zgrat | 252128128e81ecb5cf4c79eb8fef31fa773994df2a13a626f4c1bc33e991c33c

Analysis

max time kernel
280s
max time network
304s
platform
windows10-1703_x64
resource
win10-20231215-en
resource tags

arch:x64arch:x86image:win10-20231215-enlocale:en-usos:windows10-1703-x64system
submitted
01/01/2024, 04:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

252128128e81ecb5cf4c79eb8fef31fa773994df2a13a626f4c1bc33e991c33c.exe
Size

1.7MB
MD5

e3b4b83722d659d4c00b2ee746dbea0d
SHA1

a97e44f8c4f7ce19ef5a08b865e03da5f6c9b50d
SHA256

252128128e81ecb5cf4c79eb8fef31fa773994df2a13a626f4c1bc33e991c33c
SHA512

46d6a70276db93a3c7e97379e2f43681e5e909d136432de76ced035e22d0fca95c0e3e3a6423734a123ad270a27f84cc550e9415d20a69992cfe13719026b334
SSDEEP

24576:rQa+rRep38knZGbO4oFya8ZbRxaiXvnEc3Suvb7sNPwEFfTPCRi4Vz:rZ+rRe3zn4ioa8ZbRMiXO07sNPwERWV

Score

10^/10

zgrat rat

Malware Config

Signatures

Detect ZGRat V1 4 IoCs

resource	yara_rule
behavioral2/memory/504-0-0x0000000000210000-0x00000000003D0000-memory.dmp	family_zgrat_v1
behavioral2/files/0x000600000001abb7-26.dat	family_zgrat_v1
behavioral2/files/0x000700000001abb0-284.dat	family_zgrat_v1
behavioral2/files/0x000700000001abb0-283.dat	family_zgrat_v1

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

Executes dropped EXE 1 IoCs

pid	Process
312	spoolsv.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Drops file in Program Files directory 7 IoCs

description	ioc	Process
File created	C:\Program Files\Windows Sidebar\Shared Gadgets\7a0fd90576e088	252128128e81ecb5cf4c79eb8fef31fa773994df2a13a626f4c1bc33e991c33c.exe
File created	C:\Program Files (x86)\Windows Portable Devices\sihost.exe	252128128e81ecb5cf4c79eb8fef31fa773994df2a13a626f4c1bc33e991c33c.exe
File created	C:\Program Files (x86)\Windows Portable Devices\66fc9ff0ee96c2	252128128e81ecb5cf4c79eb8fef31fa773994df2a13a626f4c1bc33e991c33c.exe
File created	C:\Program Files\Windows NT\Accessories\es-ES\SearchUI.exe	252128128e81ecb5cf4c79eb8fef31fa773994df2a13a626f4c1bc33e991c33c.exe
File opened for modification	C:\Program Files\Windows NT\Accessories\es-ES\SearchUI.exe	252128128e81ecb5cf4c79eb8fef31fa773994df2a13a626f4c1bc33e991c33c.exe
File created	C:\Program Files\Windows NT\Accessories\es-ES\dab4d89cac03ec	252128128e81ecb5cf4c79eb8fef31fa773994df2a13a626f4c1bc33e991c33c.exe
File created	C:\Program Files\Windows Sidebar\Shared Gadgets\explorer.exe	252128128e81ecb5cf4c79eb8fef31fa773994df2a13a626f4c1bc33e991c33c.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\OCR\en-us\dllhost.exe	252128128e81ecb5cf4c79eb8fef31fa773994df2a13a626f4c1bc33e991c33c.exe
File created	C:\Windows\Setup\State\dllhost.exe	252128128e81ecb5cf4c79eb8fef31fa773994df2a13a626f4c1bc33e991c33c.exe
File created	C:\Windows\Setup\State\5940a34987c991	252128128e81ecb5cf4c79eb8fef31fa773994df2a13a626f4c1bc33e991c33c.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-33539905-3698238643-2080195461-1000_Classes\Local Settings	252128128e81ecb5cf4c79eb8fef31fa773994df2a13a626f4c1bc33e991c33c.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
4256	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
504	252128128e81ecb5cf4c79eb8fef31fa773994df2a13a626f4c1bc33e991c33c.exe
504	252128128e81ecb5cf4c79eb8fef31fa773994df2a13a626f4c1bc33e991c33c.exe
504	252128128e81ecb5cf4c79eb8fef31fa773994df2a13a626f4c1bc33e991c33c.exe
504	252128128e81ecb5cf4c79eb8fef31fa773994df2a13a626f4c1bc33e991c33c.exe
504	252128128e81ecb5cf4c79eb8fef31fa773994df2a13a626f4c1bc33e991c33c.exe
504	252128128e81ecb5cf4c79eb8fef31fa773994df2a13a626f4c1bc33e991c33c.exe
504	252128128e81ecb5cf4c79eb8fef31fa773994df2a13a626f4c1bc33e991c33c.exe
504	252128128e81ecb5cf4c79eb8fef31fa773994df2a13a626f4c1bc33e991c33c.exe
504	252128128e81ecb5cf4c79eb8fef31fa773994df2a13a626f4c1bc33e991c33c.exe
504	252128128e81ecb5cf4c79eb8fef31fa773994df2a13a626f4c1bc33e991c33c.exe
504	252128128e81ecb5cf4c79eb8fef31fa773994df2a13a626f4c1bc33e991c33c.exe
504	252128128e81ecb5cf4c79eb8fef31fa773994df2a13a626f4c1bc33e991c33c.exe
504	252128128e81ecb5cf4c79eb8fef31fa773994df2a13a626f4c1bc33e991c33c.exe
504	252128128e81ecb5cf4c79eb8fef31fa773994df2a13a626f4c1bc33e991c33c.exe
504	252128128e81ecb5cf4c79eb8fef31fa773994df2a13a626f4c1bc33e991c33c.exe
504	252128128e81ecb5cf4c79eb8fef31fa773994df2a13a626f4c1bc33e991c33c.exe
504	252128128e81ecb5cf4c79eb8fef31fa773994df2a13a626f4c1bc33e991c33c.exe
504	252128128e81ecb5cf4c79eb8fef31fa773994df2a13a626f4c1bc33e991c33c.exe
504	252128128e81ecb5cf4c79eb8fef31fa773994df2a13a626f4c1bc33e991c33c.exe
504	252128128e81ecb5cf4c79eb8fef31fa773994df2a13a626f4c1bc33e991c33c.exe
504	252128128e81ecb5cf4c79eb8fef31fa773994df2a13a626f4c1bc33e991c33c.exe
504	252128128e81ecb5cf4c79eb8fef31fa773994df2a13a626f4c1bc33e991c33c.exe
504	252128128e81ecb5cf4c79eb8fef31fa773994df2a13a626f4c1bc33e991c33c.exe
504	252128128e81ecb5cf4c79eb8fef31fa773994df2a13a626f4c1bc33e991c33c.exe
504	252128128e81ecb5cf4c79eb8fef31fa773994df2a13a626f4c1bc33e991c33c.exe
504	252128128e81ecb5cf4c79eb8fef31fa773994df2a13a626f4c1bc33e991c33c.exe
504	252128128e81ecb5cf4c79eb8fef31fa773994df2a13a626f4c1bc33e991c33c.exe
504	252128128e81ecb5cf4c79eb8fef31fa773994df2a13a626f4c1bc33e991c33c.exe
504	252128128e81ecb5cf4c79eb8fef31fa773994df2a13a626f4c1bc33e991c33c.exe
504	252128128e81ecb5cf4c79eb8fef31fa773994df2a13a626f4c1bc33e991c33c.exe
504	252128128e81ecb5cf4c79eb8fef31fa773994df2a13a626f4c1bc33e991c33c.exe
504	252128128e81ecb5cf4c79eb8fef31fa773994df2a13a626f4c1bc33e991c33c.exe
504	252128128e81ecb5cf4c79eb8fef31fa773994df2a13a626f4c1bc33e991c33c.exe
504	252128128e81ecb5cf4c79eb8fef31fa773994df2a13a626f4c1bc33e991c33c.exe
504	252128128e81ecb5cf4c79eb8fef31fa773994df2a13a626f4c1bc33e991c33c.exe
504	252128128e81ecb5cf4c79eb8fef31fa773994df2a13a626f4c1bc33e991c33c.exe
504	252128128e81ecb5cf4c79eb8fef31fa773994df2a13a626f4c1bc33e991c33c.exe
504	252128128e81ecb5cf4c79eb8fef31fa773994df2a13a626f4c1bc33e991c33c.exe
504	252128128e81ecb5cf4c79eb8fef31fa773994df2a13a626f4c1bc33e991c33c.exe
504	252128128e81ecb5cf4c79eb8fef31fa773994df2a13a626f4c1bc33e991c33c.exe
504	252128128e81ecb5cf4c79eb8fef31fa773994df2a13a626f4c1bc33e991c33c.exe
504	252128128e81ecb5cf4c79eb8fef31fa773994df2a13a626f4c1bc33e991c33c.exe
504	252128128e81ecb5cf4c79eb8fef31fa773994df2a13a626f4c1bc33e991c33c.exe
504	252128128e81ecb5cf4c79eb8fef31fa773994df2a13a626f4c1bc33e991c33c.exe
504	252128128e81ecb5cf4c79eb8fef31fa773994df2a13a626f4c1bc33e991c33c.exe
504	252128128e81ecb5cf4c79eb8fef31fa773994df2a13a626f4c1bc33e991c33c.exe
504	252128128e81ecb5cf4c79eb8fef31fa773994df2a13a626f4c1bc33e991c33c.exe
504	252128128e81ecb5cf4c79eb8fef31fa773994df2a13a626f4c1bc33e991c33c.exe
504	252128128e81ecb5cf4c79eb8fef31fa773994df2a13a626f4c1bc33e991c33c.exe
504	252128128e81ecb5cf4c79eb8fef31fa773994df2a13a626f4c1bc33e991c33c.exe
504	252128128e81ecb5cf4c79eb8fef31fa773994df2a13a626f4c1bc33e991c33c.exe
504	252128128e81ecb5cf4c79eb8fef31fa773994df2a13a626f4c1bc33e991c33c.exe
504	252128128e81ecb5cf4c79eb8fef31fa773994df2a13a626f4c1bc33e991c33c.exe
504	252128128e81ecb5cf4c79eb8fef31fa773994df2a13a626f4c1bc33e991c33c.exe
504	252128128e81ecb5cf4c79eb8fef31fa773994df2a13a626f4c1bc33e991c33c.exe
504	252128128e81ecb5cf4c79eb8fef31fa773994df2a13a626f4c1bc33e991c33c.exe
504	252128128e81ecb5cf4c79eb8fef31fa773994df2a13a626f4c1bc33e991c33c.exe
504	252128128e81ecb5cf4c79eb8fef31fa773994df2a13a626f4c1bc33e991c33c.exe
504	252128128e81ecb5cf4c79eb8fef31fa773994df2a13a626f4c1bc33e991c33c.exe
504	252128128e81ecb5cf4c79eb8fef31fa773994df2a13a626f4c1bc33e991c33c.exe
504	252128128e81ecb5cf4c79eb8fef31fa773994df2a13a626f4c1bc33e991c33c.exe
504	252128128e81ecb5cf4c79eb8fef31fa773994df2a13a626f4c1bc33e991c33c.exe
504	252128128e81ecb5cf4c79eb8fef31fa773994df2a13a626f4c1bc33e991c33c.exe
504	252128128e81ecb5cf4c79eb8fef31fa773994df2a13a626f4c1bc33e991c33c.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
312	spoolsv.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	504	252128128e81ecb5cf4c79eb8fef31fa773994df2a13a626f4c1bc33e991c33c.exe
Token: SeDebugPrivilege	4584	powershell.exe
Token: SeDebugPrivilege	1816	powershell.exe
Token: SeDebugPrivilege	4448	powershell.exe
Token: SeDebugPrivilege	1444	powershell.exe
Token: SeDebugPrivilege	2364	powershell.exe
Token: SeIncreaseQuotaPrivilege	2364	powershell.exe
Token: SeSecurityPrivilege	2364	powershell.exe
Token: SeTakeOwnershipPrivilege	2364	powershell.exe
Token: SeLoadDriverPrivilege	2364	powershell.exe
Token: SeSystemProfilePrivilege	2364	powershell.exe
Token: SeSystemtimePrivilege	2364	powershell.exe
Token: SeProfSingleProcessPrivilege	2364	powershell.exe
Token: SeIncBasePriorityPrivilege	2364	powershell.exe
Token: SeCreatePagefilePrivilege	2364	powershell.exe
Token: SeBackupPrivilege	2364	powershell.exe
Token: SeRestorePrivilege	2364	powershell.exe
Token: SeShutdownPrivilege	2364	powershell.exe
Token: SeDebugPrivilege	2364	powershell.exe
Token: SeSystemEnvironmentPrivilege	2364	powershell.exe
Token: SeRemoteShutdownPrivilege	2364	powershell.exe
Token: SeUndockPrivilege	2364	powershell.exe
Token: SeManageVolumePrivilege	2364	powershell.exe
Token: 33	2364	powershell.exe
Token: 34	2364	powershell.exe
Token: 35	2364	powershell.exe
Token: 36	2364	powershell.exe
Token: SeIncreaseQuotaPrivilege	1444	powershell.exe
Token: SeSecurityPrivilege	1444	powershell.exe
Token: SeTakeOwnershipPrivilege	1444	powershell.exe
Token: SeLoadDriverPrivilege	1444	powershell.exe
Token: SeSystemProfilePrivilege	1444	powershell.exe
Token: SeSystemtimePrivilege	1444	powershell.exe
Token: SeProfSingleProcessPrivilege	1444	powershell.exe
Token: SeIncBasePriorityPrivilege	1444	powershell.exe
Token: SeCreatePagefilePrivilege	1444	powershell.exe
Token: SeBackupPrivilege	1444	powershell.exe
Token: SeRestorePrivilege	1444	powershell.exe
Token: SeShutdownPrivilege	1444	powershell.exe
Token: SeDebugPrivilege	1444	powershell.exe
Token: SeSystemEnvironmentPrivilege	1444	powershell.exe
Token: SeRemoteShutdownPrivilege	1444	powershell.exe
Token: SeUndockPrivilege	1444	powershell.exe
Token: SeManageVolumePrivilege	1444	powershell.exe
Token: 33	1444	powershell.exe
Token: 34	1444	powershell.exe
Token: 35	1444	powershell.exe
Token: 36	1444	powershell.exe
Token: SeIncreaseQuotaPrivilege	4448	powershell.exe
Token: SeSecurityPrivilege	4448	powershell.exe
Token: SeTakeOwnershipPrivilege	4448	powershell.exe
Token: SeLoadDriverPrivilege	4448	powershell.exe
Token: SeSystemProfilePrivilege	4448	powershell.exe
Token: SeSystemtimePrivilege	4448	powershell.exe
Token: SeProfSingleProcessPrivilege	4448	powershell.exe
Token: SeIncBasePriorityPrivilege	4448	powershell.exe
Token: SeCreatePagefilePrivilege	4448	powershell.exe
Token: SeBackupPrivilege	4448	powershell.exe
Token: SeRestorePrivilege	4448	powershell.exe
Token: SeShutdownPrivilege	4448	powershell.exe
Token: SeDebugPrivilege	4448	powershell.exe
Token: SeSystemEnvironmentPrivilege	4448	powershell.exe
Token: SeRemoteShutdownPrivilege	4448	powershell.exe
Token: SeUndockPrivilege	4448	powershell.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 504 wrote to memory of 4584	504	252128128e81ecb5cf4c79eb8fef31fa773994df2a13a626f4c1bc33e991c33c.exe	84
PID 504 wrote to memory of 4584	504	252128128e81ecb5cf4c79eb8fef31fa773994df2a13a626f4c1bc33e991c33c.exe	84
PID 504 wrote to memory of 1444	504	252128128e81ecb5cf4c79eb8fef31fa773994df2a13a626f4c1bc33e991c33c.exe	81
PID 504 wrote to memory of 1444	504	252128128e81ecb5cf4c79eb8fef31fa773994df2a13a626f4c1bc33e991c33c.exe	81
PID 504 wrote to memory of 1816	504	252128128e81ecb5cf4c79eb8fef31fa773994df2a13a626f4c1bc33e991c33c.exe	80
PID 504 wrote to memory of 1816	504	252128128e81ecb5cf4c79eb8fef31fa773994df2a13a626f4c1bc33e991c33c.exe	80
PID 504 wrote to memory of 4448	504	252128128e81ecb5cf4c79eb8fef31fa773994df2a13a626f4c1bc33e991c33c.exe	79
PID 504 wrote to memory of 4448	504	252128128e81ecb5cf4c79eb8fef31fa773994df2a13a626f4c1bc33e991c33c.exe	79
PID 504 wrote to memory of 2364	504	252128128e81ecb5cf4c79eb8fef31fa773994df2a13a626f4c1bc33e991c33c.exe	77
PID 504 wrote to memory of 2364	504	252128128e81ecb5cf4c79eb8fef31fa773994df2a13a626f4c1bc33e991c33c.exe	77
PID 504 wrote to memory of 4284	504	252128128e81ecb5cf4c79eb8fef31fa773994df2a13a626f4c1bc33e991c33c.exe	83
PID 504 wrote to memory of 4284	504	252128128e81ecb5cf4c79eb8fef31fa773994df2a13a626f4c1bc33e991c33c.exe	83
PID 4284 wrote to memory of 3812	4284	cmd.exe	85
PID 4284 wrote to memory of 3812	4284	cmd.exe	85
PID 4284 wrote to memory of 4256	4284	cmd.exe	86
PID 4284 wrote to memory of 4256	4284	cmd.exe	86
PID 4284 wrote to memory of 312	4284	cmd.exe	88
PID 4284 wrote to memory of 312	4284	cmd.exe	88

C:\Users\Admin\AppData\Local\Temp\252128128e81ecb5cf4c79eb8fef31fa773994df2a13a626f4c1bc33e991c33c.exe
"C:\Users\Admin\AppData\Local\Temp\252128128e81ecb5cf4c79eb8fef31fa773994df2a13a626f4c1bc33e991c33c.exe"
1⤵
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:504
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Setup\State\dllhost.exe'
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2364
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Portable Devices\sihost.exe'
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4448
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Sidebar\Shared Gadgets\explorer.exe'
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1816
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\spoolsv.exe'
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1444
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\pqhTBb3d7m.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4284
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:3812
- - C:\Windows\system32\PING.EXE
    ping -n 10 localhost
    3⤵
    - Runs ping.exe
    PID:4256
- - C:\odt\spoolsv.exe
    "C:\odt\spoolsv.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: GetForegroundWindowSpam
    PID:312
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows NT\Accessories\es-ES\SearchUI.exe'
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4584

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
ad5cd538ca58cb28ede39c108acb5785

SHA1
1ae910026f3dbe90ed025e9e96ead2b5399be877

SHA256
c9e6cb04d6c893458d5a7e12eb575cf97c3172f5e312b1f63a667cbbc5f0c033

SHA512
c066c5d9b276a68fa636647bb29aea05bfa2292217bc77f5324d9c1d93117772ee8277e1f7cff91ec8d6b7c05ca078f929cecfdbb09582522a9067f54740af13

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
99860a8339a72efebd7e8bb0b8947162

SHA1
5ebe5ac2b853664aa9f6bda2f85ce7a405599b67

SHA256
c820a976f380c976b76d4881a8690f5c0f52bf48b95492a37dee45f298bfd803

SHA512
96d3501af5e73646649f369ae8b62cd22386b641c6a5c6db65d0f714961152c2d693c994f8773bce5b85698546a0ebb80078bb8dcb66b4caf79294d157ca76b4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
ca47fb6ad476303a1f000a8de8883c7e

SHA1
1ecf9f5fdf992123734d05db8955b5adc910a117

SHA256
abba938d5a5ef83699bbb5d3f176dd5a8c8433580dcb52317983e8a1585660e0

SHA512
573a89b45f5ce02d1e8b161f6e7bbc1cb84b007674dd9ec177ce20b9b5b5ebcc9c81d683b1e670cd0100d8691e0c0c788fd7e76271379852cf49f5cd40e543a6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
10f9c8bb039092b3b8b462776f96cfc0

SHA1
b8c478addc600e9d8e8a9be71db4420e4c7cd156

SHA256
54ac177efa691cdcfcf571846dc2cfc640068b37041fbdc5ca9e538e919a330b

SHA512
4d624b9580b19b77941af0802ce64a3f197cf963ce2f4a9468ebd3d43608ec681669e19290784f0cc73aaf9e11b7f4feb8e0003fd776d114094b1964a9622afb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
abdc9889553ba8f7ac49fc830578b355

SHA1
c71c93392050e219491f3a92f94bb149c41262fc

SHA256
2e37e2838f7d6819dd36f8be4a9985034d10525c131d1220e0ec31fb5e51c326

SHA512
09352d280b7217fad34a5fa125f5090b8efbe92a5cb9808c6c056aa86077b5d6bbf06563cff024adfe40c0f7e477a64eabe02f81b0c69a77742d1d251e4bcdc4

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_qbdujc2u.esw.ps1

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\AppData\Local\Temp\pqhTBb3d7m.bat

Filesize
146B

MD5
1536acbbaece840973679fab49669aa8

SHA1
f66980d52d64e37c965d37fd7a4e7285cb7be2e5

SHA256
d6d37c709f133bcff7440f744c38ed16a026654e3f93a8481aabf3d23005f53e

SHA512
710fe70a229cf93164d63b1ba28648a0985c8e76dc91147fcdfc8fba95787c41d872405d9fb6b991164f5ca09601a3313c0ace840a1940c8e9429069ae90028e

Download Submit
C:\Windows\Setup\State\dllhost.exe

Filesize
408KB

MD5
d93bfc14df4578f344bf657c34e545fc

SHA1
cddd11f071eabae5e717e778d18382ee95857a29

SHA256
9c46a033aed0aacf1dc16ec9624e21f29f9a8dd8e781b4089214f04ad3583a50

SHA512
9a79599d28b98256ea0501c759e471922a0ce098104fcbcd48a5590cf6e149c7afb33614e661396c19e19e36165101e86271bf47634b88ea07d26910b9cc22fb

Download Submit
C:\odt\spoolsv.exe

Filesize
223KB

MD5
aa9b583929b04608d7c81e3e541b4d24

SHA1
27eb9ba98ec84043a4affc748e32a659fba156c6

SHA256
7dbbe544403757eea4afdc2d31e23cc97f5f108bd537790ce6987a3c7662683c

SHA512
349ac69d0beb1381c5f31adc67dd75d64d4934e3ad4d828292080c7d97d6f8068eb105ba1fc323407ba0772932a72cbf14008025ec9ed6004c3f1e2a451cde5e

Download Submit
C:\odt\spoolsv.exe

Filesize
267KB

MD5
f0b308ffa0ba67a0d0096fc426909f77

SHA1
d24802f989f73ce31a01e98133c5666f4e6d7839

SHA256
e5173df284a5b56912f29941cb7e32fe6d004dad70cce96b8e92e03cbdb78e9b

SHA512
071f2fa6b396832b0f370c0ae600f63b9320fbad098f1ef36cc588c59647a9eba4cbef8ad67f5a2f9c662e98b64c7a83c489be2dc29c09ce30ab10439d2cd3af

Download Submit
memory/312-288-0x000000001B400000-0x000000001B410000-memory.dmp

Filesize
64KB

Download
memory/312-295-0x00007FF9F2990000-0x00007FF9F2991000-memory.dmp

Filesize
4KB

Download
memory/312-285-0x00007FF9D5F30000-0x00007FF9D691C000-memory.dmp

Filesize
9.9MB

Download
memory/312-286-0x000000001B400000-0x000000001B410000-memory.dmp

Filesize
64KB

Download
memory/312-287-0x0000000000CD0000-0x0000000000CD1000-memory.dmp

Filesize
4KB

Download
memory/312-289-0x000000001B400000-0x000000001B410000-memory.dmp

Filesize
64KB

Download
memory/312-300-0x000000001B400000-0x000000001B410000-memory.dmp

Filesize
64KB

Download
memory/312-290-0x00007FF9F29B0000-0x00007FF9F29B1000-memory.dmp

Filesize
4KB

Download
memory/312-292-0x00007FF9F29A0000-0x00007FF9F29A1000-memory.dmp

Filesize
4KB

Download
memory/312-299-0x000000001B400000-0x000000001B410000-memory.dmp

Filesize
64KB

Download
memory/312-298-0x00007FF9D5F30000-0x00007FF9D691C000-memory.dmp

Filesize
9.9MB

Download
memory/312-297-0x00007FF9F2980000-0x00007FF9F2981000-memory.dmp

Filesize
4KB

Download
memory/504-6-0x00007FF9F29B0000-0x00007FF9F29B1000-memory.dmp

Filesize
4KB

Download
memory/504-16-0x000000001AFE0000-0x000000001AFEC000-memory.dmp

Filesize
48KB

Download
memory/504-53-0x00007FF9D5F30000-0x00007FF9D691C000-memory.dmp

Filesize
9.9MB

Download
memory/504-1-0x00007FF9D5F30000-0x00007FF9D691C000-memory.dmp

Filesize
9.9MB

Download
memory/504-2-0x0000000000B40000-0x0000000000B41000-memory.dmp

Filesize
4KB

Download
memory/504-3-0x000000001B060000-0x000000001B070000-memory.dmp

Filesize
64KB

Download
memory/504-10-0x0000000002550000-0x000000000255E000-memory.dmp

Filesize
56KB

Download
memory/504-11-0x00007FF9F29A0000-0x00007FF9F29A1000-memory.dmp

Filesize
4KB

Download
memory/504-4-0x000000001B060000-0x000000001B070000-memory.dmp

Filesize
64KB

Download
memory/504-12-0x00007FF9F2990000-0x00007FF9F2991000-memory.dmp

Filesize
4KB

Download
memory/504-17-0x00007FF9F2980000-0x00007FF9F2981000-memory.dmp

Filesize
4KB

Download
memory/504-0-0x0000000000210000-0x00000000003D0000-memory.dmp

Filesize
1.8MB

Download
memory/504-8-0x0000000000B90000-0x0000000000B9E000-memory.dmp

Filesize
56KB

Download
memory/504-14-0x0000000002560000-0x000000000256C000-memory.dmp

Filesize
48KB

Download
memory/504-5-0x000000001B060000-0x000000001B070000-memory.dmp

Filesize
64KB

Download
memory/1444-121-0x00000135ACA40000-0x00000135ACA50000-memory.dmp

Filesize
64KB

Download
memory/1444-269-0x00007FF9D5F30000-0x00007FF9D691C000-memory.dmp

Filesize
9.9MB

Download
memory/1444-71-0x00000135ACA40000-0x00000135ACA50000-memory.dmp

Filesize
64KB

Download
memory/1444-61-0x00000135ACA40000-0x00000135ACA50000-memory.dmp

Filesize
64KB

Download
memory/1444-260-0x00000135ACA40000-0x00000135ACA50000-memory.dmp

Filesize
64KB

Download
memory/1444-38-0x00007FF9D5F30000-0x00007FF9D691C000-memory.dmp

Filesize
9.9MB

Download
memory/1816-54-0x00007FF9D5F30000-0x00007FF9D691C000-memory.dmp

Filesize
9.9MB

Download
memory/1816-194-0x0000024A6CC60000-0x0000024A6CC70000-memory.dmp

Filesize
64KB

Download
memory/1816-64-0x0000024A6CC60000-0x0000024A6CC70000-memory.dmp

Filesize
64KB

Download
memory/1816-261-0x0000024A6CC60000-0x0000024A6CC70000-memory.dmp

Filesize
64KB

Download
memory/1816-72-0x0000024A6CC60000-0x0000024A6CC70000-memory.dmp

Filesize
64KB

Download
memory/1816-281-0x00007FF9D5F30000-0x00007FF9D691C000-memory.dmp

Filesize
9.9MB

Download
memory/2364-65-0x000001DC77290000-0x000001DC772A0000-memory.dmp

Filesize
64KB

Download
memory/2364-70-0x000001DC77480000-0x000001DC774F6000-memory.dmp

Filesize
472KB

Download
memory/2364-273-0x00007FF9D5F30000-0x00007FF9D691C000-memory.dmp

Filesize
9.9MB

Download
memory/2364-57-0x00007FF9D5F30000-0x00007FF9D691C000-memory.dmp

Filesize
9.9MB

Download
memory/2364-66-0x000001DC77290000-0x000001DC772A0000-memory.dmp

Filesize
64KB

Download
memory/2364-258-0x000001DC77290000-0x000001DC772A0000-memory.dmp

Filesize
64KB

Download
memory/2364-117-0x000001DC77290000-0x000001DC772A0000-memory.dmp

Filesize
64KB

Download
memory/4448-259-0x0000023B089D0000-0x0000023B089E0000-memory.dmp

Filesize
64KB

Download
memory/4448-59-0x0000023B089D0000-0x0000023B089E0000-memory.dmp

Filesize
64KB

Download
memory/4448-48-0x00007FF9D5F30000-0x00007FF9D691C000-memory.dmp

Filesize
9.9MB

Download
memory/4448-58-0x0000023B089D0000-0x0000023B089E0000-memory.dmp

Filesize
64KB

Download
memory/4448-278-0x00007FF9D5F30000-0x00007FF9D691C000-memory.dmp

Filesize
9.9MB

Download
memory/4448-60-0x0000023B20CC0000-0x0000023B20CE2000-memory.dmp

Filesize
136KB

Download
memory/4448-129-0x0000023B089D0000-0x0000023B089E0000-memory.dmp

Filesize
64KB

Download
memory/4584-69-0x00007FF9D5F30000-0x00007FF9D691C000-memory.dmp

Filesize
9.9MB

Download
memory/4584-257-0x0000018D76730000-0x0000018D76740000-memory.dmp

Filesize
64KB

Download
memory/4584-62-0x0000018D76730000-0x0000018D76740000-memory.dmp

Filesize
64KB

Download
memory/4584-63-0x0000018D76730000-0x0000018D76740000-memory.dmp

Filesize
64KB

Download
memory/4584-202-0x0000018D76730000-0x0000018D76740000-memory.dmp

Filesize
64KB

Download
memory/4584-277-0x00007FF9D5F30000-0x00007FF9D691C000-memory.dmp

Filesize
9.9MB

Download