zgrat | 365f029082236e51ab346d10388e952e52ca1d99e44fa40578b3497b737a10e2

Analysis

max time kernel
147s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
29-01-2024 09:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7f6fb1b358266003d7bd34cb41c6db9f.exe
Size

958KB
MD5

7f6fb1b358266003d7bd34cb41c6db9f
SHA1

19786c8603c2134c3bffc10380d6a24f7443cbdc
SHA256

365f029082236e51ab346d10388e952e52ca1d99e44fa40578b3497b737a10e2
SHA512

5889b2d550222d8477dc81c01de9f6207c96dbd81e512c7ec454fe21af6e7ba4201e3de53fa0ed6b7b76a25c7bd189da769b422605272beb31d44bfc3581e7de
SSDEEP

12288:aJz4VLFvth+w7GodQpbelTt36VM9cFH1x3w4rJh2CGqjPjdF7SiweDPsai4b:k4vv/Nv+kTVc91x3bWCjr7SeDsai6

Score

10^/10

zgrat rat

Malware Config

Signatures

Detect ZGRat V1 33 IoCs

resource	yara_rule
behavioral2/memory/996-249-0x0000000006F10000-0x0000000006F83000-memory.dmp	family_zgrat_v1
behavioral2/memory/996-248-0x0000000006F10000-0x0000000006F83000-memory.dmp	family_zgrat_v1
behavioral2/memory/996-251-0x0000000006F10000-0x0000000006F83000-memory.dmp	family_zgrat_v1
behavioral2/memory/996-253-0x0000000006F10000-0x0000000006F83000-memory.dmp	family_zgrat_v1
behavioral2/memory/996-257-0x0000000006F10000-0x0000000006F83000-memory.dmp	family_zgrat_v1
behavioral2/memory/996-259-0x0000000006F10000-0x0000000006F83000-memory.dmp	family_zgrat_v1
behavioral2/memory/996-255-0x0000000006F10000-0x0000000006F83000-memory.dmp	family_zgrat_v1
behavioral2/memory/996-271-0x0000000006F10000-0x0000000006F83000-memory.dmp	family_zgrat_v1
behavioral2/memory/996-269-0x0000000006F10000-0x0000000006F83000-memory.dmp	family_zgrat_v1
behavioral2/memory/996-273-0x0000000006F10000-0x0000000006F83000-memory.dmp	family_zgrat_v1
behavioral2/memory/996-267-0x0000000006F10000-0x0000000006F83000-memory.dmp	family_zgrat_v1
behavioral2/memory/996-275-0x0000000006F10000-0x0000000006F83000-memory.dmp	family_zgrat_v1
behavioral2/memory/996-265-0x0000000006F10000-0x0000000006F83000-memory.dmp	family_zgrat_v1
behavioral2/memory/996-263-0x0000000006F10000-0x0000000006F83000-memory.dmp	family_zgrat_v1
behavioral2/memory/996-261-0x0000000006F10000-0x0000000006F83000-memory.dmp	family_zgrat_v1
behavioral2/memory/996-277-0x0000000006F10000-0x0000000006F83000-memory.dmp	family_zgrat_v1
behavioral2/memory/996-279-0x0000000006F10000-0x0000000006F83000-memory.dmp	family_zgrat_v1
behavioral2/memory/996-281-0x0000000006F10000-0x0000000006F83000-memory.dmp	family_zgrat_v1
behavioral2/memory/996-283-0x0000000006F10000-0x0000000006F83000-memory.dmp	family_zgrat_v1
behavioral2/memory/996-285-0x0000000006F10000-0x0000000006F83000-memory.dmp	family_zgrat_v1
behavioral2/memory/996-287-0x0000000006F10000-0x0000000006F83000-memory.dmp	family_zgrat_v1
behavioral2/memory/996-297-0x0000000006F10000-0x0000000006F83000-memory.dmp	family_zgrat_v1
behavioral2/memory/996-299-0x0000000006F10000-0x0000000006F83000-memory.dmp	family_zgrat_v1
behavioral2/memory/996-305-0x0000000006F10000-0x0000000006F83000-memory.dmp	family_zgrat_v1
behavioral2/memory/996-311-0x0000000006F10000-0x0000000006F83000-memory.dmp	family_zgrat_v1
behavioral2/memory/996-309-0x0000000006F10000-0x0000000006F83000-memory.dmp	family_zgrat_v1
behavioral2/memory/996-307-0x0000000006F10000-0x0000000006F83000-memory.dmp	family_zgrat_v1
behavioral2/memory/996-303-0x0000000006F10000-0x0000000006F83000-memory.dmp	family_zgrat_v1
behavioral2/memory/996-301-0x0000000006F10000-0x0000000006F83000-memory.dmp	family_zgrat_v1
behavioral2/memory/996-295-0x0000000006F10000-0x0000000006F83000-memory.dmp	family_zgrat_v1
behavioral2/memory/996-293-0x0000000006F10000-0x0000000006F83000-memory.dmp	family_zgrat_v1
behavioral2/memory/996-291-0x0000000006F10000-0x0000000006F83000-memory.dmp	family_zgrat_v1
behavioral2/memory/996-289-0x0000000006F10000-0x0000000006F83000-memory.dmp	family_zgrat_v1

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation	7f6fb1b358266003d7bd34cb41c6db9f.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 996 set thread context of 556	996	7f6fb1b358266003d7bd34cb41c6db9f.exe	127

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 34 IoCs

pid	Process
400	powershell.exe
400	powershell.exe
1160	powershell.exe
1160	powershell.exe
1856	powershell.exe
1856	powershell.exe
4636	powershell.exe
4636	powershell.exe
2912	powershell.exe
2912	powershell.exe
228	powershell.exe
228	powershell.exe
3636	powershell.exe
3636	powershell.exe
4112	powershell.exe
4112	powershell.exe
2140	powershell.exe
2140	powershell.exe
4416	powershell.exe
4416	powershell.exe
3780	powershell.exe
3780	powershell.exe
468	powershell.exe
468	powershell.exe
4428	powershell.exe
4428	powershell.exe
964	powershell.exe
964	powershell.exe
4504	powershell.exe
4504	powershell.exe
996	7f6fb1b358266003d7bd34cb41c6db9f.exe
996	7f6fb1b358266003d7bd34cb41c6db9f.exe
556	7f6fb1b358266003d7bd34cb41c6db9f.exe
556	7f6fb1b358266003d7bd34cb41c6db9f.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	400	powershell.exe
Token: SeIncreaseQuotaPrivilege	400	powershell.exe
Token: SeSecurityPrivilege	400	powershell.exe
Token: SeTakeOwnershipPrivilege	400	powershell.exe
Token: SeLoadDriverPrivilege	400	powershell.exe
Token: SeSystemProfilePrivilege	400	powershell.exe
Token: SeSystemtimePrivilege	400	powershell.exe
Token: SeProfSingleProcessPrivilege	400	powershell.exe
Token: SeIncBasePriorityPrivilege	400	powershell.exe
Token: SeCreatePagefilePrivilege	400	powershell.exe
Token: SeBackupPrivilege	400	powershell.exe
Token: SeRestorePrivilege	400	powershell.exe
Token: SeShutdownPrivilege	400	powershell.exe
Token: SeDebugPrivilege	400	powershell.exe
Token: SeSystemEnvironmentPrivilege	400	powershell.exe
Token: SeRemoteShutdownPrivilege	400	powershell.exe
Token: SeUndockPrivilege	400	powershell.exe
Token: SeManageVolumePrivilege	400	powershell.exe
Token: 33	400	powershell.exe
Token: 34	400	powershell.exe
Token: 35	400	powershell.exe
Token: 36	400	powershell.exe
Token: SeIncreaseQuotaPrivilege	400	powershell.exe
Token: SeSecurityPrivilege	400	powershell.exe
Token: SeTakeOwnershipPrivilege	400	powershell.exe
Token: SeLoadDriverPrivilege	400	powershell.exe
Token: SeSystemProfilePrivilege	400	powershell.exe
Token: SeSystemtimePrivilege	400	powershell.exe
Token: SeProfSingleProcessPrivilege	400	powershell.exe
Token: SeIncBasePriorityPrivilege	400	powershell.exe
Token: SeCreatePagefilePrivilege	400	powershell.exe
Token: SeBackupPrivilege	400	powershell.exe
Token: SeRestorePrivilege	400	powershell.exe
Token: SeShutdownPrivilege	400	powershell.exe
Token: SeDebugPrivilege	400	powershell.exe
Token: SeSystemEnvironmentPrivilege	400	powershell.exe
Token: SeRemoteShutdownPrivilege	400	powershell.exe
Token: SeUndockPrivilege	400	powershell.exe
Token: SeManageVolumePrivilege	400	powershell.exe
Token: 33	400	powershell.exe
Token: 34	400	powershell.exe
Token: 35	400	powershell.exe
Token: 36	400	powershell.exe
Token: SeDebugPrivilege	1160	powershell.exe
Token: SeIncreaseQuotaPrivilege	1160	powershell.exe
Token: SeSecurityPrivilege	1160	powershell.exe
Token: SeTakeOwnershipPrivilege	1160	powershell.exe
Token: SeLoadDriverPrivilege	1160	powershell.exe
Token: SeSystemProfilePrivilege	1160	powershell.exe
Token: SeSystemtimePrivilege	1160	powershell.exe
Token: SeProfSingleProcessPrivilege	1160	powershell.exe
Token: SeIncBasePriorityPrivilege	1160	powershell.exe
Token: SeCreatePagefilePrivilege	1160	powershell.exe
Token: SeBackupPrivilege	1160	powershell.exe
Token: SeRestorePrivilege	1160	powershell.exe
Token: SeShutdownPrivilege	1160	powershell.exe
Token: SeDebugPrivilege	1160	powershell.exe
Token: SeSystemEnvironmentPrivilege	1160	powershell.exe
Token: SeRemoteShutdownPrivilege	1160	powershell.exe
Token: SeUndockPrivilege	1160	powershell.exe
Token: SeManageVolumePrivilege	1160	powershell.exe
Token: 33	1160	powershell.exe
Token: 34	1160	powershell.exe
Token: 35	1160	powershell.exe

Suspicious use of WriteProcessMemory 53 IoCs

description	pid	Process	procid_target
PID 996 wrote to memory of 400	996	7f6fb1b358266003d7bd34cb41c6db9f.exe	88
PID 996 wrote to memory of 400	996	7f6fb1b358266003d7bd34cb41c6db9f.exe	88
PID 996 wrote to memory of 400	996	7f6fb1b358266003d7bd34cb41c6db9f.exe	88
PID 996 wrote to memory of 1160	996	7f6fb1b358266003d7bd34cb41c6db9f.exe	96
PID 996 wrote to memory of 1160	996	7f6fb1b358266003d7bd34cb41c6db9f.exe	96
PID 996 wrote to memory of 1160	996	7f6fb1b358266003d7bd34cb41c6db9f.exe	96
PID 996 wrote to memory of 1856	996	7f6fb1b358266003d7bd34cb41c6db9f.exe	101
PID 996 wrote to memory of 1856	996	7f6fb1b358266003d7bd34cb41c6db9f.exe	101
PID 996 wrote to memory of 1856	996	7f6fb1b358266003d7bd34cb41c6db9f.exe	101
PID 996 wrote to memory of 4636	996	7f6fb1b358266003d7bd34cb41c6db9f.exe	102
PID 996 wrote to memory of 4636	996	7f6fb1b358266003d7bd34cb41c6db9f.exe	102
PID 996 wrote to memory of 4636	996	7f6fb1b358266003d7bd34cb41c6db9f.exe	102
PID 996 wrote to memory of 2912	996	7f6fb1b358266003d7bd34cb41c6db9f.exe	104
PID 996 wrote to memory of 2912	996	7f6fb1b358266003d7bd34cb41c6db9f.exe	104
PID 996 wrote to memory of 2912	996	7f6fb1b358266003d7bd34cb41c6db9f.exe	104
PID 996 wrote to memory of 228	996	7f6fb1b358266003d7bd34cb41c6db9f.exe	107
PID 996 wrote to memory of 228	996	7f6fb1b358266003d7bd34cb41c6db9f.exe	107
PID 996 wrote to memory of 228	996	7f6fb1b358266003d7bd34cb41c6db9f.exe	107
PID 996 wrote to memory of 3636	996	7f6fb1b358266003d7bd34cb41c6db9f.exe	108
PID 996 wrote to memory of 3636	996	7f6fb1b358266003d7bd34cb41c6db9f.exe	108
PID 996 wrote to memory of 3636	996	7f6fb1b358266003d7bd34cb41c6db9f.exe	108
PID 996 wrote to memory of 4112	996	7f6fb1b358266003d7bd34cb41c6db9f.exe	111
PID 996 wrote to memory of 4112	996	7f6fb1b358266003d7bd34cb41c6db9f.exe	111
PID 996 wrote to memory of 4112	996	7f6fb1b358266003d7bd34cb41c6db9f.exe	111
PID 996 wrote to memory of 2140	996	7f6fb1b358266003d7bd34cb41c6db9f.exe	113
PID 996 wrote to memory of 2140	996	7f6fb1b358266003d7bd34cb41c6db9f.exe	113
PID 996 wrote to memory of 2140	996	7f6fb1b358266003d7bd34cb41c6db9f.exe	113
PID 996 wrote to memory of 4416	996	7f6fb1b358266003d7bd34cb41c6db9f.exe	115
PID 996 wrote to memory of 4416	996	7f6fb1b358266003d7bd34cb41c6db9f.exe	115
PID 996 wrote to memory of 4416	996	7f6fb1b358266003d7bd34cb41c6db9f.exe	115
PID 996 wrote to memory of 3780	996	7f6fb1b358266003d7bd34cb41c6db9f.exe	117
PID 996 wrote to memory of 3780	996	7f6fb1b358266003d7bd34cb41c6db9f.exe	117
PID 996 wrote to memory of 3780	996	7f6fb1b358266003d7bd34cb41c6db9f.exe	117
PID 996 wrote to memory of 468	996	7f6fb1b358266003d7bd34cb41c6db9f.exe	119
PID 996 wrote to memory of 468	996	7f6fb1b358266003d7bd34cb41c6db9f.exe	119
PID 996 wrote to memory of 468	996	7f6fb1b358266003d7bd34cb41c6db9f.exe	119
PID 996 wrote to memory of 4428	996	7f6fb1b358266003d7bd34cb41c6db9f.exe	121
PID 996 wrote to memory of 4428	996	7f6fb1b358266003d7bd34cb41c6db9f.exe	121
PID 996 wrote to memory of 4428	996	7f6fb1b358266003d7bd34cb41c6db9f.exe	121
PID 996 wrote to memory of 964	996	7f6fb1b358266003d7bd34cb41c6db9f.exe	123
PID 996 wrote to memory of 964	996	7f6fb1b358266003d7bd34cb41c6db9f.exe	123
PID 996 wrote to memory of 964	996	7f6fb1b358266003d7bd34cb41c6db9f.exe	123
PID 996 wrote to memory of 4504	996	7f6fb1b358266003d7bd34cb41c6db9f.exe	125
PID 996 wrote to memory of 4504	996	7f6fb1b358266003d7bd34cb41c6db9f.exe	125
PID 996 wrote to memory of 4504	996	7f6fb1b358266003d7bd34cb41c6db9f.exe	125
PID 996 wrote to memory of 556	996	7f6fb1b358266003d7bd34cb41c6db9f.exe	127
PID 996 wrote to memory of 556	996	7f6fb1b358266003d7bd34cb41c6db9f.exe	127
PID 996 wrote to memory of 556	996	7f6fb1b358266003d7bd34cb41c6db9f.exe	127
PID 996 wrote to memory of 556	996	7f6fb1b358266003d7bd34cb41c6db9f.exe	127
PID 996 wrote to memory of 556	996	7f6fb1b358266003d7bd34cb41c6db9f.exe	127
PID 996 wrote to memory of 556	996	7f6fb1b358266003d7bd34cb41c6db9f.exe	127
PID 996 wrote to memory of 556	996	7f6fb1b358266003d7bd34cb41c6db9f.exe	127
PID 996 wrote to memory of 556	996	7f6fb1b358266003d7bd34cb41c6db9f.exe	127

C:\Users\Admin\AppData\Local\Temp\7f6fb1b358266003d7bd34cb41c6db9f.exe
"C:\Users\Admin\AppData\Local\Temp\7f6fb1b358266003d7bd34cb41c6db9f.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:996
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection Google.com
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:400
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection Google.com
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1160
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection Google.com
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1856
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection Google.com
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4636
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection Google.com
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2912
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection Google.com
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:228
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection Google.com
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3636
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection Google.com
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4112
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection Google.com
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2140
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection Google.com
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4416
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection Google.com
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3780
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection Google.com
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:468
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection Google.com
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4428
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection Google.com
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:964
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection Google.com
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4504
- C:\Users\Admin\AppData\Local\Temp\7f6fb1b358266003d7bd34cb41c6db9f.exe
  C:\Users\Admin\AppData\Local\Temp\7f6fb1b358266003d7bd34cb41c6db9f.exe
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:556

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\7f6fb1b358266003d7bd34cb41c6db9f.exe.log

Filesize
1KB

MD5
7ebe314bf617dc3e48b995a6c352740c

SHA1
538f643b7b30f9231a3035c448607f767527a870

SHA256
48178f884b8a4dd96e330b210b0530667d9473a7629fc6b4ad12b614bf438ee8

SHA512
0ba9d8f4244c15285e254d27b4bff7c49344ff845c48bc0bf0d8563072fab4d6f7a6abe6b6742e8375a08e9a3b3e5d5dc4937ab428dbe2dd8e62892fda04507e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
0774a05ce5ee4c1af7097353c9296c62

SHA1
658ff96b111c21c39d7ad5f510fb72f9762114bb

SHA256
d9c5347ed06755feeb0615f1671f6b91e2718703da0dbc4b0bd205cbd2896dd4

SHA512
104d69fc4f4aaa5070b78ada130228939c7e01436351166fe51fe2da8a02f9948e6d92dd676f62820da1813872b91411e2f863c9a98a760581ec34d4aa354994

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
19KB

MD5
b2378784b7df02e0f76120f6ce1925c1

SHA1
b74f0317edfe6fac6c7695ac4a9106c595221d64

SHA256
f9617ebaa4c0d935c7752d50ab8628e811a8156e50aae86b70a0d0e78bd6da04

SHA512
e6b037a20bf9dca2c1f4cb79d364f7063e8ee161a796a3fbc177aefa39801958ef744bbb8a0abd3b83346bdc74045215a4d9fbb5d5303d22ce4a512a6d463561

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
19KB

MD5
1b405165ca8b1637d1b09f53b792ea8a

SHA1
be4b1a91c6a839fdf1fc5375c0256cf984a92050

SHA256
ddc9f628b87fd83fe604143a2a12d169df0ca3efbd59a29ab1327750d9128a83

SHA512
8b4b5967d497c350b0d86794dd4dffff995b2a27bcea3c028c5b8d641b4ae0459ff83fc90885b9480f2fbdb03272124b1d0cd53c1b824c75b70eefa68612c91d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
19KB

MD5
0a4184e590efba0e701b83ee60ad7b28

SHA1
a3947dcb826fddc1017b497150882fc76439d904

SHA256
e62aa65fb6503482fca8a7ef55eb773dbe66f508bd34964db3eac834422a1bb7

SHA512
d7625d97363ee79a4e4800d0d31e076d04b554916acbc27fa82409f320a859c89a15c58b948d8e901673d36bedd71bde07b4f5db53f328a05d0153a1ff4c2810

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
19KB

MD5
7092e3220289ecb6aa837d676343e1be

SHA1
782411c65f9824147e26d926918dd38e7eb819f0

SHA256
b9dd1f3dfb677f0e5f24e548cf73e8f47b564eb7696d782c21d2133249d58983

SHA512
2bd08cec1be69cc7b10fccff9aa748dd3a899db3bcc96cb57dce0d0bc6b1d0eb2cbbe426b1466aae6a20ebb187a44a50b7b549c0e78551027013abfd80116460

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
19KB

MD5
ab1ec5960c500e843fe826802bc9f94d

SHA1
71e8ef7952c426aadcbbf12b9af3676de8825c68

SHA256
5c02807f2b79e5c53f6a29316ba66eee40f86a0ac8c0baafb6bf2047c706fc33

SHA512
cb0139ffe68ed1398019fc9d573a15892f79ed23b521f2157e4337901e0bd32d67df0ecf0efb60e583113b348087610f8e397b99149a2d0aa6fd11beed58c680

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
19KB

MD5
61bcbcf22e02407c2d55fd768129e682

SHA1
d39f870362cf5f14c281b42b08db1c9e97ff6d50

SHA256
64ef3f0aaa3deedb7362dfd0f542ec8b320e6f632459c578cd29912bd8bf12ba

SHA512
5211d2d7fd758e93efdd183294908316e0a119fed6fdf110e4d57f3fbd7c573d887704ea0c2f1b23cbfe9c424bdcaf3565e524a761b7717ddc8a053c6430b86d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
19KB

MD5
33f6030e09555b29a19db45c3263506b

SHA1
3ec64aec47ec01b54e59a14e98d9eda9f0f48c88

SHA256
808cceb0d076e6dbe019b2f3514b247875fabbe4a6c982348f2a3f0791052a96

SHA512
51dacddfe1fff42b3577052d6e5364cc769b4d511eb0dd955c6532e31bd0c47552d8a83ab106132a077841d1f4a1ef15cdc24fe6e5ce211de91e5f6ef5e3bb15

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
19KB

MD5
8a606219e4a81c5012e2a34e4e94139b

SHA1
a97790be96ee6a3b60217cb9cdffb5a85dfe8c15

SHA256
aa651baa407032053b1c85138cd91fc97e23d24cc11982932c878f9469f83841

SHA512
c1e4719f3fe9859a4d2051c20580ca0b5570e46640068762cb9f3cf5423ad6b3d4e1cb3dcf74caf22489909e7a54dcbeb7c2d0c3815d4a3e617af03a04e2e7a6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
19KB

MD5
fb038fd4c993c225ca01a2db740831f5

SHA1
452307f8f342462487f93ef557312760c48c3ae7

SHA256
7455829a45708dcbf081bec194f200059cca25e0f8473397f2d5daf331a01bd7

SHA512
bbae63267c8c1cdc068ab4df5780ca030c5a1f3fab36a9041e607afe18b02df2b81e7db22885c73d79028c104762834bd143cd27ef0a08fffbe6ce14c5f1b925

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
19KB

MD5
9962784139f2caca3cf3098cb25ada02

SHA1
d34b785977594b2ad546e82c21edc5d50fd8c208

SHA256
b2a7991179e523a506edd8a938caf8428149648e61a9443a135d9849ca15d528

SHA512
d1e86c04e051c82acbbb72d52e4197f806dd5f1d21d292336d4a504e6ee8169476ac5815eb44a4b891412ed525085c817cc64687bb9b772acde5c024c0d7dc2c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
19KB

MD5
b2ac308b46f012c2dfae7d95a52a131b

SHA1
8587308984cfe3860af2e0bc875720ce50db81de

SHA256
3395f9c4916f7648924c0b46335170a7a48e69b2ecd4dda5370b7a7817922b19

SHA512
f292c0d342465600f99291d9d47fb3251221189db024dba80edeafda16ab80e8e84855ae25b0ac074bd10611edb31dde4c668ddebb837c755e385abc1f71ab8c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
19KB

MD5
8c6640d2b5b5921256721385683b7719

SHA1
a489d7ecd4177b68a5cb454c8a92e333faefdf3e

SHA256
480eb35d776a494861ab7d2e7f79abaefb9a3f2b68c122119a640d6347e283f1

SHA512
33eb52de42f244f56721401464ed85869f7b6252136581cd03a529bb2701bb1a2d8852bb7d5d7dec6ac60c8283720eca4107fbf035e8d15326438aea637b745a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
19KB

MD5
1109c137a4463cedc88abb06cf4f96e8

SHA1
4409977668b21b432dc19fe61865a27357cc38d5

SHA256
caad9ffbb35d23ed84f54ae159d4887098b70652d2959e276201bbef97d3243c

SHA512
cc7c12363f2439708bfd16898c8da82a2379244eb75a73ba206c2c8672f3a84ee4a61b5594deff0b7144788fb578a677776964b521bad715123d119fe667bc77

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
19KB

MD5
ade2e2636cabba76cfa35dfbcd039973

SHA1
ef38ccfad47d3bf049dba114e7fe2cc80bbe0f55

SHA256
23bd7dea41c6a4d243e30eeddc3d1f8d460ccd99d1b0a1f223ad0e8f92f4643b

SHA512
8d29c4326d3a590ad9ce0048d8b73abcec1c7dfdd7e50055bfef4304549625a50042fcfd6b21feda9028260172247de8f6b7820cb02cd66166d5910e30ae3ba8

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_hiyqhxlp.opr.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/228-101-0x0000000004BA0000-0x0000000004BB0000-memory.dmp

Filesize
64KB

Download
memory/228-114-0x0000000074760000-0x0000000074F10000-memory.dmp

Filesize
7.7MB

Download
memory/228-102-0x0000000004BA0000-0x0000000004BB0000-memory.dmp

Filesize
64KB

Download
memory/228-100-0x0000000074760000-0x0000000074F10000-memory.dmp

Filesize
7.7MB

Download
memory/400-10-0x00000000030F0000-0x0000000003100000-memory.dmp

Filesize
64KB

Download
memory/400-30-0x0000000008AC0000-0x000000000913A000-memory.dmp

Filesize
6.5MB

Download
memory/400-33-0x0000000074760000-0x0000000074F10000-memory.dmp

Filesize
7.7MB

Download
memory/400-27-0x0000000007840000-0x00000000078D6000-memory.dmp

Filesize
600KB

Download
memory/400-28-0x0000000006D60000-0x0000000006D7A000-memory.dmp

Filesize
104KB

Download
memory/400-29-0x0000000006DB0000-0x0000000006DD2000-memory.dmp

Filesize
136KB

Download
memory/400-26-0x0000000006900000-0x000000000694C000-memory.dmp

Filesize
304KB

Download
memory/400-25-0x0000000006870000-0x000000000688E000-memory.dmp

Filesize
120KB

Download
memory/400-24-0x00000000063C0000-0x0000000006714000-memory.dmp

Filesize
3.3MB

Download
memory/400-16-0x0000000005BD0000-0x0000000005C36000-memory.dmp

Filesize
408KB

Download
memory/400-13-0x0000000005B60000-0x0000000005BC6000-memory.dmp

Filesize
408KB

Download
memory/400-12-0x00000000059C0000-0x00000000059E2000-memory.dmp

Filesize
136KB

Download
memory/400-8-0x0000000074760000-0x0000000074F10000-memory.dmp

Filesize
7.7MB

Download
memory/400-9-0x0000000005C90000-0x00000000062B8000-memory.dmp

Filesize
6.2MB

Download
memory/400-11-0x00000000030F0000-0x0000000003100000-memory.dmp

Filesize
64KB

Download
memory/400-7-0x0000000002F60000-0x0000000002F96000-memory.dmp

Filesize
216KB

Download
memory/996-311-0x0000000006F10000-0x0000000006F83000-memory.dmp

Filesize
460KB

Download
memory/996-0-0x0000000000E00000-0x0000000000EF4000-memory.dmp

Filesize
976KB

Download
memory/996-305-0x0000000006F10000-0x0000000006F83000-memory.dmp

Filesize
460KB

Download
memory/996-70-0x0000000005880000-0x0000000005890000-memory.dmp

Filesize
64KB

Download
memory/996-299-0x0000000006F10000-0x0000000006F83000-memory.dmp

Filesize
460KB

Download
memory/996-66-0x0000000074760000-0x0000000074F10000-memory.dmp

Filesize
7.7MB

Download
memory/996-297-0x0000000006F10000-0x0000000006F83000-memory.dmp

Filesize
460KB

Download
memory/996-287-0x0000000006F10000-0x0000000006F83000-memory.dmp

Filesize
460KB

Download
memory/996-285-0x0000000006F10000-0x0000000006F83000-memory.dmp

Filesize
460KB

Download
memory/996-283-0x0000000006F10000-0x0000000006F83000-memory.dmp

Filesize
460KB

Download
memory/996-281-0x0000000006F10000-0x0000000006F83000-memory.dmp

Filesize
460KB

Download
memory/996-307-0x0000000006F10000-0x0000000006F83000-memory.dmp

Filesize
460KB

Download
memory/996-279-0x0000000006F10000-0x0000000006F83000-memory.dmp

Filesize
460KB

Download
memory/996-303-0x0000000006F10000-0x0000000006F83000-memory.dmp

Filesize
460KB

Download
memory/996-301-0x0000000006F10000-0x0000000006F83000-memory.dmp

Filesize
460KB

Download
memory/996-295-0x0000000006F10000-0x0000000006F83000-memory.dmp

Filesize
460KB

Download
memory/996-293-0x0000000006F10000-0x0000000006F83000-memory.dmp

Filesize
460KB

Download
memory/996-291-0x0000000006F10000-0x0000000006F83000-memory.dmp

Filesize
460KB

Download
memory/996-277-0x0000000006F10000-0x0000000006F83000-memory.dmp

Filesize
460KB

Download
memory/996-261-0x0000000006F10000-0x0000000006F83000-memory.dmp

Filesize
460KB

Download
memory/996-263-0x0000000006F10000-0x0000000006F83000-memory.dmp

Filesize
460KB

Download
memory/996-309-0x0000000006F10000-0x0000000006F83000-memory.dmp

Filesize
460KB

Download
memory/996-265-0x0000000006F10000-0x0000000006F83000-memory.dmp

Filesize
460KB

Download
memory/996-275-0x0000000006F10000-0x0000000006F83000-memory.dmp

Filesize
460KB

Download
memory/996-267-0x0000000006F10000-0x0000000006F83000-memory.dmp

Filesize
460KB

Download
memory/996-273-0x0000000006F10000-0x0000000006F83000-memory.dmp

Filesize
460KB

Download
memory/996-289-0x0000000006F10000-0x0000000006F83000-memory.dmp

Filesize
460KB

Download
memory/996-269-0x0000000006F10000-0x0000000006F83000-memory.dmp

Filesize
460KB

Download
memory/996-271-0x0000000006F10000-0x0000000006F83000-memory.dmp

Filesize
460KB

Download
memory/996-255-0x0000000006F10000-0x0000000006F83000-memory.dmp

Filesize
460KB

Download
memory/996-259-0x0000000006F10000-0x0000000006F83000-memory.dmp

Filesize
460KB

Download
memory/996-6-0x0000000005B70000-0x0000000005BD0000-memory.dmp

Filesize
384KB

Download
memory/996-257-0x0000000006F10000-0x0000000006F83000-memory.dmp

Filesize
460KB

Download
memory/996-253-0x0000000006F10000-0x0000000006F83000-memory.dmp

Filesize
460KB

Download
memory/996-251-0x0000000006F10000-0x0000000006F83000-memory.dmp

Filesize
460KB

Download
memory/996-248-0x0000000006F10000-0x0000000006F83000-memory.dmp

Filesize
460KB

Download
memory/996-5-0x00000000059D0000-0x00000000059DA000-memory.dmp

Filesize
40KB

Download
memory/996-249-0x0000000006F10000-0x0000000006F83000-memory.dmp

Filesize
460KB

Download
memory/996-4-0x0000000005880000-0x0000000005890000-memory.dmp

Filesize
64KB

Download
memory/996-3-0x0000000005900000-0x0000000005992000-memory.dmp

Filesize
584KB

Download
memory/996-2-0x0000000005EB0000-0x0000000006454000-memory.dmp

Filesize
5.6MB

Download
memory/996-1-0x0000000074760000-0x0000000074F10000-memory.dmp

Filesize
7.7MB

Download
memory/1160-47-0x0000000006190000-0x00000000064E4000-memory.dmp

Filesize
3.3MB

Download
memory/1160-50-0x0000000074760000-0x0000000074F10000-memory.dmp

Filesize
7.7MB

Download
memory/1160-35-0x0000000074760000-0x0000000074F10000-memory.dmp

Filesize
7.7MB

Download
memory/1160-37-0x0000000005520000-0x0000000005530000-memory.dmp

Filesize
64KB

Download
memory/1160-36-0x0000000005520000-0x0000000005530000-memory.dmp

Filesize
64KB

Download
memory/1856-52-0x0000000002A70000-0x0000000002A80000-memory.dmp

Filesize
64KB

Download
memory/1856-65-0x0000000074760000-0x0000000074F10000-memory.dmp

Filesize
7.7MB

Download
memory/1856-53-0x0000000002A70000-0x0000000002A80000-memory.dmp

Filesize
64KB

Download
memory/1856-51-0x0000000074760000-0x0000000074F10000-memory.dmp

Filesize
7.7MB

Download
memory/2140-147-0x0000000002540000-0x0000000002550000-memory.dmp

Filesize
64KB

Download
memory/2140-146-0x0000000002540000-0x0000000002550000-memory.dmp

Filesize
64KB

Download
memory/2140-145-0x0000000074760000-0x0000000074F10000-memory.dmp

Filesize
7.7MB

Download
memory/2140-159-0x0000000074760000-0x0000000074F10000-memory.dmp

Filesize
7.7MB

Download
memory/2912-99-0x0000000074760000-0x0000000074F10000-memory.dmp

Filesize
7.7MB

Download
memory/2912-96-0x0000000005B30000-0x0000000005E84000-memory.dmp

Filesize
3.3MB

Download
memory/2912-84-0x0000000074760000-0x0000000074F10000-memory.dmp

Filesize
7.7MB

Download
memory/2912-86-0x0000000004C40000-0x0000000004C50000-memory.dmp

Filesize
64KB

Download
memory/2912-85-0x0000000004C40000-0x0000000004C50000-memory.dmp

Filesize
64KB

Download
memory/3636-129-0x0000000074760000-0x0000000074F10000-memory.dmp

Filesize
7.7MB

Download
memory/3636-117-0x0000000001070000-0x0000000001080000-memory.dmp

Filesize
64KB

Download
memory/3636-116-0x0000000001070000-0x0000000001080000-memory.dmp

Filesize
64KB

Download
memory/3636-115-0x0000000074760000-0x0000000074F10000-memory.dmp

Filesize
7.7MB

Download
memory/4112-144-0x0000000074760000-0x0000000074F10000-memory.dmp

Filesize
7.7MB

Download
memory/4112-132-0x0000000004790000-0x00000000047A0000-memory.dmp

Filesize
64KB

Download
memory/4112-131-0x0000000004790000-0x00000000047A0000-memory.dmp

Filesize
64KB

Download
memory/4112-130-0x0000000074760000-0x0000000074F10000-memory.dmp

Filesize
7.7MB

Download
memory/4416-174-0x0000000074760000-0x0000000074F10000-memory.dmp

Filesize
7.7MB

Download
memory/4416-160-0x0000000074760000-0x0000000074F10000-memory.dmp

Filesize
7.7MB

Download
memory/4416-162-0x0000000002900000-0x0000000002910000-memory.dmp

Filesize
64KB

Download
memory/4416-161-0x0000000002900000-0x0000000002910000-memory.dmp

Filesize
64KB

Download
memory/4636-80-0x00000000059B0000-0x0000000005D04000-memory.dmp

Filesize
3.3MB

Download
memory/4636-69-0x0000000002660000-0x0000000002670000-memory.dmp

Filesize
64KB

Download
memory/4636-68-0x0000000002660000-0x0000000002670000-memory.dmp

Filesize
64KB

Download
memory/4636-67-0x0000000074760000-0x0000000074F10000-memory.dmp

Filesize
7.7MB

Download
memory/4636-83-0x0000000074760000-0x0000000074F10000-memory.dmp

Filesize
7.7MB

Download