Analysis Overview
SHA256: ed5f392d0095487edd0f112db6a14bbd3e9dc13454e63bf17bb0816d15e93f31
Threat Level: Known bad
The file Payment Advice-BCS_ECS9522023032900460039_16922_952.exe was found to be: Known bad.
Malicious Activity Summary
Remcos
ZGRat
Detect ZGRat V1
Checks computer location settings
Suspicious use of SetThreadContext
Enumerates physical storage devices
Unsigned PE
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported: 2023-12-07 07:41
Signatures
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted: 2023-12-07 07:41
Reported: 2023-12-07 07:43
Platform: win7-20231025-en
Max time kernel: 150s
Max time network: 153s
Command Line
Signatures
Detect ZGRat V1
Remcos
ZGRat
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1980 set thread context of 2964 | N/A | C:\Users\Admin\AppData\Local\Temp\Payment Advice-BCS_ECS9522023032900460039_16922_952.exe | C:\Users\Admin\AppData\Local\Temp\Payment Advice-BCS_ECS9522023032900460039_16922_952.exe |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Payment Advice-BCS_ECS9522023032900460039_16922_952.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Payment Advice-BCS_ECS9522023032900460039_16922_952.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Payment Advice-BCS_ECS9522023032900460039_16922_952.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Payment Advice-BCS_ECS9522023032900460039_16922_952.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\Payment Advice-BCS_ECS9522023032900460039_16922_952.exe
"C:\Users\Admin\AppData\Local\Temp\Payment Advice-BCS_ECS9522023032900460039_16922_952.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\Payment Advice-BCS_ECS9522023032900460039_16922_952.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\XOXpOFSvB.exe"
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\XOXpOFSvB" /XML "C:\Users\Admin\AppData\Local\Temp\tmpFEC9.tmp"
C:\Users\Admin\AppData\Local\Temp\Payment Advice-BCS_ECS9522023032900460039_16922_952.exe
"C:\Users\Admin\AppData\Local\Temp\Payment Advice-BCS_ECS9522023032900460039_16922_952.exe"
Network
Files
C:\Users\Admin\AppData\Local\Temp\tmpFEC9.tmp
| MD5 | b0e136f8ea6281d13f08d10f06799ae3 |
| SHA1 | 70274df5e272effcd14a02fed97e127c8915c463 |
| SHA256 | e6de63613a8436294f5c0563756639df9a4312a64b835b7eada3a5ae4058a3d1 |
| SHA512 | 28ce0d27d755ff0c702d6488e55bdb0e1d807f8a9c338c1a2ce7da53d89761c26dd296901ef7ecee706f692f04b2de64c20b6ce167c9de07b1b0867bfa5f5972 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\948YRQV0ENS48FJIVYSM.temp
| MD5 | fe3a08652c6658b3fba58266e195fcf7 |
| SHA1 | e3fe28af62f28231f10ea68764365992d615fb0c |
| SHA256 | 7a203df2da067fa2b93101830c52a121017ac0e010fa4af6374920240f743f29 |
| SHA512 | 41e2532af1c9f2ff17f7598a8e6cddddc3ca9d5abcb22df435d0ffc843dbadd3c7443cfe60ed04b0bd7d90fca25596581a3fafa4e646c80869a6ff13a77952d7 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
| MD5 | fe3a08652c6658b3fba58266e195fcf7 |
| SHA1 | e3fe28af62f28231f10ea68764365992d615fb0c |
| SHA256 | 7a203df2da067fa2b93101830c52a121017ac0e010fa4af6374920240f743f29 |
| SHA512 | 41e2532af1c9f2ff17f7598a8e6cddddc3ca9d5abcb22df435d0ffc843dbadd3c7443cfe60ed04b0bd7d90fca25596581a3fafa4e646c80869a6ff13a77952d7 |
Analysis: behavioral2
Detonation Overview
Submitted: 2023-12-07 07:41
Reported: 2023-12-07 07:43
Platform: win10v2004-20231127-en
Max time kernel: 149s
Max time network: 152s
Command Line
Signatures
Detect ZGRat V1
Remcos
ZGRat
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2037190880-819243489-950462038-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Payment Advice-BCS_ECS9522023032900460039_16922_952.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 5028 set thread context of 4732 | N/A | C:\Users\Admin\AppData\Local\Temp\Payment Advice-BCS_ECS9522023032900460039_16922_952.exe | C:\Users\Admin\AppData\Local\Temp\Payment Advice-BCS_ECS9522023032900460039_16922_952.exe |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Payment Advice-BCS_ECS9522023032900460039_16922_952.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Payment Advice-BCS_ECS9522023032900460039_16922_952.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\Payment Advice-BCS_ECS9522023032900460039_16922_952.exe
"C:\Users\Admin\AppData\Local\Temp\Payment Advice-BCS_ECS9522023032900460039_16922_952.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\Payment Advice-BCS_ECS9522023032900460039_16922_952.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\XOXpOFSvB.exe"
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\XOXpOFSvB" /XML "C:\Users\Admin\AppData\Local\Temp\tmp29DA.tmp"
C:\Users\Admin\AppData\Local\Temp\Payment Advice-BCS_ECS9522023032900460039_16922_952.exe
"C:\Users\Admin\AppData\Local\Temp\Payment Advice-BCS_ECS9522023032900460039_16922_952.exe"
C:\Users\Admin\AppData\Local\Temp\Payment Advice-BCS_ECS9522023032900460039_16922_952.exe
"C:\Users\Admin\AppData\Local\Temp\Payment Advice-BCS_ECS9522023032900460039_16922_952.exe"
Network
Files
C:\Users\Admin\AppData\Local\Temp\tmp29DA.tmp
| MD5 | d12bc4d4b295b2f4d420356bfd0da2c0 |
| SHA1 | 17d589c2831d3cdc77c0819ff1610613a12322ee |
| SHA256 | b02acc7ba3c8a38078a71fa6329cbc410eed8fcdff96a4b7203bd9ea0a7932d9 |
| SHA512 | 346ca1c47b9d336abf12f1d5483ac51afd339220095a571e1625d8fbb7f5dd2f109d9b61cf27b301bdb9bf9a1fe6272932564758ca8bd1009b290e78620c2bdc |
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ohhss5pw.enh.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
| MD5 | 968cb9309758126772781b83adb8a28f |
| SHA1 | 8da30e71accf186b2ba11da1797cf67f8f78b47c |
| SHA256 | 92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a |
| SHA512 | 4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | f8831e0aeffd24d465e9a8218a963f08 |
| SHA1 | 89136e81cab114c12ba0a47f634b27f2e29529b7 |
| SHA256 | 3ca2ceb5b77d5f6c465b2138e9eaff861042f22e8f6b93b1099251b0fa44eef1 |
| SHA512 | 9baa9a9b9d0543386c9c1bcc3f8d2778f9339976647b89466a29b7045a8c6e48869f0f4df8cadcdc78fe25c233fb19e5ea462b0784f84170c356f070be0c0f81 |