Malware Analysis Report

2024-10-24 17:01

Sample ID 231116-n33desch61
Target 484d76db8fb4f2df2effad00c79fb2c1823a7b418adff4abc1329a4d9ba1ae0b
SHA256 484d76db8fb4f2df2effad00c79fb2c1823a7b418adff4abc1329a4d9ba1ae0b
Tags
hzrat backdoor
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

484d76db8fb4f2df2effad00c79fb2c1823a7b418adff4abc1329a4d9ba1ae0b

Threat Level: Known bad

The file 484d76db8fb4f2df2effad00c79fb2c1823a7b418adff4abc1329a4d9ba1ae0b was found to be: Known bad.

Malicious Activity Summary

hzrat backdoor

Detects HZRAT backdoor

HZRAT

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2023-11-16 11:56

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-11-16 11:56

Reported

2023-11-16 11:58

Platform

win7-20231023-en

Max time kernel

87s

Max time network

98s

Command Line

"C:\Users\Admin\AppData\Local\Temp\484d76db8fb4f2df2effad00c79fb2c1823a7b418adff4abc1329a4d9ba1ae0b.exe"

Signatures

Detects HZRAT backdoor

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

HZRAT

backdoor hzrat

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2760 wrote to memory of 2624 N/A C:\Users\Admin\AppData\Local\Temp\484d76db8fb4f2df2effad00c79fb2c1823a7b418adff4abc1329a4d9ba1ae0b.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2760 wrote to memory of 2624 N/A C:\Users\Admin\AppData\Local\Temp\484d76db8fb4f2df2effad00c79fb2c1823a7b418adff4abc1329a4d9ba1ae0b.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2760 wrote to memory of 2624 N/A C:\Users\Admin\AppData\Local\Temp\484d76db8fb4f2df2effad00c79fb2c1823a7b418adff4abc1329a4d9ba1ae0b.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2760 wrote to memory of 2624 N/A C:\Users\Admin\AppData\Local\Temp\484d76db8fb4f2df2effad00c79fb2c1823a7b418adff4abc1329a4d9ba1ae0b.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2624 wrote to memory of 2660 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\Wbem\WMIC.exe
PID 2624 wrote to memory of 2660 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\Wbem\WMIC.exe
PID 2624 wrote to memory of 2660 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\Wbem\WMIC.exe
PID 2624 wrote to memory of 2660 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\Wbem\WMIC.exe
PID 2760 wrote to memory of 2516 N/A C:\Users\Admin\AppData\Local\Temp\484d76db8fb4f2df2effad00c79fb2c1823a7b418adff4abc1329a4d9ba1ae0b.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2760 wrote to memory of 2516 N/A C:\Users\Admin\AppData\Local\Temp\484d76db8fb4f2df2effad00c79fb2c1823a7b418adff4abc1329a4d9ba1ae0b.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2760 wrote to memory of 2516 N/A C:\Users\Admin\AppData\Local\Temp\484d76db8fb4f2df2effad00c79fb2c1823a7b418adff4abc1329a4d9ba1ae0b.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2760 wrote to memory of 2516 N/A C:\Users\Admin\AppData\Local\Temp\484d76db8fb4f2df2effad00c79fb2c1823a7b418adff4abc1329a4d9ba1ae0b.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2516 wrote to memory of 2480 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\Wbem\WMIC.exe
PID 2516 wrote to memory of 2480 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\Wbem\WMIC.exe
PID 2516 wrote to memory of 2480 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\Wbem\WMIC.exe
PID 2516 wrote to memory of 2480 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\Wbem\WMIC.exe
PID 2760 wrote to memory of 588 N/A C:\Users\Admin\AppData\Local\Temp\484d76db8fb4f2df2effad00c79fb2c1823a7b418adff4abc1329a4d9ba1ae0b.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2760 wrote to memory of 588 N/A C:\Users\Admin\AppData\Local\Temp\484d76db8fb4f2df2effad00c79fb2c1823a7b418adff4abc1329a4d9ba1ae0b.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2760 wrote to memory of 588 N/A C:\Users\Admin\AppData\Local\Temp\484d76db8fb4f2df2effad00c79fb2c1823a7b418adff4abc1329a4d9ba1ae0b.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2760 wrote to memory of 588 N/A C:\Users\Admin\AppData\Local\Temp\484d76db8fb4f2df2effad00c79fb2c1823a7b418adff4abc1329a4d9ba1ae0b.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 588 wrote to memory of 2820 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\Wbem\WMIC.exe
PID 588 wrote to memory of 2820 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\Wbem\WMIC.exe
PID 588 wrote to memory of 2820 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\Wbem\WMIC.exe
PID 588 wrote to memory of 2820 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\Wbem\WMIC.exe
PID 2760 wrote to memory of 2936 N/A C:\Users\Admin\AppData\Local\Temp\484d76db8fb4f2df2effad00c79fb2c1823a7b418adff4abc1329a4d9ba1ae0b.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2760 wrote to memory of 2936 N/A C:\Users\Admin\AppData\Local\Temp\484d76db8fb4f2df2effad00c79fb2c1823a7b418adff4abc1329a4d9ba1ae0b.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2760 wrote to memory of 2936 N/A C:\Users\Admin\AppData\Local\Temp\484d76db8fb4f2df2effad00c79fb2c1823a7b418adff4abc1329a4d9ba1ae0b.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2760 wrote to memory of 2936 N/A C:\Users\Admin\AppData\Local\Temp\484d76db8fb4f2df2effad00c79fb2c1823a7b418adff4abc1329a4d9ba1ae0b.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2936 wrote to memory of 320 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\Wbem\WMIC.exe
PID 2936 wrote to memory of 320 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\Wbem\WMIC.exe
PID 2936 wrote to memory of 320 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\Wbem\WMIC.exe
PID 2936 wrote to memory of 320 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\Wbem\WMIC.exe
PID 2760 wrote to memory of 1208 N/A C:\Users\Admin\AppData\Local\Temp\484d76db8fb4f2df2effad00c79fb2c1823a7b418adff4abc1329a4d9ba1ae0b.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2760 wrote to memory of 1208 N/A C:\Users\Admin\AppData\Local\Temp\484d76db8fb4f2df2effad00c79fb2c1823a7b418adff4abc1329a4d9ba1ae0b.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2760 wrote to memory of 1208 N/A C:\Users\Admin\AppData\Local\Temp\484d76db8fb4f2df2effad00c79fb2c1823a7b418adff4abc1329a4d9ba1ae0b.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2760 wrote to memory of 1208 N/A C:\Users\Admin\AppData\Local\Temp\484d76db8fb4f2df2effad00c79fb2c1823a7b418adff4abc1329a4d9ba1ae0b.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1208 wrote to memory of 2744 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\Wbem\WMIC.exe
PID 1208 wrote to memory of 2744 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\Wbem\WMIC.exe
PID 1208 wrote to memory of 2744 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\Wbem\WMIC.exe
PID 1208 wrote to memory of 2744 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\Wbem\WMIC.exe
PID 2760 wrote to memory of 332 N/A C:\Users\Admin\AppData\Local\Temp\484d76db8fb4f2df2effad00c79fb2c1823a7b418adff4abc1329a4d9ba1ae0b.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2760 wrote to memory of 332 N/A C:\Users\Admin\AppData\Local\Temp\484d76db8fb4f2df2effad00c79fb2c1823a7b418adff4abc1329a4d9ba1ae0b.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2760 wrote to memory of 332 N/A C:\Users\Admin\AppData\Local\Temp\484d76db8fb4f2df2effad00c79fb2c1823a7b418adff4abc1329a4d9ba1ae0b.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2760 wrote to memory of 332 N/A C:\Users\Admin\AppData\Local\Temp\484d76db8fb4f2df2effad00c79fb2c1823a7b418adff4abc1329a4d9ba1ae0b.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 332 wrote to memory of 2052 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\Wbem\WMIC.exe
PID 332 wrote to memory of 2052 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\Wbem\WMIC.exe
PID 332 wrote to memory of 2052 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\Wbem\WMIC.exe
PID 332 wrote to memory of 2052 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\Wbem\WMIC.exe
PID 2760 wrote to memory of 2028 N/A C:\Users\Admin\AppData\Local\Temp\484d76db8fb4f2df2effad00c79fb2c1823a7b418adff4abc1329a4d9ba1ae0b.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2760 wrote to memory of 2028 N/A C:\Users\Admin\AppData\Local\Temp\484d76db8fb4f2df2effad00c79fb2c1823a7b418adff4abc1329a4d9ba1ae0b.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2760 wrote to memory of 2028 N/A C:\Users\Admin\AppData\Local\Temp\484d76db8fb4f2df2effad00c79fb2c1823a7b418adff4abc1329a4d9ba1ae0b.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2760 wrote to memory of 2028 N/A C:\Users\Admin\AppData\Local\Temp\484d76db8fb4f2df2effad00c79fb2c1823a7b418adff4abc1329a4d9ba1ae0b.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2028 wrote to memory of 2044 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\Wbem\WMIC.exe
PID 2028 wrote to memory of 2044 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\Wbem\WMIC.exe
PID 2028 wrote to memory of 2044 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\Wbem\WMIC.exe
PID 2028 wrote to memory of 2044 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\Wbem\WMIC.exe
PID 2760 wrote to memory of 876 N/A C:\Users\Admin\AppData\Local\Temp\484d76db8fb4f2df2effad00c79fb2c1823a7b418adff4abc1329a4d9ba1ae0b.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2760 wrote to memory of 876 N/A C:\Users\Admin\AppData\Local\Temp\484d76db8fb4f2df2effad00c79fb2c1823a7b418adff4abc1329a4d9ba1ae0b.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2760 wrote to memory of 876 N/A C:\Users\Admin\AppData\Local\Temp\484d76db8fb4f2df2effad00c79fb2c1823a7b418adff4abc1329a4d9ba1ae0b.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2760 wrote to memory of 876 N/A C:\Users\Admin\AppData\Local\Temp\484d76db8fb4f2df2effad00c79fb2c1823a7b418adff4abc1329a4d9ba1ae0b.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 876 wrote to memory of 988 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\Wbem\WMIC.exe
PID 876 wrote to memory of 988 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\Wbem\WMIC.exe
PID 876 wrote to memory of 988 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\Wbem\WMIC.exe
PID 876 wrote to memory of 988 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\Wbem\WMIC.exe

Processes

C:\Users\Admin\AppData\Local\Temp\484d76db8fb4f2df2effad00c79fb2c1823a7b418adff4abc1329a4d9ba1ae0b.exe

"C:\Users\Admin\AppData\Local\Temp\484d76db8fb4f2df2effad00c79fb2c1823a7b418adff4abc1329a4d9ba1ae0b.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -command "& {wmic bios get Manufacturer,name,ReleaseDate,SerialNumber /value}"

C:\Windows\SysWOW64\Wbem\WMIC.exe

"C:\Windows\System32\Wbem\WMIC.exe" bios get Manufacturer name ReleaseDate SerialNumber /value

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -command "& {wmic BASEBOARD get manufacturer,product,version,SerialNumber /value}"

C:\Windows\SysWOW64\Wbem\WMIC.exe

"C:\Windows\System32\Wbem\WMIC.exe" BASEBOARD get manufacturer product version SerialNumber /value

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -command "& {wmic computersystem get systemfamily,systemskunumber,model /value}"

C:\Windows\SysWOW64\Wbem\WMIC.exe

"C:\Windows\System32\Wbem\WMIC.exe" computersystem get systemfamily systemskunumber model /value

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -command "& {wmic DESKTOPMONITOR get Caption,PNPDeviceID /value}"

C:\Windows\SysWOW64\Wbem\WMIC.exe

"C:\Windows\System32\Wbem\WMIC.exe" DESKTOPMONITOR get Caption PNPDeviceID /value

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -command "& {wmic IDECONTROLLER get name,DeviceID /value}"

C:\Windows\SysWOW64\Wbem\WMIC.exe

"C:\Windows\System32\Wbem\WMIC.exe" IDECONTROLLER get name DeviceID /value

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -command "& {wmic MEMORYCHIP get capacity,manufacturer,partnumber,SerialNumber /value}"

C:\Windows\SysWOW64\Wbem\WMIC.exe

"C:\Windows\System32\Wbem\WMIC.exe" MEMORYCHIP get capacity manufacturer partnumber SerialNumber /value

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -command "& {wmic PORTCONNECTOR get externalreferencedesignator /value}"

C:\Windows\SysWOW64\Wbem\WMIC.exe

"C:\Windows\System32\Wbem\WMIC.exe" PORTCONNECTOR get externalreferencedesignator /value

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -command "& {wmic SOUNDDEV get Name,Description,DeviceID /value}"

C:\Windows\SysWOW64\Wbem\WMIC.exe

"C:\Windows\System32\Wbem\WMIC.exe" SOUNDDEV get Name Description DeviceID /value

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -command "& {Get-WmiObject -Class Win32_videocontroller | select-object description}"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -command "& {wmic cpu get name,processorid /value}"

C:\Windows\SysWOW64\Wbem\WMIC.exe

"C:\Windows\System32\Wbem\WMIC.exe" cpu get name processorid /value

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -command "& {wmic DISKDRIVE get serialnumber /value}"

C:\Windows\SysWOW64\Wbem\WMIC.exe

"C:\Windows\System32\Wbem\WMIC.exe" DISKDRIVE get serialnumber /value

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -command "& {wmic bios get SerialNumber /value}"

C:\Windows\SysWOW64\Wbem\WMIC.exe

"C:\Windows\System32\Wbem\WMIC.exe" bios get SerialNumber /value

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -command "& {wmic DISKDRIVE get caption,deviceid,firmwarerevision,interfacetype,model,pnpdeviceid,serialnumber /value}"

C:\Windows\SysWOW64\Wbem\WMIC.exe

"C:\Windows\System32\Wbem\WMIC.exe" DISKDRIVE get caption deviceid firmwarerevision interfacetype model pnpdeviceid serialnumber /value

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -command "& {$env:temp}"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -command "& {echo $env:userprofile}"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -command "& {reg export HKEY_CURRENT_USER\Software\PremiumSoft C:\Users\Admin\AppData\Local\Temp\7729704568956112313.reg}"

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" export HKEY_CURRENT_USER\Software\PremiumSoft C:\Users\Admin\AppData\Local\Temp\7729704568956112313.reg

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -command "& {whoami /user /nh}"

C:\Windows\SysWOW64\whoami.exe

"C:\Windows\system32\whoami.exe" /user /nh

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -command "& {Get-ChildItem -Recurse $env:userprofile'\Documents\NetSarang Computer\7\Xshell\Sessions' | Where-Object {$_.Name -like '*.xsh'} | Foreach-Object Name}"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -command "& {gwmi -query 'select caption from win32_operatingsystem' | Select-Object -ExpandProperty caption}"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -command "& {gwmi -query 'select model from win32_computersystem' | Select-Object -ExpandProperty model}"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -command "& {pwd | select-object -expandproperty path}"

Network

Country Destination Domain Proto
N/A 172.16.1.100:8081 N/A tcp
CN 220.168.209.150:8081 N/A tcp

Files

memory/2760-0-0x0000000000B00000-0x0000000000CA6000-memory.dmp

memory/2760-1-0x0000000000110000-0x0000000000143000-memory.dmp

memory/2760-2-0x0000000000B00000-0x0000000000CA6000-memory.dmp

memory/2624-5-0x0000000073BB0000-0x000000007415B000-memory.dmp

memory/2624-6-0x0000000073BB0000-0x000000007415B000-memory.dmp

memory/2624-7-0x00000000023A0000-0x00000000023E0000-memory.dmp

memory/2624-8-0x00000000023A0000-0x00000000023E0000-memory.dmp

memory/2624-9-0x00000000023A0000-0x00000000023E0000-memory.dmp

memory/2624-10-0x0000000073BB0000-0x000000007415B000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

MD5 690a9889201fa3b269d7bbdcd436da87
SHA1 9bdc42689e0564d789b6a68cb7fea7d821d8a760
SHA256 3d3816d2fa71b78ef3faa1741896a84fb988345670e95038898456ee0794f4f9
SHA512 63becc1c66f427da223c8779b842355288e8b096a9173a1cfd014ad0dc1fa9645a34f9376e39013e60ee5aa6b07bb50ff30ba0a12638393ce107ab08dc988909

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\65393YGF08X7DNWVOJRV.temp

MD5 690a9889201fa3b269d7bbdcd436da87
SHA1 9bdc42689e0564d789b6a68cb7fea7d821d8a760
SHA256 3d3816d2fa71b78ef3faa1741896a84fb988345670e95038898456ee0794f4f9
SHA512 63becc1c66f427da223c8779b842355288e8b096a9173a1cfd014ad0dc1fa9645a34f9376e39013e60ee5aa6b07bb50ff30ba0a12638393ce107ab08dc988909

memory/2516-16-0x0000000073B60000-0x000000007410B000-memory.dmp

memory/2516-17-0x0000000073B60000-0x000000007410B000-memory.dmp

memory/2516-18-0x00000000027C0000-0x0000000002800000-memory.dmp

memory/2516-19-0x00000000027C0000-0x0000000002800000-memory.dmp

memory/2516-20-0x0000000073B60000-0x000000007410B000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

MD5 690a9889201fa3b269d7bbdcd436da87
SHA1 9bdc42689e0564d789b6a68cb7fea7d821d8a760
SHA256 3d3816d2fa71b78ef3faa1741896a84fb988345670e95038898456ee0794f4f9
SHA512 63becc1c66f427da223c8779b842355288e8b096a9173a1cfd014ad0dc1fa9645a34f9376e39013e60ee5aa6b07bb50ff30ba0a12638393ce107ab08dc988909

\??\PIPE\srvsvc

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

memory/588-27-0x0000000073B80000-0x000000007412B000-memory.dmp

memory/588-28-0x0000000073B80000-0x000000007412B000-memory.dmp

memory/588-29-0x0000000073B80000-0x000000007412B000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

MD5 690a9889201fa3b269d7bbdcd436da87
SHA1 9bdc42689e0564d789b6a68cb7fea7d821d8a760
SHA256 3d3816d2fa71b78ef3faa1741896a84fb988345670e95038898456ee0794f4f9
SHA512 63becc1c66f427da223c8779b842355288e8b096a9173a1cfd014ad0dc1fa9645a34f9376e39013e60ee5aa6b07bb50ff30ba0a12638393ce107ab08dc988909

memory/2936-35-0x0000000073B70000-0x000000007411B000-memory.dmp

memory/2936-36-0x0000000073B70000-0x000000007411B000-memory.dmp

memory/2936-37-0x0000000073B70000-0x000000007411B000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

MD5 3709a85c4aaae6dbb18535d32c326521
SHA1 e07b686a5bad4f9ce4fc4cd7b6f6bc10b8ffebb1
SHA256 c03caa47449c9c7490a3a12f39141be836e80b9b79cf4c134ad0b3d3dcccbf6d
SHA512 8975cc1ce64d671a23403432d239b2d65fa771b05637cdbdc7deeff0ce37eef48232053dbe2fda396fe5c954b1b6f2beb4a55b71b310bf4ebfbf6b2578e9e9cb

\??\PIPE\srvsvc

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

memory/1208-44-0x0000000073B80000-0x000000007412B000-memory.dmp

memory/1208-45-0x0000000073B80000-0x000000007412B000-memory.dmp

memory/1208-46-0x0000000073B80000-0x000000007412B000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

MD5 3709a85c4aaae6dbb18535d32c326521
SHA1 e07b686a5bad4f9ce4fc4cd7b6f6bc10b8ffebb1
SHA256 c03caa47449c9c7490a3a12f39141be836e80b9b79cf4c134ad0b3d3dcccbf6d
SHA512 8975cc1ce64d671a23403432d239b2d65fa771b05637cdbdc7deeff0ce37eef48232053dbe2fda396fe5c954b1b6f2beb4a55b71b310bf4ebfbf6b2578e9e9cb

memory/332-52-0x0000000073B70000-0x000000007411B000-memory.dmp

memory/332-53-0x0000000073B70000-0x000000007411B000-memory.dmp

memory/332-54-0x0000000073B70000-0x000000007411B000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

MD5 3709a85c4aaae6dbb18535d32c326521
SHA1 e07b686a5bad4f9ce4fc4cd7b6f6bc10b8ffebb1
SHA256 c03caa47449c9c7490a3a12f39141be836e80b9b79cf4c134ad0b3d3dcccbf6d
SHA512 8975cc1ce64d671a23403432d239b2d65fa771b05637cdbdc7deeff0ce37eef48232053dbe2fda396fe5c954b1b6f2beb4a55b71b310bf4ebfbf6b2578e9e9cb

memory/2028-60-0x0000000073B80000-0x000000007412B000-memory.dmp

memory/2028-61-0x0000000073B80000-0x000000007412B000-memory.dmp

memory/2028-62-0x0000000073B80000-0x000000007412B000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

MD5 3709a85c4aaae6dbb18535d32c326521
SHA1 e07b686a5bad4f9ce4fc4cd7b6f6bc10b8ffebb1
SHA256 c03caa47449c9c7490a3a12f39141be836e80b9b79cf4c134ad0b3d3dcccbf6d
SHA512 8975cc1ce64d671a23403432d239b2d65fa771b05637cdbdc7deeff0ce37eef48232053dbe2fda396fe5c954b1b6f2beb4a55b71b310bf4ebfbf6b2578e9e9cb

memory/876-69-0x0000000002560000-0x00000000025A0000-memory.dmp

memory/876-68-0x0000000073B70000-0x000000007411B000-memory.dmp

memory/876-70-0x0000000073B70000-0x000000007411B000-memory.dmp

memory/876-71-0x0000000073B70000-0x000000007411B000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

MD5 3709a85c4aaae6dbb18535d32c326521
SHA1 e07b686a5bad4f9ce4fc4cd7b6f6bc10b8ffebb1
SHA256 c03caa47449c9c7490a3a12f39141be836e80b9b79cf4c134ad0b3d3dcccbf6d
SHA512 8975cc1ce64d671a23403432d239b2d65fa771b05637cdbdc7deeff0ce37eef48232053dbe2fda396fe5c954b1b6f2beb4a55b71b310bf4ebfbf6b2578e9e9cb

memory/2684-77-0x0000000073B80000-0x000000007412B000-memory.dmp

memory/2684-78-0x00000000026B0000-0x00000000026F0000-memory.dmp

memory/2684-79-0x0000000073B80000-0x000000007412B000-memory.dmp

memory/2684-80-0x00000000026B0000-0x00000000026F0000-memory.dmp

memory/2684-81-0x0000000073B80000-0x000000007412B000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

MD5 3709a85c4aaae6dbb18535d32c326521
SHA1 e07b686a5bad4f9ce4fc4cd7b6f6bc10b8ffebb1
SHA256 c03caa47449c9c7490a3a12f39141be836e80b9b79cf4c134ad0b3d3dcccbf6d
SHA512 8975cc1ce64d671a23403432d239b2d65fa771b05637cdbdc7deeff0ce37eef48232053dbe2fda396fe5c954b1b6f2beb4a55b71b310bf4ebfbf6b2578e9e9cb

memory/1512-87-0x0000000073B60000-0x000000007410B000-memory.dmp

memory/1512-88-0x0000000073B60000-0x000000007410B000-memory.dmp

memory/1512-89-0x0000000002320000-0x0000000002360000-memory.dmp

memory/1512-90-0x0000000073B60000-0x000000007410B000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

MD5 3709a85c4aaae6dbb18535d32c326521
SHA1 e07b686a5bad4f9ce4fc4cd7b6f6bc10b8ffebb1
SHA256 c03caa47449c9c7490a3a12f39141be836e80b9b79cf4c134ad0b3d3dcccbf6d
SHA512 8975cc1ce64d671a23403432d239b2d65fa771b05637cdbdc7deeff0ce37eef48232053dbe2fda396fe5c954b1b6f2beb4a55b71b310bf4ebfbf6b2578e9e9cb

memory/984-97-0x0000000000450000-0x0000000000490000-memory.dmp

memory/984-96-0x0000000073B80000-0x000000007412B000-memory.dmp

memory/984-98-0x0000000073B80000-0x000000007412B000-memory.dmp

memory/984-99-0x0000000000450000-0x0000000000490000-memory.dmp

memory/984-111-0x0000000073B80000-0x000000007412B000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

MD5 3709a85c4aaae6dbb18535d32c326521
SHA1 e07b686a5bad4f9ce4fc4cd7b6f6bc10b8ffebb1
SHA256 c03caa47449c9c7490a3a12f39141be836e80b9b79cf4c134ad0b3d3dcccbf6d
SHA512 8975cc1ce64d671a23403432d239b2d65fa771b05637cdbdc7deeff0ce37eef48232053dbe2fda396fe5c954b1b6f2beb4a55b71b310bf4ebfbf6b2578e9e9cb

memory/2060-117-0x0000000073B70000-0x000000007411B000-memory.dmp

memory/2060-118-0x0000000002740000-0x0000000002780000-memory.dmp

memory/2060-119-0x0000000073B70000-0x000000007411B000-memory.dmp

memory/2060-120-0x0000000002740000-0x0000000002780000-memory.dmp

memory/2060-121-0x0000000073B70000-0x000000007411B000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

MD5 3709a85c4aaae6dbb18535d32c326521
SHA1 e07b686a5bad4f9ce4fc4cd7b6f6bc10b8ffebb1
SHA256 c03caa47449c9c7490a3a12f39141be836e80b9b79cf4c134ad0b3d3dcccbf6d
SHA512 8975cc1ce64d671a23403432d239b2d65fa771b05637cdbdc7deeff0ce37eef48232053dbe2fda396fe5c954b1b6f2beb4a55b71b310bf4ebfbf6b2578e9e9cb

memory/2512-127-0x0000000073B80000-0x000000007412B000-memory.dmp

memory/2512-128-0x0000000002370000-0x00000000023B0000-memory.dmp

memory/2512-129-0x0000000073B80000-0x000000007412B000-memory.dmp

memory/2512-130-0x0000000002370000-0x00000000023B0000-memory.dmp

memory/2512-131-0x0000000002370000-0x00000000023B0000-memory.dmp

memory/2512-132-0x0000000073B80000-0x000000007412B000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

MD5 3709a85c4aaae6dbb18535d32c326521
SHA1 e07b686a5bad4f9ce4fc4cd7b6f6bc10b8ffebb1
SHA256 c03caa47449c9c7490a3a12f39141be836e80b9b79cf4c134ad0b3d3dcccbf6d
SHA512 8975cc1ce64d671a23403432d239b2d65fa771b05637cdbdc7deeff0ce37eef48232053dbe2fda396fe5c954b1b6f2beb4a55b71b310bf4ebfbf6b2578e9e9cb

memory/2816-138-0x0000000073B70000-0x000000007411B000-memory.dmp

memory/2816-139-0x0000000073B70000-0x000000007411B000-memory.dmp

memory/2816-140-0x0000000002380000-0x00000000023C0000-memory.dmp

memory/2816-141-0x0000000002380000-0x00000000023C0000-memory.dmp

memory/2816-142-0x0000000002380000-0x00000000023C0000-memory.dmp

memory/2816-143-0x0000000073B70000-0x000000007411B000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

MD5 3709a85c4aaae6dbb18535d32c326521
SHA1 e07b686a5bad4f9ce4fc4cd7b6f6bc10b8ffebb1
SHA256 c03caa47449c9c7490a3a12f39141be836e80b9b79cf4c134ad0b3d3dcccbf6d
SHA512 8975cc1ce64d671a23403432d239b2d65fa771b05637cdbdc7deeff0ce37eef48232053dbe2fda396fe5c954b1b6f2beb4a55b71b310bf4ebfbf6b2578e9e9cb

Analysis: behavioral2

Detonation Overview

Submitted

2023-11-16 11:56

Reported

2023-11-16 11:58

Platform

win10v2004-20231020-en

Max time kernel

150s

Max time network

156s

Command Line

"C:\Users\Admin\AppData\Local\Temp\484d76db8fb4f2df2effad00c79fb2c1823a7b418adff4abc1329a4d9ba1ae0b.exe"

Signatures

Detects HZRAT backdoor

Description Indicator Process Target
N/A N/A N/A N/A

HZRAT

backdoor hzrat

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
(59 identical rows in the sandbox output, all for powershell.exe, collapsed to one here)

Suspicious use of AdjustPrivilegeToken

The WMIC.exe rows repeat the same 21 privileges for each WMIC child: wmic enables every privilege present in its token when it starts, and this list is exactly an administrator's token minus the three privileges Windows enables by default (SeChangeNotify, SeImpersonate, SeCreateGlobal). Treat the block as a side effect of the wmic calls under Processes, not as a separate escalation step; the signal is the number of wmic launches, which the privilege list merely echoes. The rows shown as bare numbers are privilege LUIDs the sandbox did not resolve: 33 is SeIncreaseWorkingSetPrivilege, 34 SeTimeZonePrivilege, 35 SeCreateSymbolicLinkPrivilege and 36 SeDelegateSessionUserImpersonatePrivilege. The table stops at 64 rows, so later WMIC children are not listed.

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A

Suspicious use of WriteProcessMemory

Every target in this table is the child the listed process had just created (the sample writing into each new powershell.exe, each powershell.exe into its WMIC.exe child), three writes per creation. That is the pattern the sandbox records for ordinary process creation; there is no write into a pre-existing or unrelated process, so nothing here indicates injection. The table is mainly useful as the process tree: sample (PID 1800) -> powershell.exe -> WMIC.exe. It is capped at 64 rows, which is why the final entry for PID 4740 is cut off after one line.

Description Indicator Process Target
PID 1800 wrote to memory of 1176 N/A C:\Users\Admin\AppData\Local\Temp\484d76db8fb4f2df2effad00c79fb2c1823a7b418adff4abc1329a4d9ba1ae0b.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1800 wrote to memory of 1176 N/A C:\Users\Admin\AppData\Local\Temp\484d76db8fb4f2df2effad00c79fb2c1823a7b418adff4abc1329a4d9ba1ae0b.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1800 wrote to memory of 1176 N/A C:\Users\Admin\AppData\Local\Temp\484d76db8fb4f2df2effad00c79fb2c1823a7b418adff4abc1329a4d9ba1ae0b.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1176 wrote to memory of 4672 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\Wbem\WMIC.exe
PID 1176 wrote to memory of 4672 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\Wbem\WMIC.exe
PID 1176 wrote to memory of 4672 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\Wbem\WMIC.exe
PID 1800 wrote to memory of 2756 N/A C:\Users\Admin\AppData\Local\Temp\484d76db8fb4f2df2effad00c79fb2c1823a7b418adff4abc1329a4d9ba1ae0b.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1800 wrote to memory of 2756 N/A C:\Users\Admin\AppData\Local\Temp\484d76db8fb4f2df2effad00c79fb2c1823a7b418adff4abc1329a4d9ba1ae0b.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1800 wrote to memory of 2756 N/A C:\Users\Admin\AppData\Local\Temp\484d76db8fb4f2df2effad00c79fb2c1823a7b418adff4abc1329a4d9ba1ae0b.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2756 wrote to memory of 1816 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\Wbem\WMIC.exe
PID 2756 wrote to memory of 1816 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\Wbem\WMIC.exe
PID 2756 wrote to memory of 1816 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\Wbem\WMIC.exe
PID 1800 wrote to memory of 4548 N/A C:\Users\Admin\AppData\Local\Temp\484d76db8fb4f2df2effad00c79fb2c1823a7b418adff4abc1329a4d9ba1ae0b.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1800 wrote to memory of 4548 N/A C:\Users\Admin\AppData\Local\Temp\484d76db8fb4f2df2effad00c79fb2c1823a7b418adff4abc1329a4d9ba1ae0b.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1800 wrote to memory of 4548 N/A C:\Users\Admin\AppData\Local\Temp\484d76db8fb4f2df2effad00c79fb2c1823a7b418adff4abc1329a4d9ba1ae0b.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4548 wrote to memory of 2196 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\Wbem\WMIC.exe
PID 4548 wrote to memory of 2196 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\Wbem\WMIC.exe
PID 4548 wrote to memory of 2196 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\Wbem\WMIC.exe
PID 1800 wrote to memory of 4920 N/A C:\Users\Admin\AppData\Local\Temp\484d76db8fb4f2df2effad00c79fb2c1823a7b418adff4abc1329a4d9ba1ae0b.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1800 wrote to memory of 4920 N/A C:\Users\Admin\AppData\Local\Temp\484d76db8fb4f2df2effad00c79fb2c1823a7b418adff4abc1329a4d9ba1ae0b.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1800 wrote to memory of 4920 N/A C:\Users\Admin\AppData\Local\Temp\484d76db8fb4f2df2effad00c79fb2c1823a7b418adff4abc1329a4d9ba1ae0b.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4920 wrote to memory of 1648 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\Wbem\WMIC.exe
PID 4920 wrote to memory of 1648 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\Wbem\WMIC.exe
PID 4920 wrote to memory of 1648 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\Wbem\WMIC.exe
PID 1800 wrote to memory of 3872 N/A C:\Users\Admin\AppData\Local\Temp\484d76db8fb4f2df2effad00c79fb2c1823a7b418adff4abc1329a4d9ba1ae0b.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1800 wrote to memory of 3872 N/A C:\Users\Admin\AppData\Local\Temp\484d76db8fb4f2df2effad00c79fb2c1823a7b418adff4abc1329a4d9ba1ae0b.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1800 wrote to memory of 3872 N/A C:\Users\Admin\AppData\Local\Temp\484d76db8fb4f2df2effad00c79fb2c1823a7b418adff4abc1329a4d9ba1ae0b.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3872 wrote to memory of 1092 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\Wbem\WMIC.exe
PID 3872 wrote to memory of 1092 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\Wbem\WMIC.exe
PID 3872 wrote to memory of 1092 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\Wbem\WMIC.exe
PID 1800 wrote to memory of 392 N/A C:\Users\Admin\AppData\Local\Temp\484d76db8fb4f2df2effad00c79fb2c1823a7b418adff4abc1329a4d9ba1ae0b.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1800 wrote to memory of 392 N/A C:\Users\Admin\AppData\Local\Temp\484d76db8fb4f2df2effad00c79fb2c1823a7b418adff4abc1329a4d9ba1ae0b.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1800 wrote to memory of 392 N/A C:\Users\Admin\AppData\Local\Temp\484d76db8fb4f2df2effad00c79fb2c1823a7b418adff4abc1329a4d9ba1ae0b.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 392 wrote to memory of 804 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\Wbem\WMIC.exe
PID 392 wrote to memory of 804 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\Wbem\WMIC.exe
PID 392 wrote to memory of 804 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\Wbem\WMIC.exe
PID 1800 wrote to memory of 4284 N/A C:\Users\Admin\AppData\Local\Temp\484d76db8fb4f2df2effad00c79fb2c1823a7b418adff4abc1329a4d9ba1ae0b.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1800 wrote to memory of 4284 N/A C:\Users\Admin\AppData\Local\Temp\484d76db8fb4f2df2effad00c79fb2c1823a7b418adff4abc1329a4d9ba1ae0b.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1800 wrote to memory of 4284 N/A C:\Users\Admin\AppData\Local\Temp\484d76db8fb4f2df2effad00c79fb2c1823a7b418adff4abc1329a4d9ba1ae0b.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4284 wrote to memory of 2888 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\Wbem\WMIC.exe
PID 4284 wrote to memory of 2888 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\Wbem\WMIC.exe
PID 4284 wrote to memory of 2888 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\Wbem\WMIC.exe
PID 1800 wrote to memory of 4860 N/A C:\Users\Admin\AppData\Local\Temp\484d76db8fb4f2df2effad00c79fb2c1823a7b418adff4abc1329a4d9ba1ae0b.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1800 wrote to memory of 4860 N/A C:\Users\Admin\AppData\Local\Temp\484d76db8fb4f2df2effad00c79fb2c1823a7b418adff4abc1329a4d9ba1ae0b.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1800 wrote to memory of 4860 N/A C:\Users\Admin\AppData\Local\Temp\484d76db8fb4f2df2effad00c79fb2c1823a7b418adff4abc1329a4d9ba1ae0b.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4860 wrote to memory of 1476 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\Wbem\WMIC.exe
PID 4860 wrote to memory of 1476 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\Wbem\WMIC.exe
PID 4860 wrote to memory of 1476 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\Wbem\WMIC.exe
PID 1800 wrote to memory of 3472 N/A C:\Users\Admin\AppData\Local\Temp\484d76db8fb4f2df2effad00c79fb2c1823a7b418adff4abc1329a4d9ba1ae0b.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1800 wrote to memory of 3472 N/A C:\Users\Admin\AppData\Local\Temp\484d76db8fb4f2df2effad00c79fb2c1823a7b418adff4abc1329a4d9ba1ae0b.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1800 wrote to memory of 3472 N/A C:\Users\Admin\AppData\Local\Temp\484d76db8fb4f2df2effad00c79fb2c1823a7b418adff4abc1329a4d9ba1ae0b.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1800 wrote to memory of 5000 N/A C:\Users\Admin\AppData\Local\Temp\484d76db8fb4f2df2effad00c79fb2c1823a7b418adff4abc1329a4d9ba1ae0b.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1800 wrote to memory of 5000 N/A C:\Users\Admin\AppData\Local\Temp\484d76db8fb4f2df2effad00c79fb2c1823a7b418adff4abc1329a4d9ba1ae0b.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1800 wrote to memory of 5000 N/A C:\Users\Admin\AppData\Local\Temp\484d76db8fb4f2df2effad00c79fb2c1823a7b418adff4abc1329a4d9ba1ae0b.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 5000 wrote to memory of 4208 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\Wbem\WMIC.exe
PID 5000 wrote to memory of 4208 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\Wbem\WMIC.exe
PID 5000 wrote to memory of 4208 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\Wbem\WMIC.exe
PID 1800 wrote to memory of 1000 N/A C:\Users\Admin\AppData\Local\Temp\484d76db8fb4f2df2effad00c79fb2c1823a7b418adff4abc1329a4d9ba1ae0b.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1800 wrote to memory of 1000 N/A C:\Users\Admin\AppData\Local\Temp\484d76db8fb4f2df2effad00c79fb2c1823a7b418adff4abc1329a4d9ba1ae0b.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1800 wrote to memory of 1000 N/A C:\Users\Admin\AppData\Local\Temp\484d76db8fb4f2df2effad00c79fb2c1823a7b418adff4abc1329a4d9ba1ae0b.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1000 wrote to memory of 1988 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\Wbem\WMIC.exe
PID 1000 wrote to memory of 1988 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\Wbem\WMIC.exe
PID 1000 wrote to memory of 1988 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\Wbem\WMIC.exe
PID 1800 wrote to memory of 4740 N/A C:\Users\Admin\AppData\Local\Temp\484d76db8fb4f2df2effad00c79fb2c1823a7b418adff4abc1329a4d9ba1ae0b.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Processes

The chain is the same for every collector: the sample (a 32-bit PE, hence the SysWOW64 paths) spawns a 32-bit powershell.exe with an inline -command "& {...}" block, and most of those blocks in turn spawn WMIC.exe. Read together, the command lines are a host-fingerprinting and credential-hunting routine, not interactive use: hardware identity (BIOS, baseboard, memory and disk serial numbers, CPU ProcessorId, monitor and sound device IDs, port connectors, system drivers), user and session context (whoami, $env:temp, $env:userprofile, current identity, working directory, user accounts, running processes, both Desktop listings), network identity (adapter configuration, MAC addresses), and two credential stores: HKEY_CURRENT_USER\Software\PremiumSoft, the registry location Navicat uses for saved database connections, exported to a .reg file under %TEMP%, and the NetSarang Xshell 7 session directory, whose *.xsh files hold SSH hosts, usernames and saved credentials. The serial-number collection gives the operator a stable per-host identifier across reboots; the Navicat and Xshell targeting says what the operator wants next: database and SSH access.

C:\Users\Admin\AppData\Local\Temp\484d76db8fb4f2df2effad00c79fb2c1823a7b418adff4abc1329a4d9ba1ae0b.exe

"C:\Users\Admin\AppData\Local\Temp\484d76db8fb4f2df2effad00c79fb2c1823a7b418adff4abc1329a4d9ba1ae0b.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -command "& {wmic bios get Manufacturer,name,ReleaseDate,SerialNumber /value}"

C:\Windows\SysWOW64\Wbem\WMIC.exe

"C:\Windows\System32\Wbem\WMIC.exe" bios get Manufacturer,name,ReleaseDate,SerialNumber /value

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -command "& {wmic BASEBOARD get manufacturer,product,version,SerialNumber /value}"

C:\Windows\SysWOW64\Wbem\WMIC.exe

"C:\Windows\System32\Wbem\WMIC.exe" BASEBOARD get manufacturer,product,version,SerialNumber /value

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -command "& {wmic computersystem get systemfamily,systemskunumber,model /value}"

C:\Windows\SysWOW64\Wbem\WMIC.exe

"C:\Windows\System32\Wbem\WMIC.exe" computersystem get systemfamily,systemskunumber,model /value

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -command "& {wmic DESKTOPMONITOR get Caption,PNPDeviceID /value}"

C:\Windows\SysWOW64\Wbem\WMIC.exe

"C:\Windows\System32\Wbem\WMIC.exe" DESKTOPMONITOR get Caption,PNPDeviceID /value

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -command "& {wmic IDECONTROLLER get name,DeviceID /value}"

C:\Windows\SysWOW64\Wbem\WMIC.exe

"C:\Windows\System32\Wbem\WMIC.exe" IDECONTROLLER get name,DeviceID /value

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -command "& {wmic MEMORYCHIP get capacity,manufacturer,partnumber,SerialNumber /value}"

C:\Windows\SysWOW64\Wbem\WMIC.exe

"C:\Windows\System32\Wbem\WMIC.exe" MEMORYCHIP get capacity,manufacturer,partnumber,SerialNumber /value

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -command "& {wmic PORTCONNECTOR get externalreferencedesignator /value}"

C:\Windows\SysWOW64\Wbem\WMIC.exe

"C:\Windows\System32\Wbem\WMIC.exe" PORTCONNECTOR get externalreferencedesignator /value

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -command "& {wmic SOUNDDEV get Name,Description,DeviceID /value}"

C:\Windows\SysWOW64\Wbem\WMIC.exe

"C:\Windows\System32\Wbem\WMIC.exe" SOUNDDEV get Name,Description,DeviceID /value

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -command "& {Get-WmiObject -Class Win32_videocontroller | select-object description}"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -command "& {wmic cpu get name,processorid /value}"

C:\Windows\SysWOW64\Wbem\WMIC.exe

"C:\Windows\System32\Wbem\WMIC.exe" cpu get name,processorid /value

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -command "& {wmic DISKDRIVE get serialnumber /value}"

C:\Windows\SysWOW64\Wbem\WMIC.exe

"C:\Windows\System32\Wbem\WMIC.exe" DISKDRIVE get serialnumber /value

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -command "& {wmic bios get SerialNumber /value}"

C:\Windows\SysWOW64\Wbem\WMIC.exe

"C:\Windows\System32\Wbem\WMIC.exe" bios get SerialNumber /value

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -command "& {wmic DISKDRIVE get caption,deviceid,firmwarerevision,interfacetype,model,pnpdeviceid,serialnumber /value}"

C:\Windows\SysWOW64\Wbem\WMIC.exe

"C:\Windows\System32\Wbem\WMIC.exe" DISKDRIVE get caption,deviceid,firmwarerevision,interfacetype,model,pnpdeviceid,serialnumber /value

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -command "& {$env:temp}"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -command "& {echo $env:userprofile}"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -command "& {reg export HKEY_CURRENT_USER\Software\PremiumSoft C:\Users\Admin\AppData\Local\Temp\6027097068028388406.reg}"

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" export HKEY_CURRENT_USER\Software\PremiumSoft C:\Users\Admin\AppData\Local\Temp\6027097068028388406.reg

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -command "& {whoami /user /nh}"

C:\Windows\SysWOW64\whoami.exe

"C:\Windows\system32\whoami.exe" /user /nh

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -command "& {Get-ChildItem -Recurse $env:userprofile'\Documents\NetSarang Computer\7\Xshell\Sessions' | Where-Object {$_.Name -like '*.xsh'} | Foreach-Object Name}"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -command "& {gwmi -query 'select caption from win32_operatingsystem' | Select-Object -ExpandProperty caption}"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -command "& {gwmi -query 'select model from win32_computersystem' | Select-Object -ExpandProperty model}"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -command "& {pwd | select-object -expandproperty path}"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -command "& {[System.Security.Principal.WindowsIdentity]::GetCurrent().Name}"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -command "& {gwmi -query 'select * from win32_networkadapterconfiguration' | Select-Object -Property ipaddress,servicename,description}"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -command "& {gwmi -query 'select macaddress,name from win32_networkadapter' | Select-Object -Property macaddress,name}"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -command "& {gwmi -query 'select caption,name from win32_useraccount' | Select-Object -Property caption,name}"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -command "& {gwmi -query 'select name,sessionid,processid from win32_process' | Select-Object -Property name,sessionid,processid}"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -command "& {gwmi -query 'select * from win32_computersystem'}"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -command "& {dir C:\Users\$([Environment]::UserName)\Desktop; dir C:\Users\Public\Desktop}"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -command "& {wmic SYSDRIVER get name,caption /value}"

C:\Windows\SysWOW64\Wbem\WMIC.exe

"C:\Windows\System32\Wbem\WMIC.exe" SYSDRIVER get name,caption /value

Network

Only two rows are connections the sample makes itself: 220.168.209.150:8081/tcp, the single external endpoint it contacts by address with no preceding name lookup, and the indicator to hunt on; and 172.16.1.100:8081/tcp, a private (RFC 1918) address on the same port that is unreachable from outside whatever network the sample was built for and so is not usable as an external indicator. The in-addr.arpa rows are reverse (PTR) lookups, one of them (150.209.168.220.in-addr.arpa) for the C2 address itself, not resolution of a C2 domain. The tse1.mm.bing.net traffic is Windows background activity typical of detonations on this platform and is unrelated to the sample.

Country Destination Domain Proto
US 8.8.8.8:53 4.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 158.240.127.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 34.175.53.84.in-addr.arpa udp
N/A 172.16.1.100:8081 N/A tcp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 39.142.81.104.in-addr.arpa udp
US 8.8.8.8:53 208.194.73.20.in-addr.arpa udp
CN 220.168.209.150:8081 N/A tcp
US 8.8.8.8:53 150.209.168.220.in-addr.arpa udp
US 8.8.8.8:53 59.128.231.4.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 1.208.79.178.in-addr.arpa udp
US 8.8.8.8:53 254.23.238.8.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 25.73.42.20.in-addr.arpa udp
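
The triage of that table can be mechanised. The following is an added example, not part of the report: it parses rows in the report's "Country Destination Domain Proto" layout (tolerating a Domain column given as N/A or omitted), labels PTR lookups and recovers the address they reverse, drops DNS and allow-listed Windows background traffic, separates private destinations from external ones, and corroborates each external endpoint against a PTR lookup of the same address. The rows are constructed for the example from entries in this report; the allow-list of background hosts and the label "c2" for any unexplained external connection are assumptions of the heuristic, not findings of the sandbox.

```python
"""Separate the sample's own connections from resolver and OS noise in a sandbox network table."""
import ipaddress
from collections import defaultdict

# Rows in the layout of this report's Network table. Constructed for the example: rows
# copied from the report plus both layouts seen for direct-IP connections (Domain given
# as N/A, or the column omitted entirely).
NETWORK_ROWS = """\
US 8.8.8.8:53 4.159.190.20.in-addr.arpa udp
N/A 172.16.1.100:8081 tcp
CN 220.168.209.150:8081 N/A tcp
US 8.8.8.8:53 150.209.168.220.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
"""

# Assumed allow-list of Windows background hosts routinely seen in detonations.
BENIGN_SUFFIXES = (".bing.net", ".microsoft.com", ".windowsupdate.com")


def parse_rows(text):
    """Parse whitespace-separated rows; tolerate a missing or N/A Domain column."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 3:
            country, dest, proto = parts
            domain = ""
        elif len(parts) == 4:
            country, dest, domain, proto = parts
        else:
            continue
        ip, port = dest.rsplit(":", 1)
        rows.append({"country": country, "ip": ip, "port": int(port),
                     "domain": "" if domain == "N/A" else domain, "proto": proto})
    return rows


def classify(row):
    """Return (kind, value) for one row."""
    domain = row["domain"]
    if domain.endswith(".in-addr.arpa"):
        # PTR lookup: the resolver reversing an address it already talked to; recover it.
        octets = domain[: -len(".in-addr.arpa")].split(".")[::-1]
        return "ptr_lookup", ".".join(octets)
    if row["port"] == 53:
        return "dns_query", domain
    if domain.endswith(BENIGN_SUFFIXES):
        return "background", domain
    endpoint = f"{row['ip']}:{row['port']}"
    if ipaddress.ip_address(row["ip"]).is_private:
        return "private_peer", endpoint      # unreachable from outside the victim network
    return "c2", endpoint                    # external, direct-IP, unexplained: hunt on it


def triage(text):
    """Bucket every row and corroborate each C2 address against PTR lookups of it."""
    out = defaultdict(list)
    for row in parse_rows(text):
        kind, value = classify(row)
        out[kind].append(value)
    out["ptr_of_c2"] = [ip for ip in out["ptr_lookup"]
                        if any(ep.startswith(ip + ":") for ep in out["c2"])]
    return dict(out)


if __name__ == "__main__":
    for kind, values in triage(NETWORK_ROWS).items():
        print(f"{kind:14} {values}")
```

A PTR lookup of an address that also appears as a direct connection is a useful cross-check when reading other reports of the same family: it shows the resolver saw the connection, even where the connection row itself has been truncated.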

Files

Almost everything listed here is a side effect of running 32-bit powershell.exe rather than a file the sample wrote deliberately, but several are worth knowing as host forensic artifacts: __PSScriptPolicyTest_*.ps1 under %TEMP% is the probe script PowerShell drops, with a fresh random name at each start, to check whether AppLocker or WDAC script enforcement applies; %LOCALAPPDATA%\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log is written by the 32-bit .NET runtime and survives as evidence that 32-bit PowerShell ran under this user; StartupProfileData-NonInteractive is PowerShell's startup JIT profile cache. The memory/<pid>-<n>-<range>-memory.dmp entries are sandbox memory dumps of the named PID, not files on disk.

memory/1800-0-0x0000000000750000-0x00000000008F6000-memory.dmp

memory/1800-1-0x0000000002A40000-0x0000000002A73000-memory.dmp

memory/1800-2-0x0000000000750000-0x00000000008F6000-memory.dmp

memory/1176-4-0x00000000746C0000-0x0000000074E70000-memory.dmp

memory/1176-3-0x0000000002FE0000-0x0000000003016000-memory.dmp

memory/1176-5-0x0000000005260000-0x0000000005270000-memory.dmp

memory/1176-6-0x0000000005260000-0x0000000005270000-memory.dmp

memory/1176-7-0x00000000058A0000-0x0000000005EC8000-memory.dmp

memory/1176-8-0x0000000005730000-0x0000000005752000-memory.dmp

memory/1176-9-0x00000000746C0000-0x0000000074E70000-memory.dmp

memory/1176-10-0x00000000057D0000-0x0000000005836000-memory.dmp

memory/1176-16-0x0000000005FC0000-0x0000000006026000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_kqvh14ev.3js.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/1176-21-0x00000000061F0000-0x0000000006544000-memory.dmp

memory/1176-22-0x00000000066F0000-0x000000000670E000-memory.dmp

memory/1176-23-0x0000000006720000-0x000000000676C000-memory.dmp

memory/1176-24-0x0000000005260000-0x0000000005270000-memory.dmp

memory/1176-25-0x0000000005260000-0x0000000005270000-memory.dmp

memory/1176-28-0x00000000746C0000-0x0000000074E70000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 33b19d75aa77114216dbc23f43b195e3
SHA1 36a6c3975e619e0c5232aa4f5b7dc1fec9525535
SHA256 b23ced31b855e5a39c94afa1f9d55b023b8c40d4dc62143e0539c6916c12c9d2
SHA512 676fa2fd34878b75e5899197fe6826bb5604541aa468804bc9835bd3acabed2e6759878a8f1358955413818a51456816e90f149133828575a416c2a74fc7d821

memory/2756-30-0x00000000746C0000-0x0000000074E70000-memory.dmp

memory/2756-32-0x00000000024A0000-0x00000000024B0000-memory.dmp

memory/2756-31-0x00000000024A0000-0x00000000024B0000-memory.dmp

memory/2756-42-0x0000000005750000-0x0000000005AA4000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 04e2e659d69fdef012a9ec9f45f7c59f
SHA1 40f917020b1aa6b6a0bdc9b694bc4919207b9a4e
SHA256 4c300e3e2d33b2c89ec9cd2375131cb8002950b62f5c2ff90a79586e4920676d
SHA512 ec39a23f72a575bc796c1adc90e0495e4505aaae4379220d28a0f19eb8b76f2edb41acb219286c04969e7c4f548ea0eee77f1be9d9990492676fd6024ebaf369

memory/2756-44-0x00000000024A0000-0x00000000024B0000-memory.dmp

memory/2756-46-0x00000000746C0000-0x0000000074E70000-memory.dmp

memory/4548-47-0x00000000746C0000-0x0000000074E70000-memory.dmp

memory/4548-48-0x00000000051B0000-0x00000000051C0000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 c3a358751b4d8e802cebe7a1dfca4ea6
SHA1 9cc135ad7ba31b87e0e291c0c6d0efc4c682506c
SHA256 a3a2baedc6063ebc07897e6215413455b7d356dcdcc886edd162f0e784f87307
SHA512 6f9e0ae070da6c6409ebccdf641cd3754bec129404f51c13b7b445d7bc6c10d360aee2aba53f9aff20ed8e99091aecb585445599c8b1b490a3c10bccab861b10

memory/4548-60-0x00000000051B0000-0x00000000051C0000-memory.dmp

memory/4548-61-0x00000000746C0000-0x0000000074E70000-memory.dmp

memory/4920-62-0x00000000746C0000-0x0000000074E70000-memory.dmp

memory/4920-63-0x0000000005390000-0x00000000053A0000-memory.dmp

memory/4920-64-0x0000000005390000-0x00000000053A0000-memory.dmp

memory/4920-70-0x0000000006210000-0x0000000006564000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 0fb98fec27ebd0fc416f324b0618cdb9
SHA1 534bdb9a93be47095f2e653008aa44c8ded71045
SHA256 f5dfb1b64747f5eea12713f0d5f9632acdd1a46e99cbc66194e54c42155772a5
SHA512 0eb236a7b289989654255a0b20fc34a4b8c8f386452c4e487722cd256b8f7e5dffcba2e252a4aad379521b80416972191c0728fdeb8e5cab696c63b4f94e461d

memory/4920-76-0x0000000005390000-0x00000000053A0000-memory.dmp

memory/4920-78-0x00000000746C0000-0x0000000074E70000-memory.dmp

memory/3872-79-0x00000000746C0000-0x0000000074E70000-memory.dmp

memory/3872-80-0x0000000004F50000-0x0000000004F60000-memory.dmp

memory/3872-81-0x0000000004F50000-0x0000000004F60000-memory.dmp

memory/3872-91-0x0000000005E60000-0x00000000061B4000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 593dbcb69692d4cec583d274ecc39d82
SHA1 52ebcf7cccc1dce2020fb59b93e976595b804717
SHA256 1c9158ff9eadaf02f00698ddb3ee453b0233cbc2336737add592cfeda6c9b7f4
SHA512 0540885e89bf55dee893530eff7ba4fa165eae19078898d290eae6f502fdf37276c4236ccb344ca5efecfce24f6748d88e845a821c44275f563271e753b3479c

memory/3872-94-0x0000000004F50000-0x0000000004F60000-memory.dmp

memory/3872-95-0x00000000746C0000-0x0000000074E70000-memory.dmp

memory/392-96-0x00000000746C0000-0x0000000074E70000-memory.dmp

memory/392-97-0x0000000003470000-0x0000000003480000-memory.dmp

memory/392-98-0x0000000003470000-0x0000000003480000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 4550f17cc184b83e4898b47abdc4d502
SHA1 cea16d5f5382b04e3996eb6488a77308a234c656
SHA256 9951db546a173fb0414558dc3fdf0f755181ec1d53c2457f11713ed565aa3a4a
SHA512 4da69c8a60f8024eda2e5538e98b259558fc4e32f52499361b7c64e01f95f937010dd45a71d83124faf2e8f4b7e8ae188880cccccafc382e8af7f1fb50c580e0

memory/392-110-0x0000000003470000-0x0000000003480000-memory.dmp

memory/392-111-0x00000000746C0000-0x0000000074E70000-memory.dmp

memory/4284-112-0x00000000746C0000-0x0000000074E70000-memory.dmp

memory/4284-113-0x0000000005350000-0x0000000005360000-memory.dmp

memory/4284-114-0x0000000005350000-0x0000000005360000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 a537fc0f2cf88915167b4159fbb1edc8
SHA1 29d145cff3be72800b6db24d5532bdc85739bf32
SHA256 691c172eb2632daa0eab35f4f02797f646b4bc1ef6194da878062b81aedf12d3
SHA512 e25269bf2497699274293fdfe0673e802058ac94fb953e4c4886c225c8d664e4a398e4dfe0c1bc6699b31b42aa58c4ea970b376e03cc3fd1ed23b8b592f55921

memory/4284-126-0x0000000005350000-0x0000000005360000-memory.dmp

memory/4284-127-0x00000000746C0000-0x0000000074E70000-memory.dmp

memory/4860-128-0x00000000746C0000-0x0000000074E70000-memory.dmp

memory/4860-130-0x0000000002C00000-0x0000000002C10000-memory.dmp

memory/4860-129-0x0000000002C00000-0x0000000002C10000-memory.dmp

memory/4860-131-0x0000000005F70000-0x00000000062C4000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 b59afabcc20aefe6861a7e394425fa8c
SHA1 d2b40942bbaef199398905692220e31a2ba00d1b
SHA256 324a3e9ff8415443d789c8d21638ebe0166f03933b2f52ae7acfb9976e141fe9
SHA512 cc1d1e40399044a26aed7cc76b757092734789aac72440cafeff4aeb367f5796484c2aec8062c33ddae7cc7fcc8b9c4d7a560868cf4c7396e5afc45c6b7509ba

memory/4860-143-0x0000000002C00000-0x0000000002C10000-memory.dmp

memory/4860-144-0x00000000746C0000-0x0000000074E70000-memory.dmp

memory/3472-145-0x00000000746C0000-0x0000000074E70000-memory.dmp

memory/3472-146-0x0000000005060000-0x0000000005070000-memory.dmp

memory/3472-147-0x0000000005060000-0x0000000005070000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 58d91b822ee6d70f4f08db8f18115dcb
SHA1 5530b206a224038756c0818f0596a6c4d1c294fc
SHA256 534b4e9d439f934995d37d0fa3c5ddd95a5478076dde15960633b8800cadeebf
SHA512 871b859916587c9eef81e1fe87638e08d86a45042ff3ffe312ad9805966796ec59cdd6134709ae566d9f505d0d761db4769183c1924f74dd522691a7cd58e819

memory/3472-158-0x0000000007880000-0x0000000007916000-memory.dmp

memory/3472-159-0x00000000069F0000-0x0000000006A0A000-memory.dmp

memory/3472-160-0x0000000006A40000-0x0000000006A62000-memory.dmp

memory/3472-161-0x0000000007ED0000-0x0000000008474000-memory.dmp

memory/3472-162-0x0000000008B00000-0x000000000917A000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 d03939957515b72d8f724a773e7718ca
SHA1 17dc7773d431c821d4dab7f4e10f23efacc2a770
SHA256 6105fbcb5e004d4017215dc21095467f0e94bb3bacfe5bee0e11a54922e3736e
SHA512 232eeb5af30305077cec739de8566146bf1c7ab0f846c57de874d512d24a0b854f8978891b60da4ee09d04b3b4a56d84b0fbb1c3e996af4a16404bf9a904d101

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 bd547797db56df2196992c4f2ec4f58a
SHA1 c83c74d0f8a8b7fe24d961eee6f4b5fc4bbcd1b7
SHA256 b2007bb211c44542d45fc0c7f8daa8469fc8c8387d1b9ac91bd89564e4eed6fd
SHA512 46db1588abec24fe6eb4197ef50df529bab6dee86379df4e1ff920bb2d4dead801859ec7b03ab7b9010571063ce3127d43e1cc7bcfd04e5a113034f0e3f7f3eb

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 19aad62a5a1b35b635188fbf30a95611
SHA1 d3d6e8a658c059d2b42b6748ef320d0790462852
SHA256 da25188e26c313bb3a322ec07c458ba6bcfeca849971847802c17d77e584860f
SHA512 fb1ccdca2e84d41fa421d4f1b21b8787e174cf2cb3d44510b8c5f187cfdabf4487fa09f153e5a800b683384a5deada171b2d5e00fe725128f14d680ad566aefe

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 4680f7ca641e9915eaaf88cb46ba1e5e
SHA1 a7908f8fabc55e6cd00e214087cc45a8630e1c49
SHA256 81245b841d2b9cf06c5a45b7b43f7cadbdfa62d3b59482ad848c5401b493bd2a
SHA512 d069ce5f80739050fde1df9afacfc87946c0e5d41f6c1afaf319e8f64bb51e29d911bfe2913fa0e9795ad1d413e295a26f3ac85f1c4976d8e0c14f2ca4d41205

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 fbc845dc26213ae557e1cd8adbcc6c60
SHA1 73e97520ca31087c58006afab2f45f8b1a0dcd93
SHA256 8306bc53b46e26abba8bdd61d5a283117f2531bf8618bfd6158522431c990578
SHA512 8056243518ef410e650a25f90e296481d9a4a5aa2e0ddc655309f689f9d7f272b593e34f1fae91bdb6302cee14b8ab802f85c2728fbd20a1098b3e2896709275

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 be766817c1752772ee0a6e126f93c059
SHA1 6b2617edbfe80f4cf0084d4dad614632980098cf
SHA256 f7247500baba07774271f5b63a27010667a8b89f705453982e5f4acc66144ee7
SHA512 663462548e130c3f2f01b459c3c97acfc60bb86a98f8d8a6e42ec6c79761207a801cc25f37c3643ff0e247e6b62146d046b050d69859828446492407b1ffe4d7

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 dd709c988a1b97838859d9d028c3b098
SHA1 7f30dbf692537e330f7c5b56e9c786a94ade9879
SHA256 68f79f81142776de1c2d17da7f92db4449c3193b906983b136b24741654e5b61
SHA512 100aed2ca0e62aa21bf05cf936983a9db6be3506cee757cb3b81b24af129c85accd7a525bec49cfefa3bef8aa80be50c478f8e879fc2f4ff1d9db3c8cd5e51a2

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 f3c988403fe4946970824ac9e4aa4da6
SHA1 6b1c096a8fad48352f8dee14d8ad84d1bc921171
SHA256 d3e3b3f43a7f6253f946e9bd7245078116ed3b2624e3addfeaa7032a5ce96466
SHA512 1f9f83e6540f976cbdbb106322fe592ebc2e0ed8472dd291a89249309b0d9c60d5c3e4c7ac16967b3ef1f56d462fd71320202477b087eb6c17dd581a538ec0ae

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 55be8d780300efa22d6d07109cd56161
SHA1 2460fe40a6914fa0eee8e41319032ce6511c2d55
SHA256 960de777825810fb5ed2ab81755cb0cc4e885374de155213dc44d557602ac9c9
SHA512 6f02541154f0be75d97ee780aae7187c7db9a78a2d9b9c32059555868d2bafe5baee8a0b43c0d9273912587d199ca7b4f8f184fc89b7fe8f6f21694cda709a37

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 3f2495ada7ecb947fa66008ffd1e1c84
SHA1 c36d03540b7c5992efc0b46fdd86d124a391b0a3
SHA256 952d9d871af874bd328f713cd7e3593abac9a2debd3c930d3774e4c2dca1c5dc
SHA512 699c46af6a4f884c01ac36fd57775435cff4a71b752f5b7553032f9721185ea3898058abb229ba2c8c70b899c3464d5f670bc1e0eb936bed85c0cf449f387919

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 ae455afce1974fec805e782867977911
SHA1 410091ce427de68de61bc403ab102c9e74550141
SHA256 afcead94e06036ba75905765d98dd583d845e104d53c7c2ddf8aa58bf2568b7e
SHA512 ea62db9af4eb9b9ab0cf200b56a348d2a2e78de1be15ae48eff802846de3f996cb7b38e837e075b50d6d4c2a2d519ce0f3d17728292cb98e5d2c864ac5100e8d

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 d2292ad5bdce6943a284244d6eacdedb
SHA1 a2d3c7e5cb8b8b75e1b4efbf9938c11950bf74d6
SHA256 87e808be444be73c9d0d6c77ff19b0adbfa00f99e555806ba49a7358ca9fcb09
SHA512 8fdcde02724e3614fa7cea249f05c6a01c618b25efa94bdf8ff9d230e745ab084f8f088e51b0157f0612b59d96b7ef95b668232cf931b222e2235acf0d1fddc3

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 2a3f3249ff93284db512918dfa7b2a60
SHA1 d9a66a7042d04c47167fd01a5d8d016c700235d7
SHA256 c09d0773bdcdc5f6ded3d3d7dd4f54cff2e0eb77fe263c24acb96af4a92a59b7
SHA512 88c3297a69aa7623487fd315509cd8fdaffe38111f6679445d329c69e75d0e8e5dffe26bed51e2105c4ffe79f30988a2f608c34c8acf1a28de471bd3b7775aee

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 4caf60651e2e7ca7d19a8f8ee688ab04
SHA1 409b8681a9787fc8b74c1f8bff66a00e3eba062b
SHA256 ae75465e234dd0e76164558bf387bbab66ca006de646ec906bae29cb572730f3
SHA512 d3cb97e41659096a621735225518cd9f374fb97023cfd04e3c7d189a9813ae5bcf6db0a24a19aa0afc957c53630f407c9be9d4cf7464710cfa8fac5b2338067c

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 c2d2e4045d1ac2813a5e00814cc6a22c
SHA1 405cf3fbaf4d7725a155fcc0d1e3e8a9dba0f98d
SHA256 8bc827b6c990276c034fab1835c07706c86fc9405f136dc81127c013537335e6
SHA512 808766f810d1588142453044f31f293cb20654d61dd15219a326823ecb097a850c7d7f9b2cc62e9223013e02299f2c670a86a9b6fbfcbb3083d42907645749a3

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 262656f9ae644078b3aee059238f0c2b
SHA1 b062410add6b463bbce893acba38199cb66962e0
SHA256 9dd9b495e55d431644be0bfac36f41d1729f0331fdc77a50e03fa7d18fcb0b16
SHA512 b7d3bf6ddad9e3a1a31ca4888832dddd273dc871d24e9527b2ed6f35ef29dccf3743c0e2651f3da99a751f40d4f4db4ca97e2dab94b23e015f2bb1eb874c529d

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 a4d487f4cc09cec76a5e16039f5d6253
SHA1 6bd520f9f1224631c4cf55f28519f8a8c67e1f21
SHA256 d68bf847e1756de83ce7de9b9f85244a41e5a74c17def76fdb00f078018f4290
SHA512 51c760352361069dd816a86e6ab615c672e7707876a67239f707c78bb8134de13331405c1b7dbce6719a79e46039fce73305bce14a6b44bc363d39c316de101b

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 5001a62db4bae6f9a8f62b5bac2ea568
SHA1 1d3d1e9b5c91ddc3cb2f44c4c494c6f7991e7e12
SHA256 9913914f4dc31e4a2af68eb1a372ac61624806f6e76c5a9f5517384717bf3452
SHA512 fa742bfe076e487391d21ac7d3c892451d89c2a099f06b0187462e87e231810d2276b46147f9bfe8a5d51ee63e9f92ed732cf27a0e27cf0d5bf4f771f8af0fc2

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 50ea1ad79e90d0080c3cf060479746e9
SHA1 6552e9431135747590589866cfc4d9f7a6ee0211
SHA256 e0fd8f9a894593e0f3f29e7b74981dd8868c6ea91c11a490d8898542448c7137
SHA512 2088f32cccbff135ec7437b40954f26329d05e7bdb425917e856a2adcde4fc81fac45f10109932a5fc9da8391b29896f669905164f5541a0e70b300ac39dd335

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 0c6bc7823d33a82b0cdd18bf91f71d95
SHA1 449b6806ae136b8052627f40963f45f0f4e158ef
SHA256 0bda584e6c3191184c0c7e7f77588e173ba93add2e939df9288c60faef571247
SHA512 2855b0895ffc9709ff66f9ff560cfd04c0b4fa207b1b3fbe4d877cd96e76bf18e952e28a4491f28c9e94213a7799403124afb3e6bd61d38cde36717e97647754