aa7623487fd315509cd8fdaffe38111f6679445d329c69e75d0e8e5dffe26bed51e2105c4ffe79f30988a2f608c34c8acf1a28de471bd3b7775aee |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 4caf60651e2e7ca7d19a8f8ee688ab04 |
| SHA1 | 409b8681a9787fc8b74c1f8bff66a00e3eba062b |
| SHA256 | ae75465e234dd0e76164558bf387bbab66ca006de646ec906bae29cb572730f3 |
| SHA512 | d3cb97e41659096a621735225518cd9f374fb97023cfd04e3c7d189a9813ae5bcf6db0a24a19aa0afc957c53630f407c9be9d4cf7464710cfa8fac5b2338067c |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | c2d2e4045d1ac2813a5e00814cc6a22c |
| SHA1 | 405cf3fbaf4d7725a155fcc0d1e3e8a9dba0f98d |
| SHA256 | 8bc827b6c990276c034fab1835c07706c86fc9405f136dc81127c013537335e6 |
| SHA512 | 808766f810d1588142453044f31f293cb20654d61dd15219a326823ecb097a850c7d7f9b2cc62e9223013e02299f2c670a86a9b6fbfcbb3083d42907645749a3 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 262656f9ae644078b3aee059238f0c2b |
| SHA1 | b062410add6b463bbce893acba38199cb66962e0 |
| SHA256 | 9dd9b495e55d431644be0bfac36f41d1729f0331fdc77a50e03fa7d18fcb0b16 |
| SHA512 | b7d3bf6ddad9e3a1a31ca4888832dddd273dc871d24e9527b2ed6f35ef29dccf3743c0e2651f3da99a751f40d4f4db4ca97e2dab94b23e015f2bb1eb874c529d |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | a4d487f4cc09cec76a5e16039f5d6253 |
| SHA1 | 6bd520f9f1224631c4cf55f28519f8a8c67e1f21 |
| SHA256 | d68bf847e1756de83ce7de9b9f85244a41e5a74c17def76fdb00f078018f4290 |
| SHA512 | 51c760352361069dd816a86e6ab615c672e7707876a67239f707c78bb8134de13331405c1b7dbce6719a79e46039fce73305bce14a6b44bc363d39c316de101b |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 5001a62db4bae6f9a8f62b5bac2ea568 |
| SHA1 | 1d3d1e9b5c91ddc3cb2f44c4c494c6f7991e7e12 |
| SHA256 | 9913914f4dc31e4a2af68eb1a372ac61624806f6e76c5a9f5517384717bf3452 |
| SHA512 | fa742bfe076e487391d21ac7d3c892451d89c2a099f06b0187462e87e231810d2276b46147f9bfe8a5d51ee63e9f92ed732cf27a0e27cf0d5bf4f771f8af0fc2 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 50ea1ad79e90d0080c3cf060479746e9 |
| SHA1 | 6552e9431135747590589866cfc4d9f7a6ee0211 |
| SHA256 | e0fd8f9a894593e0f3f29e7b74981dd8868c6ea91c11a490d8898542448c7137 |
| SHA512 | 2088f32cccbff135ec7437b40954f26329d05e7bdb425917e856a2adcde4fc81fac45f10109932a5fc9da8391b29896f669905164f5541a0e70b300ac39dd335 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 0c6bc7823d33a82b0cdd18bf91f71d95 |
| SHA1 | 449b6806ae136b8052627f40963f45f0f4e158ef |
| SHA256 | 0bda584e6c3191184c0c7e7f77588e173ba93add2e939df9288c60faef571247 |
| SHA512 | 2855b0895ffc9709ff66f9ff560cfd04c0b4fa207b1b3fbe4d877cd96e76bf18e952e28a4491f28c9e94213a7799403124afb3e6bd61d38cde36717e97647754 |