zgrat | 099d824705f8ae8fc4a018a21a7c893de9385841dcb6c9629e2565c718368c05

Analysis

max time kernel
143s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
18-04-2024 13:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f8170ab44e4c08d2088104a02aae5f40_JaffaCakes118.exe
Size

939KB
MD5

f8170ab44e4c08d2088104a02aae5f40
SHA1

e03ecbc4d42e94818ef900ba50e1ffaa25c59281
SHA256

099d824705f8ae8fc4a018a21a7c893de9385841dcb6c9629e2565c718368c05
SHA512

fedf7b92f800ed3e990d93e13db6104a1a99cb9d91bfbe8c1683764c1b11ce63b05d54260a4936da991d09b439559a05dd5b73720a3648401539d08abbb38b48
SSDEEP

12288:WjVLFvth+w7GodQpbelTQ2JK7Q0+AnCG53rfFBe1QZoU8:Wjvv/Nv+kTQ2XNYCG5TFBeOuU8

Score

10^/10

zgrat rat

Malware Config

Signatures

Detect ZGRat V1 33 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3076-245-0x00000000009A0000-0x0000000000A13000-memory.dmp	family_zgrat_v1
behavioral2/memory/3076-246-0x00000000009A0000-0x0000000000A13000-memory.dmp	family_zgrat_v1
behavioral2/memory/3076-248-0x00000000009A0000-0x0000000000A13000-memory.dmp	family_zgrat_v1
behavioral2/memory/3076-250-0x00000000009A0000-0x0000000000A13000-memory.dmp	family_zgrat_v1
behavioral2/memory/3076-252-0x00000000009A0000-0x0000000000A13000-memory.dmp	family_zgrat_v1
behavioral2/memory/3076-260-0x00000000009A0000-0x0000000000A13000-memory.dmp	family_zgrat_v1
behavioral2/memory/3076-264-0x00000000009A0000-0x0000000000A13000-memory.dmp	family_zgrat_v1
behavioral2/memory/3076-262-0x00000000009A0000-0x0000000000A13000-memory.dmp	family_zgrat_v1
behavioral2/memory/3076-258-0x00000000009A0000-0x0000000000A13000-memory.dmp	family_zgrat_v1
behavioral2/memory/3076-256-0x00000000009A0000-0x0000000000A13000-memory.dmp	family_zgrat_v1
behavioral2/memory/3076-266-0x00000000009A0000-0x0000000000A13000-memory.dmp	family_zgrat_v1
behavioral2/memory/3076-254-0x00000000009A0000-0x0000000000A13000-memory.dmp	family_zgrat_v1
behavioral2/memory/3076-270-0x00000000009A0000-0x0000000000A13000-memory.dmp	family_zgrat_v1
behavioral2/memory/3076-272-0x00000000009A0000-0x0000000000A13000-memory.dmp	family_zgrat_v1
behavioral2/memory/3076-268-0x00000000009A0000-0x0000000000A13000-memory.dmp	family_zgrat_v1
behavioral2/memory/3076-276-0x00000000009A0000-0x0000000000A13000-memory.dmp	family_zgrat_v1
behavioral2/memory/3076-278-0x00000000009A0000-0x0000000000A13000-memory.dmp	family_zgrat_v1
behavioral2/memory/3076-274-0x00000000009A0000-0x0000000000A13000-memory.dmp	family_zgrat_v1
behavioral2/memory/3076-280-0x00000000009A0000-0x0000000000A13000-memory.dmp	family_zgrat_v1
behavioral2/memory/3076-282-0x00000000009A0000-0x0000000000A13000-memory.dmp	family_zgrat_v1
behavioral2/memory/3076-290-0x00000000009A0000-0x0000000000A13000-memory.dmp	family_zgrat_v1
behavioral2/memory/3076-296-0x00000000009A0000-0x0000000000A13000-memory.dmp	family_zgrat_v1
behavioral2/memory/3076-298-0x00000000009A0000-0x0000000000A13000-memory.dmp	family_zgrat_v1
behavioral2/memory/3076-304-0x00000000009A0000-0x0000000000A13000-memory.dmp	family_zgrat_v1
behavioral2/memory/3076-308-0x00000000009A0000-0x0000000000A13000-memory.dmp	family_zgrat_v1
behavioral2/memory/3076-306-0x00000000009A0000-0x0000000000A13000-memory.dmp	family_zgrat_v1
behavioral2/memory/3076-302-0x00000000009A0000-0x0000000000A13000-memory.dmp	family_zgrat_v1
behavioral2/memory/3076-300-0x00000000009A0000-0x0000000000A13000-memory.dmp	family_zgrat_v1
behavioral2/memory/3076-294-0x00000000009A0000-0x0000000000A13000-memory.dmp	family_zgrat_v1
behavioral2/memory/3076-292-0x00000000009A0000-0x0000000000A13000-memory.dmp	family_zgrat_v1
behavioral2/memory/3076-288-0x00000000009A0000-0x0000000000A13000-memory.dmp	family_zgrat_v1
behavioral2/memory/3076-286-0x00000000009A0000-0x0000000000A13000-memory.dmp	family_zgrat_v1
behavioral2/memory/3076-284-0x00000000009A0000-0x0000000000A13000-memory.dmp	family_zgrat_v1

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

f8170ab44e4c08d2088104a02aae5f40_JaffaCakes118.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	f8170ab44e4c08d2088104a02aae5f40_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 37 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	process
3632	powershell.exe
3632	powershell.exe
5096	powershell.exe
5096	powershell.exe
5096	powershell.exe
2684	powershell.exe
2684	powershell.exe
2684	powershell.exe
2172	powershell.exe
2172	powershell.exe
2172	powershell.exe
3100	powershell.exe
3100	powershell.exe
3100	powershell.exe
4820	powershell.exe
4820	powershell.exe
4820	powershell.exe
1840	powershell.exe
1840	powershell.exe
1840	powershell.exe
2316	powershell.exe
2316	powershell.exe
2316	powershell.exe
3216	powershell.exe
3216	powershell.exe
4560	powershell.exe
4560	powershell.exe
4992	powershell.exe
4992	powershell.exe
2224	powershell.exe
2224	powershell.exe
456	powershell.exe
456	powershell.exe
3868	powershell.exe
3868	powershell.exe
552	powershell.exe
552	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

powershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	3632	powershell.exe
Token: SeIncreaseQuotaPrivilege	3632	powershell.exe
Token: SeSecurityPrivilege	3632	powershell.exe
Token: SeTakeOwnershipPrivilege	3632	powershell.exe
Token: SeLoadDriverPrivilege	3632	powershell.exe
Token: SeSystemProfilePrivilege	3632	powershell.exe
Token: SeSystemtimePrivilege	3632	powershell.exe
Token: SeProfSingleProcessPrivilege	3632	powershell.exe
Token: SeIncBasePriorityPrivilege	3632	powershell.exe
Token: SeCreatePagefilePrivilege	3632	powershell.exe
Token: SeBackupPrivilege	3632	powershell.exe
Token: SeRestorePrivilege	3632	powershell.exe
Token: SeShutdownPrivilege	3632	powershell.exe
Token: SeDebugPrivilege	3632	powershell.exe
Token: SeSystemEnvironmentPrivilege	3632	powershell.exe
Token: SeRemoteShutdownPrivilege	3632	powershell.exe
Token: SeUndockPrivilege	3632	powershell.exe
Token: SeManageVolumePrivilege	3632	powershell.exe
Token: 33	3632	powershell.exe
Token: 34	3632	powershell.exe
Token: 35	3632	powershell.exe
Token: 36	3632	powershell.exe
Token: SeIncreaseQuotaPrivilege	3632	powershell.exe
Token: SeSecurityPrivilege	3632	powershell.exe
Token: SeTakeOwnershipPrivilege	3632	powershell.exe
Token: SeLoadDriverPrivilege	3632	powershell.exe
Token: SeSystemProfilePrivilege	3632	powershell.exe
Token: SeSystemtimePrivilege	3632	powershell.exe
Token: SeProfSingleProcessPrivilege	3632	powershell.exe
Token: SeIncBasePriorityPrivilege	3632	powershell.exe
Token: SeCreatePagefilePrivilege	3632	powershell.exe
Token: SeBackupPrivilege	3632	powershell.exe
Token: SeRestorePrivilege	3632	powershell.exe
Token: SeShutdownPrivilege	3632	powershell.exe
Token: SeDebugPrivilege	3632	powershell.exe
Token: SeSystemEnvironmentPrivilege	3632	powershell.exe
Token: SeRemoteShutdownPrivilege	3632	powershell.exe
Token: SeUndockPrivilege	3632	powershell.exe
Token: SeManageVolumePrivilege	3632	powershell.exe
Token: 33	3632	powershell.exe
Token: 34	3632	powershell.exe
Token: 35	3632	powershell.exe
Token: 36	3632	powershell.exe
Token: SeDebugPrivilege	5096	powershell.exe
Token: SeIncreaseQuotaPrivilege	5096	powershell.exe
Token: SeSecurityPrivilege	5096	powershell.exe
Token: SeTakeOwnershipPrivilege	5096	powershell.exe
Token: SeLoadDriverPrivilege	5096	powershell.exe
Token: SeSystemProfilePrivilege	5096	powershell.exe
Token: SeSystemtimePrivilege	5096	powershell.exe
Token: SeProfSingleProcessPrivilege	5096	powershell.exe
Token: SeIncBasePriorityPrivilege	5096	powershell.exe
Token: SeCreatePagefilePrivilege	5096	powershell.exe
Token: SeBackupPrivilege	5096	powershell.exe
Token: SeRestorePrivilege	5096	powershell.exe
Token: SeShutdownPrivilege	5096	powershell.exe
Token: SeDebugPrivilege	5096	powershell.exe
Token: SeSystemEnvironmentPrivilege	5096	powershell.exe
Token: SeRemoteShutdownPrivilege	5096	powershell.exe
Token: SeUndockPrivilege	5096	powershell.exe
Token: SeManageVolumePrivilege	5096	powershell.exe
Token: 33	5096	powershell.exe
Token: 34	5096	powershell.exe
Token: 35	5096	powershell.exe

Suspicious use of WriteProcessMemory 45 IoCs

Processes:

f8170ab44e4c08d2088104a02aae5f40_JaffaCakes118.exe

description	pid	process	target process
PID 3076 wrote to memory of 3632	3076	f8170ab44e4c08d2088104a02aae5f40_JaffaCakes118.exe	powershell.exe
PID 3076 wrote to memory of 3632	3076	f8170ab44e4c08d2088104a02aae5f40_JaffaCakes118.exe	powershell.exe
PID 3076 wrote to memory of 3632	3076	f8170ab44e4c08d2088104a02aae5f40_JaffaCakes118.exe	powershell.exe
PID 3076 wrote to memory of 5096	3076	f8170ab44e4c08d2088104a02aae5f40_JaffaCakes118.exe	powershell.exe
PID 3076 wrote to memory of 5096	3076	f8170ab44e4c08d2088104a02aae5f40_JaffaCakes118.exe	powershell.exe
PID 3076 wrote to memory of 5096	3076	f8170ab44e4c08d2088104a02aae5f40_JaffaCakes118.exe	powershell.exe
PID 3076 wrote to memory of 2684	3076	f8170ab44e4c08d2088104a02aae5f40_JaffaCakes118.exe	powershell.exe
PID 3076 wrote to memory of 2684	3076	f8170ab44e4c08d2088104a02aae5f40_JaffaCakes118.exe	powershell.exe
PID 3076 wrote to memory of 2684	3076	f8170ab44e4c08d2088104a02aae5f40_JaffaCakes118.exe	powershell.exe
PID 3076 wrote to memory of 2172	3076	f8170ab44e4c08d2088104a02aae5f40_JaffaCakes118.exe	powershell.exe
PID 3076 wrote to memory of 2172	3076	f8170ab44e4c08d2088104a02aae5f40_JaffaCakes118.exe	powershell.exe
PID 3076 wrote to memory of 2172	3076	f8170ab44e4c08d2088104a02aae5f40_JaffaCakes118.exe	powershell.exe
PID 3076 wrote to memory of 3100	3076	f8170ab44e4c08d2088104a02aae5f40_JaffaCakes118.exe	powershell.exe
PID 3076 wrote to memory of 3100	3076	f8170ab44e4c08d2088104a02aae5f40_JaffaCakes118.exe	powershell.exe
PID 3076 wrote to memory of 3100	3076	f8170ab44e4c08d2088104a02aae5f40_JaffaCakes118.exe	powershell.exe
PID 3076 wrote to memory of 4820	3076	f8170ab44e4c08d2088104a02aae5f40_JaffaCakes118.exe	powershell.exe
PID 3076 wrote to memory of 4820	3076	f8170ab44e4c08d2088104a02aae5f40_JaffaCakes118.exe	powershell.exe
PID 3076 wrote to memory of 4820	3076	f8170ab44e4c08d2088104a02aae5f40_JaffaCakes118.exe	powershell.exe
PID 3076 wrote to memory of 1840	3076	f8170ab44e4c08d2088104a02aae5f40_JaffaCakes118.exe	powershell.exe
PID 3076 wrote to memory of 1840	3076	f8170ab44e4c08d2088104a02aae5f40_JaffaCakes118.exe	powershell.exe
PID 3076 wrote to memory of 1840	3076	f8170ab44e4c08d2088104a02aae5f40_JaffaCakes118.exe	powershell.exe
PID 3076 wrote to memory of 2316	3076	f8170ab44e4c08d2088104a02aae5f40_JaffaCakes118.exe	powershell.exe
PID 3076 wrote to memory of 2316	3076	f8170ab44e4c08d2088104a02aae5f40_JaffaCakes118.exe	powershell.exe
PID 3076 wrote to memory of 2316	3076	f8170ab44e4c08d2088104a02aae5f40_JaffaCakes118.exe	powershell.exe
PID 3076 wrote to memory of 3216	3076	f8170ab44e4c08d2088104a02aae5f40_JaffaCakes118.exe	powershell.exe
PID 3076 wrote to memory of 3216	3076	f8170ab44e4c08d2088104a02aae5f40_JaffaCakes118.exe	powershell.exe
PID 3076 wrote to memory of 3216	3076	f8170ab44e4c08d2088104a02aae5f40_JaffaCakes118.exe	powershell.exe
PID 3076 wrote to memory of 4560	3076	f8170ab44e4c08d2088104a02aae5f40_JaffaCakes118.exe	powershell.exe
PID 3076 wrote to memory of 4560	3076	f8170ab44e4c08d2088104a02aae5f40_JaffaCakes118.exe	powershell.exe
PID 3076 wrote to memory of 4560	3076	f8170ab44e4c08d2088104a02aae5f40_JaffaCakes118.exe	powershell.exe
PID 3076 wrote to memory of 4992	3076	f8170ab44e4c08d2088104a02aae5f40_JaffaCakes118.exe	powershell.exe
PID 3076 wrote to memory of 4992	3076	f8170ab44e4c08d2088104a02aae5f40_JaffaCakes118.exe	powershell.exe
PID 3076 wrote to memory of 4992	3076	f8170ab44e4c08d2088104a02aae5f40_JaffaCakes118.exe	powershell.exe
PID 3076 wrote to memory of 2224	3076	f8170ab44e4c08d2088104a02aae5f40_JaffaCakes118.exe	powershell.exe
PID 3076 wrote to memory of 2224	3076	f8170ab44e4c08d2088104a02aae5f40_JaffaCakes118.exe	powershell.exe
PID 3076 wrote to memory of 2224	3076	f8170ab44e4c08d2088104a02aae5f40_JaffaCakes118.exe	powershell.exe
PID 3076 wrote to memory of 456	3076	f8170ab44e4c08d2088104a02aae5f40_JaffaCakes118.exe	powershell.exe
PID 3076 wrote to memory of 456	3076	f8170ab44e4c08d2088104a02aae5f40_JaffaCakes118.exe	powershell.exe
PID 3076 wrote to memory of 456	3076	f8170ab44e4c08d2088104a02aae5f40_JaffaCakes118.exe	powershell.exe
PID 3076 wrote to memory of 3868	3076	f8170ab44e4c08d2088104a02aae5f40_JaffaCakes118.exe	powershell.exe
PID 3076 wrote to memory of 3868	3076	f8170ab44e4c08d2088104a02aae5f40_JaffaCakes118.exe	powershell.exe
PID 3076 wrote to memory of 3868	3076	f8170ab44e4c08d2088104a02aae5f40_JaffaCakes118.exe	powershell.exe
PID 3076 wrote to memory of 552	3076	f8170ab44e4c08d2088104a02aae5f40_JaffaCakes118.exe	powershell.exe
PID 3076 wrote to memory of 552	3076	f8170ab44e4c08d2088104a02aae5f40_JaffaCakes118.exe	powershell.exe
PID 3076 wrote to memory of 552	3076	f8170ab44e4c08d2088104a02aae5f40_JaffaCakes118.exe	powershell.exe

C:\Users\Admin\AppData\Local\Temp\f8170ab44e4c08d2088104a02aae5f40_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f8170ab44e4c08d2088104a02aae5f40_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3076

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection Google.com
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3632

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection Google.com
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5096

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection Google.com
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2684

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection Google.com
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2172

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection Google.com
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3100

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection Google.com
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4820

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection Google.com
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1840

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection Google.com
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2316

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection Google.com
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3216

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection Google.com
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4560

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection Google.com
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4992

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection Google.com
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2224

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection Google.com
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:456

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection Google.com
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3868

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection Google.com
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:552

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4440 --field-trial-handle=2248,i,10247514684337323751,15511974759131734137,262144 --variations-seed-version /prefetch:8
1⤵
PID:1224

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
Filesize
2KB

MD5
0774a05ce5ee4c1af7097353c9296c62

SHA1
658ff96b111c21c39d7ad5f510fb72f9762114bb

SHA256
d9c5347ed06755feeb0615f1671f6b91e2718703da0dbc4b0bd205cbd2896dd4

SHA512
104d69fc4f4aaa5070b78ada130228939c7e01436351166fe51fe2da8a02f9948e6d92dd676f62820da1813872b91411e2f863c9a98a760581ec34d4aa354994

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
Filesize
53KB

MD5
d4d8cef58818612769a698c291ca3b37

SHA1
54e0a6e0c08723157829cea009ec4fe30bea5c50

SHA256
98fd693b92a71e24110ce7d018a117757ffdfe0e551a33c5fa5d8888a2d74fb0

SHA512
f165b1dde8f251e95d137a466d9bb77240396e289d1b2f8f1e9a28a6470545df07d00da6449250a1a0d73364c9cb6c00fd6229a385585a734da1ac65ac7e57f6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
18KB

MD5
d325cfe1690cac679d6db6ee61c75614

SHA1
f5e8102f2e4d07b9b016addeb648e67a958a6242

SHA256
e70238629ffd150a642016f458ded53c67464e573b81c1cb43d0b2f56727347e

SHA512
9d50586435427744407194308a89f130097dd932c4d532fd5a6e87c1bc409ca786faf0b8fdacc24e9c98395a0d9c3adfdd383eaa5463d6b8fa8a7ba38ce0c823

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
18KB

MD5
988dd4c163501e0c1bb41aa5d39b45f8

SHA1
caddfa78e75970eca2446916191ba4defbb0fc8d

SHA256
3d00fc687372cd9543ed6132495e0e3c34dea4bc3cc08c785d574b28eac843ae

SHA512
5316aca03362c653eac48e43476b5f3d3ad0a9287bc21b4ddb1a47bfdc6439574b1f0b09a5c6a35e316bdd77cd4ca0a3598bfe415e8773dc6618214ab0581dd0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
18KB

MD5
64078470d214cf3134d061c1c13970f8

SHA1
680c79cae63487ddeab20b7a79e7f90cf294d6fa

SHA256
5c60c4e1f90f5bf8b6be35cba92fe57bd2e010b288a8fa9c265d82c09b76d146

SHA512
eb4c109f49c6202cfe65933bcd9ae9088aa1dbe35cb2cbfbc11bd2dccc7791a0ba1a12db2c2c823af3921d0296b6fa2e3648c356069c305daf473daad192b3c2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
18KB

MD5
53aaa082266ccc87d05fdd9222f977c5

SHA1
e2a1a700476ab88cde662b6aacea3384d36e52c8

SHA256
e8f8961ee5c02045449eccd7f6ed16a59436177c9390bfc51a3c37c522e866f5

SHA512
12b31dba639d570751750f7212718dfe8f63757884ff01f164116f8b9cd1766dbd97e1778e2aa48977b44a064a5be6741b7f308286453f37adf14d19f87852d9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
18KB

MD5
069aaaa802c91b8ad7b9bdd1bddc1f5f

SHA1
79a2d394e929758d85080f2edf3147e6cc9bd77a

SHA256
06fc2641a467501e7cdfb4046a1755f91d184e3e7a24e512397865f3c5cb92f3

SHA512
38a4fe5f290fe8f92134fbe9bc45e948b93292f319c9007e39098f6a4753bb70c7995d2b62dcbb90cf6334fcdb5383dd63a50ebf227c1437850bb37aa282cf1c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
18KB

MD5
f49337712ccaf0de81e2debb91660f05

SHA1
973bcef397e3ef277ee1540b54b33347e4f025e0

SHA256
3c7b43c4da716304ef4242bb52c4a15a286db7501d906bfc8c3faa038f28be58

SHA512
de7212c55bfefb4e17f3a30a53036ed2c183754c2f580520cd145add58dcab0aed024be743eee45b3820f6f1deb074ba70aa2fbca88d7eb951c159b4151b71da

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
18KB

MD5
f4a118db52dbed7e436505b64d116046

SHA1
927e4112e6cbaa0d6cf1db84104c9d504daefa8c

SHA256
0b69901593523a66d80f76e03fff276c8b4d63b871fb103e4deacb32da994f69

SHA512
921bd5fb8255968ce0a01860609f08effce0a462bee7eca1692ba03ce1104fdd7871fd834d5d939630d876ba9b72db54fda4ce4cfa083fb5706d914dd5c396a6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
18KB

MD5
e0653623c14d095b4861f12d3bd9bf93

SHA1
863ef8e872b682385ba05a2ad8d6a6074a17560c

SHA256
78cb6560f8e3b72419a9f5c4634c8ef6bebeca734bf3e4061da0e8ab32492f93

SHA512
1ddb41fbf81901dd270d3c23573772319c7dbcd0da9a6fa90f91c9dcc0a5f7e1bf66cb22b88b10c4e3d7c3ce94908bb4dd3c043a1cbdc357706c1025611f3865

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
18KB

MD5
c863760e4970128bf8b84dbae50c4b14

SHA1
b8d1a468cce272cd8ec2bad19155ee11cca82f8a

SHA256
f7f659684d3a4c6abb8fc17660b6fb9022378d449de2a449adbf56107aaca252

SHA512
e1613a2a9f63eb7ddbd3b2f434af60839f0e87dd547d14732b2d3c81e97657bb7061c160eb304e12ae74758a85d2848ab369011246cf843e2b1aa40c2848e69b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
18KB

MD5
0b6e6addff64bb2f4bfe372dc0bec503

SHA1
25739609cfc01c948184bf64c19ad49df3d07e61

SHA256
2d6ceb32faba7c3c6e843146e40cdb0c69a31ea52d58fc933322b9d60c6e0eb7

SHA512
470e58155278fe5f661eef6c9fd75dea4fd87773d4eaf70634f6bc26f9739bc4720e5a5c45b38807effd51973b96c1dce93917233831d2cd8faaa9434df15dc9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
19KB

MD5
37626b5739267e68cb572f506973b9c9

SHA1
00490524a4f548b8f72fe315ebbe9cecd62de53e

SHA256
5bf1fb0ff613b562496394bd46f3565d0ec35d017c42d4f8772771d6d77f7158

SHA512
6070daeb23096680cb585ea04cd85737902f54d7d2775bb0b38917815090cb05b2ac43622956fc351a756b36cf61f71fdff57390ea4d12d7c318429ea6e3a107

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
18KB

MD5
eba1eb2627ca7bf0afe1166211b0ac74

SHA1
8fb46ddda3ddc9801ed3489b273853a6419f35e4

SHA256
82b97ca6bcf455e67d39fea53859d88fdafe05867e5967f4f2be12ba5491d5f0

SHA512
4cded9ccffc307d871c00bf3cc5333ef63dbf837b36633ef246bf42a197f5f8c88078c20de303be3b9479d235e53ec76dd8ee05c757f42bf57a736d472b26cf8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
18KB

MD5
3c687e7883cba0a0af2ff779098b52bf

SHA1
07426b1d43f3c3c6c20148352d53abe37ff6ea28

SHA256
dabb231835ad7592cf68b3f9ec852dfda178443beb9d1237c29e93ba5e923f39

SHA512
877c84cf7c7dbf02e2ef45c811484dc1befc64b5d8308236b77c7fb60824c616a84537e6e2e2114ee1ada0014c8c74cc7058ffc52217bb80b2efbcaeb57fc63d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
18KB

MD5
a0cd3fea1340c92d1a65358f773593c8

SHA1
19893342f74568614902f8fe28a8b91c86f3270f

SHA256
c10168fe10ab847f90ddb956f79d0e11879cd042c46f7c0b5830d1303b0b6054

SHA512
4db3b835c630d5578f82728aaac63c81d223c172f893d07be95cd3da2180bfb0a54411112b1176222c8223a53f6c3ade3f5c014ee79c967474a80426c143d2a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_1il2120q.z1r.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/1840-125-0x0000000006500000-0x0000000006854000-memory.dmp

Filesize
3.3MB

Download
memory/1840-114-0x0000000074E40000-0x00000000755F0000-memory.dmp

Filesize
7.7MB

Download
memory/1840-115-0x0000000005470000-0x0000000005480000-memory.dmp

Filesize
64KB

Download
memory/1840-128-0x0000000074E40000-0x00000000755F0000-memory.dmp

Filesize
7.7MB

Download
memory/2172-70-0x0000000074E40000-0x00000000755F0000-memory.dmp

Filesize
7.7MB

Download
memory/2172-81-0x0000000005DD0000-0x0000000006124000-memory.dmp

Filesize
3.3MB

Download
memory/2172-71-0x0000000004F10000-0x0000000004F20000-memory.dmp

Filesize
64KB

Download
memory/2172-84-0x0000000074E40000-0x00000000755F0000-memory.dmp

Filesize
7.7MB

Download
memory/2316-129-0x0000000074E40000-0x00000000755F0000-memory.dmp

Filesize
7.7MB

Download
memory/2316-130-0x0000000002350000-0x0000000002360000-memory.dmp

Filesize
64KB

Download
memory/2316-142-0x0000000074E40000-0x00000000755F0000-memory.dmp

Filesize
7.7MB

Download
memory/2684-69-0x0000000074E40000-0x00000000755F0000-memory.dmp

Filesize
7.7MB

Download
memory/2684-57-0x0000000002C30000-0x0000000002C40000-memory.dmp

Filesize
64KB

Download
memory/2684-56-0x0000000002C30000-0x0000000002C40000-memory.dmp

Filesize
64KB

Download
memory/2684-55-0x0000000074E40000-0x00000000755F0000-memory.dmp

Filesize
7.7MB

Download
memory/3076-250-0x00000000009A0000-0x0000000000A13000-memory.dmp

Filesize
460KB

Download
memory/3076-258-0x00000000009A0000-0x0000000000A13000-memory.dmp

Filesize
460KB

Download
memory/3076-284-0x00000000009A0000-0x0000000000A13000-memory.dmp

Filesize
460KB

Download
memory/3076-286-0x00000000009A0000-0x0000000000A13000-memory.dmp

Filesize
460KB

Download
memory/3076-288-0x00000000009A0000-0x0000000000A13000-memory.dmp

Filesize
460KB

Download
memory/3076-292-0x00000000009A0000-0x0000000000A13000-memory.dmp

Filesize
460KB

Download
memory/3076-294-0x00000000009A0000-0x0000000000A13000-memory.dmp

Filesize
460KB

Download
memory/3076-300-0x00000000009A0000-0x0000000000A13000-memory.dmp

Filesize
460KB

Download
memory/3076-31-0x0000000004C00000-0x0000000004C10000-memory.dmp

Filesize
64KB

Download
memory/3076-302-0x00000000009A0000-0x0000000000A13000-memory.dmp

Filesize
460KB

Download
memory/3076-306-0x00000000009A0000-0x0000000000A13000-memory.dmp

Filesize
460KB

Download
memory/3076-308-0x00000000009A0000-0x0000000000A13000-memory.dmp

Filesize
460KB

Download
memory/3076-246-0x00000000009A0000-0x0000000000A13000-memory.dmp

Filesize
460KB

Download
memory/3076-245-0x00000000009A0000-0x0000000000A13000-memory.dmp

Filesize
460KB

Download
memory/3076-1-0x0000000000010000-0x0000000000100000-memory.dmp

Filesize
960KB

Download
memory/3076-27-0x0000000074E40000-0x00000000755F0000-memory.dmp

Filesize
7.7MB

Download
memory/3076-2-0x0000000005110000-0x00000000056B4000-memory.dmp

Filesize
5.6MB

Download
memory/3076-304-0x00000000009A0000-0x0000000000A13000-memory.dmp

Filesize
460KB

Download
memory/3076-298-0x00000000009A0000-0x0000000000A13000-memory.dmp

Filesize
460KB

Download
memory/3076-296-0x00000000009A0000-0x0000000000A13000-memory.dmp

Filesize
460KB

Download
memory/3076-290-0x00000000009A0000-0x0000000000A13000-memory.dmp

Filesize
460KB

Download
memory/3076-282-0x00000000009A0000-0x0000000000A13000-memory.dmp

Filesize
460KB

Download
memory/3076-280-0x00000000009A0000-0x0000000000A13000-memory.dmp

Filesize
460KB

Download
memory/3076-274-0x00000000009A0000-0x0000000000A13000-memory.dmp

Filesize
460KB

Download
memory/3076-278-0x00000000009A0000-0x0000000000A13000-memory.dmp

Filesize
460KB

Download
memory/3076-276-0x00000000009A0000-0x0000000000A13000-memory.dmp

Filesize
460KB

Download
memory/3076-268-0x00000000009A0000-0x0000000000A13000-memory.dmp

Filesize
460KB

Download
memory/3076-272-0x00000000009A0000-0x0000000000A13000-memory.dmp

Filesize
460KB

Download
memory/3076-270-0x00000000009A0000-0x0000000000A13000-memory.dmp

Filesize
460KB

Download
memory/3076-254-0x00000000009A0000-0x0000000000A13000-memory.dmp

Filesize
460KB

Download
memory/3076-3-0x0000000004AB0000-0x0000000004B42000-memory.dmp

Filesize
584KB

Download
memory/3076-4-0x0000000004C00000-0x0000000004C10000-memory.dmp

Filesize
64KB

Download
memory/3076-0-0x0000000074E40000-0x00000000755F0000-memory.dmp

Filesize
7.7MB

Download
memory/3076-5-0x0000000004B80000-0x0000000004B8A000-memory.dmp

Filesize
40KB

Download
memory/3076-266-0x00000000009A0000-0x0000000000A13000-memory.dmp

Filesize
460KB

Download
memory/3076-252-0x00000000009A0000-0x0000000000A13000-memory.dmp

Filesize
460KB

Download
memory/3076-256-0x00000000009A0000-0x0000000000A13000-memory.dmp

Filesize
460KB

Download
memory/3076-248-0x00000000009A0000-0x0000000000A13000-memory.dmp

Filesize
460KB

Download
memory/3076-262-0x00000000009A0000-0x0000000000A13000-memory.dmp

Filesize
460KB

Download
memory/3076-6-0x0000000004D40000-0x0000000004D96000-memory.dmp

Filesize
344KB

Download
memory/3076-264-0x00000000009A0000-0x0000000000A13000-memory.dmp

Filesize
460KB

Download
memory/3076-260-0x00000000009A0000-0x0000000000A13000-memory.dmp

Filesize
460KB

Download
memory/3100-99-0x0000000074E40000-0x00000000755F0000-memory.dmp

Filesize
7.7MB

Download
memory/3100-87-0x00000000021D0000-0x00000000021E0000-memory.dmp

Filesize
64KB

Download
memory/3100-86-0x00000000021D0000-0x00000000021E0000-memory.dmp

Filesize
64KB

Download
memory/3100-85-0x0000000074E40000-0x00000000755F0000-memory.dmp

Filesize
7.7MB

Download
memory/3216-158-0x0000000074E40000-0x00000000755F0000-memory.dmp

Filesize
7.7MB

Download
memory/3216-155-0x0000000006180000-0x00000000064D4000-memory.dmp

Filesize
3.3MB

Download
memory/3216-145-0x0000000005340000-0x0000000005350000-memory.dmp

Filesize
64KB

Download
memory/3216-143-0x0000000074E40000-0x00000000755F0000-memory.dmp

Filesize
7.7MB

Download
memory/3216-144-0x0000000005340000-0x0000000005350000-memory.dmp

Filesize
64KB

Download
memory/3632-24-0x0000000005710000-0x0000000005A64000-memory.dmp

Filesize
3.3MB

Download
memory/3632-14-0x00000000056A0000-0x0000000005706000-memory.dmp

Filesize
408KB

Download
memory/3632-37-0x0000000074E40000-0x00000000755F0000-memory.dmp

Filesize
7.7MB

Download
memory/3632-33-0x0000000074E40000-0x00000000755F0000-memory.dmp

Filesize
7.7MB

Download
memory/3632-32-0x0000000007EF0000-0x000000000856A000-memory.dmp

Filesize
6.5MB

Download
memory/3632-30-0x0000000006230000-0x0000000006252000-memory.dmp

Filesize
136KB

Download
memory/3632-29-0x00000000061E0000-0x00000000061FA000-memory.dmp

Filesize
104KB

Download
memory/3632-28-0x0000000006280000-0x0000000006316000-memory.dmp

Filesize
600KB

Download
memory/3632-7-0x0000000004730000-0x0000000004766000-memory.dmp

Filesize
216KB

Download
memory/3632-8-0x0000000074E40000-0x00000000755F0000-memory.dmp

Filesize
7.7MB

Download
memory/3632-9-0x00000000048C0000-0x00000000048D0000-memory.dmp

Filesize
64KB

Download
memory/3632-10-0x00000000048C0000-0x00000000048D0000-memory.dmp

Filesize
64KB

Download
memory/3632-11-0x0000000004F00000-0x0000000005528000-memory.dmp

Filesize
6.2MB

Download
memory/3632-12-0x0000000005560000-0x0000000005582000-memory.dmp

Filesize
136KB

Download
memory/3632-13-0x0000000005630000-0x0000000005696000-memory.dmp

Filesize
408KB

Download
memory/3632-26-0x0000000005D50000-0x0000000005D9C000-memory.dmp

Filesize
304KB

Download
memory/3632-25-0x0000000004A70000-0x0000000004A8E000-memory.dmp

Filesize
120KB

Download
memory/4560-159-0x0000000074E40000-0x00000000755F0000-memory.dmp

Filesize
7.7MB

Download
memory/4560-173-0x0000000074E40000-0x00000000755F0000-memory.dmp

Filesize
7.7MB

Download
memory/4560-160-0x00000000029E0000-0x00000000029F0000-memory.dmp

Filesize
64KB

Download
memory/4560-161-0x00000000029E0000-0x00000000029F0000-memory.dmp

Filesize
64KB

Download
memory/4820-110-0x0000000005460000-0x00000000057B4000-memory.dmp

Filesize
3.3MB

Download
memory/4820-100-0x0000000074E40000-0x00000000755F0000-memory.dmp

Filesize
7.7MB

Download
memory/4820-113-0x0000000074E40000-0x00000000755F0000-memory.dmp

Filesize
7.7MB

Download
memory/4992-187-0x0000000074E40000-0x00000000755F0000-memory.dmp

Filesize
7.7MB

Download
memory/4992-174-0x0000000074E40000-0x00000000755F0000-memory.dmp

Filesize
7.7MB

Download
memory/4992-175-0x0000000002520000-0x0000000002530000-memory.dmp

Filesize
64KB

Download
memory/5096-54-0x0000000074E40000-0x00000000755F0000-memory.dmp

Filesize
7.7MB

Download
memory/5096-39-0x0000000074E40000-0x00000000755F0000-memory.dmp

Filesize
7.7MB

Download
memory/5096-40-0x0000000002B20000-0x0000000002B30000-memory.dmp

Filesize
64KB

Download
memory/5096-50-0x0000000005E70000-0x00000000061C4000-memory.dmp

Filesize
3.3MB

Download