zgrat | 7e5dd61d1a28a21f3eeaf8ff3723b69019f83be520b6ad986a57b5de05dab438

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
20-04-2024 16:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fd212aeaf2a519e24276516eeb1dedef_JaffaCakes118.exe
Size

480KB
MD5

fd212aeaf2a519e24276516eeb1dedef
SHA1

55bb12aaac948f80f17d0f2b45db7992b92683ce
SHA256

7e5dd61d1a28a21f3eeaf8ff3723b69019f83be520b6ad986a57b5de05dab438
SHA512

8534c379b89c9c4d3f4d37dbe06bbba744e9fde7e5ff53d20eaa88eb166dc3d24e27221445546e849a34678d53b030ee5f58a72f395cf8a5e45d86e64c75508a
SSDEEP

12288:gZycYZmPGAD5HHT6O1FaxE6z1Jy7tMfHEce:gMcYZmeOz6MWE6z1JGtdce

Score

10^/10

zgrat rat

Malware Config

Signatures

Detect ZGRat V1 33 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1704-176-0x00000000009A0000-0x0000000000A09000-memory.dmp	family_zgrat_v1
behavioral2/memory/1704-177-0x00000000009A0000-0x0000000000A09000-memory.dmp	family_zgrat_v1
behavioral2/memory/1704-179-0x00000000009A0000-0x0000000000A09000-memory.dmp	family_zgrat_v1
behavioral2/memory/1704-181-0x00000000009A0000-0x0000000000A09000-memory.dmp	family_zgrat_v1
behavioral2/memory/1704-183-0x00000000009A0000-0x0000000000A09000-memory.dmp	family_zgrat_v1
behavioral2/memory/1704-185-0x00000000009A0000-0x0000000000A09000-memory.dmp	family_zgrat_v1
behavioral2/memory/1704-187-0x00000000009A0000-0x0000000000A09000-memory.dmp	family_zgrat_v1
behavioral2/memory/1704-189-0x00000000009A0000-0x0000000000A09000-memory.dmp	family_zgrat_v1
behavioral2/memory/1704-191-0x00000000009A0000-0x0000000000A09000-memory.dmp	family_zgrat_v1
behavioral2/memory/1704-193-0x00000000009A0000-0x0000000000A09000-memory.dmp	family_zgrat_v1
behavioral2/memory/1704-195-0x00000000009A0000-0x0000000000A09000-memory.dmp	family_zgrat_v1
behavioral2/memory/1704-197-0x00000000009A0000-0x0000000000A09000-memory.dmp	family_zgrat_v1
behavioral2/memory/1704-199-0x00000000009A0000-0x0000000000A09000-memory.dmp	family_zgrat_v1
behavioral2/memory/1704-201-0x00000000009A0000-0x0000000000A09000-memory.dmp	family_zgrat_v1
behavioral2/memory/1704-203-0x00000000009A0000-0x0000000000A09000-memory.dmp	family_zgrat_v1
behavioral2/memory/1704-205-0x00000000009A0000-0x0000000000A09000-memory.dmp	family_zgrat_v1
behavioral2/memory/1704-207-0x00000000009A0000-0x0000000000A09000-memory.dmp	family_zgrat_v1
behavioral2/memory/1704-209-0x00000000009A0000-0x0000000000A09000-memory.dmp	family_zgrat_v1
behavioral2/memory/1704-211-0x00000000009A0000-0x0000000000A09000-memory.dmp	family_zgrat_v1
behavioral2/memory/1704-213-0x00000000009A0000-0x0000000000A09000-memory.dmp	family_zgrat_v1
behavioral2/memory/1704-215-0x00000000009A0000-0x0000000000A09000-memory.dmp	family_zgrat_v1
behavioral2/memory/1704-217-0x00000000009A0000-0x0000000000A09000-memory.dmp	family_zgrat_v1
behavioral2/memory/1704-219-0x00000000009A0000-0x0000000000A09000-memory.dmp	family_zgrat_v1
behavioral2/memory/1704-221-0x00000000009A0000-0x0000000000A09000-memory.dmp	family_zgrat_v1
behavioral2/memory/1704-223-0x00000000009A0000-0x0000000000A09000-memory.dmp	family_zgrat_v1
behavioral2/memory/1704-225-0x00000000009A0000-0x0000000000A09000-memory.dmp	family_zgrat_v1
behavioral2/memory/1704-227-0x00000000009A0000-0x0000000000A09000-memory.dmp	family_zgrat_v1
behavioral2/memory/1704-229-0x00000000009A0000-0x0000000000A09000-memory.dmp	family_zgrat_v1
behavioral2/memory/1704-231-0x00000000009A0000-0x0000000000A09000-memory.dmp	family_zgrat_v1
behavioral2/memory/1704-233-0x00000000009A0000-0x0000000000A09000-memory.dmp	family_zgrat_v1
behavioral2/memory/1704-235-0x00000000009A0000-0x0000000000A09000-memory.dmp	family_zgrat_v1
behavioral2/memory/1704-237-0x00000000009A0000-0x0000000000A09000-memory.dmp	family_zgrat_v1
behavioral2/memory/1704-239-0x00000000009A0000-0x0000000000A09000-memory.dmp	family_zgrat_v1

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

fd212aeaf2a519e24276516eeb1dedef_JaffaCakes118.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\Control Panel\International\Geo\Nation	fd212aeaf2a519e24276516eeb1dedef_JaffaCakes118.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

fd212aeaf2a519e24276516eeb1dedef_JaffaCakes118.exe

description	pid	process	target process
PID 1704 set thread context of 4648	1704	fd212aeaf2a519e24276516eeb1dedef_JaffaCakes118.exe	fd212aeaf2a519e24276516eeb1dedef_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 23 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exefd212aeaf2a519e24276516eeb1dedef_JaffaCakes118.exe

pid	process
4064	powershell.exe
4064	powershell.exe
3244	powershell.exe
3244	powershell.exe
4124	powershell.exe
4124	powershell.exe
5008	powershell.exe
5008	powershell.exe
2136	powershell.exe
2136	powershell.exe
3300	powershell.exe
3300	powershell.exe
740	powershell.exe
740	powershell.exe
832	powershell.exe
832	powershell.exe
4980	powershell.exe
4980	powershell.exe
2084	powershell.exe
2084	powershell.exe
2084	powershell.exe
1704	fd212aeaf2a519e24276516eeb1dedef_JaffaCakes118.exe
1704	fd212aeaf2a519e24276516eeb1dedef_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

powershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	4064	powershell.exe
Token: SeIncreaseQuotaPrivilege	4064	powershell.exe
Token: SeSecurityPrivilege	4064	powershell.exe
Token: SeTakeOwnershipPrivilege	4064	powershell.exe
Token: SeLoadDriverPrivilege	4064	powershell.exe
Token: SeSystemProfilePrivilege	4064	powershell.exe
Token: SeSystemtimePrivilege	4064	powershell.exe
Token: SeProfSingleProcessPrivilege	4064	powershell.exe
Token: SeIncBasePriorityPrivilege	4064	powershell.exe
Token: SeCreatePagefilePrivilege	4064	powershell.exe
Token: SeBackupPrivilege	4064	powershell.exe
Token: SeRestorePrivilege	4064	powershell.exe
Token: SeShutdownPrivilege	4064	powershell.exe
Token: SeDebugPrivilege	4064	powershell.exe
Token: SeSystemEnvironmentPrivilege	4064	powershell.exe
Token: SeRemoteShutdownPrivilege	4064	powershell.exe
Token: SeUndockPrivilege	4064	powershell.exe
Token: SeManageVolumePrivilege	4064	powershell.exe
Token: 33	4064	powershell.exe
Token: 34	4064	powershell.exe
Token: 35	4064	powershell.exe
Token: 36	4064	powershell.exe
Token: SeIncreaseQuotaPrivilege	4064	powershell.exe
Token: SeSecurityPrivilege	4064	powershell.exe
Token: SeTakeOwnershipPrivilege	4064	powershell.exe
Token: SeLoadDriverPrivilege	4064	powershell.exe
Token: SeSystemProfilePrivilege	4064	powershell.exe
Token: SeSystemtimePrivilege	4064	powershell.exe
Token: SeProfSingleProcessPrivilege	4064	powershell.exe
Token: SeIncBasePriorityPrivilege	4064	powershell.exe
Token: SeCreatePagefilePrivilege	4064	powershell.exe
Token: SeBackupPrivilege	4064	powershell.exe
Token: SeRestorePrivilege	4064	powershell.exe
Token: SeShutdownPrivilege	4064	powershell.exe
Token: SeDebugPrivilege	4064	powershell.exe
Token: SeSystemEnvironmentPrivilege	4064	powershell.exe
Token: SeRemoteShutdownPrivilege	4064	powershell.exe
Token: SeUndockPrivilege	4064	powershell.exe
Token: SeManageVolumePrivilege	4064	powershell.exe
Token: 33	4064	powershell.exe
Token: 34	4064	powershell.exe
Token: 35	4064	powershell.exe
Token: 36	4064	powershell.exe
Token: SeDebugPrivilege	3244	powershell.exe
Token: SeIncreaseQuotaPrivilege	3244	powershell.exe
Token: SeSecurityPrivilege	3244	powershell.exe
Token: SeTakeOwnershipPrivilege	3244	powershell.exe
Token: SeLoadDriverPrivilege	3244	powershell.exe
Token: SeSystemProfilePrivilege	3244	powershell.exe
Token: SeSystemtimePrivilege	3244	powershell.exe
Token: SeProfSingleProcessPrivilege	3244	powershell.exe
Token: SeIncBasePriorityPrivilege	3244	powershell.exe
Token: SeCreatePagefilePrivilege	3244	powershell.exe
Token: SeBackupPrivilege	3244	powershell.exe
Token: SeRestorePrivilege	3244	powershell.exe
Token: SeShutdownPrivilege	3244	powershell.exe
Token: SeDebugPrivilege	3244	powershell.exe
Token: SeSystemEnvironmentPrivilege	3244	powershell.exe
Token: SeRemoteShutdownPrivilege	3244	powershell.exe
Token: SeUndockPrivilege	3244	powershell.exe
Token: SeManageVolumePrivilege	3244	powershell.exe
Token: 33	3244	powershell.exe
Token: 34	3244	powershell.exe
Token: 35	3244	powershell.exe

Suspicious use of WriteProcessMemory 38 IoCs

Processes:

fd212aeaf2a519e24276516eeb1dedef_JaffaCakes118.exe

description	pid	process	target process
PID 1704 wrote to memory of 4064	1704	fd212aeaf2a519e24276516eeb1dedef_JaffaCakes118.exe	powershell.exe
PID 1704 wrote to memory of 4064	1704	fd212aeaf2a519e24276516eeb1dedef_JaffaCakes118.exe	powershell.exe
PID 1704 wrote to memory of 4064	1704	fd212aeaf2a519e24276516eeb1dedef_JaffaCakes118.exe	powershell.exe
PID 1704 wrote to memory of 3244	1704	fd212aeaf2a519e24276516eeb1dedef_JaffaCakes118.exe	powershell.exe
PID 1704 wrote to memory of 3244	1704	fd212aeaf2a519e24276516eeb1dedef_JaffaCakes118.exe	powershell.exe
PID 1704 wrote to memory of 3244	1704	fd212aeaf2a519e24276516eeb1dedef_JaffaCakes118.exe	powershell.exe
PID 1704 wrote to memory of 4124	1704	fd212aeaf2a519e24276516eeb1dedef_JaffaCakes118.exe	powershell.exe
PID 1704 wrote to memory of 4124	1704	fd212aeaf2a519e24276516eeb1dedef_JaffaCakes118.exe	powershell.exe
PID 1704 wrote to memory of 4124	1704	fd212aeaf2a519e24276516eeb1dedef_JaffaCakes118.exe	powershell.exe
PID 1704 wrote to memory of 5008	1704	fd212aeaf2a519e24276516eeb1dedef_JaffaCakes118.exe	powershell.exe
PID 1704 wrote to memory of 5008	1704	fd212aeaf2a519e24276516eeb1dedef_JaffaCakes118.exe	powershell.exe
PID 1704 wrote to memory of 5008	1704	fd212aeaf2a519e24276516eeb1dedef_JaffaCakes118.exe	powershell.exe
PID 1704 wrote to memory of 2136	1704	fd212aeaf2a519e24276516eeb1dedef_JaffaCakes118.exe	powershell.exe
PID 1704 wrote to memory of 2136	1704	fd212aeaf2a519e24276516eeb1dedef_JaffaCakes118.exe	powershell.exe
PID 1704 wrote to memory of 2136	1704	fd212aeaf2a519e24276516eeb1dedef_JaffaCakes118.exe	powershell.exe
PID 1704 wrote to memory of 3300	1704	fd212aeaf2a519e24276516eeb1dedef_JaffaCakes118.exe	powershell.exe
PID 1704 wrote to memory of 3300	1704	fd212aeaf2a519e24276516eeb1dedef_JaffaCakes118.exe	powershell.exe
PID 1704 wrote to memory of 3300	1704	fd212aeaf2a519e24276516eeb1dedef_JaffaCakes118.exe	powershell.exe
PID 1704 wrote to memory of 740	1704	fd212aeaf2a519e24276516eeb1dedef_JaffaCakes118.exe	powershell.exe
PID 1704 wrote to memory of 740	1704	fd212aeaf2a519e24276516eeb1dedef_JaffaCakes118.exe	powershell.exe
PID 1704 wrote to memory of 740	1704	fd212aeaf2a519e24276516eeb1dedef_JaffaCakes118.exe	powershell.exe
PID 1704 wrote to memory of 832	1704	fd212aeaf2a519e24276516eeb1dedef_JaffaCakes118.exe	powershell.exe
PID 1704 wrote to memory of 832	1704	fd212aeaf2a519e24276516eeb1dedef_JaffaCakes118.exe	powershell.exe
PID 1704 wrote to memory of 832	1704	fd212aeaf2a519e24276516eeb1dedef_JaffaCakes118.exe	powershell.exe
PID 1704 wrote to memory of 4980	1704	fd212aeaf2a519e24276516eeb1dedef_JaffaCakes118.exe	powershell.exe
PID 1704 wrote to memory of 4980	1704	fd212aeaf2a519e24276516eeb1dedef_JaffaCakes118.exe	powershell.exe
PID 1704 wrote to memory of 4980	1704	fd212aeaf2a519e24276516eeb1dedef_JaffaCakes118.exe	powershell.exe
PID 1704 wrote to memory of 2084	1704	fd212aeaf2a519e24276516eeb1dedef_JaffaCakes118.exe	powershell.exe
PID 1704 wrote to memory of 2084	1704	fd212aeaf2a519e24276516eeb1dedef_JaffaCakes118.exe	powershell.exe
PID 1704 wrote to memory of 2084	1704	fd212aeaf2a519e24276516eeb1dedef_JaffaCakes118.exe	powershell.exe
PID 1704 wrote to memory of 4648	1704	fd212aeaf2a519e24276516eeb1dedef_JaffaCakes118.exe	fd212aeaf2a519e24276516eeb1dedef_JaffaCakes118.exe
PID 1704 wrote to memory of 4648	1704	fd212aeaf2a519e24276516eeb1dedef_JaffaCakes118.exe	fd212aeaf2a519e24276516eeb1dedef_JaffaCakes118.exe
PID 1704 wrote to memory of 4648	1704	fd212aeaf2a519e24276516eeb1dedef_JaffaCakes118.exe	fd212aeaf2a519e24276516eeb1dedef_JaffaCakes118.exe
PID 1704 wrote to memory of 4648	1704	fd212aeaf2a519e24276516eeb1dedef_JaffaCakes118.exe	fd212aeaf2a519e24276516eeb1dedef_JaffaCakes118.exe
PID 1704 wrote to memory of 4648	1704	fd212aeaf2a519e24276516eeb1dedef_JaffaCakes118.exe	fd212aeaf2a519e24276516eeb1dedef_JaffaCakes118.exe
PID 1704 wrote to memory of 4648	1704	fd212aeaf2a519e24276516eeb1dedef_JaffaCakes118.exe	fd212aeaf2a519e24276516eeb1dedef_JaffaCakes118.exe
PID 1704 wrote to memory of 4648	1704	fd212aeaf2a519e24276516eeb1dedef_JaffaCakes118.exe	fd212aeaf2a519e24276516eeb1dedef_JaffaCakes118.exe
PID 1704 wrote to memory of 4648	1704	fd212aeaf2a519e24276516eeb1dedef_JaffaCakes118.exe	fd212aeaf2a519e24276516eeb1dedef_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\fd212aeaf2a519e24276516eeb1dedef_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\fd212aeaf2a519e24276516eeb1dedef_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1704

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection bing.com
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4064

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection bing.com
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3244

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection bing.com
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4124

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection bing.com
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:5008

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection bing.com
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2136

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection bing.com
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3300

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection bing.com
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:740

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection bing.com
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:832

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection bing.com
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4980

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection bing.com
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2084

C:\Users\Admin\AppData\Local\Temp\fd212aeaf2a519e24276516eeb1dedef_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\fd212aeaf2a519e24276516eeb1dedef_JaffaCakes118.exe
2⤵
PID:4648

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\fd212aeaf2a519e24276516eeb1dedef_JaffaCakes118.exe.log
Filesize
1KB

MD5
b5291f3dcf2c13784e09a057f2e43d13

SHA1
fbb72f4b04269e0d35b1d9c29d02d63dbc7ad07e

SHA256
ad995b51344d71019f96fc3a424de00256065daad8595ff599f6849c87ae75ce

SHA512
11c89caac425bccaa24e2bb24c6f2b4e6d6863278bf8a5304a42bb44475b08ca586e09143e7d5b14db7f1cd9adacd5358769e0d999dc348073431031067bd4d4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
Filesize
2KB

MD5
0774a05ce5ee4c1af7097353c9296c62

SHA1
658ff96b111c21c39d7ad5f510fb72f9762114bb

SHA256
d9c5347ed06755feeb0615f1671f6b91e2718703da0dbc4b0bd205cbd2896dd4

SHA512
104d69fc4f4aaa5070b78ada130228939c7e01436351166fe51fe2da8a02f9948e6d92dd676f62820da1813872b91411e2f863c9a98a760581ec34d4aa354994

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
20KB

MD5
be0ea1c398187bd8f21f1a41321f26ac

SHA1
24b7ccee5039680817bd4dfbb9839638655f9eee

SHA256
4a13fd633eab239f9e4f3d667f90bb16ed9d3e53e0e8b53b8199bc1d70139440

SHA512
5c53ac09e01315bd78b2b0ebe53b40bf124edb1b8725152406c4fd3432700252900a44ef89f2e8a93a45cb5e0a57e87caa76073aa2fd7cf6f9960cb5b468aaaa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
19KB

MD5
63f28f5a1de7452368cf9cfb0695a085

SHA1
9d0542cbe041ddf03de20a6b9c63dbbbdac8af56

SHA256
71058ef783a11b0d998528dca6a74435bdc72dd0e199aba11e069a01613a8ce2

SHA512
c8184960461e589c9f64a0c5797c596e9267df677fe58aa05be67c9eebcad522e1d52e2393013b031683dd06580854d4d1d9afbebae2fdd14823bef3e88d18c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
20KB

MD5
731eff5861933266f8f46ac2ae8d6f12

SHA1
d2edce964d44945931ed25f71b417b89f6ef111d

SHA256
8bcf66fe618041b0401f1a9b677d3d7787d4e08279a9db47b6e5fb9c17635e13

SHA512
3d7b77f23981a3b06c246d96bd23239e6b9dd0d25aa29f8357576e31aebce3a898cacdddf252a54a966a402c96b9f01100105b3d92acf18ed7a14a67faba558b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
20KB

MD5
a4142f041f434497271f16c9cda1a7d7

SHA1
abbf23f6b2dfe19bb7981b7fe6e24ce8e8582640

SHA256
73db15ce4e388e1501f8c5338e68118776b45c669b85ff299533a53e1bd0c04b

SHA512
2c0dcdd44d2143c7f7113bb4a9079f67bd794adf2f50dcf28058c337260a244c6890fc48849decfd8202809a4582810a7dc6df6dddb86a7ada4c65889ab14c10

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
20KB

MD5
a4175a6422d695e94e39efd46a167b73

SHA1
52bd0cae3162acd4539fb4d1ba950eb4853bf1cf

SHA256
61154f4534bdd5590497b7dd7273d4807e5d8c455e7beb0db330616801ec3d1c

SHA512
bcb6ea97e3e6537dc447443331ab12c8aba56ad5e8b55a3f90edbdfbaa6df70833b51293f69d6079e7614a251f0f94ab14091424525a07c61812cfa79d591239

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
20KB

MD5
00efa9e6c11e3692b3d167ed1bb92057

SHA1
a5ef789717bde29fd895c5f1bd273fed40c5e8b7

SHA256
b2720250e61815cf14edb3932ea58de5f6cf0f1c99b3f6cd738cdb904d8ff33e

SHA512
99a4dee7d44ef472907d706a6ba0d104312dd7199260c569405bb28ef2cda14064d22513a35e2bb21a386464d1ba50f351c859606457d8f1b59aaf01adf699d7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
19KB

MD5
feebd1bce64ab42c145beca513713aca

SHA1
d891966595d4b21c1624733c3aaddcc8d3afcc56

SHA256
68bbe327f040188dbc8823a7903673b0371d6851824f8c9fd18b97952c18707a

SHA512
68f3a35fa1791416b9f4225c5ec6ba09085d52c8df6450f91a8d079f041ed18178eb095dc32871bddede871d664a99eb3135ff9c1ac0acd89221b146c882316d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
19KB

MD5
77c5ea3427515e5db4856b514e4bd484

SHA1
d5c37692566dc5fcb5dc91fe18c3cb7892fd02b2

SHA256
6af9bc3e24fd7bbfcbc29fb5c3bda92c5d8aedbd0d1a376c85a43772db7b81c8

SHA512
fe74189cac5f8cc6809d51471470da306308de54075a548eca717fdcdb54edb9e310555d5843d369854c2c3e7f4065c79a175e5ed59503e63215484eed26b4ab

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
19KB

MD5
2d95ccda8a9642534ae77348c2ad9d13

SHA1
83e248dd2f1d435926066beaa60426afecab2cf4

SHA256
0617d87d64e0769106fe7ea1e0a3d565b7ec599c089c0fed443e4447cf48dc51

SHA512
e4fb15bb5896356d39ad75762f0a7856f2e2faa36a05978ab45ec1555be1a8c708f8ab44c97e992d1f3b091cb2df5ae5f8d4f143d8cd190512f6844524c63f41

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_mhbv0zcy.tfe.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/740-112-0x00000000053E0000-0x00000000053F0000-memory.dmp

Filesize
64KB

Download
memory/740-111-0x0000000074C00000-0x00000000753B0000-memory.dmp

Filesize
7.7MB

Download
memory/740-113-0x00000000053E0000-0x00000000053F0000-memory.dmp

Filesize
64KB

Download
memory/740-125-0x0000000074C00000-0x00000000753B0000-memory.dmp

Filesize
7.7MB

Download
memory/832-140-0x0000000074C00000-0x00000000753B0000-memory.dmp

Filesize
7.7MB

Download
memory/832-126-0x0000000074C00000-0x00000000753B0000-memory.dmp

Filesize
7.7MB

Download
memory/832-127-0x00000000021D0000-0x00000000021E0000-memory.dmp

Filesize
64KB

Download
memory/832-128-0x00000000021D0000-0x00000000021E0000-memory.dmp

Filesize
64KB

Download
memory/1704-36-0x0000000074C00000-0x00000000753B0000-memory.dmp

Filesize
7.7MB

Download
memory/1704-203-0x00000000009A0000-0x0000000000A09000-memory.dmp

Filesize
420KB

Download
memory/1704-1-0x0000000074C00000-0x00000000753B0000-memory.dmp

Filesize
7.7MB

Download
memory/1704-239-0x00000000009A0000-0x0000000000A09000-memory.dmp

Filesize
420KB

Download
memory/1704-237-0x00000000009A0000-0x0000000000A09000-memory.dmp

Filesize
420KB

Download
memory/1704-235-0x00000000009A0000-0x0000000000A09000-memory.dmp

Filesize
420KB

Download
memory/1704-0-0x00000000000F0000-0x000000000016E000-memory.dmp

Filesize
504KB

Download
memory/1704-233-0x00000000009A0000-0x0000000000A09000-memory.dmp

Filesize
420KB

Download
memory/1704-231-0x00000000009A0000-0x0000000000A09000-memory.dmp

Filesize
420KB

Download
memory/1704-229-0x00000000009A0000-0x0000000000A09000-memory.dmp

Filesize
420KB

Download
memory/1704-227-0x00000000009A0000-0x0000000000A09000-memory.dmp

Filesize
420KB

Download
memory/1704-51-0x0000000004D80000-0x0000000004D90000-memory.dmp

Filesize
64KB

Download
memory/1704-225-0x00000000009A0000-0x0000000000A09000-memory.dmp

Filesize
420KB

Download
memory/1704-223-0x00000000009A0000-0x0000000000A09000-memory.dmp

Filesize
420KB

Download
memory/1704-221-0x00000000009A0000-0x0000000000A09000-memory.dmp

Filesize
420KB

Download
memory/1704-219-0x00000000009A0000-0x0000000000A09000-memory.dmp

Filesize
420KB

Download
memory/1704-217-0x00000000009A0000-0x0000000000A09000-memory.dmp

Filesize
420KB

Download
memory/1704-215-0x00000000009A0000-0x0000000000A09000-memory.dmp

Filesize
420KB

Download
memory/1704-213-0x00000000009A0000-0x0000000000A09000-memory.dmp

Filesize
420KB

Download
memory/1704-211-0x00000000009A0000-0x0000000000A09000-memory.dmp

Filesize
420KB

Download
memory/1704-209-0x00000000009A0000-0x0000000000A09000-memory.dmp

Filesize
420KB

Download
memory/1704-207-0x00000000009A0000-0x0000000000A09000-memory.dmp

Filesize
420KB

Download
memory/1704-205-0x00000000009A0000-0x0000000000A09000-memory.dmp

Filesize
420KB

Download
memory/1704-3-0x0000000004B00000-0x0000000004B92000-memory.dmp

Filesize
584KB

Download
memory/1704-201-0x00000000009A0000-0x0000000000A09000-memory.dmp

Filesize
420KB

Download
memory/1704-199-0x00000000009A0000-0x0000000000A09000-memory.dmp

Filesize
420KB

Download
memory/1704-197-0x00000000009A0000-0x0000000000A09000-memory.dmp

Filesize
420KB

Download
memory/1704-195-0x00000000009A0000-0x0000000000A09000-memory.dmp

Filesize
420KB

Download
memory/1704-193-0x00000000009A0000-0x0000000000A09000-memory.dmp

Filesize
420KB

Download
memory/1704-191-0x00000000009A0000-0x0000000000A09000-memory.dmp

Filesize
420KB

Download
memory/1704-189-0x00000000009A0000-0x0000000000A09000-memory.dmp

Filesize
420KB

Download
memory/1704-187-0x00000000009A0000-0x0000000000A09000-memory.dmp

Filesize
420KB

Download
memory/1704-185-0x00000000009A0000-0x0000000000A09000-memory.dmp

Filesize
420KB

Download
memory/1704-183-0x00000000009A0000-0x0000000000A09000-memory.dmp

Filesize
420KB

Download
memory/1704-181-0x00000000009A0000-0x0000000000A09000-memory.dmp

Filesize
420KB

Download
memory/1704-179-0x00000000009A0000-0x0000000000A09000-memory.dmp

Filesize
420KB

Download
memory/1704-177-0x00000000009A0000-0x0000000000A09000-memory.dmp

Filesize
420KB

Download
memory/1704-176-0x00000000009A0000-0x0000000000A09000-memory.dmp

Filesize
420KB

Download
memory/1704-174-0x00000000007B0000-0x00000000007CE000-memory.dmp

Filesize
120KB

Download
memory/1704-5-0x0000000004BC0000-0x0000000004BCA000-memory.dmp

Filesize
40KB

Download
memory/1704-4-0x0000000004D80000-0x0000000004D90000-memory.dmp

Filesize
64KB

Download
memory/1704-173-0x0000000000760000-0x00000000007A8000-memory.dmp

Filesize
288KB

Download
memory/1704-172-0x00000000006E0000-0x0000000000756000-memory.dmp

Filesize
472KB

Download
memory/1704-2-0x0000000005190000-0x0000000005734000-memory.dmp

Filesize
5.6MB

Download
memory/2084-171-0x0000000074C00000-0x00000000753B0000-memory.dmp

Filesize
7.7MB

Download
memory/2084-158-0x0000000002DD0000-0x0000000002DE0000-memory.dmp

Filesize
64KB

Download
memory/2084-159-0x0000000002DD0000-0x0000000002DE0000-memory.dmp

Filesize
64KB

Download
memory/2084-157-0x0000000074C00000-0x00000000753B0000-memory.dmp

Filesize
7.7MB

Download
memory/2136-83-0x0000000005010000-0x0000000005020000-memory.dmp

Filesize
64KB

Download
memory/2136-81-0x0000000074C00000-0x00000000753B0000-memory.dmp

Filesize
7.7MB

Download
memory/2136-82-0x0000000005010000-0x0000000005020000-memory.dmp

Filesize
64KB

Download
memory/2136-95-0x0000000074C00000-0x00000000753B0000-memory.dmp

Filesize
7.7MB

Download
memory/3244-34-0x0000000074C00000-0x00000000753B0000-memory.dmp

Filesize
7.7MB

Download
memory/3244-35-0x0000000004600000-0x0000000004610000-memory.dmp

Filesize
64KB

Download
memory/3244-37-0x0000000005480000-0x00000000057D4000-memory.dmp

Filesize
3.3MB

Download
memory/3244-49-0x0000000074C00000-0x00000000753B0000-memory.dmp

Filesize
7.7MB

Download
memory/3300-110-0x0000000074C00000-0x00000000753B0000-memory.dmp

Filesize
7.7MB

Download
memory/3300-96-0x0000000074C00000-0x00000000753B0000-memory.dmp

Filesize
7.7MB

Download
memory/3300-97-0x0000000002760000-0x0000000002770000-memory.dmp

Filesize
64KB

Download
memory/3300-98-0x0000000002760000-0x0000000002770000-memory.dmp

Filesize
64KB

Download
memory/4064-29-0x0000000008790000-0x0000000008E0A000-memory.dmp

Filesize
6.5MB

Download
memory/4064-32-0x0000000074C00000-0x00000000753B0000-memory.dmp

Filesize
7.7MB

Download
memory/4064-12-0x0000000005E30000-0x0000000005E96000-memory.dmp

Filesize
408KB

Download
memory/4064-23-0x0000000006140000-0x0000000006494000-memory.dmp

Filesize
3.3MB

Download
memory/4064-11-0x0000000005550000-0x0000000005572000-memory.dmp

Filesize
136KB

Download
memory/4064-8-0x0000000005700000-0x0000000005D28000-memory.dmp

Filesize
6.2MB

Download
memory/4064-10-0x00000000050C0000-0x00000000050D0000-memory.dmp

Filesize
64KB

Download
memory/4064-9-0x00000000050C0000-0x00000000050D0000-memory.dmp

Filesize
64KB

Download
memory/4064-24-0x0000000006510000-0x000000000652E000-memory.dmp

Filesize
120KB

Download
memory/4064-26-0x0000000006A60000-0x0000000006AF6000-memory.dmp

Filesize
600KB

Download
memory/4064-7-0x0000000074C00000-0x00000000753B0000-memory.dmp

Filesize
7.7MB

Download
memory/4064-6-0x0000000004F60000-0x0000000004F96000-memory.dmp

Filesize
216KB

Download
memory/4064-28-0x0000000006B00000-0x0000000006B22000-memory.dmp

Filesize
136KB

Download
memory/4064-25-0x00000000065C0000-0x000000000660C000-memory.dmp

Filesize
304KB

Download
memory/4064-27-0x00000000069F0000-0x0000000006A0A000-memory.dmp

Filesize
104KB

Download
memory/4064-18-0x0000000005F10000-0x0000000005F76000-memory.dmp

Filesize
408KB

Download
memory/4124-50-0x0000000074C00000-0x00000000753B0000-memory.dmp

Filesize
7.7MB

Download
memory/4124-65-0x0000000074C00000-0x00000000753B0000-memory.dmp

Filesize
7.7MB

Download
memory/4124-52-0x0000000004C50000-0x0000000004C60000-memory.dmp

Filesize
64KB

Download
memory/4124-53-0x0000000004C50000-0x0000000004C60000-memory.dmp

Filesize
64KB

Download
memory/4980-141-0x0000000074C00000-0x00000000753B0000-memory.dmp

Filesize
7.7MB

Download
memory/4980-143-0x0000000004FE0000-0x0000000004FF0000-memory.dmp

Filesize
64KB

Download
memory/4980-142-0x0000000004FE0000-0x0000000004FF0000-memory.dmp

Filesize
64KB

Download
memory/4980-144-0x0000000005D80000-0x00000000060D4000-memory.dmp

Filesize
3.3MB

Download
memory/4980-156-0x0000000074C00000-0x00000000753B0000-memory.dmp

Filesize
7.7MB

Download
memory/5008-66-0x0000000074C00000-0x00000000753B0000-memory.dmp

Filesize
7.7MB

Download
memory/5008-67-0x0000000004520000-0x0000000004530000-memory.dmp

Filesize
64KB

Download
memory/5008-68-0x0000000004520000-0x0000000004530000-memory.dmp

Filesize
64KB

Download
memory/5008-80-0x0000000074C00000-0x00000000753B0000-memory.dmp

Filesize
7.7MB

Download