Overview

overview

10

Static

static

3

61c51c7ab2...34.exe

windows7-x64

10

61c51c7ab2...34.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    139s
  • max time network
    108s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240419-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
  • submitted
    06-05-2024 14:04

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    61c51c7ab209978d127693a8837c3fb65f16a8315d511aa84e0b8c9129afc434.exe

  • Size

    7.2MB

  • MD5

    5446af14bfb2bf63ec1b409a0752f2bb

  • SHA1

    2d0ed53f2bab261a09e50e35b95f896ddf6dd688

  • SHA256

    61c51c7ab209978d127693a8837c3fb65f16a8315d511aa84e0b8c9129afc434

  • SHA512

    3f96ff6656d7937fe3be66688c5559a238be9e0277373dd8a325f2e36fbd50095285ae8da8db0b59f0706b9514bdf54f2f66da81caf4d2818b9c9d20d5cff436

  • SSDEEP

    49152:OSa5+lvH/3ehlWOU9Hl73KkPjOMVMC21gt9dmFF9KINW1FQr7qrzW+x30rY6yTK4:A0X3IWbXPjObC9CFAArmGm3U0KFK/j

Score
10/10
zgratexecutionrat

Malware Config

Signatures

  • Detect ZGRat V1 32 IoCs
  • Process spawned unexpected child process 18 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • ZGRat

    ZGRat is remote access trojan written in C#.

    ratzgrat
  • Command and Scripting Interpreter: PowerShell 1 TTPs 17 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Checks computer location settings 2 TTPs 4 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 4 IoCs
  • Drops file in Windows directory 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 18 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Modifies registry class 1 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 19 IoCs
  • Suspicious use of WriteProcessMemory 50 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\61c51c7ab209978d127693a8837c3fb65f16a8315d511aa84e0b8c9129afc434.exe
    "C:\Users\Admin\AppData\Local\Temp\61c51c7ab209978d127693a8837c3fb65f16a8315d511aa84e0b8c9129afc434.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:4756
    • C:\Users\Admin\AppData\Local\Temp\Province Hacks.exe
      "C:\Users\Admin\AppData\Local\Temp\Province Hacks.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:4372
      • C:\Users\Admin\AppData\Local\Temp\Logger.exe
        "C:\Users\Admin\AppData\Local\Temp\Logger.exe"
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • Suspicious use of WriteProcessMemory
        PID:1516
        • C:\Users\Admin\AppData\Local\Temp\1.exe
          "C:\Users\Admin\AppData\Local\Temp\1.exe"
          4⤵
          • Checks computer location settings
          • Executes dropped EXE
          • Drops file in Windows directory
          • Modifies registry class
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:3744
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious use of AdjustPrivilegeToken
            PID:1936
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious use of AdjustPrivilegeToken
            PID:396
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious use of AdjustPrivilegeToken
            PID:2984
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious use of AdjustPrivilegeToken
            PID:1128
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious use of AdjustPrivilegeToken
            PID:4944
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious use of AdjustPrivilegeToken
            PID:2536
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious use of AdjustPrivilegeToken
            PID:1700
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious use of AdjustPrivilegeToken
            PID:820
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious use of AdjustPrivilegeToken
            PID:2164
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious use of AdjustPrivilegeToken
            PID:2136
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious use of AdjustPrivilegeToken
            PID:2264
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\TAPI\MoUsoCoreWorker.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious use of AdjustPrivilegeToken
            PID:3320
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Prefetch\OfficeClickToRun.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious use of AdjustPrivilegeToken
            PID:2756
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\RuntimeBroker.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious use of AdjustPrivilegeToken
            PID:4964
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\GameBarPresenceWriter\lsass.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious use of AdjustPrivilegeToken
            PID:4372
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Desktop\SearchApp.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious use of AdjustPrivilegeToken
            PID:4752
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\1.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious use of AdjustPrivilegeToken
            PID:4408
          • C:\Windows\System32\cmd.exe
            "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ZUbT20fZjh.bat"
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:3048
            • C:\Windows\system32\chcp.com
              chcp 65001
              6⤵
                PID:6064
              • C:\Windows\system32\PING.EXE
                ping -n 10 localhost
                6⤵
                • Runs ping.exe
                PID:5512
              • C:\Windows\GameBarPresenceWriter\lsass.exe
                "C:\Windows\GameBarPresenceWriter\lsass.exe"
                6⤵
                • Executes dropped EXE
                • Suspicious use of AdjustPrivilegeToken
                PID:5964
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "MoUsoCoreWorkerM" /sc MINUTE /mo 9 /tr "'C:\Windows\TAPI\MoUsoCoreWorker.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:232
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "MoUsoCoreWorker" /sc ONLOGON /tr "'C:\Windows\TAPI\MoUsoCoreWorker.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:392
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "MoUsoCoreWorkerM" /sc MINUTE /mo 11 /tr "'C:\Windows\TAPI\MoUsoCoreWorker.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:2476
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 9 /tr "'C:\Windows\Prefetch\OfficeClickToRun.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:3344
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Windows\Prefetch\OfficeClickToRun.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1768
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 10 /tr "'C:\Windows\Prefetch\OfficeClickToRun.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1580
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:5036
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:2016
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1616
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 11 /tr "'C:\Windows\GameBarPresenceWriter\lsass.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:4928
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Windows\GameBarPresenceWriter\lsass.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:2112
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 12 /tr "'C:\Windows\GameBarPresenceWriter\lsass.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:3672
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 5 /tr "'C:\Users\Public\Desktop\SearchApp.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1824
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Users\Public\Desktop\SearchApp.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:5040
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 14 /tr "'C:\Users\Public\Desktop\SearchApp.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:3784
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "11" /sc MINUTE /mo 7 /tr "'C:\Users\Admin\AppData\Local\Temp\1.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1148
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "1" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Local\Temp\1.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1516
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "11" /sc MINUTE /mo 5 /tr "'C:\Users\Admin\AppData\Local\Temp\1.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:468

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
      Filesize

      2KB

      MD5

      440cb38dbee06645cc8b74d51f6e5f71

      SHA1

      d7e61da91dc4502e9ae83281b88c1e48584edb7c

      SHA256

      8ef7a682dfd99ff5b7e9de0e1be43f0016d68695a43c33c028af2635cc15ecfe

      SHA512

      3aab19578535e6ba0f6beb5690c87d970292100704209d2dcebddcdd46c6bead27588ef5d98729bfd50606a54cc1edf608b3d15bef42c13b9982aaaf15de7fd6

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
      Filesize

      944B

      MD5

      2e907f77659a6601fcc408274894da2e

      SHA1

      9f5b72abef1cd7145bf37547cdb1b9254b4efe9d

      SHA256

      385da35673330e21ac02545220552fe301fe54dedefbdafc097ac4342a295233

      SHA512

      34fa0fff24f6550f55f828541aaefe5d75c86f8f0842d54b50065e9746f9662bb7209c74c9a9571540b9855bb3851f01db613190024e89b198d485bb5dc07721

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
      Filesize

      944B

      MD5

      77d622bb1a5b250869a3238b9bc1402b

      SHA1

      d47f4003c2554b9dfc4c16f22460b331886b191b

      SHA256

      f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb

      SHA512

      d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
      Filesize

      944B

      MD5

      cadef9abd087803c630df65264a6c81c

      SHA1

      babbf3636c347c8727c35f3eef2ee643dbcc4bd2

      SHA256

      cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438

      SHA512

      7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
      Filesize

      944B

      MD5

      62623d22bd9e037191765d5083ce16a3

      SHA1

      4a07da6872672f715a4780513d95ed8ddeefd259

      SHA256

      95d79fd575bbd21540e378fcbc1cd00d16f51af62ce15bae7080bb72c24e2010

      SHA512

      9a448b7a0d867466c2ea04ab84d2a9485d5fd20ab53b2b854f491831ee3f1d781b94d2635f7b0b35cb9f2d373cd52c67570879a56a42ed66bc9db06962ed4992

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
      Filesize

      944B

      MD5

      3a6bad9528f8e23fb5c77fbd81fa28e8

      SHA1

      f127317c3bc6407f536c0f0600dcbcf1aabfba36

      SHA256

      986366767de5873f1b170a63f2a33ce05132d1afd90c8f5017afbca8ef1beb05

      SHA512

      846002154a0ece6f3e9feda6f115d3161dc21b3789525dd62ae1d9188495171293efdbe7be4710666dd8a15e66b557315b5a02918a741ed1d5f3ff0c515b98e2

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
      Filesize

      944B

      MD5

      e243a38635ff9a06c87c2a61a2200656

      SHA1

      ecd95ed5bf1a9fbe96a8448fc2814a0210fa2afc

      SHA256

      af5782703f3f2d5a29fb313dae6680a64134db26064d4a321a3f23b75f6ca00f

      SHA512

      4418957a1b10eee44cf270c81816ae707352411c4f5ac14b6b61ab537c91480e24e0a0a2c276a6291081b4984c123cf673a45dcedb0ceeef682054ba0fc19cb4

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
      Filesize

      944B

      MD5

      e448fe0d240184c6597a31d3be2ced58

      SHA1

      372b8d8c19246d3e38cd3ba123cc0f56070f03cd

      SHA256

      c660f0db85a1e7f0f68db19868979bf50bd541531babf77a701e1b1ce5e6a391

      SHA512

      0b7f7eae7700d32b18eee3677cb7f89b46ace717fa7e6b501d6c47d54f15dff7e12b49f5a7d36a6ffe4c16165c7d55162db4f3621db545b6af638035752beab4

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
      Filesize

      944B

      MD5

      d28a889fd956d5cb3accfbaf1143eb6f

      SHA1

      157ba54b365341f8ff06707d996b3635da8446f7

      SHA256

      21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45

      SHA512

      0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\1.exe
      Filesize

      6.3MB

      MD5

      4e2c3489ec26807d69f9171479886188

      SHA1

      40f8c57e6918d1626177810c6f1b5a65d9bf93d1

      SHA256

      33466d0c92e0fb64d98b89ca503976b86cfd5400c387aeb9dd66f096b4c14ca9

      SHA512

      0ed949039d77b4777f8da9ede1e245b22759fa2bd86ec90692c216263a27693264f926ad256336a8b4e2e688c05deb4790ba0a2799479213a9cb9960787f0d3e

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\Logger.exe
      Filesize

      6.6MB

      MD5

      48bfaeb0285f1b090cbf09e2feb6ad10

      SHA1

      67d25ecce37f5a70ec950758351e81593b99ed05

      SHA256

      d8c19254251b41d6f815582ba4c018994cae3bdf3677e198a88138a43aaaf15e

      SHA512

      f8f19c480a72dcb1a88585a94c95767dfdaab0320aafd46f61309385fd9f7e68a8b392801ab243e7c545f43cd9e23366aa94814a05d9f9a0b604c22ab81ad08d

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\Province Hacks.exe
      Filesize

      6.9MB

      MD5

      d22490055518bbf8d44579a00453da46

      SHA1

      d738768635f9646c71b98befc3bf2a4c9f5c29e3

      SHA256

      ee2c37126091fa67a5b5abbf7ac2a4271514ec7620aef87b34d42e80c576cd0a

      SHA512

      ecdd5baf602b3e9e59f15b47ad3925026568be9fdf1d384cc3dbae2b292abbf1878cbd1f919cf680442c65a9299c3496d9f03fed8b8504ba34f805e5ef984f08

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\ZUbT20fZjh.bat
      Filesize

      170B

      MD5

      51a4e7c97e96b02c826054eb69067630

      SHA1

      47970ce3cec0a4aad59d4d23f4d4791dc36adfff

      SHA256

      b378e635ad7131bda60b4067407419194ac9140f093d793097547760fff6fe80

      SHA512

      cc6b6867a8241659a2a13d1fb3dac070335737fa1c0b2fed487b3f49fbe86b9845a0c341dba79a586ae7f7b215db76f0b4940359ed10b9552a72c7e6b21b11e4

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_0egkcpc0.zse.ps1
      Filesize

      60B

      MD5

      d17fe0a3f47be24a6453e9ef58c94641

      SHA1

      6ab83620379fc69f80c0242105ddffd7d98d5d9d

      SHA256

      96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

      SHA512

      5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

      Download Submit

    • memory/1516-34-0x0000000000400000-0x0000000000A98000-memory.dmp

      Filesize

      6.6MB

      Download

    • memory/3744-41-0x000000001BED0000-0x000000001C257000-memory.dmp

      Filesize

      3.5MB

      Download

    • memory/3744-3603-0x000000001C390000-0x000000001C3A8000-memory.dmp

      Filesize

      96KB

      Download

    • memory/3744-90-0x000000001BED0000-0x000000001C257000-memory.dmp

      Filesize

      3.5MB

      Download

    • memory/3744-88-0x000000001BED0000-0x000000001C257000-memory.dmp

      Filesize

      3.5MB

      Download

    • memory/3744-86-0x000000001BED0000-0x000000001C257000-memory.dmp

      Filesize

      3.5MB

      Download

    • memory/3744-84-0x000000001BED0000-0x000000001C257000-memory.dmp

      Filesize

      3.5MB

      Download

    • memory/3744-82-0x000000001BED0000-0x000000001C257000-memory.dmp

      Filesize

      3.5MB

      Download

    • memory/3744-76-0x000000001BED0000-0x000000001C257000-memory.dmp

      Filesize

      3.5MB

      Download

    • memory/3744-74-0x000000001BED0000-0x000000001C257000-memory.dmp

      Filesize

      3.5MB

      Download

    • memory/3744-72-0x000000001BED0000-0x000000001C257000-memory.dmp

      Filesize

      3.5MB

      Download

    • memory/3744-68-0x000000001BED0000-0x000000001C257000-memory.dmp

      Filesize

      3.5MB

      Download

    • memory/3744-66-0x000000001BED0000-0x000000001C257000-memory.dmp

      Filesize

      3.5MB

      Download

    • memory/3744-64-0x000000001BED0000-0x000000001C257000-memory.dmp

      Filesize

      3.5MB

      Download

    • memory/3744-70-0x000000001BED0000-0x000000001C257000-memory.dmp

      Filesize

      3.5MB

      Download

    • memory/3744-62-0x000000001BED0000-0x000000001C257000-memory.dmp

      Filesize

      3.5MB

      Download

    • memory/3744-60-0x000000001BED0000-0x000000001C257000-memory.dmp

      Filesize

      3.5MB

      Download

    • memory/3744-58-0x000000001BED0000-0x000000001C257000-memory.dmp

      Filesize

      3.5MB

      Download

    • memory/3744-56-0x000000001BED0000-0x000000001C257000-memory.dmp

      Filesize

      3.5MB

      Download

    • memory/3744-52-0x000000001BED0000-0x000000001C257000-memory.dmp

      Filesize

      3.5MB

      Download

    • memory/3744-50-0x000000001BED0000-0x000000001C257000-memory.dmp

      Filesize

      3.5MB

      Download

    • memory/3744-46-0x000000001BED0000-0x000000001C257000-memory.dmp

      Filesize

      3.5MB

      Download

    • memory/3744-45-0x000000001BED0000-0x000000001C257000-memory.dmp

      Filesize

      3.5MB

      Download

    • memory/3744-94-0x000000001BED0000-0x000000001C257000-memory.dmp

      Filesize

      3.5MB

      Download

    • memory/3744-38-0x000000001BED0000-0x000000001C257000-memory.dmp

      Filesize

      3.5MB

      Download

    • memory/3744-3594-0x000000001C360000-0x000000001C386000-memory.dmp

      Filesize

      152KB

      Download

    • memory/3744-3596-0x0000000003070000-0x000000000307E000-memory.dmp

      Filesize

      56KB

      Download

    • memory/3744-3598-0x00000000031C0000-0x00000000031DC000-memory.dmp

      Filesize

      112KB

      Download

    • memory/3744-3599-0x000000001C3E0000-0x000000001C430000-memory.dmp

      Filesize

      320KB

      Download

    • memory/3744-3601-0x0000000003080000-0x0000000003090000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3744-92-0x000000001BED0000-0x000000001C257000-memory.dmp

      Filesize

      3.5MB

      Download

    • memory/3744-3605-0x00000000031A0000-0x00000000031B0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3744-3607-0x00000000031B0000-0x00000000031C0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3744-3609-0x00000000031E0000-0x00000000031EE000-memory.dmp

      Filesize

      56KB

      Download

    • memory/3744-3611-0x000000001C430000-0x000000001C442000-memory.dmp

      Filesize

      72KB

      Download

    • memory/3744-3613-0x000000001C3B0000-0x000000001C3C0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3744-3615-0x000000001CD10000-0x000000001CD26000-memory.dmp

      Filesize

      88KB

      Download

    • memory/3744-3617-0x000000001CD30000-0x000000001CD42000-memory.dmp

      Filesize

      72KB

      Download

    • memory/3744-3618-0x000000001D280000-0x000000001D7A8000-memory.dmp

      Filesize

      5.2MB

      Download

    • memory/3744-3620-0x000000001C3C0000-0x000000001C3CE000-memory.dmp

      Filesize

      56KB

      Download

    • memory/3744-3622-0x000000001C3D0000-0x000000001C3E0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3744-3624-0x000000001CD50000-0x000000001CD60000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3744-3626-0x000000001CDC0000-0x000000001CE1A000-memory.dmp

      Filesize

      360KB

      Download

    • memory/3744-3628-0x000000001CD60000-0x000000001CD6E000-memory.dmp

      Filesize

      56KB

      Download

    • memory/3744-3630-0x000000001CD70000-0x000000001CD80000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3744-3632-0x000000001CD80000-0x000000001CD8E000-memory.dmp

      Filesize

      56KB

      Download

    • memory/3744-3634-0x000000001CE20000-0x000000001CE38000-memory.dmp

      Filesize

      96KB

      Download

    • memory/3744-3636-0x000000001CD90000-0x000000001CD9C000-memory.dmp

      Filesize

      48KB

      Download

    • memory/3744-3638-0x000000001CE90000-0x000000001CEDE000-memory.dmp

      Filesize

      312KB

      Download

    • memory/3744-96-0x000000001BED0000-0x000000001C257000-memory.dmp

      Filesize

      3.5MB

      Download

    • memory/3744-80-0x000000001BED0000-0x000000001C257000-memory.dmp

      Filesize

      3.5MB

      Download

    • memory/3744-78-0x000000001BED0000-0x000000001C257000-memory.dmp

      Filesize

      3.5MB

      Download

    • memory/3744-54-0x000000001BED0000-0x000000001C257000-memory.dmp

      Filesize

      3.5MB

      Download

    • memory/3744-37-0x000000001BED0000-0x000000001C257000-memory.dmp

      Filesize

      3.5MB

      Download

    • memory/3744-42-0x000000001BED0000-0x000000001C257000-memory.dmp

      Filesize

      3.5MB

      Download

    • memory/3744-48-0x000000001BED0000-0x000000001C257000-memory.dmp

      Filesize

      3.5MB

      Download

    • memory/3744-36-0x000000001BED0000-0x000000001C25E000-memory.dmp

      Filesize

      3.6MB

      Download

    • memory/3744-35-0x0000000000920000-0x0000000000F70000-memory.dmp

      Filesize

      6.3MB

      Download

    • memory/4372-23-0x0000000000400000-0x0000000000AF3000-memory.dmp

      Filesize

      6.9MB

      Download

    • memory/4756-11-0x0000000000400000-0x0000000000B37000-memory.dmp

      Filesize

      7.2MB

      Download

    • memory/4944-3659-0x000001B79B7C0000-0x000001B79B7E2000-memory.dmp

      Filesize

      136KB

      Download