Analysis Overview
SHA256
ed5f392d0095487edd0f112db6a14bbd3e9dc13454e63bf17bb0816d15e93f31
Threat Level: Known bad
The file Payment Advice-BCS_ECS9522023032900460039_16922_952.exe was found to be: Known bad.
Malicious Activity Summary
Detect ZGRat V1
Remcos
ZGRat
Checks computer location settings
Suspicious use of SetThreadContext
Enumerates physical storage devices
Unsigned PE
Creates scheduled task(s)
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2023-12-07 07:44
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2023-12-07 07:44
Reported
2023-12-07 07:47
Platform
win7-20231023-en
Max time kernel
149s
Max time network
152s
Command Line
Signatures
Detect ZGRat V1
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Remcos
ZGRat
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1764 set thread context of 2484 | N/A | C:\Users\Admin\AppData\Local\Temp\Payment Advice-BCS_ECS9522023032900460039_16922_952.exe | C:\Users\Admin\AppData\Local\Temp\Payment Advice-BCS_ECS9522023032900460039_16922_952.exe |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Payment Advice-BCS_ECS9522023032900460039_16922_952.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Payment Advice-BCS_ECS9522023032900460039_16922_952.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Payment Advice-BCS_ECS9522023032900460039_16922_952.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Payment Advice-BCS_ECS9522023032900460039_16922_952.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Payment Advice-BCS_ECS9522023032900460039_16922_952.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\Payment Advice-BCS_ECS9522023032900460039_16922_952.exe
"C:\Users\Admin\AppData\Local\Temp\Payment Advice-BCS_ECS9522023032900460039_16922_952.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\Payment Advice-BCS_ECS9522023032900460039_16922_952.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\XOXpOFSvB.exe"
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\XOXpOFSvB" /XML "C:\Users\Admin\AppData\Local\Temp\tmp8BDB.tmp"
C:\Users\Admin\AppData\Local\Temp\Payment Advice-BCS_ECS9522023032900460039_16922_952.exe
"C:\Users\Admin\AppData\Local\Temp\Payment Advice-BCS_ECS9522023032900460039_16922_952.exe"
Network
| Country | Destination | Domain | Proto |
| US | 45.128.234.54:56932 | | tcp |
| N/A | 127.0.0.1:56932 | | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\tmp8BDB.tmp
| MD5 | 515c05874baad4082d2a53bda7d179fe |
| SHA1 | 3b92eb40408a67dc574de6f552979e8eaa7d5b75 |
| SHA256 | 54251cb2f6fcffbcc0612c1653e12ad0f7467481f3c5f43740e2ed1393a6ff4a |
| SHA512 | 1c7ba3689ecf9a861110953aea8cec246b1f31cd6ac215cecada986b5b1cd33d56f109b7df4ca3a5e0ec059c66f7c68d454f776948ae0d1e6c81f169d59d4519 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
| MD5 | 474f083a5034e87ba59083011003b2d4 |
| SHA1 | 29600d1813b7b0576ed56762efcbb0cf7ac4b957 |
| SHA256 | c9784a628643639a6166ff207f811ddefb88d77e6badbbb371e14ac93d129acb |
| SHA512 | 7f2c755fb2b520ba240ca6acb71b4708ea48888ed32b182600b697164ea811eb0b58fad33221219d3a96d9cd0b7004721b6b713f9f29485d95dd9be0e9c5b239 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\RPNHA7S0NBV9HK2BDGXZ.temp
| MD5 | 474f083a5034e87ba59083011003b2d4 |
| SHA1 | 29600d1813b7b0576ed56762efcbb0cf7ac4b957 |
| SHA256 | c9784a628643639a6166ff207f811ddefb88d77e6badbbb371e14ac93d129acb |
| SHA512 | 7f2c755fb2b520ba240ca6acb71b4708ea48888ed32b182600b697164ea811eb0b58fad33221219d3a96d9cd0b7004721b6b713f9f29485d95dd9be0e9c5b239 |
Analysis: behavioral2
Detonation Overview
Submitted
2023-12-07 07:44
Reported
2023-12-07 07:47
Platform
win10v2004-20231130-en
Max time kernel
149s
Max time network
150s
Command Line
Signatures
Detect ZGRat V1
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Remcos
ZGRat
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1791582586-1997866593-3795608343-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Payment Advice-BCS_ECS9522023032900460039_16922_952.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 4432 set thread context of 1012 | N/A | C:\Users\Admin\AppData\Local\Temp\Payment Advice-BCS_ECS9522023032900460039_16922_952.exe | C:\Users\Admin\AppData\Local\Temp\Payment Advice-BCS_ECS9522023032900460039_16922_952.exe |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Payment Advice-BCS_ECS9522023032900460039_16922_952.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Payment Advice-BCS_ECS9522023032900460039_16922_952.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Payment Advice-BCS_ECS9522023032900460039_16922_952.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Payment Advice-BCS_ECS9522023032900460039_16922_952.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\Payment Advice-BCS_ECS9522023032900460039_16922_952.exe
"C:\Users\Admin\AppData\Local\Temp\Payment Advice-BCS_ECS9522023032900460039_16922_952.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\Payment Advice-BCS_ECS9522023032900460039_16922_952.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\XOXpOFSvB.exe"
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\XOXpOFSvB" /XML "C:\Users\Admin\AppData\Local\Temp\tmpF6F3.tmp"
C:\Users\Admin\AppData\Local\Temp\Payment Advice-BCS_ECS9522023032900460039_16922_952.exe
"C:\Users\Admin\AppData\Local\Temp\Payment Advice-BCS_ECS9522023032900460039_16922_952.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 149.177.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 45.128.234.54:56932 | | tcp |
| N/A | 127.0.0.1:56932 | | tcp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\tmpF6F3.tmp
| MD5 | 7be95a3a75d29579a17360ea5d3415fe |
| SHA1 | 3a58c8663d66fde3a28129cada92e147b59cc0dd |
| SHA256 | e52c89eaa1635bc0641699a4ed67132fcb1ee454fa32d0f46ddb0d6b97c3ac2c |
| SHA512 | 3380d66d9d0d5beea73527e738b298dd8075f86ffd1eedcb7bc650273c928aa9255587cb615f84e0b85ea2e7418f9a560615315e8ce435c30c397952b6443dd5 |
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_uphijcha.zjj.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |