hiverat | f49c3157e749609acf89ae453958b7d4f1fc165941e6e998271b0caee1f0cf35

Resubmissions

17-02-2021 19:37

210217-gyxbqal2ys 3

01-12-2020 14:48

201201-b4k57571mn 10

Analysis

max time kernel
150s
max time network
30s
platform
windows7_x64
resource
win7v20201028
submitted
01-12-2020 14:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEW SC.cmd.exe
Size

14KB
MD5

870ffbc1a133083f10fadf93cf28f706
SHA1

eddbe2346d62a6925634abd5dfe2d6f6b0ff3a5b
SHA256

f49c3157e749609acf89ae453958b7d4f1fc165941e6e998271b0caee1f0cf35
SHA512

f6b65b12ccadc42cfecc2130399cab9beadf4447dfbae09c523c3e7dc7eacf881be2d7590942f49e1270c3d8c3d793cfb293006696300c56ab5320b66d8f835b

Score

10^/10

hiverat evasion persistence rat stealer trojan

Malware Config

Signatures

HiveRAT
HiveRAT is an improved version of FirebirdRAT with various capabilities.
rat stealer hiverat

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

NEW SC.cmd.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "explorer.exe,\"C:\\Users\\Admin\\AppData\\Local\\Temp\\NEW SC.cmd.exe\""	NEW SC.cmd.exe

Modifies Windows Defender Real-time Protection settings 3 TTPs
evasion trojan

Modify Registry
T1112

Modify Existing Service
T1031

Disabling Security Tools
T1089
Windows security bypass 2 TTPs
evasion trojan

Disabling Security Tools
T1089

Modify Registry
T1112

HiveRAT Payload 4 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1532-33-0x0000000000400000-0x0000000000454000-memory.dmp	family_hiverat
behavioral1/memory/1532-34-0x000000000044CD9E-mapping.dmp	family_hiverat
behavioral1/memory/1532-35-0x0000000000400000-0x0000000000454000-memory.dmp	family_hiverat
behavioral1/memory/1532-36-0x0000000000400000-0x0000000000454000-memory.dmp	family_hiverat

Looks for VirtualBox Guest Additions in registry 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497
Looks for VMWare Tools registry key 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

NEW SC.cmd.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	NEW SC.cmd.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	NEW SC.cmd.exe

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

2232 cmd.exe

pid	process
2232	cmd.exe

Drops startup file 2 IoCs

Processes:

NEW SC.cmd.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NEW SC.cmd.exe	NEW SC.cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NEW SC.cmd.exe	NEW SC.cmd.exe

Windows security modification 2 TTPs 9 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

NEW SC.cmd.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions	NEW SC.cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features	NEW SC.cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	NEW SC.cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	NEW SC.cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NEW SC.cmd.exe = "0"	NEW SC.cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\NEW SC.cmd.exe = "0"	NEW SC.cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Real-Time Protection	NEW SC.cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	NEW SC.cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Spynet\SubmitSamplesConsent = "0"	NEW SC.cmd.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

NEW SC.cmd.exeWScript.exeWScript.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Windows\CurrentVersion\Run\NEW SC.cmd.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\NEW SC.cmd.exe"	NEW SC.cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce	WScript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Avast Essentials = "C:\\Users\\Admin\\AppData\\Roaming \\ Avast.exe"	WScript.exe
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce	WScript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Avast Essentials = "C:\\Users\\Admin\\AppData\\Roaming\\Avast.exe"	WScript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Windows\CurrentVersion\Run\<Unknown> = "C:\\Users\\Admin\\AppData\\Local\\Temp\\NEW SC.cmd.exe"	NEW SC.cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Maps connected drives based on registry 3 TTPs 2 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

NEW SC.cmd.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	NEW SC.cmd.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	NEW SC.cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious use of SetThreadContext 1 IoCs

Processes:

NEW SC.cmd.exe

description pid process target process

PID 1840 set thread context of 1532 1840 NEW SC.cmd.exe NEW SC.cmd.exe
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

1740 timeout.exe
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

2268 PING.EXE

description	pid	process	target process
PID 1840 set thread context of 1532	1840	NEW SC.cmd.exe	NEW SC.cmd.exe

pid	process
1740	timeout.exe

pid	process
2268	PING.EXE

Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exeNEW SC.cmd.exe

pid	process
1520	powershell.exe
664	powershell.exe
780	powershell.exe
1684	powershell.exe
664	powershell.exe
1684	powershell.exe
1520	powershell.exe
780	powershell.exe
1532	NEW SC.cmd.exe
1532	NEW SC.cmd.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

NEW SC.cmd.exepowershell.exepowershell.exepowershell.exepowershell.exeNEW SC.cmd.exe

description	pid	process
Token: SeDebugPrivilege	1840	NEW SC.cmd.exe
Token: SeDebugPrivilege	1684	powershell.exe
Token: SeDebugPrivilege	780	powershell.exe
Token: SeDebugPrivilege	1520	powershell.exe
Token: SeDebugPrivilege	664	powershell.exe
Token: SeDebugPrivilege	1532	NEW SC.cmd.exe

Suspicious use of WriteProcessMemory 53 IoCs

Processes:

NEW SC.cmd.execmd.exeNEW SC.cmd.exeexplorer.execmd.exe

description	pid	process	target process
PID 1840 wrote to memory of 1748	1840	NEW SC.cmd.exe	cmd.exe
PID 1840 wrote to memory of 1748	1840	NEW SC.cmd.exe	cmd.exe
PID 1840 wrote to memory of 1748	1840	NEW SC.cmd.exe	cmd.exe
PID 1840 wrote to memory of 1748	1840	NEW SC.cmd.exe	cmd.exe
PID 1748 wrote to memory of 1740	1748	cmd.exe	timeout.exe
PID 1748 wrote to memory of 1740	1748	cmd.exe	timeout.exe
PID 1748 wrote to memory of 1740	1748	cmd.exe	timeout.exe
PID 1748 wrote to memory of 1740	1748	cmd.exe	timeout.exe
PID 1840 wrote to memory of 664	1840	NEW SC.cmd.exe	powershell.exe
PID 1840 wrote to memory of 664	1840	NEW SC.cmd.exe	powershell.exe
PID 1840 wrote to memory of 664	1840	NEW SC.cmd.exe	powershell.exe
PID 1840 wrote to memory of 664	1840	NEW SC.cmd.exe	powershell.exe
PID 1840 wrote to memory of 1684	1840	NEW SC.cmd.exe	powershell.exe
PID 1840 wrote to memory of 1684	1840	NEW SC.cmd.exe	powershell.exe
PID 1840 wrote to memory of 1684	1840	NEW SC.cmd.exe	powershell.exe
PID 1840 wrote to memory of 1684	1840	NEW SC.cmd.exe	powershell.exe
PID 1840 wrote to memory of 780	1840	NEW SC.cmd.exe	powershell.exe
PID 1840 wrote to memory of 780	1840	NEW SC.cmd.exe	powershell.exe
PID 1840 wrote to memory of 780	1840	NEW SC.cmd.exe	powershell.exe
PID 1840 wrote to memory of 780	1840	NEW SC.cmd.exe	powershell.exe
PID 1840 wrote to memory of 1520	1840	NEW SC.cmd.exe	powershell.exe
PID 1840 wrote to memory of 1520	1840	NEW SC.cmd.exe	powershell.exe
PID 1840 wrote to memory of 1520	1840	NEW SC.cmd.exe	powershell.exe
PID 1840 wrote to memory of 1520	1840	NEW SC.cmd.exe	powershell.exe
PID 1840 wrote to memory of 1532	1840	NEW SC.cmd.exe	NEW SC.cmd.exe
PID 1840 wrote to memory of 1532	1840	NEW SC.cmd.exe	NEW SC.cmd.exe
PID 1840 wrote to memory of 1532	1840	NEW SC.cmd.exe	NEW SC.cmd.exe
PID 1840 wrote to memory of 1532	1840	NEW SC.cmd.exe	NEW SC.cmd.exe
PID 1840 wrote to memory of 1532	1840	NEW SC.cmd.exe	NEW SC.cmd.exe
PID 1840 wrote to memory of 1532	1840	NEW SC.cmd.exe	NEW SC.cmd.exe
PID 1840 wrote to memory of 1532	1840	NEW SC.cmd.exe	NEW SC.cmd.exe
PID 1840 wrote to memory of 1532	1840	NEW SC.cmd.exe	NEW SC.cmd.exe
PID 1840 wrote to memory of 1532	1840	NEW SC.cmd.exe	NEW SC.cmd.exe
PID 1840 wrote to memory of 1532	1840	NEW SC.cmd.exe	NEW SC.cmd.exe
PID 1532 wrote to memory of 904	1532	NEW SC.cmd.exe	WScript.exe
PID 1532 wrote to memory of 904	1532	NEW SC.cmd.exe	WScript.exe
PID 1532 wrote to memory of 904	1532	NEW SC.cmd.exe	WScript.exe
PID 1532 wrote to memory of 904	1532	NEW SC.cmd.exe	WScript.exe
PID 1532 wrote to memory of 980	1532	NEW SC.cmd.exe	explorer.exe
PID 1532 wrote to memory of 980	1532	NEW SC.cmd.exe	explorer.exe
PID 1532 wrote to memory of 980	1532	NEW SC.cmd.exe	explorer.exe
PID 1532 wrote to memory of 980	1532	NEW SC.cmd.exe	explorer.exe
PID 1840 wrote to memory of 1904	1840	explorer.exe	WScript.exe
PID 1840 wrote to memory of 1904	1840	explorer.exe	WScript.exe
PID 1840 wrote to memory of 1904	1840	explorer.exe	WScript.exe
PID 1532 wrote to memory of 2232	1532	NEW SC.cmd.exe	cmd.exe
PID 1532 wrote to memory of 2232	1532	NEW SC.cmd.exe	cmd.exe
PID 1532 wrote to memory of 2232	1532	NEW SC.cmd.exe	cmd.exe
PID 1532 wrote to memory of 2232	1532	NEW SC.cmd.exe	cmd.exe
PID 2232 wrote to memory of 2268	2232	cmd.exe	PING.EXE
PID 2232 wrote to memory of 2268	2232	cmd.exe	PING.EXE
PID 2232 wrote to memory of 2268	2232	cmd.exe	PING.EXE
PID 2232 wrote to memory of 2268	2232	cmd.exe	PING.EXE

C:\Users\Admin\AppData\Local\Temp\NEW SC.cmd.exe
"C:\Users\Admin\AppData\Local\Temp\NEW SC.cmd.exe"
1⤵
- Modifies WinLogon for persistence
- Checks BIOS information in registry
- Drops startup file
- Windows security modification
- Adds Run key to start application
- Maps connected drives based on registry
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1840

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c timeout 4.638
2⤵
- Suspicious use of WriteProcessMemory
PID:1748

C:\Windows\SysWOW64\timeout.exe
timeout 4.638
3⤵
- Delays execution with timeout.exe
PID:1740

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NEW SC.cmd.exe" -Force
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:664

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NEW SC.cmd.exe" -Force
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1684

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NEW SC.cmd.exe" -Force
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:780

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\NEW SC.cmd.exe" -Force
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1520

C:\Users\Admin\AppData\Local\Temp\NEW SC.cmd.exe
"C:\Users\Admin\AppData\Local\Temp\NEW SC.cmd.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1532

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Execution2.vbs"
3⤵
- Adds Run key to start application
PID:904

C:\Windows\SysWOW64\explorer.exe
"C:\Windows\System32\explorer.exe" C:\Users\Admin\AppData\Local\Execution.vbs
3⤵
PID:980

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C ping 1.1.1.1 -n 1 -w 500 > Nul & Del "C:\Users\Admin\AppData\Local\Temp\NEW SC.cmd.exe"
3⤵
- Deletes itself
- Suspicious use of WriteProcessMemory
PID:2232

C:\Windows\SysWOW64\PING.EXE
ping 1.1.1.1 -n 1 -w 500
4⤵
- Runs ping.exe
PID:2268

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Suspicious use of WriteProcessMemory
PID:1840

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Execution.vbs"
2⤵
- Adds Run key to start application
PID:1904

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

T1004

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Disabling Security Tools

T1089

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Remote System Discovery

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Execution.vbs
MD5
5d714082ad8fee00bc16741de8e79fdf

SHA1
b4eb28a309103dbb49e77a06a6d5dacaef1af70c

SHA256
8d5e64e451d157e463e81a1bb013b6aa96bdad0bf15103d8560628c0e038d38b

SHA512
5bb0983e2db9acbdd317091313b68db8fb0eb531f2cad4dd2fd4ff2bc2bf64abe8e5d327839a1c212ebffe46c5f448ec7154334b267e3e91767ac98292ff51f5

Download Submit
C:\Users\Admin\AppData\Local\Execution2.vbs
MD5
458841d642abb8d0ca9d4d18daaf8cd4

SHA1
f38e4a187ae5df2da29e2b63f33c62f5cbce45ac

SHA256
6a37a7f21cb1937bca4c31a9286f5f5d3b65826e86ea5b4b2bf5def1f2675244

SHA512
b8d5c588de619bb7ebe07c7490ff334c6985d1bf8c535d7df0c48c053abeba5b44336b4a4e2ffec50a737a4d50830888e57fe7b560ec8efb909a9cbe1ab24df1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_03bfaf74-c48a-406b-812c-2684df821d22
MD5
597009ea0430a463753e0f5b1d1a249e

SHA1
4e38b8bb65ecbd5c9f0d3d8c47f7caba33de6c62

SHA256
3fd2a8217a845c43dbc0dc206c28be81d2687aa9ba62019d905aef10cfaec45d

SHA512
5d722fa908e64575b2497c60d142e182011a10c6ed33813b3b4796b3147ece1bc96938518b4c8911a1bac3b7560528ebe3e8e754c11015516d335df5d7c6871d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_0d1685f9-d3d2-446b-9d3a-e90ae1e51548
MD5
a70ee38af4bb2b5ed3eeb7cbd1a12fa3

SHA1
81dbaeae4b0f9e1adc0a1e3d6d76a12396498ba9

SHA256
dd2f41f92f19c3fe031bdf5da68ab06768e26762d0077b290cd0094df1d5d58d

SHA512
8c69a5300c7545c5c4b25a0594e6813b6b7a85b5f3ae7fc5464b4074fe6f50b2f49d31cacf19bc20a02bb8e237656f1b9b2a3f6a3953e3a8478ca2adc154e0e3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_1b0b2f5a-4fa9-4284-9780-9a1da7b14a47
MD5
02ff38ac870de39782aeee04d7b48231

SHA1
0390d39fa216c9b0ecdb38238304e518fb2b5095

SHA256
fbd66a9baf753db31b8de23f2d51b67f8676687503653103080c45b16f1dc876

SHA512
24a1ff76ee42ff7a5ea42843928c4df07b06178f7781cd840e1e086e88735d81506eb67259ff1e6ce5aaa7c5baea03886da265eb7e025ff4dc4c4b5f8cd3e341

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_46587d2c-a7d2-4766-84de-c237e5491def
MD5
354b8209f647a42e2ce36d8cf326cc92

SHA1
98c3117f797df69935f8b09fc9e95accfe3d8346

SHA256
feae405d288fdd38438f9d9b54f791f3ce3805f1bb88780da5aca402ad372239

SHA512
420be869b58e9a7a2c31f2550ac269df832935692a6431d455a10d9b426781e79d91e30ace2c465633b8a7ff2be1bf49734d8b99a390090dc4b36411d4391ff0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_828bb5a1-7f09-4367-995b-b151134a81f9
MD5
d89968acfbd0cd60b51df04860d99896

SHA1
b3c29916ccb81ce98f95bbf3aa8a73de16298b29

SHA256
1020cc7c929cd5a4e68ccb40353ca76f427df363f0d95e456eb79db039bdb2b9

SHA512
b0e886cce598371b59131fed1535e220c798691bad93ef9474ba440066f5a6bd77a60966604b7a5ff6298b2e200c9dd0c8f9f04aff208b2af423480ead4e8842

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_85c7c16f-de6b-4cda-bf8a-ede9c5910d3d
MD5
df44874327d79bd75e4264cb8dc01811

SHA1
1396b06debed65ea93c24998d244edebd3c0209d

SHA256
55de642c5c9e436ec01c57004dae797022442c3245daf7162d19a5585f221181

SHA512
95dc9298b8db059bbe746f67e6a7f8515781c7053cc60c01532e47623a996be7e1bd23d1bd8f5f2045adff27454f44930d503c15b695690088841cedbd2a06c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_a02197da-f9c8-43e6-9ff1-846e01d2d404
MD5
75a8da7754349b38d64c87c938545b1b

SHA1
5c28c257d51f1c1587e29164cc03ea880c21b417

SHA256
bf08151c174b5d00c9dbc7907b2c6a01b4be76bfa3afce1e8bd98a04ad833c96

SHA512
798797bc74c56c874e9a5fdcb0157c04e37a1b3cce285ef064b01bceef8cec45f11a5198918c6c647220b62883606b5e12e3cca3ea369f3a66e69dea6e15f643

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_b771b377-145f-49e9-bf64-45e69646f7b9
MD5
5e3c7184a75d42dda1a83606a45001d8

SHA1
94ca15637721d88f30eb4b6220b805c5be0360ed

SHA256
8278033a65d1ff48be4d86e11f87930d187692f59f8bf2f0a9d170de285afb59

SHA512
fae99b6e9b106e0f1c30aa4082b25ae1ad643455c1295c2c16ad534e3e611b9b08492353ffe1af1cfdddc9b2b7c330747a64012c45e62b8f4a4982dcc214e05b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_c356f451-13b2-41fc-8d4c-54a293efa6e1
MD5
b6d38f250ccc9003dd70efd3b778117f

SHA1
d5a17c02cac698d4f0a4a9b7d71db2aa19e3f18a

SHA256
4de9d7b5ccab7b67ca8efc83084c7ee6e5e872b7216ed4683bc5da950bf41265

SHA512
67d8195836b7f280d3f9219fd0f58276342e55d5dfdd8a4c54355030d96685d73f1b2b6da0eb39322ec7c3a1d1c5ef06b52d22646cea30a96f822de1800d31e9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_ce569c42-07bf-442e-b377-8e9695c9383c
MD5
be4d72095faf84233ac17b94744f7084

SHA1
cc78ce5b9c57573bd214a8f423ee622b00ebb1ec

SHA256
b0d72c5c22e57913476ac8fc686a4593f137c6667d5094522c0a0685dabd7adc

SHA512
43856e9b1032b8690ceea810c931bed3655e9190414bb220fb6afc136f31b8335e07604dffb28405d4006f266a54cff424c527d29924b1b732c9647a3252b097

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_dadf780e-0f00-49bb-86e1-35585efd8a97
MD5
a725bb9fafcf91f3c6b7861a2bde6db2

SHA1
8bb5b83f3cc37ff1e5ea4f02acae38e72364c114

SHA256
51651f27f54c7261887037aa1de4eff0a26c6807906dfc34a15cd5a0b58a8431

SHA512
1c4b21dd5660bfec8347257bb3da64681b0a97c427790d9ab3484f687dac032bcff0e07876635953697b00cf83e7d37f97c44e0219627fd0533f60ed3024b97e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_dadf780e-0f00-49bb-86e1-35585efd8a97
MD5
a725bb9fafcf91f3c6b7861a2bde6db2

SHA1
8bb5b83f3cc37ff1e5ea4f02acae38e72364c114

SHA256
51651f27f54c7261887037aa1de4eff0a26c6807906dfc34a15cd5a0b58a8431

SHA512
1c4b21dd5660bfec8347257bb3da64681b0a97c427790d9ab3484f687dac032bcff0e07876635953697b00cf83e7d37f97c44e0219627fd0533f60ed3024b97e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_dadf780e-0f00-49bb-86e1-35585efd8a97
MD5
a725bb9fafcf91f3c6b7861a2bde6db2

SHA1
8bb5b83f3cc37ff1e5ea4f02acae38e72364c114

SHA256
51651f27f54c7261887037aa1de4eff0a26c6807906dfc34a15cd5a0b58a8431

SHA512
1c4b21dd5660bfec8347257bb3da64681b0a97c427790d9ab3484f687dac032bcff0e07876635953697b00cf83e7d37f97c44e0219627fd0533f60ed3024b97e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_fdfd0653-3151-498d-aafa-ff4b7267fee8
MD5
7f79b990cb5ed648f9e583fe35527aa7

SHA1
71b177b48c8bd745ef02c2affad79ca222da7c33

SHA256
080ec69d3f2abac629a0bdc314f150ad42a9a1b0a031b1d5c7b5b80051c48683

SHA512
20926edf7f0b990da4bd8d7ba91bd8bf7b952b75080f687afa7197a91777604688303d38b4a0a7240b558c23f2e0cd927d3590765109f8be0551f5eb050eafda

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex
MD5
7abca08827a7fb27150ff21ab0352361

SHA1
9ec3cb64a828082aaed1cdf45f7529d1a11a37dc

SHA256
c15be6da82428f67d602c835d64578e7a1f55a55864ec6ad35eff08d4fcdd5c8

SHA512
39148d0198130adbbd2a18f8a553187b23ff18ad0c8f5faf1cb8dcd95ddf7139fff420a2efd7ae7c04f96e195226ed55d3518498e9b0550d4e37fdaec7152b3d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex
MD5
33f5f5485c3876392042504fa93954ab

SHA1
6ff95f0a1733dd13d78ac38488a0ddffbd6ae9eb

SHA256
fbff3867faa072bf69b30bc46be1bdecafd665927b38a3eaf6922dbe8657f792

SHA512
d0d139c0def4a82ef2ca3dccfdd84fd3c7af8d6b8858b2482a52c3361af555ef21f9a9b4bc06ee6c9e5bb77e6f443037e8012252d2a74d13ae56ad7052a41c51

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex
MD5
2ab4e95dd9adcc89a546d5043fd7a391

SHA1
79b3c03beb398d75a000710edd3907a824c68315

SHA256
9ceff75b11943c4f153e2ffb20aec4c99595de34f494b510d6ba076ccd2caec2

SHA512
9e590388d994c3d763be12c8e3e5f244934677e02e8ead4f874741e65a8a4c6212e1648bd0dcaf0e07002b19c580cbfa42d4de7743ae8248300c29605b17c0d9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex
MD5
2ab4e95dd9adcc89a546d5043fd7a391

SHA1
79b3c03beb398d75a000710edd3907a824c68315

SHA256
9ceff75b11943c4f153e2ffb20aec4c99595de34f494b510d6ba076ccd2caec2

SHA512
9e590388d994c3d763be12c8e3e5f244934677e02e8ead4f874741e65a8a4c6212e1648bd0dcaf0e07002b19c580cbfa42d4de7743ae8248300c29605b17c0d9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
MD5
b2dcb93d5df46ca227d8eeb427a8e646

SHA1
6f36f51eedccfadd672ec664fdbcb68286e9a39e

SHA256
942724f551477a541320c90e4089a2679ddbec02c73643d6d9027d567529409d

SHA512
243744a25912c0b5dfd4ba12aed5bf6b6608f490737069c6db0ff196a953375a2b55a5b92b831bca1471c63ae5d7c7d5703642df5b972b9e018cb625ba789075

Download Submit
memory/664-8-0x0000000000000000-mapping.dmp

Download
memory/664-25-0x0000000002610000-0x0000000002611000-memory.dmp

Filesize
4KB

Download
memory/664-13-0x00000000749E0000-0x00000000750CE000-memory.dmp

Filesize
6.9MB

Download
memory/780-10-0x0000000000000000-mapping.dmp

Download
memory/780-15-0x00000000749E0000-0x00000000750CE000-memory.dmp

Filesize
6.9MB

Download
memory/904-43-0x0000000000000000-mapping.dmp

Download
memory/980-45-0x0000000000000000-mapping.dmp

Download
memory/1520-16-0x00000000749E0000-0x00000000750CE000-memory.dmp

Filesize
6.9MB

Download
memory/1520-11-0x0000000000000000-mapping.dmp

Download
memory/1520-29-0x0000000004950000-0x0000000004951000-memory.dmp

Filesize
4KB

Download
memory/1532-35-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/1532-33-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/1532-34-0x000000000044CD9E-mapping.dmp

Download
memory/1532-36-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/1532-37-0x00000000749E0000-0x00000000750CE000-memory.dmp

Filesize
6.9MB

Download
memory/1684-17-0x0000000000F30000-0x0000000000F31000-memory.dmp

Filesize
4KB

Download
memory/1684-42-0x0000000005650000-0x0000000005651000-memory.dmp

Filesize
4KB

Download
memory/1684-67-0x0000000006110000-0x0000000006111000-memory.dmp

Filesize
4KB

Download
memory/1684-9-0x0000000000000000-mapping.dmp

Download
memory/1684-59-0x0000000006240000-0x0000000006241000-memory.dmp

Filesize
4KB

Download
memory/1684-83-0x0000000006300000-0x0000000006301000-memory.dmp

Filesize
4KB

Download
memory/1684-84-0x0000000006310000-0x0000000006311000-memory.dmp

Filesize
4KB

Download
memory/1684-51-0x00000000061B0000-0x00000000061B1000-memory.dmp

Filesize
4KB

Download
memory/1684-49-0x00000000056B0000-0x00000000056B1000-memory.dmp

Filesize
4KB

Download
memory/1684-14-0x00000000749E0000-0x00000000750CE000-memory.dmp

Filesize
6.9MB

Download
memory/1684-21-0x0000000004970000-0x0000000004971000-memory.dmp

Filesize
4KB

Download
memory/1740-6-0x0000000000000000-mapping.dmp

Download
memory/1748-5-0x0000000000000000-mapping.dmp

Download
memory/1840-2-0x00000000749E0000-0x00000000750CE000-memory.dmp

Filesize
6.9MB

Download
memory/1840-7-0x0000000005CC0000-0x0000000005DC1000-memory.dmp

Filesize
1.0MB

Download
memory/1840-3-0x00000000000D0000-0x00000000000D1000-memory.dmp

Filesize
4KB

Download
memory/1904-60-0x0000000000000000-mapping.dmp

Download
memory/1904-71-0x00000000026C0000-0x00000000026C4000-memory.dmp

Filesize
16KB

Download
memory/2232-96-0x0000000000000000-mapping.dmp

Download
memory/2268-97-0x0000000000000000-mapping.dmp

Download